From: SamLT <sam@sltosis.org>
To: cc <cc@kdtc.net>
Cc: netfilter@vger.kernel.org
Subject: Re: SNAT
Date: Wed, 22 Feb 2012 08:47:24 +0100
Message-ID: <20120222074724.GA11787@tosh.sltosis.org>
In-Reply-To: <20120222014817.M7308@kdtc.net>
On Wed, Feb 22, 2012 at 10:04:32AM +0800, cc wrote:
> Hi,
>
> Long story short, I'm now rebuilding a netfilter firewall
> script as the original died with the firewall. Well, died
> in the sense that it got corrupted.
>
> Instead of needing to specify the following for each required
> port that needs to be used to connect to external sites,
> how do I just let any traffic originating from the LAN
> to connect? (I'm feeling this isn't the right way of doing
> things. I appreciate any corrections.)
>
> $IPT -t nat -A POSTROUTING -o $EXTETH -p tcp -s $LAN_NET \
> --dport 1025: -j SNAT --to-source $EXTIP
>
> But the above rule 'looks' like it should work; but it
> doesn't. tcpdumping the traffic, it seems the traffic is
> going one way and not the other.
>
> So if I want to set the firewall to allow the following
> situations: machine A in $LAN_NET wants to RDP to an external
> site, it can. If machine B wants to surf the net, it also
> can. I don't need to separately do the following:
>
> $IPT -A FORWARD -i $LANETH -o $EXTETH -p tcp -s $LAN_NET \
> --dport 3389 -j ACCEPT
> $IPT -A FORWARD -i $LANETH -o $EXTETH -p tcp -s $LAN_NET \
> --dport 80 -j ACCEPT
> $IPT -A FORWARD -i $LANETH -o $EXTETH -p tcp -s $LAN_NET \
> --dport 443 -j ACCEPT
You need to allow the reply too, e.g. for tcp 443, you could add this
rule:
| $IPT -A FORWARD -o $LANETH -i $EXTETH -p tcp -d $LAN_NET \
| --sport 443 -m state --state ESTABLISHED -j ACCEPT
Doing it this way, you'd also need to allow, at least, ICMP RELATED
packets.
>
> $IPT -t nat -A POSTROUTING -o $EXTETH -p tcp -s $LAN_NET \
> --dport 3389 -j SNAT --to-source $EXTIP
> $IPT -t nat -A POSTROUTING -o $EXTETH -p tcp -s $LAN_NET \
> --dport 80 -j SNAT --to-source $EXTIP
> $IPT -t nat -A POSTROUTING -o $EXTETH -p tcp -s $LAN_NET \
> --dport 443 -j SNAT --to-source $EXTIP
>
Instead of doing it per "tcp connection", if you don't have special
needs, you could SNAT globally, allow the outbound traffic you want, and
allow every inbound ESTABLISHED and RELATED traffic. e.g.:
| $IPT -t nat -A POSTROUTING -o $EXTETH -s $LAN_NET \
| -j SNAT --to-source $EXTIP
| $IPT -A FORWARD -o $LANETH -i $EXTETH -d $LAN_NET -m state \
| --state ESTABLISHED,RELATED -j ACCEPT
| $IPT -A FORWARD -i $LANETH -o $EXTETH -p tcp -s $LAN_NET \
| -m multiport --dports 80,443,3389 -j ACCEPT
This may or may not suit you though.
>
>
> Now if I remembered, I used MASQUERADE when I was using
> a dynamic IP. Now with a fixed IP, I shouldn't be using
> MASQUERADE (seems less of a headache) as the manual says
> it's more appropriate to use SNAT for fixed IP.
>
> Any help/clarifications/hints appreciated.
>
> Ed
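The three-rule layout SamLT describes (one global SNAT rule, one rule for return traffic, one explicit allow-list for outbound TCP ports) written out as a small script. This is an added example, not code from either message in the thread. The variable names $IPT, $EXTETH, $LANETH, $LAN_NET and $EXTIP are the thread's own; the interface names, the 192.168.1.0/24 network and the 203.0.113.10 external address are constructed sample values. $IPT defaults to `echo iptables`, so the script prints the rules it would load and can be reviewed without root or a live netfilter stack; set IPT=iptables to apply them.

```shell
#!/bin/sh
# Stateful LAN-to-Internet forwarding with a single SNAT rule.
# Added example; variable names follow the netfilter thread, values are constructed.
# Default to a dry run that prints the iptables commands instead of running them.

IPT="${IPT:-echo iptables}"
EXTETH="${EXTETH:-eth0}"                  # constructed: external interface
LANETH="${LANETH:-eth1}"                  # constructed: LAN interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"      # constructed: LAN prefix
EXTIP="${EXTIP:-203.0.113.10}"            # constructed: fixed public address (TEST-NET-3)
LAN_OUT_TCP="${LAN_OUT_TCP:-80,443,3389}" # web and RDP, as in the thread

lan_forward_rules() {
    # Default deny in FORWARD; everything below is an explicit allow.
    $IPT -P FORWARD DROP

    # Replies and related traffic (including ICMP errors for an existing
    # flow) back into the LAN. This one rule replaces a per-service
    # "--sport N --state ESTABLISHED" rule and also covers RELATED ICMP.
    $IPT -A FORWARD -i "$EXTETH" -o "$LANETH" -d "$LAN_NET" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New connections out of the LAN, limited to the listed TCP ports.
    # The LAN is the *source* here, so the match is -s, not -d.
    $IPT -A FORWARD -i "$LANETH" -o "$EXTETH" -p tcp -s "$LAN_NET" \
        -m multiport --dports "$LAN_OUT_TCP" -j ACCEPT
}

lan_nat_rules() {
    # One SNAT rule for every protocol and port leaving on the external
    # interface. With a fixed address SNAT is preferred over MASQUERADE.
    $IPT -t nat -A POSTROUTING -o "$EXTETH" -s "$LAN_NET" \
        -j SNAT --to-source "$EXTIP"
}

# Number of ACCEPT rules the FORWARD set emits; a sanity check in dry-run mode.
forward_accept_count() {
    lan_forward_rules | grep -c -- '-j ACCEPT'
}

# Run directly: print (or, with IPT=iptables, load) the whole ruleset.
if [ "${0##*/}" != "sh" ] && [ -z "${LAN_RULES_NO_MAIN:-}" ]; then
    lan_nat_rules
    lan_forward_rules
fi
```

Forwarding also has to be enabled in the kernel (net.ipv4.ip_forward=1) or neither chain sees any LAN traffic; that is left out of the script because it is a sysctl, not an iptables rule. On current iptables the `-m state --state` match is an alias for `-m conntrack --ctstate`, which accepts the same ESTABLISHED,RELATED keywords.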