* need help on *nat filter for multiple source IP
@ 2009-04-13  3:05 no doubt
  2009-04-13  5:05 ` Mart Frauenlob
  0 siblings, 1 reply; 7+ messages in thread
From: no doubt @ 2009-04-13  3:05 UTC (permalink / raw)
  To: netfilter

Hi,

Currently I'm running a gateway firewall for an internal SOHO network.

I would like to achieve that all IPs in 192.168.4.0/24 that are
accessing an outside internet address on port 80 are redirected to
192.168.3.10 port 80, EXCEPT for a few IPs, namely 192.168.4.10,
192.168.4.100 and 192.168.4.20.

My rules in the nat filter read like this.
*nat
:PREROUTING ACCEPT [4314:569235]
:POSTROUTING ACCEPT [42:12421]
:OUTPUT ACCEPT [2807:264498]

iptables -A PREROUTING -s ! 192.168.4.10/32 -d ! 192.168.0.0/16 -i eth2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.3.10
iptables -A PREROUTING -s ! 192.168.4.20/32 -d ! 192.168.0.0/16 -i eth2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.3.10
iptables -A PREROUTING -s ! 192.168.4.100/32 -d ! 192.168.0.0/16 -i eth2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.3.10

-A POSTROUTING -o ppp+ -j MASQUERADE
COMMIT

Somehow it doesn't work, but if I leave only the 1st line, it works.

Is there anything I can modify in the rules?


* Re: need help on *nat filter for multiple source IP
  2009-04-13  3:05 need help on *nat filter for multiple source IP no doubt
@ 2009-04-13  5:05 ` Mart Frauenlob
  2009-04-15 19:00   ` no doubt
  0 siblings, 1 reply; 7+ messages in thread
From: Mart Frauenlob @ 2009-04-13  5:05 UTC (permalink / raw)
  To: netfilter

no doubt wrote:
> Hi,
>
> Currently I'm running a gateway firewall for an internal SOHO network.
>
> I would like to achieve that all IPs in 192.168.4.0/24 that are
> accessing an outside internet address on port 80 are redirected to
> 192.168.3.10 port 80, EXCEPT for a few IPs, namely 192.168.4.10,
> 192.168.4.100 and 192.168.4.20.
>
> My rules in the nat filter read like this.
> *nat
> :PREROUTING ACCEPT [4314:569235]
> :POSTROUTING ACCEPT [42:12421]
> :OUTPUT ACCEPT [2807:264498]
>
> iptables -A PREROUTING -s ! 192.168.4.10/32 -d ! 192.168.0.0/16 -i eth2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.3.10
> iptables -A PREROUTING -s ! 192.168.4.20/32 -d ! 192.168.0.0/16 -i eth2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.3.10
> iptables -A PREROUTING -s ! 192.168.4.100/32 -d ! 192.168.0.0/16 -i eth2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.3.10
>
> -A POSTROUTING -o ppp+ -j MASQUERADE
> COMMIT
>
> Somehow it doesn't work, but if I leave only the 1st line, it works.
>
> Is there anything I can modify in the rules?

Try this:

iptables -t nat -N my_dnat
iptables -t nat -A PREROUTING -i eth2 -s 192.168.4.10 -p tcp --dport 80 -j my_dnat
[...]

iptables -t nat -A my_dnat -j DNAT --to-destination 192.168.3.10

iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE



greets

Mart


* Re: need help on *nat filter for multiple source IP
  2009-04-13  5:05 ` Mart Frauenlob
@ 2009-04-15 19:00   ` no doubt
  2009-04-15 20:59     ` Mart Frauenlob
  0 siblings, 1 reply; 7+ messages in thread
From: no doubt @ 2009-04-15 19:00 UTC (permalink / raw)
  To: netfilter

Hello Mart,

Thanks for the guide. It now works.

-khairul



* Re: need help on *nat filter for multiple source IP
  2009-04-15 19:00   ` no doubt
@ 2009-04-15 20:59     ` Mart Frauenlob
  2009-04-16  8:38       ` no doubt
  0 siblings, 1 reply; 7+ messages in thread
From: Mart Frauenlob @ 2009-04-15 20:59 UTC (permalink / raw)
  To: netfilter; +Cc: hell.no.doubt

no doubt wrote:
> Hello Mart,
>
> Thanks for the guide. It now works.
>
> -khairul
>
Hello,

Now, as I read this again, I had misread your request.

Guess you figured it out yourself in the meantime.
Actually, I think something like this would be a solution:

iptables -t nat -N my_dnat

iptables -t nat -A my_dnat -s 192.168.4.10  -j RETURN
iptables -t nat -A my_dnat -s 192.168.4.20  -j RETURN
iptables -t nat -A my_dnat -s 192.168.4.100 -j RETURN
iptables -t nat -A my_dnat -j DNAT --to-destination 192.168.3.10

iptables -t nat -A PREROUTING -i eth2 -s 192.168.4.0/24 -p tcp --dport 80 -j my_dnat

iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE

How did you work it out?


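The three rulesets in this thread differ only in where the exception is expressed, and the difference is easiest to see by walking packets through the chains. What follows is an added example, not code from the thread: a small Python model of nat-table PREROUTING evaluation (first-match walk, jump to a user chain, RETURN, DNAT as a terminal verdict, fall-through to the ACCEPT policy) that loads the original three-rule ruleset, the RETURN-chain version from the message above, and khairul's later three-host version, and reports which source addresses get their port-80 traffic redirected. The external address 203.0.113.5, the non-excepted host 192.168.4.50 and the internal destination 192.168.5.1 are constructed test inputs.

```python
"""Model of nat-table PREROUTING evaluation for the rulesets in this thread.

Added example, not code from the thread. It implements just enough of the
netfilter chain semantics to compare the rulesets: first-match walk, jump to
a user chain, RETURN to the caller, DNAT as a terminal verdict, and
fall-through to the chain policy (ACCEPT, i.e. destination unchanged).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    """One iptables rule. src/dst are CIDR strings; *_neg models '! -s' / '! -d'."""
    target: str                     # "DNAT", "RETURN", or a user-chain name
    src: Optional[str] = None
    src_neg: bool = False
    dst: Optional[str] = None
    dst_neg: bool = False
    in_if: Optional[str] = None     # -i
    dport: Optional[int] = None     # -p tcp --dport
    to: Optional[str] = None        # --to-destination (address only)

    def matches(self, pkt: dict) -> bool:
        for net, neg, addr in ((self.src, self.src_neg, pkt["src"]),
                               (self.dst, self.dst_neg, pkt["dst"])):
            # a negated match fails when the address IS in the network,
            # a plain match fails when it is NOT
            if net is not None and (ip_address(addr) in ip_network(net)) == neg:
                return False
        if self.in_if is not None and self.in_if != pkt["iif"]:
            return False
        if self.dport is not None and self.dport != pkt["dport"]:
            return False
        return True


def packet(src, dst="203.0.113.5", iif="eth2", dport=80) -> dict:
    """Constructed test packet; 203.0.113.5 stands in for 'some internet host'."""
    return {"src": src, "dst": dst, "iif": iif, "dport": dport}


def walk(chains, name, pkt):
    """Walk one chain. Returns ('DNAT', to), ('RETURN', None) or (None, None)."""
    for rule in chains[name]:
        if not rule.matches(pkt):
            continue
        if rule.target in ("DNAT", "RETURN"):
            return rule.target, rule.to
        # -j <user chain>: resume here only if the sub-chain RETURNed or fell off its end
        verdict, to = walk(chains, rule.target, pkt)
        if verdict == "DNAT":
            return verdict, to
    return None, None


def destination(chains, pkt) -> str:
    """Destination address after nat PREROUTING (policy ACCEPT => unchanged)."""
    verdict, to = walk(chains, "PREROUTING", pkt)
    return to if verdict == "DNAT" else pkt["dst"]


def dnat_sources(chains, sources, dst="203.0.113.5") -> set:
    """Which of `sources` get their port-80 traffic to `dst` redirected."""
    return {s for s in sources if destination(chains, packet(s, dst)) != dst}


EXCEPTIONS = ["192.168.4.10", "192.168.4.20", "192.168.4.100"]
LAN_HOSTS = EXCEPTIONS + ["192.168.4.50"]   # .50 is a constructed non-excepted host
WEB = "192.168.3.10"

# The original post: one rule per excepted host, each negating only that host.
ORIGINAL = {"PREROUTING": [
    Rule("DNAT", src=h, src_neg=True, dst="192.168.0.0/16", dst_neg=True,
         in_if="eth2", dport=80, to=WEB) for h in EXCEPTIONS]}

# The RETURN-chain version: jump the whole /24 into a chain that RETURNs the exceptions.
MART = {
    "PREROUTING": [Rule("my_dnat", src="192.168.4.0/24", in_if="eth2", dport=80)],
    "my_dnat": [Rule("RETURN", src=h) for h in EXCEPTIONS] + [Rule("DNAT", to=WEB)],
}

# khairul's final ruleset: only the three hosts are jumped, so only they are DNATed.
KHAIRUL = {
    "PREROUTING": [Rule("MY80FWD", src=h, in_if="eth2", dport=80) for h in EXCEPTIONS],
    "MY80FWD": [Rule("DNAT", to=WEB)],
}

if __name__ == "__main__":
    for label, chains in (("original", ORIGINAL), ("RETURN chain", MART),
                          ("three-host jump", KHAIRUL)):
        print(f"{label:16s} DNATed sources: {sorted(dnat_sources(chains, LAN_HOSTS))}")
```

Run it and the original ruleset reports all four hosts redirected: each excepted host is skipped by its own rule but matched by the other two, so negating one address per rule can never express "everyone except these three". The RETURN-chain version reports only 192.168.4.50, and the three-host version reports exactly the three hosts, which is the inversion the rest of the thread is about. Two caveats a practitioner would want: the RETURN-chain version drops the original `-d ! 192.168.0.0/16` match, so port-80 traffic arriving on eth2 for other internal subnets would be redirected too unless that match is put back on the PREROUTING jump rule; and the `-s ! addr` form in the original post is the old intrapositioned negation, which newer iptables releases warn about or reject in favour of `! -s addr`. On a live box, `iptables -t nat -L my_dnat -n -v` shows per-rule packet counters, so you can confirm that traffic from an excepted host hits its RETURN rule rather than the DNAT rule.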

* Re: need help on *nat filter for multiple source IP
  2009-04-15 20:59     ` Mart Frauenlob
@ 2009-04-16  8:38       ` no doubt
  2009-04-16  9:23         ` Mart Frauenlob
  0 siblings, 1 reply; 7+ messages in thread
From: no doubt @ 2009-04-16  8:38 UTC (permalink / raw)
  To: netfilter

Hello Mart,
Yeah, I just tweaked around your config.

Here they are:

iptables -t nat -N MY80FWD
iptables -t nat -A PREROUTING -s 192.168.4.20/32 -i eth2 -p tcp -m tcp --dport 80 -j MY80FWD
iptables -t nat -A PREROUTING -s 192.168.4.10/32 -i eth2 -p tcp -m tcp --dport 80 -j MY80FWD
iptables -t nat -A PREROUTING -s 192.168.4.100/32 -i eth2 -p tcp -m tcp --dport 80 -j MY80FWD
iptables -t nat -A MY80FWD -p tcp -j DNAT --to-destination 192.168.3.10:80

iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE


--khairul


* Re: need help on *nat filter for multiple source IP
  2009-04-16  8:38       ` no doubt
@ 2009-04-16  9:23         ` Mart Frauenlob
  2009-04-16 11:30           ` no doubt
  0 siblings, 1 reply; 7+ messages in thread
From: Mart Frauenlob @ 2009-04-16  9:23 UTC (permalink / raw)
  To: netfilter; +Cc: no doubt

no doubt wrote:
> Hello Mart,
> Yeah, I just tweaked around your config.
>
> Here they are:
>
> iptables -t nat -N MY80FWD
> iptables -t nat -A PREROUTING -s 192.168.4.20/32 -i eth2 -p tcp -m tcp --dport 80 -j MY80FWD
> iptables -t nat -A PREROUTING -s 192.168.4.10/32 -i eth2 -p tcp -m tcp --dport 80 -j MY80FWD
> iptables -t nat -A PREROUTING -s 192.168.4.100/32 -i eth2 -p tcp -m tcp --dport 80 -j MY80FWD
> iptables -t nat -A MY80FWD -p tcp -j DNAT --to-destination 192.168.3.10:80
>
> iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
>
>
> --khairul

Hello,

Well, this is funny then.
Your original request was:

> I would like to achieve that all IPs in 192.168.4.0/24 that are
> accessing an outside internet address on port 80 are redirected to
> 192.168.3.10 port 80, EXCEPT for a few IPs, namely 192.168.4.10,
> 192.168.4.100 and 192.168.4.20.

There must have been some 'unfiltered' mental connection between us :-)
Because I misunderstood your post in just the way you were actually
intending, but somehow not expressing correctly.
Just too funny :-)
You should have asked something like this:

I'd like to redirect http traffic for only 3 hosts of my subnet, while
the rest...

Well, maybe then I would have misread your posting and the result would
not have been the desired one.
lol :-)

Have a nice day

Mart


* Re: need help on *nat filter for multiple source IP
  2009-04-16  9:23         ` Mart Frauenlob
@ 2009-04-16 11:30           ` no doubt
  0 siblings, 0 replies; 7+ messages in thread
From: no doubt @ 2009-04-16 11:30 UTC (permalink / raw)
  To: netfilter

On Thu, Apr 16, 2009 at 5:23 PM, Mart Frauenlob
<mart.frauenlob@chello.at> wrote:
> Hello,
>
> well, this is funny then.
> Your original request was:
>
> Well, maybe I then would have misread your posting and the result would not
> have been the desired one.
> lol :-)


Yeah... I think so.

It's OK, however I figured out what it was and it works. Thanks for the tips.


>
> Have a nice day
>
> Mart
>
