linux-admin.vger.kernel.org archive mirror
* IPTables again: selective NAT?
@ 2005-03-11 20:25 Jens Knoell
  2005-03-11 21:44 ` Grant Coady
  2005-03-11 21:44 ` Andreas Unterkircher
  0 siblings, 2 replies; 4+ messages in thread
From: Jens Knoell @ 2005-03-11 20:25 UTC (permalink / raw)
  To: linux-admin

Is it possible to selectively enable NAT? i.e. I want to NAT everything 
from 192.168.0.0/24 and nothing from 192.168.1.0/24 ...?

Thanks
J


* Re: IPTables again: selective NAT?
From: Grant Coady @ 2005-03-11 21:44 UTC (permalink / raw)
  To: Jens Knoell; +Cc: linux-admin

On Fri, 11 Mar 2005 13:25:52 -0700, you wrote:

>Is it possible to selectively enable NAT? i.e. I want to NAT everything 
>from 192.168.0.0/24 and nothing from 192.168.1.0/24 ...?

Yes, anything is possible, clarify your query please.

Cheers,
Grant.


* Re: IPTables again: selective NAT?
From: Andreas Unterkircher @ 2005-03-11 21:44 UTC (permalink / raw)
  To: linux-admin; +Cc: Jens Knoell

What about:

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to yourIP

iptables -t nat -A POSTROUTING -j DROP
or
iptables -t nat -P POSTROUTING DROP

Andreas

Jens Knoell wrote:

> Is it possible to selectively enable NAT? i.e. I want to NAT 
> everything from 192.168.0.0/24 and nothing from 192.168.1.0/24 ...?
>
> Thanks
> J


* Re: IPTables again: selective NAT?
From: Jens Knoell @ 2005-03-11 22:16 UTC (permalink / raw)
  To: linux-admin

Andreas Unterkircher wrote:

> Jens Knoell wrote:
>
>> Is it possible to selectively enable NAT? i.e. I want to NAT 
>> everything from 192.168.0.0/24 and nothing from 192.168.1.0/24 ...?
>>
>> Thanks
>> J
> What about:
>
> iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to yourIP
>
> iptables -t nat -A POSTROUTING -j DROP
> or
> iptables -t nat -P POSTROUTING DROP
>
> Andreas

I don't quite think that'll do the job... so as requested, a clarification:

The network layout is like this:
eth0 is hooked up to the LAN and has a private IP (say, 10.0.0.1)
eth1 is hooked up to the DMZ and has a public IP (say, 12.13.14.15)

There's an IPsec gateway running on this machine for connecting outlying 
offices to the central office.

The machine does NAT connections to the outside world. Then there are 
the IPsec connections... and that's what's giving me headaches:

If an IPsec client connects to the server at 12.13.14.15, it connects 
the remote LAN to the office LAN. As an example, let's say I have an 
office in NYC which connects to my central office, say in Utah.
So:
Utah server has WAN 12.13.14.15, Utah LAN has 10.0.0.1/24
NYC IPsec router has 44.33.22.11, NYC LAN has 192.168.0.1/27

When the IPsec connection establishes, the routing table automatically 
adds the necessary entries. I can ping from NYC to Utah, but NOT from 
Utah to NYC.

The lines responsible for NAT are:
# Enable NAT
/usr/sbin/iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 12.13.14.15
# Allow NAT from inside only
/usr/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/usr/sbin/iptables -A INPUT -m state --state NEW -i ! eth1 -j ACCEPT
/usr/sbin/iptables -A INPUT -m state --state NEW -i eth1 -j REJECT

As best as I can tell, the packets from the Utah server to the NYC 
router get NAT'ed at least by the Utah server. Which I am trying to 
explicitly avoid. If I throw out the first line from above, things work 
just fine. Since the NYC router has a static IP I figured I just disable 
NAT for anything going to 44.33.22.11 and should be done with it. Except 
that I cannot figure out how to do that :/

Does that make sense?

J
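As an added illustration (not code from anyone in the thread), a small Python model of first-match evaluation in the nat POSTROUTING chain for the layout described above. It assumes a kernel-native IPsec stack, where the not-yet-encapsulated packet traverses POSTROUTING on eth1 with the NYC LAN address as its destination, and shows why the exception has to name the remote LAN (192.168.0.0/27) and sit before the SNAT rule, rather than match the peer's 44.33.22.11; the 10.0.0.5 and 198.51.100.7 addresses in the comments and test are constructed.

```python
# Constructed first-match model of the nat POSTROUTING chain for the thread's
# Utah/NYC layout. The strings use iptables syntax, but nothing touches the kernel.
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    out_if: Optional[str] = None                 # -o
    dst: Optional[ipaddress.IPv4Network] = None  # -d
    target: str = "ACCEPT"                       # -j
    to_source: Optional[str] = None              # --to-source (SNAT only)

    def matches(self, dst: str, out_if: str) -> bool:
        if self.out_if is not None and out_if != self.out_if:
            return False
        return self.dst is None or ipaddress.IPv4Address(dst) in self.dst

def parse_rule(line: str) -> Rule:
    """Parse the subset of 'iptables -t nat -A POSTROUTING ...' used below."""
    args, rule, i = shlex.split(line), Rule(), 0
    while i < len(args):
        if args[i] == "-o":
            rule.out_if = args[i + 1]
        elif args[i] == "-d":
            rule.dst = ipaddress.IPv4Network(args[i + 1])
        elif args[i] == "-j":
            rule.target = args[i + 1]
        elif args[i] == "--to-source":
            rule.to_source = args[i + 1]
        else:
            i += 1  # iptables, -t, nat, -A, POSTROUTING: no match semantics
            continue
        i += 2
    return rule

def postrouting_src(rules: list, src: str, dst: str, out_if: str) -> str:
    """Source address the packet leaves with: the first matching rule decides."""
    for rule in rules:
        if rule.matches(dst, out_if):
            return rule.to_source if rule.target == "SNAT" else src
    return src  # chain policy ACCEPT: untouched

# The thread's rule: everything leaving eth1 is SNATed, the IPsec traffic included.
ORIGINAL = [parse_rule("iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 12.13.14.15")]
# Exempting only the peer's public IP fails: at POSTROUTING (before ESP) the dst is the NYC LAN.
PEER_ONLY = [parse_rule("iptables -t nat -A POSTROUTING -d 44.33.22.11 -j ACCEPT")] + ORIGINAL
# Fix: exempt the remote LAN itself, and order the exception before the SNAT rule.
FIXED = [parse_rule("iptables -t nat -A POSTROUTING -o eth1 -d 192.168.0.0/27 -j ACCEPT")] + ORIGINAL
```

On a real box the same fix is to insert the exempting rule ahead of the SNAT rule in the nat POSTROUTING chain; on kernels with the policy match, `-m policy --dir out --pol ipsec -j ACCEPT` expresses the exception without naming each remote LAN.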

