* Excluding IP ranges from masquerade rules
From: Ted Kaczmarek @ 2003-10-13 9:44 UTC (permalink / raw)
To: netfilter
I presently exclude 1 IP block in POSTROUTING using
"! X.X.X.X/24". Is there a way to specify multiple ranges that are
excluded?
or
Is there a way to have POSTROUTING only have an effect on a certain
interface?
If anyone has a good link on this it would be appreciated; I looked
through some of the docs already but there are many more :-)
Thanks,
Ted
* RE: Excluding IP ranges from masquerade rules
From: Rob Sterenborg @ 2003-10-13 10:03 UTC (permalink / raw)
To: netfilter
> I presently exclude 1 IP block in POSTROUTING using "!
> X.X.X.X/24". Is there a way to specify multiple ranges that
> are excluded?
If you mean to specify a range instead of a complete block, there is a
Netfilter "iprange" patch for that. You'll have to compile a new kernel
and iptables.
http://www.netfilter.org/documentation/pomlist/pom-base.html#iprange
Create multiple rules for each range you want to exclude.
> Is there a way to have POSTROUTING only have an effect on a
> certain interface?
iptables -t nat -A POSTROUTING -o <if_out> ...
You cannot use "-i <if_in>".
See "man iptables".
Rob
* Re: Excluding IP ranges from masquerade rules
From: Ralf Spenneberg @ 2003-10-13 13:24 UTC (permalink / raw)
To: tedkaz; +Cc: Netfilter
On Mon, 2003-10-13 at 11:44, Ted Kaczmarek wrote:
> I presently exclude 1 IP block in POSTROUTING using
> "! X.X.X.X/24". Is there a way to specify multiple ranges that are
> excluded?
Only if you can combine them in one network, like:
10.0.0.0/8 and 11.0.0.0/8 can be written as 10.0.0.0/7
> or
> Is there a way to have POSTROUTING only have an effect on a certain
> interface?
You can use -o eth0 to specify the interface in your rules.
Cheers,
Ralf
--
Ralf Spenneberg
RHCE, RHCX
Book: Intrusion Detection für Linux Server http://www.spenneberg.com
IPsec-Howto http://www.ipsec-howto.org
Honeynet Project Mirror: http://honeynet.spenneberg.org
* Re: Excluding IP ranges from masquerade rules
From: Ted Kaczmarek @ 2003-10-14 2:39 UTC (permalink / raw)
To: Ralf Spenneberg; +Cc: Netfilter
Thanks to all for the great responses and choices, but I like
Ulrich Gebauer's way the best :-)
iptables -t nat -A POSTROUTING -s x.x.x.x/x -j ACCEPT
iptables -t nat -A POSTROUTING -s y.y.y.y -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE
Makes the most sense to me and will be the easiest way for me to teach
others.
Thanks again,
Ted
On Mon, 2003-10-13 at 09:24, Ralf Spenneberg wrote:
> On Mon, 2003-10-13 at 11:44, Ted Kaczmarek wrote:
> > I presently exclude 1 IP block in POSTROUTING using
> > "! X.X.X.X/24". Is there a way to specify multiple ranges that are
> > excluded?
> Only if you can combine them in one network, like:
> 10.0.0.0/8 and 11.0.0.0/8 can be written as 10.0.0.0/7
>
> > or
> > Is there a way to have POSTROUTING only have an effect on a certain
> > interface?
> You can use -o eth0 to specify the interface in your rules.
>
> Cheers,
>
> Ralf
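As an added example (not from anyone in this thread), the following Python script combines Ralf's point about merging adjacent blocks into one supernet with the ACCEPT-before-MASQUERADE layout Ted settled on: it takes a list of CIDR blocks or dashed ranges, collapses them into the minimal set of prefixes, and prints the nat POSTROUTING rules restricted to one outgoing interface. The interface name, table and chain arguments and the sample exclusion list are assumptions for illustration; IPv4 only.

```python
import ipaddress
from typing import Iterable, List


def exclusions_to_networks(specs: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Normalise exclusions into the smallest set of CIDR blocks.

    Accepts "10.0.0.0/8" style blocks and "a.b.c.d-w.x.y.z" style ranges.
    Adjacent or overlapping blocks are merged, so 10.0.0.0/8 plus
    11.0.0.0/8 becomes 10.0.0.0/7; a dashed range is split into the
    CIDR blocks that cover it exactly (no over-matching of extra hosts).
    """
    nets = []
    for spec in specs:
        spec = spec.strip()
        if "-" in spec:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            # strict=False lets "192.168.1.5/24" mean the /24 it belongs to
            nets.append(ipaddress.ip_network(spec, strict=False))
    return list(ipaddress.collapse_addresses(nets))


def masquerade_rules(excluded: Iterable[str], out_if: str = "eth0",
                     table: str = "nat", chain: str = "POSTROUTING") -> List[str]:
    """Return the iptables commands: one ACCEPT per excluded block, then MASQUERADE.

    Order matters: iptables stops at the first matching target, so the
    ACCEPT rules must be appended before the MASQUERADE rule, otherwise
    the exclusions never fire. "-o" limits everything to one interface.
    """
    base = f"iptables -t {table} -A {chain} -o {out_if}"
    rules = [f"{base} -s {net.with_prefixlen} -j ACCEPT"
             for net in exclusions_to_networks(excluded)]
    rules.append(f"{base} -j MASQUERADE")
    return rules


if __name__ == "__main__":
    # constructed sample: two adjacent /8s, a small host range, one /24
    sample = ["10.0.0.0/8", "11.0.0.0/8", "192.168.5.1-192.168.5.3", "172.16.0.0/24"]
    for rule in masquerade_rules(sample, out_if="eth1"):
        print(rule)
```

Review the printed rules before running them as root; the script itself never touches the firewall.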