* NATTING for a whole network.
From: Irvin, Michael Thad @ 2004-12-09 17:22 UTC (permalink / raw)
To: 'netfilter@lists.netfilter.org'
I'm kinda new at this iptables thing. I've been running into a problem with
trying to NAT for a class C subnetted class A network, i.e. 10.168.1.0/24.
The syntax I've been using is as follows -- $ipt -t nat -A POSTROUTING -o
$outside -j SNAT -to-source $lan, with the variable $lan = "10.168.1.0/24".
Every time I've run the script I get the following error: "iptables v.x.x.x
Bad IP Address". Can anyone please help me with the proper syntax to make
this work? I've tried various options such as the one above, also including
the whole subnet mask and playing around with different delimitation
options; nothing seems to work.
Michael "Thad" Irvin
Lead Analyst - Internet Engineering
Citibank Cards Technology
904.954.2213
michael.irvin@citicorp.com
* Re: NATTING for a whole network.
From: primero@hdr-roma.it @ 2004-12-10 18:56 UTC (permalink / raw)
To: Irvin, Michael Thad; +Cc: 'netfilter@lists.netfilter.org'
Irvin, Michael Thad wrote:
>I'm kinda new at this iptables thing. I've been running into a problem with
>trying to NAT for a class C subnetted class A network, i.e. 10.168.1.0/24.
>The syntax I've been using is as follows -- $ipt -t nat -A POSTROUTING -o
>$outside -j SNAT -to-source $lan, with the variable $lan = "10.168.1.0/24".
>Every time I've run the script I get the following error: "iptables v.x.x.x
>Bad IP Address". Can anyone please help me with the proper syntax to make
>this work? I've tried various options such as the one above, also including
>the whole subnet mask and playing around with different delimitation
>options; nothing seems to work.
Check out the "MASQUERADE" target ;)
With MASQUERADE you can SNAT all communication that "matches" your rule with
the IP address of the output interface.
So a rule like
$ipt -t nat -A POSTROUTING -o $outside -j MASQUERADE
should do the trick.
Byez
* Re: NATTING for a whole network.
From: Andreas Grabner @ 2004-12-10 18:58 UTC (permalink / raw)
To: netfilter
Hi,
> I'm kinda new at this iptables thing. I've been running into a problem
> with trying to NAT for a class C subnetted class A network, i.e.
> 10.168.1.0/24. The syntax I've been using is as follows -- $ipt -t nat
> -A POSTROUTING -o $outside -j SNAT -to-source $lan, with the variable
> $lan = "10.168.1.0/24". Every time I've run the script I get the
> following error: "iptables v.x.x.x Bad IP Address". Can anyone please
> help me with the proper syntax to make this work? I've tried various
> options such as the one above, also including the whole subnet mask and
> playing around with different delimitation options; nothing seems to
> work.
I think you have to give the IP address of the $outside interface to
--to-source (not a network address).
Are you trying to reach the Internet from your local net? Then the
following should work:
$ipt -t nat -A POSTROUTING -o $outside -j SNAT --to-source $outsideIP
If you don't have a static IP, use -j MASQ
hth
Andreas Grabner
* Re: NATTING for a whole network.
From: primero@hdr-roma.it @ 2004-12-10 18:58 UTC (permalink / raw)
To: Irvin, Michael Thad; +Cc: 'netfilter@lists.netfilter.org'
Irvin, Michael Thad wrote:
>I'm kinda new at this iptables thing. I've been running into a problem with
>trying to NAT for a class C subnetted class A network, i.e. 10.168.1.0/24.
>The syntax I've been using is as follows -- $ipt -t nat -A POSTROUTING -o
>$outside -j SNAT -to-source $lan, with the variable $lan = "10.168.1.0/24".
>Every time I've run the script I get the following error: "iptables v.x.x.x
>Bad IP Address". Can anyone please help me with the proper syntax to make
>this work? I've tried various options such as the one above, also including
>the whole subnet mask and playing around with different delimitation
>options; nothing seems to work.
>
>Michael "Thad" Irvin
>Lead Analyst - Internet Engineering
>Citibank Cards Technology
>904.954.2213
>michael.irvin@citicorp.com
Sorry, reading the message again made me see that I hadn't understood
the problem, because you want to NAT to a complete LAN address ;) ... I
should get some rest maybe :)
byez
* Re: NATTING for a whole network.
From: Jason Opperisano @ 2004-12-10 18:59 UTC (permalink / raw)
To: netfilter
On Thu, 2004-12-09 at 12:22, Irvin, Michael Thad wrote:
> I'm kinda new at this iptables thing. I've been running into a problem with
> trying to NAT for a class C subnetted class A network, i.e. 10.168.1.0/24.
> The syntax I've been using is as follows -- $ipt -t nat -A POSTROUTING -o
> $outside -j SNAT -to-source $lan, with the variable $lan = "10.168.1.0/24".
are you really trying to source-nat all traffic exiting your outside
interface to 10.168.1.x? you say you're trying to NAT *for* a class C
subnet--while your rule is NATing *to* a class C subnet.
> Every time I've run the script I get the following error: "iptables v.x.x.x
> Bad IP Address". Can anyone please help me with the proper syntax to make
> this work? I've tried various options such as the one above, also including
> the whole subnet mask and playing around with different delimitation
> options; nothing seems to work.
"-j SNAT" does not accept CIDR notation--to get the same effect, you
would need to use a range specified as:
iptables -t nat -A POSTROUTING -o $OUTSIDE \
-j SNAT --to-source 10.168.1.1-10.168.1.254
if your intent is actually to source-nat hosts on the inside that are in
the 10.168.1.0/24 network--your rule would be:
iptables -t nat -A POSTROUTING -o $OUTSIDE -s $LAN \
-j SNAT --to-source $OUTSIDE_IP
where LAN="10.168.1.0/24"
this is also covered clearly in 'man iptables.'
-j
--
"Beer. Now there's a temporary solution."
--The Simpsons
* Re: NATTING for a whole network.
From: John A. Sullivan III @ 2004-12-10 19:02 UTC (permalink / raw)
To: Irvin, Michael Thad; +Cc: 'netfilter@lists.netfilter.org'
On Thu, 2004-12-09 at 12:22, Irvin, Michael Thad wrote:
> I'm kinda new at this iptables thing. I've been running into a problem with
> trying to NAT for a class C subnetted class A network, i.e. 10.168.1.0/24.
> The syntax I've been using is as follows -- $ipt -t nat -A POSTROUTING -o
> $outside -j SNAT -to-source $lan, with the variable $lan = "10.168.1.0/24".
> Every time I've run the script I get the following error: "iptables v.x.x.x
> Bad IP Address". Can anyone please help me with the proper syntax to make
> this work? I've tried various options such as the one above, also including
> the whole subnet mask and playing around with different delimitation
> options; nothing seems to work.
<snip>
I generally use the NETMAP patch from patch-o-matic for this. SNAT/DNAT
do not necessarily create a straight mapping of addresses as far as I
know, whereas NETMAP does. In fact we use it all the time in the ISCS
network security project (http://iscs.sourceforge.net) to resolve
conflicting IP address space problems. Hope this helps - John
--
John A. Sullivan III
Open Source Development Corporation
Financially sustainable open source development
http://www.opensourcedevel.com