Linux Netfilter discussions
From: "Rob Sterenborg (lists)" <lists@sterenborg.info>
To: J Webster <jw.jwebster@gmail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: masquerade error
Date: Fri, 14 Oct 2011 12:27:19 +0200
Message-ID: <1318588039.3179.16.camel@ns014530.dcyb.net>
In-Reply-To: <4E980794.7040906@googlemail.com>

On Fri, 2011-10-14 at 10:57 +0100, J Webster wrote:
> The problem is that the connection comes from a VPN client so I do not 
> usually know the external IP.

Yes, well, if MASQUERADE is disabled and you can only use SNAT but you
don't know the --to address, then it may not be possible to do what you
want because you can't create a valid rule. Maybe someone else has a
better idea or the VPS provider can shed some more light.

> All I know is that they connect on the tun/vpn networks of 10.8.0.0/24 
> and 172.16.0.0/24.
> In the mangle section do I put:
> *mangle
> :PREROUTING ACCEPT [19588:10233482]
> :INPUT ACCEPT [19588:10233482]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [18858:10334564]
> -A POSTROUTING -s 10.8.0.0/255.255.255.0 -o venet0 -j SNAT --to-source xxx.xxx.xxx.xxx
> -A POSTROUTING -s 172.16.0.0/255.255.255.0 -o venet0 -j SNAT --to-source xxx.xxx.xxx.xxx
> :POSTROUTING ACCEPT [18858:10334564]
> COMMIT

Did you actually check 'man iptables'? Because the man says:

'SNAT    This  target  is only valid in the nat table, in the
POSTROUTING chain.'

Unless there's something missing (or I'm missing something) in the
above, you're trying to use the mangle table to do NAT.

> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [18851:10333352]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 20 -m state --state NEW -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 8002 -m state --state NEW -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 9001 -m state --state NEW -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 8080 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1935 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 443 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 1194 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> *nat
> :PREROUTING ACCEPT [1234:59200]
> :POSTROUTING ACCEPT [338:21268]
> :OUTPUT ACCEPT [338:21268]
> COMMIT


--
Rob
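Editor's added example (not code posted by either participant in this thread). The man page line Rob quotes is the whole problem: SNAT, like DNAT, MASQUERADE and REDIRECT, is accepted only in the nat table, so iptables-restore rejects the quoted *mangle section at load time. The script below lints an iptables-save dump for NAT-only targets placed in any other table, picks the address that `--to-source` has to name (the public address the server itself holds on venet0, which is the one MASQUERADE would have looked up automatically), and emits the *nat section that carries the two SNAT rules where the kernel accepts them. The interface name venet0 and the networks 10.8.0.0/24 and 172.16.0.0/24 come from the thread; 203.0.113.10 is a documentation address standing in for the redacted xxx.xxx.xxx.xxx, and both sample inputs are constructed here.

```shell
#!/bin/sh
# Added example for this thread, not code posted by either participant.
# 1) lint_nat_targets: flag NAT-only targets (SNAT/DNAT/MASQUERADE/REDIRECT)
#    that sit outside the *nat table, which is what the quoted *mangle does.
# 2) pick_public_ipv4: from `ip -4 -o addr show dev venet0` output, choose the
#    address SNAT --to-source has to name (the server's own public address).
# 3) nat_section: emit the *nat table that carries the SNAT rules where the
#    kernel accepts them.
# Assumptions: venet0, 10.8.0.0/24 and 172.16.0.0/24 come from the thread;
# 203.0.113.10 (documentation range) stands in for the redacted address; the
# two sample inputs below are constructed, not captured from the poster's VPS.

# Constructed: the posted ruleset with the SNAT rules misplaced in *mangle.
SAMPLE_DUMP='*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to-source 203.0.113.10
-A POSTROUTING -s 172.16.0.0/24 -o venet0 -j SNAT --to-source 203.0.113.10
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Constructed: plausible `ip -4 -o addr show dev venet0` output for a container
# that holds a host-scoped loopback-range address plus one public address.
SAMPLE_ADDR='2: venet0    inet 127.0.0.2/32 scope host venet0
2: venet0    inet 203.0.113.10/32 brd 203.0.113.10 scope global venet0:0'

# lint_nat_targets DUMP: print "table: rule" for each NAT-only target outside
# the nat table. iptables-restore rejects such rules when loading.
lint_nat_targets() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2); next }
        /-j (SNAT|DNAT|MASQUERADE|REDIRECT)( |$)/ && table != "nat" {
            print table ": " $0
        }'
}

# pick_public_ipv4 ADDR_OUTPUT: first inet address that is neither loopback,
# link-local nor RFC 1918 private; prints nothing if there is none.
pick_public_ipv4() {
    printf '%s\n' "$1" | awk '
        {
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "inet") { split($(i + 1), a, "/"); ip = a[1] }
            if (ip == "") next
            if (ip ~ /^127\./ || ip ~ /^169\.254\./ || ip ~ /^10\./ ||
                ip ~ /^192\.168\./ || ip ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) next
            print ip
            exit
        }'
}

# nat_section EXT_IP NET...: the *nat section with one SNAT rule per VPN
# network. MASQUERADE would look the address up on venet0 by itself; with that
# target unavailable, SNAT needs it spelled out, which is what EXT_IP is for.
nat_section() {
    ext_ip=$1
    shift
    printf '*nat\n:PREROUTING ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    for net in "$@"; do
        printf '%s -s %s -o venet0 -j SNAT --to-source %s\n' '-A POSTROUTING' "$net" "$ext_ip"
    done
    printf 'COMMIT\n'
}

echo "NAT targets outside *nat in the posted ruleset:"
lint_nat_targets "$SAMPLE_DUMP"
ext_ip=$(pick_public_ipv4 "$SAMPLE_ADDR")
echo
echo "Corrected *nat section using $ext_ip:"
nat_section "$ext_ip" 10.8.0.0/24 172.16.0.0/24
```

On the real container, feed `pick_public_ipv4 "$(ip -4 -o addr show dev venet0)"` instead of the constructed sample, and run the generated section through `iptables-restore --test` before loading it; a restore file that names only *nat leaves the filter and mangle tables untouched. Forwarding between tun0 and venet0 also needs net.ipv4.ip_forward=1, which the quoted ruleset does not show either way.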



Thread overview: 11+ messages
2011-10-11  7:01 masquerade error J Webster
2011-10-11 13:31 ` Jan Sarenik
2011-10-11 13:43 ` J Webster
2011-10-12 18:18   ` J Webster
2011-10-13 14:09     ` Jan Sarenik
2011-10-14  7:34     ` J Webster
2011-10-14  8:55       ` Rob Sterenborg (lists)
2011-10-14  9:05         ` Rob Sterenborg (lists)
     [not found]           ` <4E980738.5040202@googlemail.com>
2011-10-14  9:57             ` J Webster
2011-10-14 10:27               ` Rob Sterenborg (lists) [this message]
2011-10-14 11:45                 ` J Webster
