From: Philip Craig <philipc@snapgear.com>
To: "Coutts, Ashe (Testing Account)" <ATest@sbsdk12.org>
Cc: netfilter@lists.netfilter.org
Subject: Re: Not quite understanding DNAT
Date: Fri, 25 Jul 2003 10:14:28 +1000
Message-ID: <3F207664.1000109@snapgear.com>
In-Reply-To: <3F1FA56E.28480.E59161E@localhost>
Coutts, Ashe (Testing Account) wrote:
> It is working almost as I expected except for the following. The DNAT
> connections come into the system fine but are seen as originating from the
> eth0 interface rather than their eth0:x interface. So, when attaching to a linux
> cpu with ssh I am needing to place the ip# for the eth0 interface in the
> hosts.allow file rather than the much more restrictive eth0:x ip#. Can it be set
> up so the connection is between the external eth0:x ip# and its linked internal
> ip#?
If all you are doing is DNATing, then the source address should be
the real external source address, not eth0 *or* eth0:x.
> ## Setup NAT from entire WAN to the outside world
> /sbin/iptables --table nat --append POSTROUTING --source 0.0.0.0/0 \
> --jump SNAT --to 204.48.178.2
But here we see that you are SNATing everything. This is probably
not what you want. I expect you only want to SNAT outgoing traffic:
## Setup NAT from entire WAN to the outside world
/sbin/iptables --table nat --append POSTROUTING --out-interface eth0 \
--jump SNAT --to 204.48.178.2
With this rule, you should now place the real external hosts in
your hosts.allow, rather than any IP address that belongs to the
firewall.
--
Philip Craig - philipc@snapgear.com - http://www.SnapGear.com
SnapGear - Custom Embedded Solutions and Security Appliances
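The rule set the reply is describing, written out as a complete script. This is an added example, not the original poster's script or anything from SnapGear: it pairs a PREROUTING DNAT rule per eth0:x alias address with the corrected POSTROUTING SNAT rule that matches only on --out-interface eth0. The public address 204.48.178.2 is the one quoted in the thread; the alias addresses, the internal host addresses and the interface name are assumed values for illustration. By default the script only prints the iptables commands; set IPT=/sbin/iptables to apply them as root.

```shell
#!/bin/sh
# Added example, not the original poster's script: the NAT rule set the reply
# recommends, with SNAT limited to traffic leaving the WAN interface.
# Constructed/assumed values: 204.48.178.2 is the firewall's public address
# quoted in the thread; the eth0:x alias addresses and internal hosts in
# ALIAS_MAP are made up for illustration.
# By default the commands are only printed. Run with IPT=/sbin/iptables
# (as root) to apply them.
IPT="${IPT:-echo /sbin/iptables}"

WAN_IF=eth0
PUBLIC_IP=204.48.178.2

# "alias-address internal-address" pairs, one per line (constructed sample data)
ALIAS_MAP="204.48.178.10 192.168.1.10
204.48.178.11 192.168.1.11"

# DNAT: a packet arriving on the WAN interface for an alias address is
# redirected to the matching internal host. Only the destination changes, so
# the internal host (and its hosts.allow check) still sees the real client
# source address.
dnat_rule() {
    $IPT --table nat --append PREROUTING --in-interface "$WAN_IF" \
        --destination "$1" --jump DNAT --to-destination "$2"
}

# SNAT only for packets that leave through the WAN interface. The original
# rule (--source 0.0.0.0/0 with no interface match) also hit DNATed inbound
# connections on their way to the LAN, rewriting their source to the eth0
# address, which is exactly the symptom reported in the thread.
snat_rule() {
    $IPT --table nat --append POSTROUTING --out-interface "$WAN_IF" \
        --jump SNAT --to-source "$PUBLIC_IP"
}

# Emit the complete nat table: flush, one DNAT per alias, then the SNAT.
nat_ruleset() {
    $IPT --table nat --flush
    echo "$ALIAS_MAP" | while read -r alias_ip inside_ip; do
        [ -n "$alias_ip" ] && dnat_rule "$alias_ip" "$inside_ip"
    done
    snat_rule
}

nat_ruleset
```

With the SNAT rule keyed on the outgoing interface, a DNATed connection leaves the firewall on the LAN side untouched, so the internal host's hosts.allow can list the real external client addresses instead of the firewall's own. Order matters only within a chain: the DNAT rules live in PREROUTING and the SNAT rule in POSTROUTING, so the flush followed by these appends is sufficient.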