* Re: NATTING for a whole network.
2004-12-09 17:22 NATTING for a whole network Irvin, Michael Thad
From: primero@hdr-roma.it @ 2004-12-10 18:56 UTC (permalink / raw)
To: Irvin, Michael Thad; +Cc: 'netfilter@lists.netfilter.org'
Irvin, Michael Thad wrote:
>I'm kinda new at this iptables thing. I've been running into a problem with
>trying to NAT for a class C subnetted class A network, i.e. 10.168.1.0/24.
>The syntax I've been using is as follows -- $ipt -t nat -A POSTROUTING -o
>$outside -j SNAT -to-source $lan, with the variable $lan = "10.168.1.0/24".
>Every time I've run the script I get the following error: <iptables v.x.x.x
>Bad IP Address. Can anyone please help me with the proper syntax to make
>this work? I've tried various options such as the one above, also including
>the whole subnet mask and playing around with different delimitation
>options; nothing seems to work.
Check out the "MASQUERADE" target ;)
With MASQUERADE you can SNAT all communication that matches your rule with
the IP address of the output interface.
So a rule like
$ipt -t nat -A POSTROUTING -o $outside -j MASQUERADE
should do the trick.
Byez
* Re: NATTING for a whole network.
From: Andreas Grabner @ 2004-12-10 18:58 UTC (permalink / raw)
To: netfilter
Hi,
> I'm kinda new at this iptables thing. I've been running into a problem
> with trying to NAT for a class C subnetted class A network, i.e.
> 10.168.1.0/24. The syntax I've been using is as follows -- $ipt -t nat
> -A POSTROUTING -o $outside -j SNAT -to-source $lan, with the variable
> $lan = "10.168.1.0/24". Every time I've run the script I get the
> following error: <iptables v.x.x.x Bad IP Address. Can anyone please
> help me with the proper syntax to make this work? I've tried various
> options such as the one above, also including the whole subnet mask and
> playing around with different delimitation options; nothing seems to
> work.
I think you have to give the IP address of the $outside interface to
--to-source (not a network address).
Are you trying to reach the Internet from your local net? Then the
following should work:
$ipt -t nat -A POSTROUTING -o $outside -j SNAT --to-source $outsideIP
If you don't have a static IP, use -j MASQ
hth
Andreas Grabner
* Re: NATTING for a whole network.
From: primero@hdr-roma.it @ 2004-12-10 18:58 UTC (permalink / raw)
To: Irvin, Michael Thad; +Cc: 'netfilter@lists.netfilter.org'
Irvin, Michael Thad wrote:
>I'm kinda new at this iptables thing. I've been running into a problem with
>trying to NAT for a class C subnetted class A network, i.e. 10.168.1.0/24.
>The syntax I've been using is as follows -- $ipt -t nat -A POSTROUTING -o
>$outside -j SNAT -to-source $lan, with the variable $lan = "10.168.1.0/24".
>Every time I've run the script I get the following error: <iptables v.x.x.x
>Bad IP Address. Can anyone please help me with the proper syntax to make
>this work? I've tried various options such as the one above, also including
>the whole subnet mask and playing around with different delimitation
>options; nothing seems to work.
>Michael "Thad" Irvin
>Lead Analyst - Internet Engineering
>Citibank Cards Technology
>904.954.2213
>michael.irvin@citicorp.com
Sorry, reading the message again made me see that I had not understood
the problem, because you want to NAT to a complete LAN address ;) ... I
probably need some rest :)
byez
* Re: NATTING for a whole network.
From: Jason Opperisano @ 2004-12-10 18:59 UTC (permalink / raw)
To: netfilter
On Thu, 2004-12-09 at 12:22, Irvin, Michael Thad wrote:
> I'm kinda new at this iptables thing. I've been running into a problem with
> trying to NAT for a class C subnetted class A network, i.e. 10.168.1.0/24.
> The syntax I've been using is as follows -- $ipt -t nat -A POSTROUTING -o
> $outside -j SNAT -to-source $lan, with the variable $lan = "10.168.1.0/24".
are you really trying to source-nat all traffic exiting your outside
interface to 10.168.1.x? you say you're trying to NAT *for* a class C
subnet--while your rule is NATing *to* a class C subnet.
> Every time I've run the script I get the following error: <iptables v.x.x.x
> Bad IP Address. Can anyone please help me with the proper syntax to make
> this work? I've tried various options such as the one above, also including
> the whole subnet mask and playing around with different delimitation
> options; nothing seems to work.
"-j SNAT" does not accept CIDR notation--to get the same effect, you
would need to use a range specified as:
iptables -t nat -A POSTROUTING -o $OUTSIDE \
-j SNAT --to-source 10.168.1.1-10.168.1.254
if your intent is actually to source-nat hosts on the inside that are in
the 10.168.1.0/24 network--your rule would be:
iptables -t nat -A POSTROUTING -o $OUTSIDE -s $LAN \
-j SNAT --to-source $OUTSIDE_IP
where LAN="10.168.1.0/24"
this is also covered clearly in 'man iptables.'
-j
--
"Beer. Now there's a temporary solution."
--The Simpsons
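Added example, not code from any of the posters: a small shell script that builds the rule forms discussed in Jason's reply (the address range that --to-source actually accepts instead of a prefix, the corrected "-s $LAN ... --to-source $OUTSIDE_IP" rule, and the MASQUERADE alternative) and, for John's NETMAP point, computes the 1:1 host-preserving address mapping NETMAP performs. The interface name and the outside address are assumed placeholders, since the thread never gives them; the script only prints rule strings and applies nothing.

```shell
#!/bin/sh
# Added example, not from the thread: builds the POSTROUTING rules discussed in
# the replies above and shows why "--to-source 10.168.1.0/24" cannot work.
# It only prints rule strings; nothing is applied. Interface and address values
# below are constructed placeholders (the thread never gives them).
IPT=iptables
OUTSIDE=eth0                 # assumed name of the Internet-facing interface
OUTSIDE_IP=203.0.113.10      # constructed sample address held by $OUTSIDE
LAN=10.168.1.0/24            # the poster's inside network
ip_to_int() {                # 10.168.1.0 -> 178782464
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int_to_ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}
# SNAT's --to-source takes a single address or an a.b.c.d-e.f.g.h range, never a
# prefix: this turns 10.168.1.0/24 into 10.168.1.1-10.168.1.254 (host addresses only).
cidr_to_range() {
  local net=${1%/*} bits=${1#*/} base mask
  base=$(ip_to_int "$net")
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  base=$(( base & mask ))
  [ "$bits" -ge 31 ] && { int_to_ip "$base"; return; }
  echo "$(int_to_ip $(( base + 1 )))-$(int_to_ip $(( (base | (~mask & 0xFFFFFFFF)) - 1 )))"
}
to_source_arg() {            # normalise a --to-source value; a prefix becomes a range
  case $1 in */*) cidr_to_range "$1" ;; *) echo "$1" ;; esac
}
# Correct form for "NAT for the LAN": match the inside network with -s and rewrite
# the source to the outside interface's own address (pass $OUTSIDE_IP as $1).
snat_rule() {
  echo "$IPT -t nat -A POSTROUTING -o $OUTSIDE -s $LAN -j SNAT --to-source $(to_source_arg "$1")"
}
# Same effect when $OUTSIDE has a dynamic address: the kernel uses the interface address.
masquerade_rule() {
  echo "$IPT -t nat -A POSTROUTING -o $OUTSIDE -s $LAN -j MASQUERADE"
}
# NETMAP (John's suggestion) maps one network onto another 1:1, keeping the host bits:
# netmap_addr 10.168.1.37 192.0.2.0/24 -> 192.0.2.37
netmap_addr() {
  local addr bits mask
  addr=$(ip_to_int "$1"); bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  int_to_ip $(( ($(ip_to_int "${2%/*}") & mask) | (addr & ~mask & 0xFFFFFFFF) ))
}
show_rules() { snat_rule "$OUTSIDE_IP"; masquerade_rule; }
show_rules
```

Calling snat_rule with the LAN prefix instead of the outside address prints the range form from Jason's first rule, which is what the original rule would have had to say to be accepted at all.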
* Re: NATTING for a whole network.
From: John A. Sullivan III @ 2004-12-10 19:02 UTC (permalink / raw)
To: Irvin, Michael Thad; +Cc: 'netfilter@lists.netfilter.org'
On Thu, 2004-12-09 at 12:22, Irvin, Michael Thad wrote:
> I'm kinda new at this iptables thing. I've been running into a problem with
> trying to NAT for a class C subnetted class A network, i.e. 10.168.1.0/24.
> The syntax I've been using is as follows -- $ipt -t nat -A POSTROUTING -o
> $outside -j SNAT -to-source $lan, with the variable $lan = "10.168.1.0/24".
> Every time I've run the script I get the following error: <iptables v.x.x.x
> Bad IP Address. Can anyone please help me with the proper syntax to make
> this work? I've tried various options such as the one above, also including
> the whole subnet mask and playing around with different delimitation
> options; nothing seems to work.
<snip>
I generally use the NETMAP patch from patch-o-matic for this. SNAT/DNAT
does not necessarily create a straight mapping of addresses as far as I
know whereas NETMAP does. In fact we use it all the time in the ISCS
network security project (http://iscs.sourceforge.net) to resolve
conflicting IP address space problems. Hope this helps - John
--
John A. Sullivan III
Open Source Development Corporation
Financially sustainable open source development
http://www.opensourcedevel.com