* Newbie request
@ 2006-12-12 7:34 Nandan Bhat
2006-12-12 8:31 ` Rob Sterenborg
0 siblings, 1 reply; 5+ messages in thread
From: Nandan Bhat @ 2006-12-12 7:34 UTC (permalink / raw)
To: netfilter
Hi,
I am trying to set up an old machine that has two NICs, running Fedora Core 5.
I have two Class C networks (I hope I got that right).
eth0 is assigned 192.168.1.6/255.255.255.0.
eth1 is set to DHCP and is part of 192.168.0.0/24.
I need some machines on the 192.168.1.0/24 network to be able to get/send
mail using 192.168.0.10. Mail is limited to these networks and does not
go to the outside world.
I have gone through the Linux-IP-Masquerade HOWTO and feel that I don't
need a very liberal ruleset. Only SMTP/POP functionality, especially
connecting to 192.168.0.10, is sufficient.
My question is: Do I need a SNAT rule, or should I try something with
nat+FORWARD? I just went through the iptables manual and am somewhat able to
understand the rules in the HOWTO's stronger firewall example.
Thanks in advance,
Nandan Bhat
* Re: Newbie request
From: Rob Sterenborg @ 2006-12-12 8:31 UTC (permalink / raw)
To: netfilter
On Tue, December 12, 2006 08:34, Nandan Bhat wrote:
> Hi,
>
>
> I am trying to set up an old machine that has two NICs, running Fedora Core 5.
> I have two Class C networks (I hope I got that right).
> eth0 is assigned 192.168.1.6/255.255.255.0. eth1 is set to DHCP and is part of
> 192.168.0.0/24.
>
>
> I need some machines on the 192.168.1.0/24 network to be able to get/send
> mail using 192.168.0.10. Mail is limited to these networks and does not go to
> the outside world.
>
> I have gone through the Linux-IP-Masquerade HOWTO and feel that I don't
> need a very liberal ruleset. Only SMTP/POP functionality, especially connecting
> to 192.168.0.10, is sufficient.
>
> My question is: Do I need a SNAT rule, or should I try something with
> nat+FORWARD? I just went through the iptables manual and am somewhat able to
> understand the rules in the HOWTO's stronger firewall example.
No. You can just route from 192.168.0.0/24 to 192.168.1.0/24 and back without
using NAT.
You can filter packets you don't want to be routed.
$ipt -P FORWARD DROP
$ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A FORWARD -m state --state NEW -s 192.168.0.0/24 \
-d 192.168.1.0/24 -m mport -p tcp --dports 25,110 -j ACCEPT
$ipt -A FORWARD -m state --state NEW -s 192.168.1.0/24 \
-d 192.168.0.0/24 -m mport -p tcp --dports 25,110 -j ACCEPT
The last 2 rules can also be split into 4 rules if you don't have the mport
module:
$ipt -A FORWARD -m state --state NEW -s 192.168.0.0/24 \
-d 192.168.1.0/24 -p tcp --dport 25 -j ACCEPT
$ipt -A FORWARD -m state --state NEW -s 192.168.0.0/24 \
-d 192.168.1.0/24 -p tcp --dport 110 -j ACCEPT
$ipt -A FORWARD -m state --state NEW -s 192.168.1.0/24 \
-d 192.168.0.0/24 -p tcp --dport 25 -j ACCEPT
$ipt -A FORWARD -m state --state NEW -s 192.168.1.0/24 \
-d 192.168.0.0/24 -p tcp --dport 110 -j ACCEPT
Don't forget to:
echo 1 > /proc/sys/net/ipv4/ip_forward
Grts,
Rob
* Re: Newbie request
From: Pascal Hambourg @ 2006-12-12 10:47 UTC (permalink / raw)
To: netfilter
Hello,
Rob Sterenborg wrote:
> On Tue, December 12, 2006 08:34, Nandan Bhat wrote:
>>
>>I need some machines on the 192.168.1.0/24 network to be able to get/send
>>mail using 192.168.0.10. Mail is limited to these networks and does not go to
>>the outside world.
>>
>>My question is: Do I need a SNAT rule or should I try something with
>>nat+FORWARD?
>
> No. You can just route from 192.168.0.0/24 to 192.168.1.0/24 and back without
> using NAT.
But then host 192.168.0.10 needs a route back to
192.168.1.0/24, either directly via the eth1 IP address (so it had better be
fixed), or indirectly via the default gateway, which must have a route to
192.168.1.0/24 via the eth1 IP address. Otherwise you must do SNAT or MASQUERADE
for 192.168.1.0/24 on eth1:
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j MASQUERADE
> $ipt -A FORWARD -m state --state NEW -s 192.168.0.0/24 \
> -d 192.168.1.0/24 -m mport -p tcp --dports 25,110 -j ACCEPT
> $ipt -A FORWARD -m state --state NEW -s 192.168.1.0/24 \
> -d 192.168.0.0/24 -m mport -p tcp --dports 25,110 -j ACCEPT
>
> The last 2 rules can also be split into 4 rules if you don't have the mport
> module:
Or just use the more standard 'multiport' match instead.
* Re: Newbie request
From: Rob Sterenborg @ 2006-12-12 11:10 UTC (permalink / raw)
To: netfilter
On Tue, December 12, 2006 11:47, Pascal Hambourg wrote:
> Hello,
>
> Rob Sterenborg wrote:
>
>>> My question is: Do I need a SNAT rule or should I try something with
>>> nat+FORWARD?
>>
>> No. You can just route from 192.168.0.0/24 to 192.168.1.0/24 and back
>> without using NAT.
>
> But then host 192.168.0.10 needs a route back to
> 192.168.1.0/24, either directly via the eth1 IP address (so it had better be
> fixed), or indirectly via the default gateway, which must have a route to
> 192.168.1.0/24 via the eth1 IP address. Otherwise you must do SNAT or MASQUERADE
> for 192.168.1.0/24 on eth1:
Yes, I was assuming that the default gateway is set to the router's IP, but in
fact we don't know about the connection to the internet which is there
somewhere.
>> $ipt -A FORWARD -m state --state NEW -s 192.168.0.0/24 \
>> -d 192.168.1.0/24 -m mport -p tcp --dports 25,110 -j ACCEPT
>> $ipt -A FORWARD -m state --state NEW -s 192.168.1.0/24 \
>> -d 192.168.0.0/24 -m mport -p tcp --dports 25,110 -j ACCEPT
>>
>>
>> The last 2 rules can also be split into 4 rules if you don't have the mport
>> module:
>
> Or just use the more standard 'multiport' match instead.
I keep getting confused with these two... I thought it was mport, but someday
I'll remember.
Grts,
Rob
* Re: Newbie request
From: Grant Taylor @ 2006-12-13 2:37 UTC (permalink / raw)
To: Mail List - Netfilter
On 12/12/06 05:10, Rob Sterenborg wrote:
> Yes, I was assuming that the default gateway is set to the router's IP, but in
> fact we don't know about the connection to the internet which is there
> somewhere.
No, we do not know about the gateway. However, recall from the OP that
"eth1 is set to DHCP and is part of 192.168.0.0/24", which means that
the route back to the 192.168.1.0/24 network could change as the
"router in question" reboots. So, either the routers are running some
sort of routing protocol, or the 192.168.1.0/24 network needs to be
"hidden" from the 192.168.0.0/24 network. This is very easily
accomplished with SNAT / MASQUERADE.
Something to keep in mind is that the source IP is a dynamic IP on the
192.168.0.0/24 network, so it would be better if MASQUERADE was used
versus SNAT. SNAT does not clear out stale NAT translations like
MASQUERADE does when the IP for the interface changes.
Grant. . . .
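As an added illustration (written for this archive page, not code from any of the posters above): a small Python model of the two things the thread settles. First, Rob's stateful FORWARD chain, evaluated first-match-wins with policy DROP, so you can see which flows it lets through. Second, the return-path problem Pascal and Grant raise: the mail server at 192.168.0.10 only answers a 192.168.1.0/24 client if its own routing table sends the reply to the router's eth1 address, and Pascal's MASQUERADE rule on eth1 sidesteps that by making the traffic appear to come from that address. The client address (192.168.1.20), the router's DHCP-assigned eth1 address (192.168.0.57), the default gateway (192.168.0.1) and the server's routing tables are constructed for the example; only 192.168.0.10 and 192.168.1.6 come from the thread. This is a model of rule and route evaluation, not a call into netfilter itself.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# From the thread: the mail server and the router's eth0 address.
MAIL_SERVER = "192.168.0.10"
ROUTER_ETH0 = "192.168.1.6"
# Constructed for the example: the router's DHCP lease on eth1, a client on the
# eth0 side, and the default gateway on the 192.168.0.0/24 segment.
ROUTER_ETH1 = "192.168.0.57"
CLIENT = "192.168.1.20"
DEFAULT_GW = "192.168.0.1"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    state: str  # conntrack state: NEW, ESTABLISHED, RELATED or INVALID


# Rob's FORWARD chain. Each rule is (states, src net, dst net, proto, dports, target);
# None means "this rule does not match on that field". Like an iptables chain,
# the first matching rule decides, and the chain policy applies if none matches.
FORWARD_POLICY = "DROP"
FORWARD_RULES = [
    ({"RELATED", "ESTABLISHED"}, None, None, None, None, "ACCEPT"),
    ({"NEW"}, "192.168.0.0/24", "192.168.1.0/24", "tcp", {25, 110}, "ACCEPT"),
    ({"NEW"}, "192.168.1.0/24", "192.168.0.0/24", "tcp", {25, 110}, "ACCEPT"),
]


def forward_verdict(pkt: Packet) -> str:
    """Walk the FORWARD chain and return the verdict for one packet."""
    for states, src, dst, proto, dports, target in FORWARD_RULES:
        if pkt.state not in states:
            continue
        if src is not None and ip_address(pkt.src) not in ip_network(src):
            continue
        if dst is not None and ip_address(pkt.dst) not in ip_network(dst):
            continue
        if proto is not None and pkt.proto != proto:
            continue
        if dports is not None and pkt.dport not in dports:
            continue
        return target
    return FORWARD_POLICY


def postrouting_src(pkt: Packet, out_iface: str, masquerade: bool) -> str:
    """Pascal's rule: -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j MASQUERADE.
    MASQUERADE rewrites the source to the outgoing interface's current address."""
    if masquerade and out_iface == "eth1" and ip_address(pkt.src) in ip_network("192.168.1.0/24"):
        return ROUTER_ETH1
    return pkt.src


def next_hop(dst: str, routes) -> str:
    """Longest-prefix lookup in a list of (network, gateway). A gateway of None
    means on-link, in which case the next hop is the destination itself."""
    best = None
    for net, gw in routes:
        n = ip_network(net)
        if ip_address(dst) in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1] if best[1] is not None else dst


def mail_session_works(masquerade: bool, server_routes) -> bool:
    """A client on the eth0 side opens SMTP to the mail server. The session works
    only if FORWARD accepts the SYN and the server's first hop for its reply is
    the router's eth1 address. (Pascal's indirect case, a default gateway that
    itself knows 192.168.1.0/24, is deliberately not modelled here.)"""
    syn = Packet(CLIENT, MAIL_SERVER, "tcp", 25, "NEW")
    if forward_verdict(syn) != "ACCEPT":  # FORWARD runs before POSTROUTING
        return False
    src_on_wire = postrouting_src(syn, "eth1", masquerade)
    return next_hop(src_on_wire, server_routes) == ROUTER_ETH1


# Constructed routing tables for 192.168.0.10: the on-link /24 plus a default
# route, optionally with a static route for 192.168.1.0/24 via the router.
SERVER_ROUTES_PLAIN = [("192.168.0.0/24", None), ("0.0.0.0/0", DEFAULT_GW)]
SERVER_ROUTES_STATIC = SERVER_ROUTES_PLAIN + [("192.168.1.0/24", ROUTER_ETH1)]
# Grant's point: the router's DHCP lease changed, so the static route is stale.
SERVER_ROUTES_STALE = SERVER_ROUTES_PLAIN + [("192.168.1.0/24", "192.168.0.58")]

if __name__ == "__main__":
    print("no NAT, no route back :", mail_session_works(False, SERVER_ROUTES_PLAIN))
    print("no NAT, static route  :", mail_session_works(False, SERVER_ROUTES_STATIC))
    print("no NAT, stale route   :", mail_session_works(False, SERVER_ROUTES_STALE))
    print("MASQUERADE on eth1    :", mail_session_works(True, SERVER_ROUTES_PLAIN))
```

Running it shows the four outcomes the thread walks through: plain routing with no route back fails, a static route on the server via the router's eth1 address works until that DHCP lease changes, and MASQUERADE on eth1 works with no cooperation from the server or the gateway because the reply goes to an address that is on-link for 192.168.0.10.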