FW wrote:

The original NAT config that the admin set was:

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

On 4/19/06, FW wrote:

...

Hi, all.

My situation is:

the gateway(Linux 2.4) imposes NAT on all the traffic from all workstations(configured with public IP addresses rathar than private ones) within the LAN.

Now I want to set an exception in the NAT rule. That's to say, I want the gateway not to do NAT on *one specific workstation* within the LAN. Could you HELP me on how to do that?

The iptables need a source parameter, like: iptables -t nat -A POSTROUTING -s <IP address> -o ppp0 -j MASQUERADE <IPADDRESS> could be a plain (local) address like 192.168.2.3, but also a subnet like 192.168.2.0/24 Regards, -- Jos van Kan registered Linux user #152704

On Wednesday 19 April 2006 16:12, FW wrote:

Thanks. But my question is how to unNAT a specific host under a situation of universal NAT, whihe the  example you gave is to enable NAT.

I seem to remember a rule: go from the specific to the less specific. So create a rule for that single ws first, and tell iptables what to do with it. Then add a catch all for the rest. (Others: please comment on this, cause I'm not quite sure...) Cheers, Leen

On 18/04/06 23:43, FW wrote:

The original NAT config that the admin set was:

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

On 4/19/06, FW wrote:

...

Hi, all.

My situation is:

the gateway(Linux 2.4) imposes NAT on all the traffic from all workstations(configured with public IP addresses rathar than private ones) within the LAN.

Now I want to set an exception in the NAT rule. That's to say, I want the gateway not to do NAT on *one specific workstation* within the LAN. Could you HELP me on how to do that?

I'm quite sorry that I haven't had a good reading on iptables docs. But I'm not likely going to configure iptables other than this time since I'm not an network administrator. I just got the temperory approval from the network administrator who has been busy and gave me the root password to configure the gateway myself. I only want to enable the sshd on one Linux workstation within the LAN so that I may login to do some work when I am far from the LAN.

Using NAT on public IPs? Sheesh, does your admin think otherwise you'd all be hosting a game of DOOM on your workstations? :D The last paragraph there actually suggests you do not really need or want to turn off all NAT for your workstation, but only open the gateway firewall to allow you to ssh to it. This problem is very easy to solve. If this is a SuSE system with a firewall configured in YaST, you only need to do the following in the firewall configuration (don't type in the quotes, YaST will supply them as needed): set FW_ROUTE to "yes" set FW_FORWARD as follows: "0/0,,tcp,22" If you have one single IP you will be working from, you can put that IP in place of the "0/0" part, eg. "1.2.3.4,,tcp,22". If there is anything already in the FW_FORWARD variable, just add your information on the end (separated from the existing information by a space). If you have several static IPs you will be using, create a separate block for each one, eg. "1.2.3.4,,tcp,22 4.3.2.1,,tcp,22". The firewall script will take care of network traffic in both directions once your incoming connection is established. It also creates a rule to log any such incoming connections (which will come in handy if anyone tries to bust into your system). If I have read the SuSEfirewall script correctly, this will allow you to ssh into your workstation from outside your LAN, but anything you do *from* the workstation (including ssh sessions to, say, your home system) will still follow NAT rules. Your admin may be using some firewall generator other than YaST; if so, I cannot help you, but the above remarks may assist you to figure it out on your own. I also prefer not to make any suggestions at this time concerning modifications to any custom firewall script the admin may have written, certainly not without first having been able to review that script. While the modifications you require are quite straightforward, writing them into the wrong locations in the script may have unforeseen consequences. If he has written his own script, then with his permission, I would be happy to look at it, and suggest what modifications are needed to achieve the desired result.

Hi Daryl,

I just read your post about NAT (OP from FW). For a while I was thinking how I could forward some ports. I think you gave the answer. My procedure : set FW_ROUTE to "yes" set FW_FORWARD : "192.168.10.0/24,,tcp," This will forward network traffic without doing any masquerading; if you want to allow external systems to access things like a web server, but

On 20/04/06 09:26, Koenraad Lelong wrote: that server is on a private IP inside your LAN, you need to use FW_FORWARD_MASQ instead.

If I do this I think I would be able to access a samba-server from the outside. Before you say "don't do this, security" I will add that between the Suse-machine and the 'net I have a VPN router/firewall. The other side of the VPN tunnel will have net-address 192.168.10.x. I think this is a secure setup. I hope you can confirm this.

A VPN is really just a connection between two private networks, with the added twist that at one point, the traffic between the two must travel on the internet. I have no experience with a VPN, so I cannot say for sure if using FW_FORWARD is correct. With the information given for that variable (see /etc/sysconfig/SuSEfirewall2), I would think it is not: "With this option you may allow access to e.g. your mailserver. The machines must have valid, non-private, IP addresses which were assigned to you by your ISP. This opens a direct link to the specified network, so please think twice befor using this option!"