A Simple Question on iptables (NAT issue)
Hi, all. My situation is: the gateway (Linux 2.4) imposes NAT on all the traffic from all workstations (configured with public IP addresses rather than private ones) within the LAN. Now I want to set an exception in the NAT rule. That's to say, I want the gateway not to do NAT on *one specific workstation* within the LAN. Could you HELP me on how to do that? I'm quite sorry that I haven't had a good reading on iptables docs. But I'm not likely going to configure iptables other than this time since I'm not a network administrator. I just got the temporary approval from the network administrator who has been busy and gave me the root password to configure the gateway myself. I only want to enable the sshd on one Linux workstation within the LAN so that I may login to do some work when I am far from the LAN. Thanks in advance.
The original NAT config that the admin set was:
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
FW wrote:
The original NAT config that the admin set was:
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
The iptables need a source parameter, like:
iptables -t nat -A POSTROUTING -s <IP address> -o ppp0 -j MASQUERADE
<IPADDRESS> could be a plain (local) address like 192.168.2.3, but also a subnet like 192.168.2.0/24
Regards,
-- Jos van Kan, registered Linux user #152704
Thanks. But my question is how to unNAT a specific host under a situation of universal NAT, while the example you gave is to enable NAT.
-- Check the headers for your unsubscription address
For additional commands send e-mail to suse-linux-e-help@suse.com
Also check the archives at http://lists.suse.com
Please read the FAQs: suse-linux-e-faq@suse.com
On Wednesday 19 April 2006 16:12, FW wrote:
Thanks. But my question is how to unNAT a specific host under a situation of universal NAT, while the example you gave is to enable NAT.
I seem to remember a rule: go from the specific to the less specific. So create a rule for that single ws first, and tell iptables what to do with it. Then add a catch all for the rest.
(Others: please comment on this, cause I'm not quite sure...)
Cheers,
Leen
FW wrote: (reversed the toppost)
Thanks. But my question is how to unNAT a specific host under a situation of universal NAT, while the example you gave is to enable NAT.
Hmm. I can imagine that you don't want to do a total read up on iptables, but I cannot imagine that you don't look into the manpage *at all*, because the solution to that problem is there for all to see. Use "!".
<quote> (from the description of the -s parameter)
A "!" argument before the address specification inverts the sense of the address.
</quote>
On the other hand I'm not sure at all that you want this for the solution of your actual problem as Darryl Gregorash has explained so eloquently.
Regards,
-- Jos van Kan, registered Linux user #152704
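Two answers in this thread deserve a side-by-side check: Leen's rule that the specific rule must come before the catch-all, and Jos's "!" inversion of the -s match. The Python script below is an added example, not code from the list and not iptables itself; it models the first-match evaluation of the nat/POSTROUTING chain so both proposals can be compared without touching a gateway. The admin's rule (-o ppp0 -j MASQUERADE) is taken from the thread; the addresses 192.168.2.3 (the workstation to leave un-NATed) and 192.168.2.7 (any other LAN host) and the interface name eth0 are constructed for the example.

```python
"""Added example: a small model of first-match rule evaluation in the
iptables nat/POSTROUTING chain. It is NOT iptables and NOT code from the
mailing list; it only reproduces the matching order so the two proposals
in the thread (rule ordering, and "! -s") can be compared.

Constructed values: 192.168.2.3 is the workstation to leave un-NATed,
192.168.2.7 stands for any other LAN host, eth0 is the LAN side.
ppp0 and the MASQUERADE rule come from the thread."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    target: str                      # ACCEPT or MASQUERADE
    out_iface: Optional[str] = None  # -o <iface>
    src: Optional[str] = None        # -s <host or CIDR>
    negate_src: bool = False         # "! -s" inverts the source match

    def matches(self, src_ip: str, out_iface: str) -> bool:
        if self.out_iface is not None and self.out_iface != out_iface:
            return False
        if self.src is not None:
            net = ipaddress.ip_network(self.src, strict=False)
            in_net = ipaddress.ip_address(src_ip) in net
            # A plain -s matches when the address is inside the net;
            # "! -s" matches when it is outside.
            if in_net == self.negate_src:
                return False
        return True

    def as_command(self) -> str:
        """The iptables command line this rule corresponds to."""
        parts = ["iptables -t nat -A POSTROUTING"]
        if self.src is not None:
            parts.append(("! -s " if self.negate_src else "-s ") + self.src)
        if self.out_iface is not None:
            parts.append("-o " + self.out_iface)
        parts.append("-j " + self.target)
        return " ".join(parts)


def decide(chain: List[Rule], src_ip: str, out_iface: str,
           policy: str = "ACCEPT") -> str:
    """Return the target of the first matching rule, or the chain policy.

    The nat table is consulted for the first packet of a connection only;
    ACCEPT there means 'leave this connection un-NATed'."""
    for rule in chain:
        if rule.matches(src_ip, out_iface):
            return rule.target
    return policy


# The admin's existing rule, as quoted in the thread.
CATCH_ALL = Rule("MASQUERADE", out_iface="ppp0")
# The exception for the one workstation (constructed address).
EXCEPTION = Rule("ACCEPT", out_iface="ppp0", src="192.168.2.3")

CHAIN_ORIGINAL = [CATCH_ALL]
# Appending the exception after the catch-all (what "-A" does when the
# admin's rule is already loaded): the catch-all is hit first and wins.
CHAIN_WRONG_ORDER = [CATCH_ALL, EXCEPTION]
# Leen's ordering: specific rule first, then the catch-all.
CHAIN_RIGHT_ORDER = [EXCEPTION, CATCH_ALL]
# Jos's variant: a single rule whose source match is inverted with "!".
CHAIN_NEGATED = [Rule("MASQUERADE", out_iface="ppp0",
                      src="192.168.2.3", negate_src=True)]


def compare(src_ip: str, out_iface: str = "ppp0") -> dict:
    """Decision for one source host under each candidate chain."""
    return {
        "original": decide(CHAIN_ORIGINAL, src_ip, out_iface),
        "wrong_order": decide(CHAIN_WRONG_ORDER, src_ip, out_iface),
        "right_order": decide(CHAIN_RIGHT_ORDER, src_ip, out_iface),
        "negated": decide(CHAIN_NEGATED, src_ip, out_iface),
    }


if __name__ == "__main__":
    for name, chain in [("right_order", CHAIN_RIGHT_ORDER),
                        ("negated", CHAIN_NEGATED)]:
        print(f"# {name}")
        for rule in chain:
            print(rule.as_command())
    for host in ("192.168.2.3", "192.168.2.7"):
        print(host, compare(host))
```

Two things the model makes visible. First, with the admin's rule already loaded, `iptables -t nat -A POSTROUTING ...` appends the exception behind it and it never fires; it has to go in ahead of it (`iptables -t nat -I POSTROUTING 1 -s 192.168.2.3 -o ppp0 -j ACCEPT`), and `iptables -t nat -L POSTROUTING -n --line-numbers` shows the resulting order. Second, either variant only stops the gateway from rewriting that workstation's source address on the way out; for the inbound ssh logins FW wants, the workstation's public address still has to be routed to the gateway from outside and the filter table's FORWARD chain has to let the connection through, which is the point Darryl makes in his reply.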
On 18/04/06 23:43, FW wrote:
I'm quite sorry that I haven't had a good reading on iptables docs. But I'm not likely going to configure iptables other than this time since I'm not a network administrator. I just got the temporary approval from the network administrator who has been busy and gave me the root password to configure the gateway myself. I only want to enable the sshd on one Linux workstation within the LAN so that I may login to do some work when I am far from the LAN.
Using NAT on public IPs? Sheesh, does your admin think otherwise you'd all be hosting a game of DOOM on your workstations? :D
The last paragraph there actually suggests you do not really need or want to turn off all NAT for your workstation, but only open the gateway firewall to allow you to ssh to it. This problem is very easy to solve.
If this is a SuSE system with a firewall configured in YaST, you only need to do the following in the firewall configuration (don't type in the quotes, YaST will supply them as needed):
set FW_ROUTE to "yes"
set FW_FORWARD as follows: "0/0,
Hi Daryl,
I just read your post about NAT (OP from FW). For a while I was thinking how I could forward some ports. I think you gave the answer.
My procedure :
set FW_ROUTE to "yes"
set FW_FORWARD : "192.168.10.0/24,
,tcp, "
This will forward network traffic without doing any masquerading; if you want to allow external systems to access things like a web server, but that server is on a private IP inside your LAN, you need to use FW_FORWARD_MASQ instead.
On 20/04/06 09:26, Koenraad Lelong wrote:
If I do this I think I would be able to access a samba-server from the outside. Before you say "don't do this, security" I will add that between the Suse-machine and the 'net I have a VPN router/firewall. The other side of the VPN tunnel will have net-address 192.168.10.x. I think this is a secure setup. I hope you can confirm this.
A VPN is really just a connection between two private networks, with the added twist that at one point, the traffic between the two must travel on the internet. I have no experience with a VPN, so I cannot say for sure if using FW_FORWARD is correct. With the information given for that variable (see /etc/sysconfig/SuSEfirewall2), I would think it is not: "With this option you may allow access to e.g. your mailserver. The machines must have valid, non-private, IP addresses which were assigned to you by your ISP. This opens a direct link to the specified network, so please think twice befor using this option!"
participants (5): Darryl Gregorash, FW, Jos van Kan, Koenraad Lelong, Leendert Meyer