Mailinglist Archive: opensuse-security (670 mails)
Re: [suse-security] Reverse masquerade one IP ...
- From: Sven Michels <smichels@xxxxxxxxxxxx>
- Date: Tue, 13 Nov 2001 14:38:54 +0100
- Message-id: <3BF1226E.7D1F9FD@xxxxxxxxxxxx>
Sven Michels wrote:
>
> Ray Leach wrote:
> >
> > Hi
> >
> > What would be the reverse of this rule?
> >
> > Sven Michels wrote:
> >
> > > Ray Leach wrote:
> > > >
> > > > Hi
> > > >
> > > > Is it possible to reverse masq just one IP in a subnet?
> > > >
> > > > I have a mail server on a private subnet and I want to reverse masq just
> > > > the IP of the mail server.
> > > Like that:
> > > iptables -A PREROUTING -t nat -p tcp --dport 25 -i $WORLD_DEV -j DNAT --to $MAILSERVERIP
> > >
> >
> > iptables -A POSTROUTING -t nat -p tcp --sport 25 -o $DMZ_NET -j SNAT --to-source $WORLD_IP
>
> you don't need a reverse rule. The server needs to have the default gw set to
> the machine where you used the iptables. It rewrites only the destination
> in the packet. Source is the same.
I was wrong ;) you need a masq rule... normal masquerading like for
other connections (if you don't masq all traffic which is leaving your
wall through $WORLD_DEV).
--
intraDAT AG http://www.intradat.com
Wilhelm-Leuschner-Strasse 7 Tel: +49 69-25629-0
D - 60329 Frankfurt am Main Fax: +49 69-25629-256
Junk mail is war. RFCs do not apply.
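A toy model of what the DNAT rule and the masquerading rule do to a connection in each direction, added here as an example that is not part of the thread and not netfilter's own code; the `Nat` class, the session helpers and all addresses are constructed for illustration. It shows why the reply to a forwarded SMTP connection needs no reverse rule (the connection table undoes the DNAT) while a connection the mail server opens itself does need the normal source NAT.

```python
WORLD_IP = "192.0.2.10"      # public address on $WORLD_DEV (constructed)
MAILSERVERIP = "10.0.0.25"   # private address of the mail server (constructed)

class Nat:
    """Stateful NAT model: the thread's PREROUTING DNAT for inbound SMTP plus
    an optional POSTROUTING SNAT for connections the mail server opens.
    The connection table stands in for netfilter's conntrack."""

    def __init__(self, outbound_snat):
        self.outbound_snat = outbound_snat
        # (src, dst) of a packet as seen after NAT -> (src, dst) for its reply
        self.table = {}

    def translate(self, pkt, direction):
        """pkt = {"src": (ip, port), "dst": (ip, port)}; direction is "in"
        (arriving on $WORLD_DEV) or "out" (leaving towards it)."""
        reply = self.table.get((pkt["src"], pkt["dst"]))
        if reply is not None:
            # Reply to a tracked connection: conntrack undoes the NAT by
            # itself, which is why no explicit reverse rule is needed.
            return {"src": reply[0], "dst": reply[1]}
        if direction == "in" and pkt["dst"] == (WORLD_IP, 25):
            # DNAT rewrites only the destination; the client's source stays,
            # so the mail server must route its answer back through this box.
            new = {"src": pkt["src"], "dst": (MAILSERVERIP, 25)}
        elif direction == "out" and pkt["src"][0] == MAILSERVERIP and self.outbound_snat:
            # A connection the mail server opens itself gets ordinary source
            # NAT: the "normal masquerading" rule from the follow-up.
            new = {"src": (WORLD_IP, pkt["src"][1]), "dst": pkt["dst"]}
        else:
            new = dict(pkt)  # no rule matched: the packet leaves untouched
        # The reply arrives with src/dst swapped relative to the translated
        # packet and must become the swap of the original packet.
        self.table[(new["dst"], new["src"])] = (pkt["dst"], pkt["src"])
        return new

def inbound_session(nat, client=("203.0.113.5", 40000)):
    """Internet client connects to the public address on port 25 and the
    mail server answers; returns (forwarded SYN, translated reply)."""
    fwd = nat.translate({"src": client, "dst": (WORLD_IP, 25)}, "in")
    reply = nat.translate({"src": fwd["dst"], "dst": fwd["src"]}, "out")
    return fwd, reply

def outbound_session(nat, remote=("198.51.100.7", 25)):
    """Mail server delivers to a remote MTA; returns (forwarded SYN,
    translated reply). Without SNAT its private address leaks out."""
    fwd = nat.translate({"src": (MAILSERVERIP, 50000), "dst": remote}, "out")
    reply = nat.translate({"src": remote, "dst": fwd["src"]}, "in")
    return fwd, reply
```

Note that the mail server's reply in `inbound_session` is matched by the connection table before the outbound SNAT rule is considered, so adding the masquerading rule does not disturb the forwarded SMTP sessions.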