Mailinglist Archive: opensuse (3337 mails)

< Previous Next >
Re: [SLE] Re: A Simple Question on iptables (NAT issue)
  • From: Darryl Gregorash <raven@xxxxxxxxxxxxx>
  • Date: Wed, 19 Apr 2006 19:20:59 -0600
  • Message-id: <4446E1FB.5040001@xxxxxxxxxxxxx>
On 18/04/06 23:43, FW wrote:
>The original NAT config that the admin set was:
>iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>On 4/19/06, FW <frost.wrath@xxxxxxxxx> wrote:
>>Hi, all.
>>My situation is:
>>the gateway(Linux 2.4) imposes NAT on all the traffic from all
>>workstations(configured with public IP addresses rathar than private
>>ones) within the LAN.
>>Now I want to set an exception in the NAT rule. That's to say, I want
>>the gateway not to do NAT on *one specific workstation* within the
>>LAN. Could you HELP me
>>on how to do that?
>>I'm quite sorry that I haven't had a good reading on iptables docs.
>>But I'm not likely going to configure iptables other than this time
>>since I'm not an network administrator. I just got the temperory
>>approval from the network administrator who has been busy and gave me
>>the root password to configure the gateway myself. I only want to
>>enable the sshd on one Linux workstation within the LAN so that I may
>>login to do some work when I am far from the LAN.

Using NAT on public IPs? Sheesh, does your admin think otherwise you'd
all be hosting a game of DOOM on your workstations? :D

The last paragraph there actually suggests you do not really need or
want to turn off all NAT for your workstation, but only open the gateway
firewall to allow you to ssh to it. This problem is very easy to solve.

If this is a SuSE system with a firewall configured in YaST, you only
need to do the following in the firewall configuration (don't type in
the quotes, YaST will supply them as needed):

set FW_ROUTE to "yes"
set FW_FORWARD as follows: "0/0,<your_workstation_IP>,tcp,22"

If you have one single IP you will be working from, you can put that IP
in place of the "0/0" part, eg. ",<workstation_IP>,tcp,22". If
there is anything already in the FW_FORWARD variable, just add your
information on the end (separated from the existing information by a
space). If you have several static IPs you will be using, create a
separate block for each one, eg. ",<workstation_IP>,tcp,22,<workstation_IP>,tcp,22". The firewall script will take care of
network traffic in both directions once your incoming connection is
established. It also creates a rule to log any such incoming connections
(which will come in handy if anyone tries to bust into your system).

If I have read the SuSEfirewall script correctly, this will allow you to
ssh into your workstation from outside your LAN, but anything you do
*from* the workstation (including ssh sessions to, say, your home
system) will still follow NAT rules.

Your admin may be using some firewall generator other than YaST; if so,
I cannot help you, but the above remarks may assist you to figure it out
on your own. I also prefer not to make any suggestions at this time
concerning modifications to any custom firewall script the admin may
have written, certainly not without first having been able to review
that script. While the modifications you require are quite
straightforward, writing them into the wrong locations in the script may
have unforeseen consequences. If he has written his own script, then
with his permission, I would be happy to look at it, and suggest what
modifications are needed to achieve the desired result.

< Previous Next >