I am still digging into this and I think I am making progress grokking it somewhat... I think I found what Andrei was referring to with his suggestion to use the --persistent option; it has nothing to do with making my changes to the iptables persistent, instead it has something to do with giving "a client the same source-/destination-address for each connection." I don't really understand what this means but it sounds good... Anyway, I think I need to refine my earlier guess as to what iptables commands I need; for example, for the first static IP address that I want to forward to one of my internal systems it might look like this?

$ iptables -t nat -A PREROUTING -d 111.222.333.11 -i eth0+ -j DNAT --persistent --to-destination 192.168.10.10
$ iptables -t nat -A POSTROUTING -s 192.168.10.10 -o eth1 -j SNAT --persistent --to-source 111.222.333.11

Please let me know if this is correct. I am still not sure how to persist these settings across a reboot, and how to add these while co-existing with the settings in /etc/sysconfig/SuSEfirewall. I did find a couple of commands, iptables-save and iptables-restore, that look promising, but I am not sure how to automate using them while using SuSEfirewall. If these are what I have to use, how best do I integrate them into the boot-up/system startup? Am I on the right path? Thanks again in advance for suggestions/advice/show-and-tell comments!

Marc..

On 02/24/2019 09:31 AM, Marc Chamberlin wrote:
Boy did the formatting of my post come out bad for some reason (thanks Thunderbird), I will attempt to repost it with corrections...
Andrei, James - I am struggling to get off the ground with iptables; I have never had to dink with firewalls at this low level before because folks have always provided me with easy-to-use tools like SuSEFirewall2 and YaST2 before ;-) So my Googling has come up with this representation of the commands I need to give; can you verify these for me? eth0 is my external-facing NIC, eth1 is my internal-facing NIC.

$ echo 1 > /proc/sys/net/ipv4/ip_forward
$ iptables -t nat -A PREROUTING -d 111.222.333.11 -i eth1 -j DNAT --to-destination 192.168.10.10
$ iptables -t nat -A POSTROUTING -s 192.168.10.10 -o eth0 -j SNAT --to-source 111.222.333.11
I also labeled my additional IP addresses on the external NIC with the hostname that I want to route that particular IP address to, so instead of using eth0 should I be using eth0:hostname instead? So for example should this latter command be -
$ iptables -t nat -A POSTROUTING -s 192.168.10.10 -o eth0:hostname -j SNAT --to-source 111.222.333.11
I believe this is what Andrei is calling NAT routing? James, you seem to be saying there is another way to accomplish what I want without doing NAT; can you say more? I don't want to break anything on my system by experimenting around with stuff that I am not familiar with, so I figured I had better ask before I do anything. And please remember I am a neophyte with iptables, so showing me the commands is really helpful; there is a LOT of stuff about iptables to grok!

Does iptables persist these settings somewhere for me, or is there a file/script somewhere I have to edit and add these commands to? I think Andrei might have been pointing me in the right direction with his reference to the --persistent suggestion, but I don't see it in the man pages for iptables, so I am not sure where he wanted me to use that option.
Marc...
On 02/24/2019 05:48 AM, James Knott wrote:
On 02/24/2019 01:52 AM, Andrei Borzenkov wrote:
Yes, you can forward traffic to a specific external address to a specific internal address and mangle packets in the reverse direction to have this outgoing address. This is exactly what Network *Address* Translation is for. I do not know if SUSEfirewall2 offers high-level means to configure it; on the iptables level this would be DNAT for packets entering the external interface and SNAT on packets leaving the external interface. In which case you probably want to use --persistent to simplify tracking.

If he has a block of addresses, why not use them as is, instead of this NAT nonsense? NAT is a hack to get around the IPv4 address shortage and it introduces its own problems.
Incidentally the world is moving to IPv6, where NAT is not used. For example, I have a /56 prefix, which gives me 256x 18.4 billion, billion addresses to use. No NAT needed. I just set up my firewall rules as appropriate.
This is one thing that really bugs me about NAT. It's become so common that people think it's the right way to do things. It's not, it's a hack!
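The DNAT/SNAT pair the thread is circling around, written out as an added example that is not from any of the posters: a POSIX sh generator that emits an iptables-restore ruleset for one-to-one NAT of public addresses onto internal hosts. Both translation rules key on the external interface (DNAT on the way in, SNAT on the way out), FORWARD rules are added because the filter table otherwise drops the translated packets on a firewall whose FORWARD policy is DROP, and every address is validated first; note that the placeholder 111.222.333.11 used above is not a valid IPv4 address, since no octet can exceed 255. The interface names eth0/eth1, the public address 203.0.113.11 and the host 192.168.10.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore ruleset that
# maps public IPv4 addresses one-to-one onto internal hosts.
# Assumed layout: $1 = external NIC (e.g. eth0), $2 = internal NIC (e.g. eth1),
# remaining arguments = "public:private" address pairs. Addresses are made up.

# Accept only a dotted quad whose four octets are all in 0..255.
valid_ipv4() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the ruleset to stdout. Both NAT rules key on the *external* NIC:
# DNAT rewrites the destination as a packet enters from the outside,
# SNAT rewrites the source as a packet from the internal host leaves.
# --persistent keeps the same mapping for every connection of a client.
nat_ruleset() {
    ext_if=$1
    int_if=$2
    shift 2
    for pair in "$@"; do
        pub=${pair%%:*}
        priv=${pair#*:}
        if ! valid_ipv4 "$pub" || ! valid_ipv4 "$priv"; then
            echo "nat_ruleset: bad mapping '$pair'" >&2
            return 1
        fi
    done
    printf '%s\n' '*nat'
    for pair in "$@"; do
        pub=${pair%%:*}
        priv=${pair#*:}
        printf '%s\n' "-A PREROUTING -i $ext_if -d $pub -j DNAT --persistent --to-destination $priv"
        printf '%s\n' "-A POSTROUTING -o $ext_if -s $priv -j SNAT --persistent --to-source $pub"
    done
    printf '%s\n' 'COMMIT'
    # The filter table sees the already-DNATed destination, so FORWARD matches
    # on the internal address. Without these, a DROP policy on FORWARD silently
    # discards the translated packets even though the NAT rules are correct.
    printf '%s\n' '*filter'
    for pair in "$@"; do
        priv=${pair#*:}
        printf '%s\n' "-A FORWARD -i $ext_if -o $int_if -d $priv -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
        printf '%s\n' "-A FORWARD -i $int_if -o $ext_if -s $priv -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Usage (as root): write the ruleset to a file, syntax-check it, then load it
# without flushing the rules another tool such as SuSEfirewall2 already installed:
#   nat_ruleset eth0 eth1 203.0.113.11:192.168.10.10 > /etc/iptables-nat.rules
#   iptables-restore --test    < /etc/iptables-nat.rules
#   iptables-restore --noflush < /etc/iptables-nat.rules
```

Forwarding still has to be switched on (net.ipv4.ip_forward = 1, persisted through sysctl rather than written to /proc by hand), and loading the file with --noflush rather than a plain iptables-restore is what keeps the generated chains from replacing whatever the distribution firewall has already put in place.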