24.02.2019 20:31, Marc Chamberlin wrote:
Boy did the formatting of my post come out bad for some reason (thanks Thunderbird), I will attempt to repost it with corrections...
Andrei, James - I am struggling to get off the ground with iptables, I have never had to dink with firewalls at this low level before because folks have always provided me with easy to use tools like SuSEFirewall2 and YaST2 before ;-) So my Googling has come up with this representation of the commands I need to give, can you verify these for me? eth0 is my external facing NIC, eth1 is my internal facing NIC.
$ echo 1 > /proc/sys/net/ipv4/ip_forward
Routing should have already been enabled in your case, you are already using this system as a router.
$ iptables -t nat -A PREROUTING -d 111.222.333.11 -i eth0 -j DNAT --to-destination 192.168.10.10
$ iptables -t nat -A POSTROUTING -s 192.168.10.10 -o eth0 -j SNAT --to-source 111.222.333.11
Yes.
I also labeled my additional IP addresses on the external NIC with the hostname that I want to route that particular IP address to, so instead of using eth0 should I be using eth0:hostname instead? So for example should this latter command be -
$ iptables -t nat -A POSTROUTING -s 192.168.10.10 -o eth0:hostname -j SNAT --to-source 111.222.333.11
I do not think so. You still have just one interface and multiple addresses on it. But try and tell us :)
I believe this is what Andrei is calling NAT routing? James you seem to be saying there is another way to accomplish doing what I want without doing NAT, can you say more? I don't want to break anything on my system by experimenting around with stuff that I am not familiar with, so figured I better ask before I do anything. And please remember I am a neophyte with iptables so showing me the commands is really helpful, there is a LOT of stuff about iptables to grok!
Alternative is to simply plug the cable from your ISP into a switch, connect all hosts to it and assign the hosts addresses you got from your ISP. This means each host will be directly connected to the Internet. This requires (or at least is made easier by) a full address block from your ISP. Note that from a security point of view it is the same as the above two commands.
Does iptables persist these settings somewhere for me or is there a file/script somewhere I have to edit and add these commands? I think
You need to check SUSEfirewall2 manuals. I presume it has some place where you can add arbitrary rules.
Andrei might have been pointing me in the right direction with his reference to the --persistent suggestion but I don't see it in the man pages for iptables so I am not sure where he wanted me to use that option.
--persistent is useful when you configure forwarding to multiple addresses and makes sure a specific client is always forwarded to the same address. If you make a 1-to-1 forwarding it does not matter. Sorry for the confusion.
Marc...
On 02/24/2019 05:48 AM, James Knott wrote:
On 02/24/2019 01:52 AM, Andrei Borzenkov wrote:
Yes, you can forward traffic to a specific external address to a specific internal address and mangle packets in the reverse direction to have this outgoing address. This is exactly what Network *Address* Translation is for. I do not know if SUSEfirewall2 offers high level means to configure it, on the iptables level this would be DNAT for packets entering the external interface and SNAT on packets leaving the external interface. In which case you probably want to use --persistent to simplify tracking.
If he has a block of addresses, why not use them as is, instead of this NAT nonsense? NAT is a hack to get around the IPv4 address shortage and it introduces its own problems.
Incidentally the world is moving to IPv6, where NAT is not used. For example, I have a /56 prefix, which gives me 256x 18.4 billion, billion addresses to use. No NAT needed. I just set up my firewall rules as appropriate.
This is one thing that really bugs me about NAT. It's become so common that people think it's the right way to do things. It's not, it's a hack!
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
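The DNAT/SNAT pair discussed in this thread, as an added example that is not code from any of the posters: a small POSIX sh generator that prints the iptables commands for 1:1 NAT between several public addresses on the external NIC and hosts behind the internal NIC. It assumes eth0 is external and eth1 internal, uses addresses from the documentation range 203.0.113.0/24 in place of the real ones, and the `PUBLIC=PRIVATE[=ports]` mapping syntax is this script's own convention. It also emits the FORWARD-chain rules the nat table does not cover, and it rejects an address with an octet above 255 before anything reaches iptables.

```shell
#!/bin/sh
# Added example (not from the thread): generate 1:1 NAT rules for a router
# with one external NIC carrying several public addresses and one internal
# NIC.  Interface names and the 203.0.113.x addresses below are assumptions.
#
# Usage: gen_nat_rules EXT_IF INT_IF PUBLIC=PRIVATE[=tcp,ports] ...
# Only prints the commands; review them, then run as root: sh thisfile | sh
# Persist afterwards with: iptables-save > /etc/sysconfig/iptables (path varies)

# Return 0 if $1 is a dotted quad with every octet in 0..255.
is_ipv4() {
    case $1 in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, leading/trailing/empty octet
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

gen_nat_rules() {
    ext_if=$1; int_if=$2; shift 2
    [ $# -gt 0 ] || { echo "usage: gen_nat_rules EXT_IF INT_IF PUBLIC=PRIVATE[=ports] ..." >&2; return 1; }

    # nat rules only rewrite headers; the filter table still has to let the
    # forwarded packets through.  Replies (both directions) by conntrack state:
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    for map in "$@"; do
        case $map in *=*) ;; *) echo "bad mapping (need PUBLIC=PRIVATE): $map" >&2; return 1 ;; esac
        pub=${map%%=*}
        rest=${map#*=}
        priv=${rest%%=*}
        ports=${rest#*=}
        [ "$ports" != "$rest" ] || ports=      # no third field -> no port restriction

        is_ipv4 "$pub" && is_ipv4 "$priv" || { echo "bad address in mapping: $map" >&2; return 1; }

        # Inbound: packets for the public address arrive on the EXTERNAL NIC;
        # rewrite the destination to the inside host before routing.
        echo "iptables -t nat -A PREROUTING -i $ext_if -d $pub -j DNAT --to-destination $priv"
        # Outbound: traffic from the inside host leaves with its own public
        # address instead of the router's primary one.  1:1 mapping, so
        # --persistent is not needed here.
        echo "iptables -t nat -A POSTROUTING -o $ext_if -s $priv -j SNAT --to-source $pub"
        # New inbound connections: FORWARD sees the already-DNATed destination.
        # With a port list, only those TCP ports are reachable from outside.
        if [ -n "$ports" ]; then
            echo "iptables -A FORWARD -i $ext_if -o $int_if -d $priv -p tcp -m multiport --dports $ports -m conntrack --ctstate NEW -j ACCEPT"
        else
            echo "iptables -A FORWARD -i $ext_if -o $int_if -d $priv -m conntrack --ctstate NEW -j ACCEPT"
        fi
        # Outbound connections initiated by the inside host.
        echo "iptables -A FORWARD -i $int_if -o $ext_if -s $priv -j ACCEPT"
    done
}

# Constructed invocation: two published hosts, the first limited to SSH/HTTPS.
gen_nat_rules eth0 eth1 203.0.113.11=192.168.10.10=22,443 203.0.113.12=192.168.10.20
```

Two caveats for anyone applying this. The FORWARD rules only mean something if the chain's policy is DROP (or a later rule drops); with the kernel default of ACCEPT every host behind the router is already reachable once the DNAT is in place, so set the policy deliberately. And rules added by hand are lost at reboot and flushed whenever SuSEfirewall2 reloads, so they have to go through whatever custom-rule hook that tool provides or be restored from an `iptables-save` dump.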