Andrei, James - I am struggling to get off the ground with iptables, I have never had to dink with firewalls at this low level before because folks have always provided me with easy to use tools like SuSEFirewall2 and YaST2 before ;-) So my Googling has come up with this representation of the commands I need to give, can you verify these for me? eth0 is my external facing NIC, eth1 is my internal facing NIC.

    $ echo 1 > /proc/sys/net/ipv4/ip_forward
    $ iptables -t nat -A PREROUTING -d 111.222.333.11 -i eth1 -j DNAT --to-destination 192.168.10.10
    $ iptables -t nat -A POSTROUTING -s 192.168.10.10 -o eth0 -j SNAT --to-source 111.222.333.11

I also labeled my additional IP addresses on the external NIC with the hostname that I want to route that particular IP address to, so instead of using eth0 should I be using eth0:hostname instead? So for example should this latter command be -

    $ iptables -t nat -A POSTROUTING -s 192.168.10.10 -o eth0:hostname -j SNAT --to-source 111.222.333.11

I believe this is what Andrei is calling NAT routing? James, you seem to be saying there is another way to accomplish doing what I want without doing NAT, can you say more? I don't want to break anything on my system by experimenting around with stuff that I am not familiar with, so I figured I better ask before I do anything. And please remember I am a neophyte with iptables, so showing me the commands is really helpful, there is a LOT of stuff about iptables to grok!

Does iptables persist these settings somewhere for me or is there a file/script somewhere I have to edit and add these commands? I think Andrei might have been pointing me in the right direction with his reference to the --persistent suggestion but I don't see it in the man pages for iptables so I am not sure where he wanted me to use that option.

Marc...

On 02/24/2019 05:48 AM, James Knott wrote:
> On 02/24/2019 01:52 AM, Andrei Borzenkov wrote:
>> Yes, you can forward traffic to a specific external address to a specific internal address and mangle packets in the reverse direction to have this outgoing address. This is exactly what Network *Address* Translation is for. I do not know if SUSEfirewall2 offers high level means to configure it; on the iptables level this would be DNAT for packets entering the external interface and SNAT on packets leaving the external interface. In which case you probably want to use --persistent to simplify tracking.
>
> If he has a block of addresses, why not use them as is, instead of this NAT nonsense? NAT is a hack to get around the IPv4 address shortage and it introduces its own problems.
>
> Incidentally the world is moving to IPv6, where NAT is not used. For example, I have a /56 prefix, which gives me 256x 18.4 billion, billion addresses to use. No NAT needed. I just set up my firewall rules as appropriate.
>
> This is one thing that really bugs me about NAT. It's become so common that people think it's the right way to do things. It's not, it's a hack!
-- 
*Computers: the final frontier. These are the voyages of the user Marc. His mission: to explore strange new hardware. To seek out new software and new applications. To boldly go where no Marc has gone before!*
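The DNAT-in / SNAT-out mapping Andrei describes, with the persistence question Marc asks, as an added example that is not part of the thread or of any openSUSE tooling. It prints the rule plan as a dry run rather than applying it; eth0, 203.0.113.11 and 192.168.10.10 are assumed placeholder values.

```shell
#!/bin/sh
# Added example (not from the thread): print the commands for a 1:1 NAT
# mapping as a dry run, so the plan can be read before being run as root.
# Assumed placeholders: EXT_IF is the real device name; 203.0.113.11 is a
# constructed documentation-range public address.

# Pre-flight check: a dotted quad with four octets, each 0..255.
valid_ipv4() {
    ip=$1
    case $ip in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Emit the rules for one public address mapped to one internal host.
# Inbound DNAT matches on the external device, where the packet arrives;
# outbound SNAT matches on the same device.  A label such as eth0:hostname
# is only an address alias on eth0, not a device netfilter can match, so
# -i/-o always name the base interface.  The FORWARD rules matter when the
# FORWARD chain policy is not ACCEPT.  Rules live only in the kernel, so the
# last line saves them; restore them at boot with iptables-restore.  The
# --persistent option belongs to the SNAT/DNAT targets (iptables-extensions
# man page) and only applies when mapping to a range, not a single address.
nat_plan() {
    ext_if=$1; ext_ip=$2; int_ip=$3
    valid_ipv4 "$ext_ip" && valid_ipv4 "$int_ip" || return 1
    printf '%s\n' \
      "sysctl -w net.ipv4.ip_forward=1" \
      "iptables -t nat -A PREROUTING -i $ext_if -d $ext_ip -j DNAT --to-destination $int_ip" \
      "iptables -t nat -A POSTROUTING -o $ext_if -s $int_ip -j SNAT --to-source $ext_ip" \
      "iptables -A FORWARD -i $ext_if -d $int_ip -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT" \
      "iptables -A FORWARD -o $ext_if -s $int_ip -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT" \
      "iptables-save > NAT_RULES_FILE"
}

# Usage: nat_plan eth0 203.0.113.11 192.168.10.10   (review, then run as root)
```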