[opensuse] iptables: limiting NAT
Hi all,

Does anyone know how to get around a built-in limitation of iptables? What I want to do is something like:

iptables -t nat -A POSTROUTING -p tcp -port 873 -j SNAT -o br1 --to-source 1.1.1.82
iptables -t nat -A POSTROUTING -p tcp -port 80 -j SNAT -o br1 --to-source 1.1.1.83
iptables -t nat -A POSTROUTING -p tcp -port 25 -j SNAT -o br1 --to-source 1.1.1.84
etc etc ......

So basically I want SOME traffic to be SNAT-ed, but not all!! Specifically: my six IPv6 tunnels towards H.E. don't like to be NATed; they all have their own specific IPv4 address.

Hans

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 08/04/2014 03:45 AM, Hans Witvliet wrote:
> Hi all,
> Does anyone know how to get around a built-in limitation of iptables?
> What I want to do is something like:
> iptables -t nat -A POSTROUTING -p tcp -port 873 -j SNAT -o br1 --to-source 1.1.1.82
> iptables -t nat -A POSTROUTING -p tcp -port 80 -j SNAT -o br1 --to-source 1.1.1.83
> iptables -t nat -A POSTROUTING -p tcp -port 25 -j SNAT -o br1 --to-source 1.1.1.84
> etc etc ......
> So basically I want SOME traffic to be SNAT-ed, but not all!!
> Specifically: my six IPv6 tunnels towards H.E. don't like to be NATed; they all have their own specific IPv4 address.
> Hans
As I understand it, he.net connections have to be terminated on your firewall/router and not passed on to another computer. I use gogo6 and it does support NAT, though by using UDP instead of 6in4 tunnelling.
On Mon, 04 Aug 2014 09:45:19 +0200 Hans Witvliet <suse@a-domani.nl> wrote:
> Hi all,
> Does anyone know how to get around a built-in limitation of iptables?

Which limitation?

> What I want to do is something like:
> iptables -t nat -A POSTROUTING -p tcp -port 873 -j SNAT -o br1 --to-source 1.1.1.82

If you mean "option -port is missing", then

--match tcp --dport 873

See man iptables-extensions(8)

> iptables -t nat -A POSTROUTING -p tcp -port 80 -j SNAT -o br1 --to-source 1.1.1.83
> iptables -t nat -A POSTROUTING -p tcp -port 25 -j SNAT -o br1 --to-source 1.1.1.84
> etc etc ......
> So basically I want SOME traffic to be SNAT-ed, but not all!!
> Specifically: my six IPv6 tunnels towards H.E. don't like to be NATed; they all have their own specific IPv4 address.
> Hans
On Mon, 2014-08-04 at 18:31 +0400, Andrey Borzenkov wrote:
> On Mon, 04 Aug 2014 09:45:19 +0200 Hans Witvliet <suse@a-domani.nl> wrote:
> > Hi all,
> > Does anyone know how to get around a built-in limitation of iptables?
>
> Which limitation?
>
> > What I want to do is something like:
> > iptables -t nat -A POSTROUTING -p tcp -port 873 -j SNAT -o br1 --to-source 1.1.1.82
>
> If you mean "option -port is missing", then
>
> --match tcp --dport 873
>
> See man iptables-extensions(8)
>
> > iptables -t nat -A POSTROUTING -p tcp -port 80 -j SNAT -o br1 --to-source 1.1.1.83
> > iptables -t nat -A POSTROUTING -p tcp -port 25 -j SNAT -o br1 --to-source 1.1.1.84
> > etc etc ......
> > So basically I want SOME traffic to be SNAT-ed, but not all!!
> > Specifically: my six IPv6 tunnels towards H.E. don't like to be NATed; they all have their own specific IPv4 address.

Ah, thanks. This seems to work; this allows me to selectively do a SNAT. Instead of "snatting" everything, I can do it on specific services, and I hope I can avoid interference with my tunnels.

tnx.
Hans Witvliet wrote:
> Ah, thanks. This seems to work; this allows me to selectively do a SNAT. Instead of "snatting" everything, I can do it on specific services, and I hope I can avoid interference with my tunnels.

I have one or two situations where I want to apply <something> to all traffic satisfying e.g. port=80 - exceptions I simply add to the chain before the main rule.

--
Per Jessen, Zürich (18.1°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
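The two answers above (match the service with `-m tcp --dport`, and put the exceptions in the chain before the main rule) combined into one script, as an added example that is not code from the thread. Interface, ports and source addresses are the ones from the question; the tunnel endpoint addresses are constructed placeholders, and the script prints the rules unless DRY_RUN=0 is set, so it can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example: build a selective SNAT ruleset for nat/POSTROUTING.
# Exceptions for the 6in4 tunnels go in first, then one SNAT rule per service.

OUT_IF="br1"
# "port:source-address" pairs taken from the original question
SNAT_MAP="873:1.1.1.82 80:1.1.1.83 25:1.1.1.84"
# Constructed placeholders for the local IPv4 endpoints of the H.E. tunnels
TUNNEL_ENDPOINTS="192.0.2.10 192.0.2.11"

# Print the command (default) or apply it with DRY_RUN=0 (needs root).
run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Exceptions first: ACCEPT in the nat table ends traversal of the chain for
# that packet, so the later SNAT rules never see tunnel traffic.
# 6in4 is IP protocol 41, so it would not match "-p tcp" rules anyway.
tunnel_exceptions() {
  for ep in $TUNNEL_ENDPOINTS; do
    run -t nat -A POSTROUTING -o "$OUT_IF" -s "$ep" -p 41 -j ACCEPT
  done
}

# One SNAT rule per service, using "-m tcp --dport N" (the option the
# question spelled as "-port N", which iptables does not have).
snat_rules() {
  for pair in $SNAT_MAP; do
    port=${pair%%:*}
    src=${pair#*:}
    run -t nat -A POSTROUTING -o "$OUT_IF" -p tcp -m tcp --dport "$port" \
        -j SNAT --to-source "$src"
  done
}

build_ruleset() {
  tunnel_exceptions
  snat_rules
}
```

Running `build_ruleset` prints five rules: the two tunnel exceptions, followed by the SNAT rules for ports 873, 80 and 25. Traffic to any other port leaves br1 with its original source address, which is the "SOME traffic, not all" behaviour the question asked for.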
participants (4)
- Andrey Borzenkov
- Hans Witvliet
- James Knott
- Per Jessen