[oclug] iptables NAT + routing problem
Adrian Chung
adrian at enfusion-group.com
Tue Mar 19 17:22:27 EST 2002
On Tue, Mar 19, 2002 at 05:02:42PM -0500, Matt McParland wrote:
[...]
> pingable from the outside world. The problem is that when I connect to
> external sites, they all see the static IP that the /29 is routed to and
> not an IP in the /29 block as I'd expect. Some sort of mangling is
> happening to the packets as they go out and I don't know how to do plain
> routing. I've tried various incantations of the iptables command and
> nothing changes. Anyone done this before?
>
> #!/bin/sh
>
> route add -net 216.187.105.100 netmask 255.255.255.248 eth0
>
> LAN="192.168.0.0/24"
> LAN2="216.187.105.200/29"
>
> LANDEV="eth0"
> INETDEV="ppp0"
>
> echo -n "Setting default chain policies... "
> iptables -P INPUT DROP
> iptables -P FORWARD ACCEPT
> iptables -P OUTPUT ACCEPT
> echo " OK"
[...]
> echo -n "Setting FORWARD rules..."
> iptables -A FORWARD -s $LAN -j ACCEPT
> iptables -A FORWARD -d $LAN -j ACCEPT
> iptables -A FORWARD -s $LAN2 -j ACCEPT
> iptables -A FORWARD -d $LAN2 -j ACCEPT
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> echo -n "Activating masquerading..."
> iptables -t nat -A POSTROUTING -o $INETDEV -j MASQUERADE
> echo " OK"
You're masquerading any and all traffic going out over ppp0. What you
want instead is to only masquerade traffic from $LAN, and make sure
you have FORWARD rules allowing traffic to and from the /29 you're
forwarding:
iptables -t nat -A POSTROUTING -s $LAN -o $INETDEV -j MASQUERADE
You already have a default FORWARD policy of ACCEPT, so your box will
happily forward anything to anywhere. As such, the rules below
"Setting FORWARD rules..." are redundant.
Hope that helps.
--
Adrian Chung (adrian at enfusion-group dot com)
http://www.enfusion-group.com/~adrian
GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
[toad.enfusion-group.com] up 16:51, 9 users, load average: 0.24
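As an added example (not Adrian's or Matt's code, and not part of the original thread), here is a reworked rule set that applies the advice above: masquerade only the RFC1918 LAN, let the routed /29 leave with its own source addresses, and replace the open FORWARD policy with explicit rules. It reuses the addresses and interface names from Matt's script (192.168.0.0/24, 216.187.105.200/29, eth0, ppp0) and assumes the `state` match is available; the `IPT` variable is a convenience added here so the rules can be printed instead of applied.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the interface names
# and address blocks from Matt's script. Set IPT="echo iptables" to print
# the rules instead of applying them (useful for reviewing before a reload).
IPT="${IPT:-iptables}"

LAN="192.168.0.0/24"           # private LAN that must be masqueraded
LAN2="216.187.105.200/29"      # publicly routed block, must NOT be masqueraded
LANDEV="eth0"
INETDEV="ppp0"

# NAT: only packets sourced from the private LAN get rewritten. Packets from
# the /29 traverse POSTROUTING without matching and keep their real source,
# which is what the outside world should see.
nat_rules() {
    $IPT -t nat -A POSTROUTING -s "$LAN" -o "$INETDEV" -j MASQUERADE
}

# FORWARD: with a DROP policy every permitted flow is spelled out. Replies
# to established flows come first, the LAN and the /29 may go out, and only
# the /29 (which is directly reachable from the Internet) may be reached inbound.
forward_rules() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LANDEV" -o "$INETDEV" -s "$LAN" -j ACCEPT
    $IPT -A FORWARD -i "$LANDEV" -o "$INETDEV" -s "$LAN2" -j ACCEPT
    $IPT -A FORWARD -i "$INETDEV" -o "$LANDEV" -d "$LAN2" -j ACCEPT
}

# Sanity check on the generated rules: succeed (return 0) only if every
# MASQUERADE rule carries the private LAN as its source, i.e. nothing from
# the routed /29 can be rewritten. Run it with IPT="echo iptables".
nat_excludes_routed_block() {
    if nat_rules | grep -- "-j MASQUERADE" | grep -qv -- "-s $LAN"; then
        return 1
    fi
    return 0
}

# Apply everything when run as a script with IPT unset.
if [ "$IPT" = "iptables" ]; then
    nat_rules
    forward_rules
    echo 1 > /proc/sys/net/ipv4/ip_forward
fi
```

To confirm the rewrite is behaving, watch the packet counters with `iptables -t nat -L POSTROUTING -v -n` while a host in the /29 talks to the outside: the MASQUERADE rule's counters should stay flat for that traffic and only climb for LAN hosts.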