[oclug] iptables NAT + routing problem
adrian at enfusion-group.com
Tue Mar 19 17:22:27 EST 2002
On Tue, Mar 19, 2002 at 05:02:42PM -0500, Matt McParland wrote:
> pingable from the outside world. The problem is that when I connect to
> external sites, they all see the static IP that the /29 is routed to and
> not an IP in the /29 block as I'd expect. Some sort of mangling is
> happening to the packets as they go out and I don't know how to do plain
> routing. I've tried various incantations of the iptables command and
> nothing changes. Anyone done this before?
> route add -net 184.108.40.206 netmask 255.255.255.248 eth0
> echo -n "Setting default chain policies... "
> iptables -P INPUT DROP
> iptables -P FORWARD ACCEPT
> iptables -P OUTPUT ACCEPT
> echo " OK"
> echo -n "Setting FORWARD rules..."
> iptables -A FORWARD -s $LAN -j ACCEPT
> iptables -A FORWARD -d $LAN -j ACCEPT
> iptables -A FORWARD -s $LAN2 -j ACCEPT
> iptables -A FORWARD -d $LAN2 -j ACCEPT
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo -n "Activating masquerading..."
> iptables -t nat -A POSTROUTING -o $INETDEV -j MASQUERADE
> echo " OK"
You're masquerading any and all traffic going out over ppp0. What you
want instead is to only masquerade traffic from $LAN, and make sure
you have FORWARD rules allowing traffic to and from the /29 you're

iptables -t nat -A POSTROUTING -s $LAN -o $INETDEV -j MASQUERADE
You already have a default FORWARD policy of ACCEPT, so your box will
happily forward anything to anywhere. As such, the rules below
"Setting FORWARD rules..." are redundant.
Hope that helps.
Adrian Chung (adrian at enfusion-group dot com)
GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
[toad.enfusion-group.com] up 16:51, 9 users, load average: 0.24
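An added example, not part of Adrian's reply or Matt's script: a POSIX sh script that shows why the unscoped `-o $INETDEV -j MASQUERADE` rule rewrites the /29 hosts' source addresses while the `-s $LAN` version does not, and that emits the corrected ruleset in iptables-restore format. The LAN prefix 192.168.1.0/24 and the interface name ppp0 are assumptions; the /29 is the (anonymised) prefix from the post. The generated ruleset also tightens the FORWARD policy to DROP and adds explicit rules for the LAN and the routed block, which goes beyond what the reply asked for; `nat_decision` is only a model of the two POSTROUTING variants, not a call into netfilter.

```shell
#!/bin/sh
# Added example (not from the OCLUG thread). Models the POSTROUTING decision
# for the original and the scoped MASQUERADE rule, and emits a corrected
# ruleset for iptables-restore.

LAN=192.168.1.0/24          # assumption: RFC1918 LAN that must be masqueraded
ROUTED=184.108.40.206/29    # the routed /29 from the post (anonymised address)
INETDEV=ppp0                # assumption: upstream interface named in the reply

# ip4_to_int A.B.C.D -> 32-bit integer
ip4_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/PREFIX -> exit status 0 if ADDR lies inside the prefix
in_cidr() {
    addr=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# nat_decision SRC OUTDEV original|scoped -> MASQUERADE or ACCEPT
# original: -A POSTROUTING -o $INETDEV -j MASQUERADE   (matches every source)
# scoped:   -A POSTROUTING -s $LAN -o $INETDEV -j MASQUERADE
nat_decision() {
    src=$1; outdev=$2; variant=$3
    # Packets not leaving via the upstream interface never hit either rule.
    [ "$outdev" = "$INETDEV" ] || { echo ACCEPT; return 0; }
    case $variant in
        original) echo MASQUERADE ;;
        scoped)   if in_cidr "$src" "$LAN"; then echo MASQUERADE; else echo ACCEPT; fi ;;
        *)        echo "unknown variant: $variant" >&2; return 1 ;;
    esac
}

# Corrected ruleset, iptables-restore format. LAN hosts are masqueraded; the
# routed /29 is forwarded untouched so its hosts keep their own addresses.
# FORWARD defaults to DROP here (the post used ACCEPT), so the rules matter.
ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $LAN -o $INETDEV -j ACCEPT
-A FORWARD -s $ROUTED -o $INETDEV -j ACCEPT
-A FORWARD -d $ROUTED -i $INETDEV -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $LAN -o $INETDEV -j MASQUERADE
COMMIT
EOF
}

# Demonstration: a LAN host and a /29 host leaving via the upstream link.
for src in 192.168.1.5 184.108.40.203; do
    printf '%s via %s: original=%s scoped=%s\n' "$src" "$INETDEV" \
        "$(nat_decision "$src" "$INETDEV" original)" \
        "$(nat_decision "$src" "$INETDEV" scoped)"
done
```

Load the generated rules with `ruleset > /etc/iptables.rules && iptables-restore < /etc/iptables.rules` (as root, with ip_forward still set to 1), then confirm from a /29 host that an external site sees that host's own address rather than the ppp0 address. The `-d $ROUTED -i $INETDEV -j ACCEPT` line admits any inbound connection to the routed block, matching the "pingable from the outside world" intent in the post; narrow it to the ports those hosts actually serve before relying on it.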