Where is the correct place to control what traffic is masq'ed out? This is what I have, but I was told the Forward chain isn't the right place to do this?
iptables -A POSTROUTING -t nat -o $WAN -j MASQUERADE
iptables -A FORWARD -i $WAN -o $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -m state --state NEW,ESTABLISHED,RELATED -p tcp -m multiport --dports 80,443 -j ACCEPT
So which table is the theoretically correct place to add all the ports/services I would want masq'ed out for internal clients?
Thanks! jlc
On Friday 29 August 2008 17:26, Joseph L. Casale wrote:
> Where is the correct place to control what traffic is masq'ed out? This is what I have, but I was told the Forward chain isn't the right place to do this?
>
> iptables -A POSTROUTING -t nat -o $WAN -j MASQUERADE
> iptables -A FORWARD -i $WAN -o $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i $LAN -o $WAN -m state --state NEW,ESTABLISHED,RELATED -p tcp -m multiport --dports 80,443 -j ACCEPT
>
> So which table is the theoretically correct place to add all the ports/services I would want masq'ed out for internal clients?
Postrouting is the correct one. After everything is routed it is MASQ before leaving the interface.
> Postrouting is the correct one. After everything is routed it is MASQ before leaving the interface.
That makes sense, but I am stuck at making the transition, should I simply pull the port specifications from my third line in the FORWARD chain to the first line in the POSTROUTING chain?
iptables -A POSTROUTING -t nat -o $WAN -p tcp -m multiport --dports 80,443 -j MASQUERADE
iptables -A FORWARD -i $WAN -o $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Does that look groovy?
Thanks! jlc
On Friday 29 August 2008 17:52, Joseph L. Casale wrote:
>> Postrouting is the correct one. After everything is routed it is MASQ before leaving the interface.
>
> That makes sense, but I am stuck at making the transition, should I simply pull the port specifications from my third line in the FORWARD chain to the first line in the POSTROUTING chain?
>
> iptables -A POSTROUTING -t nat -o $WAN -p tcp -m multiport --dports 80,443 -j MASQUERADE
> iptables -A FORWARD -i $WAN -o $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i $LAN -o $WAN -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
> Does that look groovy?
If your WAN interface is using a public IP and your LAN is using a private IP range then you need to MASQ everything leaving your LAN, like this:
iptables -A POSTROUTING -t nat -o $WAN -j MASQUERADE
No port or packet types are needed, as everything needs to be MASQed.
There is nothing you need to do to make the transition, as all packets go through the Postrouting/Prerouting tables.
On Friday 29 August 2008 18:38, Joseph L. Casale wrote:
>> No port or packet types are needed, as everything needs to be MASQed.
>
> Sorry, I wasn't clear. I only want ports 80/443 translated for internal clients, so I do need a rule of some sort.
We should be talking live. Why don't you join #centos-social on freenode so we can chat in real time?
> We should be talking live. Why don't you join #centos-social on freenode so we can chat in real time?
Robert, just got back from my trip and read that tutorial; it went on to state what I now find to be two distinct, opposite thoughts. It says at http://iptables-tutorial.frozentux.net/chunkyhtml/c962.html that you shouldn't filter in the NAT Postrouting chain, as some streams of packets only have their first packet hit the chain and everything else is redirected, hence the possibility exists that some packets can miss the rule.
It seems the filter Forward chain is the safest place to limit what gets masq'ed, so internal clients could only have, say, port 80/443 but no FTP access, as an example.
What are your thoughts on this? Thanks, jlc
On Sunday 31 August 2008 22:31, Joseph L. Casale wrote:
>> We should be talking live. Why don't you join #centos-social on freenode so we can chat in real time?
>
> Robert, just got back from my trip and read that tutorial; it went on to state what I now find to be two distinct, opposite thoughts. It says at http://iptables-tutorial.frozentux.net/chunkyhtml/c962.html that you shouldn't filter in the NAT Postrouting chain, as some streams of packets only have their first packet hit the chain and everything else is redirected, hence the possibility exists that some packets can miss the rule.
>
> It seems the filter Forward chain is the safest place to limit what gets masq'ed, so internal clients could only have, say, port 80/443 but no FTP access, as an example.
That is correct. The only thing that should hit the NAT chain is what you have already decided should be allowed out.
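An added example (my own, not code from the thread) that puts the conclusion above into a complete ruleset in iptables-restore format: the filter FORWARD chain carries the policy, with a DROP policy so that only the listed services get out, and the nat POSTROUTING chain does nothing but MASQUERADE. One point the rule snippets in the thread leave implicit: the kernel's default FORWARD policy is ACCEPT, so ACCEPT rules for 80/443 on their own restrict nothing; the DROP policy (or a trailing DROP rule) is what blocks everything else. The nat_has_filter_match function is a check for the mistake proposed mid-thread, a port or state match on a rule in the nat table. Interface names eth0/eth1, the port list and the BAD_NAT ruleset are placeholders constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates a ruleset in
# iptables-restore format with the split the thread arrives at: policy in
# filter/FORWARD (default DROP), nothing but MASQUERADE in nat/POSTROUTING.
# Interface names and port lists are placeholders chosen for the example.

# gen_ruleset WAN LAN PORTS : write the ruleset to stdout.
# PORTS is a comma-separated list for -m multiport, e.g. "80,443".
gen_ruleset() {
    wan=$1
    lan=$2
    ports=$3
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# replies to connections the LAN opened
-A FORWARD -i $wan -o $lan -m state --state RELATED,ESTABLISHED -j ACCEPT
# the only services the LAN may open outbound; all else falls to the DROP policy
-A FORWARD -i $lan -o $wan -m state --state NEW,ESTABLISHED,RELATED -p tcp -m multiport --dports $ports -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# translate whatever FORWARD already accepted; no port or state match here
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
EOF
}

# nat_has_filter_match : read a ruleset on stdin, exit 0 if any rule in the
# nat table carries a port or connection-state match (policy leaking into
# nat), exit 1 if the nat table is translation-only.
nat_has_filter_match() {
    awk '
        /^\*/ { in_nat = ($0 == "*nat") }
        in_nat && /^-A/ && /(--dports?|--sports?|-m state|-m conntrack)/ { found = 1 }
        END { if (found) exit 0; exit 1 }
    '
}

# Constructed counter-example: the port-restricted MASQUERADE proposed
# mid-thread. It blocks nothing; traffic to other ports that FORWARD accepts
# still leaves the WAN interface, just with its private source address intact.
BAD_NAT='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -p tcp -m multiport --dports 80,443 -j MASQUERADE
COMMIT'

# Usage (loading needs root):
#   gen_ruleset eth0 eth1 80,443 > /tmp/rules.v4
#   nat_has_filter_match < /tmp/rules.v4 && echo "policy in nat table"
#   iptables-restore < /tmp/rules.v4
```

The reason the check matters is the one the tutorial gives: the nat table is consulted only for the first packet of a connection, and every later packet follows the conntrack entry created then. A port match on the MASQUERADE rule can therefore only decide which new connections get translated, never which ones get through; what is not translated is still forwarded, with the RFC 1918 source address leaking onto the WAN. Dropping belongs in FORWARD, which sees every packet.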
On Sat, Aug 30, 2008 at 2:56 AM, Joseph L. Casale JCasale@activenetwerx.com wrote:
> Where is the correct place to control what traffic is masq'ed out? This is what I have, but I was told the Forward chain isn't the right place to do this?
>
> iptables -A POSTROUTING -t nat -o $WAN -j MASQUERADE
> iptables -A FORWARD -i $WAN -o $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i $LAN -o $WAN -m state --state NEW,ESTABLISHED,RELATED -p tcp -m multiport --dports 80,443 -j ACCEPT
>
> So which table is the theoretically correct place to add all the ports/services I would want masq'ed out for internal clients?
Please try the two below:
iptables -A POSTROUTING -t nat -o $WAN -j MASQUERADE
iptables -A FORWARD -i $LAN -o $WAN -m state --state NEW,ESTABLISHED,RELATED -p tcp -m multiport --dports 80,443 -j ACCEPT
> Thanks! jlc
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos