Hi,
I know these are a few iptables questions, NOT CentOS. Anyway, I am running a firewall on CentOS 5.x.
If you can respond, it would be fine.
I want to add a SNAT rule for one user in LAN to access one particular destination on the internet.
Let's say www.centos.org
I added the rule below, but it does NOT work. Please assume 1.2.3.4 is the real IP of the firewall; IP address 192.168.101.230 is the client PC.
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.101.230 -j SNAT --to-source 1.2.3.4 -d www.centos.org
Any idea to achieve it?
And also,
the below rule excludes 1 ip. it works fine.
iptables -t nat -A PREROUTING -p tcp -m multiport -s ! 192.168.1.9 --destination-port 80,465,995 -j DNAT --to-destination :3128
I want to exclude about 4 or 5 IPs.
Let's say 192.168.1.11, 192.168.1.19, 192.168.1.20, 192.168.1.25.
Is there a way to do it?
Hope to hear from you.
Indunil Jayasooriya wrote:
Hi,
I know these are a few iptables questions, NOT CentOS. Anyway, I am running a firewall on CentOS 5.x.
If you can respond, it would be fine.
I want to add a SNAT rule for one user in LAN to access one particular destination on the internet.
May sound a little smug, but get Shorewall and use it to manage your iptables rules. It has worked well for me and many others.
I want to add a SNAT rule for one user in LAN to access one particular destination on the internet.
Let's say www.centos.org
I added the rule below, but it does NOT work. Please assume 1.2.3.4 is the real IP of the firewall; IP address 192.168.101.230 is the client PC.
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.101.230 -j SNAT --to-source 1.2.3.4 -d www.centos.org
Any idea to achieve it?
The destination should be before the SNAT ... so try this:
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.101.230 -d www.centos.org -j SNAT --to-source 1.2.3.4
the below rule excludes 1 ip. it works fine.
iptables -t nat -A PREROUTING -p tcp -m multiport -s ! 192.168.1.9 --destination-port 80,465,995 -j DNAT --to-destination :3128
I want to exclude about 4 or 5 IPs.
Let's say 192.168.1.11, 192.168.1.19, 192.168.1.20, 192.168.1.25.
Is there a way to do it?
Not that I can think of. If these IP addresses were in a contiguous block, it might be able to be summarized by one or two subnet statements instead of individual rules for each.
Hope this helps.
Barry
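An added example for the first question, written for this page and not Barry's or the original poster's code. iptables accepts match options before or after the target, so the two rule orderings above are the same rule; the things that do decide whether the SNAT takes effect are that the nat table applies only the first matching rule to the first packet of a connection (an existing catch-all MASQUERADE or SNAT higher in POSTROUTING wins), that a hostname given to -d is resolved once, at insert time, and that the packet must also pass the FORWARD chain. The script below therefore inserts the client-specific rule at the top, takes explicit destination addresses, and adds the matching FORWARD rules. The interface names eth0/eth1 are assumed (the thread names only eth0), 203.0.113.x addresses in the usage comment are constructed documentation-range addresses rather than www.centos.org, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Lets one LAN host reach one Internet
# destination through the firewall's public address. Set IPT=iptables and
# run as root to apply; the default only prints the commands it would run.
IPT="${IPT:-echo iptables}"

# snat_client_to_dest WAN_IF LAN_IF CLIENT_IP SNAT_IP DEST_IP...
# One SNAT rule per destination address. -I (insert at the top) rather than
# -A, so an existing catch-all MASQUERADE/SNAT rule lower in POSTROUTING
# cannot match first: the nat table is consulted for the first packet of a
# connection only, and the first matching rule decides.
snat_client_to_dest() {
    wan_if=$1; lan_if=$2; client=$3; snat_ip=$4; shift 4
    for dst in "$@"; do
        $IPT -t nat -I POSTROUTING -o "$wan_if" -s "$client" -d "$dst" \
            -j SNAT --to-source "$snat_ip"
        # NAT alone is not enough: the packet must also be accepted by
        # FORWARD, and the replies must be let back in (rule after the loop).
        $IPT -A FORWARD -i "$lan_if" -o "$wan_if" -s "$client" -d "$dst" -j ACCEPT
    done
    $IPT -A FORWARD -i "$wan_if" -o "$lan_if" -d "$client" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# snat_client_to_host WAN_IF LAN_IF CLIENT_IP SNAT_IP HOSTNAME
# Same thing, resolving the name first. iptables also accepts a hostname,
# but resolves it once at insert time and keeps whatever A records it got;
# resolving here makes the addresses visible and easy to refresh later.
# Assumes a glibc getent with "ahostsv4" support (an assumption of this
# example; check `getent ahostsv4 localhost` on the firewall first).
snat_client_to_host() {
    wan_if=$1; lan_if=$2; client=$3; snat_ip=$4; host=$5
    addrs=$(getent ahostsv4 "$host" | awk '{print $1}' | sort -u)
    [ -n "$addrs" ] || { echo "no IPv4 address for $host" >&2; return 1; }
    # $addrs is deliberately unquoted: one argument per resolved address.
    snat_client_to_dest "$wan_if" "$lan_if" "$client" "$snat_ip" $addrs
}

# Usage with constructed addresses (203.0.113.0/24 is a documentation
# range standing in for the real destination):
#   snat_client_to_dest eth0 eth1 192.168.101.230 1.2.3.4 203.0.113.10 203.0.113.11
#   IPT=iptables snat_client_to_host eth0 eth1 192.168.101.230 1.2.3.4 www.centos.org
```

After applying for real, `iptables -t nat -L POSTROUTING -n -v --line-numbers` shows the client rule at line 1 with its packet counters; a counter that stays at zero while the client retries points at routing or the FORWARD chain, not at the SNAT rule.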
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.101.230 -j SNAT --to-source 1.2.3.4 -d www.centos.org
Any idea to achieve it?
The destination should be before the SNAT ... so try this:
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.101.230 -d www.centos.org -j SNAT --to-source 1.2.3.4
I did it once in the above way before posting this. It did NOT work. Anyway,
has it worked for you?
iptables -t nat -A PREROUTING -p tcp -m multiport -s ! 192.168.1.9 --destination-port 80,465,995 -j DNAT --to-destination :3128
I want to exclude about 4 or 5 IPs.
Let's say 192.168.1.11, 192.168.1.19, 192.168.1.20, 192.168.1.25.
Is there a way to do it?
Not that I can think of. If these IP addresses were in a contiguous block, it might be able to be summarized by one or two subnet statements instead of individual rules for each.
I will try; that means something like ! 192.168.1.9/29
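An added example for the second question, covering both Barry's reply and the /29 idea above; it is written for this page and is not code from either poster. A single negated prefix cannot express the four addresses in the question: 192.168.1.9/29 covers only 192.168.1.8 to 192.168.1.15, so it would exempt .11 but not .19, .20 or .25. The usual iptables answer for a non-contiguous list is a user-defined chain: one RETURN rule per exempt source, followed by the DNAT; exempt packets leave the chain before reaching it. The LAN interface name eth1, the chain name PROXY_REDIRECT and the function name are the example's own assumptions; the ports and proxy port are the thread's.

```shell
#!/bin/sh
# Added example, not from the thread. Redirects LAN web/mail traffic to a
# local proxy port except for a list of exempt LAN addresses. Set
# IPT=iptables and run as root to apply; the default only prints commands.
IPT="${IPT:-echo iptables}"

# proxy_exempt_rules LAN_IF PROXY_PORT PORTS EXEMPT_IP...
#   LAN_IF      inside interface (eth1 assumed here)
#   PROXY_PORT  port the proxy listens on (3128 in the thread)
#   PORTS       comma-separated destination ports to intercept
#   EXEMPT_IP   any number of source addresses that must bypass the proxy
proxy_exempt_rules() {
    lan_if=$1; proxy_port=$2; ports=$3; shift 3

    # A dedicated chain keeps the exemption list in one place and lets it
    # be rebuilt (-F) without touching the rest of PREROUTING. -N fails
    # harmlessly if the chain already exists.
    $IPT -t nat -N PROXY_REDIRECT 2>/dev/null || true
    $IPT -t nat -F PROXY_REDIRECT

    # Exempt sources RETURN to PREROUTING before the DNAT is reached, so
    # order inside the chain matters: RETURN rules first, DNAT last.
    for ip in "$@"; do
        $IPT -t nat -A PROXY_REDIRECT -s "$ip" -j RETURN
    done
    $IPT -t nat -A PROXY_REDIRECT -p tcp -m multiport --dports "$ports" \
        -j DNAT --to-destination ":$proxy_port"

    # Only traffic arriving on the LAN interface is sent through the chain;
    # the original rule had no -i and would also have matched packets
    # arriving from the WAN side.
    $IPT -t nat -A PREROUTING -i "$lan_if" -p tcp -m multiport --dports "$ports" \
        -j PROXY_REDIRECT
}

# Usage with the addresses from the thread:
#   proxy_exempt_rules eth1 3128 80,465,995 192.168.1.11 192.168.1.19 192.168.1.20 192.168.1.25
```

To add or drop an exempt host later, rerun the function with the new list: the -F empties the chain and the loop rebuilds it, while the PREROUTING jump rule is appended again, so delete the old jump with `iptables -t nat -D PREROUTING ... -j PROXY_REDIRECT` first or guard the append with a `-C` check on iptables versions that have it. `iptables -t nat -L PROXY_REDIRECT -n -v --line-numbers` shows the RETURN rules above the DNAT and their hit counters.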
On Thursday 04 December 2008 04:21, Indunil Jayasooriya wrote:
I take it the firewall has 2 interfaces, WAN and LAN. Without knowing how you have things set up now, you could simply add the following:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i <LAN> -s 192.168.1.11 -j DROP
iptables -A FORWARD -i <LAN> -s 192.168.1.19 -j DROP
iptables -A FORWARD -i <LAN> -s 192.168.1.25 -j DROP
Should any of these IPs need access to the firewall, then you need to place those rules before these.
Hi,
If you want to allow one IP to access one destination, then you can write the rules below in iptables.
iptables -t nat -A POSTROUTING -s 192.168.101.230 -d centosip -j MASQUERADE
iptables -t nat -A POSTROUTING -d 192.168.101.230 -s centosip -j MASQUERADE
For the remaining IPs you can write a simple drop rule to the CentOS IP.
This will work for you, I am sure.
Regards, paps
On Thu, Dec 4, 2008 at 2:51 PM, Indunil Jayasooriya indunil75@gmail.com wrote:
-- Thank you, Indunil Jayasooriya
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos