Hi,

I know these are a few iptables questions. NOT CentOS, anyway, I am running a firewall on centos 5.x.

If you can respond, it would be fine.

I want to add a SNAT rule for one user in LAN to access one particular destination on the internet.

Let's say www.centos.org

I added the below rule. But it does NOT work.
Pls assume 1.2.3.4 is the real ip of the firewall.
ip address 192.168.101.230 is the client PC

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.101.230 -j SNAT --to-source 1.2.3.4 -d www.centos.org

Any idea to achieve it?

And also,

the below rule excludes 1 ip. it works fine.

iptables -t nat -A PREROUTING -p tcp -m multiport -s ! 192.168.1.9 --destination-port 80,465,995 -j DNAT --to-destination :3128

I want to exclude about 4 or 5 ips.

let's say 192.168.1.11, 192.168.1.19, 192.168.1.20, 192.168.1.25

Is there a way to do it?

Hope to hear from you.

-- 
Thank you
Indunil Jayasooriya
Indunil Jayasooriya wrote:
> Hi,
>
> I know these are a few iptables questions. NOT CentOS, anyway, I am
> running a firewall on centos 5.x.
>
> If you can respond, it would be fine.
>
> I want to add a SNAT rule for one user in LAN to access one particular
> destination on the internet.

May sound a little smug, but get Shorewall and use it to manage your iptables rules. It has worked well for me and many others.

> Let's say www.centos.org
>
> I added the below rule. But it does NOT work.
> Pls assume 1.2.3.4 is the real ip of the firewall.
> ip address 192.168.101.230 is the client PC
>
> iptables -t nat -A POSTROUTING -o eth0 -s 192.168.101.230 -j SNAT
> --to-source 1.2.3.4 -d www.centos.org
>
> Any idea to achieve it?
>
> And also,
>
> the below rule excludes 1 ip. it works fine.
>
> iptables -t nat -A PREROUTING -p tcp -m multiport -s ! 192.168.1.9
> --destination-port 80,465,995 -j DNAT --to-destination :3128
>
> I want to exclude about 4 or 5 ips.
>
> let's say 192.168.1.11, 192.168.1.19, 192.168.1.20, 192.168.1.25
>
> Is there a way to do it?
>
> Hope to hear from you.
> I want to add a SNAT rule for one user in LAN to access one particular
> destination on the internet.
>
> Let's say www.centos.org
>
> I added the below rule. But it does NOT work.
> Pls assume 1.2.3.4 is the real ip of the firewall.
> ip address 192.168.101.230 is the client PC
>
> iptables -t nat -A POSTROUTING -o eth0 -s 192.168.101.230 -j SNAT
> --to-source 1.2.3.4 -d www.centos.org
>
> Any idea to achieve it?

The destination should be before the SNAT ... so try this:

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.101.230 -d www.centos.org -j SNAT --to-source 1.2.3.4

> the below rule excludes 1 ip. it works fine.
>
> iptables -t nat -A PREROUTING -p tcp -m multiport -s ! 192.168.1.9
> --destination-port 80,465,995 -j DNAT --to-destination :3128
>
> I want to exclude about 4 or 5 ips.
>
> let's say 192.168.1.11, 192.168.1.19, 192.168.1.20, 192.168.1.25
>
> Is there a way to do it?

Not that I can think of. If these IP addresses were in a contiguous block, it might be possible to summarize them with one or two subnet statements instead of individual rules for each.

Hope this helps.

Barry
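The multi-host exclusion asked about above, as an added example written for this page and not taken from any poster: a dedicated nat chain that RETURNs for the exempt hosts and DNATs everyone else, printed as commands so the rule set can be reviewed before it is applied as root, plus the SNAT rule with its match options ahead of -j as suggested in the reply. Assumed, not from the thread: LAN interface eth1, the chain name PROXY_REDIR, and a destination given as an address rather than a hostname.

```shell
#!/bin/sh
# Added example (not from any poster in this thread): print, rather than apply,
# the iptables commands for a transparent-proxy redirect that exempts a list of
# LAN hosts. Assumptions: LAN interface eth1, a user-defined nat chain named
# PROXY_REDIR, proxy listening on port 3128 as in the original rule.
LAN_IF=eth1
PROXY_PORT=3128
PORTS=80,465,995

# Usage: build_proxy_rules IP [IP ...]
# Traffic for the proxied ports is sent to PROXY_REDIR; exempt hosts match a
# RETURN rule there and leave the chain untouched, everything else reaches the
# single DNAT at the end. Exemptions can be added or removed without editing
# the DNAT rule, and no negated (!) source matches are needed.
build_proxy_rules() {
    echo "iptables -t nat -N PROXY_REDIR"
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp -m multiport --dports $PORTS -j PROXY_REDIR"
    for ip in "$@"; do
        echo "iptables -t nat -A PROXY_REDIR -s $ip -j RETURN"
    done
    echo "iptables -t nat -A PROXY_REDIR -j DNAT --to-destination :$PROXY_PORT"
}

# Usage: build_snat_rule CLIENT_IP DEST_IP PUBLIC_IP
# Match options (-o, -s, -d) come before -j; the target's own option
# (--to-source) follows it. Pass the destination as an address: iptables
# resolves a hostname only once, when the rule is inserted, so a site whose
# address later changes silently stops matching the rule.
build_snat_rule() {
    echo "iptables -t nat -A POSTROUTING -o eth0 -s $1 -d $2 -j SNAT --to-source $3"
}

# Sanity check: number of exemption rules in a generated set (one per host).
count_exempt() {
    build_proxy_rules "$@" | grep -c -- '-j RETURN'
}

# Review the output first, then apply as root:
#   build_proxy_rules 192.168.1.11 192.168.1.19 192.168.1.20 192.168.1.25 | sh
```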
On Thursday 04 December 2008 04:21, Indunil Jayasooriya wrote:
> Hi,
>
> I know these are a few iptables questions. NOT CentOS, anyway, I am
> running a firewall on centos 5.x.
>
> If you can respond, it would be fine.
>
> I want to add a SNAT rule for one user in LAN to access one particular
> destination on the internet.
>
> Let's say www.centos.org
>
> I added the below rule. But it does NOT work.
> Pls assume 1.2.3.4 is the real ip of the firewall.
> ip address 192.168.101.230 is the client PC
>
> iptables -t nat -A POSTROUTING -o eth0 -s 192.168.101.230 -j SNAT
> --to-source 1.2.3.4 -d www.centos.org
>
> Any idea to achieve it?
>
> And also,
>
> the below rule excludes 1 ip. it works fine.
>
> iptables -t nat -A PREROUTING -p tcp -m multiport -s ! 192.168.1.9
> --destination-port 80,465,995 -j DNAT --to-destination :3128
>
> I want to exclude about 4 or 5 ips.
>
> let's say 192.168.1.11, 192.168.1.19, 192.168.1.20, 192.168.1.25
>
> Is there a way to do it?
>
> Hope to hear from you.

I take it the firewall has 2 interfaces, WAN and LAN. Without knowing how you have things set up now, you could simply add the following:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i <LAN> -s 192.168.1.11 -j DROP
iptables -A FORWARD -i <LAN> -s 192.168.1.19 -j DROP
iptables -A FORWARD -i <LAN> -s 192.168.1.25 -j DROP

Should any of these IPs need access to the firewall then you need to place those rules before these.

-- 
Regards
Robert

It is not just an adventure. It is my job!!
Linux User #296285
http://counter.li.org
Hi,

If you want to allow one ip to access one destination then you can write the below rule in iptables.

iptables -t nat -A POSTROUTING -s 192.168.101.230 -d centosip -j MASQUERADE
iptables -t nat -A POSTROUTING -d 192.168.101.230 -s centosip -j MASQUERADE

For the remaining ips you can write a simple drop rule to the centos ip.

This will work for you, I am sure.

Regards,
paps

On Thu, Dec 4, 2008 at 2:51 PM, Indunil Jayasooriya <indunil75 at gmail.com> wrote:
> Hi,
>
> I know these are a few iptables questions. NOT CentOS, anyway, I am
> running a firewall on centos 5.x.
>
> If you can respond, it would be fine.
>
> I want to add a SNAT rule for one user in LAN to access one particular
> destination on the internet.
>
> Let's say www.centos.org
>
> I added the below rule. But it does NOT work.
> Pls assume 1.2.3.4 is the real ip of the firewall.
> ip address 192.168.101.230 is the client PC
>
> iptables -t nat -A POSTROUTING -o eth0 -s 192.168.101.230 -j SNAT
> --to-source 1.2.3.4 -d www.centos.org
>
> Any idea to achieve it?
>
> And also,
>
> the below rule excludes 1 ip. it works fine.
>
> iptables -t nat -A PREROUTING -p tcp -m multiport -s ! 192.168.1.9
> --destination-port 80,465,995 -j DNAT --to-destination :3128
>
> I want to exclude about 4 or 5 ips.
>
> let's say 192.168.1.11, 192.168.1.19, 192.168.1.20, 192.168.1.25
>
> Is there a way to do it?
>
> Hope to hear from you.
>
> --
> Thank you
> Indunil Jayasooriya
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos