forum.opennet.ru - "iptables" (3)

форумы

помощь

поиск

регистрация

майллист

ВХОД

слежка

"iptables"

Форумы OpenNET: Виртуальная конференция (Public)
Вариант для распечатки		Архивированная нить - только для чтения! Пред. тема \| След. тема
Изначальное сообщение		[Проследить за развитием треда]

"iptables"
Сообщение от wma on 18-Апр-03, 13:56 (MSK)
hi all Подскжите плиз !! никак не получается настроить iptables для того чтобы в моей локалки работал инет. на серваке которые подключён к инету через dialup я указал iptables -t nat -A POSTROUTING -s 192.168.10.1 --out-interface eth0 -j SNAT --to-source (мой ip в инете) а на компе 192.168.10.1 я указал: route -add default gw 192.168.10.10(ip cервака с инетом) eth0 и не ответа не привета при пинге dns сервака в инете!!
	Рекомендовать в FAQ \| Cообщить модератору \| Наверх

Оглавление

iptables, Понт, 14:24 , 18-Апр-03, (1)
- iptables, Dimez, 15:04 , 18-Апр-03, (2)
iptables, wma, 15:47 , 21-Апр-03, (3)

Индекс форумов | Темы | Пред. тема | След. тема

Сообщения по теме

1. "iptables"

Сообщение от Понт on 18-Апр-03, 14:24  (MSK)

<a href="http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html#toc4.1">
I just want masquerading! Help!
</a>
This is what most people want. If you have a dynamically allocated IP PPP dialup (if you don't know, this is you), you simply want to tell your box that all packets coming from your internal network should be made to look like they are coming from the PPP dialup box.

# Load the NAT module (this pulls in all the others).
modprobe iptable_nat
# In the NAT table (-t nat), Append a rule (-A) after routing
# (POSTROUTING) for all packets going out ppp0 (-o ppp0) which says to
# MASQUERADE the connection (-j MASQUERADE).
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

Note that you are not doing any packet filtering here: for that, see the Packet Filtering HOWTO: `Mixing NAT and Packet Filtering'.

<a href="http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html#toc6.1">
Source NAT
</a>
You want to do Source NAT; change the source address of connections to something different. This is done in the POSTROUTING chain, just before it is finally sent out; this is an important detail, since it means that anything else on the Linux box itself (routing, packet filtering) will see the packet unchanged. It also means that the `-o' (outgoing interface) option can be used.
Source NAT is specified using `-j SNAT', and the `--to-source' option specifies an IP address, a range of IP addresses, and an optional port or range of ports (for UDP and TCP protocols only).

## Change source addresses to 1.2.3.4.
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4
## Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6
## Change source addresses to 1.2.3.4, ports 1-1023
# iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to 1.2.3.4:1-1023

Masquerading
There is a specialized case of Source NAT called masquerading: it should only be used for dynamically-assigned IP addresses, such as standard dialups (for static IP addresses, use SNAT above).
You don't need to put in the source address explicitly with masquerading: it will use the source address of the interface the packet is going out from. But more importantly, if the link goes down, the connections (which are now lost anyway) are forgotten, meaning fewer glitches when connection comes back up with a new IP address.

## Masquerade everything out ppp0.
# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

Рекомендовать в FAQ | Cообщить модератору | Наверх

2. "iptables"

Сообщение от Dimez on 18-Апр-03, 15:04  (MSK)

Короче, если динамический IP, то надо пользовать маскарад :)
При статическом IP маскарад тоже можно использовать, но он даёт большую нагрузку на роутер(конкретно на процессор) и => его использовать нецелесообразно...

Рекомендовать в FAQ | Cообщить модератору | Наверх

3. "iptables"

Сообщение от wma on 21-Апр-03, 15:47  (MSK)

Отличная штука этот маскарад
всё заработало после команды
#iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
всем большое спасибо

Рекомендовать в FAQ | Cообщить модератору | Наверх

Удалить

Индекс форумов | Темы | Пред. тема | След. тема

Пожалуйста, прежде чем написать сообщение, ознакомьтесь с данными рекомендациями.

Партнёры:

Хостинг:

Закладки на сайте
Проследить за страницей

Created 1996-2025 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру

1. "iptables"
Сообщение от Понт on 18-Апр-03, 14:24 (MSK)
<a href="http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html#toc4.1"> I just want masquerading! Help! </a> This is what most people want. If you have a dynamically allocated IP PPP dialup (if you don't know, this is you), you simply want to tell your box that all packets coming from your internal network should be made to look like they are coming from the PPP dialup box. # Load the NAT module (this pulls in all the others). modprobe iptable_nat # In the NAT table (-t nat), Append a rule (-A) after routing # (POSTROUTING) for all packets going out ppp0 (-o ppp0) which says to # MASQUERADE the connection (-j MASQUERADE). iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE # Turn on IP forwarding echo 1 > /proc/sys/net/ipv4/ip_forward Note that you are not doing any packet filtering here: for that, see the Packet Filtering HOWTO: `Mixing NAT and Packet Filtering'. <a href="http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html#toc6.1"> Source NAT </a> You want to do Source NAT; change the source address of connections to something different. This is done in the POSTROUTING chain, just before it is finally sent out; this is an important detail, since it means that anything else on the Linux box itself (routing, packet filtering) will see the packet unchanged. It also means that the `-o' (outgoing interface) option can be used. Source NAT is specified using `-j SNAT', and the `--to-source' option specifies an IP address, a range of IP addresses, and an optional port or range of ports (for UDP and TCP protocols only). ## Change source addresses to 1.2.3.4. # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4 ## Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6 # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6 ## Change source addresses to 1.2.3.4, ports 1-1023 # iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to 1.2.3.4:1-1023 Masquerading There is a specialized case of Source NAT called masquerading: it should only be used for dynamically-assigned IP addresses, such as standard dialups (for static IP addresses, use SNAT above). You don't need to put in the source address explicitly with masquerading: it will use the source address of the interface the packet is going out from. But more importantly, if the link goes down, the connections (which are now lost anyway) are forgotten, meaning fewer glitches when connection comes back up with a new IP address. ## Masquerade everything out ppp0. # iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
	Рекомендовать в FAQ \| Cообщить модератору \| Наверх


	2. "iptables"
	Сообщение от Dimez on 18-Апр-03, 15:04 (MSK)
	Короче, если динамический IP, то надо пользовать маскарад :) При статическом IP маскарад тоже можно использовать, но он даёт большую нагрузку на роутер(конкретно на процессор) и => его использовать нецелесообразно...
		Рекомендовать в FAQ \| Cообщить модератору \| Наверх

3. "iptables"
Сообщение от wma on 21-Апр-03, 15:47 (MSK)
Отличная штука этот маскарад всё заработало после команды #iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE всем большое спасибо
	Рекомендовать в FAQ \| Cообщить модератору \| Наверх