From: Peter F. <pe...@em...> - 2004-09-21 15:59:26
Dominic...take a deep breath. You are going to have to read a little.

The line you have shown below tells me that you don't yet have a grasp on this. Who is 12.131? Who is 12.167? Did you subnet 172.16.12 into enough subclasses so that .131 is on one network card and .167 is on another?

When you use the POSTROUTING rule, you are dealing with packets that are being passed THROUGH the gateway. Does the gateway have .167? If so, what is the subnet of the OTHER network card on the gateway?

The line you typed does not make much sense lest the OTHER network card is on the same subnet as .131...In other words:

Eth0: 172.16.12.129 in subnet 172.16.12.128/28
Eth1: 172.16.12.167 in subnet 172.16.12.160/28

And you would need a host on Eth0 with IP address 12.131 to make your rule valid.

I will help you...tell me what you want to do, and I will give you the rules. That will help you learn. But seriously, you are getting stuck on how to use a $5000 super duper gas grill, when you have just figured out what fire is. You are going to have to learn the basics of TCP/IP. Learning NAT and basic routing can only come AFTER you understand IP address schemes, subnetting and routing.

Don't be discouraged...None of us were born knowing this stuff.

Peter

On Tue, 2004-09-21 at 09:31, Dominic Iadicicco wrote:
> I have been reading most of the documentation and just
> started reading the netfilter docs.
>
> For an experiment I tried this.
>
> "iptables -t nat -A POSTROUTING -s 172.16.12.131 -o eth0 -j SNAT --to 172.16.12.167"
>
> This is all on a 172.16.12.x subnet.
>
> From the same machine I then tried to ping
> 172.16.12.200 and I got nowhere. When I deleted the
> rule it worked fine.
>
> Now I got this right from the netfilter page. I
> thought it was just supposed to change the source IP
> address.
>
> I checked and .167 is not being used.
>
> Thanks for all info in advance.
>
> --- Bruce Smith <bw...@ar...> wrote:
>
> > Also, I think this site is great for someone just starting with
> > iptables: http://www.knowplace.org/netfilter/syntax.html
> >
> > IMO, the Packet Traversal picture on the front page is priceless
> > for understanding how everything fits together.
> >
> > - BS
> >
> > > I would recommend http://www.netfilter.org/documentation/index.html
> > >
> > > Read Packet Filtering HOWTO, and Networking Concepts HOWTO
> > >
> > > also look at the /etc/init.d/firewall.rules and try to understand what every
> > > command means.
> > > If you can do that you basically know iptables.
> > >
> > > Jonathan Gustafson
> > > ----- Original Message -----
> > > From: "Bruce Smith" <bw...@ar...>
> > > To: "Devil Linux" <dev...@li...>
> > > Sent: Monday, September 20, 2004 9:40 PM
> > > Subject: Re: [Devil-Linux-discuss] Using NAT
> > >
> > > > > Sorry I meant 192.
> > > > >
> > > > > Let me get this straight. If you're on a 172 subnet
> > > > > there's no way to access a 192 or a 10 and vice versa?
> > > >
> > > > No, that's not what I said or meant.
> > > >
> > > > _Private_ IP addresses are reserved for private use,
> > > > which means they will never be used as a valid IP on
> > > > the Internet. There are only certain IP ranges
> > > > assigned for private usage.
> > > >
> > > > If you use public IP(s) internally, then you stand the
> > > > risk of not being able to reach certain sites on the
> > > > Internet because they could be using the same IP that
> > > > you are using internally.
> > > >
> > > > Only 192.168.*.* are private. NOT 192.*.*.*.
> > > >
> > > > Neither 172.*.*.* (what you said before), nor
> > > > 192.*.*.* (what you meant) are entirely _private_.
> > > > That was my point. Nothing to do with routing.
> > > >
> > > > - BS
> > > >
> > > > > --- Bruce Smith <bw...@ar...> wrote:
> > > > >
> > > > > > > Well, you are right, I did route from one IP to
> > > > > > > another. 10.0.0.120 to 192.168.1.150 and I could ping
> > > > > > > it from the router itself but not from a connected
> > > > > > > machine. Then I thought about it, I guess this is not
> > > > > > > what I want to do. Basically I want to create a
> > > > > > > 10.0.0.0 subnet and I need it to be able to access
> > > > > > > IPs on a 172.0.0.0 subnet. So I think my router is
> > > > > > > about to become a gw as well as a router/firewall.
> > > > > > >
> > > > > > > Does this sound right?
> > > > > >
> > > > > > Sounds OK, except for the "172.0.0.0 subnet" part.
> > > > > >
> > > > > > I don't know if you really meant "192" since you never mentioned
> > > > > > a 172 subnet before, or if 172 is right. Either way it's not
> > > > > > correct because neither one is a private class A subnet (like 10).
> > > > > >
> > > > > > 172.[16-31].*.* are private class B subnets,
> > > > > >
> > > > > > and 192.168.*.* are private class C subnets
> > > > > > (or you could make it one non-standard private class B).
> > > > > >
> > > > > > And 10.*.*.* is the only private class A subnet.
> > > > > > (or a bunch of private class B's or A's ... :)
> > > > > >
> > > > > > - BS
> > > >
> > > > -------------------------------------------------------
> > > > This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
> > > > Project Admins to receive an Apple iPod Mini FREE for your judgement on
> > > > who ports your project to Linux PPC the best. Sponsored by IBM.
> > > > Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
> > > > _______________________________________________
> > > > Devil-linux-discuss mailing list
> > > > Dev...@li...
> > > > https://lists.sourceforge.net/lists/listinfo/devil-linux-discuss
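
Added example, not part of the thread: a Python sketch that takes the SNAT rule quoted above and reports where its matched source and its rewritten source address sit in two interface layouts, together with a test for the private ranges discussed in the older replies. FLAT is an assumed single-NIC /24 layout, SPLIT is the /28 layout from Peter's reply, and all function names are illustrative.

```python
import ipaddress
import shlex

# Private ranges named in the thread: 10.*, 172.16-31.*, 192.168.* (RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Rule exactly as quoted in the thread.
RULE = ("iptables -t nat -A POSTROUTING -s 172.16.12.131 -o eth0 "
        "-j SNAT --to 172.16.12.167")

# Constructed layouts. FLAT is an assumption (one NIC on a flat /24);
# SPLIT is the two-NIC /28 layout given in Peter's reply.
FLAT = {"eth0": "172.16.12.131/24"}
SPLIT = {"eth0": "172.16.12.129/28", "eth1": "172.16.12.167/28"}

def is_rfc1918(addr):
    """True only for addresses inside the three RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def parse_snat(rule):
    """Pull -s, -o and --to / --to-source out of one SNAT rule."""
    tok = shlex.split(rule)
    opts = {}
    for flag, key in (("-s", "src"), ("-o", "out"),
                      ("--to", "to"), ("--to-source", "to")):
        if flag in tok:
            opts[key] = tok[tok.index(flag) + 1]
    return opts

def describe(rule, interfaces):
    """interfaces maps name -> 'addr/prefix'; returns facts about the rule."""
    ifs = {n: ipaddress.ip_interface(v) for n, v in interfaces.items()}
    r = parse_snat(rule)
    src = ipaddress.ip_address(r["src"])
    to = ipaddress.ip_address(r["to"])
    return {
        "out": r["out"],
        # interface whose subnet contains the matched source address
        "src_subnet_of": next((n for n, i in ifs.items() if src in i.network), None),
        # interface that actually holds the rewritten source address
        "to_owned_by": next((n for n, i in ifs.items() if i.ip == to), None),
        "to_private": is_rfc1918(r["to"]),
    }

if __name__ == "__main__":
    for name, layout in (("flat", FLAT), ("split", SPLIT)):
        print(name, describe(RULE, layout))
```

For FLAT, `to_owned_by` is `None`: no interface holds 172.16.12.167, so replies addressed to the rewritten source have no host to answer for them.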