Re: [Fwbuilder-discussion] Iptables and NAT
From: Vadim K. ✎ <va...@vk...> - 2008-05-22 05:52:00
I do not think there is a clear way to avoid the "-o interface" clause, but if the address used for SNAT --to-source does not belong to any interface, the compiler should use something like "-o eth+" (that is, match all egress interfaces). If the address you use for SNAT --to-source belongs to one of the interfaces of the firewall, but outgoing packets get routed through another interface, then you can use the trick described in the Firewall Builder Cookbook under "SNAT using address of "wrong" interface":

http://www.fwbuilder.org/guides/firewall_builder_cookbook.html

--vk

On May 21, 2008, at 4:21 PM, Graham Johnston wrote:

> Hello,
>
> First off fwbuilder is a great product, this is the first time I think I
> have really found a problem with it.
>
> I attempted to set up SNAT for some RFC1918 addressed devices where
> the SNAT address wasn't bound to the output interface of the firewall
> and it didn't work until I removed the "-o <interface>" from the
> iptables command, see the second iptables command of each block below
> for the difference.
>
> My question is: is there a way to have the "-o" not appear in the first
> place, or some other fix that doesn't require me to update the .fw after
> compile?
>
> thanks in advance
>
> ---Original----
> #
> # Rule 0 (NAT)
> #
> echo "Rule 0 (NAT)"
> #
> #
> $IPTABLES -t nat -N Cid45DF645212055.0
> $IPTABLES -t nat -A POSTROUTING -o bond1.98 -s 172.17.0.0/24 -j Cid45DF645212055.0
> $IPTABLES -t nat -A Cid45DF645212055.0 -d 216.36.132.80/28 -j RETURN
> $IPTABLES -t nat -A Cid45DF645212055.0 -d 172.17.0.0/24 -j RETURN
> $IPTABLES -t nat -A Cid45DF645212055.0 -d 216.36.132.160/28 -j RETURN
> $IPTABLES -t nat -A Cid45DF645212055.0 -j SNAT --to-source 216.36.132.81
>
> ---Update----
> #
> # Rule 0 (NAT)
> #
> echo "Rule 0 (NAT)"
> #
> #
> $IPTABLES -t nat -N Cid45DF645212055.0
> $IPTABLES -t nat -A POSTROUTING -s 172.17.0.0/24 -j Cid45DF645212055.0
> $IPTABLES -t nat -A Cid45DF645212055.0 -d 216.36.132.80/28 -j RETURN
> $IPTABLES -t nat -A Cid45DF645212055.0 -d 172.17.0.0/24 -j RETURN
> $IPTABLES -t nat -A Cid45DF645212055.0 -d 216.36.132.160/28 -j RETURN
> $IPTABLES -t nat -A Cid45DF645212055.0 -j SNAT --to-source 216.36.132.81
>
>
> Graham Johnston
> Manager, Network Services
> Westman Communications Group
> 204.571.7225
> joh...@we...
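The decision the reply describes (keep "-o <iface>" when the --to-source address is bound to a local interface, otherwise match every egress interface) as an added, runnable example. This is not code from the fwbuilder project or from either author in the thread; it reproduces the chain layout of the quoted rules and picks the "-o" clause from an interface/address table. The names snat_chain and iface_of_address are assumed, and ADDR_TABLE is a constructed stand-in for "ip -o -4 addr show" output, not a real host.

```shell
#!/bin/sh
# Added example (not fwbuilder's own generator). Emits the iptables commands
# for one SNAT rule, omitting "-o" when the --to-source address is not bound
# to any local interface, so the rule matches every egress interface.

# Constructed sample table, "<ifname> <address/prefix>" per line. Note that
# 216.36.132.81 (the --to-source used in the thread) is deliberately absent.
ADDR_TABLE='bond1.98 216.36.132.1/28
bond0 172.17.0.1/24
lo 127.0.0.1/8'

# Print the interface that holds address $1 according to table $2;
# print nothing if no interface has it. (Assumed helper name.)
iface_of_address() {
    printf '%s\n' "$2" | while read -r ifname cidr; do
        if [ "${cidr%/*}" = "$1" ]; then
            printf '%s\n' "$ifname"
            break
        fi
    done
}

# Emit the rule set for one SNAT rule. (Assumed helper name.)
#   $1 chain name        $2 original source      $3 --to-source address
#   $4 space-separated destinations to exclude (RETURN)   $5 address table
snat_chain() {
    chain=$1; src=$2; tosrc=$3; excl=$4; table=$5
    iface=$(iface_of_address "$tosrc" "$table")
    if [ -n "$iface" ]; then
        oclause="-o $iface "      # address is local: restrict to its interface
    else
        oclause=""                # address is not local: match all egress interfaces
    fi
    printf 'iptables -t nat -N %s\n' "$chain"
    printf 'iptables -t nat -A POSTROUTING %s-s %s -j %s\n' "$oclause" "$src" "$chain"
    # Exclusions first, so traffic to these networks is never translated.
    for d in $excl; do
        printf 'iptables -t nat -A %s -d %s -j RETURN\n' "$chain" "$d"
    done
    printf 'iptables -t nat -A %s -j SNAT --to-source %s\n' "$chain" "$tosrc"
}

# Stand-alone run: the thread's case, --to-source bound to no interface.
snat_chain Cid45DF645212055.0 172.17.0.0/24 216.36.132.81 \
    "216.36.132.80/28 172.17.0.0/24 216.36.132.160/28" "$ADDR_TABLE"
```

Two caveats worth keeping in mind. The "+" in an iptables interface name is a prefix wildcard, so "-o eth+" matches only interfaces whose names start with "eth" and would not match bond1.98; leaving "-o" out altogether is the portable way to match every egress interface. And once "-o" is gone, anything from 172.17.0.0/24 leaving on any interface is a candidate for translation, which is why the RETURN exclusions for the internal and directly connected networks have to stay ahead of the SNAT target.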