[NTLUG:Discuss] How to masq a static IP with iptables?

Neil Aggarwal neil at JAMMConsulting.com
Sat Mar 16 00:51:20 CST 2002


Paul:

Here is my configuration:

My RedHat 7.2 Linux box has eth0 which is connected to my 
DSL line and eth1 that is connected to an IP switch for my
internal network.

The new machine has this configuration:
IP: 66.76.52.105
Netmask: 255.255.255.0
Gateway: 66.76.52.1
Broadcast: 66.76.52.255

I plugged the new machine into my internal network.

I tried to create the additional interface on my Linux
box using this line, which is translated from yours:
ifcfg eth1:1 66.76.52.1 netmask 255.255.255.0 broadcast 66.76.52.255
I got back these error messages:
Forwarding is ON or its state is unknown (5). OK, No RDISC.
Error: an inet prefix is expected rather than "inet".
Error: failed to add 66.76.52.1 peer inet on eth1.

So, I tried just typing:
ifcfg eth1:1 66.76.52.1
I got this message:
Forwarding is ON or its state is unknown (5). OK, No RDISC.

Then I typed the route command:
route -vF add -net 66.76.52.0 netmask 255.255.255.0 eth1
This did not report anything back, so I assumed it was OK.

At this point, from the new machine, I can ping machines in my
internal network, but nothing outside.  It does not seem like
the Linux box is masquerading the new machine.

As a matter of fact, now none of my internal machines can get 
out to the external network.  It is fine if I reboot the Linux
box (since it clears the additional interface and the route), but
this is definitely not the desired result.

Any suggestions?

Thanks,
	Neil.

--
Neil Aggarwal
JAMM Consulting, Inc.    (972) 612-6056, http://www.JAMMConsulting.com
Custom Internet Development    Websites, Ecommerce, Java, databases


> -----Original Message-----
> From: discuss-admin at ntlug.org [mailto:discuss-admin at ntlug.org] On Behalf
> Of Paul Ingendorf
> Sent: Thursday, March 07, 2002 8:52 PM
> To: discuss at ntlug.org
> Subject: RE: [NTLUG:Discuss] How to masq a static IP with iptables?
> 
> 
> Create an interface with the gateway IP of the gateway for the 
> network the machine will be on, then create a default route from 
> your Linux machine to that machine's subnet and allow MASQing through it.
> 
> 
> Like so
> Your Gateway 192.168.0.1
> Your Primary Interface eth0
> New Machines ip 10.0.0.2
> New Machine netmask
> New Machines Gateway 10.0.0.1
> 
> ifconfig eth0:1 10.0.0.2 netmask 255.0.0.0 broadcast 10.255.255.255
> route -vF add -net 10.0.0.0 netmask 255.0.0.0 eth0
> 
> This should allow you to work everything like you're asking and it 
> will allow it to perform almost exactly the way it would at the 
> client's site.
> 
> -----Original Message-----
> From: discuss-admin at ntlug.org [mailto:discuss-admin at ntlug.org] On Behalf
> Of Neil Aggarwal
> Sent: Thursday, March 07, 2002 6:55 PM
> To: NTLUG
> Subject: [NTLUG:Discuss] How to masq a static IP with iptables?
> 
> 
> Hello:
> 
> I have the following config:
> 
> DSL -----  Linux server -----  Hub ----  Multiple Internal machines
> 
> I have a static IP from the DSL Connection.
> 
> The Linux server is running dhcpd so it assigns internal
> network numbers (192.168.1.x) to the internal machines.
> It is also running masquerade so the internal machines
> have Internet access.  Here are the commands I used
> to get the masquerade up:
>       /sbin/modprobe ipt_MASQUERADE
>       /sbin/modprobe ip_conntrack_ftp
>       /sbin/modprobe ip_nat_ftp
>       /sbin/iptables -F
>       /sbin/iptables -t nat -F
>       /sbin/iptables -t mangle -F
>       /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> Everything works fine.
> 
> Now, I need to set-up a machine with a static IP for a client.
> Since I want to configure and test it before shipping it out
> to them, I need to be able to set-up the machine exactly as
> it would be in their network yet test it when it is connected
> to my internal network.
> 
> I think there should be a way to masquerade it, probably with
> a NAT command, but after reading the HOWTOs, I am confused.
> 
> Do I need to do SNAT for packets coming from the machine
> and DNAT for packets going to the machine?
> 
> I can't even begin to construct the iptables commands to accomplish
> this.
> 
> Can anyone shed some light on this?
> 
> Thanks,
> 	Neil.
> 
> --
> Neil Aggarwal
> JAMM Consulting, Inc.    (972) 612-6056, http://www.JAMMConsulting.com
> Custom Internet Development    Websites, Ecommerce, Java, databases
> 
> 
> _______________________________________________
> http://www.ntlug.org/mailman/listinfo/discuss
> 
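The arrangement Paul describes (the Linux box carries the client's gateway address on an alias of the internal interface, routes the client's subnet to that interface, and masquerades it out the DSL side), worked through as an added Python example that is not part of this thread. It uses the interface names and addresses quoted above; the external address of the Linux box is a constructed placeholder, since the posts never state it. The helper also performs the one check a practitioner would want before adding the route: that the test subnet does not overlap the network the external interface itself lives on, because such a route via eth1 would capture traffic meant for the DSL gateway and cut off every internal machine.

```python
import ipaddress

# Addresses taken from the thread above. EXTERNAL_IP is a constructed
# placeholder (RFC 5737 documentation range); the posts do not give the
# DSL-side address of the Linux box.
NEW_MACHINE_IP = "66.76.52.105"
NEW_MACHINE_NETMASK = "255.255.255.0"
NEW_MACHINE_GATEWAY = "66.76.52.1"
INTERNAL_IF = "eth1"            # hub/switch side of the Linux box
EXTERNAL_IF = "eth0"            # DSL side of the Linux box
EXTERNAL_IP = "192.0.2.10/24"   # placeholder, not from the thread


def plan_test_segment(new_ip, netmask, gateway, internal_if, external_if):
    """Return the alias, route and NAT rule that let a machine with a
    foreign static IP be exercised on the internal segment while being
    masqueraded through external_if. Raises ValueError on bad input."""
    iface = ipaddress.ip_interface(f"{new_ip}/{netmask}")
    net = iface.network
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        raise ValueError(f"gateway {gw} is not inside {net}")
    if gw == iface.ip:
        raise ValueError("gateway must differ from the machine's own address")
    return {
        "network": str(net),
        "broadcast": str(net.broadcast_address),
        # The Linux box stands in for the client's gateway on the internal
        # side, so the alias carries the *gateway* address on the internal
        # interface, not the new machine's address and not eth0.
        "alias": (f"ifconfig {internal_if}:1 {gw} netmask {net.netmask} "
                  f"broadcast {net.broadcast_address}"),
        "route": (f"route add -net {net.network_address} "
                  f"netmask {net.netmask} dev {internal_if}"),
        # Matching on the source network keeps MASQUERADE from silently
        # rewriting anything else that happens to leave via external_if.
        "nat": (f"iptables -t nat -A POSTROUTING -s {net.with_prefixlen} "
                f"-o {external_if} -j MASQUERADE"),
    }


def route_overlaps_external(test_network, external_interface_addr):
    """True when the test subnet overlaps the network the external
    interface lives on. A route for it via the internal interface would
    take precedence over the DSL gateway's connected route and break
    egress for every internal machine."""
    test_net = ipaddress.ip_network(test_network)
    ext_net = ipaddress.ip_interface(external_interface_addr).network
    return test_net.overlaps(ext_net)


if __name__ == "__main__":
    plan = plan_test_segment(NEW_MACHINE_IP, NEW_MACHINE_NETMASK,
                             NEW_MACHINE_GATEWAY, INTERNAL_IF, EXTERNAL_IF)
    if route_overlaps_external(plan["network"], EXTERNAL_IP):
        print(f"refusing: {plan['network']} overlaps the {EXTERNAL_IF} network")
    else:
        for key in ("alias", "route", "nat"):
            print(plan[key])
```

Run it and compare the printed commands with what was typed by hand; the point of generating them from the client's address/netmask/gateway triple is that the network, broadcast and source-match values cannot drift apart. Replace `EXTERNAL_IP` with the real address of eth0 before trusting the overlap check.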