[sanniolug] Re: NAT

  • From: Massimiliano Mirra <mmirra@xxxxxxxxx>
  • To: sanniolug@xxxxxxxxxxxxx
  • Date: Fri, 13 Jun 2003 23:36:31 +0200

"Aladdin" <aladdin@xxxxxxxx> writes:

> Does anyone have a practical guide on NAT?

From the Masquerading-Simple-HOWTO:


2. Summary: (I like doing summaries first)

Assuming external internet card is eth0, and external IP is 123.12.23.43 and
the internal network card is eth1, then:
+---------------------------------------------------------------------------+
|$> modprobe ipt_MASQUERADE # If this fails, try continuing anyway          |
|$> iptables -F; iptables -t nat -F; iptables -t mangle -F                  |
|$> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 123.12.23.43        |
|$> echo 1 > /proc/sys/net/ipv4/ip_forward                                  |
+---------------------------------------------------------------------------+

Or for a dial-up connection:
+---------------------------------------------------------------------------+
|$> modprobe ipt_MASQUERADE # If this fails, try continuing anyway          |
|$> iptables -F; iptables -t nat -F; iptables -t mangle -F                  |
|$> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE                    |
|$> echo 1 > /proc/sys/net/ipv4/ip_forward                                  |
+---------------------------------------------------------------------------+

Then to secure it:
+---------------------------------------------------------------------------+
|$> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT        |
|$> iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT              |
|$> iptables -P INPUT DROP   #only if the first two are successful          |
|$> iptables -A FORWARD -i eth0 -o eth0 -j REJECT                           |
+---------------------------------------------------------------------------+

Or for a dial-up connection (with eth0 as the internal network card):
+---------------------------------------------------------------------------+
|$> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT        |
|$> iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT              |
|$> iptables -P INPUT DROP   #only if the first two are successful          |
|$> iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT                           |
+---------------------------------------------------------------------------+

And that's it! To view the rules do "iptables -t nat -L"
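The same gateway written as an iptables-restore ruleset, as an added example that is not part of the HOWTO or of the original post. It assumes the interface names and the 123.12.23.43 address used in the summary above, uses the current `! -i` syntax and the conntrack match in place of the older `-i !` and `-m state`, and goes one step beyond the HOWTO by giving FORWARD a DROP policy with explicit stateful rules instead of relying on its default-ACCEPT chain.

```shell
#!/bin/sh
# Emit an iptables-restore ruleset for a masquerading gateway.
# Arguments: external interface, internal interface and, optionally, the
# static external IP (static IP -> SNAT, no IP -> MASQUERADE, as for dial-up).
# The ruleset is printed rather than applied so it can be reviewed first.
gen_nat_rules() {
    ext_if=$1; int_if=$2; ext_ip=$3
    if [ -n "$ext_ip" ]; then
        nat_target="SNAT --to-source $ext_ip"
    else
        nat_target="MASQUERADE"
    fi
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $ext_if -j $nat_target
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT: the HOWTO's two rules, with the policy set to DROP in the same load.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate NEW ! -i $ext_if -j ACCEPT
# FORWARD (extension of the HOWTO): forward only what the LAN initiated,
# plus the replies; nothing new may come in from outside or turn around.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $int_if -o $ext_if -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $ext_if -o $ext_if -j REJECT
COMMIT
EOF
}

# Load the generated ruleset atomically and enable forwarding (needs root).
apply_nat_rules() {
    modprobe ipt_MASQUERADE 2>/dev/null || true   # may already be built in
    gen_nat_rules "$@" | iptables-restore
    sysctl -w net.ipv4.ip_forward=1
}
```

Run `gen_nat_rules eth0 eth1 123.12.23.43` for the static-IP case or `gen_nat_rules ppp0 eth0` for dial-up, and only call `apply_nat_rules` with the same arguments once the printed rules look right.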