[Gllug] working with postrouting and iptables - thanks

andy at mac1systems.com andy at mac1systems.com
Sat Aug 23 13:07:47 UTC 2003


Snip
>
> I'm not quite sure what you win by doing this over the (IMHO) simpler
> and definitely working solution of just configuring it as one big
> classless (CIDR) network 192.168.24.0/22 with a network address
> 192.168.24.0 and broadcast 192.168.27.255 and a single address for the
> router.
It's going to be on 4 separate wireless segments with their own router, but
at present the wireless is acting as a bridge with the linux box talking to
all of them directly.  When the wireless segments are separated I'll remove
the IP aliases and talk only to the routers on a 28 network.

>
> The one thing I think you'll have trouble with is broadcasts: some IP
> stacks won't respond to a broadcast if it is inconsistent with the
> device config - for example:
Each segment is using a /24 mask so broadcasts etc work ok (or appear to
anyway!).

snip
>> Connections from 192.168.27.x to a public get correctly SNATed and it
>> works a treat (and from the others).
>>
>> But also connections from 192.168.27.x to 192.168.25.x are also being
>> SNATed and look like they are coming from the gateway, which I don't
>> want.
snip
> You need to be looking at another "table". Packet filtering is done in
> the "filter" table (there is a presumption that "iptables -A..." means
> "iptables -t filter -A ..."), but nat is done in the nat table, and you
> can also do stuff in the mangle table. To get completely full listings
> of every rule in your config you could do:
>
>
> # iptables -t nat -nvL POSTROUTING
> Chain POSTROUTING (policy ACCEPT 3839 packets, 261K bytes)
> pkts  bytes target  prot opt in  out   source      destination
> 7094  417K  SNAT    all  --  *   ppp+  10.0.0.0/8  0.0.0.0/0    to:111.222.333.444

Thanks for helping me find my way through the trees.  Once I'd seen this I
could see a heap of old rules that I hadn't flushed!  I put the flush in my
script and it's working a treat.

Snip
> Simon
>
Many thanks from deepest darkest Africa (next door to Liberia!!)

Andy
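The fix the thread arrives at (flush the stale nat rules, then only SNAT what actually leaves via the uplink) can be written as a small script that can be previewed before it is applied. This is an added example, not Andy's or Simon's script; it assumes the LAN supernet 192.168.24.0/22 and the ppp+ uplink from the thread, and PUBLIC_IP is a placeholder for the router's real public address.

```shell
#!/bin/sh
# Added example (not from the original thread). Rebuilds the nat POSTROUTING
# chain so that traffic between the four LAN /24s stays un-NATed while
# anything leaving via the uplink is SNATed. Assumptions (not from the thread):
# the LAN supernet is 192.168.24.0/22, the uplink is ppp+, and PUBLIC_IP is a
# placeholder (TEST-NET-3) standing in for the router's real public address.
IPT="${IPT:-iptables}"                # set IPT=echo to preview instead of apply
LAN_SUPERNET="192.168.24.0/22"
UPLINK="ppp+"
PUBLIC_IP="${PUBLIC_IP:-203.0.113.1}" # placeholder, replace before applying

# Every rule goes through $IPT so the whole chain can be previewed with
# IPT=echo before a live firewall is touched.
build_postrouting() {
    # 1. Start from a clean chain: leftover rules from earlier experiments are
    #    exactly what hid the unwanted SNAT in the thread.
    "$IPT" -t nat -F POSTROUTING
    # 2. LAN-to-LAN traffic must leave POSTROUTING untouched, so it RETURNs
    #    before any SNAT rule is reached (rule order matters here).
    "$IPT" -t nat -A POSTROUTING -s "$LAN_SUPERNET" -d "$LAN_SUPERNET" -j RETURN
    # 3. Only traffic that leaves through the uplink interface gets SNATed;
    #    matching on -o keeps inter-segment traffic out of this rule too.
    "$IPT" -t nat -A POSTROUTING -s "$LAN_SUPERNET" -o "$UPLINK" \
        -j SNAT --to-source "$PUBLIC_IP"
}

# Dry run: print the rules that would be installed, one per line.
preview_rules() {
    ( IPT=echo; build_postrouting )
}

# After applying, the per-rule counters show whether inter-segment traffic is
# hitting the RETURN rule rather than the SNAT rule (as in the thread's -nvL).
show_postrouting() {
    "$IPT" -t nat -nvL POSTROUTING
}

if [ "${1:-}" = "--apply" ]; then
    build_postrouting && show_postrouting
else
    preview_rules
fi
```

Run the script with no arguments to see the three iptables commands it would issue; run it as root with `--apply` to install them and print the chain with counters. If the SNAT rule's pkts counter keeps climbing while two LAN hosts talk to each other, the RETURN rule is not in front of it.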




-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug