router/nat with only one NIC

Tim Wunder tim
Sat Sep 25 09:34:39 PDT 2004


On Saturday 25 September 2004 9:28 am, someone claiming to be Tim Wunder 
wrote:
> On Wednesday 08 September 2004 8:14 pm, someone claiming to be David A. Bandel wrote:
> > On Wed, 08 Sep 2004 09:21:14 -0400
> > Tim Wunder <tim at thewunders.org> wrote:
> > > Is it possible to route internal internet traffic through a server
> > > that has only one NIC?
> > >
> > > I've only had one PC connected to the internet for quite some time and
> > > have it configured to route all internet traffic through squid,
> > > squidguard and dansguardian. I want to add a second PC and have its
> > > internet traffic routed the same way. The server that runs squid and
> > > dansguardian currently has only one NIC. So far, the information I've
> > > found on the 'net through googling indicates that I need to have a
> > > second NIC in order to do this.
> > >
> > > Is there a way to do it without adding a second NIC?
> >
> > Yes, just get a second IP from your provider (and configure the first
> > server as your proxy) or:
> >
> > ifconfig eth0:1 192.168.31.1
> > echo 1 > /proc/sys/net/ipv4/ip_forward
> > echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
> > add any firewall stuff you want, plus you'll need:
> > iptables -t nat -I POSTROUTING -s 192.168.31.0/24 -j SNAT --to-source
> > xxx.xxx.xxx.xxx
>
> <snip>
>
> OK, finally getting around to trying this...
>
> This is what I've done on my server/desktop PC running
> squid/dansguardian:
> # cat  /proc/sys/net/ipv4/ip_forward
> 1
> # cat /proc/sys/net/ipv4/conf/eth0/send_redirects
> 0
>
<snip ifconfig>

> nat requests from 10.0.0.0/24 thru 192.168.1.2 (eth0 on the server):
> # iptables -t nat -I POSTROUTING -s 10.0.0.0/24 -j SNAT --to-source
> 192.168.1.2
>

Shouldn't these be DNAT rules? Aren't I trying to change the DESTINATION of 
the packets?

> redirect http requests thru dansguardian:
> # iptables -t nat -I POSTROUTING -s 10.0.0.0/24 -j SNAT -p tcp --sport 80
> --to-source 192.168.1.2:3129
>
> redirect squid requests thru dansguardian:
> # iptables -t nat -I POSTROUTING -s 10.0.0.0/24 -j SNAT -p tcp --sport 3128
> --to-source 192.168.1.2:3129
>

I want http and squid (ports 80 and 3128) packets sent from 10.0.0.0/24 to go 
thru dansguardian (port 3129) on 192.168.1.2 via transparent proxy. All 
other packets I want to have go through the router located on 192.168.1.254.

Now 192.168.1.254 also does NAT, but it's only NAT'ing packets from 
192.168.1.2.

So... I'm doing SNAT for ports other than 80 and 3128 and DNAT for 80 and 
3128. Is that right?

I'll have to play around some more, but any suggestions/guidance would be 
welcome. Off to take care of some "honey-do's"...

Regards, 
Tim


-- 
Fedora Core 2, Kernel 2.6.7-1.494.2.2,  KDE 3.3.0, Xorg 6.7.0
 10:50:00 up 7 days, 57 min, 11 users,  load average: 0.36, 0.15, 0.11
It's what you learn after you know it all that counts
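
The split asked about at the end of the message, written out as an added example (not part of the original post or of any reply to it): destination rewriting for the two web ports in PREROUTING, source rewriting for everything else in POSTROUTING. The addresses and ports are the ones in the post; the variable and function names are hypothetical, and it assumes dansguardian accepts connections on 192.168.1.2:3129.

```shell
#!/bin/sh
# Added example: emit an iptables-restore "nat" table for a one-NIC proxy/router.
# Addresses and ports come from the post; all names below are hypothetical.
LAN_NET="10.0.0.0/24"      # clients behind the alias on eth0
SERVER_IP="192.168.1.2"    # eth0 on the squid/dansguardian box
FILTER_PORT="3129"         # dansguardian listener (assumed reachable on SERVER_IP)
WEB_PORTS="80 3128"        # destination ports to force through the filter

build_nat_rules() {
    printf '%s\n' "*nat"
    printf '%s\n' ":PREROUTING ACCEPT [0:0]"
    printf '%s\n' ":POSTROUTING ACCEPT [0:0]"
    printf '%s\n' ":OUTPUT ACCEPT [0:0]"
    # Destination rewrite belongs in PREROUTING, before the routing decision.
    # A client's web packet carries the web port as its DESTINATION port
    # (--dport); its source port is ephemeral, so a match on source port 80
    # or 3128 would never fire for outbound requests.
    for port in $WEB_PORTS; do
        printf '%s\n' "-A PREROUTING -s $LAN_NET -p tcp --dport $port -j DNAT --to-destination $SERVER_IP:$FILTER_PORT"
    done
    # Source rewrite belongs in POSTROUTING and only sees packets that are
    # still being forwarded out. The DNAT'ed web packets are delivered
    # locally instead, so this rule covers "all other packets", which must
    # leave as SERVER_IP because the upstream router only NATs that address.
    printf '%s\n' "-A POSTROUTING -s $LAN_NET -j SNAT --to-source $SERVER_IP"
    printf '%s\n' "COMMIT"
}

# Print the ruleset for review. As root, piping it into iptables-restore
# loads it and replaces whatever is currently in the nat table.
build_nat_rules
```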

