router/nat with only one NIC

David Bandel david.bandel
Sat Sep 25 18:01:25 PDT 2004 

On Sat, 25 Sep 2004 10:59:11 -0400, Tim Wunder <tim at thewunders.org> wrote:
> On Saturday 25 September 2004 9:28 am, someone claiming to be Tim Wunder
> wrote:
> > On Wednesday 08 September 2004 8:14 pm, someone claiming to be David A.
> > Bandel
[snip]
> 
> > nat requests from 10.0.0.0/24 thru 192.168.1.2 (eth0 on the server):
> > # iptables -t nat -I POSTROUTING -s 10.0.0.0/24 -j SNAT --to-source
> > 192.168.1.2
> >
> 
> Shouldn't these be DNAT rules? Aren't I trying to change the DESTINATION of
> the packets?
> > redirect http requests thru dansguardian:
> > # iptables -t nat -I POSTROUTING -s 10.0.0.0/24 -j SNAT -p tcp --sport 80
> > --to-source 192.168.1.2:3129
> >
> > redirect squid requests thru dansguardian:
> > # iptables -t nat -I POSTROUTING -s 10.0.0.0/24 -j SNAT -p tcp --sport 3128
> > --to-source 192.168.1.2:3129
> >

SNAT changes source (from) address
DNAT changes destination (to) address/port

SNAT:  POSTROUTING
DNAT:  PREROUTING

OK, I'm confused.  You have a router/NAT box 192.168.1.254.  It should
redirect all packets on port 80 that _don't_ come from 192.168.1.2
back to 1.2 port 3128.

Remind me what 10.x.x.x is for?  Why not part of 192.168.1.0/24?

> 
> I want http and squid (ports 80 and 3128) packets sent from 10.0.0.0/24 to go
> to thru dansguardian (port 3129) on 192.168.1.2 via transparent proxy. All
> other packets I want to have go through the router located on 192.168.1.254.

Don't you mean port 3128?  And where does 10.0.0.x come from?

> 
> Now 192.168.1.254 also does NAT, but it's only NAT'ing packets from
> 192.168.1.2

Seems kinda silly, but OK.  So where is 10.x.x.x hanging out?  Which
system/ethernet port?

> 
> So... I'm doing SNAT for ports other than 80 and 3128 and DNAT for 80 and
> 3128. Is that right?
> 
> I'll have to play around some more, but any suggestions/guidance would be
> welcome. Off to take car of some "honey-do's"...

Sounds like some of what you want might be better served with a VLAN,
at least for the10.x.x.x stuff.  But somewhere I'm still not clear.

Ciao,

David A. Bandel
-- 
Focus on the dream, not the competition.
            - Nemesis Air Racing Team motto

More information about the Linux-users mailing list