NAT implementation
Adalbert Prokop
adalbert.prokop at gmx.de
Wed Jul 25 19:10:33 UTC 2007
yogesh at banasdairy.coop wrote on Wednesday 25 July 2007:
First of all: are you sure that you are not mixing things up? Squid is a
proxy. The intended use of a web-proxy is to cache web-pages to speed
things up the next time someone calls the same page and to reduce
outgoing internet traffic.
NAT stands for Network Address Translation and is commonly used on routers
to hide the private network behind the router and to allow computers
behind the router to use the internet, exposing only the router's IP.
> eth0=10.1.1.32(local)
> eth1=203.199.40.4(global)--for internet
> i want to make NAT for 10.1.1.53(local) from where i can ping
> yahoo.com/google.com directly can any one help me
This can be done by some iptables rules. First you have to allow IP
forwarding on the router. In your case it is 10.1.1.32.
echo 1 > /proc/sys/net/ipv4/ip_forward
will allow forwarding for the current session, as long as your router
stays powered up. To make this change permanent edit /etc/sysctl.conf and
change the entry of IP forwarding to
net.ipv4.ip_forward = 1
The following command will rewrite all outgoing traffic from the local network
to eth1 to your router's IP, allowing it to cross the net.
iptables -t nat -A POSTROUTING -o eth1 -s 10.1.1.0/24 -j SNAT --to-source 203.199.40.4
If you have a dynamic external IP address (as opposed to a static IP
address) use this line instead
iptables -t nat -A POSTROUTING -o eth1 -s 10.1.1.0/24 -j MASQUERADE
Finally you have to specify the traffic which is allowed to pass through.
The following lines will allow established connections, outgoing
connections from the box you mentioned and drop everything else.
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.1.1.53 -o eth1 -j ACCEPT
See also http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html
--
bye,
Adalbert
Real Programmers don't write in PL/I. PL/I is for programmers who can't
decide whether to write in COBOL or FORTRAN.
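The steps above (enable forwarding, SNAT or MASQUERADE on the external interface, a default-deny FORWARD chain that only passes replies and the one allowed host) collected into a script that first prints the rules for review and applies them only when explicitly asked. This is an added example and not code from the original post; the interface names and addresses are the ones from the post, and the function and variable names (nat_rules, allowed_hosts, apply_nat_rules, DRY_RUN) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: build the single-host NAT
# ruleset the message describes as a list of commands so it can be reviewed
# (or diffed against the running firewall) before anything is applied.
# Assumed values: eth1, 10.1.1.0/24, 203.199.40.4 and 10.1.1.53 come from
# the post; the function names below are this example's own.

# Print the sysctl/iptables commands for the setup.
# $1 external interface, $2 local subnet, $3 external IP or the word
# "dynamic" (selects MASQUERADE instead of SNAT), remaining args: the
# local hosts that are allowed to open outbound connections.
nat_rules() {
    ext_if=$1; lan=$2; ext_ip=$3
    shift 3
    echo "sysctl -w net.ipv4.ip_forward=1"
    if [ "$ext_ip" = dynamic ]; then
        echo "iptables -t nat -A POSTROUTING -o $ext_if -s $lan -j MASQUERADE"
    else
        echo "iptables -t nat -A POSTROUTING -o $ext_if -s $lan -j SNAT --to-source $ext_ip"
    fi
    # Default deny on the FORWARD chain, then only reply traffic and the
    # listed hosts' outbound connections get through.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
    for h in "$@"; do
        echo "iptables -A FORWARD -s $h -o $ext_if -j ACCEPT"
    done
}

# Count the per-host ACCEPT rules in a generated ruleset, so a reviewer can
# confirm that nothing beyond the intended machines was opened.
allowed_hosts() {
    printf '%s\n' "$1" | grep -c -- '-A FORWARD -s .* -j ACCEPT'
}

# Apply the rules. With DRY_RUN=1 (or when not running as root) the
# commands are only printed; otherwise each one is executed in order and
# the first failure stops the run.
apply_nat_rules() {
    rules=$(nat_rules "$@")
    if [ "${DRY_RUN:-}" = 1 ] || [ "$(id -u)" != 0 ]; then
        printf '%s\n' "$rules"
        return 0
    fi
    printf '%s\n' "$rules" | while IFS= read -r cmd; do
        sh -c "$cmd" || exit 1
    done
}

# Run directly: show the rules for the setup in the post. Dry run by
# default; set DRY_RUN=0 and run as root to actually apply them.
DRY_RUN=${DRY_RUN:-1}
apply_nat_rules eth1 10.1.1.0/24 203.199.40.4 10.1.1.53
```

Passing "dynamic" as the third argument switches the POSTROUTING rule to MASQUERADE, matching the alternative line in the post; adding more hosts after the external IP adds one ACCEPT rule each, which allowed_hosts makes easy to verify.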