NAT implementation

Adalbert Prokop adalbert.prokop at gmx.de
Wed Jul 25 19:10:33 UTC 2007


yogesh at banasdairy.coop wrote on Wednesday 25 July 2007:

First of all: are you sure that you are not mixing things up? Squid is a 
proxy. The intended use of a web-proxy is to cache web-pages to speed 
things up the next time someone calls the same page and to reduce 
outgoing internet traffic.

NAT stands for Network Address Translation and is commonly used on routers 
to hide the private network behind the router and to allow computers 
behind the router to use the internet, exposing only the router's IP.

> eth0=10.1.1.32(local)
> eth1=203.199.40.4(global)--for internet

> i want to make NAT for 10.1.1.53(local) from where i can ping
> yahoo.com/google.com directly can any one help me

This can be done by some iptable rules. First you have to allow IP 
forwarding on the router. In your case it is 10.1.1.32.

echo 1 > /proc/sys/net/ipv4/ip_forward

will allow forwarding for the current session, as long as your router 
stays powered up. To make this change permanent edit /etc/sysctl.conf and 
change the entry of IP forwarding to

net.ipv4.ip_forward = 1

The following command will rewrite all outgoing traffic from the local network 
to eth1 to your router's IP, allowing it to cross the net.

iptables -t nat -A POSTROUTING -o eth1 -s 10.1.1.0/24 -j SNAT --to-source 203.199.40.4

If you have a dynamic external IP address (as opposed to a static IP 
address) use this line instead

iptables -t nat -A POSTROUTING -o eth1 -s 10.1.1.0/24 -j MASQUERADE

Finally you have to specify the traffic which is allowed to pass through. 
The following lines will allow established connections, outgoing 
connections from the box you mentioned and drop everything else.

iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.1.1.53 -o eth1 -j ACCEPT

See also http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html

-- 
bye,
Adalbert

Real Programmers don't write in PL/I. PL/I is for programmers who can't 
decide whether to write in COBOL or FORTRAN.
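The three steps above (enable forwarding, add the POSTROUTING rule, restrict FORWARD) assembled into one reviewable script. This is an added example, not part of the original mail or of any Fedora tooling; interface names, addresses and the allowed host are taken from the thread but passed as parameters, the SNAT/MASQUERADE choice is made by leaving the external IP empty, and a flush of the two chains is added (an assumption beyond the post) so that re-running the script does not stack duplicate rules. Without APPLY=1 it only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the original post): generate and optionally apply
# the NAT rule set discussed in the thread.
#
# nat_rules LAN_IF WAN_IF LAN_NET WAN_IP ALLOWED_HOST
#   Prints one command per line. Pass an empty WAN_IP to get MASQUERADE
#   (dynamic external address) instead of SNAT (static external address).
nat_rules() {
    lan_if=$1; wan_if=$2; lan_net=$3; wan_ip=$4; host=$5

    # Step 1: turn on forwarding for the running kernel (persist it in
    # /etc/sysctl.conf as described in the post).
    echo "sysctl -w net.ipv4.ip_forward=1"

    # Assumption: flush both chains first so repeated runs stay idempotent.
    echo "iptables -t nat -F POSTROUTING"
    echo "iptables -F FORWARD"

    # Step 2: rewrite the source of LAN traffic leaving via the WAN interface.
    if [ -n "$wan_ip" ]; then
        echo "iptables -t nat -A POSTROUTING -o $wan_if -s $lan_net -j SNAT --to-source $wan_ip"
    else
        echo "iptables -t nat -A POSTROUTING -o $wan_if -s $lan_net -j MASQUERADE"
    fi

    # Step 3: default-deny forwarding, allow replies to existing connections,
    # and allow new outbound connections from the one permitted host only.
    # -i $lan_if is an added restriction: the packet must arrive on the LAN side.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -A FORWARD -i $lan_if -o $wan_if -s $host -j ACCEPT"
}

# count_rules TARGET [nat_rules args...]
#   Number of generated lines mentioning TARGET; handy for a quick self-check.
count_rules() {
    target=$1; shift
    nat_rules "$@" | grep -c -- "$target"
}

# apply_rules [nat_rules args...]
#   Executes the generated commands one by one, stopping at the first failure.
#   Requires root and a kernel with netfilter; only runs when APPLY=1.
apply_rules() {
    nat_rules "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# Values from the thread: router LAN side eth0/10.1.1.32, WAN side
# eth1/203.199.40.4, and 10.1.1.53 as the host allowed out.
if [ "${APPLY:-0}" = 1 ]; then
    apply_rules eth0 eth1 10.1.1.0/24 203.199.40.4 10.1.1.53
else
    nat_rules eth0 eth1 10.1.1.0/24 203.199.40.4 10.1.1.53
fi
```

Run it once without APPLY to read the rule list, then `APPLY=1 sh nat.sh` as root. Note that the FORWARD policy is `DROP` in uppercase: iptables target names are case sensitive, so a lowercase `drop` is rejected and would leave the policy at its previous value.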