
IpCop (IP Chains) mapping an internal IP to an external alias for outbound masquerading

The issue is this: 

You configure an iptables firewall with multiple static public IPs. By default, all outbound traffic is masqueraded behind the DEFAULT IP. In some cases you want outbound traffic to leave from a particular external static IP other than the default one.

I found the answer in the post at this link, but I wanted to republish it here so that it is easier for me to find ;)

http://www.the-scream.co.uk/forums/showthread.php?t=11460

Code:
cd /etc/rc.d
cp rc.firewall rc.firewall_original
vi rc.firewall

Look for the 'MASQUERADE' line; it's probably around line 82 and looks like:

Code:
# Allow IPSec
/sbin/iptables -A RED -p 47 -i $IFACE -j ACCEPT
/sbin/iptables -A RED -p 50 -i $IFACE -j ACCEPT
/sbin/iptables -A RED -p 51 -i $IFACE -j ACCEPT
/sbin/iptables -A RED -p udp -i $IFACE --sport 500 --dport 500 -j ACCEPT

# Outgoing masquerading
/sbin/iptables -t nat -A RED -o $IFACE -j MASQUERADE

The fix we need to do is put specific rules in before the

/sbin/iptables -t nat -A RED -o $IFACE -j MASQUERADE

line.

Something like:

Code:
/sbin/iptables -t nat -A RED -s aa.bb.cc.dd -o $IFACE -j SNAT --to-source ee.ff.gg.hh

where aa.bb.cc.dd is the internal IP and ee.ff.gg.hh is one of your owned alias IPs. Of course, you can add multiple of these SNAT lines before the 'default' MASQ thing.

I am not an iptables expert, but I would guess you can further refine the matching for the SNAT.

The file should look something like:

Code:
# Allow IPSec
/sbin/iptables -A RED -p 47 -i $IFACE -j ACCEPT
/sbin/iptables -A RED -p 50 -i $IFACE -j ACCEPT
/sbin/iptables -A RED -p 51 -i $IFACE -j ACCEPT
/sbin/iptables -A RED -p udp -i $IFACE --sport 500 --dport 500 -j ACCEPT

# silver made me do it http://www.the-scream.co.uk/forums/t11460.html
/sbin/iptables -t nat -A RED -s aa.bb.cc.dd -o $IFACE -j SNAT --to-source ee.ff.gg.hh

# Outgoing masquerading
/sbin/iptables -t nat -A RED -o $IFACE -j MASQUERADE

Some references so you can see where I went wrong:

http://www.siliconvalleyccie.com/lin...m#_Toc57743584

http://www.mandrakesecure.net/en/doc...inuxdoc-6.html

Once you are happy, reboot the box. If it breaks, then put back the original file or re-install IPCop.
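The reason the SNAT rules have to sit above the MASQUERADE line is that the nat table is evaluated first-match: the catch-all MASQUERADE rule matches every packet leaving $IFACE, so any SNAT rule placed after it is dead. The script below is an added example, not code from the forum post or from IPCop; it generates the rc.firewall lines for a list of internal-host to alias-IP mappings in the correct order, and it includes a check you can pipe the output of `iptables -t nat -S RED` into to confirm that no SNAT rule has ended up behind the MASQUERADE rule. The addresses, the `SNAT_MAP` variable, the function names and the default interface name `eth1` are all assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original post or IPCop): build the outbound
# SNAT rules for the IPCop nat RED chain from a mapping list, and verify
# that an existing rule listing keeps every SNAT rule ahead of MASQUERADE.
# All addresses are documentation/private ranges chosen for the example.

# IPCop's rc.firewall sets $IFACE to the RED interface; eth1 is an assumed default.
IFACE="${IFACE:-eth1}"

# "internal_ip external_alias" pairs (constructed sample data).
SNAT_MAP="192.168.1.10 203.0.113.11
192.168.1.20 203.0.113.12"

# Print the nat rules in the order they must appear in rc.firewall:
# one specific SNAT line per mapping, then the default MASQUERADE last.
gen_nat_rules() {
    printf '%s\n' "$SNAT_MAP" | while read -r inside outside; do
        [ -n "$inside" ] || continue
        echo "/sbin/iptables -t nat -A RED -s $inside -o $IFACE -j SNAT --to-source $outside"
    done
    echo "/sbin/iptables -t nat -A RED -o $IFACE -j MASQUERADE"
}

# Read an 'iptables -t nat -S RED' listing on stdin. Exit 0 if every SNAT
# rule precedes the first MASQUERADE rule, 1 otherwise. A SNAT rule that
# appears after the catch-all MASQUERADE never matches, because the nat
# chain stops at the first matching target.
check_snat_order() {
    awk '
        /-j MASQUERADE/ { seen_masq = 1 }
        /-j SNAT/ && seen_masq { bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed listings to exercise the check (not captures from a real box).
GOOD_LISTING='-N RED
-A RED -s 192.168.1.10/32 -o eth1 -j SNAT --to-source 203.0.113.11
-A RED -o eth1 -j MASQUERADE'

BAD_LISTING='-N RED
-A RED -o eth1 -j MASQUERADE
-A RED -s 192.168.1.10/32 -o eth1 -j SNAT --to-source 203.0.113.11'

# Small wrappers so the results can be inspected without a live firewall.
rules_count() { gen_nat_rules | wc -l | tr -d ' '; }
good_listing_ok() { printf '%s\n' "$GOOD_LISTING" | check_snat_order; }
bad_listing_ok()  { printf '%s\n' "$BAD_LISTING"  | check_snat_order; }

# Usage: show the generated rc.firewall lines, then report on both listings.
gen_nat_rules
good_listing_ok && echo "good listing: SNAT rules precede MASQUERADE"
bad_listing_ok  || echo "bad listing: a SNAT rule sits behind MASQUERADE and will never match"
```

On a running IPCop box the check is `/sbin/iptables -t nat -S RED | check_snat_order`; a non-zero exit means the edit landed below the MASQUERADE line and the host will still leave on the default address. Keeping the mapping in one variable also makes it obvious which internal hosts are allowed to present a non-default public address, which is worth reviewing whenever an alias is added or removed.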

Published Friday, January 25, 2008 4:31 AM by david
