netstat on RedHat 7.2, IP MASQ
Brian Densmore
DensmoreB at ctbsonline.com
Tue Apr 9 13:39:17 CDT 2002
> -----Original Message-----
> From: Jonathan Hutchins [mailto:hutchins at opus1.com]
> Sent: Monday, April 08, 2002 8:07 PM
> To: Brian Densmore; Jonathan Hutchins; kclug at kclug.org
> Subject: RE: netstat on RedHat 7.2, IP MASQ
>
>
> > -----Original Message-----
> > From: Brian Densmore [mailto:DensmoreB at ctbsonline.com]
>
> > Iptables doesn't do ip_masquerade. ip_masquerade was a
> > partial solution hack to do NAT. Masquerading is accomplished
> > by using the NAT rules.
>
> Which are done with commands that begin "iptables", so I think you're
> arguing a fine point of semantics without a clear
> understanding yourself.
This much is certain! ;')
Although I have a much better grasp on this than I do on certificate
authorities.
[And I do have a rather thick and complete reference book on iptables]
>
>
> > You need these rules if you want to masquerade your LAN
> connections to
> > the internet. iptables -A FORWARD blah
>
> Yeah. Iptables. Doing NAT/Masq. Up and running.
>
> So am I supposed to try "netstat -NAT?"
Not sure that would work, can't answer that.
I'd use iptables -L NAT
if you're trying to view the NAT rules.
If you're trying to create them, you need a single
iptables -t nat -A POSTROUTING -o <outer interface> ... -j MASQUERADE
[--to-ports <port>[-<port>]]
and at least one pair of
iptables -A FORWARD -o <outer interface> ... -j ACCEPT
iptables -A FORWARD -o <LAN interface> ... -j ACCEPT
This is for Source NAT
DNAT is an animal of a different flavor.
HTH,
Brian
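
The rule set described in the message above (a single MASQUERADE rule in the nat table's POSTROUTING chain plus a pair of FORWARD ACCEPT rules) can be checked against the output of `iptables-save`. The script below is an added example, not part of the original message; the function names `check_masq` and `sample_dump`, the interface names eth0/eth1 and the sample dump are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original message). Interface names eth0/eth1
# and the sample dump are constructed.

# check_masq WAN_IF LAN_IF: reads `iptables-save` output on stdin. Exit 0 when
# it holds a MASQUERADE rule in nat/POSTROUTING on WAN_IF plus FORWARD ACCEPT
# rules leaving via WAN_IF and via LAN_IF; otherwise report what is missing.
check_masq() {
    awk -v wan="$1" -v lan="$2" '
        /^\*/ { table = substr($1, 2); next }   # "*nat", "*filter", ...
        $1 != "-A" { next }                      # skip policies, COMMIT, comments
        {
            out = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-o" && $(i - 1) != "!") out = $(i + 1)  # ignore negated match
                if ($i == "-j") target = $(i + 1)
            }
        }
        table == "nat" && $2 == "POSTROUTING" && target == "MASQUERADE" && out == wan { masq = 1 }
        table == "filter" && $2 == "FORWARD" && target == "ACCEPT" {
            if (out == wan) fwd_wan = 1
            if (out == lan) fwd_lan = 1
        }
        END {
            if (!masq)    print "missing: nat POSTROUTING -o " wan " -j MASQUERADE"
            if (!fwd_wan) print "missing: FORWARD -o " wan " -j ACCEPT"
            if (!fwd_lan) print "missing: FORWARD -o " lan " -j ACCEPT"
            exit !(masq && fwd_wan && fwd_lan)
        }'
}

# Constructed dump: eth0 is the outer interface, eth1 the LAN.
sample_dump() {
cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

sample_dump | check_masq eth0 eth1 && echo "source NAT rule set complete"
```

On a live gateway the same check is run as `iptables-save | check_masq <outer interface> <LAN interface>`, which needs root to read the rule tables.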