mokkan asked:
IP Masquerading on linux

I'm new to IP masquerading. I have 2 networks in my linux box and would like to take all the traffic from my eth1 and forward all of it to eth0; from eth0 I need to connect to a switch, and then to my other boxes. If I understand correctly, when I do IP masquerading, all of my private IPs will change to the eth1 IP address or the eth0 IP address?
mokkan (asker):
I read some of the info and I need to do masquerading on eth0 since it is the one connected to the public network. Am I right?
mokkan (asker):
Masquerading IP will be the public IP address?
ASKER CERTIFIED SOLUTION by mccracky (United States):
[Members-only solution text, not shown on this page.]
mokkan (asker):
Thank you for the info. What I'm doing is connecting the internet to the eth0 interface and the eth1 interface to the private network.

I checked the link you gave and I'm trying to get a clear understanding.

>>>  /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

The source address of packets leaving from eth0 will be changed because of the above command. If I'm wrong, correct me.

/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
Any packets that come in on eth0 will be forwarded to eth1, but only RELATED and ESTABLISHED ones; if there is a NEW packet, what will happen?

/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
Any packets coming in on eth1 will be forwarded to eth0.

If there is an external request from the private network, the packet will go through eth1 to eth0; once the connection is established, when the packet comes back, the eth0 interface will accept it since we put ESTABLISHED in the iptables command.

I'm trying to get a clear understanding...

Thanks in advance

SOLUTION:
[Members-only solution text, not shown on this page.]
mokkan (asker):
Thank you very much. I'm almost there. Also, I believe that before it transfers the packets, it stores the packet's source IP and then sends the packet. I believe it is storing it locally. Can we check that table?
mokkan (asker):
Also, if I want to test the box from eth1 to the private network, I need a crossover cable, right?
Hi,
Something that might help if iptables makes you sick :)
Install "shorewall" (there's a package for that). It's, let's say, an easier tool for writing iptables rules.

With shorewall, masquerading is as easy as writing "eth1    eth0" in the "/etc/shorewall/masq" configuration file.
This means: traffic from eth0 (my LAN) has masquerading enabled through eth1 (my public interface).

Then, some examples of simple rules in /etc/shorewall/rules:
ACCEPT      net       fw     tcp    25 # will allow incoming traffic from your interNET interface to your local FireWall
ACCEPT      loc        net   tcp 80,443 # allow your LAN to go to http[s] (however, a bit stupid, you might want to use a proxy; just an example)

On the web site (or in the documentation), you'll find pre-configured configuration files for 1-, 2- and 3-interface servers. "3" in your case: net, loc and the fw itself.

Bye bye iptables complex rules; shorewall will generate them for you.
This was a quick example. You can really write awesome things easily with shorewall.

I hope it'll help you.
mokkan (asker):
Thank you very much. I really wanted to do it on the command line, since at work we are not allowed to download any third-party RPMs. Now I understand most of it and I can play around with the rules. Also, I need to use a crossover cable from eth1 to the private box, right?
mokkan (asker):
Also, if the private linux box needs web access, then the following commands should work, right?

# DNS: query goes out on eth0 from an unprivileged source port, reply comes back in
iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

# HTTP: the request goes out to port 80; the server's reply comes back with
# source port 80, so the INPUT rule matches --sport 80, not --dport 80.
# (OUTPUT rules take -o, not -i, and HTTP is TCP, not UDP.)
iptables -A OUTPUT -p tcp -o eth0 --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

# Note: INPUT and OUTPUT only see traffic to and from the gateway itself;
# packets forwarded from eth1 on behalf of the private box go through FORWARD.
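A complete version of the gateway, as an added example that is not part of the thread and not mccracky's members-only solution. It keeps the thread's interface roles (eth0 public, eth1 private) and the three core rules quoted earlier, but goes further in the way a practitioner would: it turns on ip_forward (without it MASQUERADE does nothing), sets FORWARD to default-deny so a NEW packet arriving on eth0 falls through and is dropped, restricts MASQUERADE to the LAN prefix, and moves the DNS/HTTP(S) permissions from the post above into the FORWARD chain, where transit traffic from the private box is actually filtered. It also has a helper to display the conntrack table that the earlier question asks about. The LAN prefix 192.168.10.0/24 and the `run`, `rule_count`, `show_connections` and `main` helpers are assumptions of this example, not from the page. Run the script without arguments to print the rules (dry run), or as root with `--apply` to load them.

```shell
#!/bin/sh
# Added example, not from the thread: a two-interface masquerading gateway in
# plain iptables. eth0 = public side, eth1 = private LAN (as in the thread);
# the LAN prefix 192.168.10.0/24 is an assumption, change it to yours.
# No arguments: print the commands (dry run). "--apply" as root: load them.

WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.10.0/24}"
DRY_RUN="${DRY_RUN:-1}"

# run CMD...: execute the command, or print it when DRY_RUN=1 so the whole
# rule set can be reviewed before it touches a live firewall.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

gateway_rules() {
    # 1. Routing between interfaces must be on; MASQUERADE alone does nothing.
    #    (Put net.ipv4.ip_forward=1 in /etc/sysctl.conf to survive a reboot.)
    run sysctl -w net.ipv4.ip_forward=1

    # 2. Default-deny for transit traffic, then rebuild the chains this script owns.
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    run iptables -t nat -F POSTROUTING

    # 3. Source NAT: packets from the LAN prefix leaving via the public interface
    #    get their source rewritten to eth0's address. The -s match stops the
    #    box from masquerading traffic that did not come from the LAN.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE

    # 4. Public -> LAN: only replies to flows the LAN opened. A NEW packet
    #    arriving on eth0 matches nothing here and is dropped by the policy.
    run iptables -A FORWARD -i "$WAN" -o "$LAN" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # 5. LAN -> public: later packets of flows already allowed...
    run iptables -A FORWARD -i "$LAN" -o "$WAN" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    #    ...and the services the LAN may start: DNS and HTTP/HTTPS. The -s match
    #    also rejects spoofed sources on the private side.
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" \
        -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" \
        -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT

    # 6. Everything else that reaches the end of FORWARD is dropped by the
    #    policy; log a rate-limited sample so you can see what was refused.
    run iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP:"
}

# rule_count PATTERN: how many generated lines match PATTERN. Dry-run only;
# useful when reviewing the output (e.g. rule_count MASQUERADE).
rule_count() {
    gateway_rules | grep -c -- "$1"
}

# show_connections: the conntrack table, which records each masqueraded flow's
# original and reply tuples; that is how replies find their way back to the
# private host. Needs root; uses the conntrack tool if installed, else /proc.
show_connections() {
    if command -v conntrack >/dev/null 2>&1; then
        conntrack -L
    else
        cat /proc/net/nf_conntrack
    fi
}

main() {
    case "${1:-}" in
        --apply) DRY_RUN=0; gateway_rules ;;
        --show)  show_connections ;;
        *)       gateway_rules ;;
    esac
}

main "$@"
```

`-m conntrack --ctstate` is the current spelling of the `-m state --state` match used in the thread; iptables accepts both. Rule order matters: the state rules come first so established flows are accepted cheaply, the explicit NEW permissions follow, the logging rule is last, and the chain policy does the actual drop. Answering the open question above: with this layout a NEW packet that arrives on eth0 matches no ACCEPT rule, is logged (rate-limited) and is dropped.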
SOLUTION:
[Members-only solution text, not shown on this page.]
mokkan (asker):
This is for my personal use and testing purposes. I might be going to work on an iptables project, that's why I'm testing in my own hours. Sorry, "private box" means the one on the private network.
mokkan (asker):
Thanks a lot. I will try it, and if there are any questions I will let you know.