Gentoo Forums
I'm confused... (IPTables, nat'ing, saving rules, etc)
nasaiya
Apprentice
Joined: 17 May 2007
Posts: 152

PostPosted: Fri Jan 14, 2011 10:07 pm    Post subject: I'm confused... (IPTables, nat'ing, saving rules, etc)

So I have a gentoo box that I'm using as a router/firewall for my lan. I have one NIC for wan which unfortunately gets its IP from dhcp, and a couple lan subnets on separate NICs. After some reading, it's come to my attention that the way I'm adding my rules to iptables (a shell script that runs at boot right after all the eth's start) is bad because packets could be processed by an incomplete firewall amongst other issues...

Ideally I'd like to just have my script add the rules once, run "/etc/init.d/iptables save" and let the iptables init script handle loading it...

My problem is the way some of my rules are written I need to know the IP of eth0 (WAN).
eg.
Code:
$IPTABLES -t nat -A POSTROUTING -o $WANIF -j SNAT --to-source $WANIP

Since the ip of my $WANIF comes from dhcp I can't figure out how this could be done.

Since there doesn't appear to be an "--to-source {whatever the IP is at the moment}" option I don't know what to do.

Am I missing something obvious here?

The only idea I've come up with so far is let the init script save all the other rules and put ip based rules like these in a separate script that runs after the NICs are up but that seems a little hackish to me...

There's gotta be a better way -- please enlighten me :)
_________________
If it ain't broke - fix it till it is!
Hu
Moderator
Joined: 06 Mar 2007
Posts: 15985

PostPosted: Fri Jan 14, 2011 11:02 pm    Post subject:

You should use MASQUERADE rather than SNAT if your external IP address is dynamically configured. This handles the address lookup for you. You may still have to resort to unclean tricks if you use the WAN IP anywhere else.
nasaiya
Apprentice
Joined: 17 May 2007
Posts: 152

PostPosted: Fri Jan 14, 2011 11:52 pm    Post subject:

Thanks! That was exactly what I was looking for!
_________________
If it ain't broke - fix it till it is!
eulogious
n00b
Joined: 18 Feb 2008
Posts: 35

PostPosted: Mon Jan 17, 2011 6:43 am    Post subject:

This is the command I use to get my IP on my external network card:

Code:
`/sbin/ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`


I then use this in a script to start and stop my firewall, then I have another script that checks my ip every min, and if it changes, it restarts my firewall, which then updates with the new ip address as well and everything starts working again.

I then have no-ip set up to register my domain name for free, and they have a linux client that updates my ip to them for me automatically, so I have that set up to check every 5 min, so that combined with my other scripts means that if Comcast changes my IP on me, within 5 min max, I will be back on the web, including my domain name and all. This combo has worked great for years, through several IP changes. Hope it helps :D
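Added example, not code from any of the posters above: a POSIX sh script that puts Hu's MASQUERADE suggestion next to the SNAT rule from the first post, and reads the WAN address from `ip -4 -o addr show` output (the newer replacement for the ifconfig pipeline in the last post). The interface name, the sample `ip` output and the function names are constructed for illustration; the functions only return rule strings, nothing is loaded into the kernel.

```shell
#!/bin/sh
# Added example (not from the thread). Builds the POSTROUTING NAT rule for a WAN
# interface whose address comes from DHCP. MASQUERADE needs no address at all,
# so it can be saved once with the init script; SNAT must be rebuilt whenever
# the lease changes, which is why the first post needed the address at all.

# Extract the first global IPv4 address from the one-line output of
# `ip -4 -o addr show dev <if>` (passed in as text so it can be checked offline).
wan_ip_from_ip_output() {
    # Fields: "2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global dynamic eth0"
    printf '%s\n' "$1" |
        awk '$3 == "inet" && /scope global/ { split($4, a, "/"); print a[1]; exit }'
}

# Rule that survives an address change: the kernel picks the outgoing
# interface's current address per packet, so no re-run after a DHCP renew.
masquerade_rule() {
    printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$1"
}

# SNAT form of the same rule; correct only while the address stays the same.
# Refuses to emit a rule with an empty address (that would load as a broken rule).
snat_rule() {
    [ -n "$2" ] || { echo "snat_rule: no address known for $1" >&2; return 1; }
    printf 'iptables -t nat -A POSTROUTING -o %s -j SNAT --to-source %s\n' "$1" "$2"
}

# Constructed sample output of `ip -4 -o addr show dev eth0` on a DHCP WAN link.
SAMPLE_IP_OUTPUT='2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global dynamic eth0\       valid_lft 86339sec preferred_lft 86339sec'

WANIF=eth0   # placeholder WAN interface name
WANIP=$(wan_ip_from_ip_output "$SAMPLE_IP_OUTPUT")

echo "# Dynamic WAN address: prefer this rule, it can be saved and forgotten"
masquerade_rule "$WANIF"
echo "# Static WAN address only: SNAT with the address currently on $WANIF ($WANIP)"
snat_rule "$WANIF" "$WANIP"
```

On a live box replace the constructed sample with `ip -4 -o addr show dev "$WANIF"` and pipe the chosen rule into the shell (or `iptables-restore`) as root.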