...
Our net is 10.6.4.0/22; change this to whatever IPv4 scheme you use. Also change 45.32.69.220 in the SNAT line to the public IP address of the gateway.
If your "router" does not have a fixed public IP address, you may use MASQUERADE instead of SNAT: SNAT needs a fixed address to rewrite to, whereas MASQUERADE uses whatever address the outgoing interface currently has. See the appendix at the end of the article.
The /etc/sysconfig/iptables file depends on the iptables-services package on CentOS/Fedora:
...
Much more sophisticated configurations are possible. For example, you could allow specific kinds of inbound traffic such as ssh (22), http (80) or https (443) by inserting rules for those ports ahead of the stateful rule. Order matters because iptables walks a chain top to bottom and stops at the first terminating match, so an explicit ACCEPT has to come before any rule that would drop or reject the packet. If the service runs on an internal host rather than on the gateway, the packet also needs a DNAT rule in the nat table's PREROUTING chain to steer it there; if the service runs on the gateway itself, the rule belongs in INPUT, not FORWARD. Unfortunately, documentation on the Internet for ip6tables is significantly sparser than for IPv4 iptables.
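The script below is an added example and is not part of the original article or of any project's own configuration. It renders the complete SNAT ruleset described above as an iptables-restore file, with one DNAT plus one NEW-state FORWARD allow per published port, placed ahead of the stateful rule, and it checks that ordering before printing. The network 10.6.4.0/22 and the address 45.32.69.220 are the article's values; the interface names eth0 and zt0 and the internal hosts 10.6.4.10 and 10.6.4.20 are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: render /etc/sysconfig/iptables
# for an SNAT gateway with explicit inbound allows ahead of the stateful rule.
set -eu

LAN_NET=10.6.4.0/22      # internal network, as in the article
WAN_IP=45.32.69.220      # public address of the gateway, as in the article
WAN_IFACE=eth0           # assumed WAN interface name
ZT_IFACE=zt0             # assumed internal (ZT) interface name; yours will differ

# render_ruleset LAN_NET WAN_IP WAN_IFACE ZT_IFACE [PORT:INTERNAL_HOST ...]
# Each PORT:INTERNAL_HOST pair gets a DNAT in nat/PREROUTING (steering the
# packet to the internal host) and a matching NEW-state ACCEPT in filter/FORWARD.
render_ruleset() {
    lan_net=$1 wan_ip=$2 wan_iface=$3 zt_iface=$4
    shift 4
    printf '%s\n' '*nat'
    printf '%s\n' ':PREROUTING ACCEPT [0:0]' ':INPUT ACCEPT [0:0]' \
                  ':OUTPUT ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    for spec in "$@"; do
        port=${spec%%:*}; host=${spec#*:}
        printf '%s\n' "-A PREROUTING -i $wan_iface -p tcp --dport $port -j DNAT --to-destination $host:$port"
    done
    # Fixed public IP, so SNAT (MASQUERADE is for dynamically assigned addresses)
    printf '%s\n' "-A POSTROUTING -s $lan_net -o $wan_iface -j SNAT --to-source $wan_ip"
    printf '%s\n' 'COMMIT'
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT ACCEPT [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Anything from the inside may go out
    printf '%s\n' "-A FORWARD -i $zt_iface -o $wan_iface -j ACCEPT"
    # Explicit inbound allows first: iptables stops at the first terminating
    # match, so an ACCEPT placed after a DROP/REJECT would never fire. DNAT has
    # already run in PREROUTING, so the destination seen here is the internal host.
    for spec in "$@"; do
        port=${spec%%:*}; host=${spec#*:}
        printf '%s\n' "-A FORWARD -i $wan_iface -o $zt_iface -d $host -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Stateful rule: replies to connections the inside opened
    # (-m conntrack --ctstate is the current spelling of -m state --state)
    printf '%s\n' "-A FORWARD -i $wan_iface -o $zt_iface -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    printf '%s\n' 'COMMIT'
}

# check_order RULESET: succeed only if every NEW-state allow precedes the
# RELATED,ESTABLISHED rule (the ordering the article calls for).
check_order() {
    ruleset=$1
    stateful=$(printf '%s\n' "$ruleset" | grep -n 'ctstate RELATED,ESTABLISHED' | cut -d: -f1 | head -n 1)
    last_allow=$(printf '%s\n' "$ruleset" | grep -n 'ctstate NEW' | cut -d: -f1 | tail -n 1)
    [ -n "$stateful" ] && [ -n "$last_allow" ] && [ "$last_allow" -lt "$stateful" ]
}

# Usage: sh render-iptables.sh > /etc/sysconfig/iptables
#        iptables-restore --test < /etc/sysconfig/iptables   # parse only, then apply
RULESET=$(render_ruleset "$LAN_NET" "$WAN_IP" "$WAN_IFACE" "$ZT_IFACE" \
          22:10.6.4.10 80:10.6.4.20 443:10.6.4.20)
check_order "$RULESET" || { echo "rule ordering is wrong" >&2; exit 1; }
printf '%s\n' "$RULESET"
```

Run `iptables-restore --test` on the rendered file before committing it; it parses the ruleset without loading it, which catches a mistyped interface name or option before the gateway's forwarding is affected.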
Appendix
MASQUERADE
MASQUERADE lets you specify an interface instead of an address. From the man page:
This target is only valid in the nat table, in the POSTROUTING chain. It should only be used with dynamically assigned IP (dialup) connections: if you have a static IP address, you should use the SNAT target. Masquerading is equivalent to specifying a mapping to the IP address of the interface the packet is going out, but also has the effect that connections are forgotten when the interface goes down. This is the correct behavior when the next dialup is unlikely to have the same interface address (and hence any established connections are lost anyway).
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# No --to-source here: MASQUERADE uses whatever address eth0 (the WAN interface) currently has
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# iptables-restore does not expand shell variables: replace $ZT_IFACE and $WAN_IFACE
# with the real interface names, and $WAN_IFACE must be the same eth0 used in the MASQUERADE rule
-A FORWARD -i $ZT_IFACE -o $WAN_IFACE -j ACCEPT
-A FORWARD -i $WAN_IFACE -o $ZT_IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
...