[TriLUG] IPTables - disable NAT for a specific source/destination

Aaron Joyner via TriLUG trilug at trilug.org
Wed Jun 6 11:05:11 EDT 2018


There's a simple answer to your question, but read on, because there is
another problem you are likely to stumble on.  Packets traverse an
iptables chain until they hit a terminating action, typically one of
ACCEPT, DROP, or RETURN.  You can use this behavior to stop processing of
the NAT table's POSTROUTING chain before it encounters the target which
would apply the MASQUERADE behavior, only for that host.  Sight unseen, you
can probably insert a rule in position 1 to achieve that effect:

$ SRCIP=192.168.100.42  # The IP in 192.168.100.0/24 that should not be translated
$ iptables -t nat -I POSTROUTING 1 -s $SRCIP -j RETURN  # POSTROUTING lives in the nat table

Assuming you want $SRCIP to also be able to reach the internet through this
NAT gateway, you likely also want to add "-d 172.16.100.0/24" to that
command, so that it doesn't NAT only when talking to hosts in that subnet.

This will get your packet from $SRCIP to the hosts in the 172.16.100.0/24
subnet... but it's unlikely they know how to route back to $SRCIP.  You'll
also need a route on hosts in the 172.16.100.0/24 subnet to direct their
traffic to 192.168.100.0/24 (including response packets) to the gateway
IP.  Assuming the gateway's IP is 172.16.100.1, that would look like this:

$ ip route add 192.168.100.0/24 via 172.16.100.1

Aaron S. Joyner
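To make the ordering point concrete, here is an added example (not from the thread) that models the gateway's nat POSTROUTING chain as a first-terminating-match walk. The addresses, the exempt host 192.168.100.42 and the outside interface address 172.16.100.10 are taken from the thread; the Rule class, the chain lists and the helper are constructed for illustration and do not call iptables.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of one nat POSTROUTING rule: "-s CIDR -d CIDR -j TARGET".
@dataclass
class Rule:
    target: str                # "RETURN" or "MASQUERADE"
    src: Optional[str] = None  # -s match, None means any source
    dst: Optional[str] = None  # -d match, None means any destination

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        s_ok = self.src is None or ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
        d_ok = self.dst is None or ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
        return s_ok and d_ok

def postrouting(chain: List[Rule], src_ip: str, dst_ip: str,
                out_if_ip: str = "172.16.100.10") -> str:
    """Walk the chain in order; return the source address the packet leaves with."""
    for rule in chain:
        if not rule.matches(src_ip, dst_ip):
            continue
        if rule.target == "RETURN":
            return src_ip        # chain terminates, built-in policy ACCEPT: no translation
        if rule.target == "MASQUERADE":
            return out_if_ip     # rewritten to the outgoing interface address
    return src_ip                # fell off the end of the chain: no translation

NO_NAT_SRC = "192.168.100.42"
masq = Rule("MASQUERADE", src="192.168.100.0/24")
# The exemption with the "-d 172.16.100.0/24" restriction suggested above.
exempt = Rule("RETURN", src=NO_NAT_SRC, dst="172.16.100.0/24")

# "iptables -t nat -I POSTROUTING 1 ...": exemption sits ahead of MASQUERADE.
correct_chain = [exempt, masq]
# "iptables -t nat -A POSTROUTING ...": appended after MASQUERADE, it can never fire.
wrong_chain = [masq, exempt]

if __name__ == "__main__":
    for chain_name, chain in (("insert at 1", correct_chain), ("append", wrong_chain)):
        for dst in ("172.16.100.5", "203.0.113.9"):
            print(chain_name, NO_NAT_SRC, "->", dst, "leaves as", postrouting(chain, NO_NAT_SRC, dst))
```

With the rule inserted at position 1 the exempt host keeps its address toward 172.16.100.0/24 but is still masqueraded toward everything else; with the rule appended instead, the MASQUERADE rule wins every time.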

On Wed, Jun 6, 2018 at 9:14 AM, Brian Henning via TriLUG <trilug at trilug.org>
wrote:

> I think there may be some confusion of terms going on here.
>
> A "firewall" decides what packets to allow through or not.
> A "router" handles modifying envelope data to get packets along to the
> next hop.
>
> NAT is a routing function.  iptables does both firewalling and routing.
>
> Perhaps Huan is guessing your intent correctly (a DMZ), but that's not
> what I'm getting from your description.
>
> Can you describe the intent some more, perhaps give an example situation
> where NAT is not what you want?
>
> Cheers,
> -Brian
>
>
> -----Original Message-----
> From: TriLUG [mailto:trilug-bounces+bhenning=pineresearch.com at trilug.org]
> On Behalf Of Ron Kelley via TriLUG
> Sent: Wednesday, June 06, 2018 8:24 AM
> To: Triangle Linux Users Group General Discussion <trilug at trilug.org>
> Subject: [TriLUG] IPTables - disable NAT for a specific source/destination
>
> Greetings all,
>
> I have a test bed running using IPTables on a RHEL 7 server (a “firewall”
> machine).  This machine provides NAT services for an inside network to an
> outside network.  For my test, the outside network has the IP space of
> 172.16.100.0/24, and the inside network has the IP space of
> 192.168.100.0/24.  The firewall has two IP Addresses:  172.16.100.10
> (outside) and 192.168.100.1 (inside).
>
> As you might expect, all VMs on the inside network go through the
> firewall, and their source IP gets NAT’d to the 172.16.100.10 IP.  All
> working well.
>
> However, I have a unique requirement for one of the inside VMs to go
> through the firewall w/out a NAT address.  Essentially, this particular
> machine needs a “no nat” statement in the IPTables rules.  In this case,
> the firewall is simply a router.
>
> I have searched google for any sort of “no nat” example but can’t find
> it.  Does anyone have a sample they can share?
>
>
> Thanks,
>
> -Ron
> --
> This message was sent to: Brian <bhenning at pineresearch.com> To
> unsubscribe, send a blank message to trilug-leave at trilug.org from that
> address.
> TriLUG mailing list : https://www.trilug.org/mailman/listinfo/trilug
> Unsubscribe or edit options on the web  : https://www.trilug.org/
> mailman/options/trilug/bhenning%40pineresearch.com
> Welcome to TriLUG: https://trilug.org/welcome

