[K12OSN] NAT and connections through it.

Les Mikesell lesmikesell at gmail.com
Tue Feb 3 14:42:06 UTC 2009


Doug Simpson wrote:
> 
>>> I know how to turn nat on and off. . . my question is how to let them access a computer outside the NAT.
> 
>> What do you mean by 'outside the NAT'?  NAT should let machines on the 
>> inside subnet access anything the server itself can.
> 
> computers in the lab need to access a single computer outside the lab (outside the nat)

NAT (in this case) refers to rewriting the packet source address to 
appear to be from the outside interface of the server.  You should be able 
to reach anything the server itself can reach, and get reply packets 
from anything that can reach the server.

>>> Will read over what you sent again and see if I can make heads or tails out of it. . .
> 
>> I thought you wanted to limit the NAT to one destination.  Maybe you 
>> have some other problem.
> 
> This is what I want.

Then turning on NAT should allow this connection, and you can restrict 
it to this connection only by adding a -d ip_address to the iptables 
entry in the nat script.

> 
>>> Squid didn't do it. . . unless I didn't do it right. . .
>>>
>>> Doesn't squid only do web proxying?
> 
>> Squid handles http and ftp protocols - which is what most virus scanners 
>> would use to download updates.   Can the server itself access the 
>> address you want to reach?
> 
> The virus updater runs on a computer on the 10.40.x.x network, and I think either http or windows UNC paths will work, but I couldn't get the http to go using squid.
> 
> Yes the server itself can reach the destination. It is on the 10.40.x.x network. The computers in the lab are on a 192.168.100.x network.

Squid has a large configuration file that has to be set up properly to 
permit connections.  You can see if it is blocking access by looking in 
the logfile under /var/log/squid.  Normally you would have to explicitly 
set the proxy up on the clients, but it is also possible to intercept 
port 80 transparently and let squid handle it.


> On a side note, when I did get into it (now I can't and that is a different discussion) I was told to add a route and after I did that, it brought the rest of the Internet traffic to a screeching halt whenever NAT was running. As a result, I had to completely take the NAT server out of the equation until I can get that fixed, but I can't get back into the system-config-network with a GUI so I have the route add options. (do you know of a way to do that from a text console?)
> 
> I may just rebuild that server from scratch. . . it has been running fine until a few days ago when I started mucking with it to get those computers to see out. . .
> 
> But that is another day's project. . .  I would like to get it working anyway, though. . .

It should have already worked, with the only problem being that you can 
access the rest of the world as well - if that is a problem in this 
situation.

-- 
   Les Mikesell
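The "-d ip_address" restriction Les suggests, as an added example that is not part of the thread or of the K12LTSP nat script: it emits the plain masquerading rule set beside a version limited to one outside host. The lab subnet is the one from the thread; DEST_HOST and OUT_IF are placeholders for the real update server and the server's outside interface.

```shell
#!/bin/sh
# Added example (not from the K12OSN thread): masquerading NAT for the lab
# subnet, optionally restricted with -d so only one outside host is reachable.
LAB_NET="192.168.100.0/24"             # lab subnet named in the thread
DEST_HOST="${DEST_HOST:-10.40.0.10}"   # placeholder: the single outside host
OUT_IF="${OUT_IF:-eth0}"               # placeholder: server's outside interface

# Emit the rule set as iptables commands. "open" masquerades everything
# (what plain NAT does); "restricted" adds -d so the lab only reaches
# DEST_HOST, and the FORWARD chain drops any other lab traffic going out.
nat_rules() {
  case "$1" in
    open)
      echo "iptables -t nat -A POSTROUTING -s $LAB_NET -o $OUT_IF -j MASQUERADE"
      echo "iptables -A FORWARD -s $LAB_NET -o $OUT_IF -j ACCEPT"
      ;;
    restricted)
      echo "iptables -t nat -A POSTROUTING -s $LAB_NET -d $DEST_HOST -o $OUT_IF -j MASQUERADE"
      echo "iptables -A FORWARD -s $LAB_NET -d $DEST_HOST -o $OUT_IF -j ACCEPT"
      echo "iptables -A FORWARD -s $LAB_NET -o $OUT_IF -j DROP"
      ;;
    *) echo "usage: nat_rules open|restricted" >&2; return 1 ;;
  esac
  # Reply packets from the outside come back through conntrack; allow them,
  # then make sure the kernel forwards between the two interfaces at all.
  echo "iptables -A FORWARD -i $OUT_IF -d $LAB_NET -m state --state ESTABLISHED,RELATED -j ACCEPT"
  echo "sysctl -w net.ipv4.ip_forward=1"
}

# How many rules in a set are pinned to DEST_HOST (0 means the lab can
# reach anything the server can, as the thread describes).
dest_pinned_rule_count() {
  nat_rules "$1" | grep -c -- "-d $DEST_HOST"
}

# Only run the commands when explicitly asked (needs root); otherwise show them.
if [ "${APPLY:-0}" = "1" ]; then
  nat_rules restricted | sh -e
else
  nat_rules restricted
fi
```

Run with APPLY=1 as root to apply the restricted set; without it the script only prints the commands so they can be compared with the existing nat script.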
