IPTABLES Time Limits

karlp at ourldsfamily.com karlp at ourldsfamily.com
Sun Oct 3 18:18:52 UTC 2004


>> 2. what would the best method be of using NAT on the server. The Cisco
>> already does NAT, but the parts of it that translate to the 10.0.0.0
>> network now fails. All the services that are translated to the server
>> work fine. That's because it's on the same subnet as the Cisco
>> (172.20.20.0).
>>
>
> You didn't show us the topology of the network itself.  If you're on a
> cable modem, the WAN (cable) side is some IP from your ISP (generally
> DHCPd), the LAN side is 192.168.100.1 or something of that nature and
> the cable modem does NAT between the two sides (actually, most cable
> modems use 192.168.100.0/24 on the LAN side).

DSL with a Cisco 675, public IP 198.60.114.90, private IP 172.20.20.1
RH v8 server for email, web, ssh, etc. eth0 10.0.0.1, eth1 172.20.20.2

PCs on the network: 2x XP Pro, 1x RH v9, 1x win98se. IPs: Static (rh9) or
DHCP mapped by MAC. 10.0.0.2-10.0.0.98...

> If you're trying to subdivide the 10.24.0.0/16 (router LAN side) into
> yet another network (172.20.20.N) by using the Linux box as a
> router/NAT, then you have some figuring to do.

What figuring? It's working now, I just want to use iptables to forward
ports through the network to a specific PC.

> Personally, I wouldn't do it.  Unless you have some specific reasons to
> segment your network as you are, you're better off just having a
> monolithic LAN (10.24.0.0/16) on the LAN side of the router.  Use the
> router's firewall and NAT rules to do your dirty work.  You'll find it's
> easier to manage a single network segment rather than a bunch of them.
> Remember, this is coming from a guy who manages several /19 and /22
> network segments with VLANs and lots of other stuff (we have 8 Cisco
> GRX [12000-series] routers and who peer with Wiltel, Level 3 and several
> other tier-1 Internet providers).

I have a very specific reason to do this, which my initial question
indicated was limiting outbound access during nights and parts of the
weekend. It's a pretty important thing for me to be able to accomplish...
In an ideal situation, I'd be able to limit it by IP address, too.

I've made some attempts but get timeouts. At first, I got connection
refused...

Thanks,

Karl

> ----------------------------------------------------------------------
> - Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
> - VitalStream, Inc.                       http://www.vitalstream.com -
> -                                                                    -
> -                 IGNORE that man behind the keyboard!               -
> -                                                - The Wizard of OS  -
> ----------------------------------------------------------------------
>
>
> _______________________________________________
> Redhat-install-list mailing list
> Redhat-install-list at redhat.com
> https://www.redhat.com/mailman/listinfo/redhat-install-list
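The two things Karl asks for, forwarding a port through the Linux box to one PC and cutting off outbound access for chosen addresses at set hours, are both plain iptables work, so here is an added example rule set for the topology he describes (eth0 = 10.0.0.1 on the LAN, eth1 = 172.20.20.2 facing the Cisco 675 at 172.20.20.1). It is not code from the thread or from either poster. Assumptions: the LAN is 10.0.0.0/24 (the message only lists 10.0.0.2-10.0.0.98), the forwarded PC (10.0.0.50:80), the curfewed hosts and the hours are placeholders, and rather than adding a static route for 10.0.0.0/24 on the Cisco, the LAN is SNATed to 172.20.20.2 so the Cisco only ever sees its own subnet. The `time` match needed patch-o-matic on the 2.4 kernels of the time; in current kernels it is the stock `xt_time` module.

```shell
#!/bin/sh
# Added example for the topology in the thread (not from the original message).
# Placeholders: FWD_PC, FWD_PORT, CURFEW_HOSTS and the hours below.

IPT="${IPT:-iptables}"      # IPT="echo iptables" prints the rules instead of loading them
LAN_IF=eth0                 # 10.0.0.1 side (from the message)
LAN_NET=10.0.0.0/24         # assumed mask; the message only lists 10.0.0.2-10.0.0.98
WAN_IF=eth1                 # 172.20.20.2 side, facing the Cisco 675 at 172.20.20.1
WAN_IP=172.20.20.2
FWD_PC=10.0.0.50            # hypothetical PC that receives the forwarded port
FWD_PORT=80                 # hypothetical service port
CURFEW_HOSTS="10.0.0.20 10.0.0.21"   # hypothetical PCs subject to the time limit

# Port forward: DNAT what arrives on the DSL side to the PC, allow it through
# FORWARD, and SNAT everything leaving towards the Cisco to 172.20.20.2 so the
# Cisco never needs a route back to 10.0.0.0/24.
forward_rules() {
    printf '%s\n' "-t nat -A PREROUTING -i $WAN_IF -p tcp --dport $FWD_PORT -j DNAT --to-destination $FWD_PC:$FWD_PORT"
    printf '%s\n' "-A FORWARD -i $WAN_IF -o $LAN_IF -d $FWD_PC -p tcp --dport $FWD_PORT -m conntrack --ctstate NEW -j ACCEPT"
    printf '%s\n' "-t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP"
}

# Time limits, per source address: 22:00-06:00 every day plus Saturday and
# Sunday afternoons (placeholder hours). --kerneltz evaluates the times in the
# kernel's local time zone; without it the match works in UTC. REJECT makes
# the client fail at once instead of hanging until it times out.
curfew_rules() {
    for h in $CURFEW_HOSTS; do
        printf '%s\n' "-A FORWARD -i $LAN_IF -s $h -o $WAN_IF -m time --timestart 22:00 --timestop 06:00 --kerneltz -j REJECT"
        printf '%s\n' "-A FORWARD -i $LAN_IF -s $h -o $WAN_IF -m time --weekdays Sat,Sun --timestart 12:00 --timestop 18:00 --kerneltz -j REJECT"
    done
}

# Base policy. The curfew sits before the ESTABLISHED rule so sessions opened
# before the cut-off are dropped too, and before the general LAN->WAN accept,
# or it would never be consulted.
base_rules() {
    printf '%s\n' "-P FORWARD DROP"
    curfew_rules
    printf '%s\n' "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "-A FORWARD -i $LAN_IF -s $LAN_NET -o $WAN_IF -j ACCEPT"
}

# Number of time-matched rules; compare with
# `iptables -S FORWARD | grep -c 'm time'` after loading as a sanity check.
curfew_rule_count() {
    curfew_rules | wc -l | tr -d ' '
}

apply_rules() {
    if [ "$IPT" = iptables ]; then
        sysctl -w net.ipv4.ip_forward=1    # the box must route, not just filter
    fi
    $IPT -F FORWARD
    $IPT -t nat -F
    { base_rules; forward_rules; } | while read -r args; do
        # shellcheck disable=SC2086  # word splitting of $args is intended
        $IPT $args
    done
}

# Dry run:  IPT="echo iptables" sh -c '. ./lan-rules.sh; apply_rules'
# Load:     sh -c '. ./lan-rules.sh; apply_rules'   (as root)
```

When chasing the failures Karl mentions, the symptom tells you which half is wrong: a `REJECT` or a closed port on the target shows up as "connection refused", while a `DROP`, or a reply that never finds its way back because the Cisco has no route to 10.0.0.0/24, shows up as a timeout. The SNAT rule above removes the second case; `conntrack -L` (or `/proc/net/ip_conntrack` on a kernel that old) shows whether the DNATed connection is being tracked at all.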