Page Comparison

The Masquerade property allows devices on one interface to appear as if they existed on a different interface. This is often used, for instance, where devices on a local Ethernet interface need to make outbound IP connections using a public cellular/PPP interface. The local interface is "masqueraded" to the public network side of the interface. 

Enter one or more rows in the Masquerade table to use this feature:

Output Interface – Select the Linux network interface name, which is the network on which devices should be made to appear. 

Source Network – Enter the IP address range of addresses on one of the other network interfaces which should be allowed to masquerade on the other interface. IP address range should be entered in a format of "IP_network/mask_bits", such as: "192.168.1.0/24". 

Following are examples of a Masquerade command. In these examples, devices on the 192.168.1.x network are masquerated to the 'eth2' interface, and addresses 172.1.1.5-6 appear on the 'ppp0' interface:

iptables -t nat -A POSTROUTING -o eth2 --source 192.168.1.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -o ppp0 --source 172.1.1.5/30 -j MASQUERADE

When using masquerading, the following rule is added by default to enable packet forwarding between interfaces:

echo 1 > /proc/sys/net/ipv4/ip_forward 

The Forwarding by Interface option allows all packets to be freely forwarded between two Linux interfaces, which are selected from a drop-down list. There should always be two rows defined, which will forward packets in both directions. Some examples of 'iptables' commands generated by this option are:

iptables -A FORWARD -o eth0 -i ppp0
iptables -A FORWARD -o ppp0 -i eth0 

The DNAT Pre-routing option allows IP packets to be modified as they arrive at an input interface. By checking the packet's "destination port", the packet can be modified by being assigned a new TCP/IP destination address and port number.

Enter one or more rows in the DNAT Pre-routing table:

Interface Name – Select the Linux interface name on which the IP packets will be arriving. 

Protocol – Select the protocol of packets to be routed (TCP, UDP, or ICMP).

Dest Port – Enter the numeric IP port number of the incoming packets to be listening for.

New IP AndOr Port – Enter the new IP address and optional port number. This should be entered as "IP_address:port", such as "10.10.10.2:161" (this field is limited to 20 characters). Some examples of 'iptables' commands generated by this option are:

iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 8080 -j DNAT --to-destination 10.10.10.2:80

The SNAT Post-Routing option allows IP packets to be modified before they leave an output interface. By checking the packet's source address and destination port, the packet can then be modified by assigning a new TCP/IP source address and destination port number. 

Enter one or more rows in the SNAT Post-routing table:

Interface Name – Select the Linux interface name on which the IP packets will be arriving. 

Protocol – Select the protocol of packets to be routed (TCP, UDP, or ICMP). 

Source IP – Enter the IP address of the outgoing packets to be modified. 

Dest Port – Enter the numeric destination IP port number of the incoming packets to be modified. Use only a colon instead of a number to exclude the port setting from the 'iptables' command. 

New IP AndOr Port – Enter the new IP address and port number. This should be entered as "IP_address:port", such as "10.10.10.2:161" (this field is limited to 20 characters). Some examples of 'iptables' commands generated by this option are:

iptables -t nat -A POSTROUTING -o ppp0 -p udp -s 10.10.10.2 --dport 161 -j SNAT --to-source 192.168.55.22:1661 

This property allows for any other INPUT packets that were not caught in previous 'iptables' rules on a given interface to be dropped. Select the Interface Name to drop packets. An example of this rule is:

iptables -A INPUT -i ppp0 -j DROP 

Finally, the Custom IPTABLES option allows you to configure any other 'iptables' commands that the previous Firewall object properties didn't support. The 'iptables' utility has many options and variations that might be needed for certain networking situations. These custom rules are added to the firewall.sh script verbatim, with one qualifier:

The free format table entry only allows a maximum of 80 characters per line. If the command requires more than 80 characters, use a tilde (~
use a backslash (\) character at the end of a line to indicate that the next line contains a continuation of the command. The tilde character in the script to perform the continuation. (A tilde character ~ can also be used, which will be converted to a backslash (\) character in the script to perform the continuation. .) Here are two recommended examples of custom entries allowing incoming and outgoing 'ping' traffic:

iptables -A INPUT -p icmp -m state --state ~\
NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp -m state --state ~\
NEW,ESTABLISHED,RELATED -j ACCEPT

See RediGate Firewall Configuration for additional security options when configuring the firewall.