22 July 2008

How the hell do I use SNAT on IPCOP?

Damn it... the SnatGUI is broken as per its new version, and can't be used on the latest version of IPCOP. I got these instructions and modified it as necessary but it's still not working!


* The first IP address on the firewall is x.x.x.226
* The second IP address on the firewall is x.x.x.227 and is the IP address configured with our ISP to do reverse DNS to our mail server.
* The mail server has an internal IP address of 192.168.x.254

First, I created a function in /etc/rc.d/rc.firewall.local called custom_nat

custom_nat() {

# Accept PING traffic (we needed this to allow our external site monitors to ping the mail server)

/sbin/iptables -A CUSTOMFORWARD -p icmp -d 192.168.x.254 -j ACCEPT

# Do source natting for the mail server. Change 192.168.x.254 to x.x.x.227

/sbin/iptables -t nat -A CUSTOMPOSTROUTING -s 192.168.x.254 -j SNAT —to-source x.x.x.227

# Do source natting for the rest of the network.
/sbin/iptables -t nat -A CUSTOMPOSTROUTING -s 192.168.x.0/24 -j SNAT —to-source x.x.x.226


Second, I added this call to start case in rc.firewall.local

case “$1” in
## add your ‘start’ rules here
#Added for zerina start - BEGIN
/usr/local/bin/openvpnctrl —create-chains-and-rules
#Added for zerina start - END