
I'm using the entire 10.0.0.0/8 subnet on the private side.

I want to allow a certain section of the subnet (say 10.0.0.2 - 10.0.31.254) to access the internet via the Linux router, but not the rest of the network (10.0.32.1 - 10.255.255.254).

I have tried `iptables -t nat -A POSTROUTING -s 10.0.0.0/19 -o eth0 -j MASQUERADE` (10.0.0.0/19 is 10.0.0.2 - 10.0.31.254), but with that none of the workstations can access the net.

I know the entire 10.0.0.0/8 is 16,777,214 IP addresses, but I have my reasons.

Thank you

BrierMay
  • Your problem description is not helpful for two reasons. First, you only show a portion of the `iptables` rule that didn't work. Second, you don't tell us exactly what went wrong when you tried it, just that it didn't work. – David Schwartz May 29 '13 at 07:16
  • Can you give us the full iptables rule(s) you are using? `iptables -t nat -A POSTROUTING -s 10.0.0.0/19` is incomplete. – Zoredache May 29 '13 at 07:16
  • The full rule was: `iptables -t nat -A POSTROUTING -s 10.0.0.0/19 -o eth0 -j MASQUERADE`. As for not working, all I can elaborate on is that the workstations could no longer access the internet. – BrierMay May 29 '13 at 07:24
  • Is eth0 the WAN-facing interface? – Michael Hampton May 29 '13 at 07:25
  • Yes, eth0 is WAN, eth1 is LAN. – BrierMay May 29 '13 at 07:26
  • I'm trying to figure out how to allow my workstations (currently 27 of them) to access the net through my backbone, but not clients who VPN in and are on the LAN (to access servers for maintenance etc.). – BrierMay May 29 '13 at 07:27

3 Answers


I figured it out via this question: How to allow a range of IP's with IPTABLES?

It's:

`iptables -t nat -A POSTROUTING -m iprange --src-range (start ip)-(end ip) -o eth0 -j MASQUERADE`

Example: `iptables -t nat -A POSTROUTING -m iprange --src-range 10.0.0.2-10.0.31.255 -o eth0 -j MASQUERADE`

BrierMay

Slightly different syntax on Ubuntu 22.04 that worked for me:

`sudo iptables -t nat -A POSTROUTING -s <network eg 192.168.0.0/16> -o <interface eg ens160> -j MASQUERADE`
snn1024a

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more.

  http://www.squid-cache.org/

You can write ACL in squid and allow/disallow on the basis of your requirement.

  • I am not against squid, but it isn't a NAT tool. If he needs to use applications that cannot operate via a HTTP/TCP proxy, then squid will not be the answer he needs. His question was about iptables, and what he wants should be trivial, but he hasn't provided enough information. – Zoredache May 29 '13 at 07:18
  • I need full NAT. – BrierMay May 29 '13 at 07:28
  • And I'm a she, not a he :) – BrierMay May 29 '13 at 07:29