Scott Forsyth's questions

I would like to remove some NAT POSTROUTING rules in an automated fashion based on the source or destination IP address.

I know the source and destination IP but I don't necessarily know which policies are already there.

For example, I may have this:

-A POSTROUTING -s 10.10.10.10/32 -p tcp -m tcp --dport 80 -j SNAT --to-source 1.2.3.4
-A POSTROUTING -s 10.10.10.10/32 -p tcp -m tcp --dport 443 -j SNAT --to-source 1.2.3.4
-A POSTROUTING -s 10.10.10.10/32 -j ACCEPT

or I may just have this:

-A POSTROUTING -s 10.10.10.10/32 -j SNAT --to-source 1.2.3.4

I want to unassign that NAT address from the old computer and assign it to a new computer. This is all automated so I can't manually look for it.

What's the best way to remove the old polices for just that IP? Could I use a list + grep command? I normally hang out in the Windows world so I'm not sure the best way to handle this here.

I want to set up some NAT policies so that certain machines will only have outbound access to http/https. They should not be able to do port scans or anything else from their machine.

Currently my NAT rules are:

-A PREROUTING -d 1.2.3.4 -j DNAT --to-destination 10.10.1.10
-A POSTROUTING -s 10.10.1.10 -j SNAT --to-source 1.2.3.4

And I have this shared rule:

-A POSTROUTING -o eth0 -j MASQUERADE

1.2.3.4 is a public IP, and 10.10.1.10 is an internal IP.

This allows all inbound and outbound access to NAT directly through.

I tried the following POSTROUTING rule instead of the one above:

-A POSTROUTING -s 10.10.1.10 -p tcp --dport 80 -j SNAT --to-source 1.2.3.4:80

However, that didn't seem to work. After adding that rule I could still use RDP from the workstation.

To recap, my goal is to allow certain workstations to only have http/https access to the Internet. All other outbound traffic should be blocked. All traffic should be allowed. I want all other workstations in the network to use the existing NAT policy to allow all outbound traffic to be NAT'ed.

Update Based on @Zoredache's reply, I now have the following Postrouting rules.

-A POSTROUTING -s 10.10.1.10/32 -p tcp -m tcp --dport 80 -j SNAT --to-source 1.2.3.4:80
-A POSTROUTING -s 10.10.1.10/32 -p tcp -m tcp --dport 443 -j SNAT --to-source 1.2.3.4:443
-A POSTROUTING -s 10.10.1.10/32 -p tcp -m tcp --dport 53 -j SNAT --to-source 1.2.3.4:53
-A POSTROUTING -s 10.10.1.10/32 -p tcp -m udp --dport 53 -j SNAT --to-source 1.2.3.4:53
-A POSTROUTING -s 10.10.1.10/32 -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE

They don't quite work yet but they are getting close. More in my reply to @Zoredache below.

I'm setting up a test lab situation where multiple computers will have the same IP addresses, so they need vlan separation. For example, a group of virtual machines will have IPs 192.168.1.200, 192.168.1.201, etc. And another group of virtual machines will also have the same IPs.

I want to provide NAT mappings to each of the virtual machines so that each of them can be publicly accessible. I'm using Ubuntu 11.04 with iptables.

Note: I'm normally a Windows admin, but Linux was the better solution here.

So basically I want the iptables NAT mapping to point to a specific interface and allow multiple duplicate IPs to co-exist.

Is this possible with a single Ubuntu device? I'm using virtual networking fabric so I don't have a physical network device in-between all of these.

Here's a diagram to represent it:

My NAT rules may be something like this:

iptables -t nat -I PREROUTING -d 72.73.74.75 -j DNAT --to-destination 192.168.1.200 -o eth1.5
iptables -t nat -I POSTROUTING -s 192.168.1.200 -j SNAT --to-source 72.73.74.75 -i eth1.5

It's the -i and -o that seem to only work with the public NIC so that's the part that I couldn't quite get working. For example, using -i in the POSTROUTING (SNAT) gives this error: Can't use -i with POSTROUTING. -o does the same with DNAT.

Any suggestions on which way to go to achieve this?

I'm using iptables on Ubuntu server to route a public IP to a private IP. I want to nat all traffic, including 80, 443 and ICMP.

However, it appears that ICMP isn't routing. I have a steady ping going to the public IP and it never stops, even with NAT pointing to a bogus IP.

Here are the rules that I'm using:

iptables -t nat -I PREROUTING -d 206.72.119.76 -j DNAT --to-destination 10.240.5.5  
iptables -t nat -I POSTROUTING  -s 10.240.5.5 -j SNAT --to-source 206.72.119.76

I tried with rules for ICMP specifically, but no such luck:

iptables -t nat -I PREROUTING -d 206.72.119.76 - icmp --icmp-type echo-request -j DNAT --to-destination 10.240.5.5

Any ideas?

I would like to set the IE security zone to Medium-high for all new users on a server.

This is a standalone machine and ultimately I'll need to script it. I don't mind making a registry change or updating the local security policy.

I've had some success updating HKCU

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel

but that only applies to the current user. I see that it's possible to set IE to only use HKLM for all users, but I would rather not change that. I want to allow it to continue to use HKCU.

Where is the default key that is used when creating a new user? Or, can I use Local Security Policy, something like: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\something?

I would like to have sysprep make a call out to a server somewhere (SCCM, MDT, etc) that provides an answer during bootup to get the computer name and IP address to use. Any pointers on which technology or method to use?

Further info: I want to be able to create a base golden image on a VHD and sysprep it so that it powers down. Then differencing disks will point to this sleeping sysprepped image. However, while booting up each new vm, I want a way to set the computer name and IP uniquely, preferably by MAC address.

I can mount the VHD and edit unattend.xml before powering on, but it appears that unattend.xml has already been run on the previous shutdown and isn't used on boot-up.

My failback plan is to have a script run after booting up that will rename it, set the IP and reboot. However, I would like to avoid that extra reboot if at all possible.