* Multiple source question
From: Benny Butler @ 2002-06-19 13:31 UTC (permalink / raw)
To: netfilter
Ok, after much hacking together the rule below I finally get the machine
at 192.168.2.70 to access 10.46.210.5. Great, but if I run the same
rule on any more internal IP addresses, still only 2.70 works. I'm
pretty sure after reading the docs that my problem is because my rule is
being matched and it's not allowing anything after the first. I got
desperate and tried -A PREROUTING and -A FORWARD and -j ACCEPT, none of
which helped (usually made it worse.)
I also tried multiple source addresses in one rule, but either that's
not acceptable or it's not , or ; delimited.
And you may ask why sudo, it's cause this whole thing runs out of a php
script as the apache user.
Does anyone have any tips for this?
Thanks
sudo /sbin/iptables -t nat -A POSTROUTING -o eth0 -s 192.168.2.70 -d 10.46.210.5 -p tcp --dport 80 -j MASQUERADE
[root@localhost html]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE tcp -- 192.168.2.70 10.46.210.5 tcp
dpt:http
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@localhost html]#
_______________________
Benny Butler
334-340-8345
http://www.nexusitg.com
* Re: Multiple source question
From: Antony Stone @ 2002-06-19 13:41 UTC (permalink / raw)
To: netfilter
On Wednesday 19 June 2002 2:31 pm, Benny Butler wrote:
> Ok, after much hacking together the rule below I finally get the machine
> at 192.168.2.70 to access 10.46.210.5. Great, but if I run the same
> rule on any more internal IP addresses, still only 2.70 works.
>
> sudo /sbin/iptables -t nat -A POSTROUTING -o eth0 -s 192.168.2.70 -d /
> 10.46.210.5 -p tcp --dport 80 -j MASQUERADE
1. Why do you need to use Source NAT at all in order to access the machine on
10.46.210.5 ? What is there in the routing tables which prevents
192.168.2.70 from accessing 10.46.210.5 and the replies going back again
without any NAT involved ?
2. I think you should be using -j SNAT --to a.b.c.d instead of -j MASQUERADE.
You must surely have a fixed address on eth0 (ie it's not DHCP) therefore
SNAT is the way to do it - it's much clearer what the rule is doing, and it's
(marginally) more efficient in operation.
3. Maybe I've missed something earlier that you've posted (?) but please can
you explain your network setup what you're trying to do / what doesn't work ?
Antony.
* RE: Multiple source question
From: Benny Butler @ 2002-06-19 14:01 UTC (permalink / raw)
To: netfilter
Ok, lemme explain the setup a bit.
This machine sits between a doctor's office's network and the hospital's
network. Eth1 (192.168.2.2) is static on the doctor's side, and eth0
(10.46.1.254 I believe) is on the hospital's side. We've told the local
router that anything trying to get to the hospital should go through the
linux box, and not use its default gw. We've also added a route to the
linux box so it can get to 10.46.210.5.
Now, the rules. The hospital will only let the users access this web
based X-ray viewing system across the network if they can control how
many IPs come from each office, because they bought so many licenses
from GE and only allow so many connects from each office. That's where
my box comes in. By default the firewall denies access to each doctor's
office computer. To get access they go to the webpage on 192.168.2.2;
this php looks at their IP address and compares it to a list of IPs in
a mysql dbase. If they are in it, it just lets them through. If they
aren't in it, it looks to see how many spaces are left. If there's a
space left it adds them to the database, then runs the rule below to
allow their IP address to get through. Like I said, it only allows the
first person to get through, no one else. (btw, if anyone wants the php
I'll share it, it's nothing impressive)
That should answer #1 and #3
#2 sounds great. I missed that before because I copied a rule off of my
home firewall which is a dhcp slave to comcast. Do you think that will
fix the problem or just make the system run better?
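The per-client grant Benny describes above, written out as an added example (this is not Benny's php or anything posted in the thread). It keeps one SNAT rule per licensed source, as Antony suggests, grouped in a dedicated nat chain so the rules can be listed and flushed independently of the rest of POSTROUTING, and it validates the address before handing it to a privileged command, since the php runs iptables via sudo as the apache user. Assumed values: the eth0 address 10.46.1.254 (Benny's "I believe"), the server 10.46.210.5, port 80, and the chain name LICENSED_NAT; with DRY_RUN=1 (the default) it only prints the commands.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed addresses below.
EXT_ADDR=10.46.1.254        # static hospital-side address: SNAT, not MASQUERADE
SERVER=10.46.210.5          # X-ray web server
CHAIN=LICENSED_NAT          # hypothetical chain name for the per-client rules
IPTABLES=${IPTABLES:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}       # 1 = print the commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Accept only a dotted quad with octets 0-255. Anything else is refused
# before it can reach sudo iptables (the php passes the client's address).
validate_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# The exact rule one licensed client gets. iptables takes a single -s per
# rule (no comma or semicolon lists), so every client needs its own rule.
nat_rule_for() {
    printf '%s -t nat -A %s -s %s -d %s -p tcp --dport 80 -j SNAT --to-source %s\n' \
        "$IPTABLES" "$CHAIN" "$1" "$SERVER" "$EXT_ADDR"
}

# One-time setup: create the chain and send traffic for the server to it.
setup_chain() {
    run "$IPTABLES" -t nat -N "$CHAIN"
    run "$IPTABLES" -t nat -A POSTROUTING -o eth0 -d "$SERVER" -j "$CHAIN"
}

# Grant one client; returns 1 and touches nothing if the address is bad.
grant_client() {
    validate_ipv4 "$1" || return 1
    run $(nat_rule_for "$1")    # word-splitting the command line is intended
}

# Stand-alone run: show what the php would execute for two clients.
setup_chain
grant_client 192.168.2.70
grant_client 192.168.2.71
```

To see whether a client's rule is matching, list the chain with counters (`iptables -t nat -L LICENSED_NAT -n -v`) rather than the plain `iptables -t nat -L` in the first message; a rule with zero packets for a client that cannot connect points at routing or the FORWARD chain rather than at NAT.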
* Re: Multiple source question
From: Antony Stone @ 2002-06-19 14:14 UTC (permalink / raw)
To: netfilter
On Wednesday 19 June 2002 3:01 pm, Benny Butler wrote:
> Ok, lemme explain the setup a bit.
>
> This machine sits between a doctors office's network and the hospital's
> network. Eth1 (192.168.2.2) is static on the doctor's side, and eth0
> (10.46.1.254 I believe) is on the hospital's side. We've told the local
> router
What do you mean by "local" ? Which network are you talking about here -
192.168.... or 10.46..... ?
> that anything trying to get to the hospital should go through the
> linux box, and not use its default gw. We've also added a route to the
> linux box so it can get to 10.46.210.5.
What are the default routes on the client and server systems - ie the two
endpoints which are communicating with each other (192.168.2.70 and
10.46.210.5) ? Do they know how to contact each other's networks via the
Linux machine ?
> That should answer #1 and #3
Okay, I understand the php setup etc, and I don't see any problem with that.
However, I still don't quite understand what is the answer to my question #1
- why do you need to do Source NAT at all in order to get these machines
talking to each other ? Maybe it's the same as the answer to my new
questions above....
> #2 sounds great. I missed that before because I copied a rule off of my
> home firewall which is a dhcp slave to comcast. Do you think that will
> fix the problem or just make the system run better?
It won't fix the problem (although I don't quite understand why the problem
exists - if you can get it to work with one machine, why can't it work with
several of them?), but it will make the ruleset clearer and will be a bit more
efficient in operation (because each packet which gets Source NATted simply
gets a static value substituted, instead of having to look up the address of
the interface first every time).
Tell us the routing tables on machine 192.168.2.70, the linux box we're
talking about, and machine 10.46.210.5. Also show me the extra rule you
added for another machine in addition to 192.168.2.70 so I can see what
didn't work.
Antony.