From: "Benny Butler" <benny.butler@nexusitg.com>
To: netfilter@lists.samba.org
Subject: RE: Multiple source question
Date: Wed, 19 Jun 2002 09:01:53 -0500
Message-ID: <000e01c21799$ddca6820$0205a8c0@maxima>
In-Reply-To: <200206191342.g5JDg1U30168@vulcan.rissington.net>
Ok, lemme explain the setup a bit.

This machine sits between a doctor's office's network and the hospital's network. Eth1 (192.168.2.2) is static on the doctor's side, and eth0 (10.46.1.254 I believe) is on the hospital's side. We've told the local router that anything trying to get to the hospital should go through the Linux box, and not use its default gw. We've also added a route to the Linux box so it can get to 10.46.210.5.

Now, the rules. The hospital will only let the users access this web-based X-ray viewing system across the network if they can control how many IPs come from each office, because they bought so many licenses from GE and only allow so many connects from each office. That's where my box comes in. By default the firewall denies access to each doctor's-office computer. To get access they go to the webpage on 192.168.2.2; this PHP looks at their IP address and compares it to a list of IPs in a MySQL database. If they are in it, it just lets them through. If they aren't in it, it looks to see how many spaces are left. If there's a space left it adds them to the database, then runs the rule below to allow their IP address to get through. Like I said, it only allows the first person to get through, no one else (btw, if anyone wants the PHP I'll share it, it's nothing impressive).

That should answer #1 and #3.

#2 sounds great. I missed that before because I copied a rule off of my home firewall, which is a DHCP slave to Comcast. Do you think that will fix the problem or just make the system run better?
-----Original Message-----
From: netfilter-admin@lists.samba.org
[mailto:netfilter-admin@lists.samba.org] On Behalf Of Antony Stone
Sent: Wednesday, June 19, 2002 8:42 AM
To: netfilter@lists.samba.org
Subject: Re: Multiple source question
On Wednesday 19 June 2002 2:31 pm, Benny Butler wrote:
> Ok, after much hacking together the rule below I finally get the machine
> at 192.168.2.70 to access 10.46.210.5. Great, but if I run the same
> rule on any more internal IP addresses, still only 2.70 works.
>
> sudo /sbin/iptables -t nat -A POSTROUTING -o eth0 -s 192.168.2.70 -d 10.46.210.5 -p tcp --dport 80 -j MASQUERADE
1. Why do you need to use Source NAT at all in order to access the machine on 10.46.210.5? What is there in the routing tables which prevents 192.168.2.70 from accessing 10.46.210.5 and the replies going back again without any NAT involved?

2. I think you should be using -j SNAT --to a.b.c.d instead of -j MASQUERADE. You must surely have a fixed address on eth0 (i.e. it's not DHCP), therefore SNAT is the way to do it - it's much clearer what the rule is doing, and it's (marginally) more efficient in operation.

3. Maybe I've missed something earlier that you've posted (?) but please can you explain your network setup / what you're trying to do / what doesn't work?
Antony.
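The seat-gating design Benny describes (check the client's IP against a list, hand out a seat if one is free, then open the firewall for that IP) and Antony's point #2 (SNAT with the fixed eth0 address instead of MASQUERADE) can be put together in one script. The following is an added example for this page, not Benny's PHP or the rules from the thread. It assumes a flat file in place of the MySQL table, a made-up MAX_SEATS licence count, eth1 as the office side and eth0 as the hospital side as Benny states, and 10.46.1.254 (his "I believe" address) as the SNAT source; with DRY_RUN=1, the default, it prints the iptables commands instead of running them so it can be tried without root.

```shell
#!/bin/sh
# Seat gate for one doctor's office, added here as an example; not the
# PHP or the iptables rules posted in the thread. Assumptions (not from
# the page): a flat file stands in for the MySQL table, MAX_SEATS is a
# constructed licence count, eth1 is the office side, eth0 the hospital
# side, and 10.46.1.254 is the fixed hospital-side address used for SNAT.
# DRY_RUN=1 prints the iptables commands instead of running them.

SEATS_FILE="${SEATS_FILE:-./seats.txt}"
MAX_SEATS="${MAX_SEATS:-5}"
IN_IF="${IN_IF:-eth1}"
OUT_IF="${OUT_IF:-eth0}"
SNAT_ADDR="${SNAT_ADDR:-10.46.1.254}"
XRAY_HOST="${XRAY_HOST:-10.46.210.5}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Per-client rules. A nat/POSTROUTING rule on its own does not pass a
# packet through a FORWARD chain that denies by default, so the client
# also gets explicit FORWARD accepts for both directions. SNAT to the
# fixed hospital-side address replaces MASQUERADE, as Antony suggests.
add_rules() {
    ip="$1"
    run iptables -A FORWARD -i "$IN_IF" -o "$OUT_IF" -s "$ip" -d "$XRAY_HOST" \
        -p tcp --dport 80 -j ACCEPT
    run iptables -A FORWARD -i "$OUT_IF" -o "$IN_IF" -s "$XRAY_HOST" -d "$ip" \
        -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$OUT_IF" -s "$ip" -d "$XRAY_HOST" \
        -p tcp --dport 80 -j SNAT --to-source "$SNAT_ADDR"
}

# Prints one of: already (IP holds a seat), granted (seat just taken),
# full (every seat in use). Returns 1 only for "full".
grant_seat() {
    ip="$1"
    touch "$SEATS_FILE"
    if grep -qx "$ip" "$SEATS_FILE"; then
        echo already
        return 0
    fi
    used=$(grep -c . "$SEATS_FILE" || :)
    if [ "$used" -ge "$MAX_SEATS" ]; then
        echo full
        return 1
    fi
    echo "$ip" >>"$SEATS_FILE"
    echo granted
}

# Usage: sh seatgate.sh <client-ip>   (DRY_RUN=0 to apply the rules for real)
if [ $# -eq 1 ]; then
    status=$(grant_seat "$1")
    echo "$1: $status"
    if [ "$status" = granted ]; then
        add_rules "$1"
    fi
fi
```

Run it once per requesting host; a second request from the same address reports "already" and adds no duplicate rules, and once MAX_SEATS addresses hold seats every further host gets "full". As in the PHP Benny describes, the seat is keyed on the client's source IP, so the control is only as good as address assignment on the office LAN; the seat file survives a reboot but the iptables rules do not, so they would have to be replayed from it at boot.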
Thread overview: 4+ messages
2002-06-19 13:31 Multiple source question Benny Butler
2002-06-19 13:41 ` Antony Stone
2002-06-19 14:01 ` Benny Butler [this message]
2002-06-19 14:14 ` Antony Stone