* WAP11 host behind Netfilter Router
@ 2002-09-18 20:44 Ryan Beisner
  2002-09-18 21:20 ` Antony Stone
  0 siblings, 1 reply; 3+ messages in thread
From: Ryan Beisner @ 2002-09-18 20:44 UTC (permalink / raw)
  To: netfilter

Hi All!


I have a Linksys WAP11 behind a high speed connection.

Currently doing simple NAT with:

    iptables -t nat -A POSTROUTING -o $extdev -j MASQUERADE
        (other rules to accept certain protocols for ssh, webmin, etc)
        and then:
    iptables -A INPUT -i $extdev -m state --state NEW,INVALID -j DROP
    iptables -A FORWARD -i $extdev -m state --state NEW,INVALID -j DROP
        as a simple block to unwanted traffic on an already protected ext. network

Here's the scenario:

    INT (eth0) IP Range ( 192.168.168.1 class C )
    EXT (eth1) IP Range also private ( 10.20.0.3 class B )
    EXT (eth1:1) Virtual IP is 10.20.0.4

I want to map everything from Virt IP (Eth1:1) 10.20.0.4 (all ports) to internal 192.168.168.178 (the Linksys WAP 11).  FYI this is for remote management of my access point.

Where in the world do I start? All help is appreciated in advance.

Here was my first attempt, which did not work.  I explicitly allow all traffic in/out/fwd for 10.20.0.4 to make sure I wasn't kicking myself here.  Still no go.  Suggestions?

    iptables -A PREROUTING -t nat -d 10.20.0.4 -j DNAT --to 192.168.168.178


-Ryan Beisner

ryanb -at-nosp@m- thedataarc () com



* Re: WAP11 host behind Netfilter Router
  2002-09-18 20:44 WAP11 host behind Netfilter Router Ryan Beisner
@ 2002-09-18 21:20 ` Antony Stone
  0 siblings, 0 replies; 3+ messages in thread
From: Antony Stone @ 2002-09-18 21:20 UTC (permalink / raw)
  To: netfilter

On Wednesday 18 September 2002 9:44 pm, Ryan Beisner wrote:

> Hi All!
>
> I have a Linksys WAP11 behind a high speed connection.
>
> Here's the scenario:
>
>     INT (eth0) IP Range ( 192.168.168.1 class C )
>     EXT (eth1) IP Range also private ( 10.20.0.3 class B )
>     EXT (eth1:1) Virtual IP is 10.20.0.4
>
> I want to map everything from Virt IP (Eth1:1) 10.20.0.4 (all ports) to
> internal 192.168.168.178 (the Linksys WAP 11).  FYI this is for remote
> management of my access point.
>
> Here was my first attempt, which did not work.  I explicitly allow all
> traffic in/out/fwd for 10.20.0.4 to make sure I wasn't kicking myself here.
>  Still no go.  Suggestions?
>
>     iptables -A PREROUTING -t nat -d 10.20.0.4 -j DNAT --to 192.168.168.178

The PREROUTING rule looks good.

However, remember that by the time packets reach the FORWARD chain, the
PREROUTING rule has already NATted them, so you need to allow packets for
192.168.168.178 through netfilter, not packets for 10.20.0.4.

Also, you say you want to do this for "remote management of the access
point", so why do you want to map *all* ports? Surely there's only a very
few ways of managing the AP: telnet, snmp, http - any others?

Antony.

-- 

If at first you don't succeed, destroy all the evidence that you tried.
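
The two points from the reply above, applied to the addresses in this thread, as an added example that is not part of either poster's message: forward only management ports, and accept them in FORWARD by the post-DNAT address. The port list (TCP 23 and 80, UDP 161, taken from the telnet/snmp/http services named in the reply), the `eth1` value for `$extdev`, and the `ipt` and `wap_forward_rules` helper names are assumptions; the script prints the rules unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example (not from the thread): DNAT a few management ports from the
# virtual IP to the WAP11 and accept them in FORWARD by the translated address.

EXTDEV=eth1                 # external interface ($extdev in the original post)
VIP=10.20.0.4               # virtual IP on eth1:1
WAP=192.168.168.178         # Linksys WAP11 on the internal network
MGMT_PORTS="tcp:23 tcp:80 udp:161"   # assumed: telnet, http, snmp

# Print each rule by default; with APPLY=1 (as root) run iptables instead.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

wap_forward_rules() {
    for entry in $MGMT_PORTS; do
        proto=${entry%%:*}
        port=${entry##*:}

        # nat/PREROUTING rewrites the destination before routing, so this
        # rule still matches on the virtual IP.
        ipt -t nat -A PREROUTING -i "$EXTDEV" -d "$VIP" \
            -p "$proto" --dport "$port" -j DNAT --to-destination "$WAP"

        # filter/FORWARD sees the packet after DNAT, so it must match the
        # WAP's real address. -I inserts at the top of the chain, ahead of
        # the existing "-m state --state NEW,INVALID -j DROP" rule.
        ipt -I FORWARD -i "$EXTDEV" -d "$WAP" \
            -p "$proto" --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Later packets of an accepted connection are not NEW, so the DROP rule
    # shown in the original post does not match them.
}

wap_forward_rules
```

After applying, `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v` show per-rule packet counters, which confirm whether traffic is hitting the DNAT rule and then the ACCEPT rule.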

