* re: WAP11 through router
@ 2002-09-18 21:31 Ryan Beisner
From: Ryan Beisner @ 2002-09-18 21:31 UTC (permalink / raw)
To: netfilter
How about this:
Ext IF eth1 IP 10.20.0.3 (insignificant unnecessary info for this config)
Ext IF eth1:1 Virtual IP 10.20.0.4
Int IF eth0 IP 192.168.168.1
I want a one-to-one bidirectional NAT map from 10.20.0.4 to 192.168.168.178 for all ports. I will explicitly allow and deny protocols later. Again, this is already behind a firewall in my corporation. The goal is to make 10.20.0.4 a full "representative" of my WAP11. Security is taken care of elsewhere with the firebox. = )
Using IPTRAF, I can see the request coming through, but the answer doesn't make it out. I'm just not figuring that out. Thanks again, I really appreciate any help you can provide.
-Ryan Beisner
On Wednesday 18 September 2002 9:44 pm, Ryan Beisner wrote:
> Hi All!
>
> I have a Linksys WAP11 behind a high speed connection.
>
> Here's the scenario:
>
> INT (eth0) IP Range ( 192.168.168.1 class C )
> EXT (eth1) IP Range also private ( 10.20.0.3 class B )
> EXT (eth1:1) Virtual IP is 10.20.0.4
>
> I want to map everything from Virt IP (Eth1:1) 10.20.0.4 (all ports) to
> internal 192.168.168.178 (the Linksys WAP 11). FYI this is for remote
> management of my access point.
>
> Here was my first attempt, which did not work. I explicitly allow all
> traffic in/out/fwd for 10.20.0.4 to make sure I wasn't kicking myself here.
> Still no go. Suggestions?
>
> ""iptables -A PREROUTING -t nat -d 10.20.0.4 -j DNAT --to
> 192.168.168.178""
The PREROUTING rule looks good.
However, remember that by the time packets reach the FORWARD chain, the
PREROUTING rule has already NATted them, so you need to allow packets for
192.168.168.178 through netfilter, not packets for 10.20.0.4.....
Also, you say you want to do this for "remote management of the access
point", so why do you want to map *all* ports ? Surely there's only a very
few ways of managing the AP: telnet, snmp, http - any others ?
Antony.
--
If at first you don't succeed, destroy all the evidence that you tried.
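An added example, not part of the thread or written by either poster: the reply's two points as a rule set, with FORWARD matching the post-DNAT address 192.168.168.178 and only management ports admitted. Addresses and interfaces are the ones given in the thread; the port numbers for telnet, http and snmp (tcp/23, tcp/80, udp/161) and the `ipt`/`wap_rules` helper names are assumptions of this example. It prints the commands unless APPLY=1 is set.

```sh
#!/bin/sh
# Added example: DNAT for the WAP11 with FORWARD rules keyed on the
# translated (internal) address. Values below are taken from the thread.
VIP=10.20.0.4          # virtual IP on eth1:1
WAP=192.168.168.178    # Linksys WAP11 on the internal side
EXT_IF=eth1            # aliases such as eth1:1 are seen by netfilter as eth1
INT_IF=eth0

# Hypothetical helper: print each command by default,
# run it for real only when APPLY=1 (requires root).
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

wap_rules() {
    # nat/PREROUTING runs before routing: the destination is rewritten here.
    ipt -t nat -A PREROUTING -i "$EXT_IF" -d "$VIP" \
        -j DNAT --to-destination "$WAP"

    # filter/FORWARD runs after DNAT, so it sees $WAP as the destination,
    # never $VIP. Admit only new connections to the management ports
    # (assumed: telnet tcp/23, http tcp/80, snmp udp/161).
    for svc in tcp:23 tcp:80 udp:161; do
        ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$WAP" \
            -p "${svc%%:*}" --dport "${svc##*:}" \
            -m conntrack --ctstate NEW -j ACCEPT
    done

    # Replies from the WAP belong to tracked connections; conntrack
    # rewrites their source back to $VIP without a separate SNAT rule.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

wap_rules
```

Run without APPLY to review the generated commands against the existing FORWARD policy before applying them.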