* RE: Is this correct?
@ 2003-06-20 2:39 George Vieira
2003-06-20 3:10 ` Shawn
0 siblings, 1 reply; 21+ messages in thread
From: George Vieira @ 2003-06-20 2:39 UTC (permalink / raw)
To: Shawn; +Cc: netfilter
Why/How would the Linux box broadcast its ARP response for 10.0.0.1 when the IP doesn't belong to the firewall? It just has a rule saying what to do if a packet arrives at it asking it to forward to that host... ARP is on a different IP layer to netfilter.
The rule doesn't make it respond to arp requests.
Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au
Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au
Phone : +61 2 9955 2644
HelpDesk: +61 2 9955 2698
-----Original Message-----
From: Shawn [mailto:core@enodev.com]
Sent: Friday, June 20, 2003 12:29 PM
To: George Vieira
Cc: netfilter@lists.netfilter.org
Subject: RE: Is this correct?
I get confused because I picture other 10.0.0.0/24 hosts arping for
10.0.0.1 and getting the MAC for linux-router/eth0. How is this not the
case?
Thank you all so much for the help!
^ permalink raw reply [flat|nested] 21+ messages in thread
* RE: Is this correct?
2003-06-20 2:39 Is this correct? George Vieira
@ 2003-06-20 3:10 ` Shawn
0 siblings, 0 replies; 21+ messages in thread
From: Shawn @ 2003-06-20 3:10 UTC (permalink / raw)
To: George Vieira; +Cc: netfilter@lists.netfilter.org
I must apologize, as my original scenario probably is not representative
of the problem.
In my original scenario, hosts trying to reach 10.0.0.1 thought they
were also on the 10.0.0.0/24 network, meaning they think there's no
router involved.
This means their stack tries to ARP for 10.0.0.1 (who has 10.0.0.1 out
onto the wire) and the linux-router would respond with its MAC for eth0
if I were to bind 10.0.0.1 to eth0 as you suggested. ("ip addr add
10.0.0.1/8 dev eth0")
I wonder if my original scenario would work at all given this problem...
On Thu, 2003-06-19 at 21:39, George Vieira wrote:
> Why/How would the Linux box broadcast its ARP response for 10.0.0.1 when the IP doesn't belong to the firewall? It just has a rule saying what to do if a packet arrives at it asking it to forward to that host... ARP is on a different IP layer to netfilter.
> The rule doesn't make it respond to arp requests.
>
> Thanks,
> ____________________________________________
> George Vieira
> Systems Manager
> georgev@citadelcomputer.com.au
>
> Citadel Computer Systems Pty Ltd
> http://www.citadelcomputer.com.au
>
> Phone : +61 2 9955 2644
> HelpDesk: +61 2 9955 2698
>
>
> -----Original Message-----
> From: Shawn [mailto:core@enodev.com]
> Sent: Friday, June 20, 2003 12:29 PM
> To: George Vieira
> Cc: netfilter@lists.netfilter.org
> Subject: RE: Is this correct?
>
>
> I get confused because I picture other 10.0.0.0/24 hosts arping for
> 10.0.0.1 and getting the MAC for linux-router/eth0. How is this not the
> case?
>
> Thank you all so much for the help!
* is this correct ?
@ 2004-02-06 12:01 Aleksandr Guidrevitch
2004-02-11 0:03 ` Antony Stone
0 siblings, 1 reply; 21+ messages in thread
From: Aleksandr Guidrevitch @ 2004-02-06 12:01 UTC (permalink / raw)
To: netfilter
Hi All !
I'm a newbie in iptables.
I have a linux box with ppp connection to internet (dynamic IP),
eth0 192.168.0.1 and a Windows box 192.168.0.3 connected to eth0.
I strive to allow *everything* from my home network,
and disallow anyone to connect to my home network, e.g.
drop all the incoming connections to my ppp0 interface.
Can anyone say if my config below is correct (/etc/sysconfig/iptables) ?
Well, it seems to work as expected, but it is so simple,
maybe I'm missing some important security points ?
------
*nat
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*mangle
COMMIT
*filter
-A INPUT -i ppp0 -p icmp -j ACCEPT
# disabling not established and not related connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i ppp0 -j DROP
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
* Re: is this correct ?
2004-02-06 12:01 is this correct ? Aleksandr Guidrevitch
@ 2004-02-11 0:03 ` Antony Stone
0 siblings, 0 replies; 21+ messages in thread
From: Antony Stone @ 2004-02-11 0:03 UTC (permalink / raw)
To: netfilter
On Friday 06 February 2004 12:01 pm, Aleksandr Guidrevitch wrote:
> Can anyone say if my config below is correct (/etc/sysconfig/iptables) ?
> Well, it seems to work as expected, but it is so simple,
> may be I'm missing some important security points ?
You are certainly missing some important security.
Take a look at some of the documentation for netfilter, referenced from the
netfilter website, such as Oskar Andreasson's excellent tutorial at
http://iptables-tutorial.frozentux.net/iptables-tutorial.html and pay
particular attention to the meaning of the INPUT, FORWARD and OUTPUT chains.
Specifically, packets being routed *through* the firewall from your LAN to
the Internet (or vice versa) do *not* go through INPUT or OUTPUT.....
Regards,
Antony.
> ------
> *nat
> -A POSTROUTING -o ppp0 -j MASQUERADE
> COMMIT
>
> *mangle
> COMMIT
>
> *filter
> -A INPUT -i ppp0 -p icmp -j ACCEPT
>
> # disabling not established and not related connections
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -i ppp0 -j DROP
>
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
>
> COMMIT
--
Anyone that's normal doesn't really achieve much.
- Mark Blair, Australian rocket engineer
Please reply to the list;
please don't CC me.
* RE: Is this correct?
@ 2003-06-20 3:52 George Vieira
0 siblings, 0 replies; 21+ messages in thread
From: George Vieira @ 2003-06-20 3:52 UTC (permalink / raw)
To: Shawn, Alistair; +Cc: netfilter
OK, well the 10.23.4.209 machine is coming from a network that's not the 10.0.0.0/24 because of the netmask, and it is routed to the 10.0.0.254 via the eth0 device. This tells me there are 2+ networks on eth0 somewhere.
The 10.23.4.209 would find the 10.0.0.1 machine quite fine with the DNAT rule, BUT machines that are on the 10.0.0.0/24 will NOT because the machine actually doesn't exist unless they have a host route or the firewall uses the ip addr add command.. but the 10.23.x.x would work fine as is...
OK, did I get that clear now? If not, better draw something, as this seems too simple to solve yet so much confusion ;)
In the end, adding a second IP and still using the DNAT rule fixes all networks as far as I can see..
Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au
Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au
Phone : +61 2 9955 2644
HelpDesk: +61 2 9955 2698
-----Original Message-----
From: Shawn [mailto:core@enodev.com]
Sent: Friday, June 20, 2003 1:13 PM
To: Alistair@nerdnet.ca
Cc: netfilter@lists.netfilter.org
Subject: Re: Is this correct?
* RE: Is this correct?
@ 2003-06-20 3:37 George Vieira
0 siblings, 0 replies; 21+ messages in thread
From: George Vieira @ 2003-06-20 3:37 UTC (permalink / raw)
To: Shawn, Daniel Chemko; +Cc: netfilter
If it had a route then it would throw it away if it had no DNAT rule, but you do, so it'll translate the DEST IP to 192.168.0.1 before it drops it. And if you had a route then you wouldn't require the "ip addr add" command either..
Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au
Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au
Phone : +61 2 9955 2644
HelpDesk: +61 2 9955 2698
-----Original Message-----
From: Shawn [mailto:core@enodev.com]
Sent: Friday, June 20, 2003 12:30 PM
To: Daniel Chemko
Cc: netfilter@lists.netfilter.org
Subject: RE: Is this correct?
It wouldn't throw it away if it had a route for it, would it?
Since linux-router/eth1 has 10.0.0.250/24 assigned, wouldn't it forward
out that one?
* RE: Is this correct?
@ 2003-06-20 3:23 George Vieira
0 siblings, 0 replies; 21+ messages in thread
From: George Vieira @ 2003-06-20 3:23 UTC (permalink / raw)
To: Shawn; +Cc: netfilter
PREROUTING happens before INPUT, so when PREROUTING changes the destination IP, the IP no longer belongs to the firewall, and then the routing stage occurs, which then forwards it to eth1 destined for the IP 192.168.0.1.
Make sense?
Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au
Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au
Phone : +61 2 9955 2644
HelpDesk: +61 2 9955 2698
-----Original Message-----
From: Shawn [mailto:core@enodev.com]
Sent: Friday, June 20, 2003 1:20 PM
To: George Vieira
Cc: netfilter@lists.netfilter.org
Subject: RE: Is this correct?
So anyway, assign 10.0.0.1 to linux-router/eth0:1 so the host would
actually get all the packets intended for 10.0.0.1[192.168.0.1]...
I guess it's surprising to me if this works, because at what point does
linux-router decide if a packet is to be forwarded or accepted as its
own? If eth0 has 10.0.0.1, would DNATing the packet in PREROUTING to
192.168.0.1 keep linux-router from owning the packet?
Anyway, my original scenario is bogus. The hosts needing to reach
10.0.0.1[192.168.0.1] would likely be routing through something, and not
on 10.0.0.0/24.
Really sorry for being confusing. I can see why my original scenario
would be dubious.
On Thu, 2003-06-19 at 21:49, George Vieira wrote:
> I have to correct that line I mentioned below.. it should've been as a previous user's post which showed the netmask as 255.255.255.0 (/24) not 255.0.0.0 (/8) , that's if ALL hosts are on a C class network with an A class address..
> If they are all on 10.0.0.X/255.255.255.0 and they want to talk to 10.0.0.1 and that machine doesn't exist it'll fail unless:
>
> 1. you add the IP to the firewall so it'll respond to the ARP requests and then your rule will work.
> 2. Add a host route to all machines to go via the firewall even when it has not got that IP.. bloody big job if there's a lot of hosts.. and ugly.
>
> If the source IP is not 10.0.0.X and the default gateway IS the firewall then it'll work.. but from what you're saying about the network structure it won't without some more changes..
>
> Thanks,
> ____________________________________________
> George Vieira
> Systems Manager
> georgev@citadelcomputer.com.au
>
> Citadel Computer Systems Pty Ltd
> http://www.citadelcomputer.com.au
>
> Phone : +61 2 9955 2644
> HelpDesk: +61 2 9955 2698
>
>
> -----Original Message-----
> From: Shawn [mailto:core@enodev.com]
> Sent: Friday, June 20, 2003 12:42 PM
> To: George Vieira
> Cc: netfilter@lists.netfilter.org
> Subject: RE: Is this correct?
>
>
> Do you say add 10.0.0.1 to eth0 because you figure I lack an external
> routing reference making packets arrive at my host?
>
> Come to think of it, there probably wouldn't be a router that could do
> that in my scenario. Sorry if I was confusing. It's probably more
> accurate to say that some host "10.23.4.209" is going to try to reach
> 10.0.0.1, and 10.0.0.250 is the last hop on the way there.
>
> Now does that sound better?
>
> On Thu, 2003-06-19 at 17:10, George Vieira wrote:
> > The only way I know of to do that is use iproute2 (or ifconfig) and add that IP to the firewall's eth0 device and fix your rule (lowercase J).
> >
> > ip addr add 10.0.0.1/8 dev eth0
> > iptables -t nat -I PREROUTING -i eth0 -d 10.0.0.1 -j DNAT \
> > --to 192.168.0.1
> >
> > I think that'll work OK..
> >
> > Thanks,
> > ____________________________________________
> > George Vieira
> > Systems Manager
> > georgev@citadelcomputer.com.au
> >
> > Citadel Computer Systems Pty Ltd
> > http://www.citadelcomputer.com.au
> >
> > Phone : +61 2 9955 2644
> > HelpDesk: +61 2 9955 2698
> >
> >
> > -----Original Message-----
> > From: Shawn [mailto:core@enodev.com]
> > Sent: Friday, June 20, 2003 7:07 AM
> > To: netfilter@lists.netfilter.org
> > Subject: Is this correct?
> >
> >
> > I have an iptables statement I would just like someone to say if I have
> > it right.
> >
> > Let's say I have a linux box with eth0=10.0.0.250 and
> > eth1=192.168.0.250, and there's a host (192.168.0.1) connected to eth1.
> > I want to route connections from hosts in 10.0.0.0/24 land to 10.0.0.1
> > onto the linux box's eth0, and have them NATed to 192.168.0.1
> >
> > Will the following statement do that?
> >
> > iptables -t nat -I PREROUTING -i eth0 -d 10.0.0.1 -J DNAT \
> > --to 192.168.0.1
> >
> >
> >
* RE: Is this correct?
@ 2003-06-20 2:49 George Vieira
2003-06-20 3:19 ` Shawn
0 siblings, 1 reply; 21+ messages in thread
From: George Vieira @ 2003-06-20 2:49 UTC (permalink / raw)
To: Shawn; +Cc: netfilter
I have to correct that line I mentioned below.. it should've been as a previous user's post which showed the netmask as 255.255.255.0 (/24) not 255.0.0.0 (/8) , that's if ALL hosts are on a C class network with an A class address..
If they are all on 10.0.0.X/255.255.255.0 and they want to talk to 10.0.0.1 and that machine doesn't exist it'll fail unless:
1. you add the IP to the firewall so it'll respond to the ARP requests and then your rule will work.
2. Add a host route to all machines to go via the firewall even when it has not got that IP.. bloody big job if there's a lot of hosts.. and ugly.
If the source IP is not 10.0.0.X and the default gateway IS the firewall then it'll work.. but from what you're saying about the network structure it won't without some more changes..
Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au
Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au
Phone : +61 2 9955 2644
HelpDesk: +61 2 9955 2698
-----Original Message-----
From: Shawn [mailto:core@enodev.com]
Sent: Friday, June 20, 2003 12:42 PM
To: George Vieira
Cc: netfilter@lists.netfilter.org
Subject: RE: Is this correct?
Do you say add 10.0.0.1 to eth0 because you figure I lack an external
routing reference making packets arrive at my host?
Come to think of it, there probably wouldn't be a router that could do
that in my scenario. Sorry if I was confusing. It's probably more
accurate to say that some host "10.23.4.209" is going to try to reach
10.0.0.1, and 10.0.0.250 is the last hop on the way there.
Now does that sound better?
On Thu, 2003-06-19 at 17:10, George Vieira wrote:
> The only way I know of to do that is use iproute2 (or ifconfig) and add that IP to the firewall's eth0 device and fix your rule (lowercase J).
>
> ip addr add 10.0.0.1/8 dev eth0
> iptables -t nat -I PREROUTING -i eth0 -d 10.0.0.1 -j DNAT \
> --to 192.168.0.1
>
> I think that'll work OK..
>
> Thanks,
> ____________________________________________
> George Vieira
> Systems Manager
> georgev@citadelcomputer.com.au
>
> Citadel Computer Systems Pty Ltd
> http://www.citadelcomputer.com.au
>
> Phone : +61 2 9955 2644
> HelpDesk: +61 2 9955 2698
>
>
> -----Original Message-----
> From: Shawn [mailto:core@enodev.com]
> Sent: Friday, June 20, 2003 7:07 AM
> To: netfilter@lists.netfilter.org
> Subject: Is this correct?
>
>
> I have an iptables statement I would just like someone to say if I have
> it right.
>
> Let's say I have a linux box with eth0=10.0.0.250 and
> eth1=192.168.0.250, and there's a host (192.168.0.1) connected to eth1.
> I want to route connections from hosts in 10.0.0.0/24 land to 10.0.0.1
> onto the linux box's eth0, and have them NATed to 192.168.0.1
>
> Will the following statement do that?
>
> iptables -t nat -I PREROUTING -i eth0 -d 10.0.0.1 -J DNAT \
> --to 192.168.0.1
>
>
>
* RE: Is this correct?
2003-06-20 2:49 George Vieira
@ 2003-06-20 3:19 ` Shawn
0 siblings, 0 replies; 21+ messages in thread
From: Shawn @ 2003-06-20 3:19 UTC (permalink / raw)
To: George Vieira; +Cc: netfilter@lists.netfilter.org
So anyway, assign 10.0.0.1 to linux-router/eth0:1 so the host would
actually get all the packets intended for 10.0.0.1[192.168.0.1]...
I guess it's surprising to me if this works, because at what point does
linux-router decide if a packet is to be forwarded or accepted as its
own? If eth0 has 10.0.0.1, would DNATing the packet in PREROUTING to
192.168.0.1 keep linux-router from owning the packet?
Anyway, my original scenario is bogus. The hosts needing to reach
10.0.0.1[192.168.0.1] would likely be routing through something, and not
on 10.0.0.0/24.
Really sorry for being confusing. I can see why my original scenario
would be dubious.
On Thu, 2003-06-19 at 21:49, George Vieira wrote:
> I have to correct that line I mentioned below.. it should've been as a previous user's post which showed the netmask as 255.255.255.0 (/24) not 255.0.0.0 (/8) , that's if ALL hosts are on a C class network with an A class address..
> If they are all on 10.0.0.X/255.255.255.0 and they want to talk to 10.0.0.1 and that machine doesn't exist it'll fail unless:
>
> 1. you add the IP to the firewall so it'll respond to the ARP requests and then your rule will work.
> 2. Add a host route to all machines to go via the firewall even when it has not got that IP.. bloody big job if there's a lot of hosts.. and ugly.
>
> If the source IP is not 10.0.0.X and the default gateway IS the firewall then it'll work.. but from what you're saying about the network structure it won't without some more changes..
>
> Thanks,
> ____________________________________________
> George Vieira
> Systems Manager
> georgev@citadelcomputer.com.au
>
> Citadel Computer Systems Pty Ltd
> http://www.citadelcomputer.com.au
>
> Phone : +61 2 9955 2644
> HelpDesk: +61 2 9955 2698
>
>
> -----Original Message-----
> From: Shawn [mailto:core@enodev.com]
> Sent: Friday, June 20, 2003 12:42 PM
> To: George Vieira
> Cc: netfilter@lists.netfilter.org
> Subject: RE: Is this correct?
>
>
> Do you say add 10.0.0.1 to eth0 because you figure I lack an external
> routing reference making packets arrive at my host?
>
> Come to think of it, there probably wouldn't be a router that could do
> that in my scenario. Sorry if I was confusing. It's probably more
> accurate to say that some host "10.23.4.209" is going to try to reach
> 10.0.0.1, and 10.0.0.250 is the last hop on the way there.
>
> Now does that sound better?
>
> On Thu, 2003-06-19 at 17:10, George Vieira wrote:
> > The only way I know of to do that is use iproute2 (or ifconfig) and add that IP to the firewall's eth0 device and fix your rule (lowercase J).
> >
> > ip addr add 10.0.0.1/8 dev eth0
> > iptables -t nat -I PREROUTING -i eth0 -d 10.0.0.1 -j DNAT \
> > --to 192.168.0.1
> >
> > I think that'll work OK..
> >
> > Thanks,
> > ____________________________________________
> > George Vieira
> > Systems Manager
> > georgev@citadelcomputer.com.au
> >
> > Citadel Computer Systems Pty Ltd
> > http://www.citadelcomputer.com.au
> >
> > Phone : +61 2 9955 2644
> > HelpDesk: +61 2 9955 2698
> >
> >
> > -----Original Message-----
> > From: Shawn [mailto:core@enodev.com]
> > Sent: Friday, June 20, 2003 7:07 AM
> > To: netfilter@lists.netfilter.org
> > Subject: Is this correct?
> >
> >
> > I have an iptables statement I would just like someone to say if I have
> > it right.
> >
> > Let's say I have a linux box with eth0=10.0.0.250 and
> > eth1=192.168.0.250, and there's a host (192.168.0.1) connected to eth1.
> > I want to route connections from hosts in 10.0.0.0/24 land to 10.0.0.1
> > onto the linux box's eth0, and have them NATed to 192.168.0.1
> >
> > Will the following statement do that?
> >
> > iptables -t nat -I PREROUTING -i eth0 -d 10.0.0.1 -J DNAT \
> > --to 192.168.0.1
> >
> >
> >
* RE: Is this correct?
@ 2003-06-19 22:10 George Vieira
2003-06-20 2:28 ` Shawn
2003-06-20 2:41 ` Shawn
0 siblings, 2 replies; 21+ messages in thread
From: George Vieira @ 2003-06-19 22:10 UTC (permalink / raw)
To: Shawn, netfilter
The only way I know of to do that is use iproute2 (or ifconfig) and add that IP to the firewall's eth0 device and fix your rule (lowercase J).
ip addr add 10.0.0.1/8 dev eth0
iptables -t nat -I PREROUTING -i eth0 -d 10.0.0.1 -j DNAT \
--to 192.168.0.1
I think that'll work OK..
Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au
Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au
Phone : +61 2 9955 2644
HelpDesk: +61 2 9955 2698
-----Original Message-----
From: Shawn [mailto:core@enodev.com]
Sent: Friday, June 20, 2003 7:07 AM
To: netfilter@lists.netfilter.org
Subject: Is this correct?
I have an iptables statement I would just like someone to say if I have
it right.
Let's say I have a linux box with eth0=10.0.0.250 and
eth1=192.168.0.250, and there's a host (192.168.0.1) connected to eth1.
I want to route connections from hosts in 10.0.0.0/24 land to 10.0.0.1
onto the linux box's eth0, and have them NATed to 192.168.0.1
Will the following statement do that?
iptables -t nat -I PREROUTING -i eth0 -d 10.0.0.1 -J DNAT \
--to 192.168.0.1
* RE: Is this correct?
2003-06-19 22:10 George Vieira
@ 2003-06-20 2:28 ` Shawn
2003-06-20 2:41 ` Shawn
1 sibling, 0 replies; 21+ messages in thread
From: Shawn @ 2003-06-20 2:28 UTC (permalink / raw)
To: George Vieira; +Cc: netfilter@lists.netfilter.org
I get confused because I picture other 10.0.0.0/24 hosts arping for
10.0.0.1 and getting the MAC for linux-router/eth0. How is this not the
case?
Thank you all so much for the help!
On Thu, 2003-06-19 at 17:10, George Vieira wrote:
> The only way I know of to do that is use iproute2 (or ifconfig) and add that IP to the firewall's eth0 device and fix your rule (lowercase J).
>
> ip addr add 10.0.0.1/8 dev eth0
> iptables -t nat -I PREROUTING -i eth0 -d 10.0.0.1 -j DNAT \
> --to 192.168.0.1
>
> I think that'll work OK..
>
> Thanks,
> ____________________________________________
> George Vieira
> Systems Manager
> georgev@citadelcomputer.com.au
>
> Citadel Computer Systems Pty Ltd
> http://www.citadelcomputer.com.au
>
> Phone : +61 2 9955 2644
> HelpDesk: +61 2 9955 2698
>
>
> -----Original Message-----
> From: Shawn [mailto:core@enodev.com]
> Sent: Friday, June 20, 2003 7:07 AM
> To: netfilter@lists.netfilter.org
> Subject: Is this correct?
>
>
> I have an iptables statement I would just like someone to say if I have
> it right.
>
> Let's say I have a linux box with eth0=10.0.0.250 and
> eth1=192.168.0.250, and there's a host (192.168.0.1) connected to eth1.
> I want to route connections from hosts in 10.0.0.0/24 land to 10.0.0.1
> onto the linux box's eth0, and have them NATed to 192.168.0.1
>
> Will the following statement do that?
>
> iptables -t nat -I PREROUTING -i eth0 -d 10.0.0.1 -J DNAT \
> --to 192.168.0.1
>
>
>
* RE: Is this correct?
2003-06-19 22:10 George Vieira
2003-06-20 2:28 ` Shawn
@ 2003-06-20 2:41 ` Shawn
1 sibling, 0 replies; 21+ messages in thread
From: Shawn @ 2003-06-20 2:41 UTC (permalink / raw)
To: George Vieira; +Cc: netfilter@lists.netfilter.org
Do you say add 10.0.0.1 to eth0 because you figure I lack an external
routing reference making packets arrive at my host?
Come to think of it, there probably wouldn't be a router that could do
that in my scenario. Sorry if I was confusing. It's probably more
accurate to say that some host "10.23.4.209" is going to try to reach
10.0.0.1, and 10.0.0.250 is the last hop on the way there.
Now does that sound better?
On Thu, 2003-06-19 at 17:10, George Vieira wrote:
> The only way I know of to do that is use iproute2 (or ifconfig) and add that IP to the firewall's eth0 device and fix your rule (lowercase J).
>
> ip addr add 10.0.0.1/8 dev eth0
> iptables -t nat -I PREROUTING -i eth0 -d 10.0.0.1 -j DNAT \
> --to 192.168.0.1
>
> I think that'll work OK..
>
> Thanks,
> ____________________________________________
> George Vieira
> Systems Manager
> georgev@citadelcomputer.com.au
>
> Citadel Computer Systems Pty Ltd
> http://www.citadelcomputer.com.au
>
> Phone : +61 2 9955 2644
> HelpDesk: +61 2 9955 2698
>
>
> -----Original Message-----
> From: Shawn [mailto:core@enodev.com]
> Sent: Friday, June 20, 2003 7:07 AM
> To: netfilter@lists.netfilter.org
> Subject: Is this correct?
>
>
> I have an iptables statement I would just like someone to say if I have
> it right.
>
> Let's say I have a linux box with eth0=10.0.0.250 and
> eth1=192.168.0.250, and there's a host (192.168.0.1) connected to eth1.
> I want to route connections from hosts in 10.0.0.0/24 land to 10.0.0.1
> onto the linux box's eth0, and have them NATed to 192.168.0.1
>
> Will the following statement do that?
>
> iptables -t nat -I PREROUTING -i eth0 -d 10.0.0.1 -J DNAT \
> --to 192.168.0.1
>
>
>
* RE: Is this correct?
@ 2003-06-19 22:06 Daniel Chemko
2003-06-20 2:30 ` Shawn
0 siblings, 1 reply; 21+ messages in thread
From: Daniel Chemko @ 2003-06-19 22:06 UTC (permalink / raw)
To: Shawn, netfilter
You have to bind 10.0.0.1 to the network interface, or else the OS may
throw it away.
ip addr add dev eth0 10.0.0.1 netmask 255.<whatever>
Something like that.
-----Original Message-----
From: Shawn [mailto:core@enodev.com]
Sent: Thursday, June 19, 2003 2:07 PM
To: netfilter@lists.netfilter.org
Subject: Is this correct?
I have an iptables statement I would just like someone to say if I have
it right.
Let's say I have a linux box with eth0=10.0.0.250 and
eth1=192.168.0.250, and there's a host (192.168.0.1) connected to eth1.
I want to route connections from hosts in 10.0.0.0/24 land to 10.0.0.1
onto the linux box's eth0, and have them NATed to 192.168.0.1
Will the following statement do that?
iptables -t nat -I PREROUTING -i eth0 -d 10.0.0.1 -J DNAT \
--to 192.168.0.1
* RE: Is this correct?
2003-06-19 22:06 Daniel Chemko
@ 2003-06-20 2:30 ` Shawn
2003-06-20 2:35 ` Shawn
0 siblings, 1 reply; 21+ messages in thread
From: Shawn @ 2003-06-20 2:30 UTC (permalink / raw)
To: Daniel Chemko; +Cc: netfilter@lists.netfilter.org
It wouldn't throw it away if it had a route for it, would it?
Since linux-router/eth1 has 10.0.0.250/24 assigned, wouldn't it forward
out that one?
On Thu, 2003-06-19 at 17:06, Daniel Chemko wrote:
> You have to bind 10.0.0.1 to the network interface, or else the OS may
> throw it away.
>
> ip addr add dev eth0 10.0.0.1 netmask 255.<whatever>
>
> Something like that.
>
> -----Original Message-----
> From: Shawn [mailto:core@enodev.com]
> Sent: Thursday, June 19, 2003 2:07 PM
> To: netfilter@lists.netfilter.org
> Subject: Is this correct?
>
> I have an iptables statement I would just like someone to say if I have
> it right.
>
> Let's say I have a linux box with eth0=10.0.0.250 and
> eth1=192.168.0.250, and there's a host (192.168.0.1) connected to eth1.
> I want to route connections from hosts in 10.0.0.0/24 land to 10.0.0.1
> onto the linux box's eth0, and have them NATed to 192.168.0.1
>
> Will the following statement do that?
>
> iptables -t nat -I PREROUTING -i eth0 -d 10.0.0.1 -J DNAT \
> --to 192.168.0.1
>
>
>
* RE: Is this correct?
2003-06-20 2:30 ` Shawn
@ 2003-06-20 2:35 ` Shawn
0 siblings, 0 replies; 21+ messages in thread
From: Shawn @ 2003-06-20 2:35 UTC (permalink / raw)
To: Daniel Chemko; +Cc: netfilter@lists.netfilter.org
Err.. No, duh... linux-router/eth0 has 10.0.0.250...
But if the packet becomes destined for 192.168.0.1 in PREROUTING, would
then the routing decision be based on the 192.168.0.1 address, and since
eth1 has an IP of 192.268.0.250/24, would the packet not get forwarded
out there?
On Thu, 2003-06-19 at 21:30, Shawn wrote:
> It wouldn't throw it away if it had a route for it, would it?
>
> Since linux-router/eth1 has 10.0.0.250/24 assigned, wouldn't it forward
> out that one?
* Is this correct?
@ 2003-06-19 21:07 Shawn
2003-06-19 22:06 ` Alistair Tonner
0 siblings, 1 reply; 21+ messages in thread
From: Shawn @ 2003-06-19 21:07 UTC (permalink / raw)
To: netfilter@lists.netfilter.org
I have an iptables statement I would just like someone to say if I have
it right.
Let's say I have a linux box with eth0=10.0.0.250 and
eth1=192.168.0.250, and there's a host (192.168.0.1) connected to eth1.
I want to route connections from hosts in 10.0.0.0/24 land to 10.0.0.1
onto the linux box's eth0, and have them NATed to 192.168.0.1
Will the following statement do that?
iptables -t nat -I PREROUTING -i eth0 -d 10.0.0.1 -J DNAT \
--to 192.168.0.1
* Re: Is this correct?
2003-06-19 21:07 Shawn
@ 2003-06-19 22:06 ` Alistair Tonner
2003-06-20 3:13 ` Shawn
0 siblings, 1 reply; 21+ messages in thread
From: Alistair Tonner @ 2003-06-19 22:06 UTC (permalink / raw)
To: Shawn, netfilter@lists.netfilter.org
On June 19, 2003 05:07 pm, Shawn wrote:
> I have an iptables statement I would just like someone to say if I have
> it right.
>
> Let's say I have a linux box with eth0=10.0.0.250 and
> eth1=192.168.0.250, and there's a host (192.168.0.1) connected to eth1.
> I want to route connections from hosts in 10.0.0.0/24 land to 10.0.0.1
> onto the linux box's eth0, and have them NATed to 192.168.0.1
>
> Will the following statement do that?
>
> iptables -t nat -I PREROUTING -i eth0 -d 10.0.0.1 -J DNAT \
> --to 192.168.0.1
Ummm .
Where is 10.0.0.1? (since the network is /24)
If eth0's ip is 10.0.0.250 why would any packets for 10.0.0.1 end up
there? Unless there is an *external* routing reference that puts 10.0.0.1
through 10.0.0.250 this cannot work. If there is such a routing, the rule
should work.
--
Alistair Tonner
nerdnet.ca
Senior Systems Analyst - RSS
Any sufficiently advanced technology will have the appearance of magic.
Let's get magical!
* Re: Is this correct?
2003-06-19 22:06 ` Alistair Tonner
@ 2003-06-20 3:13 ` Shawn
2003-06-20 4:09 ` Alistair Tonner
0 siblings, 1 reply; 21+ messages in thread
From: Shawn @ 2003-06-20 3:13 UTC (permalink / raw)
To: Alistair; +Cc: netfilter@lists.netfilter.org
> > iptables -t nat -I PREROUTING -i eth0 -d 10.0.0.1 -J DNAT \
> > --to 192.168.0.1
>
> Ummm .
> Where is 10.0.0.1? (since the network is /24)
> If eth0's ip is 10.0.0.250 why would any packets for 10.0.0.1 end up
> there? Unless there is an *external* routing reference that puts 10.0.0.1
> through 10.0.0.250 this cannot work. If there is such a routing, the rule
> should work.
My scenario was bogus. Sorry! It's probably more accurate to say that
some host "10.23.4.209" is going to try to reach 10.0.0.1, and
10.0.0.250 is the last hop on the way there, and should DNAT those
packets to 192.168.0.1.
The problem with my original scenario was that since the hosts needing
to reach 10.0.0.1/24 (which is really 192.168.0.1) were on the
10.0.0.1/24 network themselves. Why would they need to look up a route
for a host that's supposed to be on the same network as them?
So, others were saying to assign 10.0.0.1 to linux-router/eth0:1 (I
guess) so the host would actually get all the packets intended for
10.0.0.1. I guess it's surprising to me if this works, because at what
point does linux-router decide if a packet is to be forwarded or
accepted as its own? If eth0 has 10.0.0.1, would DNATing the packet to
192.168.0.1 keep linux-router from owning the packet?
Hmmm...
* Re: Is this correct?
2003-06-20 3:13 ` Shawn
@ 2003-06-20 4:09 ` Alistair Tonner
0 siblings, 0 replies; 21+ messages in thread
From: Alistair Tonner @ 2003-06-20 4:09 UTC (permalink / raw)
To: Shawn; +Cc: netfilter@lists.netfilter.org
George's later mail is quite correct.
10.0.0.0/24
should contain the ip 10.0.0.1, therefore hosts on the 10.0.0.x segment
expect to see it directly.
10.23.4.209 will (should) have a route to the 10.0.0.x network, therefore
will eventually find 10.0.0.1 ...
Point to be made: if the objects on 10.0.0.0/24 *know* about 192.168.x.x as
10.0.0.1, this tells me that there is likely nothing *using* 10.0.0.1;
therefore, you can ADD the 10.0.0.1 address to the eth interface of the linux
iptables box, and simply add in the PREROUTING chain a rule to dnat
everything to its intended destination. Since the 10.0.0.1 address is NOT
used by the linux iptables firewall, it won't NEED to accept any of those
packets. -- it will be getting ITS packets on the 10.0.0.250 address ...
It's all as clear as mud .. but it will work.
On June 19, 2003 11:13 pm, Shawn wrote:
> > > iptables -t nat -I PREROUTING -i eth0 -d 10.0.0.1 -j DNAT \
> > > --to 192.168.0.1
> >
> > Ummm .
> > Where is 10.0.0.1? (since the network is /24)
> > If eth0's ip is 10.0.0.250 why would any packets for 10.0.0.1 end up
> > there? Unless there is an *external* routing reference that puts
> > 10.0.0.1 through 10.0.0.250 this cannot work. If there is such a
> > routing, the rule should work.
>
> My scenario was bogus. Sorry! It's probably more accurate to say that
> some host "10.23.4.209" is going to try to reach 10.0.0.1, and
> 10.0.0.250 is the last hop on the way there, and should DNAT those
> packets to 192.168.0.1.
>
> The problem with my original scenario was that the hosts needing
> to reach 10.0.0.1/24 (which is really 192.168.0.1) were on the
> 10.0.0.1/24 network themselves. Why would they need to look up a route
> for a host that's supposed to be on the same network as them?
>
> So, others were saying to assign 10.0.0.1 to linux-router/eth0:1 (I
> guess) so the host would actually get all the packets intended for
> 10.0.0.1. I guess it's surprising to me if this works, because at what
> point does linux-router decide if a packet is to be forwarded or
> accepted as its own? If eth0 has 10.0.0.1, would DNATing the packet to
> 192.168.0.1 keep linux-router from owning the packet?
>
> Hmmm...
--
Alistair Tonner
nerdnet.ca
Senior Systems Analyst - RSS
Any sufficiently advanced technology will have the appearance of magic.
Lets get magical!
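Shawn's question above (at what point does linux-router decide between forwarding a packet and accepting it as its own?) and Alistair's answer come down to hook ordering: the nat PREROUTING chain rewrites the destination before the routing decision ever looks at it, so a DNATed packet is forwarded even though 10.0.0.1 is bound locally. Added illustration, not code from this thread or from netfilter: a small Python model of that order using the thread's addresses; the Packet and DnatRule types, the conntrack dict and the reply handling are my own assumptions about how to model it.

```python
"""Toy model of the netfilter order: nat PREROUTING -> routing decision -> INPUT/FORWARD.

Constructed illustration for the thread above; not real kernel code.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str


@dataclass(frozen=True)
class DnatRule:
    """iptables -t nat -A PREROUTING -i <in_iface> -d <match_dst> -j DNAT --to-destination <to>"""
    in_iface: str
    match_dst: str
    to: str


def nat_prerouting(pkt, rules):
    """First matching rule wins, as in an iptables chain; rewrite only the destination."""
    for r in rules:
        if pkt.in_iface == r.in_iface and pkt.dst == r.match_dst:
            return replace(pkt, dst=r.to)
    return pkt


def routing_decision(pkt, local_addrs):
    """Only here does the kernel ask 'is this for me?', and it asks about the rewritten dst."""
    return "INPUT" if pkt.dst in local_addrs else "FORWARD"


def deliver(pkt, local_addrs, rules, conntrack):
    """Return (chain, packet as seen after PREROUTING) for a packet arriving on the router."""
    orig_dst = pkt.dst
    pkt = nat_prerouting(pkt, rules)
    if pkt.dst != orig_dst:
        # conntrack remembers the translation so the reply can be un-translated later
        conntrack[(pkt.dst, pkt.src)] = orig_dst
    return routing_decision(pkt, local_addrs), pkt


def nat_postrouting_reply(pkt, conntrack):
    """Reply from the DNAT target: restore the original destination as the reply's source."""
    key = (pkt.src, pkt.dst)
    return replace(pkt, src=conntrack[key]) if key in conntrack else pkt


# Constructed scenario: eth0 carries 10.0.0.250 plus the added 10.0.0.1 (ip addr add 10.0.0.1/24 dev eth0)
LOCAL = {"10.0.0.250", "10.0.0.1"}
RULES = [DnatRule("eth0", "10.0.0.1", "192.168.0.1")]

if __name__ == "__main__":
    for p in (Packet("eth0", "10.23.4.209", "10.0.0.1"), Packet("eth0", "10.23.4.209", "10.0.0.250")):
        print(p.dst, "->", deliver(p, LOCAL, RULES, {}))
```

Remove the DNAT rule from RULES and the same packet to 10.0.0.1 lands in INPUT instead, which is exactly the "owning the packet" case Shawn was worried about.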
* Is this correct ?
@ 2003-06-12 15:43 Frank R Callaghan
2003-06-12 19:57 ` Frank R Callaghan
0 siblings, 1 reply; 21+ messages in thread
From: Frank R Callaghan @ 2003-06-12 15:43 UTC (permalink / raw)
To: linux-mtd
Hi,
Is this output indicating an error condition ?
# /sbin/erase /dev/mtd0
MTD_open
Erase Total 1 UnMTD_ioctl
its
MTD_ioctl
Performing FlasMTD_ioctl
h Erase of lengtMTD do_erase_oneblock(): ERASE 0x00000000
h 65536 at offseMTD do_erase_oneblock(): Check 0x00000044 0x00000004
t 0x0MTD do_erase_oneblock(): Check 0x0000004c 0x0000000c
MTD do_erase_oneblock(): Check 0x0000005c 0x0000001c
MTD do_erase_oneblock(): Check 0x0000005c 0x0000001c
MTD do_erase_oneblock(): Check 0x00000058 0x0000001c
MTD do_erase_oneblock(): Check 0x0000005c 0x0000001c
MTD do_erase_oneblock(): Check 0x0000005c 0x0000001c
MTD do_erase_oneblock(): Check 0x00000058 0x0000001c
MTD do_erase_oneblock(): Check 0x00000058 0x0000001c
MTD do_erase_oneblock(): Check 0x000000ff 0x000000ff
MTD do_erase_oneblock(): Check 0x000000ff 0x000000ff
MTD do_erase_oneblock(): Check 0x000000ff 0x000000ff
doneMTD_close
I did a 'mount -t jffs2 /dev/mdtblock2 /mnt/ffs2' that went away for
a very long time <more than minutes> but the next day it was mounted; I
could even create a file on it - which cat'ed ok.
Any help please ?
If I can get this working I will submit the info back to the card
manufacturer so they can add it to their linux/sbc docs.
TIA,
Frank.
ps. Thanks Jörn CONFIG_MTD_CHAR = yes fixed my last problem
* Re: Is this correct ?
2003-06-12 15:43 Is this correct ? Frank R Callaghan
@ 2003-06-12 19:57 ` Frank R Callaghan
0 siblings, 0 replies; 21+ messages in thread
From: Frank R Callaghan @ 2003-06-12 19:57 UTC (permalink / raw)
To: linux-mtd
More information !
When copying a jffs2 filesystem to the device I get the
following ioctl error
# cp /myapp/jffs2_file_sys.img /dev/mtd0
MTD_open
MTD_ioctl
Invalid ioctl 5401 (MEMGETINFO = 80204d01)
MTD_write
MTD_close
#
# mount -t jffs2 /dev/mtdblock0 /var/fixed_flash/
mtdblock_open
ok
<wait forever>
What can I do to find the problem ?
-------------------------
kernel 2.4.19 +
uClibc.0.9.19 +
rtai-24.1.11 +
mtd from CVS (today)
-------------------------