iptables configuration help

All of lore.kernel.org
 help / color / mirror / Atom feed

* iptables configuration help
@ 2004-11-05 15:41 Vijay Kumar
  2004-11-05 15:42 ` Jason Opperisano
  2004-11-05 15:45 ` John A. Sullivan III
  0 siblings, 2 replies; 3+ messages in thread
From: Vijay Kumar @ 2004-11-05 15:41 UTC (permalink / raw)
  To: netfilter

Hello,

I have a firewall with three nic ( external ip, DMZ ip, LAN ip ) 
I have added a subinterface on the external interface ( public ip with a public ip address ) 

There is 1 machine on the internal LAN and I want it to go out using the IP of the sub interface,
i.e access the internet using the exteral sub interface IP which I have added. 

I have done the following : 

iptables -t nat -I POSTROUTING -s 172.16.0.119 -o eth1:0 -j SNAT --to-source <external_ip> 

After adding this I also added the below mentioned rules : 

iptables -A INPUT -s 172.16.0.119 -d 0.0.0.0/0.0.0.0 -j ACCEPT 
iptables -I FORWARD -s 172.16.0.119 -j ACCEPT 

When I addded the rules iptables gave me an Warning stating :" Weird character in interface eth0:0, no ! : "

Where am I going wrong ? Are sub interface allowed in iptables ? 

What iptables rule should  add so that the LAN machine uses the subinterface to reach the internet ? 

What i need is something like static nat ?

Kindly help.

Vijay. 

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: iptables configuration help
  2004-11-05 15:41 iptables configuration help Vijay Kumar
@ 2004-11-05 15:42 ` Jason Opperisano
  2004-11-05 15:45 ` John A. Sullivan III
  1 sibling, 0 replies; 3+ messages in thread
From: Jason Opperisano @ 2004-11-05 15:42 UTC (permalink / raw)
  To: netfilter

On Fri, Nov 05, 2004 at 09:11:24PM +0530, Vijay Kumar wrote:
> Hello,
> 
> I have a firewall with three nic ( external ip, DMZ ip, LAN ip ) 
> I have added a subinterface on the external interface ( public ip with a public ip address ) 
> 
> There is 1 machine on the internal LAN and I want it to go out using the IP of the sub interface,
> i.e access the internet using the exteral sub interface IP which I have added. 
> 
> I have done the following : 
> 
> iptables -t nat -I POSTROUTING -s 172.16.0.119 -o eth1:0 -j SNAT --to-source <external_ip> 

i really wish this question would come up more often...

add your secondary IP address to eth1 like so:

  ip addr add <external_ip> dev eth1

and write your NAT rule like so:

  iptables -t nat -I POSTROUTING -s 172.16.0.119 -o eth1 \
    -j SNAT --to-source <external_ip>

> After adding this I also added the below mentioned rules : 
> 
> iptables -A INPUT -s 172.16.0.119 -d 0.0.0.0/0.0.0.0 -j ACCEPT 

INPUT is only for packets who's destination IP is local to the firewall
itself--so this will allow you to access the firewall machine from
172.16.0.119.

> iptables -I FORWARD -s 172.16.0.119 -j ACCEPT 

ok.  make sure you've also enabled IP forwarding:

  sysctl -w net.ipv4.ip_forward=1

and make sure you're allowing reply packets back through your FORWARD
chain:

  iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

<snip>

if only there were a way to search the archives of this mailing list to
see how people have solved this riddle of the sphinx in the past...oh
wait...

  http://marc.theaimsgroup.com/?l=netfilter&r=1&w=2

-j

--
"Lisa, if the Bible has taught us nothing else, and it hasn't, it's
 that girls should stick to girls sports, such as hot oil wrestling
 and foxy boxing and such and such."
        --The Simpsons


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: iptables configuration help
  2004-11-05 15:41 iptables configuration help Vijay Kumar
  2004-11-05 15:42 ` Jason Opperisano
@ 2004-11-05 15:45 ` John A. Sullivan III
  1 sibling, 0 replies; 3+ messages in thread
From: John A. Sullivan III @ 2004-11-05 15:45 UTC (permalink / raw)
  To: vijay; +Cc: Netfilter users list

On Fri, 2004-11-05 at 10:41, Vijay Kumar wrote:
> Hello,
> 
> I have a firewall with three nic ( external ip, DMZ ip, LAN ip ) 
> I have added a subinterface on the external interface ( public ip with a public ip address ) 
> 
> There is 1 machine on the internal LAN and I want it to go out using the IP of the sub interface,
> i.e access the internet using the exteral sub interface IP which I have added. 
> 
> I have done the following : 
> 
> iptables -t nat -I POSTROUTING -s 172.16.0.119 -o eth1:0 -j SNAT --to-source <external_ip> 
> 
> After adding this I also added the below mentioned rules : 
> 
> iptables -A INPUT -s 172.16.0.119 -d 0.0.0.0/0.0.0.0 -j ACCEPT 
> iptables -I FORWARD -s 172.16.0.119 -j ACCEPT 
> 
> When I addded the rules iptables gave me an Warning stating :" Weird character in interface eth0:0, no ! : "
> 
> Where am I going wrong ? Are sub interface allowed in iptables ? 
> 
> What iptables rule should  add so that the LAN machine uses the subinterface to reach the internet ? 
> 
> What i need is something like static nat ?
> 
> Kindly help.
> 
> Vijay.
I'm not sure about the aliases because I always use iproute2 instead to
bind a second address to the same interface.

I would you suggest that, instead of creating an alias, you do something
like"
ip address add <2nd external IP>/<mask length> dev eth0 brd +

then replace your -o eth0:1 with simply -o eth0

>  
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net 



^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2004-11-05 15:45 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-11-05 15:41 iptables configuration help Vijay Kumar
2004-11-05 15:42 ` Jason Opperisano
2004-11-05 15:45 ` John A. Sullivan III

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.