From: "John A. Sullivan III" <jsullivan@opensourcedevel.com>
To: Stephen Beck <becks@marietta.edu>
Cc: netfilter@lists.netfilter.org
Subject: Re: help with netmap.
Date: Wed, 08 Feb 2006 09:35:31 -0500
Message-ID: <1139409331.2969.42.camel@localhost>
In-Reply-To: <Pine.GSO.4.58.0602080912470.26810@mcnet.marietta.edu>
That sounds like a very dangerous setup. Nonetheless, if you are indeed
allowing all inbound access and you are NETMAPped, it should work except
for those protocols which embed IP address information in the upper
layers and do not have a nat helper.
For example, NetBIOS browsing includes the IP address in the NetBIOS
header. There is not yet a helper in iptables to rewrite the NetBIOS
portion of the packet so this application breaks when NAT'd with
iptables. This could explain why a particular application does not
work.
It could also be the result of personal firewalls running on the end
points.
Perhaps you could put a protocol analyzer on the line (e.g., ethereal -
http://www.ethereal.com) to see where the packets are stopping. Good
luck - John
On Wed, 2006-02-08 at 09:15 -0500, Stephen Beck wrote:
> Well, at the moment my FORWARD table blocks a few virus ports
> and protects a few of my on-campus servers. Otherwise it has a blanket
> ACCEPT at the bottom, so I'm not preventing outside connections there.
> But they don't seem to be working across the netmap. Should netmap prevent
> outside connections or have I broken it somehow?
>
>
> On Wed, 8 Feb 2006, John A. Sullivan III wrote:
>
> > On Wed, 2006-02-08 at 08:35 -0500, Stephen Beck wrote:
> > > I have several dorm firewalls with nearly 250 users behind each.
> > > I NAT the inside IPs using netmap. This has been up and running for
> > > 6 months and for the inside users it's working fine. For the most part
> > > I don't want connections originating from the outside and netmap seems
> > > to be preventing this. However, I now have an application that needs to
> > > be able to originate a stream from the outside to any inside
> > > IP (CopySense).
> > >
> > > I'm really not sure:
> > > if netmap alone should block incoming connections?
> > > how to go about allowing them?
> > >
> > > From what I see the following is a start:
> > > existing netmap lines on one router:
> > >
> > > Chain POSTROUTING (policy ACCEPT 6 packets, 300 bytes)
> > >  pkts bytes target  prot opt in  out  source         destination
> > >   362 20370 NETMAP  all  --  *   *    10.0.20.0/24   0.0.0.0/0   205.133.141.0/24
> > >    75  4208 NETMAP  all  --  *   *    10.0.21.0/25   0.0.0.0/0   205.133.140.0/25
> > >   223 10925 NETMAP  all  --  *   *    10.0.22.0/25   0.0.0.0/0   205.133.140.128/25
> > >
> > > To allow the outside connection for my laptop this works:
> > >
> > > Chain PREROUTING (policy ACCEPT 1620 packets, 92093 bytes)
> > > target  prot opt in  out  source      destination
> > > DNAT    all  --  *   *    0.0.0.0/0   205.133.141.42   to:10.0.20.42
> > >
> > > I'll tighten up that rule once I get it working ;-)
> > >
> > > However I need to allow that rule to work for all 255 IPs
> > > and I can't seem to get the syntax right ???
> > >
> > >
> > > Stephen Beck, Marietta College, 740-376-4366
> > >
> > You've hit upon an important distinction -- the nat table does not
> > handle access control. That will be handled by your filter table and,
> > in this case, the FORWARD chain.
> >
> > I would suggest a FORWARD policy of DROP and only allow outbound traffic
> > and inbound from the specific socket you want to allow.
> >
> > If you need more information on using nat and filter, Oskar Andreasson
> > has a great tutorial at
> > http://iptables-tutorial.frozentux.net/iptables-tutorial.html and there
> > are some slightly dated training slide shows in the training section of
> > the ISCS network security management project at
> > http://iscs.sourceforge.net. Hope this helps - John
> > --
> > John A. Sullivan III
> > Open Source Development Corporation
> > +1 207-985-7880
> > jsullivan@opensourcedevel.com
> >
> > If you would like to participate in the development of an open source
> > enterprise class network security management system, please visit
> > http://iscs.sourceforge.net
> >
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
Financially sustainable open source development
http://www.opensourcedevel.com
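The setup John describes, NETMAP in the nat table with access control done in the filter table's FORWARD chain (DROP policy, outbound allowed, inbound only to one socket), written out as an added example; it is not part of this thread and not any of the posters' rules. It uses the 10.0.20.0/24 to 205.133.141.0/24 mapping quoted above; the interface names eth0/eth1 and the application port 5000 are placeholders (the thread never gives the CopySense port), and the rules target a current iptables with the conntrack match. It also replaces Stephen's per-host DNAT with a second NETMAP rule in PREROUTING, which maps the whole public range back to the inside range with host bits preserved (205.133.141.42 becomes 10.0.20.42); that is how the NETMAP target works, not something the thread itself states.

```shell
#!/bin/sh
# Added example, not from the thread: NETMAP in nat plus access control
# in filter/FORWARD. Interface names and the application port below are
# placeholders (assumptions); the address ranges are the ones quoted above.
INSIDE_NET="${INSIDE_NET:-10.0.20.0/24}"
PUBLIC_NET="${PUBLIC_NET:-205.133.141.0/24}"
INSIDE_IF="${INSIDE_IF:-eth1}"
OUTSIDE_IF="${OUTSIDE_IF:-eth0}"
APP_PORT="${APP_PORT:-5000}"   # placeholder for the CopySense listener port

# Print an iptables-restore ruleset. The nat table only rewrites
# addresses; the filter table's FORWARD chain decides what may pass.
gen_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Outbound: inside source -> public source, host bits kept (10.0.20.42 -> 205.133.141.42)
-A POSTROUTING -o $OUTSIDE_IF -s $INSIDE_NET -j NETMAP --to $PUBLIC_NET
# Inbound: public destination -> inside destination for the whole range,
# one rule instead of a DNAT per host (205.133.141.42 -> 10.0.20.42)
-A PREROUTING -i $OUTSIDE_IF -d $PUBLIC_NET -j NETMAP --to $INSIDE_NET
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# FORWARD sees packets after PREROUTING and before POSTROUTING, so both
# directions are matched on the inside (10.0.20.x) addresses.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $INSIDE_IF -o $OUTSIDE_IF -s $INSIDE_NET -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $OUTSIDE_IF -o $INSIDE_IF -d $INSIDE_NET -p tcp --dport $APP_PORT -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Count the rules that accept NEW connections arriving on the outside
# interface. Anything beyond the single application port is a hole in
# the policy, so this is the number to check before applying.
count_inbound_new() {
    gen_ruleset | grep -c -- "-i $OUTSIDE_IF .*--ctstate NEW -j ACCEPT"
}

case "${1:-}" in
    --apply) gen_ruleset | iptables-restore ;;   # needs root; replaces nat and filter
    *)       gen_ruleset ;;                       # default: dry run, print only
esac
```

Run without arguments to print the ruleset; `--apply` pipes it into iptables-restore and replaces the nat and filter tables, so review the output first on a firewall that already carries other rules (such as the virus-port blocks Stephen mentions). A per-host DNAT as in the quoted PREROUTING chain would still work, but it would need 255 rules and would still let everything through as long as the FORWARD chain ends in a blanket ACCEPT; the DROP policy is what actually closes the inside range.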