IP forwarding

IP forwarding

[Ricardo J. Méndez]

Hi,

I've got a network setup where the internal router is a Linux box
running iptables.  External interface is eth0, internal eth1.  I'm
attempting to forward an external IP address (say, 1.2.3.4) to an
internal machine.

The rule I added is:

iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 80 -j DNAT
--to 192.168.1.202

However, attempting to 

telnet 1.2.3.4 80

does not work.  It's clear that the rule is being applied, because the
web server running on the external machine is not responding unless I
telnet from the router itself, but unfortunately I'm not getting into
192.168.1.202 either.  Attempting to

telnet 192.168.1.202 80

does work as expected.

What am I missing?  Any pointers are welcome.  Thanks,



Ricardo J. Méndez
http://ricardo.strangevistas.net/

RE: IP forwarding

[Gömöri Zoltán]

Hi, 

> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org 
> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of 
> Ricardo J. Méndez
> Sent: Thursday, August 04, 2005 3:38 AM
> To: netfilter@lists.netfilter.org
> Subject: IP forwarding
> 
> Hi,
> 
> I've got a network setup where the internal router is a Linux box
> running iptables.  External interface is eth0, internal eth1.  I'm
> attempting to forward an external IP address (say, 1.2.3.4) to an
> internal machine.
> 
> The rule I added is:
> 
> iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 80 -j DNAT
> --to 192.168.1.202

The roule should look like this:

iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 80 -j DNAT
--to-destination 192.168.1.202

> 
> However, attempting to 
> 
> telnet 1.2.3.4 80
> 
> does not work.  It's clear that the rule is being applied, because the
> web server running on the external machine is not responding unless I
> telnet from the router itself, but unfortunately I'm not getting into
> 192.168.1.202 either.  Attempting to
> 
> telnet 192.168.1.202 80
> 
> does work as expected.
> 
> What am I missing?  Any pointers are welcome.  Thanks,
> 
> 
> 
> Ricardo J. Méndez
> http://ricardo.strangevistas.net/
> 
> 

Zoltán

Re: IP forwarding

[curby .]

On 8/3/05, Gömöri Zoltán <suf@freemail.hu> wrote:
> Hi,
> 
> > -----Original Message-----
> > From: netfilter-bounces@lists.netfilter.org
> > [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of
> > Ricardo J. Méndez
> > Sent: Thursday, August 04, 2005 3:38 AM
> > To: netfilter@lists.netfilter.org
> > Subject: IP forwarding
> >
> > Hi,
> >
> > I've got a network setup where the internal router is a Linux box
> > running iptables.  External interface is eth0, internal eth1.  I'm
> > attempting to forward an external IP address (say, 1.2.3.4) to an
> > internal machine.
> >
> > The rule I added is:
> >
> > iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 80 -j DNAT
> > --to 192.168.1.202
> 
> The roule should look like this:
> 
> iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 80 -j DNAT
> --to-destination 192.168.1.202

Actually, I believe that --to is a valid unique prefix for
--to-destination.  The fact that it didn't flag as a syntax error
supports this.

The problem is that locally generated packets (from the firewall
itself) to 1.2.3.4 never pass through filter.PREROUTING.  Each
forwarded port may need up to four rules to NAT all access.  The
script I use (at http://www.curby.net/doc/curbywall ) is an example of
using all four, though it may be difficult to understand.  The general
principle but applied to the SNAT-ed network as opposed to localhost 
is described in

http://netfilter.org/documentation/HOWTO//NAT-HOWTO-10.html

Other folks here are proponents of running a local DNS server so you
don't have to do such NAT contortions.

--Curby

Re: IP forwarding

[Ricardo J. Méndez]

> > The roule should look like this:
> >
> > iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 80 -j DNAT
> > --to-destination 192.168.1.202
> 
> Actually, I believe that --to is a valid unique prefix for
> --to-destination.  The fact that it didn't flag as a syntax error
> supports this.

Agreed.  Webmin's IPTables interface displays the rule properly as
well, so --to is a valid substitute.

> The problem is that locally generated packets (from the firewall
> itself) to 1.2.3.4 never pass through filter.PREROUTING.  

But I 'm testing this from a desktop on the network, not the firewall
itself. PREROUTING should apply to those packets, correct?


> Each
> forwarded port may need up to four rules to NAT all access.  The
> script I use (at http://www.curby.net/doc/curbywall ) is an example of
> using all four, though it may be difficult to understand.  

From what I can see from the script, besides creating 1 PRE DNAT and
up to 2 POST SNAT rules (one for the internal network and one for the
de-militarized zone),  cw_forwardin is creating also an OUT rule for
the destination IP.    It also seems that the SNAT rule for the
internal network is using the ip address for the iptables machine as
the source.

Assuming that last one is correct, would that still be the IP address
used for SNAT on the scenario I'm faced with?  IE, doing DNAT/SNAT for
a machine internal to the network, redirecting to it the requests that
come from our network to a web server outside of it.

(Am I missing something?  It's a bit difficult to read, now having
that much experience with bash scripts)


> 
> Other folks here are proponents of running a local DNS server so you
> don't have to do such NAT contortions.

Indeed, it's an approach we considered, but we need this to work with
some internal apps that access the IP address directly.

Thanks,



Ricardo J. Méndez
http://ricardo.strangevistas.net/

Re: IP forwarding

[curby .]

On 8/4/05, Ricardo J. Méndez <mendezster@gmail.com> wrote:
> But I 'm testing this from a desktop on the network, not the firewall
> itself. PREROUTING should apply to those packets, correct?

In that case, the problem you're seeing is exactly that which is
discussed in the HOWTO link I posted last time.  It's also explained
by Jason's link.  The idea is that packets TO the server are indeed
being correctly mangled by the router, but return packets go directly
from server to client.  The client expects the reply from the router,
sees some spurious traffic from the server, and drops the traffic.

The netfilter list sees some variation of this question once every
week or so.  You're definitely not alone. =)

Another attempt to explain it:
https://lists.netfilter.org/pipermail/netfilter/2005-July/061636.html

Re: IP forwarding

[Ricardo J. Méndez]

Thanks for the pointer, it's working now.  It was indeed the SNAT that
was missing.


-- R.

On 8/4/05, curby . <curby.public@gmail.com> wrote:
> On 8/4/05, Ricardo J. Méndez <mendezster@gmail.com> wrote:
> > But I 'm testing this from a desktop on the network, not the firewall
> > itself. PREROUTING should apply to those packets, correct?
> 
> In that case, the problem you're seeing is exactly that which is
> discussed in the HOWTO link I posted last time.  It's also explained
> by Jason's link.  The idea is that packets TO the server are indeed
> being correctly mangled by the router, but return packets go directly
> from server to client.  The client expects the reply from the router,
> sees some spurious traffic from the server, and drops the traffic.
> 
> The netfilter list sees some variation of this question once every
> week or so.  You're definitely not alone. =)
> 
> Another attempt to explain it:
> https://lists.netfilter.org/pipermail/netfilter/2005-July/061636.html
> 


-- 


Ricardo J. Méndez
http://ricardo.strangevistas.net/

RE: IP forwarding

[Jan Engelhardt]

>> iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 80 -j DNAT
>> --to 192.168.1.202
>
>The roule should look like this:
>
>iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 80 -j DNAT
>--to-destination 192.168.1.202

Or just --to-dest ;-)



Jan Engelhardt
-- 

Re: IP forwarding

[Patrick Nelson]

Ricardo J. Méndez wrote:

>Hi,
>
>I've got a network setup where the internal router is a Linux box
>running iptables.  External interface is eth0, internal eth1.  I'm
>attempting to forward an external IP address (say, 1.2.3.4) to an
>internal machine.
>
>The rule I added is:
>
>iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 80 -j DNAT
>--to 192.168.1.202
>
>However, attempting to 
>
>telnet 1.2.3.4 80
>
>does not work.  It's clear that the rule is being applied, because the
>web server running on the external machine is not responding unless I
>telnet from the router itself, but unfortunately I'm not getting into
>192.168.1.202 either.  Attempting to
>
>telnet 192.168.1.202 80
>
>does work as expected.
>
>What am I missing?  Any pointers are welcome.  Thanks,
>
>
>
>Ricardo J. Méndez
>http://ricardo.strangevistas.net/
>
>  
>
Whats the Gateway set to on 192.168.1.202 80?

Re: IP forwarding

[Ricardo J. Méndez]

On 8/4/05, Patrick Nelson <pnelson@neatech.com> wrote:
> >
> Whats the Gateway set to on 192.168.1.202 80?
> 
> 

192.168.1.202's gateway is the same as the rest of the network - the
linux box doing the routing.



Ricardo J. Méndez
http://ricardo.strangevistas.net/

Re: IP forwarding

[Patrick Nelson]

Ricardo J. Méndez wrote:

>192.168.1.202's gateway is the same as the rest of the network - the
>linux box doing the routing
>  
>
Is that the 1.2.3.4 system?  I think it would need to be.

Re: IP forwarding

[Jason Opperisano]

On Wed, Aug 03, 2005 at 07:37:43PM -0600, Ricardo J. Méndez wrote:
> Hi,
> 
> I've got a network setup where the internal router is a Linux box
> running iptables.  External interface is eth0, internal eth1.  I'm
> attempting to forward an external IP address (say, 1.2.3.4) to an
> internal machine.
> 
> The rule I added is:
> 
> iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 80 -j DNAT
> --to 192.168.1.202
> 
> However, attempting to 
> 
> telnet 1.2.3.4 80
> 
> does not work.  It's clear that the rule is being applied, because the
> web server running on the external machine is not responding unless I
> telnet from the router itself, but unfortunately I'm not getting into
> 192.168.1.202 either.  Attempting to
> 
> telnet 192.168.1.202 80
> 
> does work as expected.
> 
> What am I missing?  Any pointers are welcome.  Thanks,

http://marc.theaimsgroup.com/?l=netfilter&m=112110769302639&w=2

-j

-- 
Jason Opperisano <opie@817west.com>

IP forwarding

[Prashant Batra (prbatra)]

[-- Attachment #1.1: Type: text/plain, Size: 1366 bytes --]

Hi,

 

I am trying to establish an IPSec tunnel to protect a subnet behind a
linux machine and a subnet behind some other gateway.

Lefsubnet - 172.17.0.0/16 (behind linux gateway)

Rightsubnet - 172.16.0.0/16

 

>From a host on left subnet, I am trying to ping to a host on right
subnet-

ping 172.16.60.1 -I 172.17.70.87

 

tcpdump capture on linux machine connected to left subnet-

04:27:09.939598 IP 172.17.70.87 > 172.16.60.1: icmp 64: echo request seq
170

 

Tcpdump capture on linux machine connected on right subnet-

04:26:32.941624 IP 1.1.0.1 > 192.168.101.101:
ESP(spi=0x020000c3,seq=0x16d)                 //Outer IPs

04:26:32.943940 IP 192.168.101.101 > 1.1.0.1:
ESP(spi=0x10000102,seq=0x16d)

04:26:32.943940 IP 172.16.60.1 > 172.17.70.87: icmp 64: echo reply seq
133

 

So, it's clear that linux gateway is able to protect the data and send
to the connected gateway (ESP packets to outer IPs).

And the second gateway is responding with ESP packet which is decoded on
linux gateway and sent to the ip stack again by linux kernel (ICMP
reply).

But the reply doesn't reach the host on left subnet.

 

I enabled ip_forwarding through /proc/sys/net/ipv4/ip_forwarding.

 

Please let me know, if I am missing something.

 

Any help would be appreciated.

 

Regards,

Prashant


[-- Attachment #1.2: Type: text/html, Size: 4087 bytes --]

[-- Attachment #2: Type: text/plain, Size: 377 bytes --]

------------------------------------------------------------------------------
Try before you buy = See our experts in action!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-dev2

[-- Attachment #3: Type: text/plain, Size: 0 bytes --]

IP Forwarding

[Jerry Alexander]

Dear NF:

          I cannot get IPTABLES FORWARDing to work when the machines are 
directly
connected via a twisted cable.
         Does FORWARDing only work with a router between the machines in 
question?
         If not, how can I get it to work?   I see the packets coming 
into the box(ethereal)
but none going out.
         Can someone give me a quick overview of how, at the kernel code 
level,
how FORWARDing works and how to modify it to get two machines who are 
directly
connected to work.


                                                                                     
Jerry

Re: IP Forwarding

[Henrik Nordstrom]

On Fri, 21 Oct 2005, Jerry Alexander wrote:

>         I cannot get IPTABLES FORWARDing to work when the machines are 
> directly
> connected via a twisted cable.

What should be forwarded from where?

>        Does FORWARDing only work with a router between the machines in 
> question?

No, but it only works when YOU act as a router for something going from 
somewhere to somewhere else via you.

>        If not, how can I get it to work?   I see the packets coming into the 
> box(ethereal)
> but none going out.

Does it work if you don't load any iptables rules?

If not your basic networking is not properly set up/configured.

If it works without iptables then your iptables ruleset is not properly 
constructed, most likely dropping the traffic.

Regards
Henrik

Re: IP Forwarding

[Aseem Rastogi]

did you enable ip forwarding ?

try "echo 1> /proc/sys/net/ipv4/ip_forward".

regards,
aseem.

Jerry Alexander wrote:

> Dear NF:
>
>          I cannot get IPTABLES FORWARDing to work when the machines 
> are directly
> connected via a twisted cable.
>         Does FORWARDing only work with a router between the machines 
> in question?
>         If not, how can I get it to work?   I see the packets coming 
> into the box(ethereal)
> but none going out.
>         Can someone give me a quick overview of how, at the kernel 
> code level,
> how FORWARDing works and how to modify it to get two machines who are 
> directly
> connected to work.
>
>
>                                                                                     
> Jerry
>
>
>


-- 
The end is always good. If it's not good, it's not the end.

Re: Ip Forwarding

[Jason Opperisano]

On Thu, Oct 28, 2004 at 12:23:50PM -0500, Joe Wright wrote:
> Hi, I'm new to iptables and am trying to set up a firewall for my hosting
> company. We have a block of 128 public ips starting at 207.145.24.128 with a
> mask of 255.255.255.192. I have a redhat 9 box set up with 2 nics. My goal
> is to have it between the router and my network.

is your current configuration that "my network" is 207.145.24.128/26 and
all hosts point to the inside interface of the router as their default
gateway?  and now you want to wedge a firewall between "my network" and
the router?

> It should allow connections
> to port 80 for all ips behind it

  iptables -A FORWARD -i $outsideIF -o $insideIF -p tcp --syn \
    --dport 80 -j ACCEPT

  (assumes you are using connection tracking)

> and I would also like to specify certain
> ports for certain ips for dns, ftp, remote desktop, etc.

mport/multiport is useful for this (i prefer mport, but most distros
ship with multiport):

  iptables -A FORWARD -i $outsideIF -o $insideIF -p tcp --syn \
    -d $server001 -m multiport --dports 21,3389 -j ACCEPT

> I've found tons of
> info on using iptables with nat but not much on just blocking ports for ips
> passing through it. I'm also not quite sure of how to configure the second
> nic that connects to my internal network. Any help would be greatly
> appreciated.

if my description of your scenario above was correct, you have a couple
of options:

(a) get an additional /30 public IP space to use between the outside of
the firewall and the inside of your router

(b) subnet your existing /26 and steal a /30 out of it from the beginning
or end of the range for the network between the firewall and router

(c) use an RFC 1918 network for the network between the firewall and
router

the "best" solution is A, but will cost some extra $$$.  C can cause
problems if certain situations.  B is a nice compromise, basically it
would involve:

  router:
	inside interface:  207.145.24.129/30
	static route:      207.145.24.128/26 via 207.145.24.130

  firewall:
	outside interface:  207.145.24.130/30
	inside interface:   207.145.24.190/26
	default gateway:    207.145.24.129

default gateway of hosts on the 207.145.24.128/26 network:
207.145.24.190

or some variant of the above, depending on how much readdressing you do
or do not want to do.

-j

-- 
Jason Opperisano <opie@817west.com>

Re: Ip Forwarding

[Nick Drage]

On Thu, Oct 28, 2004 at 02:26:03PM -0400, Jason Opperisano wrote:
> On Thu, Oct 28, 2004 at 12:23:50PM -0500, Joe Wright wrote:
> > Hi, I'm new to iptables and am trying to set up a firewall for my hosting
> > company. We have a block of 128 public ips starting at 207.145.24.128 with a
> > mask of 255.255.255.192. I have a redhat 9 box set up with 2 nics. My goal
> > is to have it between the router and my network.

If you've got 128 public IPS doesn't that mean you want a netmask of
255.255.255.128?  Alternatively 255.255.255.192 is a /26, giving you
207.145.24.129 to 207.145.24.190?

http://jodies.de/ipcalc

is your friend :)

<snip>

> > It should allow connections
> > to port 80 for all ips behind it
> 
>   iptables -A FORWARD -i $outsideIF -o $insideIF -p tcp --syn \
>     --dport 80 -j ACCEPT
> 
>   (assumes you are using connection tracking)

I think the original poster meant connections outbound... at least I
hope so, inbound port 80 connections to all hosts is probably a bad
idea.

> > and I would also like to specify certain
> > ports for certain ips for dns, ftp, remote desktop, etc.

Then again - OP, any chance for some clarification?

<snip>

> if my description of your scenario above was correct, you have a couple
> of options:
> 
> (a) get an additional /30 public IP space to use between the outside of
> the firewall and the inside of your router
> 
> (b) subnet your existing /26 and steal a /30 out of it from the beginning
> or end of the range for the network between the firewall and router
> 
> (c) use an RFC 1918 network for the network between the firewall and
> router

Is there any chance of

d) use something like PPPoE on the external interface of the firewall,
which would mean you could use the existing IP ranges without
modification?

Not that I really know if/how this would work, asking the question to
learn rather than to advise....

> the "best" solution is A, but will cost some extra $$$.

How come?  Do ISPs tend to charge for IP space these days?

> C can cause problems if certain situations.  B is a nice compromise,
> basically it would involve:
> 
>   router:
> 	inside interface:  207.145.24.129/30
> 	static route:      207.145.24.128/26 via 207.145.24.130

Will the router support this?  You're telling it that 207.145.24.130 is
on the local network on the other side of its inside interface, and on
the other side of 207.145.24.130... in a way.  I'm not sure, this just
looks, well, icky.

>   firewall:
> 	outside interface:  207.145.24.130/30
> 	inside interface:   207.145.24.190/26
> 	default gateway:    207.145.24.129

Yes, but where's 207.145.24.129?  It falls within the network on both
interfaces.  I expect the firewall will route traffic the correct way
because its the most specific route, but I don't like the idea of doing
this with directly connected networks.

> default gateway of hosts on the 207.145.24.128/26 network:
> 207.145.24.190

This will work... except no internal hosts will be able to talk to the
router directly... which might be OK, but for management and monitoring
everything will have to come from the firewall.  As all the hosts think
that everything from 207.145.24.129-190 is on the local network they
will arp for 207.145.24.129 - the router - rather than sending the
traffic to the firewall.

-- 
Recedite, plebes! Gero rem imperialem!

Re: Ip Forwarding

[Jason Opperisano]

On Sat, 2004-10-30 at 06:55, Nick Drage wrote:
> If you've got 128 public IPS doesn't that mean you want a netmask of
> 255.255.255.128?  Alternatively 255.255.255.192 is a /26, giving you
> 207.145.24.129 to 207.145.24.190?
> 
> http://jodies.de/ipcalc
> 
> is your friend :)

typo.  then i continued to use it for the rest of my example.  sorry for
the confusion.

> I think the original poster meant connections outbound... at least I
> hope so, inbound port 80 connections to all hosts is probably a bad
> idea.

depends whether you read minds better than i do.  since he said "hosting
company" i assumed all the traffic he was trying to allow was inbound.

> > > and I would also like to specify certain
> > > ports for certain ips for dns, ftp, remote desktop, etc.
> 
> Then again - OP, any chance for some clarification?
> 
> <snip>
> 
> Is there any chance of
> 
> d) use something like PPPoE on the external interface of the firewall,
> which would mean you could use the existing IP ranges without
> modification?

that would probably fall under C.  not sure why PPPoE would be necessary
for that.

> Not that I really know if/how this would work, asking the question to
> learn rather than to advise....
> 
> > the "best" solution is A, but will cost some extra $$$.
> 
> How come?  Do ISPs tend to charge for IP space these days?

yes.  nobody rides for free.

> > C can cause problems if certain situations.  B is a nice compromise,
> > basically it would involve:
> > 
> >   router:
> > 	inside interface:  207.145.24.129/30
> > 	static route:      207.145.24.128/26 via 207.145.24.130
> 
> Will the router support this?  You're telling it that 207.145.24.130 is
> on the local network on the other side of its inside interface, and on
> the other side of 207.145.24.130... in a way.  I'm not sure, this just
> looks, well, icky.

icky as it may look, it's called Variable Length Subnet Masking (VLSM):

  http://www.tcpipguide.com/free/t_IPVariableLengthSubnetMaskingVLSM.htm

> >   firewall:
> > 	outside interface:  207.145.24.130/30
> > 	inside interface:   207.145.24.190/26
> > 	default gateway:    207.145.24.129
> 
> Yes, but where's 207.145.24.129?  It falls within the network on both
> interfaces.  

it's on the outside interface.  longest prefix length route always win. 
both the firewall and router know this.  the hosts on the inside will be
the ones that assume 129 - 131 are on the same network as them.  this
would be the "icky" part.

> I expect the firewall will route traffic the correct way
> because its the most specific route, but I don't like the idea of doing
> this with directly connected networks.
> 
> > default gateway of hosts on the 207.145.24.128/26 network:
> > 207.145.24.190
> 
> This will work... except no internal hosts will be able to talk to the
> router directly... 

um--that the point.  i'm not sure if i actually understood the OP's
question--i was answering "how do i stick a layer 3 firewall into an
existing network where all hosts use the router as the default gateway."

if the hosts could talk to the router directly--there wouldn't be much
point in having the firewall.

> which might be OK, but for management and monitoring
> everything will have to come from the firewall.

why?

>   As all the hosts think
> that everything from 207.145.24.129-190 is on the local network they
> will arp for 207.145.24.129 - the router - rather than sending the
> traffic to the firewall.

the firewall is their default gateway (190)--they don't need to talk to
the router.  if something needs to talk to the router directly (for SNMP
mgmt or something) add a static route to it that points
207.145.24.128/30 via 207.145.24.190.

again--i was only trying to explain the option that actually required a
lengthy explanation.  the best solution is still A.

-j

-- 
Jason Opperisano <opie@817west.com>

Re: Ip Forwarding

[Nick Drage]

On Sat, Oct 30, 2004 at 11:25:57AM -0400, Jason Opperisano wrote:
> On Sat, 2004-10-30 at 06:55, Nick Drage wrote:
> > If you've got 128 public IPS doesn't that mean you want a netmask of
> > 255.255.255.128?  Alternatively 255.255.255.192 is a /26, giving you
> > 207.145.24.129 to 207.145.24.190?

<snip>

> typo.  then i continued to use it for the rest of my example.  sorry for
> the confusion.

The original poster said 255.255.255.192 for his netwask but said he has
128 public IPs... so the typo wasn't yours, I should have been clearer.

> > I think the original poster meant connections outbound... at least I
> > hope so, inbound port 80 connections to all hosts is probably a bad
> > idea.
> 
> depends whether you read minds better than i do.  since he said "hosting
> company" i assumed all the traffic he was trying to allow was inbound.

That's a very good point :)

<snip>

> > d) use something like PPPoE on the external interface of the firewall,
> > which would mean you could use the existing IP ranges without
> > modification?
> 
> that would probably fall under C.  not sure why PPPoE would be necessary
> for that.

I've probably misunderstood PPPoE.  I thought it was possible to have

      <----- External IP
Router
  | 
  |  Some kind of layer two magic where all traffic that isn't for the
  |  hosts themselves is passed between the router and the firewall
  |
Firewall
  |   <-----Internal IP
  |
Internal network

Where "PPPoE" is the "layer two magic", effectively the Router and
Firewall are one device as far as layer 3 is concerned, and pass all
traffic not meant for themselves to the other device.

<snip>

> > > C can cause problems if certain situations.  B is a nice compromise,
> > > basically it would involve:
> > > 
> > >   router:
> > > 	inside interface:  207.145.24.129/30
> > > 	static route:      207.145.24.128/26 via 207.145.24.130
> > 
> > Will the router support this?  You're telling it that 207.145.24.130 is
> > on the local network on the other side of its inside interface, and on
> > the other side of 207.145.24.130... in a way.  I'm not sure, this just
> > looks, well, icky.
> 
> icky as it may look, it's called Variable Length Subnet Masking (VLSM):
> 
>   http://www.tcpipguide.com/free/t_IPVariableLengthSubnetMaskingVLSM.htm

Heh, I'm familiar with VLSM, but I've never seen overlapping subnets
before... well, not overlapping subnets relating to networks directly
connected to a device.

> > This will work... except no internal hosts will be able to talk to
> > the router directly... 
> 
> um--that the point.  i'm not sure if i actually understood the OP's
> question--i was answering "how do i stick a layer 3 firewall into an
> existing network where all hosts use the router as the default
> gateway."
> 
> if the hosts could talk to the router directly--there wouldn't be much
> point in having the firewall.
> 
> > which might be OK, but for management and monitoring everything will
> > have to come from the firewall.
> 
> why?

Sorry, as you point out, this is a hosting company, so I would expect
that none of the servers need to talk to the router, any hosts set up to
monitor it will be elsewhere.

As for the last bit, "will have to come from the firewall" should be
"will have to come from a host that is not behind the firewall", which
does open up the range of possible hosts rather a lot.

> > As all the hosts think that everything from 207.145.24.129-190 is on
> > the local network they will arp for 207.145.24.129 - the router -
> > rather than sending the traffic to the firewall.
> 
> the firewall is their default gateway (190)--they don't need to talk
> to the router.  if something needs to talk to the router directly (for
> SNMP mgmt or something) add a static route to it that points
> 207.145.24.128/30 via 207.145.24.190.
> 
> again--i was only trying to explain the option that actually required
> a lengthy explanation.  the best solution is still A.

Thanks for the explanation, it makes sense to me now... Joe?

-- 
Recedite, plebes! Gero rem imperialem!

Ip Forwarding

[Joe Wright]

Hi, I'm new to iptables and am trying to set up a firewall for my hosting
company. We have a block of 128 public ips starting at 207.145.24.128 with a
mask of 255.255.255.192. I have a redhat 9 box set up with 2 nics. My goal
is to have it between the router and my network. It should allow connections
to port 80 for all ips behind it and I would also like to specify certain
ports for certain ips for dns, ftp, remote desktop, etc. I've found tons of
info on using iptables with nat but not much on just blocking ports for ips
passing through it. I'm also not quite sure of how to configure the second
nic that connects to my internal network. Any help would be greatly
appreciated.

 

Joe

Ip Forwarding

[William Olbrys]

[-- Attachment #1: Type: text/plain, Size: 318 bytes --]

Is it possible to just forward the IP addresses? That way my
iptables/gateway box WONT change the ips and JUST act like a firewall?
Using SNAT and DNAT is too complicated with windows.
 
Thanks
Will Olbrys.


 E2-O: The presence of this footer indicates the message has been scanned for viruses by the WebShield e500.

[-- Attachment #2: Type: text/html, Size: 3309 bytes --]

Re: Ip Forwarding

[Willi Dyck]

On Fri, Feb 21, 2003 at 06:46:03PM -0500, William Olbrys wrote:
> Is it possible to just forward the IP addresses?

Yes.

> That way my iptables/gateway box WONT change the ips and JUST act like
> a firewall? Using SNAT and DNAT is too complicated with windows.

Please provide more detailed information, so we can help.

Regards

-- 
Willi Dyck

RE: Ip Forwarding

[William Olbrys]

Well I want to put a windows 2000 domain controller behind my
iptables-enabled redhat 8 box. The domain controller had a static ip
before it went behind the firewall and for Active Directory to work
correctly it HAS to stay that way. I spent days and days trying
otherwise but windows is far too stubborn. AD plus legacy support for
WINS makes nat translation a living hell. So I simply set up all my
rules as default accept and let it fly, hoping that the forwarding would
take care of itself. Essentially it did! I could perform simple function
like connecting to the internet but I couldn't do more important
functions like cruise the windows network or have things join/leave/see
the domain behind this iptables enabled box.  I thought it had something
to do with routers not seeing the right ip address as it leaves the
iptables box or the routers not being able to find its way back to this
box behind the firewall.

It struck that while I wrote this complicated email I may have come up
with a solution. Since the static IP of the win2k box is the same and
only the gateway has changed, then the data it sends will be legitimate
concerning it's IP address(not an internal IP). Could I create an alias
at the outbound NIC level for the win2k's IP address and SNAT packets
leaving the outbound NIC that originated from the win2k box?

Thank you for any help.

P.S. I'm sorry to ask such a complicated question. I am new to Linux for
the most part and have a very basic understanding of networking. No I am
not a Hotmail employee :)
 

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Willi Dyck
Sent: Friday, February 21, 2003 7:28 PM
To: netfilter@lists.netfilter.org
Subject: Re: Ip Forwarding

On Fri, Feb 21, 2003 at 06:46:03PM -0500, William Olbrys wrote:
> Is it possible to just forward the IP addresses?

Yes.

> That way my iptables/gateway box WONT change the ips and JUST act like
> a firewall? Using SNAT and DNAT is too complicated with windows.

Please provide more detailed information, so we can help.

Regards

-- 
Willi Dyck





 E2-I: The presence of this footer indicates the message has been
scanned for viruses by the WebShield e500.







 E2-O: The presence of this footer indicates the message has been scanned for viruses by the WebShield e500.

RE: Ip Forwarding

[William Olbrys]

Was this too complicated? Heh that's why I wrote such a generic
questions

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of William Olbrys
Sent: Friday, February 21, 2003 7:48 PM
To: netfilter@lists.netfilter.org
Subject: RE: Ip Forwarding

Well I want to put a windows 2000 domain controller behind my
iptables-enabled redhat 8 box. The domain controller had a static ip
before it went behind the firewall and for Active Directory to work
correctly it HAS to stay that way. I spent days and days trying
otherwise but windows is far too stubborn. AD plus legacy support for
WINS makes nat translation a living hell. So I simply set up all my
rules as default accept and let it fly, hoping that the forwarding would
take care of itself. Essentially it did! I could perform simple function
like connecting to the internet but I couldn't do more important
functions like cruise the windows network or have things join/leave/see
the domain behind this iptables enabled box.  I thought it had something
to do with routers not seeing the right ip address as it leaves the
iptables box or the routers not being able to find its way back to this
box behind the firewall.

It struck that while I wrote this complicated email I may have come up
with a solution. Since the static IP of the win2k box is the same and
only the gateway has changed, then the data it sends will be legitimate
concerning it's IP address(not an internal IP). Could I create an alias
at the outbound NIC level for the win2k's IP address and SNAT packets
leaving the outbound NIC that originated from the win2k box?

Thank you for any help.

P.S. I'm sorry to ask such a complicated question. I am new to Linux for
the most part and have a very basic understanding of networking. No I am
not a Hotmail employee :)
 

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Willi Dyck
Sent: Friday, February 21, 2003 7:28 PM
To: netfilter@lists.netfilter.org
Subject: Re: Ip Forwarding

On Fri, Feb 21, 2003 at 06:46:03PM -0500, William Olbrys wrote:
> Is it possible to just forward the IP addresses?

Yes.

> That way my iptables/gateway box WONT change the ips and JUST act like
> a firewall? Using SNAT and DNAT is too complicated with windows.

Please provide more detailed information, so we can help.

Regards

-- 
Willi Dyck





 E2-I: The presence of this footer indicates the message has been
scanned for viruses by the WebShield e500.







 E2-O: The presence of this footer indicates the message has been
scanned for viruses by the WebShield e500.







 E2-I: The presence of this footer indicates the message has been
scanned for viruses by the WebShield e500.







 E2-O: The presence of this footer indicates the message has been scanned for viruses by the WebShield e500.

RE: Ip Forwarding

[Bjorn Ruberg]

On Sat, 2003-02-22 at 15:57, William Olbrys wrote:
> Was this too complicated? Heh that's why I wrote such a generic
> questions
> 
> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of William Olbrys
> Sent: Friday, February 21, 2003 7:48 PM
> To: netfilter@lists.netfilter.org
> Subject: RE: Ip Forwarding
> 
> Well I want to put a windows 2000 domain controller behind my
> iptables-enabled redhat 8 box. The domain controller had a static ip
> before it went behind the firewall and for Active Directory to work
> correctly it HAS to stay that way. I spent days and days trying
> otherwise but windows is far too stubborn. AD plus legacy support for
> WINS makes nat translation a living hell. So I simply set up all my
> rules as default accept and let it fly, hoping that the forwarding would
> take care of itself. Essentially it did! I could perform simple function
> like connecting to the internet but I couldn't do more important
> functions like cruise the windows network or have things join/leave/see
> the domain behind this iptables enabled box.  I thought it had something
> to do with routers not seeing the right ip address as it leaves the
> iptables box or the routers not being able to find its way back to this
> box behind the firewall.
> 
> It struck that while I wrote this complicated email I may have come up
> with a solution. Since the static IP of the win2k box is the same and
> only the gateway has changed, then the data it sends will be legitimate
> concerning it's IP address(not an internal IP). Could I create an alias
> at the outbound NIC level for the win2k's IP address and SNAT packets
> leaving the outbound NIC that originated from the win2k box?

Generic questions get generic answers, and that is not what you need.

Your questions are not complicated (and the email is definitely not),
just obscure.

To cut to the chase:

You do not say anything about what kind of network you use behind your
Linux firewall.

If we assume you use a private network (192.168.*.*, 172.16.*.*,
10.*.*.* or similar) of course nothing on the outside will be able to
connect to your Windows server - simply because they don't know they
need to connect to it through your Linux server. This is a routing
issue. A significant fact about NATed networks is that there are no way
anything on the outside will know that given resources are behind the
NATing firewall.

If you are still using an IP dedicated to your Windows server but on
another IP network, consider it pure luck that anything works at all.

If you want to get serious answers from this list, you need to distinct
between what matters (e.g. your IP network and your routing tables) and
what does not matter at all (e.g. how many days you tried beating sense
into Microsoft products). Provide a network diagram explaining your
configuration and any problems related to it. Trying to parse your
message, however, makes me think that you need to read up on IP routing
before you try anything more complicated.

And, by the way, please read the netfilter documentation. It's available
on http://www.netfilter.org/documentation/.

Bjørn

Re: Ip Forwarding

[Willi Dyck]

On Sun, Feb 23, 2003 at 04:43:03AM +0100, Bjorn Ruberg wrote:
> Generic questions get generic answers, and that is not what you need.
> 
> Your questions are not complicated (and the email is definitely not),
> just obscure.

[...snip...]

Couldn't have said it a better way! :)

-- 
NT is the OS of the future. The main engine is the 16-bit Subsystem
(also called MS-DOS Subsystem). Above that, there is the windoze 95/98
16-bit Subsystem. Anyone can see that 16+16=32, so windoze NT is a
*real* 32-bit system.

IP forwarding

[SB CH]

Hello, all

I would like to forward one IP to another IP.

for example, 
eth0 IP is 211.1.1.1 and eth0:1 is 211.1.1.2
and I would like to forward all request to 211.1.1.2
toward 61.1.2.3 which is another network or not.
Is it possible?

I did like this to do, but it is not work.

# ifconfig eth0:1 211.1.1.2
# iptables -t nat -A  PREROUTING -d 211.1.1.2 -i eth0 j DNAT --to 61.1.2.3

Any idea?

Thanks in advance.



_________________________________________________________________
보다 빠르고 보기 편한 뉴스. 오늘의 화제는 MSN 뉴스에서 확인하세요. 
http://www.msn.co.kr/news/

Re: IP forwarding

[Antony Stone]

On Saturday 28 September 2002 5:22 am, SB CH wrote:

> Hello, all
>
> I would like to forward one IP to another IP.
>
> for example,
> eth0 IP is 211.1.1.1 and eth0:1 is 211.1.1.2
> and I would like to forward all request to 211.1.1.2
> toward 61.1.2.3 which is another network or not.
> Is it possible?
>
> I did like this to do, but it is not work.
>
> # ifconfig eth0:1 211.1.1.2
> # iptables -t nat -A  PREROUTING -d 211.1.1.2 -i eth0 j DNAT --to 61.1.2.3

I assume it was just a typo in your email, but that "j" should be "-j".

Did you also add a FORWARDing rule to allow the packets through ?

iptables -A FORWARD -d 61.1.2.3 -j ACCEPT

If that doesn't sort it out,please provide further information about the 
problem:

1. Can your firewall successfully connect to machine 61.1.2.3 ?
2. Are the source and destination machines on opposite sides of your 
firewall, so that both initial packets and replies get routed through the 
firewall ?
3. Add a LOG rule or use a packet sniffer to find out what is arriving at 
your firewall and tell you what you see and what is missing.
4. What protocol are you trying to use to connect to 61.1.2.3 ?

Antony.

-- 

The first ninety percent of an engineering project takes ninety percent
of the time, and the last ten percent takes the remaining ninety percent.