destinations interface must be eth0?

destinations interface must be eth0?

[Jim Burnett]

I have found that my destination IP in my rules MUST be bound on eth0
what is this? I thought I could use any working IP on my internal
network as the --to-destination IP...??

Example:
internal machine:
eth0:192.168.1.55
eth1:192.168.1.56


#1
iptables -v -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNA
T--to                  192.168.1.55:80
This will work because the destination IP is on eth0

#2
iptables -v -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNA
T--to                  192.168.1.56:80
This wont work because the destination IP is on eth1

I didnt see this in the documentation and it took my 5 days to figure it
out....

Tested on 6 machines, redhat 9, slackware 9, Latest gentoo build from
stage 1. Various brand nic cards. Various compiled kernels. 2.4.18 -
2.4.22

-Jim

Re: destinations interface must be eth0?

[Jamie Pratt]

Hi.

Jim Burnett wrote:

<snip>

 > #2
> iptables -v -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNA
> T--to                  192.168.1.56:80
> This wont work because the destination IP is on eth1
> 

...did you try using -i eth1 instead of -i eth0 in the above command?


> I didnt see this in the documentation and it took my 5 days to figure it
> out....
> 
> Tested on 6 machines, redhat 9, slackware 9, Latest gentoo build from
> stage 1. Various brand nic cards. Various compiled kernels. 2.4.18 -
> 2.4.22
> 
> -Jim
> 
> 

regards,
jamie

> 
> 
> 
> 

Re: destinations interface must be eth0?

[Ramin Dousti]

What is not working? That the packets are not being DNATted to 192.168.1.56:80?

Ramin

On Mon, Sep 15, 2003 at 09:47:39AM -0500, Jim Burnett wrote:

> I have found that my destination IP in my rules MUST be bound on eth0
> what is this? I thought I could use any working IP on my internal
> network as the --to-destination IP...??
> 
> Example:
> internal machine:
> eth0:192.168.1.55
> eth1:192.168.1.56
> 
> 
> #1
> iptables -v -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNA
> T--to                  192.168.1.55:80
> This will work because the destination IP is on eth0
> 
> #2
> iptables -v -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNA
> T--to                  192.168.1.56:80
> This wont work because the destination IP is on eth1
> 
> I didnt see this in the documentation and it took my 5 days to figure it
> out....
> 
> Tested on 6 machines, redhat 9, slackware 9, Latest gentoo build from
> stage 1. Various brand nic cards. Various compiled kernels. 2.4.18 -
> 2.4.22
> 
> -Jim
> 
> 
> 

Re: destinations interface must be eth0?

[Jim Burnett]

Correct.

You cant DNAT to an IP which isnt bound to eth0 of that DNATed machine.
The gateway of the DNATed machine must point to the firewall also. This
isnt document. This was the case with 9 diferent tested linux distros.



On Tue, 2003-09-16 at 09:22, Ramin Dousti wrote:
> What is not working? That the packets are not being DNATted to 192.168.1.56:80?
> 
> Ramin
> 
> On Mon, Sep 15, 2003 at 09:47:39AM -0500, Jim Burnett wrote:
> 
> > I have found that my destination IP in my rules MUST be bound on eth0
> > what is this? I thought I could use any working IP on my internal
> > network as the --to-destination IP...??
> > 
> > Example:
> > internal machine:
> > eth0:192.168.1.55
> > eth1:192.168.1.56
> > 
> > 
> > #1
> > iptables -v -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNA
> > T--to                  192.168.1.55:80
> > This will work because the destination IP is on eth0
> > 
> > #2
> > iptables -v -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNA
> > T--to                  192.168.1.56:80
> > This wont work because the destination IP is on eth1
> > 
> > I didnt see this in the documentation and it took my 5 days to figure it
> > out....
> > 
> > Tested on 6 machines, redhat 9, slackware 9, Latest gentoo build from
> > stage 1. Various brand nic cards. Various compiled kernels. 2.4.18 -
> > 2.4.22
> > 
> > -Jim
> > 
> > 
> > 

Re: destinations interface must be eth0?

[Ramin Dousti]

On Tue, Sep 16, 2003 at 01:57:39PM -0500, Jim Burnett wrote:

> Correct.
> 
> You cant DNAT to an IP which isnt bound to eth0 of that DNATed machine.
> The gateway of the DNATed machine must point to the firewall also. This
> isnt document. This was the case with 9 diferent tested linux distros.

I'm sorry. You lost me here. What is "DNATed machine"? And what do you
mean by "The gateway of the DNATed machine must point to the firewall"?

Ramin

Re: destinations interface must be eth0?

[Cedric Blancher]

Le lun 15/09/2003 à 16:47, Jim Burnett a écrit :
> I have found that my destination IP in my rules MUST be bound on eth0
> what is this? I thought I could use any working IP on my internal
> network as the --to-destination IP...??
> Example:
> internal machine:
> eth0:192.168.1.55
> eth1:192.168.1.56

There's a wierd thing in your setup. Can you show us your routing table,
as I don't see how you could assign 192.168.1.55 and 192.168.1.56 in two
different subnets.

Btw, I tried on my box that has two interfaces the same thing, and it
works :

cbr@elendil:~$ ifconfig
eth0      Lien encap:Ethernet  HWaddr 00:0A:41:EE:A5:50
          inet adr:192.168.100.10  Bcast:192.168.100.127
		Masque:255.255.255.128
[...]
eth1      Lien encap:Ethernet  HWaddr 00:01:02:50:0E:0E
          inet adr:192.168.100.130  Bcast:192.168.100.255 
Masque:255.255.255.128
[...]
cbr@elendil:~$ sudo iptables -v -t nat -A PREROUTING -i eth0 -p tcp
--dport 80 -j DNAT --to 192.168.100.15:80
DNAT  tcp opt -- in eth0 out *  0.0.0.0/0  -> 0.0.0.0/0  tcp dpt:80
to:192.168.100.15:80
cbr@elendil:~$ sudo iptables -v -t nat -A PREROUTING -i eth0 -p tcp
--dport 80 -j DNAT --to 192.168.100.155:80
DNAT  tcp opt -- in eth0 out *  0.0.0.0/0  -> 0.0.0.0/0  tcp dpt:80
to:192.168.100.155:80
cbr@elendil:~$ sudo iptables -t nat -L PREROUTING -v
Chain PREROUTING (policy ACCEPT 140 packets, 23585 bytes)
 pkts bytes target     prot opt in     out     source              
destination                                                                                 
    0     0 DNAT       tcp  --  eth0   any     anywhere            
anywhere        tcp dpt:www to:192.168.100.15:80
    0     0 DNAT       tcp  --  eth0   any     anywhere            
anywhere        tcp dpt:www to:192.168.100.155:80

And :

cbr@elendil:~$ iptables --version
iptables v1.2.8
cbr@elendil:~$ uname -r
2.4.22

Patch-o-matic pending and submitted sections are applied.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE

Re: destinations interface must be eth0?

[Jim Carter]

On Mon, 15 Sep 2003, Jim Burnett wrote:
> I have found that my destination IP in my rules MUST be bound on eth0
> what is this? I thought I could use any working IP on my internal
> network as the --to-destination IP...??
>
> Example:
> internal machine:
> eth0:192.168.1.55
> eth1:192.168.1.56

Maybe it would help if you could explain what you were trying to accomplish
here.  I wouldn't be surprised if the web server's answers were getting
lost, or subsequent packets in the connection were getting lost, because of
switching to the other interface.

Have you used tcpdump or ethereal or snort to make sure which packets are
vanishing?  Also, when tcpdump puts one of the interfaces into promiscuous
mode, it might start accepting packets for the other interface and your
setup might start working.  That would be an important clue (but definitely
not the way to run a production server).

To save a round of back-and forth, let me make a guess...  You have two
independent web sites and each is assigned a different IP address.
Perhaps you even have two independent instances of Apache, each listening
to its own interface.  This is kind of overkill.  If I were setting it up,
I would have DNS CNAMEs mapping both alphabetic names to the same IP
address, and just one interface on the box, and just one instance of
Apache.  Then I would set up a virtual host for each client site (the main
instance would be just for administration).  Apache distinguishes the sites
by the name in the URL, not the IP address.  This is the preferred method
for commercial web hosting companies.  I use it for my HTTPS service.

Hope this helps!

James F. Carter          Voice 310 825 2897    FAX 310 206 6673
UCLA-Mathnet;  6115 MSA; 405 Hilgard Ave.; Los Angeles, CA, USA 90095-1555
Email: jimc@math.ucla.edu  http://www.math.ucla.edu/~jimc (q.v. for PGP key)

Re: destinations interface must be eth0?

[Julian Gomez]

On Tue, Sep 16, 2003 at 11:10:41AM -0700, Jim Carter spoke thusly:
>On Mon, 15 Sep 2003, Jim Burnett wrote:

(snip)

>To save a round of back-and forth, let me make a guess...  You have two
>independent web sites and each is assigned a different IP address.
>Perhaps you even have two independent instances of Apache, each listening
>to its own interface.  This is kind of overkill.  If I were setting it up,
>I would have DNS CNAMEs mapping both alphabetic names to the same IP
>address, and just one interface on the box, and just one instance of
>Apache.  Then I would set up a virtual host for each client site (the main
>instance would be just for administration).  Apache distinguishes the sites
>by the name in the URL, not the IP address.  This is the preferred method
>for commercial web hosting companies.  I use it for my HTTPS service.

Your setup of 1 IP hosting multiple websites will work if its only dealing
with HTTP. With HTTPS - you have to split the IP or port numbers, because
the SSL tunnel gets established prior to parsing of the HTTP/1.1 Host:
header. You could still do it, but you'd get bogus certs for different
FQDNs which might not look nice if you are a e-commerce site.

Re: destinations interface must be eth0?

[Jim Burnett]

I have Virtual hosting so I dont need more then 1 ip. Its fixed now.

THanks


On Wed, 2003-09-17 at 06:30, Julian Gomez wrote:
> On Tue, Sep 16, 2003 at 11:10:41AM -0700, Jim Carter spoke thusly:
> >On Mon, 15 Sep 2003, Jim Burnett wrote:
> 
> (snip)
> 
> >To save a round of back-and forth, let me make a guess...  You have two
> >independent web sites and each is assigned a different IP address.
> >Perhaps you even have two independent instances of Apache, each listening
> >to its own interface.  This is kind of overkill.  If I were setting it up,
> >I would have DNS CNAMEs mapping both alphabetic names to the same IP
> >address, and just one interface on the box, and just one instance of
> >Apache.  Then I would set up a virtual host for each client site (the main
> >instance would be just for administration).  Apache distinguishes the sites
> >by the name in the URL, not the IP address.  This is the preferred method
> >for commercial web hosting companies.  I use it for my HTTPS service.
> 
> Your setup of 1 IP hosting multiple websites will work if its only dealing
> with HTTP. With HTTPS - you have to split the IP or port numbers, because
> the SSL tunnel gets established prior to parsing of the HTTP/1.1 Host:
> header. You could still do it, but you'd get bogus certs for different
> FQDNs which might not look nice if you are a e-commerce site.
>