forwarding on the same NIC

forwarding on the same NIC

[alucard]

Hi there...

   I have been using netfilter for a while and now, I have to integrate
some other servers and somehow I can't get it to forward packets. Let
me explain mi scenario.

- Linux box, Address 10.73.219.156 nat'ed' from a real IP address from a
external router
- The linux box has only one NIC -and having a second one is not a
problem- It functions as a web/mail server, and that means that I'm using
80 and 25 already. What i'd like to do is, access another internal
webserver from the outside getting in using another port in the nat'ed'
linux box.


-------      -----------------      ----------------
router |<--->|Linux box      |<---->|2nd WebServer |
-------      |using web/mail |      |10.73.219.77  |
             |10.73.219.156  |      ----------------
             -----------------

And I think that, using something like this would make it happen but it
doesn't

-------------
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 8080 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT
--to-destination 10.73.219.77:80
--------------

I'm trying to use port 8080 to enter into the server and then forward it
to the other's server port 80 and it's not working. Here's my whole
script, which include some other services that I use perfectly.

--------------
iptables -F
iptables -X

echo "Habilitando politicas de negacion total de paquetes"

iptables -P FORWARD DROP
iptables -P INPUT DROP

echo "Reglas para paquetes de entrada y salida"

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

##internas
iptables -A INPUT -i eth0 -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -i lo -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 110 -j ACCEPT

#para el forward a la maquina compaq

echo 0 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 8080 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT \
--to-destination 10.73.219.77:80
echo 1 > /proc/sys/net/ipv4/ip_forward
--------------

Any suggestions would be really apreciated

Thanx a lot as usual...
Juan

Re: forwarding on the same NIC

[Antony Stone]

On Monday 10 May 2004 8:36 pm, alucard@kanux.com wrote:

> Hi there...
>
>    I have been using netfilter for a while and now, I have to integrate
> some other servers and somehow I can't get it to forward packets.

Change:

> iptables -A FORWARD -i eth0 -p tcp --dport 8080 -j ACCEPT

Into:

iptables -A FORWARD -i eth0 -p tcp --dport 80 -j ACCEPT

Remember that PREROUTING (where you are changing the port number) happens 
before FORWARD.

Regards,

Antony.

-- 
I don't know, maybe if we all waited then cosmic rays would write all our 
software for us. Of course it might take a while.

 - Ron Minnich, Los Alamos National Laboratory

                                                     Please reply to the list;
                                                           please don't CC me.

Re: forwarding on the same NIC

[alucard]

Hi again...

   I did it, and nothing happens, the 2nd webserver is fully operational
and I cant get to it from my server/router. Here's my nmap test:

PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
143/tcp  open  imap
3306/tcp open  mysql

and there's no 8080 port that could be getting packets

And here's my script again... maybe I'm missing something else...

-------------
echo "Borrando posibles reglas anteriores..."
iptables -F
iptables -X

echo "Habilitando politicas de negacion total de paquetes"

iptables -P FORWARD DROP
iptables -P INPUT DROP

echo "Reglas para paquetes de entrada y salida"

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

##internas
iptables -A INPUT -i eth0 -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -i lo -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 110 -j ACCEPT

#para el forward a la maquina compaq

echo 0 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT
--to-destination 10.73.219.77:80
echo 1 > /proc/sys/net/ipv4/ip_forward
-------------

Any sugestions pals?
Thanx again for your great help
Juan



> On Monday 10 May 2004 8:36 pm, alucard@kanux.com wrote:
>
>> Hi there...
>>
>>    I have been using netfilter for a while and now, I have to integrate
>> some other servers and somehow I can't get it to forward packets.
>
> Change:
>
>> iptables -A FORWARD -i eth0 -p tcp --dport 8080 -j ACCEPT
>
> Into:
>
> iptables -A FORWARD -i eth0 -p tcp --dport 80 -j ACCEPT
>
> Remember that PREROUTING (where you are changing the port number) happens
> before FORWARD.
>
> Regards,
>
> Antony.
>
> --
> I don't know, maybe if we all waited then cosmic rays would write all our
> software for us. Of course it might take a while.
>
>  - Ron Minnich, Los Alamos National Laboratory
>
>                                                      Please reply to the
> list;
>                                                            please don't CC
> me.
>
>
>

Re: forwarding on the same NIC

[John A. Sullivan III]

Alas, I discarded your original e-mail with the set up info when I saw
you received a credible reply.  However, have you set up either a packet
trace to see if the packets are getting lost on the wire or logging
rules at the various points within iptables to see if where the
unexpected behavior is happening in iptables?

On Mon, 2004-05-10 at 18:09, alucard@kanux.com wrote:
> Hi again...
> 
>    I did it, and nothing happens, the 2nd webserver is fully operational
> and I cant get to it from my server/router. Here's my nmap test:
> 
> PORT     STATE SERVICE
> 21/tcp   open  ftp
> 22/tcp   open  ssh
> 25/tcp   open  smtp
> 80/tcp   open  http
> 143/tcp  open  imap
> 3306/tcp open  mysql
> 
> and there's no 8080 port that could be getting packets
> 
> And here's my script again... maybe I'm missing something else...
> 
> -------------
> echo "Borrando posibles reglas anteriores..."
> iptables -F
> iptables -X
> 
> echo "Habilitando politicas de negacion total de paquetes"
> 
> iptables -P FORWARD DROP
> iptables -P INPUT DROP
> 
> echo "Reglas para paquetes de entrada y salida"
> 
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> 
> iptables -A INPUT -p tcp --dport 21 -j ACCEPT
> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> 
> ##internas
> iptables -A INPUT -i eth0 -p tcp --dport 143 -j ACCEPT
> iptables -A INPUT -i lo -p tcp --dport 143 -j ACCEPT
> iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --dport 110 -j ACCEPT
> 
> #para el forward a la maquina compaq
> 
> echo 0 > /proc/sys/net/ipv4/ip_forward
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i eth0 -p tcp --dport 80 -j ACCEPT
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT
> --to-destination 10.73.219.77:80
> echo 1 > /proc/sys/net/ipv4/ip_forward
> -------------
> 
> Any sugestions pals?
> Thanx again for your great help
> Juan
> 
> 
> 
> > On Monday 10 May 2004 8:36 pm, alucard@kanux.com wrote:
> >
> >> Hi there...
> >>
> >>    I have been using netfilter for a while and now, I have to integrate
> >> some other servers and somehow I can't get it to forward packets.
> >
> > Change:
> >
> >> iptables -A FORWARD -i eth0 -p tcp --dport 8080 -j ACCEPT
> >
> > Into:
> >
> > iptables -A FORWARD -i eth0 -p tcp --dport 80 -j ACCEPT
> >
> > Remember that PREROUTING (where you are changing the port number) happens
> > before FORWARD.
> >
> > Regards,
> >
> > Antony.
> >
> > --
> > I don't know, maybe if we all waited then cosmic rays would write all our
> > software for us. Of course it might take a while.
> >
> >  - Ron Minnich, Los Alamos National Laboratory
> >
> >                                                      Please reply to the
> > list;
> >                                                            please don't CC
> > me.
> >
> >
> >
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com

Re: forwarding on the same NIC

[alucard]

Hi again

   I used a trace program and there are no packets going thru, and I scan
the ports and there's no 8080 open, let me show you everything again

Here's my /etc/rc.d/rc.firewall
-----
echo "Borrando posibles reglas anteriores..."
iptables -F
iptables -X

echo "Habilitando politicas de negacion total de paquetes"

iptables -P FORWARD DROP
iptables -P INPUT DROP

echo "Reglas para paquetes de entrada y salida"

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

##internas
iptables -A INPUT -i eth0 -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -i lo -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 110 -j ACCEPT

#para el forward a la maquina compaq

echo 0 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT
--to-destination 10.73.219.77:80
echo 1 > /proc/sys/net/ipv4/ip_forward
-----

Here's my nmap scan
-----
root@mail:~# nmap 10.73.219.156

Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2004-05-11 09:42 VET
Interesting ports on mail.aeropostal.com.ve (10.73.219.156):
(The 1651 ports scanned but not shown below are in state: filtered)
PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   open   ssh
25/tcp   open   smtp
80/tcp   open   http
143/tcp  open   imap
3306/tcp open   mysql

------

As we can see, there's no 8080 port. We have to remember that the
interface that is nat'ed' from the internet is the same one that's
forwarding packets to 10.73.219.77. Do you think that this could be the
reason? should I use a second card and use it to forward packets? Here's
setup, the one I wrote on the first message

-----

- The linux box has only one NIC -and having a second one is not a
problem- It functions as a web/mail server, and that means that I'm using
80 and 25 already. What i'd like to do is, access another internal
webserver from the outside getting in using another port in the nat'ed'
linux box.


-------      -----------------      ----------------
router |<--->|Linux box      |<---->|2nd WebServer |
-------      |using web/mail |      |10.73.219.77  |
             |10.73.219.156  |      ----------------
             -----------------

-------------

Thanx a lot for your time...

Juan

Re: forwarding on the same NIC

[John A. Sullivan III]

On Tue, 2004-05-11 at 09:49, alucard@kanux.com wrote:
> Hi again
> 
>    I used a trace program and there are no packets going thru, and I scan
> the ports and there's no 8080 open, let me show you everything again
> 
> Here's my /etc/rc.d/rc.firewall
> -----
> echo "Borrando posibles reglas anteriores..."
> iptables -F
> iptables -X
> 
> echo "Habilitando politicas de negacion total de paquetes"
> 
> iptables -P FORWARD DROP
> iptables -P INPUT DROP
> 
> echo "Reglas para paquetes de entrada y salida"
> 
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> 
> iptables -A INPUT -p tcp --dport 21 -j ACCEPT
> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> 
> ##internas
> iptables -A INPUT -i eth0 -p tcp --dport 143 -j ACCEPT
> iptables -A INPUT -i lo -p tcp --dport 143 -j ACCEPT
> iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --dport 110 -j ACCEPT
> 
> #para el forward a la maquina compaq
> 
> echo 0 > /proc/sys/net/ipv4/ip_forward
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i eth0 -p tcp --dport 80 -j ACCEPT
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT
> --to-destination 10.73.219.77:80
> echo 1 > /proc/sys/net/ipv4/ip_forward
> -----
> 
> Here's my nmap scan
> -----
> root@mail:~# nmap 10.73.219.156
> 
> Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2004-05-11 09:42 VET
> Interesting ports on mail.aeropostal.com.ve (10.73.219.156):
> (The 1651 ports scanned but not shown below are in state: filtered)
> PORT     STATE  SERVICE
> 21/tcp   closed ftp
> 22/tcp   open   ssh
> 25/tcp   open   smtp
> 80/tcp   open   http
> 143/tcp  open   imap
> 3306/tcp open   mysql
> 
> ------
> 
> As we can see, there's no 8080 port. We have to remember that the
> interface that is nat'ed' from the internet is the same one that's
> forwarding packets to 10.73.219.77. Do you think that this could be the
> reason? should I use a second card and use it to forward packets? Here's
> setup, the one I wrote on the first message
> 
> -----
> 
> - The linux box has only one NIC -and having a second one is not a
> problem- It functions as a web/mail server, and that means that I'm using
> 80 and 25 already. What i'd like to do is, access another internal
> webserver from the outside getting in using another port in the nat'ed'
> linux box.
> 
> 
> -------      -----------------      ----------------
> router |<--->|Linux box      |<---->|2nd WebServer |
> -------      |using web/mail |      |10.73.219.77  |
>              |10.73.219.156  |      ----------------
>              -----------------
> 
> -------------
> 
> Thanx a lot for your time...
> 
> Juan
Let me see if I understand this correctly.  The ISP router connects you
to the Internet but it know you as the RFC 1918 (private) address
10.73.219.156.  The router, Linux box and 2nd WebServer are all
connected on the same subnet through a hub or switch.  You want the
Linux box to change the packet addressed to it on 8080/tcp to 80/tcp
with a source address of 10.73.219.77 and then forward the packet to the
2nd WebServer?

I've never tried this but I'll take a few guesses on what happens and
why it is probably much safer to use a second NIC.  I would guess that
the packet 10.73.219.156:8080 arrives at the Linux box (can be verified
with Ethereal (www.ethereal.com)), is properly DNAT'd to 10.73.219.77:80
and then passed to the routing subsystem.  The routing subsystem looks
at the packet and sees that it lives on the same network as itself
(10.73.219.x) and thus does not forward the packet (can be verified by
putting a log rule at the beginning of both the INPUT and FORWARD chains
- my guess is it never arrives at the FORWARD chain).  Unless the Linux
box and the 2nd WebServer live on separate networks, routing will not
forward a packet from one to the other.

In other words, you are bridging rather than routing and thus need to
make a layer two decision rather than a layer three decision.  I
understand there is bridging functionality available in Linux but I have
never used it and do not know where to find it.

Alternately, you could subnet 10.73.219.x into two separate networks and
bind two addresses (one for each subnet) to the NIC in the Linux box.

However, I would suggest a separate NIC and a true DMZ.  I assume that
if someone within the ISP cloud attempted to attack 10.73.219.77 by
addressing it directly, there would be nothing to stop them.  The
packets would be forwarded from the ISP router to the 2nd WebServer.  I
would always set it up behind the firewall even though it uses an RFC
1918 address unless you have the utmost trust in both the ISP and all
users attached to their cloud.  Hope this helps - John
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net 

Re: forwarding on the same NIC

[alucard]

Hi again... let me answer each section...

> Let me see if I understand this correctly.  The ISP router connects you
> to the Internet but it know you as the RFC 1918 (private) address
> 10.73.219.156.  The router, Linux box and 2nd WebServer are all
> connected on the same subnet through a hub or switch.  You want the
> Linux box to change the packet addressed to it on 8080/tcp to 80/tcp
> with a source address of 10.73.219.77 and then forward the packet to the
> 2nd WebServer?

Yes, exactly... ;)

> I've never tried this but I'll take a few guesses on what happens and
> why it is probably much safer to use a second NIC.  I would guess that
> the packet 10.73.219.156:8080 arrives at the Linux box (can be verified
> with Ethereal (www.ethereal.com)), is properly DNAT'd to 10.73.219.77:80
> and then passed to the routing subsystem.  The routing subsystem looks
> at the packet and sees that it lives on the same network as itself
> (10.73.219.x) and thus does not forward the packet (can be verified by
> putting a log rule at the beginning of both the INPUT and FORWARD chains
> - my guess is it never arrives at the FORWARD chain).  Unless the Linux
> box and the 2nd WebServer live on separate networks, routing will not
> forward a packet from one to the other.

That's correct, exactly what I though. There's no forwarding because we
are using the same subnet

> In other words, you are bridging rather than routing and thus need to
> make a layer two decision rather than a layer three decision.  I
> understand there is bridging functionality available in Linux but I have
> never used it and do not know where to find it.

Anyone could help? the thing is that, this second webserver is using and
aplication that we use internally and, what I'm trying to do here is,
access the web configuration service from the outside using our existing
server, which is the only one nat'ed', so our other offices can access it.
Since the second server is a production server, there's no way we can
change it's IP and use a subnet.

> However, I would suggest a separate NIC and a true DMZ.  I assume that
> if someone within the ISP cloud attempted to attack 10.73.219.77 by
> addressing it directly, there would be nothing to stop them.
> Thepackets would be forwarded from the ISP router to the 2nd WebServer. 
 > I would always set it up behind the firewall even though it uses an
RFC
> 1918 address unless you have the utmost trust in both the ISP and all
> users attached to their cloud.  Hope this helps - John

Well, that's a risk we are willing to take, and our application has the
latest patches and all that stuff to make it as secure as we can...

Any other suggestions from anyone??
John, Thanx a lot for your help and your time, I really apreciate it.

Juan

Re: forwarding on the same NIC

[Aleksandar Milivojevic]

alucard@kanux.com wrote:
> Anyone could help? the thing is that, this second webserver is using and
> aplication that we use internally and, what I'm trying to do here is,
> access the web configuration service from the outside using our existing
> server, which is the only one nat'ed', so our other offices can access it.
> Since the second server is a production server, there's no way we can
> change it's IP and use a subnet.

I wasn't following this discussion too closely.  However after reading 
what John wrote, I'd guess that your first box is also generating ICMP 
redirect packets back to the router.  Reasoning why I believe that it is 
generating them is that the packet has arrived on the same physical 
interface where it is supposed to be routed out.  This is exactly the 
situation where routers (by default) generate ICMP redirects.  So even 
if you get your box to start routing, you might need to turn off 
generation of ICMP redirects on first Linux box (send_recirects, or 
something like that).

I guess that router is actually at your end (not ISP end), and it is one 
of those small cheap boxes where you connect ADSL or cable, so it has 
public IP address on one end, and is doing NAT for the internal network 
(and your Linux box is assigned to do firewalling).  If this is the 
case, you can solve it a simple way by putting second NIC in your first 
Linux box and assign it different network.  So you would end up with 
something like this:

                   +-------------+
                   |     ISP     |
                   +-------------+
                          |
                          |
                          | ISP assigned public IP
                   +-------------+
                   |   router    |
                   +-------------+
                          | 192.168.1.1
                          |
                          | 192.168.1.2
                   +-------------+
                   |  Linux box  |
                   +-------------+
                          | 10.73.219.156
                          |
                          | 10.73.219.77
                   +-------------+
                   | 2nd Web srv |
                   +-------------+

Router will have default route pointing to ISP, Linux box will have 
default route pointing to router, and 2nd web server to your Linux box. 
  You will be doing NAT twice, once in the router, and again in the 
Linux box.  You can get away with only one NAT if you want, of course. 
The 192.168.0.0/16 will become your future DMZ network, and your 
internal network (10.0.0.0/8) will be deep inside.  I've used 192.168 
for DMZ to avoid guessing what you already used from 10.

To enhance security, you might start making plans to move 2nd Web server 
into the DMZ (change of IP address) as some future project, but you 
don't have to do it right away.

Anyhow, you've got the idea, you only need to adjust it for your 
environment.

-- 
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7

Re: forwarding on the same NIC

[alucard]

Aleksandar Milivojevic wrote:
> I wasn't following this discussion too closely.  However after reading
> what John wrote, I'd guess that your first box is also generating ICMP
> redirect packets back to the router.  Reasoning why I believe that it is
> generating them is that the packet has arrived on the same physical
> interface where it is supposed to be routed out.  This is exactly the
> situation where routers (by default) generate ICMP redirects.  So even
> if you get your box to start routing, you might need to turn off
> generation of ICMP redirects on first Linux box (send_recirects, or
> something like that).
>

Yes, that could be happening because i'm trying to use the same card to
receive and to forward to the same subnet

> I guess that router is actually at your end (not ISP end), and it is one
> of those small cheap boxes where you connect ADSL or cable, so it has
> public IP address on one end, and is doing NAT for the internal network
> (and your Linux box is assigned to do firewalling).

mmm not at all, it's a cisco router for one of the t1's for the company I
work for. There are no other IP addresses available to forward it from the
cisco router -because they are all taken in other stuff-, so I have to
figure that out. If there's a way to do it with a second card, i'll do it
but, it has to be on the same subnet because the second webserver it's
being used by some employees and we need it to be seen from the outside
and there must be a way to do it whith netfilter. Since i have never used
any cisco routers, and the guy in charge of that is not very competent at
all, I started to use netfilter for this. I know that you could do it in
the cisco router directly but that's not my field and I am not allowed to
do it either



> If this is the case, you can solve it a simple way by putting second NIC
> in your first Linux box and assign it different network.
> So you would end up with something like this:
>
>                    +-------------+
>                    |     ISP     |
>                    +-------------+
>                           |
>                           |
>                           | ISP assigned public IP
>                    +-------------+
>                    |   router    |
>                    +-------------+
>                           | 192.168.1.1
>                           |
>                           | 192.168.1.2
>                    +-------------+
>                    |  Linux box  |
>                    +-------------+
>                           | 10.73.219.156
>                           |
>                           | 10.73.219.77
>                    +-------------+
>                    | 2nd Web srv |
>                    +-------------+
>

Here's my current setup:

                    +-------------+
                    |Cisco Router |
                    +-------------+
                           |
                           |
                           | IP Address -NAT-
                    +-------------+
                    |  Linux box  |
                    +-------------+
                           | 10.73.219.156 -Nat'ed' Address-
                           |
                           | 10.73.219.77 -2nd WebServer-
                    +-------------+
                    | 2nd Web srv |
                    +-------------+


> To enhance security, you might start making plans to move 2nd Web server
> into the DMZ (change of IP address) as some future project, but you
> don't have to do it right away.

That would be great and that's what I though at first but, let's put it
this way, this company has a lot of burocracy -and I hate it- to go thru
before changing something like this.

>
> Anyhow, you've got the idea, you only need to adjust it for your
> environment.
>
> --

I really apreciate your help a lot...
Juan

Re: forwarding on the same NIC

[Aleksandar Milivojevic]

alucard@kanux.com wrote:
> mmm not at all, it's a cisco router for one of the t1's for the company I
> work for.

Hm, doesn't change much in the hole picture.  What you'll need to do 
depends much on how much you are allowed to change (and you'll have to 
change something, there's no way around it).  If you are allowed to 
change internal IP address on Cisco, than you can use your Linux box as 
router/firewall for internal network (as per diagram I sent earlier). 
That would move Cisco out of your internal network (good thing (tm) 
since you don't control it, and obviously you are not very keen of 
person who does have control over it), and than you can do close to 
about anything you desire.

BTW, one stupid question, you did set ip_forwarding to 1 on Linux box, 
right?  As I recall, it defaults to 0 (either in kernel, or startup 
scripts in various distributions set it to 0, not sure).

What John just suggested with virutal interfaces will also work.  But 
with only one physical interface you must be carefull about ICMP 
redirects.  Your Linux box is going to start spitting them out as soon 
as it detects two networks on same wire, unless you specifically tell it 
not to do that.  If Cisco and Web2 boxes are set to obey them (bad thing 
(tm)), they'll just start talking directly to each other.  Been there, 
done that.

Anyhow, whatever you choose to do, I would stronly recommend having two 
seperate wires.  One for your internal network, and another for outside 
world.  And since you don't have control over Cisco, it boils down to 
two NICs in your Linux box or two NICs in your Web box.

-- 
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7

Re: forwarding on the same NIC

[John A. Sullivan III]

On Tue, 2004-05-11 at 11:38, alucard@kanux.com wrote:

> <snip>
> That's correct, exactly what I though. There's no forwarding because we
> are using the same subnet
> 
> > In other words, you are bridging rather than routing and thus need to
> > make a layer two decision rather than a layer three decision.  I
> > understand there is bridging functionality available in Linux but I have
> > never used it and do not know where to find it.
> 
> Anyone could help? the thing is that, this second webserver is using and
> aplication that we use internally and, what I'm trying to do here is,
> access the web configuration service from the outside using our existing
> server, which is the only one nat'ed', so our other offices can access it.
> Since the second server is a production server, there's no way we can
> change it's IP and use a subnet.
OK - so let me summarize again just to make sure I understand you.  The
2nd Webserver at 10.73.219.77 is used by internal resources and cannot
change its IP address.  You want to make it available to remote users in
other offices via the Internet but the only Internet access you have is
through the one Linux box.

If you do not want to expose the 2nd Webserver to the world but only
make it available to other offices, you may wish to consider an IPSec
VPN between the other offices and the Linux box although we'd need to
know a little more about how your ISP is getting you to the Internet and
how your other offices access the Internet.

You will still have the routing problem.  You can create a second
network without changing the IP address.  It will depend on how the
internal users access the 2nd Webserver.  If the access is also through
the Linux box, then you can split the 10.73.219.x network.  Assuming it
is using a 24 bit mask, you could create the network 10.73.219.0/25 and
10.73.219.128/25.  Leave the NIC with 10.73.219.156 on the latter
network, add a second NIC with an address on the former network and
place the second Webserver on the former network - note there is no need
to change the IP address of the 2nd Webserver or the DNS entry - just
the subnet mask.
> 
<snip>
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net 

Re: forwarding on the same NIC

[alucard]

John A. Sullivan III wrote:

> OK - so let me summarize again just to make sure I understand you.  The
> 2nd Webserver at 10.73.219.77 is used by internal resources and cannot
> change its IP address.  You want to make it available to remote users in
> other offices via the Internet but the only Internet access you have is
> through the one Linux box.

Yep, exactly
>
> If you do not want to expose the 2nd Webserver to the world but only
> make it available to other offices, you may wish to consider an IPSec
> VPN between the other offices and the Linux box although we'd need to
> know a little more about how your ISP is getting you to the Internet and
> how your other offices access the Internet.

This company has a cisco router -to which I have no access to it- and that
redirects the public IP address that we use for webmail services. This 2nd
webserver should be seen by a lot of people and using a VPN would make
things worse


>
> You will still have the routing problem.  You can create a second
> network without changing the IP address.  It will depend on how the
> internal users access the 2nd Webserver.  If the access is also through
> the Linux box, then you can split the 10.73.219.x network.  Assuming it
> is using a 24 bit mask, you could create the network 10.73.219.0/25 and
> 10.73.219.128/25.  Leave the NIC with 10.73.219.156 on the latter
> network, add a second NIC with an address on the former network and
> place the second Webserver on the former network - note there is no need
> to change the IP address of the 2nd Webserver or the DNS entry - just
> the subnet mask.

We have a 255.255.252.0 network already because there are more than 500
computers with IP addresses in this company. All the users access the 2nd
webserver directly to it thru it's IP address. Changing the subnet mask
wouldn't quit the access? I dont understand what you are trying to explain
here.

John, thanx a lot for this pal...
Juan

Re: forwarding on the same NIC

[John A. Sullivan III]

On Tue, 2004-05-11 at 15:35, alucard@kanux.com wrote:
> John A. Sullivan III wrote:
> 
> > OK - so let me summarize again just to make sure I understand you.  The
> > 2nd Webserver at 10.73.219.77 is used by internal resources and cannot
> > change its IP address.  You want to make it available to remote users in
> > other offices via the Internet but the only Internet access you have is
> > through the one Linux box.
> 
> Yep, exactly
> >
> > If you do not want to expose the 2nd Webserver to the world but only
> > make it available to other offices, you may wish to consider an IPSec
> > VPN between the other offices and the Linux box although we'd need to
> > know a little more about how your ISP is getting you to the Internet and
> > how your other offices access the Internet.
> 
> This company has a cisco router -to which I have no access to it- and that
> redirects the public IP address that we use for webmail services. This 2nd
> webserver should be seen by a lot of people and using a VPN would make
> things worse
> 
> 
> >
> > You will still have the routing problem.  You can create a second
> > network without changing the IP address.  It will depend on how the
> > internal users access the 2nd Webserver.  If the access is also through
> > the Linux box, then you can split the 10.73.219.x network.  Assuming it
> > is using a 24 bit mask, you could create the network 10.73.219.0/25 and
> > 10.73.219.128/25.  Leave the NIC with 10.73.219.156 on the latter
> > network, add a second NIC with an address on the former network and
> > place the second Webserver on the former network - note there is no need
> > to change the IP address of the 2nd Webserver or the DNS entry - just
> > the subnet mask.
> 
> We have a 255.255.252.0 network already because there are more than 500
> computers with IP addresses in this company. All the users access the 2nd
> webserver directly to it thru it's IP address. Changing the subnet mask
> wouldn't quit the access? I dont understand what you are trying to explain
> here.
> 
> John, thanx a lot for this pal...
> Juan
Ah, OK - between this reply and your replay to Aleksander, it's starting
to become a bit more clear.  The router is a corporate router to the
outside world over which you have no control.  This internal 10 network
where the Linux box and 2nd Webserver sit IS the entire internal network
with a 22 bit mask and housing all users who directly access the 2nd
WebServer on the LAN.  You want the WebServer accessible to the world
but, because of politics, bureaucracy, etc., you only have control over
the Linux box.  Do I understand it thus far?

Do you have the freedom to insert a second NIC into the 2nd WebServer?
If so, you can insert a second NIC into both devices, set the default
gateway for the 2nd WebServer to the Linux Box and allow world access
through this second network.

If you can't make the hardware change, do you have the freedom to bind a
second address to the NIC on the 2nd WebServer and make a virtual
network, i.e., two networks with different addresses on the same
physical media.  This would still allow you to route and protect the 2nd
WebServer.

One way or another, you are going to have to touch the 2nd WebServer
even if just to change its default gateway to the LinuxBox so that its
reply packets to the world pass through the Linux Box.  If you cannot
get it on a separate network by hook or by crook, you'll have to
investigate bridging.  I think there is something at
http://ebtables.sourceforge.net/ but I have never played with it.  Good
luck - John
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net 

Re: forwarding on the same NIC

[alucard]

John A. Sullivan III wrote:
> Ah, OK - between this reply and your replay to Aleksander, it's starting
> to become a bit more clear.  The router is a corporate router to the
> outside world over which you have no control.  This internal 10 network
> where the Linux box and 2nd Webserver sit IS the entire internal network
> with a 22 bit mask and housing all users who directly access the 2nd
> WebServer on the LAN.  You want the WebServer accessible to the world
> but, because of politics, bureaucracy, etc., you only have control over
> the Linux box.  Do I understand it thus far?

Exactly :)

>
> Do you have the freedom to insert a second NIC into the 2nd WebServer?
> If so, you can insert a second NIC into both devices, set the default
> gateway for the 2nd WebServer to the Linux Box and allow world access
> through this second network.

No, I don't but, I'm just going to have to go through all the steps in
this company to get it in order to do what they require.

> One way or another, you are going to have to touch the 2nd WebServer
> even if just to change its default gateway to the LinuxBox so that its
> reply packets to the world pass through the Linux Box.  If you cannot
> get it on a separate network by hook or by crook, you'll have to
> investigate bridging.  I think there is something at
> http://ebtables.sourceforge.net/ but I have never played with it.  Good
> luck - John

To make matters worse, the second webserver is IIS and I have no idea how
to use IP Multiplexing on Win2k, I could do it in linux but Windows
systems are not my expertise. What I'm going to do -if I get the
permission- is this: Install a 2nd nic on the 2nd webserver so the IP
address that is being used doesn't get affected and I will configure it's
router to the linux box so it can redirect packets where they should go...

Thanx a lot for this great help, I really mean it... this mailing list is
simply great

Juan

Re: forwarding on the same NIC

[Alistair Tonner]

On May 10, 2004 03:36 pm, alucard@kanux.com wrote:
> es -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i eth0 -p tcp --dport 8080 -j ACCEPT


	Your forward rule should be for port 80.

	The port on the packet by the time it hits forward is 80 not 8080
	you might want to add the 'destination' ip address to this rule as well.

	Alistair.

	

RE: forwarding on the same NIC

[Daniel Chemko]

Have you tried something like:

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD --destination 10.73.219.156 -p tcp --dport 80 -j
ACCEPT
iptables -t nat -A PREROUTING --destination 10.73.219.156 -p tcp --dport
8080 -j DNAT --to-destination 10.73.219.77:80
iptables -t nat -A POSTROUTING --destination 10.73.219.77 -p tcp --dport
80 -j SNAT --to-source 10.73.219.156

Remember, if the default router of the web server isn't your firewall
box, the packet will exit the router, but when the next packet destined
for the web server is senty by the client, the linux box doesn't think
its valid. This is because the conntrack missed the obligatory SYNACK.
The subsequent ACK to the firewall would mean nothing. I could be wrong
about the internal logic, but it'd make sense.

RE: forwarding on the same NIC

[Daniel Chemko]

> To make matters worse, the second webserver is IIS and I have no idea
> how to use IP Multiplexing on Win2k, I could do it in linux but
> Windows systems are not my expertise. What I'm going to do -if I get
> the permission- is this: Install a 2nd nic on the 2nd webserver so
> the IP address that is being used doesn't get affected and I will
> configure it's router to the linux box so it can redirect packets
> where they should go...     

You are either not grasping how difficult what your trying to do, or you
haven't used proper the wording. Source Routing from windows == blah! If
you're relying on windows to do routing, I pity thou. 


To the best of my knowledge, you have:
x.x.x.254 ROUTER
   |--x.x.x.1 Linux Server 1  (default route x.x.x.254)
   |--x.x.x.2 Windows IIS (default route x.x.x.254)

You have the router forwarding a public IP address and PATing it to
x.x.x.1. You want x.x.x.1:8080 to go to x.x.x.2:80

To get this to work, use:

# Allow any established traffic to traverse the machine
iptables -A FORWARD -m state ESTABLISHED,RELATED -j ACCEPT
# Forward the packet destined for 8080 to the windows machine on port 80
iptables -t nat -A PREROUTING --destination x.x.x.1 -p tcp --dport 8080
-j DNAT --to x.x.x.2:80
# Allow new web traffic into the network
iptables -A FORWARD --destination x.x.x.2 -p tcp --dport 80 -j ACCEPT
# Forces the windows box to route back to you before leaving the network
iptables -t nat -A POSTROUTING --destination x.x.x.2 -p tcp --dport 80
-j SNAT --to x.x.x.1

The order of traversal becomes:

Router->Firewall->Windows->Firewall->Router
Instead of
Router->Firewall->Windows->Router
The later breaks as I've described earlier.