* AW: a NAT question
From: Account fur Maillinglisten @ 2004-07-15 11:26 UTC
To: Payal Rathod, netfilter
> Hi,
> We have been allocated 2 more IPs by our ISP for a period of 1 month
> for our purpose. Now these 2 IPs will be assigned to 2 Windows
> machines which are to be accessed from outside. We want port 21 or one
> machine to be accessed from outside and port 80 and 9001, 25 of other
> machine. Which is the best way to allow access to these machines from
> outside still having them under my firewall? I thought of having ip
> aliases on the Linux box and forwarding the connections to the
> respective windows box.
> Can someone explain an easy way for this?
> With warm regards,
> -Payal
Hi Payal,
you should go for that issue. Add virtual interfaces to your Linux box,
assign them the ip-addresses and create some forwarding rules for your
required ports.
# virtual alias on your interface. check man ifconfig and alter my
# statements for your needs, e.g. replace x.x.x.x with the correct values
ifconfig eth0:1 x.x.x.x
# This creates a duplicate interface of eth0 with a different ip-address
# (x.x.x.x). To remove one, simply put it down with ifconfig eth0:1 down
After that you've got an interface where you can bind your
forwarding rules to.
hth
-fe
* Re: AW: a NAT question
From: Micha Silver @ 2004-07-16 8:51 UTC
To: Payal Rathod; +Cc: netfilter
>>Hi,
>>We have been allocated 2 more IPs by our ISP for a period of 1 month
>>for our purpose. Now these 2 IPs will be assigned to 2 Windows
>>machines which are to be accessed from outside. We want port 21 or one
>>machine to be accessed from outside and port 80 and 9001, 25 of other
>>machine. Which is the best way to allow access to these machines from
>>outside still having them under my firewall? I thought of having ip
>>aliases on the Linux box and forwarding the connections to the
>>respective windows box.
>>Can someone explain an easy way for this?
>>With warm regards,
>>-Payal
Payal:
Have you tried Shorewall? http://www.shorewall.net
You can do it with either DNAT or proxy arp.
Shorewall makes jobs like this quite simple and easy to understand.
--Micha
* Re: AW: a NAT question
From: Payal Rathod @ 2004-07-16 17:55 UTC
To: Netfilter ML
On Fri, Jul 16, 2004 at 11:51:54AM +0300, Micha Silver wrote:
> Have you tried Shorewall? http://www.shorewall.net
> You can do it with either DNAT or proxy arp.
Ok. I will try it. But I am not too fond of using tools for firewall.
Thanks.
-Payal
* RE: AW: a NAT question
From: Daniel Chemko @ 2004-07-16 18:43 UTC
To: Payal Rathod, Netfilter ML
Payal Rathod wrote:
> On Fri, Jul 16, 2004 at 11:51:54AM +0300, Micha Silver wrote:
>> Have you tried Shorewall? http://www.shorewall.net
>> You can do it with either DNAT or proxy arp.
>
> Ok. I will try it. But I am not too fond of using tools for firewall.
> Thanks.
> -Payal
The setup of a Script-only setup isn't too hard. You have to abandon the
concept of ip aliases since netfilter dropped support for the concept.
You only deal with the root interface and ip addresses.
If you want to setup a multi-ip address interface from the command line,
you could use something like the following:
<Assuming you already have $ip0 set up on eth0 and netmask == 24, and gw == $gw>
ip addr add $ip1/24 dev eth0
ip addr add $ip2/24 dev eth0
Now, any data sent to 200.1.1.2-4 will be sent to your Firewall.
Assuming you have a block-all,accept-selected rule, you'd set up
something like the following:
iptables -t nat -A PREROUTING --destination $ip1 -p tcp --dport 21 -j DNAT --to $internal_1
iptables -t nat -A PREROUTING --destination $ip1 -p tcp --dport 9001 -j DNAT --to $internal_2
iptables -t nat -A PREROUTING --destination $ip1 -p tcp --dport 80 -j DNAT --to $internal_2
iptables -t nat -A PREROUTING --destination $ip1 -p tcp --dport 25 -j DNAT --to $internal_2
iptables -A FORWARD --destination $internal_1 -p tcp --dport 21 -j ACCEPT
iptables -A FORWARD --destination $internal_2 -p tcp --dport 9001 -j ACCEPT
iptables -A FORWARD --destination $internal_2 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD --destination $internal_2 -p tcp --dport 25 -j ACCEPT
echo "1" > /proc/sys/net/ipv4/ip_forward
My example used the same external interface to handle all requests. You
can replace the --destination field with any one that you've bound to
the external interface.
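An added example, not Daniel's script or anything else posted in the thread: a dry-run generator for the two-public-IP DNAT setup he describes. It adds the extra addresses with `ip addr add` on the real interface instead of eth0:N aliases, matches the public address with -d, lets conntrack handle the return traffic, and uses the /proc/sys/net/ipv4/ip_forward sysctl. Interface name, public and internal addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits the rule set as text so it
# can be reviewed (or diffed against the running config) before being piped
# to sh on the firewall. All addresses below are constructed placeholders.
EXT_IF=eth0
PUB1=203.0.113.11      # constructed: extra public IP for Windows host 1
PUB2=203.0.113.12      # constructed: extra public IP for Windows host 2
WIN1=192.168.1.21      # constructed: internal host reached on port 21
WIN2=192.168.1.22      # constructed: internal host reached on 80, 9001, 25

# One mapping per line: "public_ip internal_ip tcp_port".
PORTMAP="
$PUB1 $WIN1 21
$PUB2 $WIN2 80
$PUB2 $WIN2 9001
$PUB2 $WIN2 25
"

gen_rules() {
    # Secondary addresses live on the real interface; netfilter only sees eth0.
    echo "ip addr add $PUB1/24 dev $EXT_IF"
    echo "ip addr add $PUB2/24 dev $EXT_IF"
    # ip_forward is the sysctl that lets the box route between interfaces.
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    # Replies to DNATed connections are tracked; accept them once, up front.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "$PORTMAP" | while read -r pub internal port; do
        [ -n "$pub" ] || continue
        # Match the public address with -d and the real ingress interface with -i.
        echo "iptables -t nat -A PREROUTING -i $EXT_IF -d $pub -p tcp --dport $port -j DNAT --to-destination $internal:$port"
        # FORWARD sees the rewritten destination, so filter on the internal host.
        echo "iptables -A FORWARD -i $EXT_IF -d $internal -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# Sanity checks that need no root: one DNAT rule per mapping, no alias names.
count_dnat()    { gen_rules | grep -c -- '-j DNAT'; }
count_aliases() { gen_rules | grep -c 'eth0:' || true; }
```

Run `gen_rules` to inspect the output, or `gen_rules | sh` as root on the firewall once it looks right.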
* Re: AW: a NAT question
From: Payal Rathod @ 2004-07-16 18:50 UTC
To: Daniel Chemko; +Cc: Netfilter ML
On Fri, Jul 16, 2004 at 11:43:05AM -0700, Daniel Chemko wrote:
> The setup of a Script-only setup isn't too hard. You have to abandon the
> concept of ip aliases since netfilter dropped support for the concept.
> You only deal with the root interface and ip addresses.
You mean something like eth0:1 isn't supported? Do I have to
learn the ip thing instead of ifconfig?
For a while I would prefer ifconfig.
With warm regards,
-Payal
* Re: AW: a NAT question
From: Antony Stone @ 2004-07-16 19:25 UTC
To: Netfilter ML
On Friday 16 July 2004 7:50 pm, Payal Rathod wrote:
> On Fri, Jul 16, 2004 at 11:43:05AM -0700, Daniel Chemko wrote:
> > The setup of a Script-only setup isn't too hard. You have to abandon the
> > concept of ip aliases since netfilter dropped support for the concept.
> > You only deal with the root interface and ip addresses.
>
> You mean the something like eth0:1 isn't supported?
It's supported just as much as the (preferred) "ip addr add..." is, so long as
you keep in mind that netfilter doesn't use anything other than the "real"
name of the interface, e.g. eth0, not eth0:1.
However, this makes no difference to your netfilter rules - all the packets
are really coming in on eth0 anyway, even if ifconfig decided to label the
second IP address eth0:1.
Regards,
Antony.
--
Most people are aware that the Universe is big.
- Paul Davies, Professor of Theoretical Physics
Please reply to the list;
please don't CC me.
* Re: AW: a NAT question
From: Victor Wren @ 2004-07-16 20:39 UTC
To: netfilter
> On Fri, Jul 16, 2004 at 11:43:05AM -0700, Daniel Chemko wrote:
>
> > The setup of a Script-only setup isn't too hard. You have to abandon the
> > concept of ip aliases since netfilter dropped support for the concept.
> > You only deal with the root interface and ip addresses.
>
> You mean the something like eth0:1 isn't supported? Do I have to
> learn the ip thing instead of ifconfig?
> For a while I would prefer ifconfig.
It's not as bad as all that, and it's really sound policy, if you think about
it. It's matching packets that come into a particular physical interface.
It doesn't care what the ip address of that port is, or whether it has one
address or twenty, so when you say "-i eth0" (or -o) just remember that
you're also catching "eth0:56, eth0:fred, eth0:arf" etc.
I like this way of doing it. Having the filter match aliases just muddies the
water (and frankly, they'll all arp to the same ethernet mac address, so
what's the point?) If you really want to match on a particular address (or
subnet), you can still do that with the "-d" switch.
Victor Wren