* Can anyone tell me how to do this?
@ 2004-09-22 14:09 Dominic Iadicicco
2004-09-22 14:25 ` Eric Leblond
2004-09-22 14:29 ` Jason Opperisano
0 siblings, 2 replies; 22+ messages in thread
From: Dominic Iadicicco @ 2004-09-22 14:09 UTC (permalink / raw)
To: netfilter
Hello all,
Can anyone tell me how to do this so that I may ask
some questions afterwards, in hopes of learning a little
more about iptables.
This is what I would like to try. I think this would
get me to the next level.
My devil-Box is at 172.16.12.130 and I want all ssh
requests to this .130 address to go to address
172.16.12.212. How do I do this? All machines are
on the 172.16.12.x subnet for right now.
Thanks in advance
Dominic
* Re: Can anyone tell me how to do this?
2004-09-22 14:09 Dominic Iadicicco
@ 2004-09-22 14:25 ` Eric Leblond
2004-09-22 14:45 ` Dominic Iadicicco
2004-09-22 14:29 ` Jason Opperisano
1 sibling, 1 reply; 22+ messages in thread
From: Eric Leblond @ 2004-09-22 14:25 UTC (permalink / raw)
To: Dominic Iadicicco; +Cc: netfilter
On Wed, 2004-09-22 at 16:09, Dominic Iadicicco wrote:
> Hello all,
> My devil-Box is at 172.16.12.130 and I want all ssh
> request to this .130 address, to go to address
> 172.16.12.212.
Go to: that's the easy part:
iptables -A PREROUTING -t nat -d 172.16.12.130 -p tcp --dport 22 \
-j DNAT --to 172.16.12.212
Well, that's for "go to". But let's say A tries to connect to 172.16.12.130; then
172.16.12.212 receives a connection from A and answers to A, which is waiting for an
answer from 172.16.12.130. Bad day for him.
The solution is to change the source address of packets going to
172.16.12.212:
iptables -A POSTROUTING -t nat -d 172.16.12.212 -p tcp --dport 22 \
-j SNAT --to 172.16.12.130
Thus we have the following:
A talks to 172.16.12.130
packet arrives at 172.16.12.212 with source 172.16.12.130
packet returns to 172.16.12.130
which re-emits it to A.
BR,
--
Eric Leblond <eric@inl.fr>
INL
* Re: Can anyone tell me how to do this?
2004-09-22 14:09 Dominic Iadicicco
2004-09-22 14:25 ` Eric Leblond
@ 2004-09-22 14:29 ` Jason Opperisano
1 sibling, 0 replies; 22+ messages in thread
From: Jason Opperisano @ 2004-09-22 14:29 UTC (permalink / raw)
To: netfilter
On Wed, 2004-09-22 at 10:09, Dominic Iadicicco wrote:
> Hello all,
>
> Can anyone tell me how to do this so that I may ask
> some questions afterword's in hopes to learn a little
> more about iptables.
learning more about iptables is a nice goal to have. sometimes i wish
it was just as glamorous for people to want to learn more about routing
and the OSI model, before becoming super l33t firewall gurus...but i
digress...
> This is what I would like to try. I think this would
> get me to the next level.
>
> My devil-Box is at 172.16.12.130 and I want all ssh
> request to this .130 address, to go to address
> 172.16.12.212. How do I do this? All machines are
> on the 172.16.12.x subnet for right now.
iptables -t nat -A PREROUTING -p tcp --dport 22 \
-d 172.16.12.130 -j DNAT --to-destination 172.16.12.212
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -d 172.16.12.212 -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp --dport 22 \
-d 172.16.12.212 -j SNAT --to-source 172.16.12.130
sysctl -w net.ipv4.ip_forward=1
-j
--
Jason Opperisano <opie@817west.com>
* Re: Can anyone tell me how to do this?
2004-09-22 14:25 ` Eric Leblond
@ 2004-09-22 14:45 ` Dominic Iadicicco
2004-09-22 15:07 ` Eric Leblond
0 siblings, 1 reply; 22+ messages in thread
From: Dominic Iadicicco @ 2004-09-22 14:45 UTC (permalink / raw)
To: netfilter
Eric:
Where should I put
"iptables -A POSTROUTING -t nat -d 172.16.12.212 -p tcp --dport 22 \
-j SNAT --to 172.16.12.130"?
Should that command also be executed on the same
machine as the previous?
Thanks
Dom
--- Eric Leblond <eric@inl.fr> wrote:
> On Wed, 2004-09-22 at 16:09, Dominic Iadicicco
> wrote:
> > Hello all,
> > My devil-Box is at 172.16.12.130 and I want all
> ssh
> > request to this .130 address, to go to address
> > 172.16.12.212.
>
> go to : it's the easy part :
> iptables -A PREROUTING -t nat -d 172.16.12.130 -p
> tcp --dport 22 \
> -j DNAT --to 172.16.12.212
>
> well that's for go to. But let say A try to connect
> to 172.16.12.130 then
> 172.16.12.212 receive a connection from 1 and answer
> to A which wait
> answer from 172.16.12.130. bad day for him.
> The solution is to change source address of packets
> going to
> 172.16.12.212 :
> iptables -A POSTROUTING -t nat -d 172.16.12.212 -p
> tcp --dport 22 \
> -j SNAT --to 172.16.12.130
>
> thus we have the following :
> A talks to 172.16.12.130
> packet arrive to 172.16.12.212 with source
> 172.16.12.130
> packet return to 172.16.12.130
> which reemit to A.
>
> BR,
> --
> Eric Leblond <eric@inl.fr>
> INL
>
>
* Re: Can anyone tell me how to do this?
2004-09-22 14:45 ` Dominic Iadicicco
@ 2004-09-22 15:07 ` Eric Leblond
2004-09-22 15:29 ` Dominic Iadicicco
0 siblings, 1 reply; 22+ messages in thread
From: Eric Leblond @ 2004-09-22 15:07 UTC (permalink / raw)
To: Dominic Iadicicco; +Cc: netfilter
On Wed, 2004-09-22 at 16:45, Dominic Iadicicco wrote:
> Eric:
> Should that command also be executed on the same
> machine as the previous?
yes.
Take a paper and write carefully the life of a packet on its way in and
back.
BR,
--
Eric Leblond <eric@inl.fr>
INL
* Re: Can anyone tell me how to do this?
2004-09-22 15:07 ` Eric Leblond
@ 2004-09-22 15:29 ` Dominic Iadicicco
0 siblings, 0 replies; 22+ messages in thread
From: Dominic Iadicicco @ 2004-09-22 15:29 UTC (permalink / raw)
To: netfilter
I got it. :)
It worked.
I am starting to get it a little more now.
It is almost like a phone switchboard:
a send line and a receive line.
I am sure I will have more questions later.
Thank you, Eric and Jason Opperisano. Both of your
posts have helped me learn a lot.
--- Eric Leblond <eric@inl.fr> wrote:
> On Wed, 2004-09-22 at 16:45, Dominic Iadicicco
> wrote:
> > Eric:
> > Should that command also be executed on the same
> > machine as the previous?
>
> yes.
>
> take a paper and write carrefully the life of a
> packet on its way in and
> back.
>
> BR,
> --
> Eric Leblond <eric@inl.fr>
> INL
>
>
* RE: Can anyone tell me how to do this?
@ 2004-09-22 16:59 Daniel Chemko
2004-09-22 17:29 ` Alistair Tonner
0 siblings, 1 reply; 22+ messages in thread
From: Daniel Chemko @ 2004-09-22 16:59 UTC (permalink / raw)
To: Jason Opperisano, netfilter
> learning more about iptables is a nice goal to have. sometimes i wish
> it was just as glamorous for people to want to learn more about
> routing and the OSI model, before becoming super l33t firewall
> gurus...but i digress...
Problem is: neither of these topics can easily be approached by network
newbs without a lot of setup. There aren't many visiting this list with
routing more complicated than ip route add x via y.
As for OSI, any casual admin wouldn't find much real-world value in it.
I'd say OSI influences programmers more than admins. Experienced admins
do need to understand programming, and OSI's a good practical example of
basic layered approaches, etc. Plus, since others use OSI as a mindset
when developing, it's good to know where they get their ideas from.
Firewalls are an inevitability these days. You either don't use a
firewall and get viruses, or you do use a firewall and you're forced to
fiddle with it when one of your programs doesn't work. See, you're forced
to learn it whether you like networking and administration or not.
* RE: Can anyone tell me how to do this?
@ 2004-09-22 17:04 Hudson Delbert J Contr 61 CS/SCBN
0 siblings, 0 replies; 22+ messages in thread
From: Hudson Delbert J Contr 61 CS/SCBN @ 2004-09-22 17:04 UTC (permalink / raw)
To: 'Daniel Chemko', Jason Opperisano, netfilter
firewalls and virii ???
firewalls do not stop viruses...
virus detection and removal/mitigation software does this chore,
if bundled with the firewall tool.
let's not lead the newbs astray...
~piranha
-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org]On Behalf Of Daniel Chemko
Sent: Wednesday, September 22, 2004 9:59 AM
To: Jason Opperisano; netfilter@lists.netfilter.org
Subject: RE: Can anyone tell me how to do this?
> learning more about iptables is a nice goal to have. sometimes i wish
> it was just as glamorous for people to want to learn more about
> routing and the OSI model, before becoming super l33t firewall
> gurus...but i digress...
Problem is: Neither of these topics can easily be approached by network
newbs without a lot of setup. There aren't many visiting this list with
routing more complicated than ip route add x via y
As for OSI, any casual admin wouldn't find much real world value in it.
I'd say OSI influences programmers more than admins. Experienced admins
do need to understand programming and OSI's a good practical example of
basic layered approaches, etc.. Plus, since others use OSI as a mindset
when developing, its good to know where they get their ideas from.
Firewalls are an inevitability these days. You either: Don't use a
firewall and get viruses, or you do use a firewall and you're forced to
fiddle with it when one of your programs doesn't work. See, your forced
to learn it if you like networking and administration or not.
* RE: Can anyone tell me how to do this?
@ 2004-09-22 17:12 Daniel Chemko
2004-09-23 13:01 ` Eric Ellis
0 siblings, 1 reply; 22+ messages in thread
From: Daniel Chemko @ 2004-09-22 17:12 UTC (permalink / raw)
To: Hudson Delbert J Contr 61 CS/SCBN, netfilter
Hudson Delbert J Contr 61 CS/SCBN wrote:
> firewalls and virii ???
>
> firewalls do not stop virus...
>
> virus detection and removal/mitigation software does this chore
> if bundled with the firewall tool.
>
> lets not lead the newbs astray...
Well said... Sometimes I don't think about what I'm typing until it's
been sent. I end up sounding like so many PHBs.
Step 1: Lose nerd status
Step 2: Become PHB
Step 3: PROFIT!!
* Re: Can anyone tell me how to do this?
2004-09-22 16:59 Daniel Chemko
@ 2004-09-22 17:29 ` Alistair Tonner
0 siblings, 0 replies; 22+ messages in thread
From: Alistair Tonner @ 2004-09-22 17:29 UTC (permalink / raw)
To: netfilter
On September 22, 2004 12:59 pm, Daniel Chemko wrote:
> > learning more about iptables is a nice goal to have. sometimes i wish
> > it was just as glamorous for people to want to learn more about
> > routing and the OSI model, before becoming super l33t firewall
> > gurus...but i digress...
>
> Problem is: Neither of these topics can easily be approached by network
> newbs without a lot of setup. There aren't many visiting this list with
> routing more complicated than ip route add x via y
>
> As for OSI, any casual admin wouldn't find much real world value in it.
> I'd say OSI influences programmers more than admins. Experienced admins
> do need to understand programming and OSI's a good practical example of
> basic layered approaches, etc.. Plus, since others use OSI as a mindset
> when developing, its good to know where they get their ideas from.
Trust me -- when troubleshooting a distributed application you *really* need
to know OSI. I've often found that developers like to yell that the network
is the problem. Lots of developers have no idea about networking, and seem
to believe that it can magically disappear, mangle, harass, alter and chew
up their data. Now .. that might happen on some networks, but not on ours,
or at least not without setting off a bunch of nasty alerts....
> Firewalls are an inevitability these days. You either: Don't use a
> firewall and get viruses, or you do use a firewall and you're forced to
> fiddle with it when one of your programs doesn't work. See, your forced
> to learn it if you like networking and administration or not.
Using a firewall that blocks certain ports may prevent certain virii from
being able to connect and spread, but it won't STOP virii -- they seem to be
getting multitalented these days. Security, as always, is very much like OSI:
layered, purpose-driven components. Each component must do its job, and
scream blue bloody murder when it can't/doesn't or fails.
Alistair.
* Re: Can anyone tell me how to do this?
2004-09-22 17:12 Can anyone tell me how to do this? Daniel Chemko
@ 2004-09-23 13:01 ` Eric Ellis
2004-09-23 13:22 ` Dominic Iadicicco
0 siblings, 1 reply; 22+ messages in thread
From: Eric Ellis @ 2004-09-23 13:01 UTC (permalink / raw)
To: Daniel Chemko; +Cc: netfilter
Daniel Chemko wrote:
> Hudson Delbert J Contr 61 CS/SCBN wrote:
>
>>firewalls and virii ???
>>
>>firewalls do not stop virus...
>>
>>virus detection and removal/mitigation software does this chore
>>if bundled with the firewall tool.
>>
>>lets not lead the newbs astray...
>
>
> Well said... Sometimes I don't think about what I'm typing until its
> been sent. I end up sounding like a so many PHB's.
>
> Step 1: Loose nerd status
> Step 2: Become PHB
> Step 3: PROFIT!!
Sadly, your last statement is all too true. :)
--
Eric Ellis
Gilchrist County Sheriff's Department
IT Coordinator
eellis@mail.co.gilchrist.fl.us
352-463-3181
* Re: Can anyone tell me how to do this?
2004-09-23 13:01 ` Eric Ellis
@ 2004-09-23 13:22 ` Dominic Iadicicco
2004-09-23 14:55 ` Jason Opperisano
0 siblings, 1 reply; 22+ messages in thread
From: Dominic Iadicicco @ 2004-09-23 13:22 UTC (permalink / raw)
To: netfilter
ok, I have another one for all.
I have now been trying to do this:
I have an IP, 10.0.0.1, on eth1 and an IP, 172.16.12.130,
on eth0. And here's where things get fun. I want all
ssh requests that go to 10.0.0.1 to get routed to
172.16.12.130 just like it worked when we did it from
.130 to .212. (if anyone is new and doesn't know what was
discussed yesterday, please let me know and I will post
it.)
Once again thanks for all help in advance.
Dominic
--- Eric Ellis <eellis@mail.co.gilchrist.fl.us> wrote:
> Daniel Chemko wrote:
>
> > Hudson Delbert J Contr 61 CS/SCBN wrote:
> >
> >>firewalls and virii ???
> >>
> >>firewalls do not stop virus...
> >>
> >>virus detection and removal/mitigation software
> does this chore
> >>if bundled with the firewall tool.
> >>
> >>lets not lead the newbs astray...
> >
> >
> > Well said... Sometimes I don't think about what
> I'm typing until its
> > been sent. I end up sounding like a so many PHB's.
>
> >
> > Step 1: Loose nerd status
> > Step 2: Become PHB
> > Step 3: PROFIT!!
> Sadly, your last statement is all too true. :)
>
> --
> Eric Ellis
> Gilchrist County Sheriff's Department
> IT Coordinator
> eellis@mail.co.gilchrist.fl.us
> 352-463-3181
>
>
* Re: Can anyone tell me how to do this?
2004-09-23 13:22 ` Dominic Iadicicco
@ 2004-09-23 14:55 ` Jason Opperisano
2004-09-23 15:14 ` Dominic Iadicicco
0 siblings, 1 reply; 22+ messages in thread
From: Jason Opperisano @ 2004-09-23 14:55 UTC (permalink / raw)
To: netfilter
On Thu, 2004-09-23 at 09:22, Dominic Iadicicco wrote:
> ok, I have another one for all.
>
> I have now been tring to do this:
>
> I have an IP, 10.0.0.1 on eth1 and an IP 172.16.12.130
> at eth0. And heres were things get fun. I want all
> ssh requests that go to 10.0.0.1 to get routed to
> 172.16.12.130 just like it worked when we did it from
> .130 to .212. (if anyone is new and doesn't what was
> discussed yesterday, please let me know I will post
> it.)
are 10.0.0.1 and 172.16.12.130 on the same physical machine?
-j
--
Jason Opperisano <opie@817west.com>
* Re: Can anyone tell me how to do this?
2004-09-23 14:55 ` Jason Opperisano
@ 2004-09-23 15:14 ` Dominic Iadicicco
2004-09-23 16:15 ` Jason Opperisano
0 siblings, 1 reply; 22+ messages in thread
From: Dominic Iadicicco @ 2004-09-23 15:14 UTC (permalink / raw)
To: netfilter
yes
> wrote: On Thu, 2004-09-23 at 09:22, Dominic Iadicicco wrote:
> ok, I have another one for all.
>
> I have now been tring to do this:
>
> I have an IP, 10.0.0.1 on eth1 and an IP 172.16.12.130
> at eth0. And heres were things get fun. I want all
> ssh requests that go to 10.0.0.1 to get routed to
> 172.16.12.130 just like it worked when we did it from
> .130 to .212. (if anyone is new and doesn't what was
> discussed yesterday, please let me know I will post
> it.)
are 10.0.0.1 and 172.16.12.130 on the same physical machine?
-j
--
Jason Opperisano
* Re: Can anyone tell me how to do this?
2004-09-23 15:14 ` Dominic Iadicicco
@ 2004-09-23 16:15 ` Jason Opperisano
2004-09-23 16:44 ` Samuel Díaz García (ArcosCom)
2004-09-23 16:58 ` Dominic Iadicicco
0 siblings, 2 replies; 22+ messages in thread
From: Jason Opperisano @ 2004-09-23 16:15 UTC (permalink / raw)
To: netfilter
On Thu, 2004-09-23 at 11:14, Dominic Iadicicco wrote:
> yes
>
> > wrote: On Thu, 2004-09-23 at 09:22, Dominic Iadicicco wrote:
> > ok, I have another one for all.
> >
> > I have now been tring to do this:
> >
> > I have an IP, 10.0.0.1 on eth1 and an IP 172.16.12.130
> > at eth0. And heres were things get fun. I want all
> > ssh requests that go to 10.0.0.1 to get routed to
> > 172.16.12.130 just like it worked when we did it from
> > .130 to .212. (if anyone is new and doesn't what was
> > discussed yesterday, please let me know I will post
> > it.)
>
> are 10.0.0.1 and 172.16.12.130 on the same physical machine?
>
> -j
i hate answering questions with the "why don't you just do it this way"
response, but here goes...
if you have SSH connections being received on 10.0.0.1, and that machine
also has an IP of 172.16.12.130, why don't you just accept the
connections on 10.0.0.1?
-j
--
Jason Opperisano <opie@817west.com>
* RE: Can anyone tell me how to do this?
2004-09-23 16:15 ` Jason Opperisano
@ 2004-09-23 16:44 ` Samuel Díaz García (ArcosCom)
2004-09-23 17:28 ` Dominic Iadicicco
2004-09-23 16:58 ` Dominic Iadicicco
1 sibling, 1 reply; 22+ messages in thread
From: Samuel Díaz García (ArcosCom) @ 2004-09-23 16:44 UTC (permalink / raw)
To: 'Jason Opperisano', netfilter
Consider that it is an internally configured SSH daemon and the administrator
doesn't want to modify the config because the daemon is working well.
The solution to open the service to another network is to map the ports.
A possible solution for redirecting the ssh port is (on the 10.0.0.1 machine):
1) Allow incoming SSH connections on the 10.0.0.1 iface.
2) Redirect 10.0.0.1:22 to 172.16.12.130:22
And ... how to do this with IPTABLES?
$> iptables -t filter -A INPUT -i eth1 -d 10.0.0.1 -m tcp -p tcp --dport 22 -j ACCEPT
$> iptables -t nat -A PREROUTING -i eth1 -d 10.0.0.1 -m tcp -p tcp --dport 22 \
   -j DNAT --to-destination 172.16.12.130:22
This adds the rules at the chain tail.
Regards,
Samuel Díaz García
Director Gerente
ArcosCom Wireless, S.L.L.
mailto:samueldg@arcoscom.com
http://www.arcoscom.com
mobile: 651 93 72 48
tel/fax: 956 70 13 15
-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Jason
Opperisano
Sent: Thursday, September 23, 2004 18:15
To: netfilter@lists.netfilter.org
Subject: Re: Can anyone tell me how to do this?
On Thu, 2004-09-23 at 11:14, Dominic Iadicicco wrote:
> yes
>
> > wrote: On Thu, 2004-09-23 at 09:22, Dominic Iadicicco wrote:
> > ok, I have another one for all.
> >
> > I have now been tring to do this:
> >
> > I have an IP, 10.0.0.1 on eth1 and an IP 172.16.12.130
> > at eth0. And heres were things get fun. I want all
> > ssh requests that go to 10.0.0.1 to get routed to
> > 172.16.12.130 just like it worked when we did it from
> > .130 to .212. (if anyone is new and doesn't what was
> > discussed yesterday, please let me know I will post
> > it.)
>
> are 10.0.0.1 and 172.16.12.130 on the same physical machine?
>
> -j
i hate answering questions with the "why don't you just do it this way"
response, but here goes...
if you have SSH connections being received on 10.0.0.1, and that machine
also has an IP of 172.16.12.130, why don't you just accept the
connections on 10.0.0.1?
-j
--
Jason Opperisano <opie@817west.com>
* Re: Can anyone tell me how to do this?
2004-09-23 16:15 ` Jason Opperisano
2004-09-23 16:44 ` Samuel Díaz García (ArcosCom)
@ 2004-09-23 16:58 ` Dominic Iadicicco
2004-09-23 17:31 ` Jason Opperisano
1 sibling, 1 reply; 22+ messages in thread
From: Dominic Iadicicco @ 2004-09-23 16:58 UTC (permalink / raw)
To: netfilter
Jason:
Thats a perfectly good question.
I am trying to learn how to use iptables. I have
read a lot of documentation but am not having too much
success. So my whole goal in this is just to learn.
:)
Thanks.
Dom
--- Jason Opperisano <opie@817west.com> wrote:
> On Thu, 2004-09-23 at 11:14, Dominic Iadicicco
> wrote:
> > yes
> >
> > > wrote: On Thu, 2004-09-23 at 09:22, Dominic
> Iadicicco wrote:
> > > ok, I have another one for all.
> > >
> > > I have now been tring to do this:
> > >
> > > I have an IP, 10.0.0.1 on eth1 and an IP
> 172.16.12.130
> > > at eth0. And heres were things get fun. I want
> all
> > > ssh requests that go to 10.0.0.1 to get routed
> to
> > > 172.16.12.130 just like it worked when we did it
> from
> > > .130 to .212. (if anyone is new and doesn't what
> was
> > > discussed yesterday, please let me know I will
> post
> > > it.)
> >
> > are 10.0.0.1 and 172.16.12.130 on the same
> physical machine?
> >
> > -j
>
> i hate answering questions with the "why don't you
> just do it this way"
> response, but here goes...
>
> if you have SSH connections being received on
> 10.0.0.1, and that machine
> also has an IP of 172.16.12.130, why don't you just
> accept the
> connections on 10.0.0.1?
>
> -j
>
> --
> Jason Opperisano <opie@817west.com>
>
>
>
* RE: Can anyone tell me how to do this?
2004-09-23 16:44 ` Samuel Díaz García (ArcosCom)
@ 2004-09-23 17:28 ` Dominic Iadicicco
2004-09-23 17:48 ` Jason Opperisano
0 siblings, 1 reply; 22+ messages in thread
From: Dominic Iadicicco @ 2004-09-23 17:28 UTC (permalink / raw)
To: netfilter
it didn't work
Thank you for the input though.
Dom
--- Samuel Díaz García (ArcosCom)
<samueldg@arcoscom.com> wrote:
> Think in that it is an internal configured SSH
> daemond and the administrator
> don't want to modify the config because the daemon
> is worwing well.
>
> The solution to open the service to another network
> is map the ports.
>
> A posible solution for redirect the ssh port is (in
> the 10.0.0.1 machine):
>
> 1) Allow incoming SSH connexs from the 10.0.0.1
> iface.
> 2) Redirect 10.0.0.1:22 to 172.16.12.130:22
>
> And ... how to do this with IPTABLES?
>
> $> iptables -t filter -A INPUT -i eth1 -d 10.0.0.1
> -m tcp -p tcp --dport
> 22 -j ACCEPT
> $> iptables -t nat -A PREROUTING -i eth1 -d 10.0.0.1
> -m tcp -p tcp --dport
> 22 -j DNAT --to-destination 172.16.12.130:22
>
> This add the rules at the chain tail.
>
> Regards,
>
> Samuel Díaz García
> Director Gerente
> ArcosCom Wireless, S.L.L.
>
> mailto:samueldg@arcoscom.com
> http://www.arcoscom.com
> mobile: 651 93 72 48
> tel/fax: 956 70 13 15
>
>
> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org
> [mailto:netfilter-bounces@lists.netfilter.org] On
> Behalf Of Jason
> Opperisano
> Sent: Thursday, September 23, 2004 18:15
> To: netfilter@lists.netfilter.org
> Subject: Re: Can anyone tell me how to do this?
>
>
> On Thu, 2004-09-23 at 11:14, Dominic Iadicicco
> wrote:
> > yes
> >
> > > wrote: On Thu, 2004-09-23 at 09:22, Dominic
> Iadicicco wrote:
> > > ok, I have another one for all.
> > >
> > > I have now been tring to do this:
> > >
> > > I have an IP, 10.0.0.1 on eth1 and an IP
> 172.16.12.130
> > > at eth0. And heres were things get fun. I want
> all
> > > ssh requests that go to 10.0.0.1 to get routed
> to
> > > 172.16.12.130 just like it worked when we did it
> from
> > > .130 to .212. (if anyone is new and doesn't what
> was
> > > discussed yesterday, please let me know I will
> post
> > > it.)
> >
> > are 10.0.0.1 and 172.16.12.130 on the same
> physical machine?
> >
> > -j
>
> i hate answering questions with the "why don't you
> just do it this way"
> response, but here goes...
>
> if you have SSH connections being received on
> 10.0.0.1, and that machine
> also has an IP of 172.16.12.130, why don't you just
> accept the
> connections on 10.0.0.1?
>
> -j
>
> --
> Jason Opperisano <opie@817west.com>
>
>
>
>
>
* Re: Can anyone tell me how to do this?
2004-09-23 16:58 ` Dominic Iadicicco
@ 2004-09-23 17:31 ` Jason Opperisano
2004-09-23 18:29 ` Aleksandar Milivojevic
0 siblings, 1 reply; 22+ messages in thread
From: Jason Opperisano @ 2004-09-23 17:31 UTC (permalink / raw)
To: netfilter
On Thu, 2004-09-23 at 12:58, Dominic Iadicicco wrote:
> Jason:
>
> Thats a perfectly good question.
>
> I am tring to learn how to use iptables. I have
> read a lot of documentation but am not having to much
> success. So my whole goal in this is just to learn.
> :)
>
>
> Thanks.
>
> Dom
this is not tested, but it works in my head:
iptables -t nat -A PREROUTING -i eth1 -p tcp \
-d 10.0.0.1 --dport 22 -j DNAT --to-destination 172.16.12.130
# at this point, the netfilter code should treat this
# packet as "locally-destined" and i *believe* will
# never enter the FORWARD chain
iptables -A INPUT -p tcp -d 172.16.12.130 --dport 22 -j ACCEPT
i'm pretty sure i recall reading somewhere that the INPUT vs. FORWARD
decision is solely based on IP, not interface. so even though
conceptually it seems as though the packet would be "forwarded" from
eth1 to eth0, it's still just an INPUT packet, as it is destined for a
local IP (172.16.12.130)... the "IN=" in a log entry should still show
eth1, i think...
let us know how it goes.
-j
--
Jason Opperisano <opie@817west.com>
* RE: Can anyone tell me how to do this?
2004-09-23 17:28 ` Dominic Iadicicco
@ 2004-09-23 17:48 ` Jason Opperisano
2004-09-23 18:26 ` Dominic Iadicicco
0 siblings, 1 reply; 22+ messages in thread
From: Jason Opperisano @ 2004-09-23 17:48 UTC (permalink / raw)
To: netfilter
On Thu, 2004-09-23 at 13:28, Dominic Iadicicco wrote:
> it didn't work
>
>
> Thank you for the input though.
>
>
> Dom
hmmm...i never got Samuel's response...
a good learning exercise for you would be to figure out why it doesn't
work...
> --- Samuel Díaz García (ArcosCom)
> <samueldg@arcoscom.com> wrote:
[ snip]
> > $> iptables -t filter -A INPUT -i eth1 -d 10.0.0.1
> > -m tcp -p tcp --dport
> > 22 -j ACCEPT
this allows connections to pass an INPUT filter rule with destination IP
10.0.0.1 and destination port 22 (TCP).
that wasn't really what you were asking for, but may be of some use to
you in another situation...
> > $> iptables -t nat -A PREROUTING -i eth1 -d 10.0.0.1
> > -m tcp -p tcp --dport
> > 22 -j DNAT --to-destination 172.16.12.130:22
think about what the word PREROUTING means. it means that before this
linux host ever makes any layer 3 decision about this packet at
all--we're going to modify it. once this rule is applied--the linux
host will never ever see a packet that has a destination IP of 10.0.0.1
in the context of this connection. the destination IP is
172.16.12.130. as such, any filter rules applied later in the stack
will have to accommodate 172.16.12.130, not 10.0.0.1.
if you're using this as a learning experience (and i hope this is on a
test machine); i recommend LOG-ing everything you can, break things at
will, figure out why they broke, and how to fix them.
and i never get tired of pimping this:
http://iptables-tutorial.frozentux.net/iptables-tutorial.html
HTH...
-j
--
Jason Opperisano <opie@817west.com>
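Jason's advice above is to LOG everything while learning. As an added example (not from this thread, not netfilter code), here is a small parser for the syslog lines the iptables LOG target writes, run over constructed sample lines from a box that owns 10.0.0.1 on eth1 and 172.16.12.130 on eth0. It follows one TCP flow across two log points and shows what the DNAT rule changed: DST is 10.0.0.1 before the nat/PREROUTING rule and 172.16.12.130 in filter/INPUT, while IN= stays eth1. The log prefixes "PRE-DNAT:" and "INPUT-CHK:", the client address 10.0.0.50 and the MAC values are assumptions made up for the sample.

```python
"""Parse iptables LOG target lines (syslog "kernel:" records) and follow one
TCP flow across log points, to see what a DNAT rule changed.  Added example
for this thread; the sample lines below are constructed, not captured."""
import re
from collections import defaultdict

# Constructed sample: three LOG hits.  Assumed log prefixes: "PRE-DNAT:" on a
# LOG rule placed before the DNAT rule in nat/PREROUTING, "INPUT-CHK:" on a
# LOG rule in filter/INPUT.  The third hit is port 80, which the DNAT rule
# (--dport 22) does not touch, so its DST is unchanged.
SAMPLE_LOG = """\
Sep 23 13:40:01 devil kernel: PRE-DNAT: IN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=10.0.0.50 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 23 13:40:01 devil kernel: INPUT-CHK: IN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=10.0.0.50 DST=172.16.12.130 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 23 13:40:05 devil kernel: INPUT-CHK: IN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=10.0.0.50 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4322 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# "kernel:" [optional "[ts]"] <--log-prefix text> "IN=..." key=value tokens
LOG_RE = re.compile(r"kernel:\s*(?:\[\s*\d+\.\d+\]\s*)?(?P<prefix>.*?)\s*(?P<body>IN=.*)$")


def parse_log_line(line):
    """Return {'prefix', 'fields', 'flags'} for a LOG line, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("body").split():
        if "=" in tok:
            key, val = tok.split("=", 1)   # OUT= on an INPUT hit gives an empty value
            fields[key] = val
        else:
            flags.add(tok)                 # DF, SYN, ACK, ... carry no value
    return {"prefix": m.group("prefix"), "fields": fields, "flags": flags}


def parse_log(text):
    """All LOG entries in a syslog excerpt, in file order; other lines are skipped."""
    return [e for e in (parse_log_line(l) for l in text.splitlines()) if e]


def flow_trace(entries, src, spt):
    """(prefix, IN, DST, DPT) at each log point for one TCP flow, in log order."""
    out = []
    for e in entries:
        f = e["fields"]
        if f.get("PROTO") == "TCP" and f.get("SRC") == src and f.get("SPT") == spt:
            out.append((e["prefix"], f.get("IN"), f.get("DST"), f.get("DPT")))
    return out


def rewritten_flows(entries):
    """Flows whose DST differs between log points, i.e. the ones a DNAT rule rewrote."""
    by_flow = defaultdict(set)
    for e in entries:
        f = e["fields"]
        if f.get("PROTO") == "TCP":
            by_flow[(f["SRC"], f["SPT"])].add(f["DST"])
    return {k: sorted(v) for k, v in by_flow.items() if len(v) > 1}


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for step in flow_trace(entries, "10.0.0.50", "40001"):
        print(step)
    print("rewritten:", rewritten_flows(entries))
```

Run it against a real /var/log/messages excerpt by replacing SAMPLE_LOG; a flow that shows up in rewritten_flows but has no entry from the filter chain you expected is the symptom Jason describes, the later rule matching the pre-DNAT address.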
* RE: Can anyone tell me how to do this?
2004-09-23 17:48 ` Jason Opperisano
@ 2004-09-23 18:26 ` Dominic Iadicicco
0 siblings, 0 replies; 22+ messages in thread
From: Dominic Iadicicco @ 2004-09-23 18:26 UTC (permalink / raw)
To: netfilter
Here is Samuel's response
> > $> iptables -t filter -A INPUT -i eth1 -d 10.0.0.1 -m tcp -p tcp --dport 22 -j ACCEPT
this allows connections to pass an INPUT filter rule with destination IP
10.0.0.1 and destination port 22 (TCP).
that wasn't really what you were asking for, but may be of some use to
you in another situation...
> > $> iptables -t nat -A PREROUTING -i eth1 -d 10.0.0.1 -m tcp -p tcp --dport 22 -j DNAT --to-destination 172.16.12.130:22
think about what the word PREROUTING means. it means that before this
linux host ever makes any layer 3 decision about this packet at
all--we're going to modify it. once this rule is applied--the linux
host will never ever see a packet that has a destination IP of 10.0.0.1
in the context of this connection. the destination IP is
172.16.12.130. as such, any filter rules applied later in the stack
will have to accommodate 172.16.12.130, not 10.0.0.1.
if you're using this as a learning experience (and i hope this is on a
test machine); i recommend LOG-ing everything you can, break things at
will, figure out why they broke, and how to fix them.
and i never get tired of pimping this:
http://iptables-tutorial.frozentux.net/iptables-tutorial.html
HTH...
--- Jason Opperisano <opie@817west.com> wrote:
> On Thu, 2004-09-23 at 13:28, Dominic Iadicicco
> wrote:
> > it didn't work
> >
> >
> > Thank you for the input though.
> >
> >
> > Dom
>
> hmmm...i never got Samuel's response...
>
> a good learning exercise for you would be to figure
> out why it doesn't
> work...
>
> > --- Samuel Díaz García (ArcosCom)
> > <samueldg@arcoscom.com> wrote:
>
> [ snip]
>
> > > $> iptables -t filter -A INPUT -i eth1 -d
> 10.0.0.1
> > > -m tcp -p tcp --dport
> > > 22 -j ACCEPT
>
> this allows connections to pass an INPUT filter rule
> with destination IP
> 10.0.0.1 and destination port 22 (TCP).
>
> that wasn't really what you were asking for, but may
> be of some use to
> you in another situation...
>
> > > $> iptables -t nat -A PREROUTING -i eth1 -d
> 10.0.0.1
> > > -m tcp -p tcp --dport
> > > 22 -j DNAT --to-destination 172.16.12.130:22
>
> think about what the word PREROUTING means. it
> means that before this
> linux host every makes any layer 3 decision about
> this packet at
> all--we're going to modify it. once this rule is
> applied--the linux
> host will never ever see a packet that has a
> destination IP of 10.0.0.1
> in the context of this connection. the destination
> IP is
> 172.16.12.130. as such, any filter rules applied
> later in the stack
> will have to accommodate 172.16.12.130, not
> 10.0.0.1.
>
> if you're using this as a learning experience (and i
> hope this is on a
> test machine); i recommend LOG-ing everything you
> can, break things at
> will, figure out why they broke, and how to fix
> them.
>
> and i never get tired of pimping this:
>
>
http://iptables-tutorial.frozentux.net/iptables-tutorial.html
>
> HTH...
>
> -j
>
> --
> Jason Opperisano <opie@817west.com>
>
>
>
* Re: Can anyone tell me how to do this?
2004-09-23 17:31 ` Jason Opperisano
@ 2004-09-23 18:29 ` Aleksandar Milivojevic
0 siblings, 0 replies; 22+ messages in thread
From: Aleksandar Milivojevic @ 2004-09-23 18:29 UTC (permalink / raw)
To: netfilter
Jason Opperisano wrote:
> i'm pretty sure i recall reading somewhere that the INPUT vs. FORWARD
> decision is solely based on IP, not interface. so even though
> conceptually it seems as though the packet would be "forwarded" from
> eth1 to eth0, it's still just an INPUT packet, as it is destined for a
> local IP (172.16.12.130)... the "IN=" in a log entry should still show
> eth1, i think...
You are pretty right about that one. If a packet is to be delivered to
a local process, it will end up in the INPUT chain. The decision is not made
based upon interfaces or addresses; it is made purely on whether
or not the packet will be delivered to a local process, or forwarded to
another (or the same) interface. This is because all the packets from all
interfaces first go to the PREROUTING chain of the nat table; after that
routing decisions are made, and after that, if the packet is to be "routed"
to a local process it goes to the INPUT chain of the filter table, otherwise it
goes to the FORWARD chain of the filter table and then to the POSTROUTING chain of
the nat table and to the physical interface. So, once a packet ends up in the
FORWARD chain, the kernel has already decided through which interface
it will be sent out, and there is no way back.
Jim Cliver has a nice diagram showing all this (one image is worth
thousands of words):
http://www.aptalaska.net/~jclive/IPTablesFlowChart.pdf
--
Aleksandar Milivojevic <amilivojevic@pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
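Eric's advice earlier in the thread was to write down the life of a packet on its way in and back; the model below does that on paper, in code. It is an added example, not part of this thread and not netfilter code: a toy of the traversal Aleksandar describes (nat/PREROUTING, routing decision, filter/INPUT or filter/FORWARD, nat/POSTROUTING) with a minimal conntrack table, and it walks both cases discussed here. hairpin() is Eric's DNAT on the .130 box with and without his SNAT rule, showing which source address the client sees on the reply; local_dnat() is Dominic's second question, DNAT 10.0.0.1:22 to 172.16.12.130 on the box that owns both addresses, showing why Samuel's INPUT rule on -d 10.0.0.1 never matches and Jason's on -d 172.16.12.130 does. Assumptions: rules match only on -d and --dport, chains without a matching ACCEPT behave as policy DROP, and the client addresses 172.16.12.50 and 10.0.0.50 are constructed.

```python
"""Toy model of the path a packet takes through one Linux box, as this
thread describes it: nat/PREROUTING -> routing decision -> filter/INPUT
or filter/FORWARD -> nat/POSTROUTING, plus the connection-tracking
reversal applied to the reply.  Added example, not netfilter code."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    chain: str                    # PREROUTING, INPUT, FORWARD or POSTROUTING
    target: str                   # DNAT, SNAT or ACCEPT
    dst: Optional[str] = None     # -d match; None matches any address
    dport: Optional[int] = None   # --dport match; None matches any port
    to: Optional[str] = None      # --to address for DNAT / SNAT


class Box:
    """One host: its local addresses, its rules and a minimal conntrack table.
    Chains without a matching ACCEPT rule are treated as policy DROP (assumed)."""

    def __init__(self, local_ips, rules, ip_forward=True):
        self.local_ips = set(local_ips)
        self.rules = list(rules)
        self.ip_forward = ip_forward   # net.ipv4.ip_forward
        self.conntrack = {}            # (reply src, reply dst) -> (un-NATed src, dst)

    def _match(self, chain, pkt):
        """First rule of `chain` whose -d / --dport match, as iptables walks a chain."""
        for r in self.rules:
            if r.chain == chain and r.dst in (None, pkt.dst) and r.dport in (None, pkt.dport):
                return r
        return None

    def inbound(self, pkt):
        """Return (chain, verdict, packet as it leaves the box or reaches a local process)."""
        orig = pkt
        r = self._match("PREROUTING", pkt)
        if r and r.target == "DNAT":
            pkt = replace(pkt, dst=r.to)          # rewritten BEFORE the routing decision
        if pkt.dst in self.local_ips:             # routing decision: local address -> INPUT
            r = self._match("INPUT", pkt)
            if not (r and r.target == "ACCEPT"):
                return "INPUT", "DROP", pkt
            # the local process replies from pkt.dst; conntrack restores the original dst
            self.conntrack[(pkt.dst, orig.src)] = (orig.dst, orig.src)
            return "INPUT", "ACCEPT", pkt
        if not self.ip_forward:                   # sysctl net.ipv4.ip_forward=0
            return "FORWARD", "DROP", pkt
        r = self._match("FORWARD", pkt)
        if not (r and r.target == "ACCEPT"):
            return "FORWARD", "DROP", pkt
        r = self._match("POSTROUTING", pkt)
        if r and r.target == "SNAT":
            pkt = replace(pkt, src=r.to)          # rewritten AFTER the routing decision
        self.conntrack[(pkt.dst, pkt.src)] = (orig.dst, orig.src)
        return "FORWARD", "ACCEPT", pkt

    def reply(self, reply_src, reply_dst):
        """Un-NAT a reply passing through this box; unknown flows are left alone."""
        return self.conntrack.get((reply_src, reply_dst), (reply_src, reply_dst))


def client_sees(box, client_ip, target_ip, port=22):
    """Source address the client observes on the SYN-ACK, or None if the SYN was dropped."""
    chain, verdict, out = box.inbound(Packet(client_ip, target_ip, port))
    if verdict != "ACCEPT":
        return None
    reply_src, reply_dst = out.dst, out.src       # the answering host replies to what it saw
    if chain == "INPUT" or reply_dst in box.local_ips:
        reply_src, reply_dst = box.reply(reply_src, reply_dst)   # reply crosses the box again
    return reply_src                               # the client expects this to equal target_ip


def hairpin(with_snat):
    """Eric's case: DNAT .130:22 -> .212 on the .130 box; client .50 is a constructed address."""
    rules = [Rule("PREROUTING", "DNAT", dst="172.16.12.130", dport=22, to="172.16.12.212"),
             Rule("FORWARD", "ACCEPT", dst="172.16.12.212")]
    if with_snat:
        rules.append(Rule("POSTROUTING", "SNAT", dst="172.16.12.212", dport=22, to="172.16.12.130"))
    return client_sees(Box(["172.16.12.130"], rules), "172.16.12.50", "172.16.12.130")


def local_dnat(input_rule_dst):
    """Dominic's second case: DNAT 10.0.0.1:22 -> 172.16.12.130 on the box owning both.
    Samuel's INPUT rule matched -d 10.0.0.1, Jason's matched -d 172.16.12.130."""
    rules = [Rule("PREROUTING", "DNAT", dst="10.0.0.1", dport=22, to="172.16.12.130"),
             Rule("INPUT", "ACCEPT", dst=input_rule_dst, dport=22)]
    box = Box(["10.0.0.1", "172.16.12.130"], rules)
    chain, verdict, _ = box.inbound(Packet("10.0.0.50", "10.0.0.1", 22))
    return chain, verdict, client_sees(box, "10.0.0.50", "10.0.0.1")


if __name__ == "__main__":
    print("hairpin, no SNAT:", hairpin(False), " with SNAT:", hairpin(True))
    print("INPUT -d 10.0.0.1:", local_dnat("10.0.0.1"), " INPUT -d 172.16.12.130:", local_dnat("172.16.12.130"))
```

Without the SNAT rule the reply reaches the client straight from 172.16.12.212, so the client sees a SYN-ACK from an address it never connected to and discards it, which is Eric's "bad day for him"; with it, the reply comes back through the .130 box and conntrack restores the addresses the client expects. In the local case the DNATed packet is routed to INPUT, not FORWARD, so the only rule that can accept it is one that matches the post-DNAT destination.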