Re: ip alias

Re: ip alias

[Aleksandar Milivojevic]

John Black wrote:
> eth0 161.31.31.22 
> eth0:0 161.31.31.23 (i hope)
> eth1 192.168.1.1

So, eth0 is your external interface with two IP addresses assigned to 
it, and eth1 is interface to your local network?  Don't hope if the 
interface has an address assigned.  Check it with "ifconfig" or "ip 
address show".

Access to the Internet from the firewall box will work out of the box. 
Linux will use address of eth0 for all packets that are to leave the box 
out of eth0.

To allow hosts on your local network to access the internet, you need to 
enable forwarding and define simple NAT rule:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/16 -j SNAT 
--to-source 161.31.31.23

If you wanted to allow access *from* the Internet to one of the hosts on 
your local network (that doesn't have public IP address), than you would 
use DNAT target.

> this is how it was shown in the double nat howto.  so i was
> trying to take that and make it work for a signle.

Howtos are nice, but having an understanding on how things work should 
be priority.  Otherwise you end up with configuration that you have no 
idea what it is doing.  And that is a very bad thing, especially when 
building an firewall.

-- 
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7

Re: ip alias

[John Black]

> You say "it will not let me out". Is that out to the internet ?
> I can't see the use for the above :
> - You assign an ip alias to eth0:0
> - You forward all traffic coming in on eth0 (that is directed to the
> aliased ip 192.168.1.23) to 161.31.31.23
> By doing this you won't get access to the internet.

but, how would you forward outgoing traffic to this address?  So 
all traffic generated on 192.168.1.23 is see coming from 161.31.31.23?

john

Re: ip alias

[Jason Opperisano]

On Tue, 2004-09-28 at 08:04, John Black wrote:
> > You say "it will not let me out". Is that out to the internet ?
> > I can't see the use for the above :
> > - You assign an ip alias to eth0:0
> > - You forward all traffic coming in on eth0 (that is directed to the
> > aliased ip 192.168.1.23) to 161.31.31.23
> > By doing this you won't get access to the internet.
> 
> but, how would you forward outgoing traffic to this address?  So 
> all traffic generated on 192.168.1.23 is see coming from 161.31.31.23?
> 
> john

it sounds like you're trying to do this:

  iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.23 \
    -j SNAT --to-source 161.31.31.23

-j

-- 
Jason Opperisano <opie@817west.com>

Re: ip alias

[Jose Maria Lopez]

El mar, 28 de 09 de 2004 a las 14:04, John Black escribió:
> > You say "it will not let me out". Is that out to the internet ?
> > I can't see the use for the above :
> > - You assign an ip alias to eth0:0
> > - You forward all traffic coming in on eth0 (that is directed to the
> > aliased ip 192.168.1.23) to 161.31.31.23
> > By doing this you won't get access to the internet.
> 
> but, how would you forward outgoing traffic to this address?  So 
> all traffic generated on 192.168.1.23 is see coming from 161.31.31.23?
> 
> john

You can use SNAT to do this, just make a rule that does SNAT
from 192.168.1.23 to 161.31.31.23.

-- 
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"

ip alias

[John Black]

I'm tryint to setup ip alias with iptables on fedora core 2.

Is this right?  For some reason it will not let me out?

ifconfig eth0:0 192.168.1.23 netmask 255.255.255.0
iptables -t nat -A PREROUTING -d 192.168.1.23 -i eth0 \
                -j DNAT --to-destination 161.31.31.23


thanks
john

Re: ip alias

[John Black]

> > ifconfig eth0:0 192.168.1.23 netmask 255.255.255.0
> 
> not this:
> 
> > iptables -t nat -A PREROUTING -d 192.168.1.23 -i eth0 \
> >                -j DNAT --to-destination 161.31.31.23

but i want eth0:0 to be asigned that particular address to the internet.  

Re: ip alias

[Jose Maria Lopez]

El mar, 28 de 09 de 2004 a las 06:44, John Black escribió:
> > > ifconfig eth0:0 192.168.1.23 netmask 255.255.255.0
> > 
> > not this:
> > 
> > > iptables -t nat -A PREROUTING -d 192.168.1.23 -i eth0 \
> > >                -j DNAT --to-destination 161.31.31.23
> 
> but i want eth0:0 to be asigned that particular address to the internet.  

Then I think your rule it's Ok. It will redirect all the traffic
with destination 192.168.1.23 to 161.31.31.23.

-- 
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"

Re: ip alias

[Aleksandar Milivojevic]

Quoting John Black <black@arbbs.net>
Date: Mon, 27 Sep 2004 22:15:50

> I'm tryint to setup ip alias with iptables on fedora core 2.
> 
> Is this right?  For some reason it will not let me out?
> 
> ifconfig eth0:0 192.168.1.23 netmask 255.255.255.0
> iptables -t nat -A PREROUTING -d 192.168.1.23 -i eth0 \
>                 -j DNAT --to-destination 161.31.31.23

Not quite sure what are you trying to do with above.  You don't need iptables to
set up an alias.  The ifconfig or ip commands will suffice.

What do you want to achieve with iptables command?  What it will do is that all
packets addressed for 192.168.1.23 that arrive into box (not generated on the
box) on interface eth0 will be sent to 161.31.31.23 (with that IP address as
destination).  Is that what you wanted to do?

-- 
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7

Re: ip alias

[John Black]

>
> Not quite sure what are you trying to do with above.  You don't need
iptables to
> set up an alias.  The ifconfig or ip commands will suffice.
>
> What do you want to achieve with iptables command?  What it will do is
that all
> packets addressed for 192.168.1.23 that arrive into box (not generated on
the
> box) on interface eth0 will be sent to 161.31.31.23 (with that IP address
as
> destination).  Is that what you wanted to do?
>
but the traffic from 192.168.1.23 that i need to go to the internet i would
like to
have addressed as 161.31.31.23

john

Re: ip alias

[Aleksandar Milivojevic]

John Black wrote:
> but the traffic from 192.168.1.23 that i need to go to the internet i would
> like to
> have addressed as 161.31.31.23

You need SNAT (source NAT), not DNAT (destination NAT).  I'll assume 
eth0 has address 161.31.31.23:

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 161.31.31.23

or if eth0 has dinamically allocated IP address:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUARADE

I'm not sure why you are assigning local IP address as an alias to your 
external interface (probably something you haven't mentioned), so I 
wan't comment on whether it is needed or not.  Also, in case when you 
have multiple IP addresses (aliases) assigned to an interface, I'm not 
sure exactly how MASQUERADE target behaves.  man iptables for more 
details and differences between SNAT and MASQUERADE targets.

-- 
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7

IP_ALIAS

[ruschein]

This option, according to .../Documentation/networking/alias.txt, seems
to be missing in 2.4.0-test13-pre4?  Could whoever maintains this please
update either the code or the documentation?
-- 
Sincerely,
Johannes
--
Dr. Johannes Ruscheinski
Infomine Lead Programmer            ***              LINUX,             ***
EMail:    ruschein@infomine.ucr.edu ***                                 ***
Location: science library, room 218 *** The Choice Of A GNU Generation! ***
Phone:    (909) 787-2290

"Faith may be defined briefly as an illogical belief in the occurrence of the
 improbable...A man full of faith is simply one who has lost (or never had)
 the capacity for clear and realistic thought. He is not a mere ass: he is
 actually ill."
 -- H. L. Mencken

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/