RES: NAT 1:N

RES: NAT 1:N

[Gustavo L. P. dos Santos]

Maybe I wasn´t clear enought with my question, the two machines are web servers visible on the Internet, and I can´t use MASQUERADE for this. If it was the basics i wouldn´t bother you all. And sorry for the annoyance.

Cheers.,

-------------------------------------------------
 ,= ,-_-. =.  Gustavo Lima Peres dos Santos
(( /)0 0(\_)) Security Analyst - INEP 
 `-'(. .)`-'  <gustavo.santos@inep.gov.br>
     \_/      Tel.: +55-61-2104-7684/9080
-------------------------------------------------

Esta mensagem eletrônica pode conter informações privilegiadas e/ou confidenciais, portanto fica o seu receptor notificado de que qualquer disseminação, distribuição ou cópia não autorizada é estritamente proibida. Se você recebeu esta mensagem indevidamente ou por engano, por favor, informe este fato ao remetente e a apague de seu computador imediatamente.

This e-mail message may contain legally privileged and/or confidential information, therefore, the recipient is hereby notified that any unauthorized dissemination, distribution or copying is strictly prohibited. If you have received this e-mail message inappropriately or accidentally, please notify the sender and delete it from your computer immediately. 

-----Mensagem original-----
De: Eljas Alakulppi [mailto:Buzer@buzer.net]
Enviada em: sexta-feira, 29 de junho de 2007 17:19
Para: Gustavo L. P. dos Santos; netfilter@lists.netfilter.org
Assunto: Re: NAT 1:N


First I recomend you to read some basic documentation about iptables (this  
is covered in about every iptables howto). Anyway, the command is (of  
course, make sure you have the required modules loaded/compiled in kernel):
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

Gustavo L. P. dos Santos <gustavo.santos@inep.gov.br> kirjoitti Fri, 29  
Jun 2007 23:01:41 +0300:

> Hi,
>
> 	I´m new on the list, so don´t get mad if my question was posted before.  
> I need some help to configure a NAT 1:N with iptables. I need some  
> examples of the syntax to implement this.
>
> 	Here is the solution, that i want to implement: I have two machines in  
> my LAN, that i want to be visible on the Internet using only one valid  
> IP.
>
> 	Sorry for the bad english.
>
> Cheers,
>
> -------------------------------------------------
>  ,= ,-_-. =.  Gustavo Lima Peres dos Santos
> (( /)0 0(\_)) Security Analyst - INEP
>  `-'(. .)`-'  <gustavo.santos@inep.gov.br>
>      \_/      Tel.: +55-61-2104-7684/9080
> -------------------------------------------------
>
> Esta mensagem eletrônica pode conter informações privilegiadas e/ou  
> confidenciais, portanto fica o seu receptor notificado de que qualquer  
> disseminação, distribuição ou cópia não autorizada é estritamente  
> proibida. Se você recebeu esta mensagem indevidamente ou por engano, por  
> favor, informe este fato ao remetente e a apague de seu computador  
> imediatamente.
>
> This e-mail message may contain legally privileged and/or confidential  
> information, therefore, the recipient is hereby notified that any  
> unauthorized dissemination, distribution or copying is strictly  
> prohibited. If you have received this e-mail message inappropriately or  
> accidentally, please notify the sender and delete it from your computer  
> immediately.
>

RE: NAT 1:N

[Ric Messier]

Are you looking for redirect rules?
-A PREROUTING -d w.x.y.z -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.16.0.2


You can't have two Web servers redirected through one IP address because there is only one port 80. You'd have to move the other Web server to another port. If you are looking for load balancing, you may need to look elsewhere.

Ric


-----Original Message-----
From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Gustavo L. P. dos Santos
Sent: Friday, June 29, 2007 2:29 PM
To: Eljas Alakulppi; netfilter@lists.netfilter.org
Subject: RES: NAT 1:N

Maybe I wasn´t clear enought with my question, the two machines are web servers visible on the Internet, and I can´t use MASQUERADE for this. If it was the basics i wouldn´t bother you all. And sorry for the annoyance.

Cheers.,

-------------------------------------------------
 ,= ,-_-. =.  Gustavo Lima Peres dos Santos
(( /)0 0(\_)) Security Analyst - INEP 
 `-'(. .)`-'  <gustavo.santos@inep.gov.br>
     \_/      Tel.: +55-61-2104-7684/9080
-------------------------------------------------

Esta mensagem eletrônica pode conter informações privilegiadas e/ou confidenciais, portanto fica o seu receptor notificado de que qualquer disseminação, distribuição ou cópia não autorizada é estritamente proibida. Se você recebeu esta mensagem indevidamente ou por engano, por favor, informe este fato ao remetente e a apague de seu computador imediatamente.

This e-mail message may contain legally privileged and/or confidential information, therefore, the recipient is hereby notified that any unauthorized dissemination, distribution or copying is strictly prohibited. If you have received this e-mail message inappropriately or accidentally, please notify the sender and delete it from your computer immediately. 

-----Mensagem original-----
De: Eljas Alakulppi [mailto:Buzer@buzer.net]
Enviada em: sexta-feira, 29 de junho de 2007 17:19
Para: Gustavo L. P. dos Santos; netfilter@lists.netfilter.org
Assunto: Re: NAT 1:N


First I recomend you to read some basic documentation about iptables (this  
is covered in about every iptables howto). Anyway, the command is (of  
course, make sure you have the required modules loaded/compiled in kernel):
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

Gustavo L. P. dos Santos <gustavo.santos@inep.gov.br> kirjoitti Fri, 29  
Jun 2007 23:01:41 +0300:

> Hi,
>
> 	I´m new on the list, so don´t get mad if my question was posted before.  
> I need some help to configure a NAT 1:N with iptables. I need some  
> examples of the syntax to implement this.
>
> 	Here is the solution, that i want to implement: I have two machines in  
> my LAN, that i want to be visible on the Internet using only one valid  
> IP.
>
> 	Sorry for the bad english.
>
> Cheers,
>
> -------------------------------------------------
>  ,= ,-_-. =.  Gustavo Lima Peres dos Santos
> (( /)0 0(\_)) Security Analyst - INEP
>  `-'(. .)`-'  <gustavo.santos@inep.gov.br>
>      \_/      Tel.: +55-61-2104-7684/9080
> -------------------------------------------------
>
> Esta mensagem eletrônica pode conter informações privilegiadas e/ou  
> confidenciais, portanto fica o seu receptor notificado de que qualquer  
> disseminação, distribuição ou cópia não autorizada é estritamente  
> proibida. Se você recebeu esta mensagem indevidamente ou por engano, por  
> favor, informe este fato ao remetente e a apague de seu computador  
> imediatamente.
>
> This e-mail message may contain legally privileged and/or confidential  
> information, therefore, the recipient is hereby notified that any  
> unauthorized dissemination, distribution or copying is strictly  
> prohibited. If you have received this e-mail message inappropriately or  
> accidentally, please notify the sender and delete it from your computer  
> immediately.
>

Re: NAT 1:N

[Ivan Dubrov]

[-- Attachment #1: Type: text/plain, Size: 712 bytes --]

Ric Messier wrote:
> Are you looking for redirect rules?
> -A PREROUTING -d w.x.y.z -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.16.0.2
>
>
> You can't have two Web servers redirected through one IP address because there is only one port 80. You'd have to move the other Web server to another port. If you are looking for load balancing, you may need to look elsewhere.
>   
This cannot be done via iptables only, but this can be done with Apache
mod_proxy module. Install Apache on the router and proxy requests to
backend server discriminating by the servername (for example, proxy all
requests to http://web1.example.com/ to first Web server,
http://web2.example.com/ to the second).



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: RES: NAT 1:N

[Frank Gruellich]

Hi,

* Gustavo L. P. dos Santos <gustavo.santos@inep.gov.br> 29. Jun 07:
> Maybe I wasn??t clear enought with my question, the two machines are
> web servers visible on the Internet, and I can??t use MASQUERADE for
> this. If it was the basics i wouldn??t bother you all. And sorry for
> the annoyance.

Don't worry, seems you're not the only one who should do some RTFM on
this list...

The situation you have is clearly described at Oskar Andreassons great
tutorial (a Must-Read for iptables users, IMHO):
http://iptables-tutorial.frozentux.net/iptables-tutorial.html#DNATTARGET

You should use a range of IP#s for --to-destination.  Note, that single
TCP streams will allways be directed to same server while different
streams will be directed in a simple load balancing manner (I think
round robin).  This implies that you don't have any problems with rather
static content, but if you keep session information at server you have
to distribute that to all your webservers.

HTH, kind regards,
 Frank.
-- 
Sigmentation fault

NAT 1:N

[Gustavo L. P. dos Santos]

Hi,

	I´m new on the list, so don´t get mad if my question was posted before. I need some help to configure a NAT 1:N with iptables. I need some examples of the syntax to implement this.

	Here is the solution, that i want to implement: I have two machines in my LAN, that i want to be visible on the Internet using only one valid IP.

	Sorry for the bad english.

Cheers,

-------------------------------------------------
 ,= ,-_-. =.  Gustavo Lima Peres dos Santos
(( /)0 0(\_)) Security Analyst - INEP 
 `-'(. .)`-'  <gustavo.santos@inep.gov.br>
     \_/      Tel.: +55-61-2104-7684/9080
-------------------------------------------------

Esta mensagem eletrônica pode conter informações privilegiadas e/ou confidenciais, portanto fica o seu receptor notificado de que qualquer disseminação, distribuição ou cópia não autorizada é estritamente proibida. Se você recebeu esta mensagem indevidamente ou por engano, por favor, informe este fato ao remetente e a apague de seu computador imediatamente.

This e-mail message may contain legally privileged and/or confidential information, therefore, the recipient is hereby notified that any unauthorized dissemination, distribution or copying is strictly prohibited. If you have received this e-mail message inappropriately or accidentally, please notify the sender and delete it from your computer immediately. 

Re: NAT 1:N

[Eljas Alakulppi]

First I recomend you to read some basic documentation about iptables (this  
is covered in about every iptables howto). Anyway, the command is (of  
course, make sure you have the required modules loaded/compiled in kernel):
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

Gustavo L. P. dos Santos <gustavo.santos@inep.gov.br> kirjoitti Fri, 29  
Jun 2007 23:01:41 +0300:

> Hi,
>
> 	I´m new on the list, so don´t get mad if my question was posted before.  
> I need some help to configure a NAT 1:N with iptables. I need some  
> examples of the syntax to implement this.
>
> 	Here is the solution, that i want to implement: I have two machines in  
> my LAN, that i want to be visible on the Internet using only one valid  
> IP.
>
> 	Sorry for the bad english.
>
> Cheers,
>
> -------------------------------------------------
>  ,= ,-_-. =.  Gustavo Lima Peres dos Santos
> (( /)0 0(\_)) Security Analyst - INEP
>  `-'(. .)`-'  <gustavo.santos@inep.gov.br>
>      \_/      Tel.: +55-61-2104-7684/9080
> -------------------------------------------------
>
> Esta mensagem eletrônica pode conter informações privilegiadas e/ou  
> confidenciais, portanto fica o seu receptor notificado de que qualquer  
> disseminação, distribuição ou cópia não autorizada é estritamente  
> proibida. Se você recebeu esta mensagem indevidamente ou por engano, por  
> favor, informe este fato ao remetente e a apague de seu computador  
> imediatamente.
>
> This e-mail message may contain legally privileged and/or confidential  
> information, therefore, the recipient is hereby notified that any  
> unauthorized dissemination, distribution or copying is strictly  
> prohibited. If you have received this e-mail message inappropriately or  
> accidentally, please notify the sender and delete it from your computer  
> immediately.
>