multiple external IP's - virtual NIC - DNAT problems

multiple external IP's - virtual NIC - DNAT problems

[koen.news]

Debian Lenny IPTABLES firewall.



I'm missing some essential knowledge on how to map multiple external IP's

I got from the ISP to specific internal IP's. 

Everything works qua NAT & redirects for one external IP (eth0) and

multiple internal subnets.



The external IP pack is available at the untrust interface of the router

(configured by the ISP) where eth0 of the firewall is connected to. 

Until now the firewall works with one of the external IP's. Port

forwarding works without a problem.



eth0: external IP1

eth1: internal 192.168.1.10/24



$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 --dport 9999 -j DNAT --to

192.168.2.240:3389) = Works perfect



I thought I needed to create via /etc/network/interfaces this: eth0:1 an

extra interfaces that matches official IP2 so I can DNAT traffic to a

specific server. 

IPtables doesn't accept eth0:1 as interface. But I can use the IP2. "IP2"

is the official IP e.g. $IPTABLES -t nat -A PREROUTING -p tcp -d "IP2"

--dport 80 -j DNAT --to 192.168.2.240:80 => doesn't work



1) Is this really necessary? First I tried to $IPTABLES -t nat -A

PREROUTING -p tcp -d "IP2" -j DNAT --to 192.168.2.240 without an virtual

interface but it doesn't work, TCP/IP does need an interface with the

correct IP to send data to I guesss :)

2) No other/better way than to define multiple official IP's to one iFACE?



This must be a common problem but I can't find a google answer. 

Any pointer on how to solve this problem? Maybe another approach. I will

need to do this for multiple servers. 



Koen Linders

Re: multiple external IP's - virtual NIC - DNAT problems

[Mike Wright]

koen.news@koca.be wrote:
> Debian Lenny IPTABLES firewall.
> 
> I'm missing some essential knowledge on how to map multiple external IP's
> I got from the ISP to specific internal IP's. 
> Everything works qua NAT & redirects for one external IP (eth0) and
> multiple internal subnets.
> 
> The external IP pack is available at the untrust interface of the router
> (configured by the ISP) where eth0 of the firewall is connected to. 
> Until now the firewall works with one of the external IP's. Port
> forwarding works without a problem.
> 
> eth0: external IP1
> eth1: internal 192.168.1.10/24
> 
> $IPTABLES -t nat -A PREROUTING -p tcp -i eth0 --dport 9999 -j DNAT --to
> 192.168.2.240:3389) = Works perfect
> 
> I thought I needed to create via /etc/network/interfaces this: eth0:1 an
> extra interfaces that matches official IP2 so I can DNAT traffic to a
> specific server. 
> IPtables doesn't accept eth0:1 as interface. But I can use the IP2. "IP2"
> is the official IP e.g. $IPTABLES -t nat -A PREROUTING -p tcp -d "IP2"
> --dport 80 -j DNAT --to 192.168.2.240:80 => doesn't work
> 
> 1) Is this really necessary? First I tried to $IPTABLES -t nat -A
> PREROUTING -p tcp -d "IP2" -j DNAT --to 192.168.2.240 without an virtual
> interface but it doesn't work, TCP/IP does need an interface with the
> correct IP to send data to I guesss :)
> 2) No other/better way than to define multiple official IP's to one iFACE?
> 
> This must be a common problem but I can't find a google answer. 
> Any pointer on how to solve this problem? Maybe another approach. I will
> need to do this for multiple servers. 

I have 7 IPs on one interface and use nat to map them to various servers 
on various internal networks and it works very well for me (redhat).  It 
allows me to take servers up and down and to move them around.  It's 
great for testing, too.

The command you seek is "ip".  Here's an example of adding an address to 
an interface:  "ip address add 1.2.3.4/8 dev eth4".

Happy hacking!
Mike Wright

Re: multiple external IP's - virtual NIC - DNAT problems

[koen.news]

> The command you seek is "ip".  Here's an example of adding an address to
> an interface:  "ip address add 1.2.3.4/8 dev eth4".
>
> Happy hacking!
> Mike Wright
>
Thx for the reply. That's indeed what I seek!

I guess I can put that command (or the debian variant) in the pre-up
command for the interface?

Koen Linders

Re: multiple external IP's - virtual NIC - DNAT problems

[Mike Wright]

koen.news@koca.be wrote:
>> The command you seek is "ip".  Here's an example of adding an address to
>> an interface:  "ip address add 1.2.3.4/8 dev eth4".
>>
> Thx for the reply. That's indeed what I seek!
> 
> I guess I can put that command (or the debian variant) in the pre-up
> command for the interface?

I'm Debian ignorant.  In Redhat style systems I  bring up my interfaces 
without addresses or routes and put my custom code in /etc/rc.local.

Re: multiple external IP's - virtual NIC - DNAT problems

[Sven-Haegar Koch]

On Fri, 29 Jan 2010, koen.news@koca.be wrote:

> > The command you seek is "ip".  Here's an example of adding an address to
> > an interface:  "ip address add 1.2.3.4/8 dev eth4".
> >
> > Happy hacking!
> > Mike Wright
> >
> Thx for the reply. That's indeed what I seek!
> 
> I guess I can put that command (or the debian variant) in the pre-up
> command for the interface?

Not pre-up, put them in up / post-up

You can also use eth0:1 eth0:2 interface definitions in debian 
/etc/network/interfaces and use "-i eth0 -d $ip" in your firewall 
config.

The eth0:X interfaces are not really network interfaces, they are just 
secondary ip addresses on the base interface with a different label 
attached to them for ifconfig backward compatibility.

Example:
	ifconfig eth2:2 192.168.19.123 up
	ip addr show dev eth2
	-> inet 192.168.19.123/24 brd 192.168.19.255 scope global secondary eth2:2

	ip addr add 192.168.19.124/24 dev eth2
	ip addr show dev eth2
	-> inet 192.168.19.123/24 brd 192.168.19.255 scope global secondary eth2:2
	-> inet 192.168.19.124/24 scope global secondary eth2


c'ya
sven

-- 
Three may keep a secret, if two of them are dead.
- Ben F.

Re: multiple external IP's - virtual NIC - DNAT problems

[koen.news]

> Not pre-up, put them in up / post-up

> 

> You can also use eth0:1 eth0:2 interface definitions in debian 

> /etc/network/interfaces and use "-i eth0 -d $ip" in your firewall 

> config.

> 

> The eth0:X interfaces are not really network interfaces, they are just 

> secondary ip addresses on the base interface with a different label 

> attached to them for ifconfig backward compatibility.

> 

> Example:

> 	ifconfig eth2:2 192.168.19.123 up

> 	ip addr show dev eth2

> 	-> inet 192.168.19.123/24 brd 192.168.19.255 scope global secondary

eth2:2

> 

> 	ip addr add 192.168.19.124/24 dev eth2

> 	ip addr show dev eth2

> 	-> inet 192.168.19.123/24 brd 192.168.19.255 scope global secondary

eth2:2

> 	-> inet 192.168.19.124/24 scope global secondary eth2

> 

> 

> c'ya

> sven



This is exactly what I needed. Everything works now as expected. 



Sidenote: I first created an extra address with:

ip addr add 192.168.19.124/24 dev eth2



And checked that is was there. THen I put everything in the post-up

command including the one I already did.

invoke-rc.d networking restart didn't activate the other addressess. 

I remove the first one:

ip addr del 192.168.19.124/24 dev eth2



then invoke-rc.d networking restart worked.



Many thanks.

Koen