From: Mike <1100100@gmail.com>
To: Eduardo Spremolla <edspremolla@antel.com.uy>
Cc: netfilter@lists.netfilter.org
Subject: Re: Subnets: Make Static Route or Iptables Rules
Date: Thu, 26 May 2005 12:25:45 -0400
Message-ID: <8ca42282050526092513d66381@mail.gmail.com>
In-Reply-To: <1117109375.8314.4.camel@fly.in.iantel.com.uy>

Eduardo, 

Thank you for the reply.
I'm wondering if your example should be reversed like this:

$IPTABLES -t filter -A FORWARD -i eth2 --source 192.168.169.0/24 -j ACCEPT
$IPTABLES -t filter -A FORWARD -i eth1 --source 192.168.170.0/24 -j ACCEPT

Hmm, I've tried both ways, and something is still wrong.
I can ping 192.168.170.5 ---> 192.168.169.1
But I cannot ping 192.168.170.5  ---> 192.168.169.2 (the Samba box,
iptables off so no firewall issues).

This is very strange.

Please reply if you have a moment; I can post my whole iptables setup
from the routerbox if that is helpful.

Best regards,

Mike 

On 5/26/05, Eduardo Spremolla <edspremolla@antel.com.uy> wrote:
> You need to allow forwarding in both directions:
> $IPTABLES -t filter -A FORWARD -i eth1 --source 192.168.169.0/24 -j ACCEPT
> $IPTABLES -t filter -A FORWARD -i eth2 --source 192.168.170.0/24 -j ACCEPT
> 
> The prerouting Dnat is not required, be sure not to nat eth1 to eth2
> traffic.
> 
> LALO
> 
> On Wed, 2005-05-25 at 13:20 -0400, Mike wrote:
> > I have a linux routerbox with 3 nics:
> >
> > ppp0 goes to the internet service provider
> > eth1 serves as gateway to a subnet
> > eth2 serves as gateway to another subnet
> >
> > I want LAN clients from subnet eth2 to be able to access a Samba
> > Server box located on subnet eth1
> >
> > I have tried making a static route using --- route -n add
> > <destination> <gateway>   but all I get no matter what I try is:
> > SIOCADDRT: No such device
> >
> > Here's my route -n
> >
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > 204.60.4.34     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
> > 64.204.68.128   0.0.0.0         255.255.255.248 U     0      0        0 eth0
> > 192.168.170.0   0.0.0.0         255.255.255.0   U     0      0        0 eth2
> > 192.168.169.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
> > 127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
> > 0.0.0.0         204.60.4.34     0.0.0.0         UG    0      0        0 ppp0
> >
> > As a result of trying out a few extra iptables rules, I can now ping
> > the eth1 gateway from the eth2 subnet clients, but I still cannot
> > ping/reach the Samba server box on the eth1 subnet.
> >
> > Here's the rules I've added in hopes of making a proper path from
> > subnet eth2 to eth1:
> >
> > $IPTABLES -t nat -A PREROUTING -p tcp -i eth1 --source 192.168.170.0/24 -j DNAT --to-destination 192.168.169.2
> > $IPTABLES -t nat -A PREROUTING -p udp -i eth1 --source 192.168.170.0/24 -j DNAT --to-destination 192.168.169.2
> >
> > and
> >
> > $IPTABLES -t filter -A INPUT -i eth1 --source 192.168.170.0/24 -j ACCEPT
> >
> > and
> >
> > $IPTABLES -t filter -A FORWARD -i eth1 --source 192.168.170.0/24 -j ACCEPT
> >
> > Again, to be clear, clients on subnet eth2 can ping the gateway nic
> > (eth1), but cannot ping the samba box located on subnet eth1.
> >
> > If I can just ping that box, I can config Samba the rest of the way.
> >
> > So I'm not sure if what I need for this is to create a static route,
> > or whether iptables rules are all I need.
> >
> > Thank you for your time and patience in reading this post.
> >
> > Regards,
> >
> > Mike
> >
> 
> 
>
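An added example, not part of the thread or written by its participants: a small check that compares each FORWARD rule's `-i` interface and `--source` network against the connected subnets in the `route -n` output posted above. The function names are hypothetical, and it assumes every subnet is directly connected, as that table shows.

```python
import ipaddress
import shlex

# `route -n` output as posted in the thread.
ROUTES = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
204.60.4.34     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
64.204.68.128   0.0.0.0         255.255.255.248 U     0      0        0 eth0
192.168.170.0   0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.169.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
0.0.0.0         204.60.4.34     0.0.0.0         UG    0      0        0 ppp0
"""
# The two FORWARD rule pairs discussed in the thread.
FWD = "$IPTABLES -t filter -A FORWARD -i {} --source {} -j ACCEPT"
SUGGESTED = [FWD.format("eth1", "192.168.169.0/24"), FWD.format("eth2", "192.168.170.0/24")]
REVERSED = [FWD.format("eth2", "192.168.169.0/24"), FWD.format("eth1", "192.168.170.0/24")]


def parse_routes(text):
    """Map interface -> directly connected network (no gateway, not a host route)."""
    nets = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[1] != "0.0.0.0" or "H" in f[3]:
            continue  # header, host route, or route via a gateway
        nets[f[7]] = ipaddress.ip_network(f"{f[0]}/{f[2]}")
    return nets


def check_rule(rule, nets):
    """Return 'ok' if the rule's source network lives behind its -i interface."""
    args = shlex.split(rule)
    iface = args[args.index("-i") + 1]
    flag = "--source" if "--source" in args else "-s"
    src = ipaddress.ip_network(args[args.index(flag) + 1])
    if iface in nets and src.subnet_of(nets[iface]):
        return "ok"
    home = [i for i, n in nets.items() if src.subnet_of(n)]
    return "mismatch: source is connected on " + (", ".join(home) or "no local interface")


def verdicts(rules, nets):
    return [check_rule(r, nets) for r in rules]


if __name__ == "__main__":
    nets = parse_routes(ROUTES)
    for rule in SUGGESTED + REVERSED:
        print(f"{check_rule(rule, nets):45} {rule}")
```

A rule flagged as a mismatch never matches traffic that genuinely originates on that interface, so packets in that direction fall through to whatever rule or policy comes next in the FORWARD chain.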

