* [LARTC] How to
@ 2002-06-01 5:17 Neil Aggarwal
From: Neil Aggarwal @ 2002-06-01 5:17 UTC (permalink / raw)
To: lartc
Hello:
I have this setup:
Internet -- Linux Server -- Switch -- Internal Machine
The Linux server is running Redhat Linux 7.3 and is running
iptables for firewall.
Let's say, for example, that the Linux server is running
on IP address 11.22.33.44 and the internal machine is
running on IP address 192.168.1.234.
I want to set up the Linux server so that a connection
to my IP address of 11.22.33.55 actually connects to
192.168.1.234 and vice-versa.
In other words, the outside world should see my internal
machine as 11.22.33.55.
How would I set this up?
Thanks,
Neil.
--
Neil Aggarwal
JAMM Consulting, Inc. (972) 612-6056, http://www.JAMMConsulting.com
Custom Internet Development Websites, Ecommerce, Java, databases
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
* Re: [LARTC] How to
From: Tony Earnshaw @ 2002-06-01 6:51 UTC (permalink / raw)
To: lartc
Sat, 2002-06-01 at 07:17, Neil Aggarwal wrote:
> I want to set up the Linux server so that a connection
> to my IP address of 11.22.33.55 actually connects to
> 192.168.1.234 and vice-versa.
> In other words, the outside world should see my internal
> machine as 11.22.33.55.
In as much as this is a perfectly normal use of Netfilter (iptables), I
reckon that you're asking in the wrong group.
Try netfilter@lists.samba.org.
Best,
Tony
--
Tony Earnshaw
e-post: tonni@billy.demon.nl
www: http://www.billy.demon.nl
gpg public key: http://www.billy.demon.nl/tonni.armor
Telefoon: (+31) (0)172 530428
Mobiel: (+31) (0)6 51153356
GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981
3BE7B981
* Re: [LARTC] How to
From: Stef Coene @ 2002-06-01 7:37 UTC (permalink / raw)
To: lartc
> In as much as this is a perfectly normal use of Netfilter (iptables), I
> reckon that you're asking in the wrong group.
Copy-paste can never hurt :)
iptables -t nat -A PREROUTING -p tcp -d $EX_IP --dport 8080 -j DNAT --to 192.168.1.253:80
All traffic entering the external IP of my firewall on port 8080 is forwarded
to my internal web server.
Stef
--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net
* Re: [LARTC] How to
From: Tony Earnshaw @ 2002-06-01 10:47 UTC (permalink / raw)
To: lartc
Sat, 2002-06-01 at 09:37, Stef Coene wrote:
> > In as much as this is a perfectly normal use of Netfilter (iptables), I
> > reckon that you're asking in the wrong group.
> Copy-paste can never hurt :)
> iptables -t nat -A PREROUTING -p tcp -d $EX_IP --dport 8080 -j DNAT --to 192.168.1.253:80
> All traffic entering the external ip of my firewall on port 8080 is forwarded
> to my internal web-server.
Yerrrs, but now there's the FORWARDing rule, then there's the
POSTROUTING and SNAT rule back etc. etc. that you haven't included. He
won't make it work without them. Then there's the
/proc/sys/net/ipv4/ip_forward that you haven't included, etc. etc.
The bloke is obviously in the wrong group, he'll be having more problems
and these should not be addressed on this list, which is for something
completely different. God knows, iproute2 problems are complicated enough
as they are.
Best,
Tony
* RE: [LARTC] How to
From: Greg Scott @ 2002-06-01 14:55 UTC (permalink / raw)
To: lartc
I know the other list is for netfilter stuff but heck, if I can help
I'll give it a try...
Here is a more general script that should work:
**************************************************************
#!/bin/sh
EX_IP="11.22.33.55"
IN_IP="192.168.1.253"
IPTABLES="/sbin/iptables"
#
# Be sure to modprobe the modules you need here - an exercise
# for the reader.
#
echo "Zeroing all iptables, deleting all user defined chains"
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
echo "Setting up default policies to ACCEPT"
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
echo "setting up masquerading rules"
# 1:1 NAT: anything arriving for EX_IP is sent to IN_IP, and anything
# IN_IP originates is rewritten so the outside world sees EX_IP.
$IPTABLES -t nat -A PREROUTING -d $EX_IP -j DNAT --to $IN_IP
$IPTABLES -t nat -A POSTROUTING -s $IN_IP -j SNAT --to $EX_IP
echo "Turning on IP forwarding"
echo "1" > /proc/sys/net/ipv4/ip_forward
exit
****************************************************************
Note that this rule set provides absolutely no security. Any
packet, any protocol, any port of any protocol (for protocols
like TCP and UDP that have ports) that comes in bound for EX_IP
will be NAT-ed and redirected to IN_IP. And any new conversation
initiated by IN_IP will be masqueraded to look to the outside
world like it came from EX_IP.
Also note, I copied and pasted this from sections of my own
firewall script. I have not tested the above script anyplace,
so take that for what it's worth.
- Greg
* RE: [LARTC] How to
From: Tony Earnshaw @ 2002-06-01 15:04 UTC (permalink / raw)
To: lartc
Sat, 2002-06-01 at 16:55, Greg Scott wrote:
> I know the other list is for netfilter stuff but heck, if I can help
> I'll give it a try...
Sigh.
I don't see any FORWARD rule here. You know, like between the
interfaces. And what's '-t mangle' got to do with anything?
*Let the fellow go to a list that will look after him properly*
Best,
Tony
* RE: [LARTC] How to
From: Greg Scott @ 2002-06-01 17:37 UTC (permalink / raw)
To: lartc
Take a look here:
http://netfilter.samba.org/documentation/
for pointers to lots and lots of detailed explanations. The
answers you want are in there - but you'll need to do some studying.
> I don't see any FORWARD rule here. You know, like between the
> interfaces. And what's '-t mangle' got to do with anything?
That's right. You don't need any for your application. Remember
that netfilter rules are generally for **filtering** packets, not
for forwarding packets.
Take a look at the line towards the bottom of the script I sent
that turns on IP forwarding. That line turns your Linux system
into a router. It tells the kernel to forward packets from one
ethernet interface to the other and out to the network on the other
end.
The -t mangle stuff is just being thorough. Netfilter has several
tables and the mangle table is one of them. It's good practice to
flush and zero all tables when you set these scripts up. Take it
out if you want.
- Greg
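A hardened variant of the 1:1 NAT setup discussed in this thread (Greg's script together with the FORWARD rules Tony asks about), added here as an example and not code from any of the posters: it keeps the DNAT/SNAT pair but replaces the ACCEPT forward policy with a DROP policy plus explicit allow rules, so only the listed ports reach the internal host from outside. The interface names eth0/eth1, the allowed ports, and the --dry-run/--apply switches are assumptions.

```shell
#!/bin/sh
# Added example (not code from any poster): 1:1 NAT for one internal host,
# plus the FORWARD rules the thread notes are missing from the original script.
EX_IP="11.22.33.55"         # public address that should "be" the internal host
IN_IP="192.168.1.234"       # internal host from the original question
EXT_IF="eth0"               # assumed outside interface
INT_IF="eth1"               # assumed inside interface
ALLOWED_TCP="80 443"        # assumed services the internal host may expose
IPT="${IPT:-/sbin/iptables}"   # set IPT="echo iptables" to see the commands

# Print every rule the script would apply, one per line, so the whole set
# can be reviewed before it touches a live firewall.
emit_rules() {
    echo "-t nat -F"
    echo "-F FORWARD"
    # 1:1 NAT: inbound to EX_IP goes to IN_IP, outbound from IN_IP looks like EX_IP
    echo "-t nat -A PREROUTING -i $EXT_IF -d $EX_IP -j DNAT --to-destination $IN_IP"
    echo "-t nat -A POSTROUTING -o $EXT_IF -s $IN_IP -j SNAT --to-source $EX_IP"
    # Default-deny forwarding; allow replies, the listed inbound ports, and
    # anything the internal host starts itself.
    echo "-P FORWARD DROP"
    echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for port in $ALLOWED_TCP; do
        echo "-A FORWARD -i $EXT_IF -o $INT_IF -d $IN_IP -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    echo "-A FORWARD -i $INT_IF -o $EXT_IF -s $IN_IP -m state --state NEW -j ACCEPT"
    # Log what the DROP policy is about to discard (handy when debugging NAT)
    echo "-A FORWARD -j LOG --log-prefix FWD-DROP:"
}

# Apply the rules and enable routing; stops at the first rule iptables rejects.
apply_rules() {
    emit_rules | while read -r rule; do
        # shellcheck disable=SC2086  # splitting $rule into arguments is intended
        $IPT $rule || exit 1
    done || return 1
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Helpers used to sanity-check the generated rule set.
count_forward_accepts() { emit_rules | grep -c -- '-A FORWARD.*-j ACCEPT'; }
has_dnat_for() { emit_rules | grep -q -- "-j DNAT --to-destination $1"; }

if [ "${1:-}" = "--dry-run" ]; then
    emit_rules
elif [ "${1:-}" = "--apply" ]; then
    apply_rules
fi
```

On current kernels the state match is a compatibility alias for conntrack; if it is unavailable, use `-m conntrack --ctstate` in place of `-m state --state`.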