* [LARTC] Router for giving more than 1 ip
From: carlos lorente @ 2003-08-28 22:18 UTC (permalink / raw)
To: lartc
Hi, I have a Debian box working as a router.. it works quite well. Now
I want to give more than 1 IP.. is it possible to do it? Some of them
must be an open IP.. I mean.. all ports opened. Is it possible? How
should I do it?
Here is my nat.sh script just in case someone wants it.. (comments are
in Spanish.. and not right)
Thanks in advance,
#!/bin/sh
echo "AthoS LaN Generando iptables..." > /dev/tty12
# flush the iptables tables
iptables -F
iptables -t nat -F
iptables -t filter -F
# eth1 will be the internet interface
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
# eth0 is the local network interface
iptables --append FORWARD --in-interface eth0 -j ACCEPT
# enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# packet routing rules...
# 1.- redirect requests on port 21 to my pc
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 21 -j DNAT --to 192.168.0.16:21
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 143 -j DNAT --to 192.168.0.16:143
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 993 -j DNAT --to 192.168.0.16:993
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 995 -j DNAT --to 192.168.0.16:995
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 110 -j DNAT --to 192.168.0.16:110
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 10000 -j DNAT --to 192.168.0.16:10000
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.0.16:80
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8000 -j DNAT --to 192.168.0.16:8000
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 8000 -j DNAT --to 192.168.0.16:8000
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8001 -j DNAT --to 192.168.0.16:8001
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 8001 -j DNAT --to 192.168.0.16:8001
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 5555 -j DNAT --to 192.168.0.13:5555
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 5556 -j DNAT --to 192.168.0.13:5556
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 53 -j DNAT --to 192.168.0.16:53
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 53 -j DNAT --to 192.168.0.16:53
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 23 -j DNAT --to 192.168.0.16:23
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 23 -j DNAT --to 192.168.0.16:23
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT --to 192.168.0.16:25
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 110 -j DNAT --to 192.168.0.16:110
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 3306 -j DNAT --to 192.168.0.16:3306
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 143 -j DNAT --to 192.168.0.16:143
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 143 -j DNAT --to 192.168.0.16:143
# 2.- redirect the DCCs to my pc
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 4502:4510 -j DNAT --to 192.168.0.13:4502-4510
# 3.- ports for MSN (for sending)
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 6891:6899 -j DNAT --to 192.168.0.13:6891-6899
# 4.- ports for eMule
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 5800 -j DNAT --to 192.168.0.165:5800
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 1433 -j DNAT --to 192.168.0.165:1433
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 4500 -j DNAT --to 192.168.0.13:4500
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 5900 -j DNAT --to 192.168.0.165:5900
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 6900 -j DNAT --to 192.168.0.166:6900
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 2593 -j DNAT --to 192.168.0.165:2593
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 4501 -j DNAT --to 192.168.0.166:4501
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 4000 -j DNAT --to 192.168.0.166:4000
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 7000 -j DNAT --to 192.168.0.166:7000
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 6901 -j DNAT --to 192.168.0.113:6901
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 4661 -j DNAT --to 192.168.0.13:4661
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 4662 -j DNAT --to 192.168.0.13:4662
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 6699 -j DNAT --to 192.168.0.13:6699
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 7751 -j DNAT --to 192.168.0.13:7751
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 6257 -j DNAT --to 192.168.0.13:6257
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 4668 -j DNAT --to 192.168.0.62:4668
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 7373 -j DNAT --to 192.168.0.8:7373
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 7372 -j DNAT --to 192.168.0.8:7372
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 20 -j DNAT --to 192.168.0.8:20
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 7373 -j DNAT --to 192.168.0.8:7373
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 4666 -j DNAT --to 192.168.0.8:4666
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 4669 -j DNAT --to 192.168.0.61:4669
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 22 -j DNAT --to 192.168.0.16:22
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 27960 -j DNAT --to 192.168.0.13:27960
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 27960 -j DNAT --to 192.168.0.13:27960
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 2037 -j DNAT --to 192.168.0.13:2037
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 2037 -j DNAT --to 192.168.0.13:2037
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 6969 -j DNAT --to 192.168.0.2:6969
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
* [LARTC] Router for giving more than 1 ip
From: carlos lorente @ 2003-08-29 8:25 UTC (permalink / raw)
To: lartc
* Re: [LARTC] Router for giving more than 1 ip
From: Martin A. Brown @ 2003-08-31 3:39 UTC (permalink / raw)
To: lartc
: Hi i have a debian box working as a router.. it works quite well, now i
: want to give more than 1 ip.. is it possible to do it?
You want to host more than one IP on your box? Easily done.
# ip addr add $SECONDARY_OUTSIDE_IP/32 dev eth1
: some of them must be an open ip.. i mean.. all ports opened is it
: possible? how should i do it?
Sure, it's possible*. Note, though, that in this command, you have not
specified a destination address on these DNAT commands, so you'll need to
change them.
: iptables -t nat -A PREROUTING \
: -i eth1 -p tcp --dport 110 -j DNAT --to 192.168.0.16:25
This should be something more like this:
iptables -t nat -A PREROUTING -j DNAT --to 192.168.0.16:25 \
-i eth1 -p tcp --dport 110 -s 0/0 -d $PRIMARY_OUTSIDE_IP
: iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
If you wish to have more control over the source address of these packets,
you can use "-j SNAT --to $PRIMARY_OUTSIDE_IP".
[ many DNAT commands snipped ]
* in order to open all ports to a given internal IP, try the following:
iptables -t nat -A PREROUTING -j DNAT --to $GAPING_SECURITY_HOLE \
-i eth1 -s 0/0 -d $SECONDARY_OUTSIDE_IP
That should do it! Be forewarned that application layer protocols which
embed network layer information in their messages will be
confused... consider the usual NAT problems with FTP.
Best of luck,
-Martin
--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
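A script that generates the 1:1 NAT Martin describes (second address on eth1, all-ports DNAT to one LAN host, SNAT of its outbound traffic), added here as an example and not code from the thread: it prints the commands for review before anything is applied, and logs new inbound flows on FORWARD because that host is exposed on every port. The interface names, the 203.0.113.10 address and the 192.168.0.16 host are constructed placeholders.

```shell
#!/bin/sh
# Added example: 1:1 NAT for a secondary public address, the setup the
# reply above sketches. All values below are constructed placeholders.
OUTSIDE_IF=eth1                    # internet-facing interface (as in the thread)
INSIDE_IF=eth0                     # LAN interface
SECONDARY_OUTSIDE_IP=203.0.113.10  # assumed second public address
INSIDE_HOST=192.168.0.16           # LAN host that should own every port of it

# Emit the commands instead of running them, so the ruleset can be read
# (or diffed against iptables-save output) before it touches the box.
one_to_one_nat_rules() {
    ext_if=$1; int_if=$2; pub_ip=$3; priv_ip=$4
    # The router must actually own the address, or it never answers ARP for it.
    echo "ip addr add $pub_ip/32 dev $ext_if"
    # Inbound: match on the destination address only, no -p/--dport, so every
    # port of the public IP lands on the internal host (the "open IP").
    echo "iptables -t nat -A PREROUTING -i $ext_if -d $pub_ip -j DNAT --to-destination $priv_ip"
    # Outbound: SNAT to the same public IP instead of MASQUERADE, so the host
    # is seen under one stable address in both directions.
    echo "iptables -t nat -A POSTROUTING -o $ext_if -s $priv_ip -j SNAT --to-source $pub_ip"
    # A fully exposed host deserves a record of who opens connections to it:
    # log new inbound flows, rate-limited so the log cannot be flooded.
    echo "iptables -A FORWARD -i $ext_if -o $int_if -d $priv_ip -m conntrack --ctstate NEW -m limit --limit 10/min -j LOG --log-prefix \"nat-1to1-new: \""
    # Explicit forward rules for the pair, rather than relying on the chain's
    # default policy (the script in the thread never sets one).
    echo "iptables -A FORWARD -i $ext_if -o $int_if -d $priv_ip -j ACCEPT"
    echo "iptables -A FORWARD -i $int_if -o $ext_if -s $priv_ip -j ACCEPT"
}

# Number of iptables commands the generator emits (a quick sanity check).
count_rules() {
    one_to_one_nat_rules "$@" | grep -c '^iptables'
}

# "./onetoone.sh" prints the commands; "./onetoone.sh apply" runs them as root.
if [ "${1:-}" = apply ]; then
    one_to_one_nat_rules "$OUTSIDE_IF" "$INSIDE_IF" "$SECONDARY_OUTSIDE_IP" "$INSIDE_HOST" | sh -e
else
    one_to_one_nat_rules "$OUTSIDE_IF" "$INSIDE_IF" "$SECONDARY_OUTSIDE_IP" "$INSIDE_HOST"
fi
```

Martin's FTP caveat still applies: for active FTP through this mapping the nf_conntrack_ftp / nf_nat_ftp helpers have to be loaded on the router.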