Multiple IP addresses

Multiple IP addresses

[Brei, Matt]

Greetings,

I'm using netfilter to nat/firewall my cable connection to my lan.  I
currently have 5 static IP addresses and would like to know if it is
possible to alias all 5 addresses on the inet_iface and then forward to
different machines on the lan_iface based on destination IP.  For
instance, there are 3 web servers on the lan say 10.1.1.1 - 10.1.1.3 and
I want all port 80/443 that comes to the netfilter machine on the
inet_address 1.2.3.4 to go to lan_address 10.1.1.1 and all port 80/443
from inet_address 4.3.2.1 to forward to 10.1.1.2 etc.  Is this possible?
If so, how about a point in the right direction.

TIA

Matt 

RE: Multiple IP addresses

[George Vieira]

Yes, almost anything is possible.

>For instance, there are 3 web servers on the lan say 10.1.1.1 - 10.1.1.3 and
>I want all port 80/443 that comes to the netfilter machine on the
>inet_address 1.2.3.4 to go to lan_address 10.1.1.1 

iptables -A PREROUTING -i $EXTDEV -d 1.2.3.4 -p tcp --dport 80 -j DNAT 10.1.1.1 
# If I understand what you said is that "on the inet_address" meanin the -d destintion address..??


>and all port 80/443 from inet_address 4.3.2.1 to forward to 10.1.1.2 etc.  Is this possible?

iptables -A PREROUTING -i $EXTDEV -s 4.3.2.1 -p tcp --dport 443 -j DNAT 10.1.1.1
# Also you said "from inet_address"..

>If so, how about a point in the right direction.


So what your doing is making everybody browse 10.1.1.1 but yourself coming from a different source IP outside to view a different webserver?? right??

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au

Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au

Phone   : +61 2 9955 2644
HelpDesk: +61 2 9955 2698
 

-----Original Message-----
From: Brei, Matt [mailto:mbrei@medclaiminc.com]
Sent: Thursday, May 22, 2003 9:02 AM
To: netfilter@lists.netfilter.org
Subject: Multiple IP addresses


Greetings,

I'm using netfilter to nat/firewall my cable connection to my lan.  I
currently have 5 static IP addresses and would like to know if it is
possible to alias all 5 addresses on the inet_iface and then forward to
different machines on the lan_iface based on destination IP.  For
instance, there are 3 web servers on the lan say 10.1.1.1 - 10.1.1.3 and
I want all port 80/443 that comes to the netfilter machine on the
inet_address 1.2.3.4 to go to lan_address 10.1.1.1 and all port 80/443
from inet_address 4.3.2.1 to forward to 10.1.1.2 etc.  Is this possible?
If so, how about a point in the right direction.

TIA

Matt 

RE: Multiple IP addresses

[Brei, Matt]

Yes, almost anything is possible.

>For instance, there are 3 web servers on the lan say 10.1.1.1 -
10.1.1.3 and
>I want all port 80/443 that comes to the netfilter machine on the
>inet_address 1.2.3.4 to go to lan_address 10.1.1.1 

iptables -A PREROUTING -i $EXTDEV -d 1.2.3.4 -p tcp --dport 80 -j DNAT
10.1.1.1 
# If I understand what you said is that "on the inet_address" meanin the
-d destintion address..??


>and all port 80/443 from inet_address 4.3.2.1 to forward to 10.1.1.2
etc.  Is this possible?

iptables -A PREROUTING -i $EXTDEV -s 4.3.2.1 -p tcp --dport 443 -j DNAT
10.1.1.1
# Also you said "from inet_address"..
I'm sorry, what I meant was "TO", I apologize.
>If so, how about a point in the right direction.


So what your doing is making everybody browse 10.1.1.1 but yourself
coming from a different source IP outside to view a different
webserver?? right??

Yes and no.  I actually hadn't thought of it that way.  The idea was to
be able to split up multiple sites on different servers each using
Apache's virtual hosts, say 10 or so per server.

Thanks a bunch for the help.
Matt
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au

Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au

Phone   : +61 2 9955 2644
HelpDesk: +61 2 9955 2698
 

-----Original Message-----
From: Brei, Matt [mailto:mbrei@medclaiminc.com]
Sent: Thursday, May 22, 2003 9:02 AM
To: netfilter@lists.netfilter.org
Subject: Multiple IP addresses


Greetings,

I'm using netfilter to nat/firewall my cable connection to my lan.  I
currently have 5 static IP addresses and would like to know if it is
possible to alias all 5 addresses on the inet_iface and then forward to
different machines on the lan_iface based on destination IP.  For
instance, there are 3 web servers on the lan say 10.1.1.1 - 10.1.1.3 and
I want all port 80/443 that comes to the netfilter machine on the
inet_address 1.2.3.4 to go to lan_address 10.1.1.1 and all port 80/443
from inet_address 4.3.2.1 to forward to 10.1.1.2 etc.  Is this possible?
If so, how about a point in the right direction.

TIA

Matt 

RE: Multiple IP addresses

[George Vieira]

OK well you have to write the rules a little differently then.
You can write it this way which redirects ALL port 80/443 including the other IP (4.3.2.1), then add a rule for the 1 address (4.3.2.1) and redirect that to 10.1.1.2 example below....

# Redirect for this one IP to it's server
iptables -A PREROUTING -t nat -i $EXTDEV -d 4.3.2.1 -p tcp --dport 80 -j DNAT 10.1.1.2
# Everything else goes to 10.1.1.1 server.
iptables -A PREROUTING -t nat -i $EXTDEV            -p tcp --dport 80 -j DNAT 10.1.1.1 


does that make better sense now..??

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au

Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au
 

-----Original Message-----
From: Brei, Matt [mailto:mbrei@medclaiminc.com]
Sent: Thursday, May 22, 2003 11:25 AM
To: netfilter@lists.netfilter.org; George Vieira
Subject: RE: Multiple IP addresses





Yes, almost anything is possible.

>For instance, there are 3 web servers on the lan say 10.1.1.1 -
10.1.1.3 and
>I want all port 80/443 that comes to the netfilter machine on the
>inet_address 1.2.3.4 to go to lan_address 10.1.1.1 

iptables -A PREROUTING -i $EXTDEV -d 1.2.3.4 -p tcp --dport 80 -j DNAT
10.1.1.1 
# If I understand what you said is that "on the inet_address" meanin the
-d destintion address..??


>and all port 80/443 from inet_address 4.3.2.1 to forward to 10.1.1.2
etc.  Is this possible?

iptables -A PREROUTING -i $EXTDEV -s 4.3.2.1 -p tcp --dport 443 -j DNAT
10.1.1.1
# Also you said "from inet_address"..
I'm sorry, what I meant was "TO", I apologize.
>If so, how about a point in the right direction.


So what your doing is making everybody browse 10.1.1.1 but yourself
coming from a different source IP outside to view a different
webserver?? right??

Yes and no.  I actually hadn't thought of it that way.  The idea was to
be able to split up multiple sites on different servers each using
Apache's virtual hosts, say 10 or so per server.

Thanks a bunch for the help.
Matt
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au

Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au

Phone   : +61 2 9955 2644
HelpDesk: +61 2 9955 2698
 

-----Original Message-----
From: Brei, Matt [mailto:mbrei@medclaiminc.com]
Sent: Thursday, May 22, 2003 9:02 AM
To: netfilter@lists.netfilter.org
Subject: Multiple IP addresses


Greetings,

I'm using netfilter to nat/firewall my cable connection to my lan.  I
currently have 5 static IP addresses and would like to know if it is
possible to alias all 5 addresses on the inet_iface and then forward to
different machines on the lan_iface based on destination IP.  For
instance, there are 3 web servers on the lan say 10.1.1.1 - 10.1.1.3 and
I want all port 80/443 that comes to the netfilter machine on the
inet_address 1.2.3.4 to go to lan_address 10.1.1.1 and all port 80/443
from inet_address 4.3.2.1 to forward to 10.1.1.2 etc.  Is this possible?
If so, how about a point in the right direction.

TIA

Matt 

Multiple IP addresses

[Will Twomey]

I apologize if this is the wrong list, but...

I would like to have several (3?) ip addresses on one interface (eth0,
eth0:1, etc.), and forward each of those IP addresses to another
interface (192.168.0.1, 192.168.1.1, 192.168.2.1, etc.)

Does anyone have an advice for me, or a good place to learn how to do this?

If someone has an iptables/netfilter script that does this, I'd love
to see it. :D

Thanks!

--
Will Twomey
http://UnhandledExceptions.com

Re: Multiple IP addresses

[Mike Wright]

Will Twomey wrote:
> I apologize if this is the wrong list, but...
> 
> I would like to have several (3?) ip addresses on one interface (eth0,
> eth0:1, etc.), 

Aliasing your network card isn't necessary.  Just assign IP's to it.

ip address add 192.168.0.1/24 dev eth0
ip address add 192.168.1.1/24 dev eth0
ip address add 192.168.2.1/24 dev eth0

> and forward each of those IP addresses to another
> interface (192.168.0.1, 192.168.1.1, 192.168.2.1, etc.)

I think these might work.

iptables -A FORWARD -d 192.168.0.0/24 -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -d 192.168.1.0/24 -i eth0 -o eth2 -j ACCEPT
iptables -A FORWARD -d 192.168.2.0/24 -i eth0 -o eth3 -j ACCEPT


> Does anyone have an advice for me, or a good place to learn how to do this?
> 
> If someone has an iptables/netfilter script that does this, I'd love
> to see it. :D
> 
> Thanks!
> 
> --
> Will Twomey
> http://UnhandledExceptions.com

Re: Multiple IP addresses

[Martijn Lievaart]

Will Twomey zei:
> I apologize if this is the wrong list, but...
>
> I would like to have several (3?) ip addresses on one interface (eth0,
> eth0:1, etc.), and forward each of those IP addresses to another
> interface (192.168.0.1, 192.168.1.1, 192.168.2.1, etc.)

What exactly do you mean? Do you want to send packets addressed to one of
those addresses to another ip? Or do you want to fake those addresses and
send them on to the machine that really has that address? Or do you want
to route packets not addressed to any of those addresses but based on the
address the previous router used as a next hop?

In the first case, just use DNAT. In the second case, create a static arp
entry and use normal routing rules. The third is not (easily) possible as
the packet that arrives just has the final IP destination and the MAC
address of eth0. Which is not enough information to figure out what IP was
used to route the packet.

Maybe you can explain better what you want to achieve?

M4

Re: Multiple IP addresses

[John A. Sullivan III]

On Sun, 2006-03-26 at 19:53 -0600, Will Twomey wrote:
> I apologize if this is the wrong list, but...
> 
> I would like to have several (3?) ip addresses on one interface (eth0,
> eth0:1, etc.), and forward each of those IP addresses to another
> interface (192.168.0.1, 192.168.1.1, 192.168.2.1, etc.)
> 
> Does anyone have an advice for me, or a good place to learn how to do this?
> 
> If someone has an iptables/netfilter script that does this, I'd love
> to see it. :D
> 
<snip>
I'm not entirely sure of what you mean by forwarding each to another
interface.  Packets destined for the network associated with each
address will route there naturally.  You will need to bind the
individual addresses to the cards using iproute2, e.g., 

ip add add 192.168.1.1/24 dev eth0 brd +

To find more information on this, look for a file in your distribution
ip-cref.ps

If you mean implementing access controls and/or NAT, you will also need
to invoke iptables FORWARD and nat rules.

ISCS (http://iscs.sourceforge.net) will do all of this automatically for
you including files and dynamic changes to bind the ip addresses, access
control and NAT even in the most complex environments (e.g.,
overlapping, nested, many-to-some, some-to-many NAT).

You can find some slide shows on both iproute2 and iptables in the
training section of the ISCS web page (although a bit dated) and there
is an excellent iptables tutorial at
http://iptables-tutorial.frozentux.net/iptables-tutorial.html

Good luck - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com

Re: Multiple IP addresses

[Eduardo Spremolla]

On Sun, 2006-03-26 at 19:53 -0600, Will Twomey wrote:
> I apologize if this is the wrong list, but...
> 
> I would like to have several (3?) ip addresses on one interface (eth0,
> eth0:1, etc.), and forward each of those IP addresses to another
> interface (192.168.0.1, 192.168.1.1, 192.168.2.1, etc.)

-t nat PREROUTING -i eth0 -d myip1 -j DNAT --to 192.168.0.1
-t nat PREROUTING -i eth0 -d myip2 -j DNAT --to 192.168.1.1
-t nat PREROUTING -i eth0 -d myip3 -j DNAT --to 192.168.2.1




> Does anyone have an advice for me, or a good place to learn how to do this?
> 
> If someone has an iptables/netfilter script that does this, I'd love
> to see it. :D
> 
> Thanks!
> 
> --
> Will Twomey
> http://UnhandledExceptions.com
> 


Este e-mail y cualquier posible archivo adjunto está dirigido únicamente al destinatario del mensaje y contiene información que puede ser confidencial. Si Ud. no es el destinatario correcto por favor notifique al remitente respondiendo este mensaje y elimine inmediatamente el e-mail y los posibles archivos adjuntos al mismo de su sistema. Está prohibida cualquier utilización, difusión o copia de este e-mail por cualquier persona o entidad que no sean las específicas destinatarias del mensaje. ANTEL no acepta ninguna responsabilidad con respecto a cualquier comunicación que haya sido emitida incumpliendo nuestra Política de Seguridad de la Información.
. . . . . . . . .
This e-mail and any attachment is confidential and is intended solely for the addressee(s). If you are not intended recipient please inform the sender immediately, answering this e-mail and delete it as well as the attached files. Any use, circulation or copy of this e-mail by any person or entity that is not the specific addressee(s) is prohibited. ANTEL is not responsible for any communication emitted without respecting our Information Security Policy.