RE: natting help needed urgently.

RE: natting help needed urgently.

[Mark E. Donaldson]

Here is an example for HTTP.  All the services will work the same except for
the destination port number.  This needs to be done in two stages basically:

Step 1 is to DNAT the requests from the firewall box to your internal
Windows server (prerouting):

####################################################################
# SET VARIABLES
####################################################################
WINDOWS_IP="192.168.10.3"

####################################################################
# HTTP/SHTTP
####################################################################
# send all new incoming web requests to HTTP server (HTTP & SHTTP)
if [ "$WINDOWS_HTTP_AVAILABLE" = "1" ] && [ "$HTTP_SERVER" = "1" ];
then
	$IPT -t nat -A PREROUTING -p tcp --destination-port 80 -i $FW_INET_IFACE -j
LOG --log-prefix "DNAT IN WINDOWS HTTP: "
	$IPT -t nat -A PREROUTING -p tcp --destination-port 80 -i $FW_INET_IFACE -j
DNAT --to $WINDOWS_IP:80
	$IPT -t nat -A PREROUTING -p tcp --destination-port 443 -i
$FW_INET_IFACE -j LOG --log-prefix "DNAT IN WINDOWS SHTTP: "
	$IPT -t nat -A PREROUTING -p tcp --destination-port 443 -i
$FW_INET_IFACE -j DNAT --to $WINDOWS_IP:443
fi

Step 2 is to accept the packets after they have been DNATed:

$IPT -t filter -A TCP_RULES -i $FW_INET_IFACE -d $WINDOWS_IP -p
tcp --source-port $UNPRIVPORTS --destination-port 80 -m state --state NEW -j
LOG --log-prefix "WEB ACCESS -> WINDOWS BOX: "
$IPT -t filter -A TCP_RULES -i $FW_INET_IFACE -d $WINDOWS_IP -p
tcp --source-port $UNPRIVPORTS --destination-port 80 -m state --state NEW -j
ACCEPT
$IPT -t filter -A TCP_RULES -i $FW_INET_IFACE -d $WINDOWS_IP -p
tcp --source-port $UNPRIVPORTS --destination-port 443 -m state --state
NEW -j LOG --log-prefix "SWEB ACCESS -> WINDOWS BOX: "
$IPT -t filter -A TCP_RULES -i $FW_INET_IFACE $WINDOWS_IP -p
tcp --source-port $UNPRIVPORTS --destination-port 443 -m state --state
NEW -j ACCEPT

Hope this helps.

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Payal Rathod
Sent: Sunday, September 07, 2003 4:04 AM
To: netfilter@lists.netfilter.org
Subject: natting help needed urgently.


Hi,
I have asked this before but nobody responded. Is this un-do-able?
I have a windows box which is on intertnal ip 192.168.10.3. I want the
outside world to access the servers (ftp, http, smtp, pop3) from it.
The scene is something like this,


+----------+       +--------------+         +---------------+
|          +---><--+ Linux        +---->--<-+win2k          |
|router    |       |  (1.2.3.4)   |         | (192.168.10.3)|
+----------+       +--------------+         +---------------+

I am not able to redirect any request for windows box from outside world
to internal machine 192.168.10.3

Please help me to solve this problem.

Waiting eagerly for any help on this.

With warm regards,
-Payal

--
"Visit GNU/Linux Success Stories"
http://payal.staticky.com
Guest-Book Section Updated.

natting help needed urgently.

[Payal Rathod]

Hi,
I have asked this before but nobody responded. Is this un-do-able?
I have a windows box which is on intertnal ip 192.168.10.3. I want the
outside world to access the servers (ftp, http, smtp, pop3) from it.
The scene is something like this,


+----------+       +--------------+         +---------------+
|          +---><--+ Linux        +---->--<-+win2k          |
|router    |       |  (1.2.3.4)   |         | (192.168.10.3)|
+----------+       +--------------+         +---------------+
                                  
I am not able to redirect any request for windows box from outside world
to internal machine 192.168.10.3

Please help me to solve this problem.

Waiting eagerly for any help on this.

With warm regards,
-Payal

-- 
"Visit GNU/Linux Success Stories"
http://payal.staticky.com
Guest-Book Section Updated.

Re: natting help needed urgently.

[Dharmendra.T]

[-- Attachment #1: Type: text/plain, Size: 1184 bytes --]

Hi Payal,

What error you get while connecting from outside? This info will help us
in solving your problem.
-- 
Regards
Dharmendra.T
dharmu@nsecure.net
Linux Security and Administrator.


On Sun, 2003-09-07 at 16:34, Payal Rathod wrote:

    Hi,
    I have asked this before but nobody responded. Is this un-do-able?
    I have a windows box which is on intertnal ip 192.168.10.3. I want the
    outside world to access the servers (ftp, http, smtp, pop3) from it.
    The scene is something like this,
    
    
    +----------+       +--------------+         +---------------+
    |          +---><--+ Linux        +---->--<-+win2k          |
    |router    |       |  (1.2.3.4)   |         | (192.168.10.3)|
    +----------+       +--------------+         +---------------+
                                      
    I am not able to redirect any request for windows box from outside world
    to internal machine 192.168.10.3
    
    Please help me to solve this problem.
    
    Waiting eagerly for any help on this.
    
    With warm regards,
    -Payal
    
    -- 
    "Visit GNU/Linux Success Stories"
    http://payal.staticky.com
    Guest-Book Section Updated.
    



[-- Attachment #2: Type: text/html, Size: 3153 bytes --]

Re: natting help needed urgently.

[Payal Rathod]

On Mon, Sep 08, 2003 at 10:19:30AM +0530, Dharmendra.T wrote:
> Hi Payal,
> 
> What error you get while connecting from outside? This info will help us
> in solving your problem.

Thanks but I solved it myself. I will get back on this in case of more
difficulties.

With warm regards,
-Payal

-- 
"Visit GNU/Linux Success Stories"
http://payal.staticky.com
Guest-Book Section Updated.

Re: natting help needed urgently.

[ads nat]

[-- Attachment #1: Type: text/plain, Size: 632 bytes --]

Requesting you to specify how you have solved yourself. It will help us .
Thanks


Payal Rathod <payal-iptables@staticky.com> wrote:
On Mon, Sep 08, 2003 at 10:19:30AM +0530, Dharmendra.T wrote:
> Hi Payal,
> 
> What error you get while connecting from outside? This info will help us
> in solving your problem.

Thanks but I solved it myself. I will get back on this in case of more
difficulties.

With warm regards,
-Payal

-- 
"Visit GNU/Linux Success Stories"
http://payal.staticky.com
Guest-Book Section Updated.


---------------------------------
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software

[-- Attachment #2: Type: text/html, Size: 925 bytes --]

Re: natting help needed urgently.

[Payal Rathod]

On Tue, Sep 09, 2003 at 01:09:18AM -0700, ads nat wrote:
> Requesting you to specify how you have solved yourself. It will help us .
> Thanks

I made an alias for eth0:1 for that external ip on linux box.
That made linux box accept the traffic. Then I made a nat rule like,

iptables -A PREROUTING -t nat -d <ext ip> -j DNAT --to <int ip>

Thanks all again.
With warm regards,
-Payal

-- 
"Visit GNU/Linux Success Stories"
http://payal.staticky.com
Guest-Book Section Updated.

Re: natting help needed urgently.

[Ranjeet Shetye]

On Tue, 2003-09-09 at 04:11, Payal Rathod wrote:
> On Tue, Sep 09, 2003 at 01:09:18AM -0700, ads nat wrote:
> > Requesting you to specify how you have solved yourself. It will help us .
> > Thanks
> 
> I made an alias for eth0:1 for that external ip on linux box.
> That made linux box accept the traffic. Then I made a nat rule like,
> 
> iptables -A PREROUTING -t nat -d <ext ip> -j DNAT --to <int ip>
> 
> Thanks all again.
> With warm regards,
> -Payal

For the benefit of the list:

ifconfig and route are limited in capability due to the need for
backward compatibility etc. IP aliasing is being deprecated in favour of
newer tools like the iproute2 suite by Alexey Kuznetsov @
ftp://ftp.inr.ac.ru/ip-routing/ . These new tools will let you twiddle a
lot more knobs in the linux network stack.

for instance, in this case, you can use "ip addr add dev eth0
<neededip>/<netmask>" to assign more than one IP address to a single
interface.

"ip addr" or "ip addr show" for ip level details
"ip link" or "ip link show" for link level details
"ip route" or "ip route show" for routing table details

"ip addr del dev eth0 <ip>/<netmask>" to remove an IP.

More info @ http://www.linuxgrill.com/iproute2-toc.html

Off topic but, "vconfig" will let you create VLAN interfaces, if that's
next on your agenda.

-- 

Ranjeet Shetye
Senior Software Engineer
Zultys Technologies
Ranjeet dot Shetye2 at Zultys dot com
http://www.zultys.com/
 
The views, opinions, and judgements expressed in this message are solely
those of the author. The message contents have not been reviewed or
approved by Zultys.