* Packet forwarding.
From: bdameron @ 2004-04-07 17:00 UTC
To: netfilter

I have 2 linux machines. One is accessible via the outside world (Internet machine); the other has no outside connectivity (LAN machine). I need to redirect port 443 traffic to and from the LAN server via the Internet machine. Is this possible with Iptables? I have set up packet forwarding, but then the LAN server tries to connect directly to the client machine instead of to the Internet machine. Any direction appreciated.

--
Thank you,
Brad Dameron
* Re: Packet forwarding.
From: Antony Stone @ 2004-04-07 17:14 UTC
To: netfilter

On Wednesday 07 April 2004 6:00 pm, bdameron@tscnet.net wrote:

> I have 2 linux machines. One is accessible via the outside world (Internet
> machine); the other has no outside connectivity (LAN machine). I need to
> redirect port 443 traffic to and from the LAN server via the Internet
> machine. Is this possible with Iptables?

Yes. Have you read any of the tutorials or HOWTOs available from http://www.netfilter.org to find out what it can do and how to make it do it?

> I have set up packet forwarding, but then the LAN server tries to connect
> directly to the client machine instead of to the Internet machine. Any
> direction appreciated.

If you tell us what your rules are and give us some more detail about your network setup, we might be able to help; however, a better solution for you is to look at some of the excellent documentation available to learn how to do it yourself. This is not a hard problem, and you will be able to manage your system much better in future if you understand more about how it works.

One very important detail which is not clear from your description above is: where is the "client machine" located?

Regards,

Antony.

--
In Heaven, the police are British, the chefs are Italian, the beer is Belgian, the mechanics are German, the lovers are French, the entertainment is American, and everything is organised by the Swiss.
In Hell, the police are German, the chefs are British, the beer is American, the mechanics are French, the lovers are Swiss, the entertainment is Belgian, and everything is organised by the Italians.

Please reply to the list; please don't CC me.
* Re: Packet forwarding.
From: bdameron @ 2004-04-07 17:25 UTC
To: netfilter

Quoting Antony Stone <Antony@Soft-Solutions.co.uk>:

> On Wednesday 07 April 2004 6:00 pm, bdameron@tscnet.net wrote:
>
> > I have 2 linux machines. One is accessible via the outside world (Internet
> > machine); the other has no outside connectivity (LAN machine). I need to
> > redirect port 443 traffic to and from the LAN server via the Internet
> > machine. Is this possible with Iptables?
>
> Yes. Have you read any of the tutorials or HOWTOs available from
> http://www.netfilter.org to find out what it can do and how to make it do
> it?
>
> > I have set up packet forwarding, but then the LAN server tries to connect
> > directly to the client machine instead of to the Internet machine. Any
> > direction appreciated.
>
> If you tell us what your rules are and give us some more detail about your
> network setup, we might be able to help; however, a better solution for you is
> to look at some of the excellent documentation available to learn how to do
> it yourself. This is not a hard problem, and you will be able to manage
> your system much better in future if you understand more about how it works.
>
> One very important detail which is not clear from your description above is:
> where is the "client machine" located?
>
> Regards,
>
> Antony.

Client machine being anyone from the outside world. And I have looked over some of the documentation. Basically there are no current firewall policies. Just want anything coming in on xxx.xxx.xxx.xxx:443 (Internet machine) to be routed to 10.10.1.110:443 (internal LAN machine).

Looks like I need to mangle the packet header so that the LAN machine thinks that the Internet machine is sending the packet and then have the Internet machine redirect the packet to the client. Client again being someone on the Internet. Not sure if this can be done or not. Correct me if I am wrong.

--
Thank you,
Brad Dameron
* Re: Packet forwarding.
From: Antony Stone @ 2004-04-07 17:37 UTC
To: netfilter

On Wednesday 07 April 2004 6:25 pm, bdameron@tscnet.net wrote:

> > If you tell us what your rules are and give us some more detail about
> > your network setup, we might be able to help; however, a better solution
> > for you is to look at some of the excellent documentation available to
> > learn how to do it yourself. This is not a hard problem, and you will be
> > able to manage your system much better in future if you understand more
> > about how it works.
> >
> > One very important detail which is not clear from your description above
> > is: where is the "client machine" located?
>
> Client machine being anyone from the outside world. And I have looked
> over some of the documentation. Basically there are no current firewall
> policies. Just want anything coming in on xxx.xxx.xxx.xxx:443 (Internet
> machine) to be routed to 10.10.1.110:443 (internal LAN machine).
>
> Looks like I need to mangle the packet header so that the LAN machine thinks
> that the Internet machine is sending the packet and then have the Internet
> machine redirect the packet to the client. Client again being someone on the
> Internet. Not sure if this can be done or not. Correct me if I am wrong.

With all due respect, yes, you are very wrong. This is a simple "nat + forward" situation.

Since you haven't said what your ruleset is, I shall assume none, and give you an example of how to make work what you have asked for:

# flush the filter and nat tables, then default everything to DROP
iptables -F
iptables -F -t nat
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# let replies and related traffic through, and let new 443 connections reach the LAN server
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 443 -d 10.10.1.110 -j ACCEPT
# PREROUTING lives in the nat table, so -t nat is required here
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 10.10.1.110

If eth0 is not your external interface then change it in the above two rules for whatever your external interface is.

Regards,

Antony.

--
Abandon hope, all ye who enter here. You'll feel much better about things once you do.

Please reply to the list; please don't CC me.
* Re: Packet forwarding.
From: bdameron @ 2004-04-07 20:04 UTC
To: netfilter

Quoting Antony Stone <Antony@Soft-Solutions.co.uk>:

> On Wednesday 07 April 2004 6:25 pm, bdameron@tscnet.net wrote:
>
> > > If you tell us what your rules are and give us some more detail about
> > > your network setup, we might be able to help; however, a better solution
> > > for you is to look at some of the excellent documentation available to
> > > learn how to do it yourself. This is not a hard problem, and you will be
> > > able to manage your system much better in future if you understand more
> > > about how it works.
> > >
> > > One very important detail which is not clear from your description above
> > > is: where is the "client machine" located?
> >
> > Client machine being anyone from the outside world. And I have looked
> > over some of the documentation. Basically there are no current firewall
> > policies. Just want anything coming in on xxx.xxx.xxx.xxx:443 (Internet
> > machine) to be routed to 10.10.1.110:443 (internal LAN machine).
> >
> > Looks like I need to mangle the packet header so that the LAN machine thinks
> > that the Internet machine is sending the packet and then have the Internet
> > machine redirect the packet to the client. Client again being someone on the
> > Internet. Not sure if this can be done or not. Correct me if I am wrong.
>
> With all due respect, yes, you are very wrong. This is a simple "nat +
> forward" situation.
>
> Since you haven't said what your ruleset is, I shall assume none, and give you
> an example of how to make work what you have asked for:
>
> iptables -F
> iptables -F -t nat
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i eth0 -p tcp --dport 443 -d 10.10.1.110 -j ACCEPT
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 10.10.1.110
>
> If eth0 is not your external interface then change it in the above two rules
> for whatever your external interface is.
>
> Regards,
>
> Antony.

I found an easier way to do this. xinetd can do port redirect. Worked perfectly. Thanks for your help.

--
Thank you,
Brad Dameron
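Added example, not part of the thread and not Brad's configuration: the xinetd "redirect" service that his last message refers to, written as a shell function that emits the service stanza. The service name https-relay is an assumption; the target 10.10.1.110:443 comes from the thread. The comments spell out what the relay changes compared with kernel DNAT, which is the point Antony's reply about "a secure firewall" is getting at.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): generate an xinetd
# service stanza that relays TCP port 443 to the LAN server.
# Assumed values: service name https-relay; target 10.10.1.110:443 from the thread.

LAN_SERVER="${LAN_SERVER:-10.10.1.110}"
PORT="${PORT:-443}"

# Emit an xinetd stanza for a TCP redirect. xinetd accepts the client's
# connection itself and opens a second connection to the target, so:
#  - the LAN server sees the relay's address as the client; its logs and any
#    IP-based access control lose the real source address (kernel DNAT keeps it);
#  - every session costs two sockets and a userspace copy on the relay;
#  - the relay has its own ACL (only_from / no_access) independent of iptables,
#    and its own per-connection log lines via log_on_success / log_on_failure.
# type = UNLISTED lets the port be given explicitly instead of via /etc/services.
xinetd_redirect_conf() {
    svc="$1"; port="$2"; target_host="$3"; target_port="$4"
    cat <<EOF
service ${svc}
{
    disable         = no
    type            = UNLISTED
    socket_type     = stream
    protocol        = tcp
    port            = ${port}
    wait            = no
    user            = nobody
    redirect        = ${target_host} ${target_port}
    log_type        = SYSLOG daemon info
    log_on_success  = HOST PID DURATION
    log_on_failure  = HOST
}
EOF
}

# Write the stanza into xinetd's drop-in directory. Only runs when invoked as:
#   sh thisfile.sh apply
# Port 443 must be free on the relay host (nothing else listening, no DNAT rule
# for the same port) or xinetd cannot bind it.
install_conf() {
    xinetd_redirect_conf https-relay "$PORT" "$LAN_SERVER" "$PORT" \
        > /etc/xinetd.d/https-relay
}

if [ "${1:-}" = "apply" ]; then
    install_conf
fi
```

After installing the stanza, reload xinetd and confirm with the server's own access log that requests now arrive from the relay's LAN address rather than from the Internet clients; that is the trade-off this approach makes.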
* Re: Packet forwarding.
From: Antony Stone @ 2004-04-07 20:30 UTC
To: netfilter

On Wednesday 07 April 2004 9:04 pm, bdameron@tscnet.net wrote:

> I found an easier way to do this. xinetd can do port redirect. Worked
> perfectly. Thanks for your help.

You're welcome. Please call back again when you want to set up a secure firewall.

Regards,

Antony.

--
If you can't find an Open Source solution for it, then it isn't a real problem.

Please reply to the list; please don't CC me.
* Re: Packet forwarding.
From: Alexis @ 2004-04-07 17:28 UTC
To: bdameron, Netfilter

On Wed, 2004-04-07 at 14:00, bdameron@tscnet.net wrote:

> I have 2 linux machines. One is accessible via the outside world (Internet
> machine); the other has no outside connectivity (LAN machine). I need to redirect
> port 443 traffic to and from the LAN server via the Internet machine. Is this
> possible with Iptables? I have set up packet forwarding, but then the LAN server
> tries to connect directly to the client machine instead of to the Internet
> machine. Any direction appreciated.

With ACCEPT as the FORWARD policy, do this on the "internet" box:

# enable routing between the interfaces
echo '1' > /proc/sys/net/ipv4/ip_forward
# match the destination port (clients connect from ephemeral source ports), rewrite to the LAN server
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to LAN_IP:443
# hide the LAN behind the WAN address for outbound traffic
iptables -t nat -A POSTROUTING -o WAN_IF -j MASQUERADE

and set the "internet" machine as the default gateway of the LAN box.

This is a bad idea (it's only an approach); perhaps you _must_ read about connection tracking, SNAT and DNAT, then change some policies to DROP and improve these rules. See http://www.netfilter.org/documentation/index.html

Regards

--
Your problems cannot be solved at the same level of thinking you had when you created them. Albert Einstein
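Added example, not from Antony's or Alexis's posts: the "nat + forward" setup both of them describe, but emitted in iptables-restore format so the whole ruleset loads atomically instead of one iptables call at a time, with routing enabled by sysctl as Alexis's echo does. It also covers Brad's original symptom (the LAN server answering the client directly): when the LAN server's default gateway is not the firewall, the optional hairpin SNAT rule makes the server reply to the firewall, at the price of the server's logs showing the firewall's LAN address instead of the real client. Assumed values: eth0 is the external interface, eth1 the LAN interface, and 10.10.1.1 the firewall's LAN address (constructed); 10.10.1.110 and port 443 come from the thread. Unlike Antony's example this keeps OUTPUT at ACCEPT and admits loopback and established traffic on INPUT, so the firewall can still be administered.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): DNAT port 443 on the
# external interface to a LAN server and allow only that flow through FORWARD.
# Assumed: eth0 = external, eth1 = LAN, 10.10.1.1 = firewall LAN address (constructed).
# From the thread: LAN server 10.10.1.110, port 443.

EXT_IF="${EXT_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_SERVER="${LAN_SERVER:-10.10.1.110}"
FW_LAN_IP="${FW_LAN_IP:-10.10.1.1}"
PORT="${PORT:-443}"

# Print the ruleset in iptables-restore format.
# gen_rules 1 adds a hairpin SNAT on the LAN side so the server's replies come
# back to the firewall even when its default gateway is something else; the
# server then sees ${FW_LAN_IP} as the client, not the real Internet address.
gen_rules() {
    hairpin="${1:-0}"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i ${EXT_IF} -p tcp --dport ${PORT} -j DNAT --to-destination ${LAN_SERVER}:${PORT}
EOF
    if [ "$hairpin" = "1" ]; then
        printf -- '-A POSTROUTING -o %s -p tcp -d %s --dport %s -j SNAT --to-source %s\n' \
            "$LAN_IF" "$LAN_SERVER" "$PORT" "$FW_LAN_IP"
    fi
    cat <<EOF
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${EXT_IF} -o ${LAN_IF} -p tcp -d ${LAN_SERVER} --dport ${PORT} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Enable routing, then load the ruleset atomically (all-or-nothing on a syntax error).
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1
    gen_rules "$1" | iptables-restore
}

# Only touch the kernel when invoked explicitly as: sh thisfile.sh apply [1]
# (the trailing 1 enables the hairpin SNAT rule).
if [ "${1:-}" = "apply" ]; then
    apply_rules "${2:-0}"
fi
```

Run `sh thisfile.sh` with no argument to see the ruleset without applying it, and compare against `iptables-save` afterwards; the FORWARD rule matches on both interfaces and the destination address, so nothing other than the DNATed 443 flow crosses the box.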