Linux Netfilter discussions
* Packet forwarding.
From: bdameron @ 2004-04-07 17:00 UTC (permalink / raw)
  To: netfilter

I have 2 linux machines. One is accessible via the outside world (Internet
machine) the other has no outside connectivity (LAN Machine). I need to redirect
port 443 traffic to and from the LAN server via the Internet machine. Is this
possible with Iptables? I have setup packet forwarding but then the LAN server
tries to connect directly to the client machine instead of to the Internet
machine. Any direction appreciated.

-- 
Thank you,
Brad Dameron



* Re: Packet forwarding.
From: Antony Stone @ 2004-04-07 17:14 UTC (permalink / raw)
  To: netfilter

On Wednesday 07 April 2004 6:00 pm, bdameron@tscnet.net wrote:

>  I have 2 linux machines. One is accessible via the outside world (Internet
> machine) the other has no outside connectivity (LAN Machine). I need to
> redirect port 443 traffic to and from the LAN server via the Internet
> machine. Is this possible with Iptables?

Yes.   Have you read any of the tutorials or HOWTOs available from 
http://www.netfilter.org to find out what it can do and how to make it do it?

> I have setup packet forwarding but then the LAN server tries to connect
> directly to the client machine instead of to the Internet machine. Any
> direction appreciated.

If you tell us what your rules are and give us some more detail about your 
network setup, we might be able to help, however a better solution for you is 
to look at some of the excellent documentation available to learn how to do 
it yourself.   This is not a hard problem, and you will be able to manage 
your system much better in future if you understand more about how it works.

One very important detail which is not clear from your description above is: 
where is the "client machine" located?

Regards,

Antony.

-- 
In Heaven, the police are British, the chefs are Italian, the beer is Belgian, 
the mechanics are German, the lovers are French, the entertainment is 
American, and everything is organised by the Swiss.

In Hell, the police are German, the chefs are British, the beer is American, 
the mechanics are French, the lovers are Swiss, the entertainment is Belgian, 
and everything is organised by the Italians.

                                                     Please reply to the list;
                                                           please don't CC me.




* Re: Packet forwarding.
From: bdameron @ 2004-04-07 17:25 UTC (permalink / raw)
  To: netfilter

Quoting Antony Stone <Antony@Soft-Solutions.co.uk>:

> On Wednesday 07 April 2004 6:00 pm, bdameron@tscnet.net wrote:
> 
> >  I have 2 linux machines. One is accessible via the outside world (Internet
> > machine) the other has no outside connectivity (LAN Machine). I need to
> > redirect port 443 traffic to and from the LAN server via the Internet
> > machine. Is this possible with Iptables?
> 
> Yes.   Have you read any of the tutorials or HOWTOs available from 
> http://www.netfilter.org to find out what it can do and how to make it do
> it?
> 
> > I have setup packet forwarding but then the LAN server tries to connect
> > directly to the client machine instead of to the Internet machine. Any
> > direction appreciated.
> 
> If you tell us what your rules are and give us some more detail about your 
> network setup, we might be able to help, however a better solution for you is
> to look at some of the excellent documentation available to learn how to do 
> it yourself.   This is not a hard problem, and you will be able to manage 
> your system much better in future if you understand more about how it works.
> 
> One very important detail which is not clear from your description above is:
> where is the "client machine" located?
> 
> Regards,
> 
> Antony.
> 

  Client machine being anyone from the outside world. And I have looked over
some of the documentation. Basically there is no current firewall policies. Just
want anything coming in on xxx.xxx.xxx.xxx:443 (Internet Machine) to be routed
to 10.10.1.110:443 (Internal Lan Machine). Looks like I need to mangle the
packet header so that the Lan machine thinks that the Internet machine is
sending the packet and then have the Internet machine redirect the packet to the
client. Client again being someone on the Internet. Not sure if this can be done
or not. Correct me if I am wrong.

-- 
Thank you,
Brad Dameron



* Re: Packet forwarding.
From: Alexis @ 2004-04-07 17:28 UTC (permalink / raw)
  To: bdameron, Netfilter

On Wed, 2004-04-07 at 14:00, bdameron@tscnet.net wrote:
>  I have 2 linux machines. One is accessible via the outside world (Internet
> machine) the other has no outside connectivity (LAN Machine). I need to redirect
> port 443 traffic to and from the LAN server via the Internet machine. Is this
> possible with Iptables? I have setup packet forwarding but then the LAN server
> tries to connect directly to the client machine instead of to the Internet
> machine. Any direction appreciated.

Having ACCEPT as the FORWARD policy, do this in the "internet" box:


echo '1' > /proc/sys/net/ipv4/ip_forward
# --dport, not --sport: match the port the client connects to, then rewrite the destination
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to LAN_IP:443
# hide the LAN box behind the WAN address for traffic leaving on WAN_IF
iptables -t nat -A POSTROUTING -o WAN_IF -j MASQUERADE


and set the "internet" machine as the default gateway of the LAN box.


This is a bad idea (it's only an approach), perhaps you _must_ read about
connection tracking, SNAT and DNAT, then change some policies to DROP
and improve these rules.

see http://www.netfilter.org/documentation/index.html

Regards


-- 
Your problems cannot be solved at the same
mental level you had when you created them.
		Albert Einstein




* Re: Packet forwarding.
From: Antony Stone @ 2004-04-07 17:37 UTC (permalink / raw)
  To: netfilter

On Wednesday 07 April 2004 6:25 pm, bdameron@tscnet.net wrote:

> > If you tell us what your rules are and give us some more detail about
> > your network setup, we might be able to help, however a better solution
> > for you is to look at some of the excellent documentation available to
> > learn how to do it yourself.   This is not a hard problem, and you will be
> > able to manage your system much better in future if you understand more
> > about how it works.
> >
> > One very important detail which is not clear from your description above
> > is: where is the "client machine" located?
>
>   Client machine being anyone from the outside world. And I have looked
> over some of the documentation. Basically there is no current firewall
> policies. Just want anything coming in on xxx.xxx.xxx.xxx:443 (Internet
> Machine) to be routed to 10.10.1.110:443 (Internal Lan Machine).
>
> Looks like I need to mangle the packet header so that the Lan machine thinks
> that the Internet machine is sending the packet and then have the Internet
> machine redirect the packet to the client. Client again being someone on the
> Internet. Not sure if this can be done or not. Correct me if I am wrong.

With all due respect, yes, you are very wrong.   This is a simple "nat + 
forward" situation.

Since you haven't said what your ruleset is, I shall assume none, and give you 
an example of how to make work what you have asked for:

iptables -F
iptables -F -t nat
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 443 -d 10.10.1.110 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 10.10.1.110

If eth0 is not your external interface then change it in the above two rules 
for whatever your external interface is.

Regards,

Antony.

-- 
Abandon hope, all ye who enter here.
You'll feel much better about things once you do.

                                                     Please reply to the list;
                                                           please don't CC me.

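The "nat + forward" setup Antony lays out, written as an added example that is not code from the thread: the interface, LAN address and port are parameters, the script prints each rule by default so the ruleset can be reviewed before applying it with DRY_RUN=0, and the optional SNAT argument covers the return-path problem Brad ran into when the LAN server does not use the Internet machine as its default gateway (the fix Alexis mentions). The `port_forward` and `run` functions, the `-m conntrack` spelling of the state match and the sample address 203.0.113.10 are my choices, not the thread's.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the "nat + forward" ruleset
# for publishing a LAN server's TCP port through the Internet machine.
# Interface, addresses and port are placeholders passed as arguments.
# DRY_RUN=1 (the default) prints each command instead of running it, so the
# ruleset can be reviewed without root; set DRY_RUN=0 to apply it.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# port_forward WAN_IF LAN_IP PORT [SNAT_SRC]
port_forward() {
    wan_if=$1; lan_ip=$2; port=$3; snat_src=$4

    # 1. The kernel must be willing to route between interfaces at all.
    run sysctl -w net.ipv4.ip_forward=1

    # 2. Rewrite the destination of connections arriving on the WAN interface
    #    for $port to the LAN server. PREROUTING lives in the nat table.
    run iptables -t nat -A PREROUTING -i "$wan_if" -p tcp --dport "$port" \
        -j DNAT --to-destination "$lan_ip:$port"

    # 3. FORWARD sees the packet after DNAT, so match the LAN address, not the
    #    public one. Only new connections to that port plus replies of tracked
    #    connections get through; everything else hits the chain policy.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$wan_if" -p tcp --dport "$port" -d "$lan_ip" \
        -m conntrack --ctstate NEW -j ACCEPT

    # 4. Return path. Replies must come back through this box so conntrack can
    #    undo the DNAT; normally that means making this box the LAN server's
    #    default gateway. If that cannot be changed, SNAT the forwarded
    #    connections to an address of ours so the server answers us directly.
    #    The cost: the server then logs our address instead of the client's.
    if [ -n "$snat_src" ]; then
        run iptables -t nat -A POSTROUTING -p tcp -d "$lan_ip" --dport "$port" \
            -j SNAT --to-source "$snat_src"
    fi
}

# Sample invocation with the thread's values (eth0, port 443, 10.10.1.110);
# with the default DRY_RUN=1 this only prints the rules.
port_forward eth0 10.10.1.110 443
```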



* Re: Packet forwarding.
From: bdameron @ 2004-04-07 20:04 UTC (permalink / raw)
  To: netfilter

Quoting Antony Stone <Antony@Soft-Solutions.co.uk>:

> On Wednesday 07 April 2004 6:25 pm, bdameron@tscnet.net wrote:
> 
> > > If you tell us what your rules are and give us some more detail about
> > > your network setup, we might be able to help, however a better solution
> > > for you is to look at some of the excellent documentation available to
> > > learn how to do it yourself.   This is not a hard problem, and you will be
> > > able to manage your system much better in future if you understand more
> > > about how it works.
> > >
> > > One very important detail which is not clear from your description above
> > > is: where is the "client machine" located?
> >
> >   Client machine being anyone from the outside world. And I have looked
> > over some of the documentation. Basically there is no current firewall
> > policies. Just want anything coming in on xxx.xxx.xxx.xxx:443 (Internet
> > Machine) to be routed to 10.10.1.110:443 (Internal Lan Machine).
> >
> > Looks like I need to mangle the packet header so that the Lan machine thinks
> > that the Internet machine is sending the packet and then have the Internet
> > machine redirect the packet to the client. Client again being someone on the
> > Internet. Not sure if this can be done or not. Correct me if I am wrong.
> 
> With all due respect, yes, you are very wrong.   This is a simple "nat + 
> forward" situation.
> 
> Since you haven't said what your ruleset is, I shall assume none, and give you
> an example of how to make work what you have asked for:
> 
> iptables -F
> iptables -F -t nat
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i eth0 -p tcp --dport 443 -d 10.10.1.110 -j ACCEPT
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 10.10.1.110
> 
> If eth0 is not your external interface then change it in the above two rules
> for whatever your external interface is.
> 
> Regards,
> 
> Antony.
> 

I found an easier way to do this. xinetd can do port redirect. Worked perfectly.
Thanks for your help.

-- 
Thank you,
Brad Dameron



* Re: Packet forwarding.
From: Antony Stone @ 2004-04-07 20:30 UTC (permalink / raw)
  To: netfilter

On Wednesday 07 April 2004 9:04 pm, bdameron@tscnet.net wrote:

> I found an easier way to do this. xinetd can do port redirect. Worked
> perfectly. Thanks for your help.

You're welcome.

Please call back again when you want to set up a secure firewall.

Regards,

Antony.

-- 
If you can't find an Open Source solution for it, then it isn't a real 
problem.

                                                     Please reply to the list;
                                                           please don't CC me.



