Routing problem...

Routing problem...

[Michelle Konzack]

[-- Attachment #1: Type: text/plain, Size: 1572 bytes --]

*************************************************************************
* Do not Cc: me, because I am on THIS list, if I write here             *
* Keine Cc: am mich senden, bin auf DIESER Liste wenn ich hier schreibe *
*************************************************************************

Hello, 

I have 4 NICs in my Router and with two I have a problem:

eth0	-> public network with Servers
eth1    -> private network with Workstations.

I have following rules:

  ____ ( 'stdin' ) _____________________________________________________
 /
|  iptables -P INPUT ACCEPT
|  iptables -F INPUT 
|  iptables -P OUTPUT ACCEPT
|  iptables -F OUTPUT 
|  iptables -P FORWARD DROP
|  iptables -F FORWARD 
|  
|  iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

OK, I can SEND packages from my Workstations in eth1 
to the Servers in eth0

|  iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

Here comes the Packages from the Servers back and 
I allow to come into my private Network

 \______________________________________________________________________

But if I execute the script, I get: 

iptables: No chain/target/match by that name

Whats wrong ?
I have compiled Linux with ALL netfilter modules in.

Greetings
Michelle

-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/ 
Michelle Konzack   Apt. 917                  ICQ #328449886
                   50, rue de Soultz         MSM LinuxMichi
0033/3/88452356    67100 Strasbourg/France   IRC #Debian (irc.icq.com)

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: Routing problem...

[Sven Schuster]

[-- Attachment #1: Type: text/plain, Size: 755 bytes --]


Hi Michelle,

On Tue, Jul 27, 2004 at 09:23:29AM +0200, Michelle Konzack told us:
> 
>  \______________________________________________________________________
> 
> But if I execute the script, I get: 
> 
> iptables: No chain/target/match by that name
> 

at which iptables invocation do you get this error exactly?? Try
executing the script with "sh -x scriptname" and look where the
error occurs.
What kernel version are you using, what version of iptables?


Sven

> Whats wrong ?
> I have compiled Linux with ALL netfilter modules in.
> 
> Greetings
> Michelle



-- 
Linux zion 2.6.8-rc2 #1 Sun Jul 18 15:00:48 CEST 2004 i686 athlon i386 GNU/Linux
 09:40:33  up 8 days, 11:08,  1 user,  load average: 2.14, 2.07, 2.01

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: Routing problem...

[Michelle Konzack]

[-- Attachment #1: Type: text/plain, Size: 737 bytes --]

Good morning Sven, 

Am 2004-07-27 09:42:51, schrieb Sven Schuster:
>
>Hi Michelle,

>at which iptables invocation do you get this error exactly?? Try
>executing the script with "sh -x scriptname" and look where the
>error occurs.
>What kernel version are you using, what version of iptables?

It is the line with the ESTABLISHED,RELATED

I have found the lines in the Firewall-HOWTO 
and on <http://www.debianforum.de/>

>Sven

Greetings
Michelle

-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/ 
Michelle Konzack   Apt. 917                  ICQ #328449886
                   50, rue de Soultz         MSM LinuxMichi
0033/3/88452356    67100 Strasbourg/France   IRC #Debian (irc.icq.com)

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: Routing problem...

[Sven Schuster]

[-- Attachment #1: Type: text/plain, Size: 797 bytes --]


Hi Michelle,

On Tue, Jul 27, 2004 at 10:06:23AM +0200, Michelle Konzack told us:
> >at which iptables invocation do you get this error exactly?? Try
> >executing the script with "sh -x scriptname" and look where the
> >error occurs.

What kernel version are you using, what version of iptables? Is
your kernel a vanilla kernel.org kernel, are the iptables
matches/targets build into the kernel or are they built as
modules??


Sven

>
> It is the line with the ESTABLISHED,RELATED
>
> I have found the lines in the Firewall-HOWTO 
> and on <http://www.debianforum.de/>
>
> >Sven
>
> Greetings
> Michelle
>


-- 
Linux zion 2.6.8-rc2 #1 Sun Jul 18 15:00:48 CEST 2004 i686 athlon i386 GNU/Linux
 16:19:26  up 8 days, 17:47,  1 user,  load average: 0.10, 0.07, 0.10

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: Routing problem...

[Michelle Konzack]

[-- Attachment #1: Type: text/plain, Size: 1614 bytes --]

hello Sven, 

Am 2004-07-27 16:21:32, schrieb Sven Schuster:
>
>Hi Michelle,

>What kernel version are you using, what version of iptables? Is
>your kernel a vanilla kernel.org kernel, are the iptables
>matches/targets build into the kernel or are they built as
>modules??

Note:	My router is running Debian GNU/Linux 3.0r2 (WOODY)

  ____ ( 'apt-cache policy kernel-image-2.4.26 iptables' ) _____________
 /
|  kernel-source-2.4.26:
|    Installed: 2.4.26-4
|    Candidate: 2.4.26-4
|    Version Table:
|   *** 2.4.26-4 0
|          475 ftp://woody.debian.tamay-dogan.net woody/compile/main Packages
|       2.4.26-3 0
|          450 http://woody.debian.tamay-dogan.net woody/backports/main Packages
|          400 http://www.backports.org woody/all Packages
|  iptables:
|    Installed: 1.2.6a-5
|    Candidate: 1.2.6a-5
|    Version Table:
|       1.2.9-9.backports.org.1 0
|          450 http://woody.debian.tamay-dogan.net woody/backports/main Packages
|          400 http://www.backports.org woody/all Packages
|   *** 1.2.6a-5 0
|          600 http://woody.debian.tamay-dogan.net woody/main Packages
|          500 ftp://ftp.de.debian.org woody/main Packages
|          100 /var/lib/dpkg/status
 \______________________________________________________________________

>Sven


Greetings
Michelle

-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/ 
Michelle Konzack   Apt. 917                  ICQ #328449886
                   50, rue de Soultz         MSM LinuxMichi
0033/3/88452356    67100 Strasbourg/France   IRC #Debian (irc.icq.com)

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Routing problem

[Carlos Fernandez Sanz]

[-- Attachment #1: Type: text/plain, Size: 1251 bytes --]

I have a small problem setting up a routing exception here.

We have a small LAN with NAT-based internet access. Nothing special here. 
The router is a Linux box, with two NICs. One of them has a private address. The other one has a WAN address (it's a requirement of our provider that we use this address even if we have public addresses). 

Anyway, one of our users needs to go out using a public IP, and NAT doesn't do, because he needs to establish a connection encrypted where the IP address is part of a signature.

We do have spare IPs. The problem is that I can't add a route to him, route returns "network is unreachable".

Suppose NIC A in the linux box (route) is 192.168.21.1. NIC B is our public IP 1 (of a pool of five) A.B.C.1. Everyone gets out using this IP and NAT.
Now I want someone in the LAN to own the public IP A.B.C.2, however he is connected to the internal switch. 
I tried to do this

route add A.B.C.2 gw A.B.C.2 dev eth0 

But I get "network unreachable".

Before you ask: I can't connect this special computer to the same place I connect the linux box (which would be the obvious solution) because the carrier expects traffic to come from one WAN IP, owned by the linux box. 

All suggestions welcome.

[-- Attachment #2: Type: text/html, Size: 2443 bytes --]

Re: Routing problem

[Antony Stone]

On Friday 13 February 2004 3:39 pm, Carlos Fernandez Sanz wrote:

> I have a small problem setting up a routing exception here.
>
> We have a small LAN with NAT-based internet access. Nothing special here.
> The router is a Linux box, with two NICs. One of them has a private
> address. The other one has a WAN address (it's a requirement of our
> provider that we use this address even if we have public addresses).
>
> Before you ask: I can't connect this special computer to the same place I
> connect the linux box (which would be the obvious solution) because the
> carrier expects traffic to come from one WAN IP, owned by the linux box.

How do they expect you to use any of the other IPs in the pool they have given 
you?

Antony.

-- 
The words "e pluribus unum" on the Great Seal of the United States are from a 
poem by Virgil entitled "Moretum", which is about cheese and garlic salad 
dressing.

                                                     Please reply to the list;
                                                           please don't CC me.

Re: Routing problem

[Carlos Fernandez Sanz]

> >
> > Before you ask: I can't connect this special computer to the same place
I
> > connect the linux box (which would be the obvious solution) because the
> > carrier expects traffic to come from one WAN IP, owned by the linux box.
>
> How do they expect you to use any of the other IPs in the pool they have
given
> you?

I do use them by redirecting traffic from the linux box to the destination
boxes (such as all trafic for public IP 2 goes to 192.168.21.2, for
example). This works fine, *except* in this particular case, where any
NATing is not an option. I need the computer behind the linux box to
actually own the public address, because it signs packets with it.

Re: Routing problem

[Antony Stone]

On Friday 13 February 2004 4:30 pm, Carlos Fernandez Sanz wrote:

> > > Before you ask: I can't connect this special computer to the same place
> > > I connect the linux box (which would be the obvious solution) because
> > > the carrier expects traffic to come from one WAN IP, owned by the linux
> > > box.
> >
> > How do they expect you to use any of the other IPs in the pool they have
> > given you?
>
> I do use them by redirecting traffic from the linux box to the destination
> boxes (such as all trafic for public IP 2 goes to 192.168.21.2, for
> example). This works fine, *except* in this particular case, where any
> NATing is not an option. I need the computer behind the linux box to
> actually own the public address, because it signs packets with it.

I still don't understand.   One of your above statements must be incorrect:

 - either the ISP requires all your outgoing traffic to come from a single 
public address,

 - or you can send traffic from IP1, IP2, IP3 etc as you wish.

If the first is true (you have to send all traffic from just a single address) 
then I don't see how you can do NAT from IP2 to 192.168.21.2, because the 
reply packets going back out to the Internet are going to have the source 
address (after de-NATting) of IP2 - therefore you *are* being allowed to send 
from more than one public IP.

If the second is true (you can send from IP1, IP2, IP3 etc as you wish) then 
as you said in the first place, you can connect the user who wants to use 
some nasty protocol which embeds OSI layer 3 information into OSI layer 7 
traffic to the same place as your existing Linux box and give them a real 
public IP of their own.

What does your ISP claim will happen if you use more than one of your assigned 
pool of IP addresses for the source address of outgoing traffic?

Antony.

-- 
The first fifty percent of an engineering project takes ninety percent of the 
time, and the remaining fifty percent takes another ninety percent of the 
time.

Re: Routing problem

[Carlos Fernandez Sanz]

I'll try to express it more clearly, since you're not the only one who
didn't get me right :-)

The link between the carrier and the linux box happens using WAN addresses,
ie. 172.x.y.1 (them) <--> 172.x.y.99 (us). All traffic is exchanged using
those two addresses - they just won't route traffic not being routed from
172.x.y.99.

We own *5* public addresses, and they route the traffic to all those
addresses via 172.x.y.99 (our router).

The route also has 192.168.21.1 on another NIC, which is connected to our
own LAN. It also has our first public address - so traffic we generate to
internet uses this public address, and traffic coming from internet goes to
this public address. (being routed through the 172.x.y.z) addresses.

OK, so I said we have 5 public addresses, one being used for the router for
general internet access and 4 spare.

So far, when I needed someone to have a public IP (whatever the reason), I
just said in iptables "all packets from this internal IP address goes out
using this external IP address, and all packets coming from the outside for
this external address we send to this internal IP". Works fine.

Problem is, we have a specific situation where the real IP of the computer
behind the firewall matters, because it's used as part of the signature. So
I need this computer to actually *own* the address, and have the router just
forward the traffic from one interface to the other with no NAT whatsoever.

Just for the record, our user is a SAP employee who needs to access the SAP
internal network from our office. They have a setup to allow workers to
connect from home, etc, but obviously they didn't thought they could connect
from another LAN...

----- Original Message ----- 
From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
To: "netfilter" <netfilter@lists.netfilter.org>
Sent: Friday, February 13, 2004 18:12
Subject: Re: Routing problem


> On Friday 13 February 2004 4:30 pm, Carlos Fernandez Sanz wrote:
>
> > > > Before you ask: I can't connect this special computer to the same
place
> > > > I connect the linux box (which would be the obvious solution)
because
> > > > the carrier expects traffic to come from one WAN IP, owned by the
linux
> > > > box.
> > >
> > > How do they expect you to use any of the other IPs in the pool they
have
> > > given you?
> >
> > I do use them by redirecting traffic from the linux box to the
destination
> > boxes (such as all trafic for public IP 2 goes to 192.168.21.2, for
> > example). This works fine, *except* in this particular case, where any
> > NATing is not an option. I need the computer behind the linux box to
> > actually own the public address, because it signs packets with it.
>
> I still don't understand.   One of your above statements must be
incorrect:
>
>  - either the ISP requires all your outgoing traffic to come from a single
> public address,
>
>  - or you can send traffic from IP1, IP2, IP3 etc as you wish.
>
> If the first is true (you have to send all traffic from just a single
address)
> then I don't see how you can do NAT from IP2 to 192.168.21.2, because the
> reply packets going back out to the Internet are going to have the source
> address (after de-NATting) of IP2 - therefore you *are* being allowed to
send
> from more than one public IP.
>
> If the second is true (you can send from IP1, IP2, IP3 etc as you wish)
then
> as you said in the first place, you can connect the user who wants to use
> some nasty protocol which embeds OSI layer 3 information into OSI layer 7
> traffic to the same place as your existing Linux box and give them a real
> public IP of their own.
>
> What does your ISP claim will happen if you use more than one of your
assigned
> pool of IP addresses for the source address of outgoing traffic?
>
> Antony.
>
> -- 
> The first fifty percent of an engineering project takes ninety percent of
the
> time, and the remaining fifty percent takes another ninety percent of the
> time.
>
>

Re: Routing problem

[Antony Stone]

On Saturday 14 February 2004 8:41 am, Carlos Fernandez Sanz wrote:

> The link between the carrier and the linux box happens using WAN addresses,
> ie. 172.x.y.1 (them) <--> 172.x.y.99 (us). All traffic is exchanged using
> those two addresses - they just won't route traffic not being routed from
> 172.x.y.99.

Oh, so when you say "WAN address", you actually mean another private address 
(172.x.x.1), not the public address you've been assigned as part of your 
pool?

I think I understand now - you're talking about the router addresses which can 
talk to each other, not the source addresses of the packets being routed...

> We own *5* public addresses, and they route the traffic to all those
> addresses via 172.x.y.99 (our router).

Okay.

> The route also has 192.168.21.1 on another NIC, which is connected to our
> own LAN. It also has our first public address - so traffic we generate to
> internet uses this public address, and traffic coming from internet goes to
> this public address. (being routed through the 172.x.y.z) addresses.

What (exactly) do you mean by "It also has our first public address"?   Is 
that public IP assigned to one of your router's interfaces?   If it is, then 
simply connect the machine needing the second public IP address on it to that 
interface, pointing to the first public IP as the default route.   Provided 
your NAT rules are only applied to what was originally 192.168.21.x traffic, 
then those packets with (source address = second public IP) will simply go 
through the router and work without NAT.

If, on the other hand, you don't mean that the first public IP has been 
assigned to one of the interfaces on your router, then I see you have three 
choices (no doubt there are others, maybe some will be suggested by people):

1. Add another interface to the router, assign it your first public IP, and 
proceed as described in the paragraph above.

2. Add another interface to the machine requiring the public IP, make sure the 
software running on it binds to the public IP and not the private one, and 
set up a route on your router telling it "public IP number 2 can be found via 
this gateway", giving it the private address of the special machine as the 
gateway address.

3. Add an interface to the router and assign it some completely new IP 
address, outside any of the network ranges you are currently using (eg 
192.168.250.1), and create a point-to-point link to the machine requiring the 
public IP (which now needs only one interface, and is assigned that public 
IP, but again using a point-to-point route).

You might be able to achieve any of the above using a virtual interface 
instead of a physical one, but that would be harder to debug in the event of 
problems.

I hope we're getting somewhere now :)

> Just for the record, our user is a SAP employee who needs to access the SAP
> internal network from our office. They have a setup to allow workers to
> connect from home, etc, but obviously they didn't thought they could connect
> from another LAN...

Why don't they just use a VPN?

Antony.

-- 
In science, one tries to tell people
in such a way as to be understood by everyone
something that no-one ever knew before.

In poetry, it is the exact opposite.

 - Paul Dirac

Re: Routing problem

[Carlos Fernandez Sanz]

> > The link between the carrier and the linux box happens using WAN
addresses,
> > ie. 172.x.y.1 (them) <--> 172.x.y.99 (us). All traffic is exchanged
using
> > those two addresses - they just won't route traffic not being routed
from
> > 172.x.y.99.
>
> Oh, so when you say "WAN address", you actually mean another private
address
> (172.x.x.1), not the public address you've been assigned as part of your
> pool?

Exactly. WAN is the term the carrier uses for this.
>
> I think I understand now - you're talking about the router addresses which
can
> talk to each other, not the source addresses of the packets being
routed...

Exactly. Those are always public IP addresses.

> > The route also has 192.168.21.1 on another NIC, which is connected to
our
> > own LAN. It also has our first public address - so traffic we generate
to
> > internet uses this public address, and traffic coming from internet goes
to
> > this public address. (being routed through the 172.x.y.z) addresses.
>
> What (exactly) do you mean by "It also has our first public address"?   Is
> that public IP assigned to one of your router's interfaces?   If it is,
then
> simply connect the machine needing the second public IP address on it to
that
> interface, pointing to the first public IP as the default route.
Provided
> your NAT rules are only applied to what was originally 192.168.21.x
traffic,
> then those packets with (source address = second public IP) will simply go
> through the router and work without NAT.
>
> If, on the other hand, you don't mean that the first public IP has been
> assigned to one of the interfaces on your router, then I see you have
three
> choices (no doubt there are others, maybe some will be suggested by
people):
>
> 1. Add another interface to the router, assign it your first public IP,
and
> proceed as described in the paragraph above.
>
> 2. Add another interface to the machine requiring the public IP, make sure
the
> software running on it binds to the public IP and not the private one, and
> set up a route on your router telling it "public IP number 2 can be found
via
> this gateway", giving it the private address of the special machine as the
> gateway address.
>
> 3. Add an interface to the router and assign it some completely new IP
> address, outside any of the network ranges you are currently using (eg
> 192.168.250.1), and create a point-to-point link to the machine requiring
the
> public IP (which now needs only one interface, and is assigned that public
> IP, but again using a point-to-point route).
>
> You might be able to achieve any of the above using a virtual interface
> instead of a physical one, but that would be harder to debug in the event
of
> problems.
>
> I hope we're getting somewhere now :)
>
> > Just for the record, our user is a SAP employee who needs to access the
SAP
> > internal network from our office. They have a setup to allow workers to
> > connect from home, etc, but obviously they didn't thought they could
connect
> > from another LAN...
>
> Why don't they just use a VPN?
>
> Antony.
>
> -- 
> In science, one tries to tell people
> in such a way as to be understood by everyone
> something that no-one ever knew before.
>
> In poetry, it is the exact opposite.
>
>  - Paul Dirac
>
>

Re: Routing problem

[Carlos Fernandez Sanz]

(sorry, the first time it went out incomplete)

> > The link between the carrier and the linux box happens using WAN
addresses,
> > ie. 172.x.y.1 (them) <--> 172.x.y.99 (us). All traffic is exchanged
using
> > those two addresses - they just won't route traffic not being routed
from
> > 172.x.y.99.
>
> Oh, so when you say "WAN address", you actually mean another private
address
> (172.x.x.1), not the public address you've been assigned as part of your
> pool?

Exactly. WAN is the term the carrier uses for this.
>
> I think I understand now - you're talking about the router addresses which
can
> talk to each other, not the source addresses of the packets being
routed...

Exactly. Those are always public IP addresses.

> > The route also has 192.168.21.1 on another NIC, which is connected to
our
> > own LAN. It also has our first public address - so traffic we generate
to
> > internet uses this public address, and traffic coming from internet goes
to
> > this public address. (being routed through the 172.x.y.z) addresses.
>
> What (exactly) do you mean by "It also has our first public address"?   Is
> that public IP assigned to one of your router's interfaces?   If it is,

Actually I don't have it *assigned*, because the interface where packets
come from internet has 172.x.y.99... so when anything comes to our first
public address, I DNAT it to the router private address. I guess I could 'ip
addr add' the IP instead of doing this.
then
> simply connect the machine needing the second public IP address on it to
that
> interface,

How? By connecting the router interface, the second machine, and the carrier
gateway to the same switch/hub? I'm not sure that would do, remember that
packets to the internet must come from the router using the 172.x.y.99
address...so the second machine and the carrier gateway can't talk to each
other directly.


Carlos.

Re: Routing problem

[Antony Stone]

On Saturday 14 February 2004 3:19 pm, Carlos Fernandez Sanz wrote:

> > What (exactly) do you mean by "It also has our first public address"?  
> > Is that public IP assigned to one of your router's interfaces?   If it
> > is,
>
> Actually I don't have it *assigned*, because the interface where packets
> come from internet has 172.x.y.99... so when anything comes to our first
> public address, I DNAT it to the router private address. I guess I could
> 'ip addr add' the IP instead of doing this.

> > then simply connect the machine needing the second public IP address on it
> > to that interface,
>
> How? By connecting the router interface, the second machine, and the
> carrier gateway to the same switch/hub?

No, the router (external I/F) is connected to the carrier gateway (these are 
talking to each other ising 172.x.y.z).   Leave these as they are and connect 
nothing else to them.

Assign public IP number 1 as a second address to the router's internal 
interface (alongside 192.168.21.1), and assign public IP number 2 to the 
machine which is causing all the trouble.   That machine is already connected 
to your internal hub/switch, so therefore it can talk to the router, using 
public IP number 1 as its default gateway address.

Hope this is clear now.

Why didn't the user requiring secure access to the system just use a VPN?

Antony.

-- 
My New Year's resolution is not to make any resolutions I can't keep.

I'm wondering whether I've failed already.

Re: Routing problem

[Scott MacKay]

AH, I think I get what you are saying.  
You have a linux doing NAT, 1 public IP on the outside
and 1 private on the inside.  You also have a spare
public IP which you want to put on a client so they
can do some funky things which requires them having a
real IP address.
1 question about your statement.  Where you say
"carrier expects traffic to come from one WAN IP"
kinda goes against what you implied by "public IP 2". 
If you have 2 pubic IPs, they they cannot expect your
traffic to come from 1 WAN IP.  Even if you NAT a
private address explicitly to the 2nd public IP
address that counts as 2.  Do you have 1 or 2 public
IP addresses?  
If you are given 2, then you should be able to do the
config mentioned, putting the client on the same side
as the router's public IP (since they are both in the
same class C).  If you have 1, well you are SOL.








--- Carlos Fernandez Sanz <cfs-netfilter@nisupu.com>
wrote:
> > >
> > > Before you ask: I can't connect this special
> computer to the same place
> I
> > > connect the linux box (which would be the
> obvious solution) because the
> > > carrier expects traffic to come from one WAN IP,
> owned by the linux box.
> >
> > How do they expect you to use any of the other IPs
> in the pool they have
> given
> > you?
> 
> I do use them by redirecting traffic from the linux
> box to the destination
> boxes (such as all trafic for public IP 2 goes to
> 192.168.21.2, for
> example). This works fine, *except* in this
> particular case, where any
> NATing is not an option. I need the computer behind
> the linux box to
> actually own the public address, because it signs
> packets with it.
> 
> 


__________________________________
Do you Yahoo!?
Yahoo! Finance: Get your refund fast by filing online.
http://taxes.yahoo.com/filing.html

Re: Routing problem

[Carlos Fernandez Sanz]

Scott,

By "carrier expects traffic to come from one WAN IP" I don't mean it has to
have that origin IP but come from a router with that IP.

Obviously they assumed that the regular setup is

Internet <----> their router <-----> our router <------> Box with IP #1
(could be a firewall) <-----> NAT

(i.e. there would be one router whose job in life is to get traffic from
their router and direct it to us)

However we are a small company and we need to have everything in one box,
i.e. the router that connects with the carrier, the firewall, the web
server, etc :-)



----- Original Message ----- 
From: "Scott MacKay" <scottmackay@yahoo.com>
To: "Carlos Fernandez Sanz" <cfs-netfilter@nisupu.com>; "netfilter"
<netfilter@lists.netfilter.org>
Sent: Friday, February 13, 2004 18:16
Subject: Re: Routing problem


> AH, I think I get what you are saying.
> You have a linux doing NAT, 1 public IP on the outside
> and 1 private on the inside.  You also have a spare
> public IP which you want to put on a client so they
> can do some funky things which requires them having a
> real IP address.
> 1 question about your statement.  Where you say
> "carrier expects traffic to come from one WAN IP"
> kinda goes against what you implied by "public IP 2".
> If you have 2 pubic IPs, they they cannot expect your
> traffic to come from 1 WAN IP.  Even if you NAT a
> private address explicitly to the 2nd public IP
> address that counts as 2.  Do you have 1 or 2 public
> IP addresses?
> If you are given 2, then you should be able to do the
> config mentioned, putting the client on the same side
> as the router's public IP (since they are both in the
> same class C).  If you have 1, well you are SOL.
>
>
>
>
>
>
>
>
> --- Carlos Fernandez Sanz <cfs-netfilter@nisupu.com>
> wrote:
> > > >
> > > > Before you ask: I can't connect this special
> > computer to the same place
> > I
> > > > connect the linux box (which would be the
> > obvious solution) because the
> > > > carrier expects traffic to come from one WAN IP,
> > owned by the linux box.
> > >
> > > How do they expect you to use any of the other IPs
> > in the pool they have
> > given
> > > you?
> >
> > I do use them by redirecting traffic from the linux
> > box to the destination
> > boxes (such as all trafic for public IP 2 goes to
> > 192.168.21.2, for
> > example). This works fine, *except* in this
> > particular case, where any
> > NATing is not an option. I need the computer behind
> > the linux box to
> > actually own the public address, because it signs
> > packets with it.
> >
> >
>
>
> __________________________________
> Do you Yahoo!?
> Yahoo! Finance: Get your refund fast by filing online.
> http://taxes.yahoo.com/filing.html
>

Re: Routing problem

[John A. Sullivan III]

On Fri, 2004-02-13 at 10:39, Carlos Fernandez Sanz wrote:
> I have a small problem setting up a routing exception here.
>  
> We have a small LAN with NAT-based internet access. Nothing special
> here. 
> The router is a Linux box, with two NICs. One of them has a private
> address. The other one has a WAN address (it's a requirement of our
> provider that we use this address even if we have public addresses). 
>  
> Anyway, one of our users needs to go out using a public IP, and NAT
> doesn't do, because he needs to establish a connection encrypted where
> the IP address is part of a signature.
>  
> We do have spare IPs. The problem is that I can't add a route to him,
> route returns "network is unreachable".
>  
> Suppose NIC A in the linux box (route) is 192.168.21.1. NIC B is our
> public IP 1 (of a pool of five) A.B.C.1. Everyone gets out using this
> IP and NAT.
> Now I want someone in the LAN to own the public IP A.B.C.2, however he
> is connected to the internal switch. 
> I tried to do this
>  
> route add A.B.C.2 gw A.B.C.2 dev eth0 
>  
> But I get "network unreachable".
>  
> Before you ask: I can't connect this special computer to the same
> place I connect the linux box (which would be the obvious solution)
> because the carrier expects traffic to come from one WAN IP, owned by
> the linux box. 
>  
> All suggestions welcome.

Hmmm . . . what type of encryption are you doing? I assume it is not
IPSec as that should work with a one-to-one NAT.

I have never tried to use iptables in a bridging rather than routing
scenario.  I do not know if it would be possible to set up the user's
computer on a separate network that speaks to a third interface on the
gateway as a bridged rather than routed network.

If it is not the act of NAT itself that breaks the packet but rather
having a different IP header address than the IP address embedded in
layer 7, I wonder if you could do something as outrageous as a double
NAT.  In other words, the user lives on their own network with the
A.B.C.2 address.  They are connected to the internal network through a
NAT gateway which translates A.B.C.2 into 192.168.21.2 (or whatever
fixed address you want).  The Internet gateway then NATs 192.168.21.2
into A.B.C.2.

As you can probably tell, I haven't thought through any of these ideas. 
They may be entirely foolhardy but just thought I'd throw out some quick
outside-the-box (every pun intended) thoughts.  Good luck - John
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net 

Routing problem

[GG Noris]

Hello.
I have a problem  in my network. i need to substitute my internet line
with 16 public ip with another line with other 16 ip.

my current functioning situation is:

1 lan 192.168.100.0/24
1 dmz	10.100.200.0/24
1 public zone 80.x.x.16/29

this 3 network are connected wit an iptables machine. fot lan i use nat
for navigate, for dmz i use port traslation to public my service in the
public zone.

all function well for 2 years.

now i need to change my public zone without loss of services.
my little brain have thinked to up another firewall box iptables and put
it with 1 nic in dmz to serve as new GW and another nic in the new
public zone. afther i public the same services with this new FW in the
new public zone. sure do not function... i have tryed but not.

in this new configuration the service from server1 smtp ( that have
always the old GW to goin out ) is functioning to the old public zone,
but when i contact the server1 smtp ftom the new public zone, my server
recive only SYN packet. but do not respond and the service smtp do not
function.

My problem is to find a solution for the migration.

my little brain.. tel me to put another nic an the old FW and use this
with 2 public zones and having only one PAT and NAT machine... is this
the solution or there is a good solution ???


THANX in adv. 

GG

Routing Problem

[Tom Fischer]

Hi,

I have 2 Machines connected to the Internet via DSL. The first machine 
is the default gateway on all machines in the LAN. I've 2 Machines 
because i want to use the second as a fallback. But now i want to route 
a few services over the second machine, like E-Mail.

For testing i wanted to route a host over the second machine. I followed 
the Adv-Routing-HOWTO and placed:

iptables -I PREROUTING -i eth0 -t mangle -p tcp -s host -j MARK --set-mark 1
echo 201 test >> /etc/iproute2/rt_tables
ip rule add fwmark 1 table test
ip route add default via xxx.xxx.xxx.xxx dev eth2 table test

xxx.xxx.xxx.xxx is the IP of the second Machine connected to the first 
via a Crossover-Cable. This works fine, both machines can ping the other.

This setup didn't work. Did i miss something?

Hope anybody can help me out.

Regards, Tom

-- 
Tom Fischer			ABH Marketingservice GmbH
System Administrator		Weisshaustrasse 23a
Tel: 0221-94400446		50939 Koeln
http://www.abh.de