Re: netfilter question

Re: netfilter question

[John Black]

>
>this assumption is because you're saying 161.x.x.x/21  as destination,
>all other destinations that doesnt belong to 161.x.x.x to
>161.x.x+8.x+255 will be not nat'ed
>

right now i just have 1 class C private network.

At work i have a static class B ipaddress of 161.x.x.x/255.255.252.0 with the
private class C network 192.168.0.0/255.255.255.0

john
http://www.arbbs.net/

Re: netfilter question

[Antony Stone]

On Thursday 19 February 2004 4:23 pm, John Black wrote:

> >this assumption is because you're saying 161.x.x.x/21  as destination,
> >all other destinations that doesnt belong to 161.x.x.x to
> >161.x.x+8.x+255 will be not nat'ed
>
> right now i just have 1 class C private network.
>
> At work i have a static class B ipaddress of 161.x.x.x/255.255.252.0 with
> the private class C network 192.168.0.0/255.255.255.0

We are talking about the *destination* address of your packets.

The SNAT rule you currently have:

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -d 161.x.x.x/21 -j 
SNAT --to 161.x.x.x

Says:

 - for packets which have a source address in the range 192.168.0.0/24
 - and are going out of interface eth0
 - and have a destination address in the range 161.x.x.x/21
translate the source address to 161.x.x.x

Any other packets (eg: ones with a destination address of the netfilter 
website server) will not match this rule, and will not be translated.

I think you simply need to remove the "-d 161.x.x.x/21" from your rule and 
things will start working the way you want.

Regards,

Antony.

-- 
Ramdisk is not an installation procedure.

                                                     Please reply to the list;
                                                           please don't CC me.

Re: netfilter question

[John Black]

>I think you simply need to remove the "-d 161.x.x.x/21" from your rule and

>things will start working the way you want.
>
>Regards,
>

just wanted to make sure this is right.
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0  -j SNAT --to 161.x.x.x


<iptables -t nat -L -n> gives me

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
 
Chain POSTROUTING (policy ACCEPT) 
target     prot opt source               destination
SNAT       all  --  192.168.0.0/24       0.0.0.0/0          to:161.x.x.x

is that right? so that should mask my internetwork?  

john
 

http://www.arbbs.net/

Re: netfilter question

[Antony Stone]

On Thursday 19 February 2004 8:25 pm, John Black wrote:

> >I think you simply need to remove the "-d 161.x.x.x/21" from your rule and
> >
> >things will start working the way you want.
>
> just wanted to make sure this is right.
> iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0  -j SNAT --to
> 161.x.x.x

Yes, that's what I meant.

> <iptables -t nat -L -n> gives me
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> SNAT       all  --  192.168.0.0/24       0.0.0.0/0          to:161.x.x.x

A better command is "iptables -t nat -l -nv" because the v option also shows 
the interface names.

Regards,

Antony.

-- 
I'm pink, therefore I'm Spam.

                                                     Please reply to the list;
                                                           please don't CC me.

Re: netfilter question

[John Black]

>
> - for packets which have a source address in the range 192.168.0.0/24
> - and are going out of interface eth0
> - and have a destination address in the range 161.x.x.x/21
>translate the source address to 161.x.x.x
>
>Any other packets (eg: ones with a destination address of the netfilter 
>website server) will not match this rule, and will not be translated.
>
>I think you simply need to remove the "-d 161.x.x.x/21" from your rule and

>things will start working the way you want.
>
>Regards,
>
>Antony.
thanks i will try it when i get to work.

john
http://www.arbbs.net/

Re: netfilter question

[John Black]

>if 24 bits define a mask that is considered as Class C
>
>24-21 = 3 
>2 power 3 = 8 
>
>so, its 8 /24 or 8 Class C networks.

sorry it has been awhile since i have had basic networking.
http://www.arbbs.net/

Re: netfilter question

[John Black]

>
>Okay, so that rule is going to hide your 192.168.0.0/24 >network behind the
public address of the firewall for all >packets going to addresses in the range
161.x.x.x/21 (ie 8 >Class C's in size).
8 Class C's?

>How are you testing this and deciding it doesn't work?
im testing it with my windows machine going to the msn chat rooms, because i
know i will show you what ip address you are coming from.  is there a better
way to check it.

>(By the way, why are you only translating packets which are >going to (presumably)
your ISP?   What about packets going >anywhere else on the Internet?).

I thought that translated all of the packets?  How is it only translating packets
to the ISP?

john
http://www.arbbs.net/

Re: netfilter question

[Alexis]

On Thu, 2004-02-19 at 11:13, John Black wrote:
> >
> >Okay, so that rule is going to hide your 192.168.0.0/24 >network behind the
> public address of the firewall for all >packets going to addresses in the range
> 161.x.x.x/21 (ie 8 >Class C's in size).
> 8 Class C's?

if 24 bits define a mask that is considered as Class C

24-21 = 3 
2 power 3 = 8 

so, its 8 /24 or 8 Class C networks.



> 
> >How are you testing this and deciding it doesn't work?
> im testing it with my windows machine going to the msn chat rooms, because i
> know i will show you what ip address you are coming from.  is there a better
> way to check it.

www.whatsmyipaddress.com is a lazy but effective way :)

or just simply log or sniff output packets


> >(By the way, why are you only translating packets which are >going to (presumably)
> your ISP?   What about packets going >anywhere else on the Internet?).
> 
> I thought that translated all of the packets?  How is it only translating packets
> to the ISP?
> 

this assumption is because you're saying 161.x.x.x/21  as destination,
all other destinations that doesnt belong to 161.x.x.x to
161.x.x+8.x+255 will be not nat'ed




> john
> http://www.arbbs.net/
-- 
Alexis <alexis@attla.net.ar>

Re: netfilter question

[John Black]

>Please post your complete ruleset, including the definitions >of variables such

>

here are the rule sets.  
iptables -A FORWARD -i eth0 -o eth1 -m state --state \ESTABLISHED, RELATED -j
ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -j LOG

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 \
-d 161.x.x.x/21 -j SNAT --to 161.x.x.x

<iptables -L -nvx>

Chain INPUT (policy ACCEPT 127 packets, 9436 bytes)
pkts  bytes target  prot opt in   out   source   destination


Chain FORWARD (policy ACCEPT 36 packets, 1709 bytes)
pkts     bytes target      prot opt    in    out     source
destination
 0       0    ACCEPT   all     --    eth0  eth1   0.0.0.0/0    0.0.0.0/0 state
RELATED, ESTABLISHED

 0       0    ACCEPT   all     --    eth1  eth0   0.0.0.0/0    0.0.0.0/0

 0       0    ACCEPT   all     --    *        *      0.0.0.0/0    0.0.0.0/0
LOG flags 0 level 4

Chain OUTPUT (policy ACCEPT 74 packets, 8568 bytes)
pkts  bytes target  prot opt in   out   source   destination

<iptables -t nat -L> 
target  prot opt source            destination 
SNAT    all  --  192.168.0.0/24    161.x.x.x/21 to:161.x.x.x


John
http://www.arbbs.net/

Re: netfilter question

[Antony Stone]

On Thursday 19 February 2004 1:38 pm, John Black wrote:

> here are the rule sets.
> iptables -A FORWARD -i eth0 -o eth1 -m state --state \ESTABLISHED, RELATED
> -j ACCEPT
> iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
> iptables -A FORWARD -j LOG
>
> iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 \
> -d 161.x.x.x/21 -j SNAT --to 161.x.x.x

Okay, so that rule is going to hide your 192.168.0.0/24 network behind the 
public address of the firewall for all packets going to addresses in the 
range 161.x.x.x/21 (ie 8 Class C's in size).

How are you testing this and deciding it doesn't work?

(By the way, why are you only translating packets which are going to 
(presumably) your ISP?   What about packets going anywhere else on the 
Internet?).

Antony.

-- 
The words "e pluribus unum" on the Great Seal of the United States are from a 
poem by Virgil entitled "Moretum", which is about cheese and garlic salad 
dressing.

                                                     Please reply to the list;
                                                           please don't CC me.

netfilter question

[John Black]

I'm trying to install a gateway/router with Red Hat 9 kernel 2.4.24 and the
stock
iptables 1.2.7a, with full NAT compiled into the kernel. I have read the
howto
at netfilter.org, even have the same line of code.  But it sill will not
change
the source address.

here is the line of code and the result of the command <iptables -L -nvx>

iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED, RELATED -j
ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -j LOG

Chain INPUT (policy ACCEPT 127 packets, 9436 bytes)
pkts  bytes target  prot opt in   out   source   destination


Chain FORWARD (policy ACCEPT 36 packets, 1709 bytes)
pkts     bytes target      prot opt    in    out     source
destination
 0       0    ACCEPT   all     --    eth0  eth1   0.0.0.0/0    0.0.0.0/0
state RELATED, ESTABLISHED

 0       0    ACCEPT   all     --    eth1  eth0   0.0.0.0/0    0.0.0.0/0

 0       0    ACCEPT   all     --    *        *      0.0.0.0/0    0.0.0.0/0
LOG flags 0 level 4

Chain OUTPUT (policy ACCEPT 74 packets, 8568 bytes)
pkts  bytes target  prot opt in   out   source   destination


I new to security of a network. Am I close?

thanks
john

Re: netfilter question

[Klemen Kecman]

For dynamic IP (ADSL)
$IPT -t nat -A POSTROUTING -o $IF_INET -j MASQUERADE

and for static IP (Cable)
$IPT -A POSTROUTING -t nat -s $IP_LAN_RNG -o $IF_NET -j SNAT --to-source
$IP_NET


That is for routing. If you want to secure your network and the router
itselfe it takes alot more .. like setting up a firewall :)

Klemen Kecman
Sting d.o.o.
Smartinska 106
1000 Ljubljana - SI
+386 1 5246033
+386 41 456421

----- Original Message -----
From: "John Black" <black@arbbs.net>
To: <netfilter@lists.netfilter.org>
Sent: Thursday, February 19, 2004 4:32 AM
Subject: netfilter question


> I'm trying to install a gateway/router with Red Hat 9 kernel 2.4.24 and
the
> stock
> iptables 1.2.7a, with full NAT compiled into the kernel. I have read the
> howto
> at netfilter.org, even have the same line of code.  But it sill will not
> change
> the source address.
>
> here is the line of code and the result of the command <iptables -L -nvx>
>
> iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,
RELATED -j
> ACCEPT
> iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
> iptables -A FORWARD -j LOG
>
> Chain INPUT (policy ACCEPT 127 packets, 9436 bytes)
> pkts  bytes target  prot opt in   out   source   destination
>
>
> Chain FORWARD (policy ACCEPT 36 packets, 1709 bytes)
> pkts     bytes target      prot opt    in    out     source
> destination
>  0       0    ACCEPT   all     --    eth0  eth1   0.0.0.0/0    0.0.0.0/0
> state RELATED, ESTABLISHED
>
>  0       0    ACCEPT   all     --    eth1  eth0   0.0.0.0/0    0.0.0.0/0
>
>  0       0    ACCEPT   all     --    *        *      0.0.0.0/0
0.0.0.0/0
> LOG flags 0 level 4
>
> Chain OUTPUT (policy ACCEPT 74 packets, 8568 bytes)
> pkts  bytes target  prot opt in   out   source   destination
>
>
> I new to security of a network. Am I close?
>
> thanks
> john
>
>
>
>

Re: netfilter question

[Antony Stone]

On Thursday 19 February 2004 8:19 am, Klemen Kecman wrote:

> For dynamic IP (ADSL)
> and for static IP (Cable)

I know this is off-topic, but I just thought I'd point out that these are not 
universal distinctions.   Different operators provide different services.   
For example, I have a dynamic IP cable service from NTL, and a static IP ADSL 
service from BT, here in the UK.

Antony.

-- 
The idea that Bill Gates appeared like a knight in shining armour to lead all 
customers out of a mire of technological chaos neatly ignores the fact that 
it was he who, by peddling second-rate technology, led them into it in the 
first place.

 - Douglas Adams in The Guardian, 25th August 1995

                                                     Please reply to the list;
                                                           please don't CC me.

Re: netfilter question

[John Black]

> $IPT -A POSTROUTING -t nat -s $IP_LAN_RNG -o $IF_NET -j SNAT --to-source
> $IP_NET
i have that line in my firewall script. but it still doesn't mask my
internet work

> That is for routing. If you want to secure your network and the router
> itselfe it takes alot more .. like setting up a firewall :)
>
I have that part setup.  All ports a block but the ones that I need. the
firewall will drop all pings to the outside nic and inside nic.  I just have
to mask the internal network

Re: netfilter question

[Antony Stone]

On Thursday 19 February 2004 1:06 pm, John Black wrote:

> > $IPT -A POSTROUTING -t nat -s $IP_LAN_RNG -o $IF_NET -j SNAT --to-source
> > $IP_NET
>
> i have that line in my firewall script. but it still doesn't mask my
> internet work

Please post your complete ruleset, including the definitions of variables such 
as $IP_LAN_RNG, so we can see if there's something wrong.   By all means 
disguise any public IP's if you wish, but not so much that we can't tell 
which one is which (if you have more than one).

Please also tell us how you are testing the rules and why you think it doesn't 
work (I know that may sound obvious, but every little helps...)

Regards,

Antony.

-- 
Your work is both good and original.  Unfortunately the parts that are good 
aren't original, and the parts that are original aren't good.

 - Samuel Johnson

                                                     Please reply to the list;
                                                           please don't CC me.