Plz i need help.... or i ll be fired :(

Plz i need help.... or i ll be fired :(

[Alaios]

Hi plz take a look at the following example

The laptop has 2 ethernet interfaces
To eth1 comes traffic from src 143.233.222.253
The eth0 has ip address 10.2.4.2 and it is connected
back to back with eth1 of other pc with ip address
10.2.4.1
I want to forward the traffic with src 143.233.222.253
to the 10.2.4.1 pc and if it works i will redo this
for a second pc so as to l send the traffic to a third
on.
Can u help me plz?

I have tried this one
iptables -t nat -A PREROUTING -i eth1 -s
143.233.222.253 -j DNAT --to-destination 10.2.4.1
i have also set the
/proc/sys/net/ipv4/ip_forward to 1
but still i cant see any trafiic to eth0 interface (ip
10.2.4.2)


I have also tested this one
iptables -t nat -A PREROUTING -p tcp -d 143.233.222.77
(laptop eth1 card) --dport 22453 (i have cheched dst
port with tcpdump) 00 -j DNAT --to-destination
10.2.4.1
this still doesnt work
Every time i try to apply a new rule i use first
the iptables -F
iptables -t nat -F command





		
__________________________________ 
Yahoo! Mail - PC Magazine Editors' Choice 2005 
http://mail.yahoo.com

Re: Plz i need help.... or i ll be fired :(

[Sp0oKeR]

Try add

iptables -I POSTROUTING -t nat -o eth1 -j MASQUERADE

And make sure that second machine has first machine (IP) as gateway.

Att,


On 9/27/05, Alaios <alaios@yahoo.com> wrote:
>
> Hi plz take a look at the following example
>
> The laptop has 2 ethernet interfaces
> To eth1 comes traffic from src 143.233.222.253 <http://143.233.222.253>
> The eth0 has ip address 10.2.4.2 <http://10.2.4.2> and it is connected
> back to back with eth1 of other pc with ip address
> 10.2.4.1 <http://10.2.4.1>
> I want to forward the traffic with src 143.233.222.253<http://143.233.222.253>
> to the 10.2.4.1 <http://10.2.4.1> pc and if it works i will redo this
> for a second pc so as to l send the traffic to a third
> on.
> Can u help me plz?
>
> I have tried this one
> iptables -t nat -A PREROUTING -i eth1 -s
> 143.233.222.253 <http://143.233.222.253> -j DNAT --to-destination 10.2.4.1<http://10.2.4.1>
> i have also set the
> /proc/sys/net/ipv4/ip_forward to 1
> but still i cant see any trafiic to eth0 interface (ip
> 10.2.4.2 <http://10.2.4.2>)
>
>
> I have also tested this one
> iptables -t nat -A PREROUTING -p tcp -d 143.233.222.77<http://143.233.222.77>
> (laptop eth1 card) --dport 22453 (i have cheched dst
> port with tcpdump) 00 -j DNAT --to-destination
> 10.2.4.1 <http://10.2.4.1>
> this still doesnt work
> Every time i try to apply a new rule i use first
> the iptables -F
> iptables -t nat -F command
>
>
>
>
>
>
> __________________________________
> Yahoo! Mail - PC Magazine Editors' Choice 2005
> http://mail.yahoo.com
>
>


--
=====================
Rodrigo Ribeiro Montoro
Desenvolvedor BRMAlinux
spooker@brc.com.br
RHCE/LPIC-I
=====================

Re: Plz i need help.... or i ll be fired :(

[John A. Sullivan III]

On Tue, 2005-09-27 at 07:57 -0700, Alaios wrote:
> Hi plz take a look at the following example
> 
> The laptop has 2 ethernet interfaces
> To eth1 comes traffic from src 143.233.222.253
> The eth0 has ip address 10.2.4.2 and it is connected
> back to back with eth1 of other pc with ip address
> 10.2.4.1
> I want to forward the traffic with src 143.233.222.253
> to the 10.2.4.1 pc and if it works i will redo this
> for a second pc so as to l send the traffic to a third
> on.
> Can u help me plz?
> 
> I have tried this one
> iptables -t nat -A PREROUTING -i eth1 -s
> 143.233.222.253 -j DNAT --to-destination 10.2.4.1
> i have also set the
> /proc/sys/net/ipv4/ip_forward to 1
> but still i cant see any trafiic to eth0 interface (ip
> 10.2.4.2)
> 
> 
> I have also tested this one
> iptables -t nat -A PREROUTING -p tcp -d 143.233.222.77
> (laptop eth1 card) --dport 22453 (i have cheched dst
> port with tcpdump) 00 -j DNAT --to-destination
> 10.2.4.1
> this still doesnt work
> Every time i try to apply a new rule i use first
> the iptables -F
> iptables -t nat -F command
<snip>

I'm a little confused about what you are doing.  I would normally refer
you to Oskar Andreasson's excellent tutorial at
http://iptables-tutorial.frozentux.net/iptables-tutorial.html or the
training slides on the ISCS web site (http://iscs.sourceforge.net) but,
since it appears that you have an emergency, here goes:

First, if the source is 143.233.222.253, you would not want to DNAT it.
DNAT changes the destination.  Thus, your second attempt is the correct
one.  You might want to lock the destination port - it's not likely to
be a problem but, if it ever is, it will be one of those really hard to
diagnose, sporadic problems:
-j DNAT --to-destination 10.2.4.1:22453

Second, this only takes care of the addressing.  You must still allow
the traffic in the FORWARD chain of the filter table, e.g., 

iptables -A FORWARD -d 10.2.4.1 -p 6 --dport 22453 -j ACCEPT

Hope this helps - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net

Re: Plz i need help.... or i ll be fired :(

[Jörg Harmuth]

Alaios wrote:
> Hi plz take a look at the following example
> 
> The laptop has 2 ethernet interfaces
> To eth1 comes traffic from src 143.233.222.253
> The eth0 has ip address 10.2.4.2 and it is connected
> back to back with eth1 of other pc with ip address
> 10.2.4.1
> I want to forward the traffic with src 143.233.222.253
> to the 10.2.4.1 pc 

[SNIP]

> i have also set the
> /proc/sys/net/ipv4/ip_forward to 1

Ok.

[SNIP]

> I have also tested this one
> iptables -t nat -A PREROUTING -p tcp -d 143.233.222.77
> (laptop eth1 card) --dport 22453 (i have cheched dst
> port with tcpdump) 00 -j DNAT --to-destination
> 10.2.4.1
> this still doesnt work
> Every time i try to apply a new rule i use first
> the iptables -F
> iptables -t nat -F command


Your PREROUTING rule is probably ok, provided that 143.233.222.77 is the 
IP of eth1. But I think, if the simple approach doesn't work you 
shouldn't it make more complicated. Keep it small and simple and when 
you understand all the details, you may go deeper. So, may be you would 
like to start like this:

## Rewrite destination address
iptables -t nat -A PREROUTING -i eth1 -s 143.233.222.253 \
          -j DNAT --to 10.2.4.1

## Allow packets to pass FORWARD
iptables -A FORWARD -m state --state ESTABLISHED,RELATED \
          -j ACCEPT
iptables -A FORWARD -i eth1 -s 143.233.222.253 \
          -j ACCEPT

## Now, SNAT outgoing packets
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 143.233.222.77

If this is a dial-up connection replace the SNAT part with MASQUERADE. 
BTW, you only need the FORWARD rules if your FORWARD policy is DROP or 
REJECT. And if you have other policies in filter table set to DROP or 
REJECT enable loopback. And finally, set all policies in nat and mangle 
to ACCEPT (and in raw, if you have that). This should get you started.

HTH,

Joerg

Re: Plz i need help.... or i ll be fired :(

[Alaios]

Why do u say i should not use dnat? U also sais that
my second example is correct.. havent u see that uses
also dnat.. I think i should use dnat because i want
to alter the ip packet so as to be forwarded to the
other network.. Isn't that correct?

--- "John A. Sullivan III"
<jsullivan@opensourcedevel.com> wrote:

> On Tue, 2005-09-27 at 07:57 -0700, Alaios wrote:
> > Hi plz take a look at the following example
> > 
> > The laptop has 2 ethernet interfaces
> > To eth1 comes traffic from src 143.233.222.253
> > The eth0 has ip address 10.2.4.2 and it is
> connected
> > back to back with eth1 of other pc with ip address
> > 10.2.4.1
> > I want to forward the traffic with src
> 143.233.222.253
> > to the 10.2.4.1 pc and if it works i will redo
> this
> > for a second pc so as to l send the traffic to a
> third
> > on.
> > Can u help me plz?
> > 
> > I have tried this one
> > iptables -t nat -A PREROUTING -i eth1 -s
> > 143.233.222.253 -j DNAT --to-destination 10.2.4.1
> > i have also set the
> > /proc/sys/net/ipv4/ip_forward to 1
> > but still i cant see any trafiic to eth0 interface
> (ip
> > 10.2.4.2)
> > 
> > 
> > I have also tested this one
> > iptables -t nat -A PREROUTING -p tcp -d
> 143.233.222.77
> > (laptop eth1 card) --dport 22453 (i have cheched
> dst
> > port with tcpdump) 00 -j DNAT --to-destination
> > 10.2.4.1
> > this still doesnt work
> > Every time i try to apply a new rule i use first
> > the iptables -F
> > iptables -t nat -F command
> <snip>
> 
> I'm a little confused about what you are doing.  I
> would normally refer
> you to Oskar Andreasson's excellent tutorial at
>
http://iptables-tutorial.frozentux.net/iptables-tutorial.html
> or the
> training slides on the ISCS web site
> (http://iscs.sourceforge.net) but,
> since it appears that you have an emergency, here
> goes:
> 
> First, if the source is 143.233.222.253, you would
> not want to DNAT it.
> DNAT changes the destination.  Thus, your second
> attempt is the correct
> one.  You might want to lock the destination port -
> it's not likely to
> be a problem but, if it ever is, it will be one of
> those really hard to
> diagnose, sporadic problems:
> -j DNAT --to-destination 10.2.4.1:22453
> 
> Second, this only takes care of the addressing.  You
> must still allow
> the traffic in the FORWARD chain of the filter
> table, e.g., 
> 
> iptables -A FORWARD -d 10.2.4.1 -p 6 --dport 22453
> -j ACCEPT
> 
> Hope this helps - John
> -- 
> John A. Sullivan III
> Open Source Development Corporation
> +1 207-985-7880
> jsullivan@opensourcedevel.com
> 
> If you would like to participate in the development
> of an open source
> enterprise class network security management system,
> please visit
> http://iscs.sourceforge.net
> 
> 


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

Re: Plz i need help.... or i ll be fired :(

[John A. Sullivan III]

On Tue, 2005-09-27 at 11:14 -0400, John A. Sullivan III wrote:
> On Tue, 2005-09-27 at 07:57 -0700, Alaios wrote:
> > Hi plz take a look at the following example
> > 
> > The laptop has 2 ethernet interfaces
> > To eth1 comes traffic from src 143.233.222.253
> > The eth0 has ip address 10.2.4.2 and it is connected
> > back to back with eth1 of other pc with ip address
> > 10.2.4.1
> > I want to forward the traffic with src 143.233.222.253
> > to the 10.2.4.1 pc and if it works i will redo this
> > for a second pc so as to l send the traffic to a third
> > on.
> > Can u help me plz?
> > 
> > I have tried this one
> > iptables -t nat -A PREROUTING -i eth1 -s
> > 143.233.222.253 -j DNAT --to-destination 10.2.4.1
> > i have also set the
> > /proc/sys/net/ipv4/ip_forward to 1
> > but still i cant see any trafiic to eth0 interface (ip
> > 10.2.4.2)
> > 
> > 
> > I have also tested this one
> > iptables -t nat -A PREROUTING -p tcp -d 143.233.222.77
> > (laptop eth1 card) --dport 22453 (i have cheched dst
> > port with tcpdump) 00 -j DNAT --to-destination
> > 10.2.4.1
> > this still doesnt work
> > Every time i try to apply a new rule i use first
> > the iptables -F
> > iptables -t nat -F command
> <snip>
> 
> I'm a little confused about what you are doing.  I would normally refer
> you to Oskar Andreasson's excellent tutorial at
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html or the
> training slides on the ISCS web site (http://iscs.sourceforge.net) but,
> since it appears that you have an emergency, here goes:
> 
> First, if the source is 143.233.222.253, you would not want to DNAT it.
> DNAT changes the destination.  Thus, your second attempt is the correct
> one.  You might want to lock the destination port - it's not likely to
> be a problem but, if it ever is, it will be one of those really hard to
> diagnose, sporadic problems:
> -j DNAT --to-destination 10.2.4.1:22453
> 
> Second, this only takes care of the addressing.  You must still allow
> the traffic in the FORWARD chain of the filter table, e.g., 
> 
> iptables -A FORWARD -d 10.2.4.1 -p 6 --dport 22453 -j ACCEPT
> 
> Hope this helps - John

Oh, yes, you wanted to restrict the source address.  Add that to your
filter table rule:
iptables -A FORWARD -s 143.233.222.253 -d 10.2.4.1 -p 6 --dport 22453 -j
ACCEPT
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net

Re: Plz i need help.... or i ll be fired :(

[Alaios]

Thx for your quick reply..... i have just tested but
it didnt work... I think that i cant explain what i
need or i am doing sth wrong.. 
i have enabled the packets loging
so executing dmesg prints the following
IN=eth1 OUT= MAC=(the mac addresses)
As u can see the OUT is null which means thats perhaps
the problem... What do u have in mind?

--- "John A. Sullivan III"
<jsullivan@opensourcedevel.com> wrote:

> On Tue, 2005-09-27 at 11:14 -0400, John A. Sullivan
> III wrote:
> > On Tue, 2005-09-27 at 07:57 -0700, Alaios wrote:
> > > Hi plz take a look at the following example
> > > 
> > > The laptop has 2 ethernet interfaces
> > > To eth1 comes traffic from src 143.233.222.253
> > > The eth0 has ip address 10.2.4.2 and it is
> connected
> > > back to back with eth1 of other pc with ip
> address
> > > 10.2.4.1
> > > I want to forward the traffic with src
> 143.233.222.253
> > > to the 10.2.4.1 pc and if it works i will redo
> this
> > > for a second pc so as to l send the traffic to a
> third
> > > on.
> > > Can u help me plz?
> > > 
> > > I have tried this one
> > > iptables -t nat -A PREROUTING -i eth1 -s
> > > 143.233.222.253 -j DNAT --to-destination
> 10.2.4.1
> > > i have also set the
> > > /proc/sys/net/ipv4/ip_forward to 1
> > > but still i cant see any trafiic to eth0
> interface (ip
> > > 10.2.4.2)
> > > 
> > > 
> > > I have also tested this one
> > > iptables -t nat -A PREROUTING -p tcp -d
> 143.233.222.77
> > > (laptop eth1 card) --dport 22453 (i have cheched
> dst
> > > port with tcpdump) 00 -j DNAT --to-destination
> > > 10.2.4.1
> > > this still doesnt work
> > > Every time i try to apply a new rule i use first
> > > the iptables -F
> > > iptables -t nat -F command
> > <snip>
> > 
> > I'm a little confused about what you are doing.  I
> would normally refer
> > you to Oskar Andreasson's excellent tutorial at
> >
>
http://iptables-tutorial.frozentux.net/iptables-tutorial.html
> or the
> > training slides on the ISCS web site
> (http://iscs.sourceforge.net) but,
> > since it appears that you have an emergency, here
> goes:
> > 
> > First, if the source is 143.233.222.253, you would
> not want to DNAT it.
> > DNAT changes the destination.  Thus, your second
> attempt is the correct
> > one.  You might want to lock the destination port
> - it's not likely to
> > be a problem but, if it ever is, it will be one of
> those really hard to
> > diagnose, sporadic problems:
> > -j DNAT --to-destination 10.2.4.1:22453
> > 
> > Second, this only takes care of the addressing. 
> You must still allow
> > the traffic in the FORWARD chain of the filter
> table, e.g., 
> > 
> > iptables -A FORWARD -d 10.2.4.1 -p 6 --dport 22453
> -j ACCEPT
> > 
> > Hope this helps - John
> 
> Oh, yes, you wanted to restrict the source address. 
> Add that to your
> filter table rule:
> iptables -A FORWARD -s 143.233.222.253 -d 10.2.4.1
> -p 6 --dport 22453 -j
> ACCEPT
> -- 
> John A. Sullivan III
> Open Source Development Corporation
> +1 207-985-7880
> jsullivan@opensourcedevel.com
> 
> If you would like to participate in the development
> of an open source
> enterprise class network security management system,
> please visit
> http://iscs.sourceforge.net
> 
> 


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

Re: Plz i need help.... or i ll be fired :(

[Alaios]

Thx for your reply... i want to ask sth is the
ESTABLISHED and RELATED necessary for udp traffic?

--- Jörg Harmuth <harmuth@mnemon.de> wrote:

> Alaios wrote:
> > Hi plz take a look at the following example
> > 
> > The laptop has 2 ethernet interfaces
> > To eth1 comes traffic from src 143.233.222.253
> > The eth0 has ip address 10.2.4.2 and it is
> connected
> > back to back with eth1 of other pc with ip address
> > 10.2.4.1
> > I want to forward the traffic with src
> 143.233.222.253
> > to the 10.2.4.1 pc 
> 
> [SNIP]
> 
> > i have also set the
> > /proc/sys/net/ipv4/ip_forward to 1
> 
> Ok.
> 
> [SNIP]
> 
> > I have also tested this one
> > iptables -t nat -A PREROUTING -p tcp -d
> 143.233.222.77
> > (laptop eth1 card) --dport 22453 (i have cheched
> dst
> > port with tcpdump) 00 -j DNAT --to-destination
> > 10.2.4.1
> > this still doesnt work
> > Every time i try to apply a new rule i use first
> > the iptables -F
> > iptables -t nat -F command
> 
> 
> Your PREROUTING rule is probably ok, provided that
> 143.233.222.77 is the 
> IP of eth1. But I think, if the simple approach
> doesn't work you 
> shouldn't it make more complicated. Keep it small
> and simple and when 
> you understand all the details, you may go deeper.
> So, may be you would 
> like to start like this:
> 
> ## Rewrite destination address
> iptables -t nat -A PREROUTING -i eth1 -s
> 143.233.222.253 \
>           -j DNAT --to 10.2.4.1
> 
> ## Allow packets to pass FORWARD
> iptables -A FORWARD -m state --state
> ESTABLISHED,RELATED \
>           -j ACCEPT
> iptables -A FORWARD -i eth1 -s 143.233.222.253 \
>           -j ACCEPT
> 
> ## Now, SNAT outgoing packets
> iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to
> 143.233.222.77
> 
> If this is a dial-up connection replace the SNAT
> part with MASQUERADE. 
> BTW, you only need the FORWARD rules if your FORWARD
> policy is DROP or 
> REJECT. And if you have other policies in filter
> table set to DROP or 
> REJECT enable loopback. And finally, set all
> policies in nat and mangle 
> to ACCEPT (and in raw, if you have that). This
> should get you started.
> 
> HTH,
> 
> Joerg
> 
> 
> 


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

Re: Plz i need help.... or i ll be fired :(

[John A. Sullivan III]

You are correct to DNAT.  You are incorrect to attempt to DNAT based
upon source address.  One DNATs the destination address.  Of course, I
may have misunderstood what you are trying to do.

On Tue, 2005-09-27 at 08:20 -0700, Alaios wrote:
> Why do u say i should not use dnat? U also sais that
> my second example is correct.. havent u see that uses
> also dnat.. I think i should use dnat because i want
> to alter the ip packet so as to be forwarded to the
> other network.. Isn't that correct?
> 
> --- "John A. Sullivan III"
> <jsullivan@opensourcedevel.com> wrote:
> 
> > On Tue, 2005-09-27 at 07:57 -0700, Alaios wrote:
> > > Hi plz take a look at the following example
> > > 
> > > The laptop has 2 ethernet interfaces
> > > To eth1 comes traffic from src 143.233.222.253
> > > The eth0 has ip address 10.2.4.2 and it is
> > connected
> > > back to back with eth1 of other pc with ip address
> > > 10.2.4.1
> > > I want to forward the traffic with src
> > 143.233.222.253
> > > to the 10.2.4.1 pc and if it works i will redo
> > this
> > > for a second pc so as to l send the traffic to a
> > third
> > > on.
> > > Can u help me plz?
> > > 
> > > I have tried this one
> > > iptables -t nat -A PREROUTING -i eth1 -s
> > > 143.233.222.253 -j DNAT --to-destination 10.2.4.1
> > > i have also set the
> > > /proc/sys/net/ipv4/ip_forward to 1
> > > but still i cant see any trafiic to eth0 interface
> > (ip
> > > 10.2.4.2)
> > > 
> > > 
> > > I have also tested this one
> > > iptables -t nat -A PREROUTING -p tcp -d
> > 143.233.222.77
> > > (laptop eth1 card) --dport 22453 (i have cheched
> > dst
> > > port with tcpdump) 00 -j DNAT --to-destination
> > > 10.2.4.1
> > > this still doesnt work
> > > Every time i try to apply a new rule i use first
> > > the iptables -F
> > > iptables -t nat -F command
> > <snip>
> > 
> > I'm a little confused about what you are doing.  I
> > would normally refer
> > you to Oskar Andreasson's excellent tutorial at
> >
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html
> > or the
> > training slides on the ISCS web site
> > (http://iscs.sourceforge.net) but,
> > since it appears that you have an emergency, here
> > goes:
> > 
> > First, if the source is 143.233.222.253, you would
> > not want to DNAT it.
> > DNAT changes the destination.  Thus, your second
> > attempt is the correct
> > one.  You might want to lock the destination port -
> > it's not likely to
> > be a problem but, if it ever is, it will be one of
> > those really hard to
> > diagnose, sporadic problems:
> > -j DNAT --to-destination 10.2.4.1:22453
> > 
> > Second, this only takes care of the addressing.  You
> > must still allow
> > the traffic in the FORWARD chain of the filter
> > table, e.g., 
> > 
> > iptables -A FORWARD -d 10.2.4.1 -p 6 --dport 22453
> > -j ACCEPT
> > 
> > Hope this helps - John
> > -- 
> > John A. Sullivan III
> > Open Source Development Corporation
> > +1 207-985-7880
> > jsullivan@opensourcedevel.com
> > 
> > If you would like to participate in the development
> > of an open source
> > enterprise class network security management system,
> > please visit
> > http://iscs.sourceforge.net
> > 
> > 
> 
> 
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around 
> http://mail.yahoo.com 
> 
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com

Re: Plz i need help.... or i ll be fired :(

[John A. Sullivan III]

I made some assumptions about other rules you would have had in place.
I believe someone else posted a much more thorough answer.  Did you
create an ESTABLISHED,RELATED rule as that other post suggested?

Would you mind posting your complete rule set (with any sensitive
information edited, of course)? - John

On Tue, 2005-09-27 at 08:30 -0700, Alaios wrote:
> Thx for your quick reply..... i have just tested but
> it didnt work... I think that i cant explain what i
> need or i am doing sth wrong.. 
> i have enabled the packets loging
> so executing dmesg prints the following
> IN=eth1 OUT= MAC=(the mac addresses)
> As u can see the OUT is null which means thats perhaps
> the problem... What do u have in mind?
> 
> --- "John A. Sullivan III"
> <jsullivan@opensourcedevel.com> wrote:
> 
> > On Tue, 2005-09-27 at 11:14 -0400, John A. Sullivan
> > III wrote:
> > > On Tue, 2005-09-27 at 07:57 -0700, Alaios wrote:
> > > > Hi plz take a look at the following example
> > > > 
> > > > The laptop has 2 ethernet interfaces
> > > > To eth1 comes traffic from src 143.233.222.253
> > > > The eth0 has ip address 10.2.4.2 and it is
> > connected
> > > > back to back with eth1 of other pc with ip
> > address
> > > > 10.2.4.1
> > > > I want to forward the traffic with src
> > 143.233.222.253
> > > > to the 10.2.4.1 pc and if it works i will redo
> > this
> > > > for a second pc so as to l send the traffic to a
> > third
> > > > on.
> > > > Can u help me plz?
> > > > 
> > > > I have tried this one
> > > > iptables -t nat -A PREROUTING -i eth1 -s
> > > > 143.233.222.253 -j DNAT --to-destination
> > 10.2.4.1
> > > > i have also set the
> > > > /proc/sys/net/ipv4/ip_forward to 1
> > > > but still i cant see any trafiic to eth0
> > interface (ip
> > > > 10.2.4.2)
> > > > 
> > > > 
> > > > I have also tested this one
> > > > iptables -t nat -A PREROUTING -p tcp -d
> > 143.233.222.77
> > > > (laptop eth1 card) --dport 22453 (i have cheched
> > dst
> > > > port with tcpdump) 00 -j DNAT --to-destination
> > > > 10.2.4.1
> > > > this still doesnt work
> > > > Every time i try to apply a new rule i use first
> > > > the iptables -F
> > > > iptables -t nat -F command
> > > <snip>
> > > 
> > > I'm a little confused about what you are doing.  I
> > would normally refer
> > > you to Oskar Andreasson's excellent tutorial at
> > >
> >
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html
> > or the
> > > training slides on the ISCS web site
> > (http://iscs.sourceforge.net) but,
> > > since it appears that you have an emergency, here
> > goes:
> > > 
> > > First, if the source is 143.233.222.253, you would
> > not want to DNAT it.
> > > DNAT changes the destination.  Thus, your second
> > attempt is the correct
> > > one.  You might want to lock the destination port
> > - it's not likely to
> > > be a problem but, if it ever is, it will be one of
> > those really hard to
> > > diagnose, sporadic problems:
> > > -j DNAT --to-destination 10.2.4.1:22453
> > > 
> > > Second, this only takes care of the addressing. 
> > You must still allow
> > > the traffic in the FORWARD chain of the filter
> > table, e.g., 
> > > 
> > > iptables -A FORWARD -d 10.2.4.1 -p 6 --dport 22453
> > -j ACCEPT
> > > 
> > > Hope this helps - John
> > 
> > Oh, yes, you wanted to restrict the source address. 
> > Add that to your
> > filter table rule:
> > iptables -A FORWARD -s 143.233.222.253 -d 10.2.4.1
> > -p 6 --dport 22453 -j
> > ACCEPT
> > -- 
> > John A. Sullivan III
> > Open Source Development Corporation
> > +1 207-985-7880
> > jsullivan@opensourcedevel.com
> > 
> > If you would like to participate in the development
> > of an open source
> > enterprise class network security management system,
> > please visit
> > http://iscs.sourceforge.net
> > 
> > 
> 
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around 
> http://mail.yahoo.com 
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com

Re: Plz i need help.... or i ll be fired :(

[Alaios]

I have just tested but still i cant see any packets to
the eth0 interface

--- Jörg Harmuth <harmuth@mnemon.de> wrote:

> Alaios wrote:
> > Hi plz take a look at the following example
> > 
> > The laptop has 2 ethernet interfaces
> > To eth1 comes traffic from src 143.233.222.253
> > The eth0 has ip address 10.2.4.2 and it is
> connected
> > back to back with eth1 of other pc with ip address
> > 10.2.4.1
> > I want to forward the traffic with src
> 143.233.222.253
> > to the 10.2.4.1 pc 
> 
> [SNIP]
> 
> > i have also set the
> > /proc/sys/net/ipv4/ip_forward to 1
> 
> Ok.
> 
> [SNIP]
> 
> > I have also tested this one
> > iptables -t nat -A PREROUTING -p tcp -d
> 143.233.222.77
> > (laptop eth1 card) --dport 22453 (i have cheched
> dst
> > port with tcpdump) 00 -j DNAT --to-destination
> > 10.2.4.1
> > this still doesnt work
> > Every time i try to apply a new rule i use first
> > the iptables -F
> > iptables -t nat -F command
> 
> 
> Your PREROUTING rule is probably ok, provided that
> 143.233.222.77 is the 
> IP of eth1. But I think, if the simple approach
> doesn't work you 
> shouldn't it make more complicated. Keep it small
> and simple and when 
> you understand all the details, you may go deeper.
> So, may be you would 
> like to start like this:
> 
> ## Rewrite destination address
> iptables -t nat -A PREROUTING -i eth1 -s
> 143.233.222.253 \
>           -j DNAT --to 10.2.4.1
> 
> ## Allow packets to pass FORWARD
> iptables -A FORWARD -m state --state
> ESTABLISHED,RELATED \
>           -j ACCEPT
> iptables -A FORWARD -i eth1 -s 143.233.222.253 \
>           -j ACCEPT
> 
> ## Now, SNAT outgoing packets
> iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to
> 143.233.222.77
> 
> If this is a dial-up connection replace the SNAT
> part with MASQUERADE. 
> BTW, you only need the FORWARD rules if your FORWARD
> policy is DROP or 
> REJECT. And if you have other policies in filter
> table set to DROP or 
> REJECT enable loopback. And finally, set all
> policies in nat and mangle 
> to ACCEPT (and in raw, if you have that). This
> should get you started.
> 
> HTH,
> 
> Joerg
> 
> 
> 


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

Re: Plz i need help.... or i ll be fired :(

[Edmundo Carmona]

Are you gonna use the inner machine to "serve" the internet? say...
have a web server?

Use the rules I said before... plus these:

iptables -t nat -A PREROUTING -p tcp --dport 80 -d my-public-address
-j DNAT --to-destination the-inner-web-server

iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 80 -j ACCEPT

On 9/27/05, Alaios <alaios@yahoo.com> wrote:
> Hmm... i dont want to make the web work.... just to
> make my simple task to work
>
> --- Edmundo Carmona <eantoranz@gmail.com> wrote:
>
> > I would recommend to start over.
> >
> > Do this. On the "router" box do this:
> >
> > iptables -F
> > iptables -t nat -F
> >
> > iptables -P FORWARD DROP
> > iptables -P INPUT DROP
> >
> > iptables -A FORWARD -i eth0 -j ACCEPT
> > iptables -A FORWARD -m conntrack --ctstate
> > ESTABLISHED,RELATED -j ACCEPT
> >
> > iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
> >
> > echo 1 > /proc/sys/net/ipv4/ip_forward
> >
> > That should allow the "inner" machine to use the web
> > without a problem.
> >
> > On 9/27/05, Alaios <alaios@yahoo.com> wrote:
> > > Thx for your quick reply..... i have just tested
> > but
> > > it didnt work... I think that i cant explain what
> > i
> > > need or i am doing sth wrong..
> > > i have enabled the packets loging
> > > so executing dmesg prints the following
> > > IN=eth1 OUT= MAC=(the mac addresses)
> > > As u can see the OUT is null which means thats
> > perhaps
> > > the problem... What do u have in mind?
> > >
> > > --- "John A. Sullivan III"
> > > <jsullivan@opensourcedevel.com> wrote:
> > >
> > > > On Tue, 2005-09-27 at 11:14 -0400, John A.
> > Sullivan
> > > > III wrote:
> > > > > On Tue, 2005-09-27 at 07:57 -0700, Alaios
> > wrote:
> > > > > > Hi plz take a look at the following example
> > > > > >
> > > > > > The laptop has 2 ethernet interfaces
> > > > > > To eth1 comes traffic from src
> > 143.233.222.253
> > > > > > The eth0 has ip address 10.2.4.2 and it is
> > > > connected
> > > > > > back to back with eth1 of other pc with ip
> > > > address
> > > > > > 10.2.4.1
> > > > > > I want to forward the traffic with src
> > > > 143.233.222.253
> > > > > > to the 10.2.4.1 pc and if it works i will
> > redo
> > > > this
> > > > > > for a second pc so as to l send the traffic
> > to a
> > > > third
> > > > > > on.
> > > > > > Can u help me plz?
> > > > > >
> > > > > > I have tried this one
> > > > > > iptables -t nat -A PREROUTING -i eth1 -s
> > > > > > 143.233.222.253 -j DNAT --to-destination
> > > > 10.2.4.1
> > > > > > i have also set the
> > > > > > /proc/sys/net/ipv4/ip_forward to 1
> > > > > > but still i cant see any trafiic to eth0
> > > > interface (ip
> > > > > > 10.2.4.2)
> > > > > >
> > > > > >
> > > > > > I have also tested this one
> > > > > > iptables -t nat -A PREROUTING -p tcp -d
> > > > 143.233.222.77
> > > > > > (laptop eth1 card) --dport 22453 (i have
> > cheched
> > > > dst
> > > > > > port with tcpdump) 00 -j DNAT
> > --to-destination
> > > > > > 10.2.4.1
> > > > > > this still doesnt work
> > > > > > Every time i try to apply a new rule i use
> > first
> > > > > > the iptables -F
> > > > > > iptables -t nat -F command
> > > > > <snip>
> > > > >
> > > > > I'm a little confused about what you are
> > doing.  I
> > > > would normally refer
> > > > > you to Oskar Andreasson's excellent tutorial
> > at
> > > > >
> > > >
> > >
> >
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html
> > > > or the
> > > > > training slides on the ISCS web site
> > > > (http://iscs.sourceforge.net) but,
> > > > > since it appears that you have an emergency,
> > here
> > > > goes:
> > > > >
> > > > > First, if the source is 143.233.222.253, you
> > would
> > > > not want to DNAT it.
> > > > > DNAT changes the destination.  Thus, your
> > second
> > > > attempt is the correct
> > > > > one.  You might want to lock the destination
> > port
> > > > - it's not likely to
> > > > > be a problem but, if it ever is, it will be
> > one of
> > > > those really hard to
> > > > > diagnose, sporadic problems:
> > > > > -j DNAT --to-destination 10.2.4.1:22453
> > > > >
> > > > > Second, this only takes care of the
> > addressing.
> > > > You must still allow
> > > > > the traffic in the FORWARD chain of the filter
> > > > table, e.g.,
> > > > >
> > > > > iptables -A FORWARD -d 10.2.4.1 -p 6 --dport
> > 22453
> > > > -j ACCEPT
> > > > >
> > > > > Hope this helps - John
> > > >
> > > > Oh, yes, you wanted to restrict the source
> > address.
> > > > Add that to your
> > > > filter table rule:
> > > > iptables -A FORWARD -s 143.233.222.253 -d
> > 10.2.4.1
> > > > -p 6 --dport 22453 -j
> > > > ACCEPT
> > > > --
> > > > John A. Sullivan III
> > > > Open Source Development Corporation
> > > > +1 207-985-7880
> > > > jsullivan@opensourcedevel.com
> > > >
> > > > If you would like to participate in the
> > development
> > > > of an open source
> > > > enterprise class network security management
> > system,
> > > > please visit
> > > > http://iscs.sourceforge.net
> > > >
> > > >
> > >
> > >
> > > __________________________________________________
> > > Do You Yahoo!?
> > > Tired of spam?  Yahoo! Mail has the best spam
> > protection around
> > > http://mail.yahoo.com
> > >
> > >
> >
>
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com
>

Re: Plz i need help.... or i ll be fired :(

[John A. Sullivan III]

Yes - John

On Tue, 2005-09-27 at 08:34 -0700, Alaios wrote:
> Thx for your reply... i want to ask sth is the
> ESTABLISHED and RELATED necessary for udp traffic?
> 
> --- Jörg Harmuth <harmuth@mnemon.de> wrote:
> 
> > Alaios wrote:
> > > Hi plz take a look at the following example
> > > 
> > > The laptop has 2 ethernet interfaces
> > > To eth1 comes traffic from src 143.233.222.253
> > > The eth0 has ip address 10.2.4.2 and it is
> > connected
> > > back to back with eth1 of other pc with ip address
> > > 10.2.4.1
> > > I want to forward the traffic with src
> > 143.233.222.253
> > > to the 10.2.4.1 pc 
> > 
> > [SNIP]
> > 
> > > i have also set the
> > > /proc/sys/net/ipv4/ip_forward to 1
> > 
> > Ok.
> > 
> > [SNIP]
> > 
> > > I have also tested this one
> > > iptables -t nat -A PREROUTING -p tcp -d
> > 143.233.222.77
> > > (laptop eth1 card) --dport 22453 (i have cheched
> > dst
> > > port with tcpdump) 00 -j DNAT --to-destination
> > > 10.2.4.1
> > > this still doesnt work
> > > Every time i try to apply a new rule i use first
> > > the iptables -F
> > > iptables -t nat -F command
> > 
> > 
> > Your PREROUTING rule is probably ok, provided that
> > 143.233.222.77 is the 
> > IP of eth1. But I think, if the simple approach
> > doesn't work you 
> > shouldn't it make more complicated. Keep it small
> > and simple and when 
> > you understand all the details, you may go deeper.
> > So, may be you would 
> > like to start like this:
> > 
> > ## Rewrite destination address
> > iptables -t nat -A PREROUTING -i eth1 -s
> > 143.233.222.253 \
> >           -j DNAT --to 10.2.4.1
> > 
> > ## Allow packets to pass FORWARD
> > iptables -A FORWARD -m state --state
> > ESTABLISHED,RELATED \
> >           -j ACCEPT
> > iptables -A FORWARD -i eth1 -s 143.233.222.253 \
> >           -j ACCEPT
> > 
> > ## Now, SNAT outgoing packets
> > iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to
> > 143.233.222.77
> > 
> > If this is a dial-up connection replace the SNAT
> > part with MASQUERADE. 
> > BTW, you only need the FORWARD rules if your FORWARD
> > policy is DROP or 
> > REJECT. And if you have other policies in filter
> > table set to DROP or 
> > REJECT enable loopback. And finally, set all
> > policies in nat and mangle 
> > to ACCEPT (and in raw, if you have that). This
> > should get you started.
> > 
> > HTH,
> > 
> > Joerg
> > 
> > 
> > 
> 
> 
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around 
> http://mail.yahoo.com 
> 
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com

Re: Plz i need help.... or i ll be fired :(

[John A. Sullivan III]

It sounds like you really need to learn the basics.  I would suggest you
go through the links I mentioned below.  What exactly do you want to do?

It sounds like you want traffic coming in from 143.233.222.253 on tcp
destination port 22453 (are you sure this is the destination port and
not the source port?????) on the laptop interface eth1 with IP address
143.233.222.77 to be sent to 10.2.4.1 on the eth0 interface.  I am
assuming that 143.233.222.77 and 143.233.222.253 are on the same
network, i.e., the subnet mask is 255.255.255.0 or less.  I also
assuming that you have enabled forwarding as you said you did.

Then you would do something like:

iptables -F
iptables -t nat -F
iptables -P FORWARD DROP
iptables -t nat -P ACCEPT
iptables -t nat -A PREROUTING -i eth1 -d 143.233.222.77 --dport 22453 -j
DNAT --to-destination 10.2.4.1:22453
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 143.233.222.253 -d 10.2.4.1 -p 6 --dport 22453 -j
ACCEPT

I have a sneaking suspicion that 22453 is not the destination port.
What service is 10.2.4.1 providing to 143.233.222.253?

I'm afraid I'm running out of time today.  I probably cannot help much
more.  I'm sure someone else can jump in.  Take care - John

On Tue, 2005-09-27 at 08:40 -0700, Alaios wrote:
> My complete rule set??? Hm... there is nothing like
> that... I work to a solution for 4-5 hours and still
> havent finded any iptable rule to work.. in my pc i
> dont have any ip rules loaded at all nor a firewall
> applied.. I just want to do only this to work.. Do u
> have anything else in mind plz?
> 
> --- "John A. Sullivan III"
> <jsullivan@opensourcedevel.com> wrote:
> 
> > I made some assumptions about other rules you would
> > have had in place.
> > I believe someone else posted a much more thorough
> > answer.  Did you
> > create an ESTABLISHED,RELATED rule as that other
> > post suggested?
> > 
> > Would you mind posting your complete rule set (with
> > any sensitive
> > information edited, of course)? - John
> > 
> > On Tue, 2005-09-27 at 08:30 -0700, Alaios wrote:
> > > Thx for your quick reply..... i have just tested
> > but
> > > it didnt work... I think that i cant explain what
> > i
> > > need or i am doing sth wrong.. 
> > > i have enabled the packets loging
> > > so executing dmesg prints the following
> > > IN=eth1 OUT= MAC=(the mac addresses)
> > > As u can see the OUT is null which means thats
> > perhaps
> > > the problem... What do u have in mind?
> > > 
> > > --- "John A. Sullivan III"
> > > <jsullivan@opensourcedevel.com> wrote:
> > > 
> > > > On Tue, 2005-09-27 at 11:14 -0400, John A.
> > Sullivan
> > > > III wrote:
> > > > > On Tue, 2005-09-27 at 07:57 -0700, Alaios
> > wrote:
> > > > > > Hi plz take a look at the following example
> > > > > > 
> > > > > > The laptop has 2 ethernet interfaces
> > > > > > To eth1 comes traffic from src
> > 143.233.222.253
> > > > > > The eth0 has ip address 10.2.4.2 and it is
> > > > connected
> > > > > > back to back with eth1 of other pc with ip
> > > > address
> > > > > > 10.2.4.1
> > > > > > I want to forward the traffic with src
> > > > 143.233.222.253
> > > > > > to the 10.2.4.1 pc and if it works i will
> > redo
> > > > this
> > > > > > for a second pc so as to l send the traffic
> > to a
> > > > third
> > > > > > on.
> > > > > > Can u help me plz?
> > > > > > 
> > > > > > I have tried this one
> > > > > > iptables -t nat -A PREROUTING -i eth1 -s
> > > > > > 143.233.222.253 -j DNAT --to-destination
> > > > 10.2.4.1
> > > > > > i have also set the
> > > > > > /proc/sys/net/ipv4/ip_forward to 1
> > > > > > but still i cant see any trafiic to eth0
> > > > interface (ip
> > > > > > 10.2.4.2)
> > > > > > 
> > > > > > 
> > > > > > I have also tested this one
> > > > > > iptables -t nat -A PREROUTING -p tcp -d
> > > > 143.233.222.77
> > > > > > (laptop eth1 card) --dport 22453 (i have
> > cheched
> > > > dst
> > > > > > port with tcpdump) 00 -j DNAT
> > --to-destination
> > > > > > 10.2.4.1
> > > > > > this still doesnt work
> > > > > > Every time i try to apply a new rule i use
> > first
> > > > > > the iptables -F
> > > > > > iptables -t nat -F command
> > > > > <snip>
> > > > > 
> > > > > I'm a little confused about what you are
> > doing.  I
> > > > would normally refer
> > > > > you to Oskar Andreasson's excellent tutorial
> > at
> > > > >
> > > >
> > >
> >
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html
> > > > or the
> > > > > training slides on the ISCS web site
> > > > (http://iscs.sourceforge.net) but,
> > > > > since it appears that you have an emergency,
> > here
> > > > goes:
> > > > > 
> > > > > First, if the source is 143.233.222.253, you
> > would
> > > > not want to DNAT it.
> > > > > DNAT changes the destination.  Thus, your
> > second
> > > > attempt is the correct
> > > > > one.  You might want to lock the destination
> > port
> > > > - it's not likely to
> > > > > be a problem but, if it ever is, it will be
> > one of
> > > > those really hard to
> > > > > diagnose, sporadic problems:
> > > > > -j DNAT --to-destination 10.2.4.1:22453
> > > > > 
> > > > > Second, this only takes care of the
> > addressing. 
> > > > You must still allow
> > > > > the traffic in the FORWARD chain of the filter
> > > > table, e.g., 
> > > > > 
> > > > > iptables -A FORWARD -d 10.2.4.1 -p 6 --dport
> > 22453
> > > > -j ACCEPT
> > > > > 
> > > > > Hope this helps - John
> > > > 
> > > > Oh, yes, you wanted to restrict the source
> > address. 
> > > > Add that to your
> > > > filter table rule:
> > > > iptables -A FORWARD -s 143.233.222.253 -d
> > 10.2.4.1
> > > > -p 6 --dport 22453 -j
> > > > ACCEPT
> > > > -- 
> > > > John A. Sullivan III
> > > > Open Source Development Corporation
> > > > +1 207-985-7880
> > > > jsullivan@opensourcedevel.com
> > > > 
> > > > If you would like to participate in the
> > development
> > > > of an open source
> > > > enterprise class network security management
> > system,
> > > > please visit
> > > > http://iscs.sourceforge.net
> > > > 
> > > > 
> > > 
> > > __________________________________________________
> > > Do You Yahoo!?
> > > Tired of spam?  Yahoo! Mail has the best spam
> > protection around 
> > > http://mail.yahoo.com 
> > -- 
> > John A. Sullivan III
> > Open Source Development Corporation
> > +1 207-985-7880
> > jsullivan@opensourcedevel.com
> > 
> > Financially sustainable open source development
> > http://www.opensourcedevel.com
> > 
> > 
> 
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around 
> http://mail.yahoo.com 
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com

Re: Plz i need help.... or i ll be fired :(

[Alaios]

I have done absolutely what u have said.. I have
rechecked the source port and destination and are the
same.... The programme is a packet generator that
creates bulk data. We use it to test oure network....
I have applied your commands but with a little changes
iptables -nat -A PREROUTING -i eth1 -d 143.233.222.77
-p udp --destination-port 22453 -j DNAT
--to-destination 10.2.4.1:22453
My problem is that still i cant see any packages in
the eth0 interface.. What know what else should i do
now

--- "John A. Sullivan III"
<jsullivan@opensourcedevel.com> wrote:

> It sounds like you really need to learn the basics. 
> I would suggest you
> go through the links I mentioned below.  What
> exactly do you want to do?
> 
> It sounds like you want traffic coming in from
> 143.233.222.253 on tcp
> destination port 22453 (are you sure this is the
> destination port and
> not the source port?????) on the laptop interface
> eth1 with IP address
> 143.233.222.77 to be sent to 10.2.4.1 on the eth0
> interface.  I am
> assuming that 143.233.222.77 and 143.233.222.253 are
> on the same
> network, i.e., the subnet mask is 255.255.255.0 or
> less.  I also
> assuming that you have enabled forwarding as you
> said you did.
> 
> Then you would do something like:
> 
> iptables -F
> iptables -t nat -F
> iptables -P FORWARD DROP
> iptables -t nat -P ACCEPT
> iptables -t nat -A PREROUTING -i eth1 -d
> 143.233.222.77 --dport 22453 -j
> DNAT --to-destination 10.2.4.1:22453
> iptables -A FORWARD -m state --state
> ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -s 143.233.222.253 -d 10.2.4.1
> -p 6 --dport 22453 -j
> ACCEPT
> 
> I have a sneaking suspicion that 22453 is not the
> destination port.
> What service is 10.2.4.1 providing to
> 143.233.222.253?
> 
> I'm afraid I'm running out of time today.  I
> probably cannot help much
> more.  I'm sure someone else can jump in.  Take care
> - John
> 
> On Tue, 2005-09-27 at 08:40 -0700, Alaios wrote:
> > My complete rule set??? Hm... there is nothing
> like
> > that... I work to a solution for 4-5 hours and
> still
> > havent finded any iptable rule to work.. in my pc
> i
> > dont have any ip rules loaded at all nor a
> firewall
> > applied.. I just want to do only this to work.. Do
> u
> > have anything else in mind plz?
> > 
> > --- "John A. Sullivan III"
> > <jsullivan@opensourcedevel.com> wrote:
> > 
> > > I made some assumptions about other rules you
> would
> > > have had in place.
> > > I believe someone else posted a much more
> thorough
> > > answer.  Did you
> > > create an ESTABLISHED,RELATED rule as that other
> > > post suggested?
> > > 
> > > Would you mind posting your complete rule set
> (with
> > > any sensitive
> > > information edited, of course)? - John
> > > 
> > > On Tue, 2005-09-27 at 08:30 -0700, Alaios wrote:
> > > > Thx for your quick reply..... i have just
> tested
> > > but
> > > > it didnt work... I think that i cant explain
> what
> > > i
> > > > need or i am doing sth wrong.. 
> > > > i have enabled the packets loging
> > > > so executing dmesg prints the following
> > > > IN=eth1 OUT= MAC=(the mac addresses)
> > > > As u can see the OUT is null which means thats
> > > perhaps
> > > > the problem... What do u have in mind?
> > > > 
> > > > --- "John A. Sullivan III"
> > > > <jsullivan@opensourcedevel.com> wrote:
> > > > 
> > > > > On Tue, 2005-09-27 at 11:14 -0400, John A.
> > > Sullivan
> > > > > III wrote:
> > > > > > On Tue, 2005-09-27 at 07:57 -0700, Alaios
> > > wrote:
> > > > > > > Hi plz take a look at the following
> example
> > > > > > > 
> > > > > > > The laptop has 2 ethernet interfaces
> > > > > > > To eth1 comes traffic from src
> > > 143.233.222.253
> > > > > > > The eth0 has ip address 10.2.4.2 and it
> is
> > > > > connected
> > > > > > > back to back with eth1 of other pc with
> ip
> > > > > address
> > > > > > > 10.2.4.1
> > > > > > > I want to forward the traffic with src
> > > > > 143.233.222.253
> > > > > > > to the 10.2.4.1 pc and if it works i
> will
> > > redo
> > > > > this
> > > > > > > for a second pc so as to l send the
> traffic
> > > to a
> > > > > third
> > > > > > > on.
> > > > > > > Can u help me plz?
> > > > > > > 
> > > > > > > I have tried this one
> > > > > > > iptables -t nat -A PREROUTING -i eth1 -s
> > > > > > > 143.233.222.253 -j DNAT --to-destination
> > > > > 10.2.4.1
> > > > > > > i have also set the
> > > > > > > /proc/sys/net/ipv4/ip_forward to 1
> > > > > > > but still i cant see any trafiic to eth0
> > > > > interface (ip
> > > > > > > 10.2.4.2)
> > > > > > > 
> > > > > > > 
> > > > > > > I have also tested this one
> > > > > > > iptables -t nat -A PREROUTING -p tcp -d
> > > > > 143.233.222.77
> > > > > > > (laptop eth1 card) --dport 22453 (i have
> > > cheched
> > > > > dst
> > > > > > > port with tcpdump) 00 -j DNAT
> > > --to-destination
> > > > > > > 10.2.4.1
> > > > > > > this still doesnt work
> > > > > > > Every time i try to apply a new rule i
> use
> > > first
> > > > > > > the iptables -F
> > > > > > > iptables -t nat -F command
> > > > > > <snip>
> > > > > > 
> > > > > > I'm a little confused about what you are
> > > doing.  I
> > > > > would normally refer
> > > > > > you to Oskar Andreasson's excellent
> tutorial
> > > at
> > > > > >
> > > > >
> > > >
> > >
> >
>
http://iptables-tutorial.frozentux.net/iptables-tutorial.html
> > > > > or the
> > > > > > training slides on the ISCS web site
> > > > > (http://iscs.sourceforge.net) but,
> > > > > > since it appears that you have an
> emergency,
> > > here
> > > > > goes:
> > > > > > 
> > > > > > First, if the source is 143.233.222.253,
> you
> > > would
> > > > > not want to DNAT it.
> > > > > > DNAT changes the destination.  Thus, your
> > > second
> > > > > attempt is the correct
> > > > > > one.  You might want to lock the
> destination
> > > port
> > > > > - it's not likely to
> > > > > > be a problem but, if it ever is, it will
> be
> > > one of
> > > > > those really hard to
> > > > > > diagnose, sporadic problems:
> > > > > > -j DNAT --to-destination 10.2.4.1:22453
> > > > > > 
> > > > > > Second, this only takes care of the
> > > addressing. 
> > > > > You must still allow
> > > > > > the traffic in the FORWARD chain of the
> filter
> > > > > table, e.g., 
> > > > > > 
> > > > > > iptables -A FORWARD -d 10.2.4.1 -p 6
> --dport
> > > 22453
> > > > > -j ACCEPT
> > > > > > 
> > > > > > Hope this helps - John
> > > > > 
> > > > > Oh, yes, you wanted to restrict the source
> > > address. 
> > > > > Add that to your
> > > > > filter table rule:
> > > > > iptables -A FORWARD -s 143.233.222.253 -d
> > > 10.2.4.1
> > > > > -p 6 --dport 22453 -j
> > > > > ACCEPT
> > > > > -- 
> > > > > John A. Sullivan III
> > > > > Open Source Development Corporation
> > > > > +1 207-985-7880
> > > > > jsullivan@opensourcedevel.com
> > > > > 
> > > > > If you would like to participate in the
> > > development
> > > > > of an open source
> > > > > enterprise class network security management
> > > system,
> > > > > please visit
> > > > > http://iscs.sourceforge.net
> > > > > 
> > > > > 
> > > > 
> > > >
> __________________________________________________
> > > > Do You Yahoo!?
> > > > Tired of spam?  Yahoo! Mail has the best spam
> > > protection around 
> > > > http://mail.yahoo.com 
> > > -- 
> > > John A. Sullivan III
> > > Open Source Development Corporation
> > > +1 207-985-7880
> > > jsullivan@opensourcedevel.com
> > > 
> > > Financially sustainable open source development
> > > http://www.opensourcedevel.com
> > > 
> > > 
> > 
> > __________________________________________________
> > Do You Yahoo!?
> > Tired of spam?  Yahoo! Mail has the best spam
> protection around 
> > http://mail.yahoo.com 
> -- 
> John A. Sullivan III
> Open Source Development Corporation
> +1 207-985-7880
> jsullivan@opensourcedevel.com
> 
> Financially sustainable open source development
> http://www.opensourcedevel.com
> 
> 



		
__________________________________ 
Yahoo! Mail - PC Magazine Editors' Choice 2005 
http://mail.yahoo.com

Re: Plz i need help.... or i ll be fired :(

[Edmundo Carmona]

Remove the UDP/port from the rule, that will allow you to PING the
box, and the inner box should respond.

Anyway, let's go to the basics... what is the output of

ifconfig
route -n

??

On 9/27/05, Alaios <alaios@yahoo.com> wrote:
> I have done absolutely what u have said.. I have
> rechecked the source port and destination and are the
> same.... The programme is a packet generator that
> creates bulk data. We use it to test oure network....
> I have applied your commands but with a little changes
> iptables -nat -A PREROUTING -i eth1 -d 143.233.222.77
> -p udp --destination-port 22453 -j DNAT
> --to-destination 10.2.4.1:22453
> My problem is that still i cant see any packages in
> the eth0 interface.. What know what else should i do
> now
>
> --- "John A. Sullivan III"
> <jsullivan@opensourcedevel.com> wrote:
>
> > It sounds like you really need to learn the basics.
> > I would suggest you
> > go through the links I mentioned below.  What
> > exactly do you want to do?
> >
> > It sounds like you want traffic coming in from
> > 143.233.222.253 on tcp
> > destination port 22453 (are you sure this is the
> > destination port and
> > not the source port?????) on the laptop interface
> > eth1 with IP address
> > 143.233.222.77 to be sent to 10.2.4.1 on the eth0
> > interface.  I am
> > assuming that 143.233.222.77 and 143.233.222.253 are
> > on the same
> > network, i.e., the subnet mask is 255.255.255.0 or
> > less.  I also
> > assuming that you have enabled forwarding as you
> > said you did.
> >
> > Then you would do something like:
> >
> > iptables -F
> > iptables -t nat -F
> > iptables -P FORWARD DROP
> > iptables -t nat -P ACCEPT
> > iptables -t nat -A PREROUTING -i eth1 -d
> > 143.233.222.77 --dport 22453 -j
> > DNAT --to-destination 10.2.4.1:22453
> > iptables -A FORWARD -m state --state
> > ESTABLISHED,RELATED -j ACCEPT
> > iptables -A FORWARD -s 143.233.222.253 -d 10.2.4.1
> > -p 6 --dport 22453 -j
> > ACCEPT
> >
> > I have a sneaking suspicion that 22453 is not the
> > destination port.
> > What service is 10.2.4.1 providing to
> > 143.233.222.253?
> >
> > I'm afraid I'm running out of time today.  I
> > probably cannot help much
> > more.  I'm sure someone else can jump in.  Take care
> > - John
> >
> > On Tue, 2005-09-27 at 08:40 -0700, Alaios wrote:
> > > My complete rule set??? Hm... there is nothing
> > like
> > > that... I work to a solution for 4-5 hours and
> > still
> > > havent finded any iptable rule to work.. in my pc
> > i
> > > dont have any ip rules loaded at all nor a
> > firewall
> > > applied.. I just want to do only this to work.. Do
> > u
> > > have anything else in mind plz?
> > >
> > > --- "John A. Sullivan III"
> > > <jsullivan@opensourcedevel.com> wrote:
> > >
> > > > I made some assumptions about other rules you
> > would
> > > > have had in place.
> > > > I believe someone else posted a much more
> > thorough
> > > > answer.  Did you
> > > > create an ESTABLISHED,RELATED rule as that other
> > > > post suggested?
> > > >
> > > > Would you mind posting your complete rule set
> > (with
> > > > any sensitive
> > > > information edited, of course)? - John
> > > >
> > > > On Tue, 2005-09-27 at 08:30 -0700, Alaios wrote:
> > > > > Thx for your quick reply..... i have just
> > tested
> > > > but
> > > > > it didnt work... I think that i cant explain
> > what
> > > > i
> > > > > need or i am doing sth wrong..
> > > > > i have enabled the packets loging
> > > > > so executing dmesg prints the following
> > > > > IN=eth1 OUT= MAC=(the mac addresses)
> > > > > As u can see the OUT is null which means thats
> > > > perhaps
> > > > > the problem... What do u have in mind?
> > > > >
> > > > > --- "John A. Sullivan III"
> > > > > <jsullivan@opensourcedevel.com> wrote:
> > > > >
> > > > > > On Tue, 2005-09-27 at 11:14 -0400, John A.
> > > > Sullivan
> > > > > > III wrote:
> > > > > > > On Tue, 2005-09-27 at 07:57 -0700, Alaios
> > > > wrote:
> > > > > > > > Hi plz take a look at the following
> > example
> > > > > > > >
> > > > > > > > The laptop has 2 ethernet interfaces
> > > > > > > > To eth1 comes traffic from src
> > > > 143.233.222.253
> > > > > > > > The eth0 has ip address 10.2.4.2 and it
> > is
> > > > > > connected
> > > > > > > > back to back with eth1 of other pc with
> > ip
> > > > > > address
> > > > > > > > 10.2.4.1
> > > > > > > > I want to forward the traffic with src
> > > > > > 143.233.222.253
> > > > > > > > to the 10.2.4.1 pc and if it works i
> > will
> > > > redo
> > > > > > this
> > > > > > > > for a second pc so as to l send the
> > traffic
> > > > to a
> > > > > > third
> > > > > > > > on.
> > > > > > > > Can u help me plz?
> > > > > > > >
> > > > > > > > I have tried this one
> > > > > > > > iptables -t nat -A PREROUTING -i eth1 -s
> > > > > > > > 143.233.222.253 -j DNAT --to-destination
> > > > > > 10.2.4.1
> > > > > > > > i have also set the
> > > > > > > > /proc/sys/net/ipv4/ip_forward to 1
> > > > > > > > but still i cant see any trafiic to eth0
> > > > > > interface (ip
> > > > > > > > 10.2.4.2)
> > > > > > > >
> > > > > > > >
> > > > > > > > I have also tested this one
> > > > > > > > iptables -t nat -A PREROUTING -p tcp -d
> > > > > > 143.233.222.77
> > > > > > > > (laptop eth1 card) --dport 22453 (i have
> > > > cheched
> > > > > > dst
> > > > > > > > port with tcpdump) 00 -j DNAT
> > > > --to-destination
> > > > > > > > 10.2.4.1
> > > > > > > > this still doesnt work
> > > > > > > > Every time i try to apply a new rule i
> > use
> > > > first
> > > > > > > > the iptables -F
> > > > > > > > iptables -t nat -F command
> > > > > > > <snip>
> > > > > > >
> > > > > > > I'm a little confused about what you are
> > > > doing.  I
> > > > > > would normally refer
> > > > > > > you to Oskar Andreasson's excellent
> > tutorial
> > > > at
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html
> > > > > > or the
> > > > > > > training slides on the ISCS web site
> > > > > > (http://iscs.sourceforge.net) but,
> > > > > > > since it appears that you have an
> > emergency,
> > > > here
> > > > > > goes:
> > > > > > >
> > > > > > > First, if the source is 143.233.222.253,
> > you
> > > > would
> > > > > > not want to DNAT it.
> > > > > > > DNAT changes the destination.  Thus, your
> > > > second
> > > > > > attempt is the correct
> > > > > > > one.  You might want to lock the
> > destination
> > > > port
> > > > > > - it's not likely to
> > > > > > > be a problem but, if it ever is, it will
> > be
> > > > one of
> > > > > > those really hard to
> > > > > > > diagnose, sporadic problems:
> > > > > > > -j DNAT --to-destination 10.2.4.1:22453
> > > > > > >
> > > > > > > Second, this only takes care of the
> > > > addressing.
> > > > > > You must still allow
> > > > > > > the traffic in the FORWARD chain of the
> > filter
> > > > > > table, e.g.,
> > > > > > >
> > > > > > > iptables -A FORWARD -d 10.2.4.1 -p 6
> > --dport
> > > > 22453
> > > > > > -j ACCEPT
> > > > > > >
> > > > > > > Hope this helps - John
> > > > > >
> > > > > > Oh, yes, you wanted to restrict the source
> > > > address.
> > > > > > Add that to your
> > > > > > filter table rule:
> > > > > > iptables -A FORWARD -s 143.233.222.253 -d
> > > > 10.2.4.1
> > > > > > -p 6 --dport 22453 -j
> > > > > > ACCEPT
> > > > > > --
> > > > > > John A. Sullivan III
> > > > > > Open Source Development Corporation
> > > > > > +1 207-985-7880
> > > > > > jsullivan@opensourcedevel.com
> > > > > >
> > > > > > If you would like to participate in the
> > > > development
> > > > > > of an open source
> > > > > > enterprise class network security management
> > > > system,
> > > > > > please visit
> > > > > > http://iscs.sourceforge.net
> > > > > >
> > > > > >
> > > > >
> > > > >
> > __________________________________________________
> > > > > Do You Yahoo!?
> > > > > Tired of spam?  Yahoo! Mail has the best spam
> > > > protection around
> > > > > http://mail.yahoo.com
> > > > --
> > > > John A. Sullivan III
> > > > Open Source Development Corporation
> > > > +1 207-985-7880
> > > > jsullivan@opensourcedevel.com
> > > >
> > > > Financially sustainable open source development
> > > > http://www.opensourcedevel.com
> > > >
> > > >
> > >
> > > __________________________________________________
> > > Do You Yahoo!?
> > > Tired of spam?  Yahoo! Mail has the best spam
> > protection around
> > > http://mail.yahoo.com
> > --
> > John A. Sullivan III
> > Open Source Development Corporation
> > +1 207-985-7880
> > jsullivan@opensourcedevel.com
> >
> > Financially sustainable open source development
> > http://www.opensourcedevel.com
> >
> >
>
>
>
>
> __________________________________
> Yahoo! Mail - PC Magazine Editors' Choice 2005
> http://mail.yahoo.com
>
>

Re: Plz i need help.... or i ll be fired :(

[Alaios]

eth0      Link encap:Ethernet  HWaddr
00:02:3F:6D:70:3E  
          inet addr:10.2.4.1  Bcast:10.255.255.255 
Mask:255.0.0.0
          inet6 addr: fe80::202:3fff:fe6d:703e/64
Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500 
Metric:1
          RX packets:3 errors:0 dropped:0 overruns:0
frame:0
          TX packets:394 errors:0 dropped:0 overruns:0
carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:218 (218.0 b)  TX bytes:24983 (24.3
Kb)
          Interrupt:11 Base address:0x6800 

eth1      Link encap:Ethernet  HWaddr
00:02:2D:3B:1D:96  
          inet addr:143.233.222.77 
Bcast:255.255.255.255  Mask:255.255.255.192
          inet6 addr: fe80::202:2dff:fe3b:1d96/64
Scope:Link
          UP BROADCAST NOTRAILERS RUNNING MULTICAST 
MTU:1500  Metric:1
          RX packets:293209 errors:0 dropped:0
overruns:0 frame:0
          TX packets:74 errors:0 dropped:0 overruns:0
carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:364527709 (347.6 Mb)  TX
bytes:19400 (18.9 Kb)
          Interrupt:3 Base address:0x100 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:54 errors:0 dropped:0 overruns:0
frame:0
          TX packets:54 errors:0 dropped:0 overruns:0
carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:3528 (3.4 Kb)  TX bytes:3528 (3.4
Kb)

Kernel IP routing table
Destination     Gateway         Genmask         Flags
Metric Ref    Use Iface
143.233.222.64  0.0.0.0         255.255.255.192 U    
0      0        0 eth1
10.0.0.0        0.0.0.0         255.0.0.0       U    
0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U    
0      0        0 lo



--- Edmundo Carmona <eantoranz@gmail.com> wrote:

> Remove the UDP/port from the rule, that will allow
> you to PING the
> box, and the inner box should respond.
> 
> Anyway, let's go to the basics... what is the output
> of
> 
> ifconfig
> route -n
> 
> ??
> 
> On 9/27/05, Alaios <alaios@yahoo.com> wrote:
> > I have done absolutely what u have said.. I have
> > rechecked the source port and destination and are
> the
> > same.... The programme is a packet generator that
> > creates bulk data. We use it to test oure
> network....
> > I have applied your commands but with a little
> changes
> > iptables -nat -A PREROUTING -i eth1 -d
> 143.233.222.77
> > -p udp --destination-port 22453 -j DNAT
> > --to-destination 10.2.4.1:22453
> > My problem is that still i cant see any packages
> in
> > the eth0 interface.. What know what else should i
> do
> > now
> >
> > --- "John A. Sullivan III"
> > <jsullivan@opensourcedevel.com> wrote:
> >
> > > It sounds like you really need to learn the
> basics.
> > > I would suggest you
> > > go through the links I mentioned below.  What
> > > exactly do you want to do?
> > >
> > > It sounds like you want traffic coming in from
> > > 143.233.222.253 on tcp
> > > destination port 22453 (are you sure this is the
> > > destination port and
> > > not the source port?????) on the laptop
> interface
> > > eth1 with IP address
> > > 143.233.222.77 to be sent to 10.2.4.1 on the
> eth0
> > > interface.  I am
> > > assuming that 143.233.222.77 and 143.233.222.253
> are
> > > on the same
> > > network, i.e., the subnet mask is 255.255.255.0
> or
> > > less.  I also
> > > assuming that you have enabled forwarding as you
> > > said you did.
> > >
> > > Then you would do something like:
> > >
> > > iptables -F
> > > iptables -t nat -F
> > > iptables -P FORWARD DROP
> > > iptables -t nat -P ACCEPT
> > > iptables -t nat -A PREROUTING -i eth1 -d
> > > 143.233.222.77 --dport 22453 -j
> > > DNAT --to-destination 10.2.4.1:22453
> > > iptables -A FORWARD -m state --state
> > > ESTABLISHED,RELATED -j ACCEPT
> > > iptables -A FORWARD -s 143.233.222.253 -d
> 10.2.4.1
> > > -p 6 --dport 22453 -j
> > > ACCEPT
> > >
> > > I have a sneaking suspicion that 22453 is not
> the
> > > destination port.
> > > What service is 10.2.4.1 providing to
> > > 143.233.222.253?
> > >
> > > I'm afraid I'm running out of time today.  I
> > > probably cannot help much
> > > more.  I'm sure someone else can jump in.  Take
> care
> > > - John
> > >
> > > On Tue, 2005-09-27 at 08:40 -0700, Alaios wrote:
> > > > My complete rule set??? Hm... there is nothing
> > > like
> > > > that... I work to a solution for 4-5 hours and
> > > still
> > > > havent finded any iptable rule to work.. in my
> pc
> > > i
> > > > dont have any ip rules loaded at all nor a
> > > firewall
> > > > applied.. I just want to do only this to
> work.. Do
> > > u
> > > > have anything else in mind plz?
> > > >
> > > > --- "John A. Sullivan III"
> > > > <jsullivan@opensourcedevel.com> wrote:
> > > >
> > > > > I made some assumptions about other rules
> you
> > > would
> > > > > have had in place.
> > > > > I believe someone else posted a much more
> > > thorough
> > > > > answer.  Did you
> > > > > create an ESTABLISHED,RELATED rule as that
> other
> > > > > post suggested?
> > > > >
> > > > > Would you mind posting your complete rule
> set
> > > (with
> > > > > any sensitive
> > > > > information edited, of course)? - John
> > > > >
> > > > > On Tue, 2005-09-27 at 08:30 -0700, Alaios
> wrote:
> > > > > > Thx for your quick reply..... i have just
> > > tested
> > > > > but
> > > > > > it didnt work... I think that i cant
> explain
> > > what
> > > > > i
> > > > > > need or i am doing sth wrong..
> > > > > > i have enabled the packets loging
> > > > > > so executing dmesg prints the following
> > > > > > IN=eth1 OUT= MAC=(the mac addresses)
> > > > > > As u can see the OUT is null which means
> thats
> > > > > perhaps
> > > > > > the problem... What do u have in mind?
> > > > > >
> > > > > > --- "John A. Sullivan III"
> > > > > > <jsullivan@opensourcedevel.com> wrote:
> > > > > >
> > > > > > > On Tue, 2005-09-27 at 11:14 -0400, John
> A.
> > > > > Sullivan
> > > > > > > III wrote:
> > > > > > > > On Tue, 2005-09-27 at 07:57 -0700,
> Alaios
> > > > > wrote:
> > > > > > > > > Hi plz take a look at the following
> > > example
> > > > > > > > >
> > > > > > > > > The laptop has 2 ethernet interfaces
> > > > > > > > > To eth1 comes traffic from src
> > > > > 143.233.222.253
> > > > > > > > > The eth0 has ip address 10.2.4.2 and
> it
> > > is
> > > > > > > connected
> > > > > > > > > back to back with eth1 of other pc
> with
> > > ip
> > > > > > > address
> > > > > > > > > 10.2.4.1
> > > > > > > > > I want to forward the traffic with
> src
> > > > > > > 143.233.222.253
> > > > > > > > > to the 10.2.4.1 pc and if it works i
> > > will
> > > > > redo
> > > > > > > this
> > > > > > > > > for a second pc so as to l send the
> > > traffic
> > > > > to a
> > > > > > > third
> > > > > > > > > on.
> > > > > > > > > Can u help me plz?
> > > > > > > > >
> > > > > > > > > I have tried this one
> > > > > > > > > iptables -t nat -A PREROUTING -i
> eth1 -s
> > > > > > > > > 143.233.222.253 -j DNAT
> --to-destination
> > > > > > > 10.2.4.1
> > > > > > > > > i have also set the
> > > > > > > > > /proc/sys/net/ipv4/ip_forward to 1
> > > > > > > > > but still i cant see any trafiic to
> eth0
> > > > > > > interface (ip
> > > > > > > > > 10.2.4.2)
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > I have also tested this one
> > > > > > > > > iptables -t nat -A PREROUTING -p tcp
> -d
> > > > > > > 143.233.222.77
> > > > > > > > > (laptop eth1 card) --dport 22453 (i
> have
> > > > > cheched
> > > > > > > dst
> > > > > > > > > port with tcpdump) 00 -j DNAT
> > > > > --to-destination
> > > > > > > > > 10.2.4.1
> > > > > > > > > this still doesnt work
> > > > > > > > > Every time i try to apply a new rule
> i
> > > use
> > > > > first
> > > > > > > > > the iptables -F
> > > > > > > > > iptables -t nat -F command
> > > > > > > > <snip>
> > > > > > > >
> > > > > > > > I'm a little confused about what you
> are
> > > > > doing.  I
> > > > > > > would normally refer
> > > > > > > > you to Oskar Andreasson's excellent
> > > tutorial
> > > > > at
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>
http://iptables-tutorial.frozentux.net/iptables-tutorial.html
> > > > > > > or the
> > > > > > > > training slides on the ISCS web site
> > > > > > > (http://iscs.sourceforge.net) but,
> > > > > > > > since it appears that you have an
> > > emergency,
> > > > > here
> > > > > > > goes:
> > > > > > > >
> > > > > > > > First, if the source is
> 143.233.222.253,
> > > you
> > > > > would
> > > > > > > not want to DNAT it.
> > > > > > > > DNAT changes the destination.  Thus,
> your
> > > > > second
> > > > > > > attempt is the correct
> > > > > > > > one.  You might want to lock the
> > > destination
> > > > > port
> > > > > > > - it's not likely to
> > > > > > > > be a problem but, if it ever is, it
> will
> > > be
> > > > > one of
> > > > > > > those really hard to
> > > > > > > > diagnose, sporadic problems:
> > > > > > > > -j DNAT --to-destination
> 10.2.4.1:22453
> > > > > > > >
> > > > > > > > Second, this only takes care of the
> > > > > addressing.
> > > > > > > You must still allow
> > > > > > > > the traffic in the FORWARD chain of
> the
> > > filter
> > > > > > > table, e.g.,
> > > > > > > >
> > > > > > > > iptables -A FORWARD -d 10.2.4.1 -p 6
> > > --dport
> > > > > 22453
> > > > > > > -j ACCEPT
> > > > > > > >
> > > > > > > > Hope this helps - John
> > > > > > >
> > > > > > > Oh, yes, you wanted to restrict the
> source
> > > > > address.
> > > > > > > Add that to your
> > > > > > > filter table rule:
> > > > > > > iptables -A FORWARD -s 143.233.222.253
> -d
> > > > > 10.2.4.1
> > > > > > > -p 6 --dport 22453 -j
> > > > > > > ACCEPT
> > > > > > > --
> > > > > > > John A. Sullivan III
> > > > > > > Open Source Development Corporation
> > > > > > > +1 207-985-7880
> > > > > > > jsullivan@opensourcedevel.com
> > > > > > >
> > > > > > > If you would like to participate in the
> > > > > development
> > > > > > > of an open source
> > > > > > > enterprise class network security
> management
> > > > > system,
> > > > > > > please visit
> > > > > > > http://iscs.sourceforge.net
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > >
> __________________________________________________
> > > > > > Do You Yahoo!?
> > > > > > Tired of spam?  Yahoo! Mail has the best
> spam
> > > > > protection around
> > > > > > http://mail.yahoo.com
> > > > > --
> > > > > John A. Sullivan III
> > > > > Open Source Development Corporation
> > > > > +1 207-985-7880
> > > > > jsullivan@opensourcedevel.com
> > > > >
> > > > > Financially sustainable open source
> development
> > > > > http://www.opensourcedevel.com
> > > > >
> > > > >
> > > >
> > > >
> __________________________________________________
> > > > Do You Yahoo!?
> > > > Tired of spam?  Yahoo! Mail has the best spam
> > > protection around
> > > > http://mail.yahoo.com
> > > --
> > > John A. Sullivan III
> > > Open Source Development Corporation
> > > +1 207-985-7880
> > > jsullivan@opensourcedevel.com
> > >
> > > Financially sustainable open source development
> > > http://www.opensourcedevel.com
> > >
> > >
> >
> >
> >
> >
> > __________________________________
> > Yahoo! Mail - PC Magazine Editors' Choice 2005
> > http://mail.yahoo.com
> >
> >
> 
> 



		
__________________________________ 
Yahoo! Mail - PC Magazine Editors' Choice 2005 
http://mail.yahoo.com

Re: Plz i need help.... or i ll be fired :(

[Edmundo Carmona]

Look at the IP of eth0. its 10.2.4.1, and you said it was 10.2.4.2 and
wanted to forward it to another host with ip 10.2.4.1 (according to
your very first mail).

On 9/27/05, Alaios <alaios@yahoo.com> wrote:
> eth0      Link encap:Ethernet  HWaddr
> 00:02:3F:6D:70:3E
>           inet addr:10.2.4.1  Bcast:10.255.255.255
> Mask:255.0.0.0
>           inet6 addr: fe80::202:3fff:fe6d:703e/64
> Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500
> Metric:1
>           RX packets:3 errors:0 dropped:0 overruns:0
> frame:0
>           TX packets:394 errors:0 dropped:0 overruns:0
> carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:218 (218.0 b)  TX bytes:24983 (24.3
> Kb)
>           Interrupt:11 Base address:0x6800
>
> eth1      Link encap:Ethernet  HWaddr
> 00:02:2D:3B:1D:96
>           inet addr:143.233.222.77
> Bcast:255.255.255.255  Mask:255.255.255.192
>           inet6 addr: fe80::202:2dff:fe3b:1d96/64
> Scope:Link
>           UP BROADCAST NOTRAILERS RUNNING MULTICAST
> MTU:1500  Metric:1
>           RX packets:293209 errors:0 dropped:0
> overruns:0 frame:0
>           TX packets:74 errors:0 dropped:0 overruns:0
> carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:364527709 (347.6 Mb)  TX
> bytes:19400 (18.9 Kb)
>           Interrupt:3 Base address:0x100
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:54 errors:0 dropped:0 overruns:0
> frame:0
>           TX packets:54 errors:0 dropped:0 overruns:0
> carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:3528 (3.4 Kb)  TX bytes:3528 (3.4
> Kb)
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags
> Metric Ref    Use Iface
> 143.233.222.64  0.0.0.0         255.255.255.192 U
> 0      0        0 eth1
> 10.0.0.0        0.0.0.0         255.0.0.0       U
> 0      0        0 eth0
> 127.0.0.0       0.0.0.0         255.0.0.0       U
> 0      0        0 lo
>
>
>
> --- Edmundo Carmona <eantoranz@gmail.com> wrote:
>
> > Remove the UDP/port from the rule, that will allow
> > you to PING the
> > box, and the inner box should respond.
> >
> > Anyway, let's go to the basics... what is the output
> > of
> >
> > ifconfig
> > route -n
> >
> > ??
> >
> > On 9/27/05, Alaios <alaios@yahoo.com> wrote:
> > > I have done absolutely what u have said.. I have
> > > rechecked the source port and destination and are
> > the
> > > same.... The programme is a packet generator that
> > > creates bulk data. We use it to test oure
> > network....
> > > I have applied your commands but with a little
> > changes
> > > iptables -nat -A PREROUTING -i eth1 -d
> > 143.233.222.77
> > > -p udp --destination-port 22453 -j DNAT
> > > --to-destination 10.2.4.1:22453
> > > My problem is that still i cant see any packages
> > in
> > > the eth0 interface.. What know what else should i
> > do
> > > now
> > >
> > > --- "John A. Sullivan III"
> > > <jsullivan@opensourcedevel.com> wrote:
> > >
> > > > It sounds like you really need to learn the
> > basics.
> > > > I would suggest you
> > > > go through the links I mentioned below.  What
> > > > exactly do you want to do?
> > > >
> > > > It sounds like you want traffic coming in from
> > > > 143.233.222.253 on tcp
> > > > destination port 22453 (are you sure this is the
> > > > destination port and
> > > > not the source port?????) on the laptop
> > interface
> > > > eth1 with IP address
> > > > 143.233.222.77 to be sent to 10.2.4.1 on the
> > eth0
> > > > interface.  I am
> > > > assuming that 143.233.222.77 and 143.233.222.253
> > are
> > > > on the same
> > > > network, i.e., the subnet mask is 255.255.255.0
> > or
> > > > less.  I also
> > > > assuming that you have enabled forwarding as you
> > > > said you did.
> > > >
> > > > Then you would do something like:
> > > >
> > > > iptables -F
> > > > iptables -t nat -F
> > > > iptables -P FORWARD DROP
> > > > iptables -t nat -P ACCEPT
> > > > iptables -t nat -A PREROUTING -i eth1 -d
> > > > 143.233.222.77 --dport 22453 -j
> > > > DNAT --to-destination 10.2.4.1:22453
> > > > iptables -A FORWARD -m state --state
> > > > ESTABLISHED,RELATED -j ACCEPT
> > > > iptables -A FORWARD -s 143.233.222.253 -d
> > 10.2.4.1
> > > > -p 6 --dport 22453 -j
> > > > ACCEPT
> > > >
> > > > I have a sneaking suspicion that 22453 is not
> > the
> > > > destination port.
> > > > What service is 10.2.4.1 providing to
> > > > 143.233.222.253?
> > > >
> > > > I'm afraid I'm running out of time today.  I
> > > > probably cannot help much
> > > > more.  I'm sure someone else can jump in.  Take
> > care
> > > > - John
> > > >
> > > > On Tue, 2005-09-27 at 08:40 -0700, Alaios wrote:
> > > > > My complete rule set??? Hm... there is nothing
> > > > like
> > > > > that... I work to a solution for 4-5 hours and
> > > > still
> > > > > havent finded any iptable rule to work.. in my
> > pc
> > > > i
> > > > > dont have any ip rules loaded at all nor a
> > > > firewall
> > > > > applied.. I just want to do only this to
> > work.. Do
> > > > u
> > > > > have anything else in mind plz?
> > > > >
> > > > > --- "John A. Sullivan III"
> > > > > <jsullivan@opensourcedevel.com> wrote:
> > > > >
> > > > > > I made some assumptions about other rules
> > you
> > > > would
> > > > > > have had in place.
> > > > > > I believe someone else posted a much more
> > > > thorough
> > > > > > answer.  Did you
> > > > > > create an ESTABLISHED,RELATED rule as that
> > other
> > > > > > post suggested?
> > > > > >
> > > > > > Would you mind posting your complete rule
> > set
> > > > (with
> > > > > > any sensitive
> > > > > > information edited, of course)? - John
> > > > > >
> > > > > > On Tue, 2005-09-27 at 08:30 -0700, Alaios
> > wrote:
> > > > > > > Thx for your quick reply..... i have just
> > > > tested
> > > > > > but
> > > > > > > it didnt work... I think that i cant
> > explain
> > > > what
> > > > > > i
> > > > > > > need or i am doing sth wrong..
> > > > > > > i have enabled the packets loging
> > > > > > > so executing dmesg prints the following
> > > > > > > IN=eth1 OUT= MAC=(the mac addresses)
> > > > > > > As u can see the OUT is null which means
> > thats
> > > > > > perhaps
> > > > > > > the problem... What do u have in mind?
> > > > > > >
> > > > > > > --- "John A. Sullivan III"
> > > > > > > <jsullivan@opensourcedevel.com> wrote:
> > > > > > >
> > > > > > > > On Tue, 2005-09-27 at 11:14 -0400, John
> > A.
> > > > > > Sullivan
> > > > > > > > III wrote:
> > > > > > > > > On Tue, 2005-09-27 at 07:57 -0700,
> > Alaios
> > > > > > wrote:
> > > > > > > > > > Hi plz take a look at the following
> > > > example
> > > > > > > > > >
> > > > > > > > > > The laptop has 2 ethernet interfaces
> > > > > > > > > > To eth1 comes traffic from src
> > > > > > 143.233.222.253
> > > > > > > > > > The eth0 has ip address 10.2.4.2 and
> > it
> > > > is
> > > > > > > > connected
> > > > > > > > > > back to back with eth1 of other pc
> > with
> > > > ip
> > > > > > > > address
> > > > > > > > > > 10.2.4.1
> > > > > > > > > > I want to forward the traffic with
> > src
> > > > > > > > 143.233.222.253
> > > > > > > > > > to the 10.2.4.1 pc and if it works i
> > > > will
> > > > > > redo
> > > > > > > > this
> > > > > > > > > > for a second pc so as to l send the
> > > > traffic
> > > > > > to a
> > > > > > > > third
> > > > > > > > > > on.
> > > > > > > > > > Can u help me plz?
> > > > > > > > > >
> > > > > > > > > > I have tried this one
> > > > > > > > > > iptables -t nat -A PREROUTING -i
> > eth1 -s
> > > > > > > > > > 143.233.222.253 -j DNAT
> > --to-destination
> > > > > > > > 10.2.4.1
> > > > > > > > > > i have also set the
> > > > > > > > > > /proc/sys/net/ipv4/ip_forward to 1
> > > > > > > > > > but still i cant see any trafiic to
> > eth0
> > > > > > > > interface (ip
> > > > > > > > > > 10.2.4.2)
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > I have also tested this one
> > > > > > > > > > iptables -t nat -A PREROUTING -p tcp
> > -d
> > > > > > > > 143.233.222.77
> > > > > > > > > > (laptop eth1 card) --dport 22453 (i
> > have
> > > > > > cheched
> > > > > > > > dst
> > > > > > > > > > port with tcpdump) 00 -j DNAT
> > > > > > --to-destination
> > > > > > > > > > 10.2.4.1
> > > > > > > > > > this still doesnt work
> > > > > > > > > > Every time i try to apply a new rule
> > i
> > > > use
> > > > > > first
> > > > > > > > > > the iptables -F
> > > > > > > > > > iptables -t nat -F command
> > > > > > > > > <snip>
> > > > > > > > >
> > > > > > > > > I'm a little confused about what you
> > are
> > > > > > doing.  I
> > > > > > > > would normally refer
> > > > > > > > > you to Oskar Andreasson's excellent
> > > > tutorial
> > > > > > at
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html
> > > > > > > > or the
> > > > > > > > > training slides on the ISCS web site
> > > > > > > > (http://iscs.sourceforge.net) but,
> > > > > > > > > since it appears that you have an
> > > > emergency,
> > > > > > here
> > > > > > > > goes:
> > > > > > > > >
> > > > > > > > > First, if the source is
> > 143.233.222.253,
> > > > you
> > > > > > would
> > > > > > > > not want to DNAT it.
> > > > > > > > > DNAT changes the destination.  Thus,
> > your
> > > > > > second
> > > > > > > > attempt is the correct
> > > > > > > > > one.  You might want to lock the
> > > > destination
> > > > > > port
> > > > > > > > - it's not likely to
> > > > > > > > > be a problem but, if it ever is, it
> > will
> > > > be
> > > > > > one of
> > > > > > > > those really hard to
> > > > > > > > > diagnose, sporadic problems:
> > > > > > > > > -j DNAT --to-destination
> > 10.2.4.1:22453
> > > > > > > > >
> > > > > > > > > Second, this only takes care of the
> > > > > > addressing.
> > > > > > > > You must still allow
> > > > > > > > > the traffic in the FORWARD chain of
> > the
> > > > filter
> > > > > > > > table, e.g.,
> > > > > > > > >
> > > > > > > > > iptables -A FORWARD -d 10.2.4.1 -p 6
> > > > --dport
> > > > > > 22453
> > > > > > > > -j ACCEPT
> > > > > > > > >
> > > > > > > > > Hope this helps - John
> > > > > > > >
> > > > > > > > Oh, yes, you wanted to restrict the
> > source
> > > > > > address.
> > > > > > > > Add that to your
> > > > > > > > filter table rule:
> > > > > > > > iptables -A FORWARD -s 143.233.222.253
> > -d
> > > > > > 10.2.4.1
> > > > > > > > -p 6 --dport 22453 -j
> > > > > > > > ACCEPT
> > > > > > > > --
> > > > > > > > John A. Sullivan III
> > > > > > > > Open Source Development Corporation
> > > > > > > > +1 207-985-7880
> > > > > > > > jsullivan@opensourcedevel.com
> > > > > > > >
> > > > > > > > If you would like to participate in the
> > > > > > development
> > > > > > > > of an open source
> > > > > > > > enterprise class network security
> > management
> > > > > > system,
> > > > > > > > please visit
> > > > > > > > http://iscs.sourceforge.net
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > >
> > __________________________________________________
> > > > > > > Do You Yahoo!?
> > > > > > > Tired of spam?  Yahoo! Mail has the best
> > spam
> > > > > > protection around
> > > > > > > http://mail.yahoo.com
> > > > > > --
> > > > > > John A. Sullivan III
> > > > > > Open Source Development Corporation
> > > > > > +1 207-985-7880
> > > > > > jsullivan@opensourcedevel.com
> > > > > >
> > > > > > Financially sustainable open source
> > development
> > > > > > http://www.opensourcedevel.com
> > > > > >
> > > > > >
> > > > >
> > > > >
> > __________________________________________________
> > > > > Do You Yahoo!?
> > > > > Tired of spam?  Yahoo! Mail has the best spam
> > > > protection around
> > > > > http://mail.yahoo.com
> > > > --
> > > > John A. Sullivan III
> > > > Open Source Development Corporation
> > > > +1 207-985-7880
> > > > jsullivan@opensourcedevel.com
> > > >
> > > > Financially sustainable open source development
> > > > http://www.opensourcedevel.com
> > > >
> > > >
> > >
> > >
> > >
> > >
> > > __________________________________
> > > Yahoo! Mail - PC Magazine Editors' Choice 2005
> > > http://mail.yahoo.com
> > >
> > >
> >
> >
>
>
>
>
> __________________________________
> Yahoo! Mail - PC Magazine Editors' Choice 2005
> http://mail.yahoo.com
>

Re: Plz i need help.... or i ll be fired :(

[Edmundo Carmona]

Let's retry.

ahost: 143.233.222.253  | eth1:143.233.222.77 box1 eth0:10.2.4.1 |
eth0:10.2.4.2 box2

Is that correct? You want the traffic from ahost to reach box2, right?

Please.... (I beg you :'() try this on box1 (don't change it... it's
just a test):

iptables -t nat -F
iptables -F

iptables -P FORWARD ACCEPT

iptables -t nat -A PREROUTING -s 143.233.222.253 -j DNAT
--to-destination 10.2.4.2

echo 1 > /blah/blah

Then ping box1 from ahost. It should respond.... but it should have
been box2 the one that responded (as a matter of fact).

Am I correct?

On 9/27/05, Edmundo Carmona <eantoranz@gmail.com> wrote:
> Look at the IP of eth0. its 10.2.4.1, and you said it was 10.2.4.2 and
> wanted to forward it to another host with ip 10.2.4.1 (according to
> your very first mail).
>
> On 9/27/05, Alaios <alaios@yahoo.com> wrote:
> > eth0      Link encap:Ethernet  HWaddr
> > 00:02:3F:6D:70:3E
> >           inet addr:10.2.4.1  Bcast:10.255.255.255
> > Mask:255.0.0.0
> >           inet6 addr: fe80::202:3fff:fe6d:703e/64
> > Scope:Link
> >           UP BROADCAST RUNNING MULTICAST  MTU:1500
> > Metric:1
> >           RX packets:3 errors:0 dropped:0 overruns:0
> > frame:0
> >           TX packets:394 errors:0 dropped:0 overruns:0
> > carrier:0
> >           collisions:0 txqueuelen:1000
> >           RX bytes:218 (218.0 b)  TX bytes:24983 (24.3
> > Kb)
> >           Interrupt:11 Base address:0x6800
> >
> > eth1      Link encap:Ethernet  HWaddr
> > 00:02:2D:3B:1D:96
> >           inet addr:143.233.222.77
> > Bcast:255.255.255.255  Mask:255.255.255.192
> >           inet6 addr: fe80::202:2dff:fe3b:1d96/64
> > Scope:Link
> >           UP BROADCAST NOTRAILERS RUNNING MULTICAST
> > MTU:1500  Metric:1
> >           RX packets:293209 errors:0 dropped:0
> > overruns:0 frame:0
> >           TX packets:74 errors:0 dropped:0 overruns:0
> > carrier:0
> >           collisions:0 txqueuelen:1000
> >           RX bytes:364527709 (347.6 Mb)  TX
> > bytes:19400 (18.9 Kb)
> >           Interrupt:3 Base address:0x100
> >
> > lo        Link encap:Local Loopback
> >           inet addr:127.0.0.1  Mask:255.0.0.0
> >           inet6 addr: ::1/128 Scope:Host
> >           UP LOOPBACK RUNNING  MTU:16436  Metric:1
> >           RX packets:54 errors:0 dropped:0 overruns:0
> > frame:0
> >           TX packets:54 errors:0 dropped:0 overruns:0
> > carrier:0
> >           collisions:0 txqueuelen:0
> >           RX bytes:3528 (3.4 Kb)  TX bytes:3528 (3.4
> > Kb)
> >
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags
> > Metric Ref    Use Iface
> > 143.233.222.64  0.0.0.0         255.255.255.192 U
> > 0      0        0 eth1
> > 10.0.0.0        0.0.0.0         255.0.0.0       U
> > 0      0        0 eth0
> > 127.0.0.0       0.0.0.0         255.0.0.0       U
> > 0      0        0 lo
> >
> >
> >
> > --- Edmundo Carmona <eantoranz@gmail.com> wrote:
> >
> > > Remove the UDP/port from the rule, that will allow
> > > you to PING the
> > > box, and the inner box should respond.
> > >
> > > Anyway, let's go to the basics... what is the output
> > > of
> > >
> > > ifconfig
> > > route -n
> > >
> > > ??
> > >
> > > On 9/27/05, Alaios <alaios@yahoo.com> wrote:
> > > > I have done absolutely what u have said.. I have
> > > > rechecked the source port and destination and are
> > > the
> > > > same.... The programme is a packet generator that
> > > > creates bulk data. We use it to test oure
> > > network....
> > > > I have applied your commands but with a little
> > > changes
> > > > iptables -nat -A PREROUTING -i eth1 -d
> > > 143.233.222.77
> > > > -p udp --destination-port 22453 -j DNAT
> > > > --to-destination 10.2.4.1:22453
> > > > My problem is that still i cant see any packages
> > > in
> > > > the eth0 interface.. What know what else should i
> > > do
> > > > now
> > > >
> > > > --- "John A. Sullivan III"
> > > > <jsullivan@opensourcedevel.com> wrote:
> > > >
> > > > > It sounds like you really need to learn the
> > > basics.
> > > > > I would suggest you
> > > > > go through the links I mentioned below.  What
> > > > > exactly do you want to do?
> > > > >
> > > > > It sounds like you want traffic coming in from
> > > > > 143.233.222.253 on tcp
> > > > > destination port 22453 (are you sure this is the
> > > > > destination port and
> > > > > not the source port?????) on the laptop
> > > interface
> > > > > eth1 with IP address
> > > > > 143.233.222.77 to be sent to 10.2.4.1 on the
> > > eth0
> > > > > interface.  I am
> > > > > assuming that 143.233.222.77 and 143.233.222.253
> > > are
> > > > > on the same
> > > > > network, i.e., the subnet mask is 255.255.255.0
> > > or
> > > > > less.  I also
> > > > > assuming that you have enabled forwarding as you
> > > > > said you did.
> > > > >
> > > > > Then you would do something like:
> > > > >
> > > > > iptables -F
> > > > > iptables -t nat -F
> > > > > iptables -P FORWARD DROP
> > > > > iptables -t nat -P ACCEPT
> > > > > iptables -t nat -A PREROUTING -i eth1 -d
> > > > > 143.233.222.77 --dport 22453 -j
> > > > > DNAT --to-destination 10.2.4.1:22453
> > > > > iptables -A FORWARD -m state --state
> > > > > ESTABLISHED,RELATED -j ACCEPT
> > > > > iptables -A FORWARD -s 143.233.222.253 -d
> > > 10.2.4.1
> > > > > -p 6 --dport 22453 -j
> > > > > ACCEPT
> > > > >
> > > > > I have a sneaking suspicion that 22453 is not
> > > the
> > > > > destination port.
> > > > > What service is 10.2.4.1 providing to
> > > > > 143.233.222.253?
> > > > >
> > > > > I'm afraid I'm running out of time today.  I
> > > > > probably cannot help much
> > > > > more.  I'm sure someone else can jump in.  Take
> > > care
> > > > > - John
> > > > >
> > > > > On Tue, 2005-09-27 at 08:40 -0700, Alaios wrote:
> > > > > > My complete rule set??? Hm... there is nothing
> > > > > like
> > > > > > that... I work to a solution for 4-5 hours and
> > > > > still
> > > > > > havent finded any iptable rule to work.. in my
> > > pc
> > > > > i
> > > > > > dont have any ip rules loaded at all nor a
> > > > > firewall
> > > > > > applied.. I just want to do only this to
> > > work.. Do
> > > > > u
> > > > > > have anything else in mind plz?
> > > > > >
> > > > > > --- "John A. Sullivan III"
> > > > > > <jsullivan@opensourcedevel.com> wrote:
> > > > > >
> > > > > > > I made some assumptions about other rules
> > > you
> > > > > would
> > > > > > > have had in place.
> > > > > > > I believe someone else posted a much more
> > > > > thorough
> > > > > > > answer.  Did you
> > > > > > > create an ESTABLISHED,RELATED rule as that
> > > other
> > > > > > > post suggested?
> > > > > > >
> > > > > > > Would you mind posting your complete rule
> > > set
> > > > > (with
> > > > > > > any sensitive
> > > > > > > information edited, of course)? - John
> > > > > > >
> > > > > > > On Tue, 2005-09-27 at 08:30 -0700, Alaios
> > > wrote:
> > > > > > > > Thx for your quick reply..... i have just
> > > > > tested
> > > > > > > but
> > > > > > > > it didnt work... I think that i cant
> > > explain
> > > > > what
> > > > > > > i
> > > > > > > > need or i am doing sth wrong..
> > > > > > > > i have enabled the packets loging
> > > > > > > > so executing dmesg prints the following
> > > > > > > > IN=eth1 OUT= MAC=(the mac addresses)
> > > > > > > > As u can see the OUT is null which means
> > > thats
> > > > > > > perhaps
> > > > > > > > the problem... What do u have in mind?
> > > > > > > >
> > > > > > > > --- "John A. Sullivan III"
> > > > > > > > <jsullivan@opensourcedevel.com> wrote:
> > > > > > > >
> > > > > > > > > On Tue, 2005-09-27 at 11:14 -0400, John
> > > A.
> > > > > > > Sullivan
> > > > > > > > > III wrote:
> > > > > > > > > > On Tue, 2005-09-27 at 07:57 -0700,
> > > Alaios
> > > > > > > wrote:
> > > > > > > > > > > Hi plz take a look at the following
> > > > > example
> > > > > > > > > > >
> > > > > > > > > > > The laptop has 2 ethernet interfaces
> > > > > > > > > > > To eth1 comes traffic from src
> > > > > > > 143.233.222.253
> > > > > > > > > > > The eth0 has ip address 10.2.4.2 and
> > > it
> > > > > is
> > > > > > > > > connected
> > > > > > > > > > > back to back with eth1 of other pc
> > > with
> > > > > ip
> > > > > > > > > address
> > > > > > > > > > > 10.2.4.1
> > > > > > > > > > > I want to forward the traffic with
> > > src
> > > > > > > > > 143.233.222.253
> > > > > > > > > > > to the 10.2.4.1 pc and if it works i
> > > > > will
> > > > > > > redo
> > > > > > > > > this
> > > > > > > > > > > for a second pc so as to l send the
> > > > > traffic
> > > > > > > to a
> > > > > > > > > third
> > > > > > > > > > > on.
> > > > > > > > > > > Can u help me plz?
> > > > > > > > > > >
> > > > > > > > > > > I have tried this one
> > > > > > > > > > > iptables -t nat -A PREROUTING -i
> > > eth1 -s
> > > > > > > > > > > 143.233.222.253 -j DNAT
> > > --to-destination
> > > > > > > > > 10.2.4.1
> > > > > > > > > > > i have also set the
> > > > > > > > > > > /proc/sys/net/ipv4/ip_forward to 1
> > > > > > > > > > > but still i cant see any trafiic to
> > > eth0
> > > > > > > > > interface (ip
> > > > > > > > > > > 10.2.4.2)
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > I have also tested this one
> > > > > > > > > > > iptables -t nat -A PREROUTING -p tcp
> > > -d
> > > > > > > > > 143.233.222.77
> > > > > > > > > > > (laptop eth1 card) --dport 22453 (i
> > > have
> > > > > > > cheched
> > > > > > > > > dst
> > > > > > > > > > > port with tcpdump) 00 -j DNAT
> > > > > > > --to-destination
> > > > > > > > > > > 10.2.4.1
> > > > > > > > > > > this still doesnt work
> > > > > > > > > > > Every time i try to apply a new rule
> > > i
> > > > > use
> > > > > > > first
> > > > > > > > > > > the iptables -F
> > > > > > > > > > > iptables -t nat -F command
> > > > > > > > > > <snip>
> > > > > > > > > >
> > > > > > > > > > I'm a little confused about what you
> > > are
> > > > > > > doing.  I
> > > > > > > > > would normally refer
> > > > > > > > > > you to Oskar Andreasson's excellent
> > > > > tutorial
> > > > > > > at
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> > http://iptables-tutorial.frozentux.net/iptables-tutorial.html
> > > > > > > > > or the
> > > > > > > > > > training slides on the ISCS web site
> > > > > > > > > (http://iscs.sourceforge.net) but,
> > > > > > > > > > since it appears that you have an
> > > > > emergency,
> > > > > > > here
> > > > > > > > > goes:
> > > > > > > > > >
> > > > > > > > > > First, if the source is
> > > 143.233.222.253,
> > > > > you
> > > > > > > would
> > > > > > > > > not want to DNAT it.
> > > > > > > > > > DNAT changes the destination.  Thus,
> > > your
> > > > > > > second
> > > > > > > > > attempt is the correct
> > > > > > > > > > one.  You might want to lock the
> > > > > destination
> > > > > > > port
> > > > > > > > > - it's not likely to
> > > > > > > > > > be a problem but, if it ever is, it
> > > will
> > > > > be
> > > > > > > one of
> > > > > > > > > those really hard to
> > > > > > > > > > diagnose, sporadic problems:
> > > > > > > > > > -j DNAT --to-destination
> > > 10.2.4.1:22453
> > > > > > > > > >
> > > > > > > > > > Second, this only takes care of the
> > > > > > > addressing.
> > > > > > > > > You must still allow
> > > > > > > > > > the traffic in the FORWARD chain of
> > > the
> > > > > filter
> > > > > > > > > table, e.g.,
> > > > > > > > > >
> > > > > > > > > > iptables -A FORWARD -d 10.2.4.1 -p 6
> > > > > --dport
> > > > > > > 22453
> > > > > > > > > -j ACCEPT
> > > > > > > > > >
> > > > > > > > > > Hope this helps - John
> > > > > > > > >
> > > > > > > > > Oh, yes, you wanted to restrict the
> > > source
> > > > > > > address.
> > > > > > > > > Add that to your
> > > > > > > > > filter table rule:
> > > > > > > > > iptables -A FORWARD -s 143.233.222.253
> > > -d
> > > > > > > 10.2.4.1
> > > > > > > > > -p 6 --dport 22453 -j
> > > > > > > > > ACCEPT
> > > > > > > > > --
> > > > > > > > > John A. Sullivan III
> > > > > > > > > Open Source Development Corporation
> > > > > > > > > +1 207-985-7880
> > > > > > > > > jsullivan@opensourcedevel.com
> > > > > > > > >
> > > > > > > > > If you would like to participate in the
> > > > > > > development
> > > > > > > > > of an open source
> > > > > > > > > enterprise class network security
> > > management
> > > > > > > system,
> > > > > > > > > please visit
> > > > > > > > > http://iscs.sourceforge.net
> > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > >
> > > __________________________________________________
> > > > > > > > Do You Yahoo!?
> > > > > > > > Tired of spam?  Yahoo! Mail has the best
> > > spam
> > > > > > > protection around
> > > > > > > > http://mail.yahoo.com
> > > > > > > --
> > > > > > > John A. Sullivan III
> > > > > > > Open Source Development Corporation
> > > > > > > +1 207-985-7880
> > > > > > > jsullivan@opensourcedevel.com
> > > > > > >
> > > > > > > Financially sustainable open source
> > > development
> > > > > > > http://www.opensourcedevel.com
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > __________________________________________________
> > > > > > Do You Yahoo!?
> > > > > > Tired of spam?  Yahoo! Mail has the best spam
> > > > > protection around
> > > > > > http://mail.yahoo.com
> > > > > --
> > > > > John A. Sullivan III
> > > > > Open Source Development Corporation
> > > > > +1 207-985-7880
> > > > > jsullivan@opensourcedevel.com
> > > > >
> > > > > Financially sustainable open source development
> > > > > http://www.opensourcedevel.com
> > > > >
> > > > >
> > > >
> > > >
> > > >
> > > >
> > > > __________________________________
> > > > Yahoo! Mail - PC Magazine Editors' Choice 2005
> > > > http://mail.yahoo.com
> > > >
> > > >
> > >
> > >
> >
> >
> >
> >
> > __________________________________
> > Yahoo! Mail - PC Magazine Editors' Choice 2005
> > http://mail.yahoo.com
> >
>

Re: Plz i need help.... or i ll be fired :(

[John A. Sullivan III]

What is the default gateway for the laptop? How does it get to
143.233.222.253 since that is on a different network? - John

On Tue, 2005-09-27 at 09:52 -0700, Alaios wrote:
> eth0      Link encap:Ethernet  HWaddr
> 00:02:3F:6D:70:3E  
>           inet addr:10.2.4.1  Bcast:10.255.255.255 
> Mask:255.0.0.0
>           inet6 addr: fe80::202:3fff:fe6d:703e/64
> Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500 
> Metric:1
>           RX packets:3 errors:0 dropped:0 overruns:0
> frame:0
>           TX packets:394 errors:0 dropped:0 overruns:0
> carrier:0
>           collisions:0 txqueuelen:1000 
>           RX bytes:218 (218.0 b)  TX bytes:24983 (24.3
> Kb)
>           Interrupt:11 Base address:0x6800 
> 
> eth1      Link encap:Ethernet  HWaddr
> 00:02:2D:3B:1D:96  
>           inet addr:143.233.222.77 
> Bcast:255.255.255.255  Mask:255.255.255.192
>           inet6 addr: fe80::202:2dff:fe3b:1d96/64
> Scope:Link
>           UP BROADCAST NOTRAILERS RUNNING MULTICAST 
> MTU:1500  Metric:1
>           RX packets:293209 errors:0 dropped:0
> overruns:0 frame:0
>           TX packets:74 errors:0 dropped:0 overruns:0
> carrier:0
>           collisions:0 txqueuelen:1000 
>           RX bytes:364527709 (347.6 Mb)  TX
> bytes:19400 (18.9 Kb)
>           Interrupt:3 Base address:0x100 
> 
> lo        Link encap:Local Loopback  
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:54 errors:0 dropped:0 overruns:0
> frame:0
>           TX packets:54 errors:0 dropped:0 overruns:0
> carrier:0
>           collisions:0 txqueuelen:0 
>           RX bytes:3528 (3.4 Kb)  TX bytes:3528 (3.4
> Kb)
> 
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags
> Metric Ref    Use Iface
> 143.233.222.64  0.0.0.0         255.255.255.192 U    
> 0      0        0 eth1
> 10.0.0.0        0.0.0.0         255.0.0.0       U    
> 0      0        0 eth0
> 127.0.0.0       0.0.0.0         255.0.0.0       U    
> 0      0        0 lo
> 
> 
> 
> --- Edmundo Carmona <eantoranz@gmail.com> wrote:
> 
> > Remove the UDP/port from the rule, that will allow
> > you to PING the
> > box, and the inner box should respond.
> > 
> > Anyway, let's go to the basics... what is the output
> > of
> > 
> > ifconfig
> > route -n
> > 
> > ??
> > 
> > On 9/27/05, Alaios <alaios@yahoo.com> wrote:
> > > I have done absolutely what u have said.. I have
> > > rechecked the source port and destination and are
> > the
> > > same.... The programme is a packet generator that
> > > creates bulk data. We use it to test oure
> > network....
> > > I have applied your commands but with a little
> > changes
> > > iptables -nat -A PREROUTING -i eth1 -d
> > 143.233.222.77
> > > -p udp --destination-port 22453 -j DNAT
> > > --to-destination 10.2.4.1:22453
> > > My problem is that still i cant see any packages
> > in
> > > the eth0 interface.. What know what else should i
> > do
> > > now
> > >
> > > --- "John A. Sullivan III"
> > > <jsullivan@opensourcedevel.com> wrote:
> > >
> > > > It sounds like you really need to learn the
> > basics.
> > > > I would suggest you
> > > > go through the links I mentioned below.  What
> > > > exactly do you want to do?
> > > >
> > > > It sounds like you want traffic coming in from
> > > > 143.233.222.253 on tcp
> > > > destination port 22453 (are you sure this is the
> > > > destination port and
> > > > not the source port?????) on the laptop
> > interface
> > > > eth1 with IP address
> > > > 143.233.222.77 to be sent to 10.2.4.1 on the
> > eth0
> > > > interface.  I am
> > > > assuming that 143.233.222.77 and 143.233.222.253
> > are
> > > > on the same
> > > > network, i.e., the subnet mask is 255.255.255.0
> > or
> > > > less.  I also
> > > > assuming that you have enabled forwarding as you
> > > > said you did.
> > > >
> > > > Then you would do something like:
> > > >
> > > > iptables -F
> > > > iptables -t nat -F
> > > > iptables -P FORWARD DROP
> > > > iptables -t nat -P ACCEPT
> > > > iptables -t nat -A PREROUTING -i eth1 -d
> > > > 143.233.222.77 --dport 22453 -j
> > > > DNAT --to-destination 10.2.4.1:22453
> > > > iptables -A FORWARD -m state --state
> > > > ESTABLISHED,RELATED -j ACCEPT
> > > > iptables -A FORWARD -s 143.233.222.253 -d
> > 10.2.4.1
> > > > -p 6 --dport 22453 -j
> > > > ACCEPT
> > > >
> > > > I have a sneaking suspicion that 22453 is not
> > the
> > > > destination port.
> > > > What service is 10.2.4.1 providing to
> > > > 143.233.222.253?
> > > >
> > > > I'm afraid I'm running out of time today.  I
> > > > probably cannot help much
> > > > more.  I'm sure someone else can jump in.  Take
> > care
> > > > - John
> > > >
> > > > On Tue, 2005-09-27 at 08:40 -0700, Alaios wrote:
> > > > > My complete rule set??? Hm... there is nothing
> > > > like
> > > > > that... I work to a solution for 4-5 hours and
> > > > still
> > > > > havent finded any iptable rule to work.. in my
> > pc
> > > > i
> > > > > dont have any ip rules loaded at all nor a
> > > > firewall
> > > > > applied.. I just want to do only this to
> > work.. Do
> > > > u
> > > > > have anything else in mind plz?
> > > > >
> > > > > --- "John A. Sullivan III"
> > > > > <jsullivan@opensourcedevel.com> wrote:
> > > > >
> > > > > > I made some assumptions about other rules
> > you
> > > > would
> > > > > > have had in place.
> > > > > > I believe someone else posted a much more
> > > > thorough
> > > > > > answer.  Did you
> > > > > > create an ESTABLISHED,RELATED rule as that
> > other
> > > > > > post suggested?
> > > > > >
> > > > > > Would you mind posting your complete rule
> > set
> > > > (with
> > > > > > any sensitive
> > > > > > information edited, of course)? - John
> > > > > >
> > > > > > On Tue, 2005-09-27 at 08:30 -0700, Alaios
> > wrote:
> > > > > > > Thx for your quick reply..... i have just
> > > > tested
> > > > > > but
> > > > > > > it didnt work... I think that i cant
> > explain
> > > > what
> > > > > > i
> > > > > > > need or i am doing sth wrong..
> > > > > > > i have enabled the packets loging
> > > > > > > so executing dmesg prints the following
> > > > > > > IN=eth1 OUT= MAC=(the mac addresses)
> > > > > > > As u can see the OUT is null which means
> > thats
> > > > > > perhaps
> > > > > > > the problem... What do u have in mind?
> > > > > > >
> > > > > > > --- "John A. Sullivan III"
> > > > > > > <jsullivan@opensourcedevel.com> wrote:
> > > > > > >
> > > > > > > > On Tue, 2005-09-27 at 11:14 -0400, John
> > A.
> > > > > > Sullivan
> > > > > > > > III wrote:
> > > > > > > > > On Tue, 2005-09-27 at 07:57 -0700,
> > Alaios
> > > > > > wrote:
> > > > > > > > > > Hi plz take a look at the following
> > > > example
> > > > > > > > > >
> > > > > > > > > > The laptop has 2 ethernet interfaces
> > > > > > > > > > To eth1 comes traffic from src
> > > > > > 143.233.222.253
> > > > > > > > > > The eth0 has ip address 10.2.4.2 and
> > it
> > > > is
> > > > > > > > connected
> > > > > > > > > > back to back with eth1 of other pc
> > with
> > > > ip
> > > > > > > > address
> > > > > > > > > > 10.2.4.1
> > > > > > > > > > I want to forward the traffic with
> > src
> > > > > > > > 143.233.222.253
> > > > > > > > > > to the 10.2.4.1 pc and if it works i
> > > > will
> > > > > > redo
> > > > > > > > this
> > > > > > > > > > for a second pc so as to l send the
> > > > traffic
> > > > > > to a
> > > > > > > > third
> > > > > > > > > > on.
> > > > > > > > > > Can u help me plz?
> > > > > > > > > >
> > > > > > > > > > I have tried this one
> > > > > > > > > > iptables -t nat -A PREROUTING -i
> > eth1 -s
> > > > > > > > > > 143.233.222.253 -j DNAT
> > --to-destination
> > > > > > > > 10.2.4.1
> > > > > > > > > > i have also set the
> > > > > > > > > > /proc/sys/net/ipv4/ip_forward to 1
> > > > > > > > > > but still i cant see any trafiic to
> > eth0
> > > > > > > > interface (ip
> > > > > > > > > > 10.2.4.2)
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > I have also tested this one
> > > > > > > > > > iptables -t nat -A PREROUTING -p tcp
> > -d
> > > > > > > > 143.233.222.77
> > > > > > > > > > (laptop eth1 card) --dport 22453 (i
> > have
> > > > > > cheched
> > > > > > > > dst
> > > > > > > > > > port with tcpdump) 00 -j DNAT
> > > > > > --to-destination
> > > > > > > > > > 10.2.4.1
> > > > > > > > > > this still doesnt work
> > > > > > > > > > Every time i try to apply a new rule
> > i
> > > > use
> > > > > > first
> > > > > > > > > > the iptables -F
> > > > > > > > > > iptables -t nat -F command
> > > > > > > > > <snip>
> > > > > > > > >
> > > > > > > > > I'm a little confused about what you
> > are
> > > > > > doing.  I
> > > > > > > > would normally refer
> > > > > > > > > you to Oskar Andreasson's excellent
> > > > tutorial
> > > > > > at
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html
> > > > > > > > or the
> > > > > > > > > training slides on the ISCS web site
> > > > > > > > (http://iscs.sourceforge.net) but,
> > > > > > > > > since it appears that you have an
> > > > emergency,
> > > > > > here
> > > > > > > > goes:
> > > > > > > > >
> > > > > > > > > First, if the source is
> > 143.233.222.253,
> > > > you
> > > > > > would
> > > > > > > > not want to DNAT it.
> > > > > > > > > DNAT changes the destination.  Thus,
> > your
> > > > > > second
> > > > > > > > attempt is the correct
> > > > > > > > > one.  You might want to lock the
> > > > destination
> > > > > > port
> > > > > > > > - it's not likely to
> > > > > > > > > be a problem but, if it ever is, it
> > will
> > > > be
> > > > > > one of
> > > > > > > > those really hard to
> > > > > > > > > diagnose, sporadic problems:
> > > > > > > > > -j DNAT --to-destination
> > 10.2.4.1:22453
> > > > > > > > >
> > > > > > > > > Second, this only takes care of the
> > > > > > addressing.
> > > > > > > > You must still allow
> > > > > > > > > the traffic in the FORWARD chain of
> > the
> > > > filter
> > > > > > > > table, e.g.,
> > > > > > > > >
> > > > > > > > > iptables -A FORWARD -d 10.2.4.1 -p 6
> > > > --dport
> > > > > > 22453
> > > > > > > > -j ACCEPT
> > > > > > > > >
> > > > > > > > > Hope this helps - John
> > > > > > > >
> > > > > > > > Oh, yes, you wanted to restrict the
> > source
> > > > > > address.
> > > > > > > > Add that to your
> > > > > > > > filter table rule:
> > > > > > > > iptables -A FORWARD -s 143.233.222.253
> > -d
> > > > > > 10.2.4.1
> > > > > > > > -p 6 --dport 22453 -j
> > > > > > > > ACCEPT
> > > > > > > > --
> > > > > > > > John A. Sullivan III
> > > > > > > > Open Source Development Corporation
> > > > > > > > +1 207-985-7880
> > > > > > > > jsullivan@opensourcedevel.com
> > > > > > > >
> > > > > > > > If you would like to participate in the
> > > > > > development
> > > > > > > > of an open source
> > > > > > > > enterprise class network security
> > management
> > > > > > system,
> > > > > > > > please visit
> > > > > > > > http://iscs.sourceforge.net
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > >
> > __________________________________________________
> > > > > > > Do You Yahoo!?
> > > > > > > Tired of spam?  Yahoo! Mail has the best
> > spam
> > > > > > protection around
> > > > > > > http://mail.yahoo.com
> > > > > > --
> > > > > > John A. Sullivan III
> > > > > > Open Source Development Corporation
> > > > > > +1 207-985-7880
> > > > > > jsullivan@opensourcedevel.com
> > > > > >
> > > > > > Financially sustainable open source
> > development
> > > > > > http://www.opensourcedevel.com
> > > > > >
> > > > > >
> > > > >
> > > > >
> > __________________________________________________
> > > > > Do You Yahoo!?
> > > > > Tired of spam?  Yahoo! Mail has the best spam
> > > > protection around
> > > > > http://mail.yahoo.com
> > > > --
> > > > John A. Sullivan III
> > > > Open Source Development Corporation
> > > > +1 207-985-7880
> > > > jsullivan@opensourcedevel.com
> > > >
> > > > Financially sustainable open source development
> > > > http://www.opensourcedevel.com
> > > >
> > > >
> > >
> > >
> > >
> > >
> > > __________________________________
> > > Yahoo! Mail - PC Magazine Editors' Choice 2005
> > > http://mail.yahoo.com
> > >
> > >
> > 
> > 
> 
> 
> 
> 		
> __________________________________ 
> Yahoo! Mail - PC Magazine Editors' Choice 2005 
> http://mail.yahoo.com
> 
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com

Re: Plz i need help.... or i ll be fired :(

[Edmundo Carmona]

It sure is a different network! You see? As I said... something simple
was missing! (sorry to not have seen it before).

Well done, John!

On 9/27/05, John A. Sullivan III <jsullivan@opensourcedevel.com> wrote:
> What is the default gateway for the laptop? How does it get to
> 143.233.222.253 since that is on a different network? - John
>
> On Tue, 2005-09-27 at 09:52 -0700, Alaios wrote:
> > eth0      Link encap:Ethernet  HWaddr
> > 00:02:3F:6D:70:3E
> >           inet addr:10.2.4.1  Bcast:10.255.255.255
> > Mask:255.0.0.0
> >           inet6 addr: fe80::202:3fff:fe6d:703e/64
> > Scope:Link
> >           UP BROADCAST RUNNING MULTICAST  MTU:1500
> > Metric:1
> >           RX packets:3 errors:0 dropped:0 overruns:0
> > frame:0
> >           TX packets:394 errors:0 dropped:0 overruns:0
> > carrier:0
> >           collisions:0 txqueuelen:1000
> >           RX bytes:218 (218.0 b)  TX bytes:24983 (24.3
> > Kb)
> >           Interrupt:11 Base address:0x6800
> >
> > eth1      Link encap:Ethernet  HWaddr
> > 00:02:2D:3B:1D:96
> >           inet addr:143.233.222.77
> > Bcast:255.255.255.255  Mask:255.255.255.192
> >           inet6 addr: fe80::202:2dff:fe3b:1d96/64
> > Scope:Link
> >           UP BROADCAST NOTRAILERS RUNNING MULTICAST
> > MTU:1500  Metric:1
> >           RX packets:293209 errors:0 dropped:0
> > overruns:0 frame:0
> >           TX packets:74 errors:0 dropped:0 overruns:0
> > carrier:0
> >           collisions:0 txqueuelen:1000
> >           RX bytes:364527709 (347.6 Mb)  TX
> > bytes:19400 (18.9 Kb)
> >           Interrupt:3 Base address:0x100
> >
> > lo        Link encap:Local Loopback
> >           inet addr:127.0.0.1  Mask:255.0.0.0
> >           inet6 addr: ::1/128 Scope:Host
> >           UP LOOPBACK RUNNING  MTU:16436  Metric:1
> >           RX packets:54 errors:0 dropped:0 overruns:0
> > frame:0
> >           TX packets:54 errors:0 dropped:0 overruns:0
> > carrier:0
> >           collisions:0 txqueuelen:0
> >           RX bytes:3528 (3.4 Kb)  TX bytes:3528 (3.4
> > Kb)
> >
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags
> > Metric Ref    Use Iface
> > 143.233.222.64  0.0.0.0         255.255.255.192 U
> > 0      0        0 eth1
> > 10.0.0.0        0.0.0.0         255.0.0.0       U
> > 0      0        0 eth0
> > 127.0.0.0       0.0.0.0         255.0.0.0       U
> > 0      0        0 lo
> >
> >
> >
> > --- Edmundo Carmona <eantoranz@gmail.com> wrote:
> >
> > > Remove the UDP/port from the rule, that will allow
> > > you to PING the
> > > box, and the inner box should respond.
> > >
> > > Anyway, let's go to the basics... what is the output
> > > of
> > >
> > > ifconfig
> > > route -n
> > >
> > > ??
> > >
> > > On 9/27/05, Alaios <alaios@yahoo.com> wrote:
> > > > I have done absolutely what u have said.. I have
> > > > rechecked the source port and destination and are
> > > the
> > > > same.... The programme is a packet generator that
> > > > creates bulk data. We use it to test oure
> > > network....
> > > > I have applied your commands but with a little
> > > changes
> > > > iptables -nat -A PREROUTING -i eth1 -d
> > > 143.233.222.77
> > > > -p udp --destination-port 22453 -j DNAT
> > > > --to-destination 10.2.4.1:22453
> > > > My problem is that still i cant see any packages
> > > in
> > > > the eth0 interface.. What know what else should i
> > > do
> > > > now
> > > >
> > > > --- "John A. Sullivan III"
> > > > <jsullivan@opensourcedevel.com> wrote:
> > > >
> > > > > It sounds like you really need to learn the
> > > basics.
> > > > > I would suggest you
> > > > > go through the links I mentioned below.  What
> > > > > exactly do you want to do?
> > > > >
> > > > > It sounds like you want traffic coming in from
> > > > > 143.233.222.253 on tcp
> > > > > destination port 22453 (are you sure this is the
> > > > > destination port and
> > > > > not the source port?????) on the laptop
> > > interface
> > > > > eth1 with IP address
> > > > > 143.233.222.77 to be sent to 10.2.4.1 on the
> > > eth0
> > > > > interface.  I am
> > > > > assuming that 143.233.222.77 and 143.233.222.253
> > > are
> > > > > on the same
> > > > > network, i.e., the subnet mask is 255.255.255.0
> > > or
> > > > > less.  I also
> > > > > assuming that you have enabled forwarding as you
> > > > > said you did.
> > > > >
> > > > > Then you would do something like:
> > > > >
> > > > > iptables -F
> > > > > iptables -t nat -F
> > > > > iptables -P FORWARD DROP
> > > > > iptables -t nat -P ACCEPT
> > > > > iptables -t nat -A PREROUTING -i eth1 -d
> > > > > 143.233.222.77 --dport 22453 -j
> > > > > DNAT --to-destination 10.2.4.1:22453
> > > > > iptables -A FORWARD -m state --state
> > > > > ESTABLISHED,RELATED -j ACCEPT
> > > > > iptables -A FORWARD -s 143.233.222.253 -d
> > > 10.2.4.1
> > > > > -p 6 --dport 22453 -j
> > > > > ACCEPT
> > > > >
> > > > > I have a sneaking suspicion that 22453 is not
> > > the
> > > > > destination port.
> > > > > What service is 10.2.4.1 providing to
> > > > > 143.233.222.253?
> > > > >
> > > > > I'm afraid I'm running out of time today.  I
> > > > > probably cannot help much
> > > > > more.  I'm sure someone else can jump in.  Take
> > > care
> > > > > - John
> > > > >
> > > > > On Tue, 2005-09-27 at 08:40 -0700, Alaios wrote:
> > > > > > My complete rule set??? Hm... there is nothing
> > > > > like
> > > > > > that... I work to a solution for 4-5 hours and
> > > > > still
> > > > > > havent finded any iptable rule to work.. in my
> > > pc
> > > > > i
> > > > > > dont have any ip rules loaded at all nor a
> > > > > firewall
> > > > > > applied.. I just want to do only this to
> > > work.. Do
> > > > > u
> > > > > > have anything else in mind plz?
> > > > > >
> > > > > > --- "John A. Sullivan III"
> > > > > > <jsullivan@opensourcedevel.com> wrote:
> > > > > >
> > > > > > > I made some assumptions about other rules
> > > you
> > > > > would
> > > > > > > have had in place.
> > > > > > > I believe someone else posted a much more
> > > > > thorough
> > > > > > > answer.  Did you
> > > > > > > create an ESTABLISHED,RELATED rule as that
> > > other
> > > > > > > post suggested?
> > > > > > >
> > > > > > > Would you mind posting your complete rule
> > > set
> > > > > (with
> > > > > > > any sensitive
> > > > > > > information edited, of course)? - John
> > > > > > >
> > > > > > > On Tue, 2005-09-27 at 08:30 -0700, Alaios
> > > wrote:
> > > > > > > > Thx for your quick reply..... i have just
> > > > > tested
> > > > > > > but
> > > > > > > > it didnt work... I think that i cant
> > > explain
> > > > > what
> > > > > > > i
> > > > > > > > need or i am doing sth wrong..
> > > > > > > > i have enabled the packets loging
> > > > > > > > so executing dmesg prints the following
> > > > > > > > IN=eth1 OUT= MAC=(the mac addresses)
> > > > > > > > As u can see the OUT is null which means
> > > thats
> > > > > > > perhaps
> > > > > > > > the problem... What do u have in mind?
> > > > > > > >
> > > > > > > > --- "John A. Sullivan III"
> > > > > > > > <jsullivan@opensourcedevel.com> wrote:
> > > > > > > >
> > > > > > > > > On Tue, 2005-09-27 at 11:14 -0400, John
> > > A.
> > > > > > > Sullivan
> > > > > > > > > III wrote:
> > > > > > > > > > On Tue, 2005-09-27 at 07:57 -0700,
> > > Alaios
> > > > > > > wrote:
> > > > > > > > > > > Hi plz take a look at the following
> > > > > example
> > > > > > > > > > >
> > > > > > > > > > > The laptop has 2 ethernet interfaces
> > > > > > > > > > > To eth1 comes traffic from src
> > > > > > > 143.233.222.253
> > > > > > > > > > > The eth0 has ip address 10.2.4.2 and
> > > it
> > > > > is
> > > > > > > > > connected
> > > > > > > > > > > back to back with eth1 of other pc
> > > with
> > > > > ip
> > > > > > > > > address
> > > > > > > > > > > 10.2.4.1
> > > > > > > > > > > I want to forward the traffic with
> > > src
> > > > > > > > > 143.233.222.253
> > > > > > > > > > > to the 10.2.4.1 pc and if it works i
> > > > > will
> > > > > > > redo
> > > > > > > > > this
> > > > > > > > > > > for a second pc so as to l send the
> > > > > traffic
> > > > > > > to a
> > > > > > > > > third
> > > > > > > > > > > on.
> > > > > > > > > > > Can u help me plz?
> > > > > > > > > > >
> > > > > > > > > > > I have tried this one
> > > > > > > > > > > iptables -t nat -A PREROUTING -i
> > > eth1 -s
> > > > > > > > > > > 143.233.222.253 -j DNAT
> > > --to-destination
> > > > > > > > > 10.2.4.1
> > > > > > > > > > > i have also set the
> > > > > > > > > > > /proc/sys/net/ipv4/ip_forward to 1
> > > > > > > > > > > but still i cant see any trafiic to
> > > eth0
> > > > > > > > > interface (ip
> > > > > > > > > > > 10.2.4.2)
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > I have also tested this one
> > > > > > > > > > > iptables -t nat -A PREROUTING -p tcp
> > > -d
> > > > > > > > > 143.233.222.77
> > > > > > > > > > > (laptop eth1 card) --dport 22453 (i
> > > have
> > > > > > > cheched
> > > > > > > > > dst
> > > > > > > > > > > port with tcpdump) 00 -j DNAT
> > > > > > > --to-destination
> > > > > > > > > > > 10.2.4.1
> > > > > > > > > > > this still doesnt work
> > > > > > > > > > > Every time i try to apply a new rule
> > > i
> > > > > use
> > > > > > > first
> > > > > > > > > > > the iptables -F
> > > > > > > > > > > iptables -t nat -F command
> > > > > > > > > > <snip>
> > > > > > > > > >
> > > > > > > > > > I'm a little confused about what you
> > > are
> > > > > > > doing.  I
> > > > > > > > > would normally refer
> > > > > > > > > > you to Oskar Andreasson's excellent
> > > > > tutorial
> > > > > > > at
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> > http://iptables-tutorial.frozentux.net/iptables-tutorial.html
> > > > > > > > > or the
> > > > > > > > > > training slides on the ISCS web site
> > > > > > > > > (http://iscs.sourceforge.net) but,
> > > > > > > > > > since it appears that you have an
> > > > > emergency,
> > > > > > > here
> > > > > > > > > goes:
> > > > > > > > > >
> > > > > > > > > > First, if the source is
> > > 143.233.222.253,
> > > > > you
> > > > > > > would
> > > > > > > > > not want to DNAT it.
> > > > > > > > > > DNAT changes the destination.  Thus,
> > > your
> > > > > > > second
> > > > > > > > > attempt is the correct
> > > > > > > > > > one.  You might want to lock the
> > > > > destination
> > > > > > > port
> > > > > > > > > - it's not likely to
> > > > > > > > > > be a problem but, if it ever is, it
> > > will
> > > > > be
> > > > > > > one of
> > > > > > > > > those really hard to
> > > > > > > > > > diagnose, sporadic problems:
> > > > > > > > > > -j DNAT --to-destination
> > > 10.2.4.1:22453
> > > > > > > > > >
> > > > > > > > > > Second, this only takes care of the
> > > > > > > addressing.
> > > > > > > > > You must still allow
> > > > > > > > > > the traffic in the FORWARD chain of
> > > the
> > > > > filter
> > > > > > > > > table, e.g.,
> > > > > > > > > >
> > > > > > > > > > iptables -A FORWARD -d 10.2.4.1 -p 6
> > > > > --dport
> > > > > > > 22453
> > > > > > > > > -j ACCEPT
> > > > > > > > > >
> > > > > > > > > > Hope this helps - John
> > > > > > > > >
> > > > > > > > > Oh, yes, you wanted to restrict the
> > > source
> > > > > > > address.
> > > > > > > > > Add that to your
> > > > > > > > > filter table rule:
> > > > > > > > > iptables -A FORWARD -s 143.233.222.253
> > > -d
> > > > > > > 10.2.4.1
> > > > > > > > > -p 6 --dport 22453 -j
> > > > > > > > > ACCEPT
> > > > > > > > > --
> > > > > > > > > John A. Sullivan III
> > > > > > > > > Open Source Development Corporation
> > > > > > > > > +1 207-985-7880
> > > > > > > > > jsullivan@opensourcedevel.com
> > > > > > > > >
> > > > > > > > > If you would like to participate in the
> > > > > > > development
> > > > > > > > > of an open source
> > > > > > > > > enterprise class network security
> > > management
> > > > > > > system,
> > > > > > > > > please visit
> > > > > > > > > http://iscs.sourceforge.net
> > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > >
> > > __________________________________________________
> > > > > > > > Do You Yahoo!?
> > > > > > > > Tired of spam?  Yahoo! Mail has the best
> > > spam
> > > > > > > protection around
> > > > > > > > http://mail.yahoo.com
> > > > > > > --
> > > > > > > John A. Sullivan III
> > > > > > > Open Source Development Corporation
> > > > > > > +1 207-985-7880
> > > > > > > jsullivan@opensourcedevel.com
> > > > > > >
> > > > > > > Financially sustainable open source
> > > development
> > > > > > > http://www.opensourcedevel.com
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > __________________________________________________
> > > > > > Do You Yahoo!?
> > > > > > Tired of spam?  Yahoo! Mail has the best spam
> > > > > protection around
> > > > > > http://mail.yahoo.com
> > > > > --
> > > > > John A. Sullivan III
> > > > > Open Source Development Corporation
> > > > > +1 207-985-7880
> > > > > jsullivan@opensourcedevel.com
> > > > >
> > > > > Financially sustainable open source development
> > > > > http://www.opensourcedevel.com
> > > > >
> > > > >
> > > >
> > > >
> > > >
> > > >
> > > > __________________________________
> > > > Yahoo! Mail - PC Magazine Editors' Choice 2005
> > > > http://mail.yahoo.com
> > > >
> > > >
> > >
> > >
> >
> >
> >
> >
> > __________________________________
> > Yahoo! Mail - PC Magazine Editors' Choice 2005
> > http://mail.yahoo.com
> >
> --
> John A. Sullivan III
> Open Source Development Corporation
> +1 207-985-7880
> jsullivan@opensourcedevel.com
>
> Financially sustainable open source development
> http://www.opensourcedevel.com
>
>

Re: Plz i need help.... or i ll be fired :(

[John A. Sullivan III]

It won't respond if eth1 doesn't know how to get to ahost.  It looks
like the subnet mask on eth1 is 255.255.255.192.  That means it know
about addresses .64 to .127.  Unless it has a default gateway which
knows how to get to .253, it will drop the packet because of a routing
issue and not a netfilter issue - John

On Tue, 2005-09-27 at 13:08 -0400, Edmundo Carmona wrote:
> Let's retry.
> 
> ahost: 143.233.222.253  | eth1:143.233.222.77 box1 eth0:10.2.4.1 |
> eth0:10.2.4.2 box2
> 
> Is that correct? You want the traffic from ahost to reach box2, right?
> 
> Please.... (I beg you :'() try this on box1 (don't change it... it's
> just a test):
> 
> iptables -t nat -F
> iptables -F
> 
> iptables -P FORWARD ACCEPT
> 
> iptables -t nat -A PREROUTING -s 143.233.222.253 -j DNAT
> --to-destination 10.2.4.2
> 
> echo 1 > /blah/blah
> 
> Then ping box1 from ahost. It should respond.... but it should have
> been box2 the one that responded (as a matter of fact).
> 
> Am I correct?
> 
> On 9/27/05, Edmundo Carmona <eantoranz@gmail.com> wrote:
> > Look at the IP of eth0. its 10.2.4.1, and you said it was 10.2.4.2 and
> > wanted to forward it to another host with ip 10.2.4.1 (according to
> > your very first mail).
> >
> > On 9/27/05, Alaios <alaios@yahoo.com> wrote:
> > > eth0      Link encap:Ethernet  HWaddr
> > > 00:02:3F:6D:70:3E
> > >           inet addr:10.2.4.1  Bcast:10.255.255.255
> > > Mask:255.0.0.0
> > >           inet6 addr: fe80::202:3fff:fe6d:703e/64
> > > Scope:Link
> > >           UP BROADCAST RUNNING MULTICAST  MTU:1500
> > > Metric:1
> > >           RX packets:3 errors:0 dropped:0 overruns:0
> > > frame:0
> > >           TX packets:394 errors:0 dropped:0 overruns:0
> > > carrier:0
> > >           collisions:0 txqueuelen:1000
> > >           RX bytes:218 (218.0 b)  TX bytes:24983 (24.3
> > > Kb)
> > >           Interrupt:11 Base address:0x6800
> > >
> > > eth1      Link encap:Ethernet  HWaddr
> > > 00:02:2D:3B:1D:96
> > >           inet addr:143.233.222.77
> > > Bcast:255.255.255.255  Mask:255.255.255.192
> > >           inet6 addr: fe80::202:2dff:fe3b:1d96/64
> > > Scope:Link
> > >           UP BROADCAST NOTRAILERS RUNNING MULTICAST
> > > MTU:1500  Metric:1
> > >           RX packets:293209 errors:0 dropped:0
> > > overruns:0 frame:0
> > >           TX packets:74 errors:0 dropped:0 overruns:0
> > > carrier:0
> > >           collisions:0 txqueuelen:1000
> > >           RX bytes:364527709 (347.6 Mb)  TX
> > > bytes:19400 (18.9 Kb)
> > >           Interrupt:3 Base address:0x100
> > >
> > > lo        Link encap:Local Loopback
> > >           inet addr:127.0.0.1  Mask:255.0.0.0
> > >           inet6 addr: ::1/128 Scope:Host
> > >           UP LOOPBACK RUNNING  MTU:16436  Metric:1
> > >           RX packets:54 errors:0 dropped:0 overruns:0
> > > frame:0
> > >           TX packets:54 errors:0 dropped:0 overruns:0
> > > carrier:0
> > >           collisions:0 txqueuelen:0
> > >           RX bytes:3528 (3.4 Kb)  TX bytes:3528 (3.4
> > > Kb)
> > >
> > > Kernel IP routing table
> > > Destination     Gateway         Genmask         Flags
> > > Metric Ref    Use Iface
> > > 143.233.222.64  0.0.0.0         255.255.255.192 U
> > > 0      0        0 eth1
> > > 10.0.0.0        0.0.0.0         255.0.0.0       U
> > > 0      0        0 eth0
> > > 127.0.0.0       0.0.0.0         255.0.0.0       U
> > > 0      0        0 lo
> > >
> > >
> > >
> > > --- Edmundo Carmona <eantoranz@gmail.com> wrote:
> > >
> > > > Remove the UDP/port from the rule, that will allow
> > > > you to PING the
> > > > box, and the inner box should respond.
> > > >
> > > > Anyway, let's go to the basics... what is the output
> > > > of
> > > >
> > > > ifconfig
> > > > route -n
> > > >
> > > > ??
> > > >
> > > > On 9/27/05, Alaios <alaios@yahoo.com> wrote:
> > > > > I have done absolutely what u have said.. I have
> > > > > rechecked the source port and destination and are
> > > > the
> > > > > same.... The programme is a packet generator that
> > > > > creates bulk data. We use it to test oure
> > > > network....
> > > > > I have applied your commands but with a little
> > > > changes
> > > > > iptables -nat -A PREROUTING -i eth1 -d
> > > > 143.233.222.77
> > > > > -p udp --destination-port 22453 -j DNAT
> > > > > --to-destination 10.2.4.1:22453
> > > > > My problem is that still i cant see any packages
> > > > in
> > > > > the eth0 interface.. What know what else should i
> > > > do
> > > > > now
> > > > >
> > > > > --- "John A. Sullivan III"
> > > > > <jsullivan@opensourcedevel.com> wrote:
> > > > >
> > > > > > It sounds like you really need to learn the
> > > > basics.
> > > > > > I would suggest you
> > > > > > go through the links I mentioned below.  What
> > > > > > exactly do you want to do?
> > > > > >
> > > > > > It sounds like you want traffic coming in from
> > > > > > 143.233.222.253 on tcp
> > > > > > destination port 22453 (are you sure this is the
> > > > > > destination port and
> > > > > > not the source port?????) on the laptop
> > > > interface
> > > > > > eth1 with IP address
> > > > > > 143.233.222.77 to be sent to 10.2.4.1 on the
> > > > eth0
> > > > > > interface.  I am
> > > > > > assuming that 143.233.222.77 and 143.233.222.253
> > > > are
> > > > > > on the same
> > > > > > network, i.e., the subnet mask is 255.255.255.0
> > > > or
> > > > > > less.  I also
> > > > > > assuming that you have enabled forwarding as you
> > > > > > said you did.
> > > > > >
> > > > > > Then you would do something like:
> > > > > >
> > > > > > iptables -F
> > > > > > iptables -t nat -F
> > > > > > iptables -P FORWARD DROP
> > > > > > iptables -t nat -P ACCEPT
> > > > > > iptables -t nat -A PREROUTING -i eth1 -d
> > > > > > 143.233.222.77 --dport 22453 -j
> > > > > > DNAT --to-destination 10.2.4.1:22453
> > > > > > iptables -A FORWARD -m state --state
> > > > > > ESTABLISHED,RELATED -j ACCEPT
> > > > > > iptables -A FORWARD -s 143.233.222.253 -d
> > > > 10.2.4.1
> > > > > > -p 6 --dport 22453 -j
> > > > > > ACCEPT
> > > > > >
> > > > > > I have a sneaking suspicion that 22453 is not
> > > > the
> > > > > > destination port.
> > > > > > What service is 10.2.4.1 providing to
> > > > > > 143.233.222.253?
> > > > > >
> > > > > > I'm afraid I'm running out of time today.  I
> > > > > > probably cannot help much
> > > > > > more.  I'm sure someone else can jump in.  Take
> > > > care
> > > > > > - John
> > > > > >
> > > > > > On Tue, 2005-09-27 at 08:40 -0700, Alaios wrote:
> > > > > > > My complete rule set??? Hm... there is nothing
> > > > > > like
> > > > > > > that... I work to a solution for 4-5 hours and
> > > > > > still
> > > > > > > havent finded any iptable rule to work.. in my
> > > > pc
> > > > > > i
> > > > > > > dont have any ip rules loaded at all nor a
> > > > > > firewall
> > > > > > > applied.. I just want to do only this to
> > > > work.. Do
> > > > > > u
> > > > > > > have anything else in mind plz?
> > > > > > >
> > > > > > > --- "John A. Sullivan III"
> > > > > > > <jsullivan@opensourcedevel.com> wrote:
> > > > > > >
> > > > > > > > I made some assumptions about other rules
> > > > you
> > > > > > would
> > > > > > > > have had in place.
> > > > > > > > I believe someone else posted a much more
> > > > > > thorough
> > > > > > > > answer.  Did you
> > > > > > > > create an ESTABLISHED,RELATED rule as that
> > > > other
> > > > > > > > post suggested?
> > > > > > > >
> > > > > > > > Would you mind posting your complete rule
> > > > set
> > > > > > (with
> > > > > > > > any sensitive
> > > > > > > > information edited, of course)? - John
> > > > > > > >
> > > > > > > > On Tue, 2005-09-27 at 08:30 -0700, Alaios
> > > > wrote:
> > > > > > > > > Thx for your quick reply..... i have just
> > > > > > tested
> > > > > > > > but
> > > > > > > > > it didnt work... I think that i cant
> > > > explain
> > > > > > what
> > > > > > > > i
> > > > > > > > > need or i am doing sth wrong..
> > > > > > > > > i have enabled the packets loging
> > > > > > > > > so executing dmesg prints the following
> > > > > > > > > IN=eth1 OUT= MAC=(the mac addresses)
> > > > > > > > > As u can see the OUT is null which means
> > > > thats
> > > > > > > > perhaps
> > > > > > > > > the problem... What do u have in mind?
> > > > > > > > >
> > > > > > > > > --- "John A. Sullivan III"
> > > > > > > > > <jsullivan@opensourcedevel.com> wrote:
> > > > > > > > >
> > > > > > > > > > On Tue, 2005-09-27 at 11:14 -0400, John
> > > > A.
> > > > > > > > Sullivan
> > > > > > > > > > III wrote:
> > > > > > > > > > > On Tue, 2005-09-27 at 07:57 -0700,
> > > > Alaios
> > > > > > > > wrote:
> > > > > > > > > > > > Hi plz take a look at the following
> > > > > > example
> > > > > > > > > > > >
> > > > > > > > > > > > The laptop has 2 ethernet interfaces
> > > > > > > > > > > > To eth1 comes traffic from src
> > > > > > > > 143.233.222.253
> > > > > > > > > > > > The eth0 has ip address 10.2.4.2 and
> > > > it
> > > > > > is
> > > > > > > > > > connected
> > > > > > > > > > > > back to back with eth1 of other pc
> > > > with
> > > > > > ip
> > > > > > > > > > address
> > > > > > > > > > > > 10.2.4.1
> > > > > > > > > > > > I want to forward the traffic with
> > > > src
> > > > > > > > > > 143.233.222.253
> > > > > > > > > > > > to the 10.2.4.1 pc and if it works i
> > > > > > will
> > > > > > > > redo
> > > > > > > > > > this
> > > > > > > > > > > > for a second pc so as to l send the
> > > > > > traffic
> > > > > > > > to a
> > > > > > > > > > third
> > > > > > > > > > > > on.
> > > > > > > > > > > > Can u help me plz?
> > > > > > > > > > > >
> > > > > > > > > > > > I have tried this one
> > > > > > > > > > > > iptables -t nat -A PREROUTING -i
> > > > eth1 -s
> > > > > > > > > > > > 143.233.222.253 -j DNAT
> > > > --to-destination
> > > > > > > > > > 10.2.4.1
> > > > > > > > > > > > i have also set the
> > > > > > > > > > > > /proc/sys/net/ipv4/ip_forward to 1
> > > > > > > > > > > > but still i cant see any trafiic to
> > > > eth0
> > > > > > > > > > interface (ip
> > > > > > > > > > > > 10.2.4.2)
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > I have also tested this one
> > > > > > > > > > > > iptables -t nat -A PREROUTING -p tcp
> > > > -d
> > > > > > > > > > 143.233.222.77
> > > > > > > > > > > > (laptop eth1 card) --dport 22453 (i
> > > > have
> > > > > > > > cheched
> > > > > > > > > > dst
> > > > > > > > > > > > port with tcpdump) 00 -j DNAT
> > > > > > > > --to-destination
> > > > > > > > > > > > 10.2.4.1
> > > > > > > > > > > > this still doesnt work
> > > > > > > > > > > > Every time i try to apply a new rule
> > > > i
> > > > > > use
> > > > > > > > first
> > > > > > > > > > > > the iptables -F
> > > > > > > > > > > > iptables -t nat -F command
> > > > > > > > > > > <snip>
> > > > > > > > > > >
> > > > > > > > > > > I'm a little confused about what you
> > > > are
> > > > > > > > doing.  I
> > > > > > > > > > would normally refer
> > > > > > > > > > > you to Oskar Andreasson's excellent
> > > > > > tutorial
> > > > > > > > at
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > > http://iptables-tutorial.frozentux.net/iptables-tutorial.html
> > > > > > > > > > or the
> > > > > > > > > > > training slides on the ISCS web site
> > > > > > > > > > (http://iscs.sourceforge.net) but,
> > > > > > > > > > > since it appears that you have an
> > > > > > emergency,
> > > > > > > > here
> > > > > > > > > > goes:
> > > > > > > > > > >
> > > > > > > > > > > First, if the source is
> > > > 143.233.222.253,
> > > > > > you
> > > > > > > > would
> > > > > > > > > > not want to DNAT it.
> > > > > > > > > > > DNAT changes the destination.  Thus,
> > > > your
> > > > > > > > second
> > > > > > > > > > attempt is the correct
> > > > > > > > > > > one.  You might want to lock the
> > > > > > destination
> > > > > > > > port
> > > > > > > > > > - it's not likely to
> > > > > > > > > > > be a problem but, if it ever is, it
> > > > will
> > > > > > be
> > > > > > > > one of
> > > > > > > > > > those really hard to
> > > > > > > > > > > diagnose, sporadic problems:
> > > > > > > > > > > -j DNAT --to-destination
> > > > 10.2.4.1:22453
> > > > > > > > > > >
> > > > > > > > > > > Second, this only takes care of the
> > > > > > > > addressing.
> > > > > > > > > > You must still allow
> > > > > > > > > > > the traffic in the FORWARD chain of
> > > > the
> > > > > > filter
> > > > > > > > > > table, e.g.,
> > > > > > > > > > >
> > > > > > > > > > > iptables -A FORWARD -d 10.2.4.1 -p 6
> > > > > > --dport
> > > > > > > > 22453
> > > > > > > > > > -j ACCEPT
> > > > > > > > > > >
> > > > > > > > > > > Hope this helps - John
> > > > > > > > > >
> > > > > > > > > > Oh, yes, you wanted to restrict the
> > > > source
> > > > > > > > address.
> > > > > > > > > > Add that to your
> > > > > > > > > > filter table rule:
> > > > > > > > > > iptables -A FORWARD -s 143.233.222.253
> > > > -d
> > > > > > > > 10.2.4.1
> > > > > > > > > > -p 6 --dport 22453 -j
> > > > > > > > > > ACCEPT
> > > > > > > > > > --
> > > > > > > > > > John A. Sullivan III
> > > > > > > > > > Open Source Development Corporation
> > > > > > > > > > +1 207-985-7880
> > > > > > > > > > jsullivan@opensourcedevel.com
> > > > > > > > > >
> > > > > > > > > > If you would like to participate in the
> > > > > > > > development
> > > > > > > > > > of an open source
> > > > > > > > > > enterprise class network security
> > > > management
> > > > > > > > system,
> > > > > > > > > > please visit
> > > > > > > > > > http://iscs.sourceforge.net
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > >
> > > > __________________________________________________
> > > > > > > > > Do You Yahoo!?
> > > > > > > > > Tired of spam?  Yahoo! Mail has the best
> > > > spam
> > > > > > > > protection around
> > > > > > > > > http://mail.yahoo.com
> > > > > > > > --
> > > > > > > > John A. Sullivan III
> > > > > > > > Open Source Development Corporation
> > > > > > > > +1 207-985-7880
> > > > > > > > jsullivan@opensourcedevel.com
> > > > > > > >
> > > > > > > > Financially sustainable open source
> > > > development
> > > > > > > > http://www.opensourcedevel.com
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > __________________________________________________
> > > > > > > Do You Yahoo!?
> > > > > > > Tired of spam?  Yahoo! Mail has the best spam
> > > > > > protection around
> > > > > > > http://mail.yahoo.com
> > > > > > --
> > > > > > John A. Sullivan III
> > > > > > Open Source Development Corporation
> > > > > > +1 207-985-7880
> > > > > > jsullivan@opensourcedevel.com
> > > > > >
> > > > > > Financially sustainable open source development
> > > > > > http://www.opensourcedevel.com
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > __________________________________
> > > > > Yahoo! Mail - PC Magazine Editors' Choice 2005
> > > > > http://mail.yahoo.com
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> > >
> > >
> > > __________________________________
> > > Yahoo! Mail - PC Magazine Editors' Choice 2005
> > > http://mail.yahoo.com
> > >
> >
> 
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com

Re: Plz i need help.... or i ll be fired :(

[Alaios]

Its not on a different network.. eth1 is directly connected with this network

"John A. Sullivan III" <jsullivan@opensourcedevel.com> wrote:
What is the default gateway for the laptop? How does it get to
143.233.222.253 since that is on a different network? - John

On Tue, 2005-09-27 at 09:52 -0700, Alaios wrote:
> eth0 Link encap:Ethernet HWaddr
> 00:02:3F:6D:70:3E 
> inet addr:10.2.4.1 Bcast:10.255.255.255 
> Mask:255.0.0.0
> inet6 addr: fe80::202:3fff:fe6d:703e/64
> Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 
> Metric:1
> RX packets:3 errors:0 dropped:0 overruns:0
> frame:0
> TX packets:394 errors:0 dropped:0 overruns:0
> carrier:0
> collisions:0 txqueuelen:1000 
> RX bytes:218 (218.0 b) TX bytes:24983 (24.3
> Kb)
> Interrupt:11 Base address:0x6800 
> 
> eth1 Link encap:Ethernet HWaddr
> 00:02:2D:3B:1D:96 
> inet addr:143.233.222.77 
> Bcast:255.255.255.255 Mask:255.255.255.192
> inet6 addr: fe80::202:2dff:fe3b:1d96/64
> Scope:Link
> UP BROADCAST NOTRAILERS RUNNING MULTICAST 
> MTU:1500 Metric:1
> RX packets:293209 errors:0 dropped:0
> overruns:0 frame:0
> TX packets:74 errors:0 dropped:0 overruns:0
> carrier:0
> collisions:0 txqueuelen:1000 
> RX bytes:364527709 (347.6 Mb) TX
> bytes:19400 (18.9 Kb)
> Interrupt:3 Base address:0x100 
> 
> lo Link encap:Local Loopback 
> inet addr:127.0.0.1 Mask:255.0.0.0
> inet6 addr: ::1/128 Scope:Host
> UP LOOPBACK RUNNING MTU:16436 Metric:1
> RX packets:54 errors:0 dropped:0 overruns:0
> frame:0
> TX packets:54 errors:0 dropped:0 overruns:0
> carrier:0
> collisions:0 txqueuelen:0 
> RX bytes:3528 (3.4 Kb) TX bytes:3528 (3.4
> Kb)
> 
> Kernel IP routing table
> Destination Gateway Genmask Flags
> Metric Ref Use Iface
> 143.233.222.64 0.0.0.0 255.255.255.192 U 
> 0 0 0 eth1
> 10.0.0.0 0.0.0.0 255.0.0.0 U 
> 0 0 0 eth0
> 127.0.0.0 0.0.0.0 255.0.0.0 U 
> 0 0 0 lo
> 
> 
> 
> --- Edmundo Carmona wrote:
> 
> > Remove the UDP/port from the rule, that will allow
> > you to PING the
> > box, and the inner box should respond.
> > 
> > Anyway, let's go to the basics... what is the output
> > of
> > 
> > ifconfig
> > route -n
> > 
> > ??
> > 
> > On 9/27/05, Alaios wrote:
> > > I have done absolutely what u have said.. I have
> > > rechecked the source port and destination and are
> > the
> > > same.... The programme is a packet generator that
> > > creates bulk data. We use it to test oure
> > network....
> > > I have applied your commands but with a little
> > changes
> > > iptables -nat -A PREROUTING -i eth1 -d
> > 143.233.222.77
> > > -p udp --destination-port 22453 -j DNAT
> > > --to-destination 10.2.4.1:22453
> > > My problem is that still i cant see any packages
> > in
> > > the eth0 interface.. What know what else should i
> > do
> > > now
> > >
> > > --- "John A. Sullivan III"
> > > wrote:
> > >
> > > > It sounds like you really need to learn the
> > basics.
> > > > I would suggest you
> > > > go through the links I mentioned below. What
> > > > exactly do you want to do?
> > > >
> > > > It sounds like you want traffic coming in from
> > > > 143.233.222.253 on tcp
> > > > destination port 22453 (are you sure this is the
> > > > destination port and
> > > > not the source port?????) on the laptop
> > interface
> > > > eth1 with IP address
> > > > 143.233.222.77 to be sent to 10.2.4.1 on the
> > eth0
> > > > interface. I am
> > > > assuming that 143.233.222.77 and 143.233.222.253
> > are
> > > > on the same
> > > > network, i.e., the subnet mask is 255.255.255.0
> > or
> > > > less. I also
> > > > assuming that you have enabled forwarding as you
> > > > said you did.
> > > >
> > > > Then you would do something like:
> > > >
> > > > iptables -F
> > > > iptables -t nat -F
> > > > iptables -P FORWARD DROP
> > > > iptables -t nat -P ACCEPT
> > > > iptables -t nat -A PREROUTING -i eth1 -d
> > > > 143.233.222.77 --dport 22453 -j
> > > > DNAT --to-destination 10.2.4.1:22453
> > > > iptables -A FORWARD -m state --state
> > > > ESTABLISHED,RELATED -j ACCEPT
> > > > iptables -A FORWARD -s 143.233.222.253 -d
> > 10.2.4.1
> > > > -p 6 --dport 22453 -j
> > > > ACCEPT
> > > >
> > > > I have a sneaking suspicion that 22453 is not
> > the
> > > > destination port.
> > > > What service is 10.2.4.1 providing to
> > > > 143.233.222.253?
> > > >
> > > > I'm afraid I'm running out of time today. I
> > > > probably cannot help much
> > > > more. I'm sure someone else can jump in. Take
> > care
> > > > - John
> > > >
> > > > On Tue, 2005-09-27 at 08:40 -0700, Alaios wrote:
> > > > > My complete rule set??? Hm... there is nothing
> > > > like
> > > > > that... I work to a solution for 4-5 hours and
> > > > still
> > > > > havent finded any iptable rule to work.. in my
> > pc
> > > > i
> > > > > dont have any ip rules loaded at all nor a
> > > > firewall
> > > > > applied.. I just want to do only this to
> > work.. Do
> > > > u
> > > > > have anything else in mind plz?
> > > > >
> > > > > --- "John A. Sullivan III"
> > > > > wrote:
> > > > >
> > > > > > I made some assumptions about other rules
> > you
> > > > would
> > > > > > have had in place.
> > > > > > I believe someone else posted a much more
> > > > thorough
> > > > > > answer. Did you
> > > > > > create an ESTABLISHED,RELATED rule as that
> > other
> > > > > > post suggested?
> > > > > >
> > > > > > Would you mind posting your complete rule
> > set
> > > > (with
> > > > > > any sensitive
> > > > > > information edited, of course)? - John
> > > > > >
> > > > > > On Tue, 2005-09-27 at 08:30 -0700, Alaios
> > wrote:
> > > > > > > Thx for your quick reply..... i have just
> > > > tested
> > > > > > but
> > > > > > > it didnt work... I think that i cant
> > explain
> > > > what
> > > > > > i
> > > > > > > need or i am doing sth wrong..
> > > > > > > i have enabled the packets loging
> > > > > > > so executing dmesg prints the following
> > > > > > > IN=eth1 OUT= MAC=(the mac addresses)
> > > > > > > As u can see the OUT is null which means
> > thats
> > > > > > perhaps
> > > > > > > the problem... What do u have in mind?
> > > > > > >
> > > > > > > --- "John A. Sullivan III"
> > > > > > > wrote:
> > > > > > >
> > > > > > > > On Tue, 2005-09-27 at 11:14 -0400, John
> > A.
> > > > > > Sullivan
> > > > > > > > III wrote:
> > > > > > > > > On Tue, 2005-09-27 at 07:57 -0700,
> > Alaios
> > > > > > wrote:
> > > > > > > > > > Hi plz take a look at the following
> > > > example
> > > > > > > > > >
> > > > > > > > > > The laptop has 2 ethernet interfaces
> > > > > > > > > > To eth1 comes traffic from src
> > > > > > 143.233.222.253
> > > > > > > > > > The eth0 has ip address 10.2.4.2 and
> > it
> > > > is
> > > > > > > > connected
> > > > > > > > > > back to back with eth1 of other pc
> > with
> > > > ip
> > > > > > > > address
> > > > > > > > > > 10.2.4.1
> > > > > > > > > > I want to forward the traffic with
> > src
> > > > > > > > 143.233.222.253
> > > > > > > > > > to the 10.2.4.1 pc and if it works i
> > > > will
> > > > > > redo
> > > > > > > > this
> > > > > > > > > > for a second pc so as to l send the
> > > > traffic
> > > > > > to a
> > > > > > > > third
> > > > > > > > > > on.
> > > > > > > > > > Can u help me plz?
> > > > > > > > > >
> > > > > > > > > > I have tried this one
> > > > > > > > > > iptables -t nat -A PREROUTING -i
> > eth1 -s
> > > > > > > > > > 143.233.222.253 -j DNAT
> > --to-destination
> > > > > > > > 10.2.4.1
> > > > > > > > > > i have also set the
> > > > > > > > > > /proc/sys/net/ipv4/ip_forward to 1
> > > > > > > > > > but still i cant see any trafiic to
> > eth0
> > > > > > > > interface (ip
> > > > > > > > > > 10.2.4.2)
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > I have also tested this one
> > > > > > > > > > iptables -t nat -A PREROUTING -p tcp
> > -d
> > > > > > > > 143.233.222.77
> > > > > > > > > > (laptop eth1 card) --dport 22453 (i
> > have
> > > > > > cheched
> > > > > > > > dst
> > > > > > > > > > port with tcpdump) 00 -j DNAT
> > > > > > --to-destination
> > > > > > > > > > 10.2.4.1
> > > > > > > > > > this still doesnt work
> > > > > > > > > > Every time i try to apply a new rule
> > i
> > > > use
> > > > > > first
> > > > > > > > > > the iptables -F
> > > > > > > > > > iptables -t nat -F command
> > > > > > > > > 
> > > > > > > > >
> > > > > > > > > I'm a little confused about what you
> > are
> > > > > > doing. I
> > > > > > > > would normally refer
> > > > > > > > > you to Oskar Andreasson's excellent
> > > > tutorial
> > > > > > at
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html
> > > > > > > > or the
> > > > > > > > > training slides on the ISCS web site
> > > > > > > > (http://iscs.sourceforge.net) but,
> > > > > > > > > since it appears that you have an
> > > > emergency,
> > > > > > here
> > > > > > > > goes:
> > > > > > > > >
> > > > > > > > > First, if the source is
> > 143.233.222.253,
> > > > you
> > > > > > would
> > > > > > > > not want to DNAT it.
> > > > > > > > > DNAT changes the destination. Thus,
> > your
> > > > > > second
> > > > > > > > attempt is the correct
> > > > > > > > > one. You might want to lock the
> > > > destination
> > > > > > port
> > > > > > > > - it's not likely to
> > > > > > > > > be a problem but, if it ever is, it
> > will
> > > > be
> > > > > > one of
> > > > > > > > those really hard to
> > > > > > > > > diagnose, sporadic problems:
> > > > > > > > > -j DNAT --to-destination
> > 10.2.4.1:22453
> > > > > > > > >
> > > > > > > > > Second, this only takes care of the
> > > > > > addressing.
> > > > > > > > You must still allow
> > > > > > > > > the traffic in the FORWARD chain of
> > the
> > > > filter
> > > > > > > > table, e.g.,
> > > > > > > > >
> > > > > > > > > iptables -A FORWARD -d 10.2.4.1 -p 6
> > > > --dport
> > > > > > 22453
> > > > > > > > -j ACCEPT
> > > > > > > > >
> > > > > > > > > Hope this helps - John
> > > > > > > >
> > > > > > > > Oh, yes, you wanted to restrict the
> > source
> > > > > > address.
> > > > > > > > Add that to your
> > > > > > > > filter table rule:
> > > > > > > > iptables -A FORWARD -s 143.233.222.253
> > -d
> > > > > > 10.2.4.1
> > > > > > > > -p 6 --dport 22453 -j
> > > > > > > > ACCEPT
> > > > > > > > --
> > > > > > > > John A. Sullivan III
> > > > > > > > Open Source Development Corporation
> > > > > > > > +1 207-985-7880
> > > > > > > > jsullivan@opensourcedevel.com
> > > > > > > >
> > > > > > > > If you would like to participate in the
> > > > > > development
> > > > > > > > of an open source
> > > > > > > > enterprise class network security
> > management
> > > > > > system,
> > > > > > > > please visit
> > > > > > > > http://iscs.sourceforge.net
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > >
> > __________________________________________________
> > > > > > > Do You Yahoo!?
> > > > > > > Tired of spam? Yahoo! Mail has the best
> > spam
> > > > > > protection around
> > > > > > > http://mail.yahoo.com
> > > > > > --
> > > > > > John A. Sullivan III
> > > > > > Open Source Development Corporation
> > > > > > +1 207-985-7880
> > > > > > jsullivan@opensourcedevel.com
> > > > > >
> > > > > > Financially sustainable open source
> > development
> > > > > > http://www.opensourcedevel.com
> > > > > >
> > > > > >
> > > > >
> > > > >
> > __________________________________________________
> > > > > Do You Yahoo!?
> > > > > Tired of spam? Yahoo! Mail has the best spam
> > > > protection around
> > > > > http://mail.yahoo.com
> > > > --
> > > > John A. Sullivan III
> > > > Open Source Development Corporation
> > > > +1 207-985-7880
> > > > jsullivan@opensourcedevel.com
> > > >
> > > > Financially sustainable open source development
> > > > http://www.opensourcedevel.com
> > > >
> > > >
> > >
> > >
> > >
> > >
> > > __________________________________
> > > Yahoo! Mail - PC Magazine Editors' Choice 2005
> > > http://mail.yahoo.com
> > >
> > >
> > 
> > 
> 
> 
> 
> 
> __________________________________ 
> Yahoo! Mail - PC Magazine Editors' Choice 2005 
> http://mail.yahoo.com
> 
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com



__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

Re: Plz i need help.... or i ll be fired :(

[Edmundo Carmona]

Well... you either have them in teh same subnet.... or you put a
router between them... it really depends on your
resources/environment.

The problem right now is that the two boxes don't get to talk to each
other (cause they are in different subnets.

For example... change the IP of the one with ip 253 to 78 (not 278, but 078).

Then the two boxes will be able to "talk" and you will be able to test
the firewall.

On 9/27/05, Alaios <alaios@yahoo.com> wrote:
> what should i do then?
>
> Edmundo Carmona <eantoranz@gmail.com> wrote:
> It sure is a different network! You see? As I said... something simple
> was missing! (sorry to not have seen it before).
>
> Well done, John!
>
> On 9/27/05, John A. Sullivan III wrote:
> > What is the default gateway for the laptop? How does it get to
> > 143.233.222.253 since that is on a different network? - John
> >
> > On Tue, 2005-09-27 at 09:52 -0700, Alaios wrote:
> > > eth0 Link encap:Ethernet HWaddr
> > > 00:02:3F:6D:70:3E
> > > inet addr:10.2.4.1 Bcast:10.255.255.255
> > > Mask:255.0.0.0
> > > inet6 addr: fe80::202:3fff:fe6d:703e/64
> > > Scope:Link
> > > UP BROADCAST RUNNING MULTICAST MTU:1500
> > > Metric:1
> > > RX packets:3 errors:0 dropped:0 overruns:0
> > > frame:0
> > > TX packets:394 errors:0 dropped:0 overruns:0
> > > carrier:0
> > > collisions:0 txqueuelen:1000
> > > RX bytes:218 (218.0 b) TX bytes:24983 (24.3
> > > Kb)
> > > Interrupt:11 Base address:0x6800
> > >
> > > eth1 Link encap:Ethernet HWaddr
> > > 00:02:2D:3B:1D:96
> > > inet addr:143.233.222.77
> > > Bcast:255.255.255.255 Mask:255.255.255.192
> > > inet6 addr: fe80::202:2dff:fe3b:1d96/64
> > > Scope:Link
> > > UP BROADCAST NOTRAILERS RUNNING MULTICAST
> > > MTU:1500 Metric:1
> > > RX packets:293209 errors:0 dropped:0
> > > overruns:0 frame:0
> > > TX packets:74 errors:0 dropped:0 overruns:0
> > > carrier:0
> > > collisions:0 txqueuelen:1000
> > > RX bytes:364527709 (347.6 Mb) TX
> > > bytes:19400 (18.9 Kb)
> > > Interrupt:3 Base address:0x100
> > >
> > > lo Link encap:Local Loopback
> > > inet addr:127.0.0.1 Mask:255.0.0.0
> > > inet6 addr: ::1/128 Scope:Host
> > > UP LOOPBACK RUNNING MTU:16436 Metric:1
> > > RX packets:54 errors:0 dropped:0 overruns:0
> > > frame:0
> > > TX packets:54 errors:0 dropped:0 overruns:0
> > > carrier:0
> > > collisions:0 txqueuelen:0
> > > RX bytes:3528 (3.4 Kb) TX bytes:3528 (3.4
> > > Kb)
> > >
> > > Kernel IP routing table
> > > Destination Gateway Genmask Flags
> > > Metric Ref Use Iface
> > > 143.233.222.64 0.0.0.0 255.255.255.192 U
> > > 0 0 0 eth1
> > > 10.0.0.0 0.0.0.0 255.0.0.0 U
> > > 0 0 0 eth0
> > > 127.0.0.0 0.0.0.0 255.0.0.0 U
> > > 0 0 0 lo
> > >
> > >
> > >
> > > --- Edmundo Carmona wrote:
> > >
> > > > Remove the UDP/port from the rule, that will allow
> > > > you to PING the
> > > > box, and the inner box should respond.
> > > >
> > > > Anyway, let's go to the basics... what is the output
> > > > of
> > > >
> > > > ifconfig
> > > > route -n
> > > >
> > > > ??
> > > >
> > > > On 9/27/05, Alaios wrote:
> > > > > I have done absolutely what u have said.. I have
> > > > > rechecked the source port and destination and are
> > > > the
> > > > > same.... The programme is a packet generator that
> > > > > creates bulk data. We use it to test oure
> > > > network....
> > > > > I have applied your commands but with a little
> > > > changes
> > > > > iptables -nat -A PREROUTING -i eth1 -d
> > > > 143.233.222.77
> > > > > -p udp --destination-port 22453 -j DNAT
> > > > > --to-destination 10.2.4.1:22453
> > > > > My problem is that still i cant see any packages
> > > > in
> > > > > the eth0 interface.. What know what else should i
> > > > do
> > > > > now
> > > > >
> > > > > --- "John A. Sullivan III"
> > > > > wrote:
> > > > >
> > > > > > It sounds like you really need to learn the
> > > > basics.
> > > > > > I would suggest you
> > > > > > go through the links I mentioned below. What
> > > > > > exactly do you want to do?
> > > > > >
> > > > > > It sounds like you want traffic coming in from
> > > > > > 143.233.222.253 on tcp
> > > > > > destination port 22453 (are you sure this is the
> > > > > > destination port and
> > > > > > not the source port?????) on the laptop
> > > > interface
> > > > > > eth1 with IP address
> > > > > > 143.233.222.77 to be sent to 10.2.4.1 on the
> > > > eth0
> > > > > > interface. I am
> > > > > > assuming that 143.233.222.77 and 143.233.222.253
> > > > are
> > > > > > on the same
> > > > > > network, i.e., the subnet mask is 255.255.255.0
> > > > or
> > > > > > less. I also
> > > > > > assuming that you have enabled forwarding as you
> > > > > > said you did.
> > > > > >
> > > > > > Then you would do something like:
> > > > > >
> > > > > > iptables -F
> > > > > > iptables -t nat -F
> > > > > > iptables -P FORWARD DROP
> > > > > > iptables -t nat -P ACCEPT
> > > > > > iptables -t nat -A PREROUTING -i eth1 -d
> > > > > > 143.233.222.77 --dport 22453 -j
> > > > > > DNAT --to-destination 10.2.4.1:22453
> > > > > > iptables -A FORWARD -m state --state
> > > > > > ESTABLISHED,RELATED -j ACCEPT
> > > > > > iptables -A FORWARD -s 143.233.222.253 -d
> > > > 10.2.4.1
> > > > > > -p 6 --dport 22453 -j
> > > > > > ACCEPT
> > > > > >
> > > > > > I have a sneaking suspicion that 22453 is not
> > > > the
> > > > > > destination port.
> > > > > > What service is 10.2.4.1 providing to
> > > > > > 143.233.222.253?
> > > > > >
> > > > > > I'm afraid I'm running out of time today. I
> > > > > > probably cannot help much
> > > > > > more. I'm sure someone else can jump in. Take
> > > > care
> > > > > > - John
> > > > > >
> > > > > > On Tue, 2005-09-27 at 08:40 -0700, Alaios wrote:
> > > > > > > My complete rule set??? Hm... there is nothing
> > > > > > like
> > > > > > > that... I work to a solution for 4-5 hours and
> > > > > > still
> > > > > > > havent finded any iptable rule to work.. in my
> > > > pc
> > > > > > i
> > > > > > > dont have any ip rules loaded at all nor a
> > > > > > firewall
> > > > > > > applied.. I just want to do only this to
> > > > work.. Do
> > > > > > u
> > > > > > > have anything else in mind plz?
> > > > > > >
> > > > > > > --- "John A. Sullivan III"
> > > > > > > wrote:
> > > > > > >
> > > > > > > > I made some assumptions about other rules
> > > > you
> > > > > > would
> > > > > > > > have had in place.
> > > > > > > > I believe someone else posted a much more
> > > > > > thorough
> > > > > > > > answer. Did you
> > > > > > > > create an ESTABLISHED,RELATED rule as that
> > > > other
> > > > > > > > post suggested?
> > > > > > > >
> > > > > > > > Would you mind posting your complete rule
> > > > set
> > > > > > (with
> > > > > > > > any sensitive
> > > > > > > > information edited, of course)? - John
> > > > > > > >
> > > > > > > > On Tue, 2005-09-27 at 08:30 -0700, Alaios
> > > > wrote:
> > > > > > > > > Thx for your quick reply..... i have just
> > > > > > tested
> > > > > > > > but
> > > > > > > > > it didnt work... I think that i cant
> > > > explain
> > > > > > what
> > > > > > > > i
> > > > > > > > > need or i am doing sth wrong..
> > > > > > > > > i have enabled the packets loging
> > > > > > > > > so executing dmesg prints the following
> > > > > > > > > IN=eth1 OUT= MAC=(the mac addresses)
> > > > > > > > > As u can see the OUT is null which means
> > > > thats
> > > > > > > > perhaps
> > > > > > > > > the problem... What do u have in mind?
> > > > > > > > >
> > > > > > > > > --- "John A. Sullivan III"
> > > > > > > > > wrote:
> > > > > > > > >
> > > > > > > > > > On Tue, 2005-09-27 at 11:14 -0400, John
> > > > A.
> > > > > > > > Sullivan
> > > > > > > > > > III wrote:
> > > > > > > > > > > On Tue, 2005-09-27 at 07:57 -0700,
> > > > Alaios
> > > > > > > > wrote:
> > > > > > > > > > > > Hi plz take a look at the following
> > > > > > example
> > > > > > > > > > > >
> > > > > > > > > > > > The laptop has 2 ethernet interfaces
> > > > > > > > > > > > To eth1 comes traffic from src
> > > > > > > > 143.233.222.253
> > > > > > > > > > > > The eth0 has ip address 10.2.4.2 and
> > > > it
> > > > > > is
> > > > > > > > > > connected
> > > > > > > > > > > > back to back with eth1 of other pc
> > > > with
> > > > > > ip
> > > > > > > > > > address
> > > > > > > > > > > > 10.2.4.1
> > > > > > > > > > > > I want to forward the traffic with
> > > > src
> > > > > > > > > > 143.233.222.253
> > > > > > > > > > > > to the 10.2.4.1 pc and if it works i
> > > > > > will
> > > > > > > > redo
> > > > > > > > > > this
> > > > > > > > > > > > for a second pc so as to l send the
> > > > > > traffic
> > > > > > > > to a
> > > > > > > > > > third
> > > > > > > > > > > > on.
> > > > > > > > > > > > Can u help me plz?
> > > > > > > > > > > >
> > > > > > > > > > > > I have tried this one
> > > > > > > > > > > > iptables -t nat -A PREROUTING -i
> > > > eth1 -s
> > > > > > > > > > > > 143.233.222.253 -j DNAT
> > > > --to-destination
> > > > > > > > > > 10.2.4.1
> > > > > > > > > > > > i have also set the
> > > > > > > > > > > > /proc/sys/net/ipv4/ip_forward to 1
> > > > > > > > > > > > but still i cant see any trafiic to
> > > > eth0
> > > > > > > > > > interface (ip
> > > > > > > > > > > > 10.2.4.2)
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > I have also tested this one
> > > > > > > > > > > > iptables -t nat -A PREROUTING -p tcp
> > > > -d
> > > > > > > > > > 143.233.222.77
> > > > > > > > > > > > (laptop eth1 card) --dport 22453 (i
> > > > have
> > > > > > > > cheched
> > > > > > > > > > dst
> > > > > > > > > > > > port with tcpdump) 00 -j DNAT
> > > > > > > > --to-destination
> > > > > > > > > > > > 10.2.4.1
> > > > > > > > > > > > this still doesnt work
> > > > > > > > > > > > Every time i try to apply a new rule
> > > > i
> > > > > > use
> > > > > > > > first
> > > > > > > > > > > > the iptables -F
> > > > > > > > > > > > iptables -t nat -F command
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > I'm a little confused about what you
> > > > are
> > > > > > > > doing. I
> > > > > > > > > > would normally refer
> > > > > > > > > > > you to Oskar Andreasson's excellent
> > > > > > tutorial
> > > > > > > > at
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html
> > > > > > > > > > or the
> > > > > > > > > > > training slides on the ISCS web site
> > > > > > > > > > (http://iscs.sourceforge.net) but,
> > > > > > > > > > > since it appears that you have an
> > > > > > emergency,
> > > > > > > > here
> > > > > > > > > > goes:
> > > > > > > > > > >
> > > > > > > > > > > First, if the source is
> > > > 143.233.222.253,
> > > > > > you
> > > > > > > > would
> > > > > > > > > > not want to DNAT it.
> > > > > > > > > > > DNAT changes the destination. Thus,
> > > > your
> > > > > > > > second
> > > > > > > > > > attempt is the correct
> > > > > > > > > > > one. You might want to lock the
> > > > > > destination
> > > > > > > > port
> > > > > > > > > > - it's not likely to
> > > > > > > > > > > be a problem but, if it ever is, it
> > > > will
> > > > > > be
> > > > > > > > one of
> > > > > > > > > > those really hard to
> > > > > > > > > > > diagnose, sporadic problems:
> > > > > > > > > > > -j DNAT --to-destination
> > > > 10.2.4.1:22453
> > > > > > > > > > >
> > > > > > > > > > > Second, this only takes care of the
> > > > > > > > addressing.
> > > > > > > > > > You must still allow
> > > > > > > > > > > the traffic in the FORWARD chain of
> > > > the
> > > > > > filter
> > > > > > > > > > table, e.g.,
> > > > > > > > > > >
> > > > > > > > > > > iptables -A FORWARD -d 10.2.4.1 -p 6
> > > > > > --dport
> > > > > > > > 22453
> > > > > > > > > > -j ACCEPT
> > > > > > > > > > >
> > > > > > > > > > > Hope this helps - John
> > > > > > > > > >
> > > > > > > > > > Oh, yes, you wanted to restrict the
> > > > source
> > > > > > > > address.
> > > > > > > > > > Add that to your
> > > > > > > > > > filter table rule:
> > > > > > > > > > iptables -A FORWARD -s 143.233.222.253
> > > > -d
> > > > > > > > 10.2.4.1
> > > > > > > > > > -p 6 --dport 22453 -j
> > > > > > > > > > ACCEPT
> > > > > > > > > > --
> > > > > > > > > > John A. Sullivan III
> > > > > > > > > > Open Source Development Corporation
> > > > > > > > > > +1 207-985-7880
> > > > > > > > > > jsullivan@opensourcedevel.com
> > > > > > > > > >
> > > > > > > > > > If you would like to participate in the
> > > > > > > > development
> > > > > > > > > > of an open source
> > > > > > > > > > enterprise class network security
> > > > management
> > > > > > > > system,
> > > > > > > > > > please visit
> > > > > > > > > > http://iscs.sourceforge.net
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > >
> > > > __________________________________________________
> > > > > > > > > Do You Yahoo!?
> > > > > > > > > Tired of spam? Yahoo! Mail has the best
> > > > spam
> > > > > > > > protection around
> > > > > > > > > http://mail.yahoo.com
> > > > > > > > --
> > > > > > > > John A. Sullivan III
> > > > > > > > Open Source Development Corporation
> > > > > > > > +1 207-985-7880
> > > > > > > > jsullivan@opensourcedevel.com
> > > > > > > >
> > > > > > > > Financially sustainable open source
> > > > development
> > > > > > > > http://www.opensourcedevel.com
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > __________________________________________________
> > > > > > > Do You Yahoo!?
> > > > > > > Tired of spam? Yahoo! Mail has the best spam
> > > > > > protection around
> > > > > > > http://mail.yahoo.com
> > > > > > --
> > > > > > John A. Sullivan III
> > > > > > Open Source Development Corporation
> > > > > > +1 207-985-7880
> > > > > > jsullivan@opensourcedevel.com
> > > > > >
> > > > > > Financially sustainable open source development
> > > > > > http://www.opensourcedevel.com
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > __________________________________
> > > > > Yahoo! Mail - PC Magazine Editors' Choice 2005
> > > > > http://mail.yahoo.com
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> > >
> > >
> > > __________________________________
> > > Yahoo! Mail - PC Magazine Editors' Choice 2005
> > > http://mail.yahoo.com
> > >
> > --
> > John A. Sullivan III
> > Open Source Development Corporation
> > +1 207-985-7880
> > jsullivan@opensourcedevel.com
> >
> > Financially sustainable open source development
> > http://www.opensourcedevel.com
> >
> >
>
>
>
>  ________________________________
> Yahoo! for Good
>  Click here to donate to the Hurricane Katrina relief effort.
>
>

Re: Plz i need help.... or i ll be fired :(

[John A. Sullivan III]

It doesn't matter if it's plugged into the same physical network.  It is
a different logical network.  I do not know why it is masked that way.
What is the mask on .253? If it is otherwise safe to do so, you can
change them both to 255.255.255.0.  Then they will be on the same
logical as well as physical network - John

On Tue, 2005-09-27 at 13:24 -0700, Alaios wrote:
> Its not on a different network.. eth1 is directly connected with this
> network
> 
> "John A. Sullivan III" <jsullivan@opensourcedevel.com> wrote:
>         What is the default gateway for the laptop? How does it get to
>         143.233.222.253 since that is on a different network? - John
>         
>         On Tue, 2005-09-27 at 09:52 -0700, Alaios wrote:
>         > eth0 Link encap:Ethernet HWaddr
>         > 00:02:3F:6D:70:3E 
>         > inet addr:10.2.4.1 Bcast:10.255.255.255 
>         > Mask:255.0.0.0
>         > inet6 addr: fe80::202:3fff:fe6d:703e/64
>         > Scope:Link
>         > UP BROADCAST RUNNING MULTICAST MTU:1500 
>         > Metric:1
>         > RX packets:3 errors:0 dropped:0 overruns:0
>         > frame:0
>         > TX packets:394 errors:0 dropped:0 overruns:0
>         > carrier:0
>         > collisions:0 txqueuelen:1000 
>         > RX bytes:218 (218.0 b) TX bytes:24983 (24.3
>         > Kb)
>         > Interrupt:11 Base address:0x6800 
>         > 
>         > eth1 Link encap:Ethernet HWaddr
>         > 00:02:2D:3B:1D:96 
>         > inet addr:143.233.222.77 
>         > Bcast:255.255.255.255 Mask:255.255.255.192
>         > inet6 addr: fe80::202:2dff:fe3b:1d96/64
>         > Scope:Link
>         > UP BROADCAST NOTRAILERS RUNNING MULTICAST 
>         > MTU:1500 Metric:1
>         > RX packets:293209 errors:0 dropped:0
>         > overruns:0 frame:0
>         > TX packets:74 errors:0 dropped:0 overruns:0
>         > carrier:0
>         > collisions:0 txqueuelen:1000 
>         > RX bytes:364527709 (347.6 Mb) TX
>         > bytes:19400 (18.9 Kb)
>         > Interrupt:3 Base address:0x100 
>         > 
>         > lo Link encap:Local Loopback 
>         > inet addr:127.0.0.1 Mask:255.0.0.0
>         > inet6 addr: ::1/128 Scope:Host
>         > UP LOOPBACK RUNNING MTU:16436 Metric:1
>         > RX packets:54 errors:0 dropped:0 overruns:0
>         > frame:0
>         > TX packets:54 errors:0 dropped:0 overruns:0
>         > carrier:0
>         > collisions:0 txqueuelen:0 
>         > RX bytes:3528 (3.4 Kb) TX bytes:3528 (3.4
>         > Kb)
>         > 
>         > Kernel IP routing table
>         > Destination Gateway Genmask Flags
>         > Metric Ref Use Iface
>         > 143.233.222.64 0.0.0.0 255.255.255.192 U 
>         > 0 0 0 eth1
>         > 10.0.0.0 0.0.0.0 255.0.0.0 U 
>         > 0 0 0 eth0
>         > 127.0.0.0 0.0.0.0 255.0.0.0 U 
>         > 0 0 0 lo
>         > 
>         > 
>         > 
>         > --- Edmundo Carmona wrote:
>         > 
>         > > Remove the UDP/port from the rule, that will allow
>         > > you to PING the
>         > > box, and the inner box should respond.
>         > > 
>         > > Anyway, let's go to the basics... what is the output
>         > > of
>         > > 
>         > > ifconfig
>         > > route -n
>         > > 
>         > > ??
>         > > 
>         > > On 9/27/05, Alaios wrote:
>         > > > I have done absolutely what u have said.. I have
>         > > > rechecked the source port and destination and are
>         > > the
>         > > > same.... The programme is a packet generator that
>         > > > creates bulk data. We use it to test oure
>         > > network....
>         > > > I have applied your commands but with a little
>         > > changes
>         > > > iptables -nat -A PREROUTING -i eth1 -d
>         > > 143.233.222.77
>         > > > -p udp --destination-port 22453 -j DNAT
>         > > > --to-destination 10.2.4.1:22453
>         > > > My problem is that still i cant see any packages
>         > > in
>         > > > the eth0 interface.. What know what else should i
>         > > do
>         > > > now
>         > > >
>         > > > --- "John A. Sullivan III"
>         > > > wrote:
>         > > >
>         > > > > It sounds like you really need to learn the
>         > > basics.
>         > > > > I would suggest you
>         > > > > go through the links I mentioned below. What
>         > > > > exactly do you want to do?
>         > > > >
>         > > > > It sounds like you want traffic coming in from
>         > > > > 143.233.222.253 on tcp
>         > > > > ; destination port 22453 (are you sure this is the
>         > > > > destination port and
>         > > > > not the source port?????) on the laptop
>         > > interface
>         > > > > eth1 with IP address
>         > > > > 143.233.222.77 to be sent to 10.2.4.1 on the
>         > > eth0
>         > > > > interface. I am
>         > > > > assuming that 143.233.222.77 and 143.233.222.253
>         > > are
>         > > > > on the same
>         > > > > network, i.e., the subnet mask is 255.255.255.0
>         > > or
>         > > > > less. I also
>         > > > > assuming that you have enabled forwarding as you
>         > > > > said you did.
>         > > > >
>         > > > > Then you would do something like:
>         > > > >
>         > > > > iptables -F
>         > > > > iptables -t nat -F
>         > > > > iptables -P FORWARD DROP
>         > > > > iptables -t nat -P ACCEPT
>         > > > > iptables -t nat -A PREROUTING -i eth1 -d
>         > > > > 143.233.222.77 --dport 22453 -j
>         > > > > DNAT --to-destination 10.2.4.1:22453
>         > > > > iptables -A FORWARD -m state --state
>         > > > > ESTABLISHED,RELATED -j ACCEPT
>         > > > > iptables -A FORWARD -s 143.233.222.253 -d
>         > > 10.2.4.1
>         > > > > -p 6 --dport 22453 -j
>         > > > > ACCEPT
>         > > > >
>         > > > > I have a sneaking suspicion that 22453 is not
>         > > the
>         > > > > destination port.
>         > > > > What service is 10.2.4.1 providing to
>         > > > > 143.233.222.253?
>         > > > >
>         > > > > I'm afraid I'm running out of time today. I
>         > > > > probably cannot help much
>         > > > > more. I'm sure someone else can jump in. Take
>         > > care
>         > > > > - John
>         > > > >
>         > > > > On Tue, 2005-09-27 at 08:40 -0700, Alaios wrote:
>         > > > > > My complete rule set??? Hm... there is nothing
>         > > > > like
>         > > > > > that... I work to a solution for 4-5 hours and
>         > > > > still
>         > > > > > havent finded any iptable rule to work.. in my
>         > > pc
>         > > > > i
>         > > > > > dont have any ip rules loaded at all nor a
>         > > > > firewall
>         > > > > > applied.. I just want to do only this to
>         > > work.. Do
>         > > > > u
>         > > > > > have anything else in mind plz?
>         > > > > >
>         > > > > > --- "John A. Sullivan III"
>         > > > > > wrote:
>         > > > > >
>         > > > > > > I made some assumptions about other rules
>         > > you
>         > > > > would
>         > > > > > > have had in place.
>         > > > > > > I believe someone else posted a much more
>         > > > > thorough
>         > > > > > > answer. Did you
>         > > > > > > create an ESTABLISHED,RELATED rule as that
>         > > other
>         > > > > > > post suggested?
>         > > > > > >
>         > > > > > > Would you mind posting your complete rule
>         > > set
>         > > > > (with
>         > > > > > > any sensitive
>         > > > > > > information edited, of course)? - John
>         > > > > > >
>         > > > > > > On Tue, 2005-09-27 at 08:30 -0700, Alaios
>         > > wrote:
>         > > > > > > > Thx for your quick reply..... i have just
>         > > > > tested
>         > > > > > > but
>         > > > > > > > it didnt work... I think that i cant
>         > > explain
>         > > > > what
>         > &g t; > > > > i
>         > > > > > > > need or i am doing sth wrong..
>         > > > > > > > i have enabled the packets loging
>         > > > > > > > so executing dmesg prints the following
>         > > > > > > > IN=eth1 OUT= MAC=(the mac addresses)
>         > > > > > > > As u can see the OUT is null which means
>         > > thats
>         > > > > > > perhaps
>         > > > > > > > the problem... What do u have in mind?
>         > > > > > > >
>         > > > > > > > --- "John A. Sullivan III"
>         > > > > > > > wrote:
>         > > > > > > >
>         > > > > > > > > On Tue, 2005-09-27 at 11:14 -0400, John
>         > > A.
>         > > > > > > Sullivan
>         > > > > > > > > III wrote:
>         > > > > > > > > > On Tue, 2005-09-27 at 07:57 -0700,
>         > > Alaios
>         > > > > > > wrote:
>         > > > > > > > > > > Hi plz take a look at the following
>         > > > > example
>         > > > > > > > > > >
>         > > > > > > > > > > The laptop has 2 ethernet interfaces
>         > > > > > > > > > > To eth1 comes traffic from src
>         > > > > > > 143.233.222.253
>         > > > > > > > > > > The eth0 has ip address 10.2.4.2 and
>         > > it
>         > > > > is
>         > > > > > > > > connected
>         > > > > > > > > > > back to back with eth1 of other pc
>         > > with
>         > > > > ip
>         > > > > > > > > address
>         > > > > > > > > > > 10.2.4.1
>         > > > > > > > > > > I want to forward the t raffic with
>         > > src
>         > > > > > > > > 143.233.222.253
>         > > > > > > > > > > to the 10.2.4.1 pc and if it works i
>         > > > > will
>         > > > > > > redo
>         > > > > > > > > this
>         > > > > > > > > > > for a second pc so as to l send the
>         > > > > traffic
>         > > > > > > to a
>         > > > > > > > > third
>         > > > > > > > > > > on.
>         > > > > > > > > > > Can u help me plz?
>         > > > > > > > > > >
>         > > > > > > > > > > I have tried this one
>         > > > > > > > > > > iptables -t nat -A PREROUTING -i
>         > > eth1 -s
>         > > > > > > > > > > 143.233.222.253 -j DNAT
>         > > --to-destination
>         > > > > > ; > > > 10.2.4.1
>         > > > > > > > > > > i have also set the
>         > > > > > > > > > > /proc/sys/net/ipv4/ip_forward to 1
>         > > > > > > > > > > but still i cant see any trafiic to
>         > > eth0
>         > > > > > > > > interface (ip
>         > > > > > > > > > > 10.2.4.2)
>         > > > > > > > > > >
>         > > > > > > > > > >
>         > > > > > > > > > > I have also tested this one
>         > > > > > > > > > > iptables -t nat -A PREROUTING -p tcp
>         > > -d
>         > > > > > > > > 143.233.222.77
>         > > > > > > > > > > (laptop eth1 card) --dport 22453 (i
>         > > have
>         > > > > > > cheched
>         > > > > > > > > dst
>         > > > > > > > ; > > > port with tcpdump) 00 -j DNAT
>         > > > > > > --to-destination
>         > > > > > > > > > > 10.2.4.1
>         > > > > > > > > > > this still doesnt work
>         > > > > > > > > > > Every time i try to apply a new rule
>         > > i
>         > > > > use
>         > > > > > > first
>         > > > > > > > > > > the iptables -F
>         > > > > > > > > > > iptables -t nat -F command
>         > > > > > > > > > 
>         > > > > > > > > >
>         > > > > > > > > > I'm a little confused about what you
>         > > are
>         > > > > > > doing. I
>         > > > > > > > > would normally refer
>         > > > > > > > > > you to Oskar Andreasson's excellent
>         > > > > tutorial
>         > > & gt; > > > at
>         > > > > > > > > >
>         > > > > > > > >
>         > > > > > > >
>         > > > > > >
>         > > > > >
>         > > > >
>         > > >
>         > >
>         >
>         http://iptables-tutorial.frozentux.net/iptables-tutorial.html
>         > > > > > > > > or the
>         > > > > > > > > > training slides on the ISCS web site
>         > > > > > > > > (http://iscs.sourceforge.net) but,
>         > > > > > > > > > since it appears that you have an
>         > > > > emergency,
>         > > > > > > here
>         > > > > > > > > goes:
>         > > > > > > > > >
>         > > > > > > > > > First, if the source is
>         > > 143.233.222.253,
>         > > > > you
>         > > > > > > would
>         > > > > > &g t; > > not want to DNAT it.
>         > > > > > > > > > DNAT changes the destination. Thus,
>         > > your
>         > > > > > > second
>         > > > > > > > > attempt is the correct
>         > > > > > > > > > one. You might want to lock the
>         > > > > destination
>         > > > > > > port
>         > > > > > > > > - it's not likely to
>         > > > > > > > > > be a problem but, if it ever is, it
>         > > will
>         > > > > be
>         > > > > > > one of
>         > > > > > > > > those really hard to
>         > > > > > > > > > diagnose, sporadic problems:
>         > > > > > > > > > -j DNAT --to-destination
>         > > 10.2.4.1:22453
>         > > > > > > > > >
>         > > > > > > > > > Second, this only takes care of the
>         > > > > > > addressing.
>         > > > > > > > > You must still allow
>         > > > > > > > > > the traffic in the FORWARD chain of
>         > > the
>         > > > > filter
>         > > > > > > > > table, e.g.,
>         > > > > > > > > >
>         > > > > > > > > > iptables -A FORWARD -d 10.2.4.1 -p 6
>         > > > > --dport
>         > > > > > > 22453
>         > > > > > > > > -j ACCEPT
>         > > > > > > > > >
>         > > > > > > > > > Hope this helps - John
>         > > > > > > > >
>         > > > > > > > > Oh, yes, you wanted to restrict the
>         > > source
>         > > > > > > address.
>         > > > > > > > > Add that to your
>         > > > > > > > > filter table rule:
>         > > > > > > > > iptables -A FORWARD -s 143.233.222.253
>         > > -d
>         > > > > > > 10.2.4.1
>         > > > > > > > > -p 6 --dport 22453 -j
>         > > > > > > > > ACCEPT
>         > > > > > > > > --
>         > > > > > > > > John A. Sullivan III
>         > > > > > > > > Open Source Development Corporation
>         > > > > > > > > +1 207-985-7880
>         > > > > > > > > jsullivan@opensourcedevel.com
>         > > > > > > > >
>         > > > > > > > > If you would like to participate in the
>         > > > > > > development
>         > > > > > > > > of an open source
>         > > > > > > > > enterprise class network security
>         > > management
>         > > > > > > system,
>         > > > > > > > > please visit
>         > > > > > > > > http://iscs.sourceforge.net
>         > > > > > > > >
>         > > > > > > > >
>         > > > > > > >
>         > > > > > > >
>         > > > >
>         > > __________________________________________________
>         > > > > > > > Do You Yahoo!?
>         > > > > > > > Tired of spam? Yahoo! Mail has the best
>         > > spam
>         > > > > > > protection around
>         > > > > > > > http://mail.yahoo.com
>         > > > > > > --
>         > > > > > > John A. Sullivan III
>         > > > > > > Open Source Development Corporation
>         > > > > > > +1 207-985-7880
>         > > > > > > jsullivan@opensourcedevel.com
>         > > > > > >
>         > > > > > > Financially sustainable open source
>         > > development
>         &g t; > > > > > http://www.opensourcedevel.com
>         > > > > > >
>         > > > > > >
>         > > > > >
>         > > > > >
>         > > __________________________________________________
>         > > > > > Do You Yahoo!?
>         > > > > > Tired of spam? Yahoo! Mail has the best spam
>         > > > > protection around
>         > > > > > http://mail.yahoo.com
>         > > > > --
>         > > > > John A. Sullivan III
>         > > > > Open Source Development Corporation
>         > > > > +1 207-985-7880
>         > > > > jsullivan@opensourcedevel.com
>         > > > >
>         > > > > Financially sustainable open source development
>         > > > > http://www.opensourcedevel.com
>         > > > >
>         > > > >
>         > > >
>         > > >
>         > > >
>         > > >
>         > > > __________________________________
>         &g t; > > Yahoo! Mail - PC Magazine Editors' Choice 2005
>         > > > http://mail.yahoo.com
>         > > >
>         > > >
>         > > 
>         > > 
>         > 
>         > 
>         > 
>         > 
>         > __________________________________ 
>         > Yahoo! Mail - PC Magazine Editors' Choice 2005 
>         > http://mail.yahoo.com
>         > 
>         -- 
>         John A. Sullivan III
>         Open Source Development Corporation
>         +1 207-985-7880
>         jsullivan@opensourcedevel.com
>         
>         Financially sustainable open source development
>         http://www.opensourcedevel.com
>         
> __________________________________________________
> Do You Yahoo!?
> Tired of spam? Yahoo! Mail has the best spam protection around 
> http://mail.yahoo.com 
> 
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com

Re: Plz i need help.... or i ll be fired :(

[John A. Sullivan III]

Of course, it should go without saying that he will need to change to
iptables rules to reflect the new address - John

On Tue, 2005-09-27 at 16:46 -0400, Edmundo Carmona wrote:
> Well... you either have them in teh same subnet.... or you put a
> router between them... it really depends on your
> resources/environment.
> 
> The problem right now is that the two boxes don't get to talk to each
> other (cause they are in different subnets.
> 
> For example... change the IP of the one with ip 253 to 78 (not 278, but 078).
> 
> Then the two boxes will be able to "talk" and you will be able to test
> the firewall.
> 
> On 9/27/05, Alaios <alaios@yahoo.com> wrote:
> > what should i do then?
> >
> > Edmundo Carmona <eantoranz@gmail.com> wrote:
> > It sure is a different network! You see? As I said... something simple
> > was missing! (sorry to not have seen it before).
> >
> > Well done, John!
> >
> > On 9/27/05, John A. Sullivan III wrote:
> > > What is the default gateway for the laptop? How does it get to
> > > 143.233.222.253 since that is on a different network? - John
> > >
> > > On Tue, 2005-09-27 at 09:52 -0700, Alaios wrote:
> > > > eth0 Link encap:Ethernet HWaddr
> > > > 00:02:3F:6D:70:3E
> > > > inet addr:10.2.4.1 Bcast:10.255.255.255
> > > > Mask:255.0.0.0
> > > > inet6 addr: fe80::202:3fff:fe6d:703e/64
> > > > Scope:Link
> > > > UP BROADCAST RUNNING MULTICAST MTU:1500
> > > > Metric:1
> > > > RX packets:3 errors:0 dropped:0 overruns:0
> > > > frame:0
> > > > TX packets:394 errors:0 dropped:0 overruns:0
> > > > carrier:0
> > > > collisions:0 txqueuelen:1000
> > > > RX bytes:218 (218.0 b) TX bytes:24983 (24.3
> > > > Kb)
> > > > Interrupt:11 Base address:0x6800
> > > >
> > > > eth1 Link encap:Ethernet HWaddr
> > > > 00:02:2D:3B:1D:96
> > > > inet addr:143.233.222.77
> > > > Bcast:255.255.255.255 Mask:255.255.255.192
> > > > inet6 addr: fe80::202:2dff:fe3b:1d96/64
> > > > Scope:Link
> > > > UP BROADCAST NOTRAILERS RUNNING MULTICAST
> > > > MTU:1500 Metric:1
> > > > RX packets:293209 errors:0 dropped:0
> > > > overruns:0 frame:0
> > > > TX packets:74 errors:0 dropped:0 overruns:0
> > > > carrier:0
> > > > collisions:0 txqueuelen:1000
> > > > RX bytes:364527709 (347.6 Mb) TX
> > > > bytes:19400 (18.9 Kb)
> > > > Interrupt:3 Base address:0x100
> > > >
> > > > lo Link encap:Local Loopback
> > > > inet addr:127.0.0.1 Mask:255.0.0.0
> > > > inet6 addr: ::1/128 Scope:Host
> > > > UP LOOPBACK RUNNING MTU:16436 Metric:1
> > > > RX packets:54 errors:0 dropped:0 overruns:0
> > > > frame:0
> > > > TX packets:54 errors:0 dropped:0 overruns:0
> > > > carrier:0
> > > > collisions:0 txqueuelen:0
> > > > RX bytes:3528 (3.4 Kb) TX bytes:3528 (3.4
> > > > Kb)
> > > >
> > > > Kernel IP routing table
> > > > Destination Gateway Genmask Flags
> > > > Metric Ref Use Iface
> > > > 143.233.222.64 0.0.0.0 255.255.255.192 U
> > > > 0 0 0 eth1
> > > > 10.0.0.0 0.0.0.0 255.0.0.0 U
> > > > 0 0 0 eth0
> > > > 127.0.0.0 0.0.0.0 255.0.0.0 U
> > > > 0 0 0 lo
> > > >
> > > >
> > > >
> > > > --- Edmundo Carmona wrote:
> > > >
> > > > > Remove the UDP/port from the rule, that will allow
> > > > > you to PING the
> > > > > box, and the inner box should respond.
> > > > >
> > > > > Anyway, let's go to the basics... what is the output
> > > > > of
> > > > >
> > > > > ifconfig
> > > > > route -n
> > > > >
> > > > > ??
> > > > >
> > > > > On 9/27/05, Alaios wrote:
> > > > > > I have done absolutely what u have said.. I have
> > > > > > rechecked the source port and destination and are
> > > > > the
> > > > > > same.... The programme is a packet generator that
> > > > > > creates bulk data. We use it to test oure
> > > > > network....
> > > > > > I have applied your commands but with a little
> > > > > changes
> > > > > > iptables -nat -A PREROUTING -i eth1 -d
> > > > > 143.233.222.77
> > > > > > -p udp --destination-port 22453 -j DNAT
> > > > > > --to-destination 10.2.4.1:22453
> > > > > > My problem is that still i cant see any packages
> > > > > in
> > > > > > the eth0 interface.. What know what else should i
> > > > > do
> > > > > > now
> > > > > >
> > > > > > --- "John A. Sullivan III"
> > > > > > wrote:
> > > > > >
> > > > > > > It sounds like you really need to learn the
> > > > > basics.
> > > > > > > I would suggest you
> > > > > > > go through the links I mentioned below. What
> > > > > > > exactly do you want to do?
> > > > > > >
> > > > > > > It sounds like you want traffic coming in from
> > > > > > > 143.233.222.253 on tcp
> > > > > > > destination port 22453 (are you sure this is the
> > > > > > > destination port and
> > > > > > > not the source port?????) on the laptop
> > > > > interface
> > > > > > > eth1 with IP address
> > > > > > > 143.233.222.77 to be sent to 10.2.4.1 on the
> > > > > eth0
> > > > > > > interface. I am
> > > > > > > assuming that 143.233.222.77 and 143.233.222.253
> > > > > are
> > > > > > > on the same
> > > > > > > network, i.e., the subnet mask is 255.255.255.0
> > > > > or
> > > > > > > less. I also
> > > > > > > assuming that you have enabled forwarding as you
> > > > > > > said you did.
> > > > > > >
> > > > > > > Then you would do something like:
> > > > > > >
> > > > > > > iptables -F
> > > > > > > iptables -t nat -F
> > > > > > > iptables -P FORWARD DROP
> > > > > > > iptables -t nat -P ACCEPT
> > > > > > > iptables -t nat -A PREROUTING -i eth1 -d
> > > > > > > 143.233.222.77 --dport 22453 -j
> > > > > > > DNAT --to-destination 10.2.4.1:22453
> > > > > > > iptables -A FORWARD -m state --state
> > > > > > > ESTABLISHED,RELATED -j ACCEPT
> > > > > > > iptables -A FORWARD -s 143.233.222.253 -d
> > > > > 10.2.4.1
> > > > > > > -p 6 --dport 22453 -j
> > > > > > > ACCEPT
> > > > > > >
> > > > > > > I have a sneaking suspicion that 22453 is not
> > > > > the
> > > > > > > destination port.
> > > > > > > What service is 10.2.4.1 providing to
> > > > > > > 143.233.222.253?
> > > > > > >
> > > > > > > I'm afraid I'm running out of time today. I
> > > > > > > probably cannot help much
> > > > > > > more. I'm sure someone else can jump in. Take
> > > > > care
> > > > > > > - John
> > > > > > >
> > > > > > > On Tue, 2005-09-27 at 08:40 -0700, Alaios wrote:
> > > > > > > > My complete rule set??? Hm... there is nothing
> > > > > > > like
> > > > > > > > that... I work to a solution for 4-5 hours and
> > > > > > > still
> > > > > > > > havent finded any iptable rule to work.. in my
> > > > > pc
> > > > > > > i
> > > > > > > > dont have any ip rules loaded at all nor a
> > > > > > > firewall
> > > > > > > > applied.. I just want to do only this to
> > > > > work.. Do
> > > > > > > u
> > > > > > > > have anything else in mind plz?
> > > > > > > >
> > > > > > > > --- "John A. Sullivan III"
> > > > > > > > wrote:
> > > > > > > >
> > > > > > > > > I made some assumptions about other rules
> > > > > you
> > > > > > > would
> > > > > > > > > have had in place.
> > > > > > > > > I believe someone else posted a much more
> > > > > > > thorough
> > > > > > > > > answer. Did you
> > > > > > > > > create an ESTABLISHED,RELATED rule as that
> > > > > other
> > > > > > > > > post suggested?
> > > > > > > > >
> > > > > > > > > Would you mind posting your complete rule
> > > > > set
> > > > > > > (with
> > > > > > > > > any sensitive
> > > > > > > > > information edited, of course)? - John
> > > > > > > > >
> > > > > > > > > On Tue, 2005-09-27 at 08:30 -0700, Alaios
> > > > > wrote:
> > > > > > > > > > Thx for your quick reply..... i have just
> > > > > > > tested
> > > > > > > > > but
> > > > > > > > > > it didnt work... I think that i cant
> > > > > explain
> > > > > > > what
> > > > > > > > > i
> > > > > > > > > > need or i am doing sth wrong..
> > > > > > > > > > i have enabled the packets loging
> > > > > > > > > > so executing dmesg prints the following
> > > > > > > > > > IN=eth1 OUT= MAC=(the mac addresses)
> > > > > > > > > > As u can see the OUT is null which means
> > > > > thats
> > > > > > > > > perhaps
> > > > > > > > > > the problem... What do u have in mind?
> > > > > > > > > >
> > > > > > > > > > --- "John A. Sullivan III"
> > > > > > > > > > wrote:
> > > > > > > > > >
> > > > > > > > > > > On Tue, 2005-09-27 at 11:14 -0400, John
> > > > > A.
> > > > > > > > > Sullivan
> > > > > > > > > > > III wrote:
> > > > > > > > > > > > On Tue, 2005-09-27 at 07:57 -0700,
> > > > > Alaios
> > > > > > > > > wrote:
> > > > > > > > > > > > > Hi plz take a look at the following
> > > > > > > example
> > > > > > > > > > > > >
> > > > > > > > > > > > > The laptop has 2 ethernet interfaces
> > > > > > > > > > > > > To eth1 comes traffic from src
> > > > > > > > > 143.233.222.253
> > > > > > > > > > > > > The eth0 has ip address 10.2.4.2 and
> > > > > it
> > > > > > > is
> > > > > > > > > > > connected
> > > > > > > > > > > > > back to back with eth1 of other pc
> > > > > with
> > > > > > > ip
> > > > > > > > > > > address
> > > > > > > > > > > > > 10.2.4.1
> > > > > > > > > > > > > I want to forward the traffic with
> > > > > src
> > > > > > > > > > > 143.233.222.253
> > > > > > > > > > > > > to the 10.2.4.1 pc and if it works i
> > > > > > > will
> > > > > > > > > redo
> > > > > > > > > > > this
> > > > > > > > > > > > > for a second pc so as to l send the
> > > > > > > traffic
> > > > > > > > > to a
> > > > > > > > > > > third
> > > > > > > > > > > > > on.
> > > > > > > > > > > > > Can u help me plz?
> > > > > > > > > > > > >
> > > > > > > > > > > > > I have tried this one
> > > > > > > > > > > > > iptables -t nat -A PREROUTING -i
> > > > > eth1 -s
> > > > > > > > > > > > > 143.233.222.253 -j DNAT
> > > > > --to-destination
> > > > > > > > > > > 10.2.4.1
> > > > > > > > > > > > > i have also set the
> > > > > > > > > > > > > /proc/sys/net/ipv4/ip_forward to 1
> > > > > > > > > > > > > but still i cant see any trafiic to
> > > > > eth0
> > > > > > > > > > > interface (ip
> > > > > > > > > > > > > 10.2.4.2)
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > > I have also tested this one
> > > > > > > > > > > > > iptables -t nat -A PREROUTING -p tcp
> > > > > -d
> > > > > > > > > > > 143.233.222.77
> > > > > > > > > > > > > (laptop eth1 card) --dport 22453 (i
> > > > > have
> > > > > > > > > cheched
> > > > > > > > > > > dst
> > > > > > > > > > > > > port with tcpdump) 00 -j DNAT
> > > > > > > > > --to-destination
> > > > > > > > > > > > > 10.2.4.1
> > > > > > > > > > > > > this still doesnt work
> > > > > > > > > > > > > Every time i try to apply a new rule
> > > > > i
> > > > > > > use
> > > > > > > > > first
> > > > > > > > > > > > > the iptables -F
> > > > > > > > > > > > > iptables -t nat -F command
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > I'm a little confused about what you
> > > > > are
> > > > > > > > > doing. I
> > > > > > > > > > > would normally refer
> > > > > > > > > > > > you to Oskar Andreasson's excellent
> > > > > > > tutorial
> > > > > > > > > at
> > > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > http://iptables-tutorial.frozentux.net/iptables-tutorial.html
> > > > > > > > > > > or the
> > > > > > > > > > > > training slides on the ISCS web site
> > > > > > > > > > > (http://iscs.sourceforge.net) but,
> > > > > > > > > > > > since it appears that you have an
> > > > > > > emergency,
> > > > > > > > > here
> > > > > > > > > > > goes:
> > > > > > > > > > > >
> > > > > > > > > > > > First, if the source is
> > > > > 143.233.222.253,
> > > > > > > you
> > > > > > > > > would
> > > > > > > > > > > not want to DNAT it.
> > > > > > > > > > > > DNAT changes the destination. Thus,
> > > > > your
> > > > > > > > > second
> > > > > > > > > > > attempt is the correct
> > > > > > > > > > > > one. You might want to lock the
> > > > > > > destination
> > > > > > > > > port
> > > > > > > > > > > - it's not likely to
> > > > > > > > > > > > be a problem but, if it ever is, it
> > > > > will
> > > > > > > be
> > > > > > > > > one of
> > > > > > > > > > > those really hard to
> > > > > > > > > > > > diagnose, sporadic problems:
> > > > > > > > > > > > -j DNAT --to-destination
> > > > > 10.2.4.1:22453
> > > > > > > > > > > >
> > > > > > > > > > > > Second, this only takes care of the
> > > > > > > > > addressing.
> > > > > > > > > > > You must still allow
> > > > > > > > > > > > the traffic in the FORWARD chain of
> > > > > the
> > > > > > > filter
> > > > > > > > > > > table, e.g.,
> > > > > > > > > > > >
> > > > > > > > > > > > iptables -A FORWARD -d 10.2.4.1 -p 6
> > > > > > > --dport
> > > > > > > > > 22453
> > > > > > > > > > > -j ACCEPT
> > > > > > > > > > > >
> > > > > > > > > > > > Hope this helps - John
> > > > > > > > > > >
> > > > > > > > > > > Oh, yes, you wanted to restrict the
> > > > > source
> > > > > > > > > address.
> > > > > > > > > > > Add that to your
> > > > > > > > > > > filter table rule:
> > > > > > > > > > > iptables -A FORWARD -s 143.233.222.253
> > > > > -d
> > > > > > > > > 10.2.4.1
> > > > > > > > > > > -p 6 --dport 22453 -j
> > > > > > > > > > > ACCEPT
> > > > > > > > > > > --
> > > > > > > > > > > John A. Sullivan III
> > > > > > > > > > > Open Source Development Corporation
> > > > > > > > > > > +1 207-985-7880
> > > > > > > > > > > jsullivan@opensourcedevel.com
> > > > > > > > > > >
> > > > > > > > > > > If you would like to participate in the
> > > > > > > > > development
> > > > > > > > > > > of an open source
> > > > > > > > > > > enterprise class network security
> > > > > management
> > > > > > > > > system,
> > > > > > > > > > > please visit
> > > > > > > > > > > http://iscs.sourceforge.net
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > >
> > > > > __________________________________________________
> > > > > > > > > > Do You Yahoo!?
> > > > > > > > > > Tired of spam? Yahoo! Mail has the best
> > > > > spam
> > > > > > > > > protection around
> > > > > > > > > > http://mail.yahoo.com
> > > > > > > > > --
> > > > > > > > > John A. Sullivan III
> > > > > > > > > Open Source Development Corporation
> > > > > > > > > +1 207-985-7880
> > > > > > > > > jsullivan@opensourcedevel.com
> > > > > > > > >
> > > > > > > > > Financially sustainable open source
> > > > > development
> > > > > > > > > http://www.opensourcedevel.com
> > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > __________________________________________________
> > > > > > > > Do You Yahoo!?
> > > > > > > > Tired of spam? Yahoo! Mail has the best spam
> > > > > > > protection around
> > > > > > > > http://mail.yahoo.com
> > > > > > > --
> > > > > > > John A. Sullivan III
> > > > > > > Open Source Development Corporation
> > > > > > > +1 207-985-7880
> > > > > > > jsullivan@opensourcedevel.com
> > > > > > >
> > > > > > > Financially sustainable open source development
> > > > > > > http://www.opensourcedevel.com
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > __________________________________
> > > > > > Yahoo! Mail - PC Magazine Editors' Choice 2005
> > > > > > http://mail.yahoo.com
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > > >
> > > >
> > > > __________________________________
> > > > Yahoo! Mail - PC Magazine Editors' Choice 2005
> > > > http://mail.yahoo.com
> > > >
> > > --
> > > John A. Sullivan III
> > > Open Source Development Corporation
> > > +1 207-985-7880
> > > jsullivan@opensourcedevel.com
> > >
> > > Financially sustainable open source development
> > > http://www.opensourcedevel.com
> > >
> > >
> >
> >
> >
> >  ________________________________
> > Yahoo! for Good
> >  Click here to donate to the Hurricane Katrina relief effort.
> >
> >
> 
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com

RE: Plz i need help.... or i ll be fired :(

[Derick Anderson]

Comments inline, consider not top-posting, it makes reading so much
easier...

> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org 
> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Alaios
> Sent: Tuesday, September 27, 2005 4:24 PM
> To: John A. Sullivan III
> Cc: netfilter@lists.netfilter.org
> Subject: Re: Plz i need help.... or i ll be fired :(
> 
> Its not on a different network.. eth1 is directly connected 
> with this network

But it is on a different network.

> 
> "John A. Sullivan III" <jsullivan@opensourcedevel.com> wrote:
> What is the default gateway for the laptop? How does it get to
> 143.233.222.253 since that is on a different network? - John
> 
> On Tue, 2005-09-27 at 09:52 -0700, Alaios wrote:

Notice that our target host is 143.233.222.253.

[eth0 snipped]
 
> > eth1 Link encap:Ethernet HWaddr
> > 00:02:2D:3B:1D:96
> > inet addr:143.233.222.77
> > Bcast:255.255.255.255 Mask:255.255.255.192

[non-essential stuff snipped]

Your internet address is 143.233.222.77 and your network mask is
255.255.255.192. That 192 means you only have 64 IPs in your network. If
you don't believe me then google CIDR masks for yourself like I did a
couple years back. Now supposing that your network address is
143.233.222.76 (and it is probably 143.233.222.64), you run out of IPs
at 143.233.222.139, which is your network's default broadcast address.
This is quite far away from 143.233.222.253 so your packet never gets to
the intended host.

[lo snipped]

> > Kernel IP routing table
> > Destination Gateway Genmask Flags
> > Metric Ref Use Iface
> > 143.233.222.64 0.0.0.0 255.255.255.192 U 0 0 0 eth1 
> 10.0.0.0 0.0.0.0 
> > 255.0.0.0 U 0 0 0 eth0 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo

[A ton of stuff snipped]

Notice your first routing entry there, which has the same netmask ending
in 192. When a packet comes to your router, the router looks through all
the entries for a matching subnet. It sees 143.233.222.253 is the
destination IP, and looks at 143.233.222.64/255.255.255.192. Since (as I
suspected earlier), your subnet starts with .64, your IP range ends at
.127, not .255. Your router says, "Well we can't use that route", so it
checks the next one, which also does not match, and finally the last
entry, which also does not match. Having no default gateway, it discards
the packet and moves on.

iptables is not the issue - it is a routing problem. Either put the host
between .65 and .126 (.64 is your network address and .127 is supposed
to be broadcast), or change your routing table/network setup so you've
got a 255.255.255.0 network instead of a 255.255.255.192.

Derick Anderson

RE: Plz i need help.... or i ll be fired :(

[Nick Taylor]

<-------removed on topic discussion to rant off topic------>

> Your internet address is 143.233.222.77 and your network mask is
> 255.255.255.192. That 192 means you only have 64 IPs in your network. If
> you don't believe me then google CIDR masks for yourself like I did a
> couple years back. Now supposing that your network address is
> 143.233.222.76 (and it is probably 143.233.222.64), you run out of IPs
> at 143.233.222.139, which is your network's default broadcast address.
> This is quite far away from 143.233.222.253 so your packet never gets to
> the intended host.
>

So many people can't understand binary, and it's statements like the one
above that make this so confusing for people.  There's no such thing as a
"network address" that doesn't fall on a subnet boundry.  The math is so
simple, please try to understand, it will make the world a better place:

143.233.222.77 NETMASK 255.255.255.192

In binary the netmask reads:
11111111.11111111.11111111.11000000

This means that there are 64 addresses in the network, but it's much more
specific.  Try to understand *which* 64 addresses, and *why*.

What exactly is a netmask then, you may ask?

Computer X wants to talk to computer Y

X must know whether Y is on the same network as X.  If they are on the
same network, X must use local delivery.  Otherwise, X must route the
message to Y.  X knows its own address and its own netmask, and Y's
address, and that's all it needs.

X checks to see if it's network address is the same as Y's network
address.  If the network addresses are the same, then they must be on the
same network.

Any bit which is set in the netmask must match in X and Y's address.

So, the network address in the example above, given the ip address and
netmask HAS TO BE:143.233.222.64.  No other "network address" is
meaningful.  Setting the "network address" to .76 would mean in binary:
01001100, but the netmask ends:
11000000, which means the network address has to be one of the following:

00000000 =   0,
01000000 =  64,
10000000 = 128, or
11000000 = 192.

These are the ONLY four network addresses that make sense
with this netmask.  You'll notice that if we extend the netmask one more
bit to the right, 11100000 = 224, the possibilities are now:


00000000 =   0,
00100000 =  32,
01000000 =  64,
01100000 =  96,
10000000 = 128,
10100000 = 160,
11000000 = 192,
11100000 = 224

Re: Plz i need help.... or i ll be fired :(

[Edmundo Carmona]

Which takes us to the very next point.

How do people dare facing the "challenge" of a Firewall.... if
networking concepts are not so clear? :-)

RE: Plz i need help.... or i ll be fired :(

[Seferovic Edvin]

Egoistic... hm.. setting up 2 network cards is not too hard... sure I can be
a network security consultant :D

Regards,

Edvin Seferovic 

-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Edmundo Carmona
Sent: Mittwoch, 28. September 2005 01:33
To: netfilter@lists.netfilter.org
Subject: Re: Plz i need help.... or i ll be fired :(

Which takes us to the very next point.

How do people dare facing the "challenge" of a Firewall.... if
networking concepts are not so clear? :-)

RE: Plz i need help.... or i ll be fired :(

[Derick Anderson]

 

> -----Original Message-----
> From: Nick Taylor [mailto:nickt@lightlink.com] 
> Sent: Tuesday, September 27, 2005 6:30 PM
> To: Derick Anderson
> Cc: Alaios; netfilter@lists.netfilter.org
> Subject: RE: Plz i need help.... or i ll be fired :(
> 
> <-------removed on topic discussion to rant off topic------>
> 
> > Your internet address is 143.233.222.77 and your network mask is 
> > 255.255.255.192. That 192 means you only have 64 IPs in 
> your network. 
> > If you don't believe me then google CIDR masks for yourself 
> like I did 
> > a couple years back. Now supposing that your network address is
> > 143.233.222.76 (and it is probably 143.233.222.64), you run 
> out of IPs 
> > at 143.233.222.139, which is your network's default 
> broadcast address.
> > This is quite far away from 143.233.222.253 so your packet 
> never gets 
> > to the intended host.
> >
> 
> So many people can't understand binary, and it's statements 
> like the one above that make this so confusing for people.  
> There's no such thing as a "network address" that doesn't 
> fall on a subnet boundry.  The math is so simple, please try 
> to understand, it will make the world a better place:

Apologies for not being more precise in my post. I was 99% sure of what
you just said but figured an in-depth discussion of CIDR masks was
overkill - having said that you've provided a more complete and
understandable explanation than I probably would have.