* Problem reexplained.....
@ 2005-09-27 16:14 Alaios
2005-09-27 16:26 ` Edmundo Carmona
2005-09-28 9:49 ` Jörg Harmuth
0 siblings, 2 replies; 7+ messages in thread
From: Alaios @ 2005-09-27 16:14 UTC (permalink / raw)
To: netfilter
Let me reexplain the problem, please.
From src 143.233.222.253 starts some traffic that goes
to 143.233.222.77; this is the eth1 of the laptop.
The laptop also has one more interface, 10.2.4.1,
that is connected back to back (cross cable) with the
interface of another PC with IP address 10.2.4.2.
I want the traffic that reaches 143.233.222.77 to reach
10.2.4.2.
This is the first step. When I successfully implement
this, the next step is to forward this traffic
from the PC to a second PC (I'll use the same
methodology if step one works).
So for now we can focus only on the first step.
Please keep in mind that I don't have any firewall enabled.
/proc/sys/net/ipv4/ip_forward is set to 1. I have no
other iptables rules applied. I will only apply what
you write.
Before applying any iptables rules, I first do
iptables -F
iptables -F -t nat
(if more flush commands are necessary, please say so).
So I need your help to implement this simple task.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Problem reexplained.....
2005-09-27 16:14 Problem reexplained Alaios
@ 2005-09-27 16:26 ` Edmundo Carmona
2005-09-27 16:49 ` Alaios
2005-09-28 9:49 ` Jörg Harmuth
1 sibling, 1 reply; 7+ messages in thread
From: Edmundo Carmona @ 2005-09-27 16:26 UTC (permalink / raw)
To: netfilter
Well... first, easiest (probably insecure) attempt:
iptables -P FORWARD ACCEPT
iptables -t nat -A PREROUTING -d 143.233.222.77 -j DNAT \
    --to-destination 10.2.4.2
echo 1 > /proc/blah/blah
That should establish communication between the internet and the 10.2.4.2
box (started from the internet).
^ permalink raw reply [flat|nested] 7+ messages in thread
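Added example, not part of the thread: the same DNAT written as an iptables-restore ruleset that keeps FORWARD at default-deny instead of `-P FORWARD ACCEPT`, admits only the one source named in the thread, and logs what it drops. The function name is ours, eth1 as the public side comes from the thread, and eth0 as the 10.2.4.1 side is an assumption based on the tcpdump command used later.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Emits a ruleset for iptables-restore.
# Assumptions: eth1 = public side (stated in the thread), eth0 = 10.2.4.1
# side (inferred, not stated); gen_dnat_ruleset is a name chosen here.

gen_dnat_ruleset() {
    local src="$1" pub_ip="$2" dst_ip="$3" pub_if="$4" lan_if="$5"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i ${pub_if} -s ${src} -d ${pub_ip} -j DNAT --to-destination ${dst_ip}
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${pub_if} -o ${lan_if} -s ${src} -d ${dst_ip} -m state --state NEW -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
COMMIT
EOF
}

# Print the ruleset for the addresses given in the thread. Validate it with
#   gen_dnat_ruleset ... | iptables-restore --test
# before loading it for real (both need root).
gen_dnat_ruleset 143.233.222.253 143.233.222.77 10.2.4.2 eth1 eth0
```

Packets that match neither ACCEPT rule reach the LOG rule before the DROP policy applies, so the kernel log shows which forwarded traffic is being refused.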
* Re: Problem reexplained.....
2005-09-27 16:26 ` Edmundo Carmona
@ 2005-09-27 16:49 ` Alaios
2005-09-27 16:53 ` Edmundo Carmona
2005-09-27 17:30 ` AragonX
0 siblings, 2 replies; 7+ messages in thread
From: Alaios @ 2005-09-27 16:49 UTC (permalink / raw)
To: Edmundo Carmona, netfilter
I have restarted my PC just to be sure. I have
run your commands, but tcpdump -i eth0 -vv -n gives
nothing :(
It doesn't work :(
I think it's time to start debugging. Please suggest
how to use logging efficiently so as to find out what
the problem is.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Problem reexplained.....
2005-09-27 16:49 ` Alaios
@ 2005-09-27 16:53 ` Edmundo Carmona
2005-09-27 17:30 ` AragonX
1 sibling, 0 replies; 7+ messages in thread
From: Edmundo Carmona @ 2005-09-27 16:53 UTC (permalink / raw)
To: netfilter
I would say it's a simple thing you are forgetting to consider. Maybe the
IPs you are using are not right... or the interfaces are not correct.
Double check.
Then start to build rules one by one, testing them... it normally
shouldn't fail.
In case you are not sure if it's the kernel, get a Live-CD distribution and try.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Problem reexplained.....
2005-09-27 16:49 ` Alaios
2005-09-27 16:53 ` Edmundo Carmona
@ 2005-09-27 17:30 ` AragonX
1 sibling, 0 replies; 7+ messages in thread
From: AragonX @ 2005-09-27 17:30 UTC (permalink / raw)
To: netfilter
<quote who="Alaios">
> I have restarted my pc just for being sure.. i have
> run your commands but the tcpdump -i eth0 -vv -n give
> nothing :(
> it doesnt work :(
> I think its time to start debugging. plz suggest me
> how to use efficiently logging so as to find out what
> the is the problem
I'm very new to iptables so I can't be of much help in that way. The
first thing I was thinking you should check is if you can communicate with
any machines at all. How are you connected to these machines? Through a
hub or directly? If directly, are you using the correct crossover cable?
I'm guessing both machines are running Linux. Some have built-in
firewalls that like to take over at random intervals if not turned off.
I would make sure your hardware is connected correctly, then make sure your
iptables is clear (iptables -L & iptables -t nat -n -L). Then ping a
machine on both interfaces.
Once you are sure that you can connect to machines on both interfaces,
then start working on your rules.
I'm sorry if this is too basic and you have tried all these things. :)
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Problem reexplained.....
2005-09-27 16:14 Problem reexplained Alaios
2005-09-27 16:26 ` Edmundo Carmona
@ 2005-09-28 9:49 ` Jörg Harmuth
2005-09-28 10:19 ` Jörg Harmuth
1 sibling, 1 reply; 7+ messages in thread
From: Jörg Harmuth @ 2005-09-28 9:49 UTC (permalink / raw)
To: netfilter
Alaios wrote:
> Let me reexplain the problem plz
> From src 143.233.222.253 starts some traffic that goes
> to the 143.233.222.77 this is the eth1 of the laptop
> The laptop has also one more interface the 10.2.4.1
> that is connected back to back (cross cable) with the
> interface of an other pc with ip address 10.2.4.2
> IO want the traffic that reaches 143.233.222.77 reach
> the 10.2.4.2
> This is the first step.. when i succesfully implement
> this then the next step is to forward this traffic
> from the pc to a second pc... ( i ll use the same
> methodology if step one works)
> So now we can only focus to the first step
> Plz take in mind that i dont have any firewall enables
> /proc/sys/net/ipv4/ip_forward is set to 1. I have no
> other iptables rules applied... I will only apply what
> u ll write to do..
> Before applying any iptables rules firstly i do
> iptables -F
> iptables -F -t nat
First do as AragonX recommended. There is no sense in continuing if the
basics aren't ok. Additionally check if the default gateway of 10.2.4.2
is set to 10.2.4.1. Then try Edmundo's approach and add
iptables -t nat -A POSTROUTING -o eth1 -j SNAT \
--to 143.233.222.77
Question: Is 143.233.222.77 a dial-up interface?
If it doesn't work, tcpdump on 143.233.222.77, then on 10.2.4.1, ...;
briefly: find the point where it breaks. You may post the dumps. Some
surrounding information could help too: ifconfig, route -n,
iptables-save, hmm - I think that should do.
Good luck,
Joerg
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Problem reexplained.....
2005-09-28 9:49 ` Jörg Harmuth
@ 2005-09-28 10:19 ` Jörg Harmuth
0 siblings, 0 replies; 7+ messages in thread
From: Jörg Harmuth @ 2005-09-28 10:19 UTC (permalink / raw)
To: netfilter
Jörg Harmuth wrote:
> Alaios wrote:
>> Let me reexplain the problem plz
>> From src 143.233.222.253 starts some traffic that goes
>> to the 143.233.222.77 this is the eth1 of the laptop
>> The laptop has also one more interface the 10.2.4.1
>> that is connected back to back (cross cable) with the
>> interface of an other pc with ip address 10.2.4.2
>> IO want the traffic that reaches 143.233.222.77 reach
>> the 10.2.4.2
>> This is the first step.. when i succesfully implement
>> this then the next step is to forward this traffic
>> from the pc to a second pc... ( i ll use the same
>> methodology if step one works)
>> So now we can only focus to the first step
>> Plz take in mind that i dont have any firewall enables
>> /proc/sys/net/ipv4/ip_forward is set to 1. I have no
>> other iptables rules applied... I will only apply what
>> u ll write to do..
>> Before applying any iptables rules firstly i do
>> iptables -F
>> iptables -F -t nat
>
>
> First do as AragonX recommended. There is no sense in continuing if the
> basics aren't ok. Additionally check if the default gateway of 10.2.4.2
> is set to 10.2.4.1. Then try Edmundo's approach and add
>
> iptables -t nat -A POSTROUTING -o eth1 -j SNAT \
> --to 143.233.222.77
>
> Question: Is 143.233.222.77 a dial-up interface ?
>
> If it doesn't work tcpdump on 143.233.222.77, then on 10.2.4.1,...,
> briefly: find the point, where it breaks. You may post the dumps. Some
> surrounding information could help too: ifconfig, route -n,
> iptables-save, hmm - I think that should do.
>
> Good luck,
>
> Joerg
Humm, I should have read the whole thread before posting, especially the
previous one :( My fault.
Yes, indeed. In the first place this is a routing problem. Read Nick's
charming explanation of subnet masks and you will see that it can't
work. Do as others recommended: put a box between or change 253 to
something lower than 127 or change your network from 64/26 to 192/26 or
add a default gateway (you could try route add default eth1 - maybe it
works) - whatever you are able to do. But first fix your routing.
Good luck,
Joerg
^ permalink raw reply [flat|nested] 7+ messages in thread
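Added example, not part of the thread: a small longest-prefix route lookup showing why the laptop has no route back to 143.233.222.253 when eth1 sits in 143.233.222.64/26 and there is no default gateway. The /26 comes from the "64/26" in the message above; the /24 on the 10.2.4.x link, eth0 as its device name, and the function names are assumptions made here.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): route lookup for the laptop.
# Assumptions: 10.2.4.0/24 on eth0 is a guess; ip2int/lookup are our names.

ip2int() {                      # dotted quad -> 32-bit integer
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# lookup DEST ROUTE...   each ROUTE is "network/prefix:device".
# Prints the device of the longest matching prefix, or "unreachable".
lookup() {
    local dest best_len=-1 best_dev=unreachable r net len dev mask
    dest=$(ip2int "$1"); shift
    for r in "$@"; do
        dev=${r#*:}; net=${r%%/*}; len=${r#*/}; len=${len%%:*}
        if [ "$len" -eq 0 ]; then mask=0
        else mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF )); fi
        if [ $(( dest & mask )) -eq $(( $(ip2int "$net") & mask )) ] \
           && [ "$len" -gt "$best_len" ]; then
            best_len=$len; best_dev=$dev
        fi
    done
    echo "$best_dev"
}

# Connected routes only, as on a laptop with no default gateway.
ROUTES="143.233.222.64/26:eth1 10.2.4.0/24:eth0"

lookup 143.233.222.253 $ROUTES                  # .253 is in 192/26, not 64/26
lookup 143.233.222.100 $ROUTES                  # an address inside 64/26
lookup 143.233.222.253 $ROUTES 0.0.0.0/0:eth1   # with a default route on eth1
```

The first lookup finds no matching prefix, which is the case where the kernel has nowhere to send replies; the other two correspond to the fixes suggested above (an address inside the 64/26 range, or a default route on eth1).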