* IPTables Query
From: harish.k @ 2002-10-23 6:37 UTC
To: netfilter
Hello List,
This is my first mail to the Netfilter List. I am a newbie to
IPTables, so please be gentle :-)
I have a Red Hat Linux 7.3 box running iptables-1.2.5-3.
I am using iptables primarily for Source NAT.
The machine has two IP Addresses
eth0 : 172.25.8.130
eth0:0 : 172.25.8.125
I am terribly confused with the OUTPUT chain. I have read in
the documentation that the OUTPUT chain is used for locally
generated packets. The machine always uses the IP Add of eth0
for any locally generated packets. How do I configure the OUTPUT
chain so that the machine uses the IP Add 172.25.8.125 when it
makes requests for specific ports or protocols?
For example, I want the machine to use the source IP 172.25.8.125
whenever it runs a DNS query. How do I go about this?
TIA
Rgds
--
---------------------------------------------------------------
Harish K <harish.k@lntinfotech.com>
Systems Engineer Tel - 91-22-6948065
Don't drink and drive. You might hit a bump and spill your beer
---------------------------------------------------------------
* RE: IPTables Query
From: Stewart Thompson @ 2002-10-23 8:00 UTC
To: harish.k, netfilter
Hi:
This isn't really practical. Most routers will drop packets
from private ranges, so your request won't make it to its destination
anyway. Netfilter will make sure the request gets back to the right
machine. Why do you need this?
Stu..........
* RE: IPTables Query
From: harish.k @ 2002-10-23 8:07 UTC
To: stewart.thompson; +Cc: netfilter
Hi Stewart,
I have a Checkpoint firewall sitting in front of me. Its IP Add is
172.25.8.1. This machine does the NAT and filter functions.
It is in turn connected to a router thru another interface and to the
Internet.
The IP Add 172.25.8.125 *has* permission to pass thru, but the IP
172.25.8.130 does not. So locally generated packets destined for
DNS servers need to have the source IP of 172.25.8.125.
Rgds
* Re: IPTables Query
From: Antony Stone @ 2002-10-23 9:57 UTC
To: netfilter
On Wednesday 23 October 2002 7:37 am, harish.k@lntinfotech.com wrote:
> Hello List,
>
> I have a Red Hat Linux 7.3 box running iptables-1.2.5-3.
> I am using iptables primarily for Source NAT.
> The machine has two IP Addresses
>
> eth0 : 172.25.8.130
> eth0:0 : 172.25.8.125
>
> I am terribly confused with the OUTPUT chain. I have read from
> the documentation that the OUTPUT chain is used for locally
> generated packets.
That is correct. iptables is very different from ipchains (if you have used
that before?) in terms of which chains are traversed by packets into, out
of, or through the machine.
> The machine always uses the IP Add of eth0
> for any locally generated packets. How do I configure the OUTPUT
> chain such that the machine uses the IP Add 172.25.8.125 when it
> requests for specific ports or protocols.
Remember that all packets leaving your machine, whether they originated from
the local machine (i.e. they came through the OUTPUT chain) or came from
another machine and got routed through the netfilter box (i.e. they came
through the FORWARD chain), will pass through the POSTROUTING chain just
before they exit the interface.
Therefore you can put a SNAT rule into your POSTROUTING chain to change the
source address of packets for specific protocols.
Antony.
--
G- GIT/E d- s+:--(-) a+ C++++$ UL++++$ P+(---)>++ L+++(++++)$ !E W(-) N(-) o?
w-- O !M V+++(--) !PS !PE Y+ PGP+> t- tv@ b+++ DI++ D--- e++>+++ h++ r@? 5?
!X- !R K--?
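The POSTROUTING SNAT rule Antony describes, written out as an added example; this is not code from the thread. It assumes the addresses from Harish's mail (eth0 carrying 172.25.8.130 with the alias 172.25.8.125), that the CheckPoint firewall in front lets 172.25.8.125 out, and that the IPT variable and the "apply" argument are conveniences of this script rather than anything iptables provides.

```shell
#!/bin/sh
# Added example (not from the thread): source-NAT this box's own DNS queries
# in the nat POSTROUTING chain. Assumed values: out interface eth0, primary
# address 172.25.8.130, alias 172.25.8.125 (from Harish's mail). IPT defaults
# to the iptables binary; set IPT=echo for a dry run that only prints rules.
IPT="${IPT:-iptables}"

PRIMARY=172.25.8.130
ALIAS=172.25.8.125
OUT_IF=eth0

# Emit one SNAT rule per DNS transport. Matching on the primary source address
# limits the rewrite to packets this host generated: forwarded traffic also
# passes POSTROUTING and must be left alone. SNAT is only valid in
# nat/POSTROUTING, which is why the OUTPUT chain cannot do this job.
snat_dns_rules() {
    for proto in udp tcp; do
        "$IPT" -t nat -A POSTROUTING -o "$OUT_IF" -s "$PRIMARY" \
            -p "$proto" --dport 53 -j SNAT --to-source "$ALIAS"
    done
}

# List the nat POSTROUTING chain with counters so the rules can be verified.
# Connection tracking reverses the translation on the replies by itself.
show_nat() {
    "$IPT" -t nat -L POSTROUTING -n -v
}

# Only touch the live ruleset when explicitly asked to.
if [ "${1:-}" = "apply" ]; then
    snat_dns_rules && show_nat
fi
```

Run it as root with the argument apply to install the rules, or with IPT=echo to see the exact commands first. The -s 172.25.8.130 match matters because POSTROUTING also sees forwarded traffic; without it every port 53 packet leaving eth0 would be rewritten. Anything the box sends with an explicitly bound source of 172.25.8.125 already carries that address and is untouched.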
* RE: IPTables Query
From: Stewart Thompson @ 2002-10-23 18:26 UTC
To: harish.k; +Cc: netfilter
Hi Harish:
Perhaps I should have asked for more facts. I assumed,
perhaps incorrectly, that you wanted to forward the DNS request
across the Internet. It is my understanding that your IP fell within
the private Class B IP range of 172.16.0.0 - 172.31.255.255.
It is also my understanding that routers on the Internet drop IPs
that fall into established private IP ranges. If I am wrong on this
point, someone please correct me.
Stu..........
* Re: IPTables Query
From: Antony Stone @ 2002-10-23 18:46 UTC
To: netfilter
On Wednesday 23 October 2002 7:26 pm, Stewart Thompson wrote:
> Hi Harish:
>
> Perhaps I should have asked for more facts. I assumed,
> perhaps incorrectly, that you wanted to forward the DNS request
> across the Internet. It is my understanding that your IP fell within
> the private Class B IP range of 172.16.0.0 - 172.31.255.255.
> It is also my understanding that routers on the Internet drop IPs
> that fall into established private IP ranges. If I am wrong on this
> point, someone please correct me.
You are correct in your assumption. Routers have for a long time dropped
packets with private destination addresses (if for no other reason than
there's nowhere to send them), and it is very common nowadays for routers
also to drop packets with private source addresses, so they don't even reach
their (perfectly legally addressed) destination.
However, since Harish says he has a CheckPoint FW-1 between his Linux box and
the Internet, doing NAT for him, it will allow originally 172.16.x.y
addressed packets to get out and the replies to come back again. Hence the
desire to send DNS requests from a specific private IP address seems
reasonable in this case.
I hope that my earlier response, suggesting the use of the POSTROUTING chain,
is helpful in achieving this.
Antony.
--
Behind the counter a boy with a shaven head stared vacantly into space,
a dozen spikes of microsoft protruding from the socket behind his ear.
- William Gibson, Neuromancer (1984)
* RE: IPTables Query
From: harish.k @ 2002-10-24 4:11 UTC
To: stewart.thompson; +Cc: netfilter, netfilter-admin
Hi Stewart,
I'm sorry if I've not been clear. The Checkpoint Firewall NATs all
requests from the 172.16-31 range to a valid 203.199.x.x IP Add and
sends them out to the internet.
Rgds
Harish
* iptables query
From: Hitesh Ballani @ 2004-03-12 8:09 UTC
To: netfilter
Hello,
I had another question. I need a method to do one of the following two
things:
1. I receive a packet on an interface and apply source NAT, but I also need
to change the destination address!
or
2. I receive the packet and send it over a tunnel interface (based on the
destination address), but I also need to change the destination address (the
ROUTE patch allows me to direct the packet to the tunnel interface based on
the destination address, but how do I change this address before it is sent
to the tunnel interface)? Also, if I have multiple tunnel interfaces as
options for one destination address, can I achieve a round-robin kind of
usage between them?
Thanks,
Hitesh
* iptables query
From: shardul Adhikari @ 2005-03-25 5:37 UTC
To: netfilter
Hi list,
I am relatively new to iptables.
I am trying this:
iptables -A PREROUTING -t nat -i eth0 -d 202.75.112.3 --dport 8080 -j REDIRECT --to-port 3128
Now the problem is it does not get redirected.
If I remove the -d part, it works just fine,
but I do not want to redirect for any destination, only if the
request comes for a particular destination.
Is there anything wrong that I am doing, or do I have to use some
different chain or ruleset?
Please help.
* Re: iptables query
From: Toby @ 2005-03-25 8:54 UTC
To: netfilter
shardul Adhikari wrote:
> iptables -A PREROUTING -t nat -i eth0 -d 202.75.112.3 --dport 8080 -j
> REDIRECT --to-port 3128
I don't see "-p tcp" in that rule. You can use --dport or --sport only
if you specify "-p tcp" or "-p udp".
For this reason, that rule will give you an error if you try and run it.
Before you correct your mistake, you should look for the error message
and see where it is displayed, so that you can more easily discover
future mistakes and problems.
Toby
--
Love(n): The delusion that one woman differs from another.
H.L. Mencken
* Re: iptables query
From: shardul Adhikari @ 2005-03-25 9:28 UTC
To: netfilter
-p tcp is there; I forgot to mention it, sorry for that.
The rule is getting accepted, as it is showing in iptables -L -t nat.
* Re: iptables query
From: shardul Adhikari @ 2005-03-27 11:14 UTC
To: netfilter
Basically what I am trying to do is redirect any request going to
202.75.112.3 on port 8080 to port 3128 on the same machine.
Will that be possible, or do I have to set up a separate iptables
server for that purpose?
My iptables, squid and dansguardian are running on the same machine.
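Toby's point (a --dport or --sport match is only accepted together with -p tcp or -p udp) and Shardul's goal (send requests for 202.75.112.3:8080 to the proxy on port 3128 of the same box), combined in one added example that is not code from the thread. It assumes the address, ports and interface posted in the thread, that check_rule, add_rule and the IPT/apply conveniences are this script's own, and that the proxy on 3128 never fetches from 202.75.112.3:8080 itself (if it did, the nat/OUTPUT rule would loop its own connections back to it and would need an owner-match exclusion).

```shell
#!/bin/sh
# Added example (not from the thread): REDIRECT rules for 202.75.112.3:8080
# -> local port 3128, guarded by a check that a port match is accompanied by
# a transport protocol. Values assumed from the thread; IPT=echo prints the
# rules instead of installing them.
IPT="${IPT:-iptables}"

# Return 0 when the rule arguments are consistent: --dport/--sport require
# -p tcp or -p udp, otherwise iptables rejects the rule at load time.
# Usage: check_rule <iptables args...>
check_rule() {
    proto=""
    needs_proto=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -p|--protocol) [ $# -ge 2 ] && proto="$2" && shift ;;
            --dport|--sport|--destination-port|--source-port) needs_proto=1 ;;
        esac
        shift
    done
    if [ "$needs_proto" -eq 1 ]; then
        case "$proto" in
            tcp|udp) return 0 ;;
            *) echo "rule uses a port match without -p tcp or -p udp" >&2
               return 1 ;;
        esac
    fi
    return 0
}

# Install (or, with IPT=echo, print) a rule only if it passes the check.
add_rule() {
    check_rule "$@" && "$IPT" "$@"
}

# Requests from other hosts arrive on eth0 and are caught in nat/PREROUTING.
# Packets the box generates itself never traverse PREROUTING, so a second
# rule in nat/OUTPUT covers clients running on the same machine.
redirect_rules() {
    add_rule -t nat -A PREROUTING -i eth0 -p tcp -d 202.75.112.3 --dport 8080 \
        -j REDIRECT --to-port 3128
    add_rule -t nat -A OUTPUT -p tcp -d 202.75.112.3 --dport 8080 \
        -j REDIRECT --to-port 3128
}

# Only touch the live ruleset when explicitly asked to.
if [ "${1:-}" = "apply" ]; then
    redirect_rules && "$IPT" -t nat -L -n -v
fi
```

Running the script with IPT=echo shows the two commands; running it as root with the argument apply installs them and lists the nat table with counters, which is the quickest way to see whether the PREROUTING rule is actually matching packets. REDIRECT only ever sends traffic to an address of the local box, so it does the job Shardul asks about without a separate iptables host.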