Hello:

I have this setup:

    Internet -- Linux Server -- Switch -- Internal Machine

The Linux server is running Redhat Linux 7.3 and is running iptables for firewall.

Let's say, for example, that the Linux server is running on IP address 11.22.33.44 and the internal machine is running on IP address 192.168.1.234.

I want to set up the Linux server so that a connection to my IP address of 11.22.33.55 actually connects to 192.168.1.234 and vice-versa. In other words, the outside world should see my internal machine as 11.22.33.55.

How would I set this up?

Thanks,
Neil.

--
Neil Aggarwal
JAMM Consulting, Inc. (972) 612-6056, http://www.JAMMConsulting.com
Custom Internet Development Websites, Ecommerce, Java, databases
Sat, 2002-06-01 at 07:17, Neil Aggarwal wrote:

> I want to set up the Linux server so that a connection
> to my IP address of 11.22.33.55 actually connects to
> 192.168.1.234 and vice-versa.
> In other words, the outside world should see my internal
> machine as 11.22.33.55.

Inasmuch as this is a perfectly normal use of Netfilter (iptables), I reckon that you're asking in the wrong group. Try netfilter@lists.samba.org.

Best,
Tony

--
Tony Earnshaw
e-mail: tonni@billy.demon.nl
www: http://www.billy.demon.nl
gpg public key: http://www.billy.demon.nl/tonni.armor
Phone: (+31) (0)172 530428
Mobile: (+31) (0)6 51153356
GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981 3BE7B981
> Inasmuch as this is a perfectly normal use of Netfilter (iptables), I
> reckon that you're asking in the wrong group.

Copy-paste can never hurt :)

    iptables -t nat -A PREROUTING -p tcp -d $EX_IP --dport 8080 -j DNAT --to 192.168.1.253:80

All traffic entering the external IP of my firewall on port 8080 is forwarded to my internal web server.

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager" http://www.docum.org/
#lartc @ irc.openprojects.net
Sat, 2002-06-01 at 09:37, Stef Coene wrote:

> > Inasmuch as this is a perfectly normal use of Netfilter (iptables), I
> > reckon that you're asking in the wrong group.
> Copy-paste can never hurt :)
> iptables -t nat -A PREROUTING -p tcp -d $EX_IP --dport 8080 -j DNAT --to
> 192.168.1.253:80
> All traffic entering the external IP of my firewall on port 8080 is forwarded
> to my internal web server.

Yerrrs, but now there's the FORWARDing rule, then there's the POSTROUTING and SNAT rule back etc. etc. that you haven't included. He won't make it work without them. Then there's the /proc/sys/net/ipv4/ip_forward that you haven't included, etc. etc.

The bloke is obviously in the wrong group, he'll be having more problems and these should not be addressed on this list, which is for something completely different. God knows, iproute2 problems are complicated enough as they are.

Best,
Tony

--
Tony Earnshaw
e-mail: tonni@billy.demon.nl
www: http://www.billy.demon.nl
gpg public key: http://www.billy.demon.nl/tonni.armor
Phone: (+31) (0)172 530428
Mobile: (+31) (0)6 51153356
GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981 3BE7B981
I know the other list is for netfilter stuff but heck, if I can help I'll give it a try...

Here is a more general script that should work:

**************************************************************
#!/bin/sh
EX_IP="11.22.33.55"
IN_IP="192.168.1.253"
IPTABLES="/sbin/iptables"
#
# Be sure to modprobe the modules you need here - an exercise
# for the reader.
#
echo "Zeroing all iptables, deleting all user defined chains"
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X

echo "Setting up default policies to ACCEPT"
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

echo "setting up masquerading rules"
# Incoming packets addressed to EX_IP are rewritten to IN_IP;
# packets leaving from IN_IP are rewritten to come from EX_IP.
$IPTABLES -t nat -A PREROUTING -d $EX_IP -j DNAT --to $IN_IP
$IPTABLES -t nat -A POSTROUTING -s $IN_IP -j SNAT --to $EX_IP

echo "Turning on IP forwarding"
echo "1" > /proc/sys/net/ipv4/ip_forward
exit 0
****************************************************************

Note that this rule set provides absolutely no security. Any packet, any protocol, any port of any protocol (for protocols like TCP and UDP that have ports) that comes in bound for EX_IP will be NAT-ed and redirected to IN_IP. And any new conversation initiated by IN_IP will be masqueraded to look to the outside world like it came from EX_IP.

Also note, I copied and pasted this from sections of my own firewall script. I have not tested the above script anyplace, so take that for what it's worth.
- Greg

-----Original Message-----
From: Stef Coene [mailto:stef.coene@docum.org]
Sent: Saturday, June 01, 2002 2:38 AM
To: Tony Earnshaw; Neil Aggarwal
Cc: Linux Advanced Routing & Traffic Control List
Subject: Re: [LARTC] How to
Sat, 2002-06-01 at 16:55, Greg Scott wrote:

> I know the other list is for netfilter stuff but heck, if I can help
> I'll give it a try...

Sigh. I don't see any FORWARD rule here. You know, like between the interfaces. And what's '-t mangle' got to do with anything?

*Let the fellow go to a list that will look after him properly*

Best,
Tony

--
Tony Earnshaw
e-mail: tonni@billy.demon.nl
www: http://www.billy.demon.nl
gpg public key: http://www.billy.demon.nl/tonni.armor
Phone: (+31) (0)172 530428
Mobile: (+31) (0)6 51153356
GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981 3BE7B981
Take a look here: http://netfilter.samba.org/documentation/ for pointers to lots and lots of detailed explanations. The answers you want are in there - but you'll need to do some studying.

> I don't see any FORWARD rule here. You know, like between the
> interfaces. And what's '-t mangle' got to do with anything?

That's right. You don't need any for your application. Remember that netfilter rules are generally for **filtering** packets, not for forwarding packets. Take a look at the line towards the bottom of the script I sent that turns on IP forwarding. That line turns your Linux system into a router. It tells the kernel to forward packets from one ethernet interface to the other and out to the network on the other end.

The -t mangle stuff is just being thorough. Netfilter has several tables and the mangle table is one of them. It's good practice to flush and zero all tables when you set these scripts up. Take it out if you want.

- Greg

-----Original Message-----
From: Tony Earnshaw [mailto:tonni@billy.demon.nl]
Sent: Saturday, June 01, 2002 10:05 AM
To: Greg Scott
Cc: Stef Coene; Neil Aggarwal; Linux Advanced Routing & Traffic Control List
Subject: RE: [LARTC] How to
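Tony's FORWARD objection and Greg's own note that his script "provides absolutely no security" point the same way: the 1:1 NAT in Stef's one-liner and Greg's script is complete once the FORWARD chain defaults to DROP and admits only the published ports. The script below is an added example, not code from anyone in the thread; it assumes eth0 outside and eth1 inside, the EX_IP/IN_IP values from Greg's script, and TCP 80 and 443 as the published services, and it prints the rules instead of installing them unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the thread: 1:1 NAT for one internal host plus a
# FORWARD chain that only admits the published services. Assumed (override via
# environment): eth0 outside, eth1 inside, EX_IP/IN_IP as in Greg's script,
# TCP 80 and 443 published.
EX_IP="${EX_IP:-11.22.33.55}"
IN_IP="${IN_IP:-192.168.1.253}"
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
PUBLISHED_TCP="${PUBLISHED_TCP:-80 443}"
IPTABLES="${IPTABLES:-/sbin/iptables}"
# DRY_RUN=1 (default) prints the rules for review; DRY_RUN=0 installs them.
DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = "1" ]; then echo "$IPTABLES $*"; else "$IPTABLES" "$@"; fi
}

nat_rules() {
    # Rewrite the destination only for published ports: an unpublished service
    # on IN_IP is then never reachable through EX_IP.
    for port in $PUBLISHED_TCP; do
        ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$EX_IP" --dport "$port" \
            -j DNAT --to-destination "$IN_IP"
    done
    # Connections that IN_IP opens to the outside appear to come from EX_IP.
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$IN_IP" -j SNAT --to-source "$EX_IP"
}

forward_rules() {
    # ip_forward makes the kernel route; the FORWARD chain decides what survives.
    # Default-deny, then allow replies, the published services, and IN_IP's
    # own outbound connections.
    ipt -P FORWARD DROP
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in $PUBLISHED_TCP; do
        ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$IN_IP" --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$IN_IP" -m state --state NEW -j ACCEPT
}

apply_all() {
    ipt -F FORWARD
    ipt -t nat -F
    nat_rules
    forward_rules
    [ "$DRY_RUN" = "1" ] || echo 1 > /proc/sys/net/ipv4/ip_forward
}
apply_all
```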