I have a few IP addresses attached to an interface without problems. I also have some chrooted environments attached to these IP addresses. Is there a way to make connections (telnet) from these environments look like they are coming from the aliased IP's rather than the main IP address? Thanks for any help, Kevin.
--On Thursday, December 26, 2002 8:57 PM -0600 "Kevin Mortimore/res/Okstate" <mortimo@okstate.edu> wrote:

> I have a few IP addresses attached to an interface without problems. I
> also have some chrooted environments attached to these IP addresses. Is
> there a way to make connections (telnet) from these environments look
> like they are coming from the aliased IP's rather than the main IP
> address? Thanks for any help

There is nothing in Shorewall that can do this since NetFilter (and hence Shorewall) has no knowledge of chrooted environments.

-Tom
--
Tom Eastep       \ Shorewall - iptables made easy
Shoreline,        \ http://shorewall.sf.net
Washington USA     \ teastep@shorewall.net
Thanks, Tom. But is there a way then to make my router with multiple IP's show one of the aliased IP's instead of the main one when I connect from inside my network using telnet, for example? Thanks again for your help, Kevin.
--On Thursday, December 26, 2002 10:53:11 PM -0600 "Kevin Mortimore/res/Okstate" <mortimo@okstate.edu> wrote:

> Thanks tom. But is there a way then to make my router with multiple IP's
> show one of the aliased IP's instead of the main one when I connect from
> inside my network using telnet for example?
>

I believe that for outbound connections, the source IP will always be the primary IP of the outgoing interface. For it to be otherwise, the application would have to have knowledge of the host's routing table since the local IP for a connection is dependent on the interface used to route the outgoing connection.

-Tom
--
Tom Eastep       \ Shorewall - iptables made easy
Shoreline,        \ http://shorewall.sf.net
Washington USA     \ teastep@shorewall.net
--On Thursday, December 26, 2002 10:53 PM -0600 "Kevin Mortimore/res/Okstate" <mortimo@okstate.edu> wrote:

> Thanks tom. But is there a way then to make my router with multiple IP's
> show one of the aliased IP's instead of the main one when I connect from
> inside my network using telnet for example?
>

I reread your post and there is something you can try. If you want all telnet connections to the net from 192.168.1.0/24 to appear to come from 192.0.2.224 then you can try the rule:

    ACCEPT loc net tcp 23 - all:192.0.2.224

-Tom
--
Tom Eastep       \ Shorewall - iptables made easy
Shoreline,        \ http://shorewall.sf.net
Washington USA     \ teastep@shorewall.net
--On Thursday, December 26, 2002 09:34:01 PM -0800 Tom Eastep <teastep@shorewall.net> wrote:

>
> ACCEPT loc net tcp 23 - all:192.0.2.224
>

Had a chance to try this rule this morning and it generates an error. You have two alternatives:

a) Add an SNAT entry in /etc/shorewall/masq -- that won't allow you to use a different external IP for just an application though.

b) Create /etc/shorewall/init if you don't already have that file and in it place:

    run_iptables -t nat -A POSTROUTING -s <local subnet using CIDR notation> -p tcp --dport 23 -j SNAT --to-source <external ip>

Example:

    run_iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -p tcp --dport 23 -j SNAT --to-source 192.0.2.224

-Tom
--
Tom Eastep       \ Shorewall - iptables made easy
Shoreline,        \ http://shorewall.sf.net
Washington USA     \ teastep@shorewall.net
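The rule in option (b) above only works because of two Netfilter behaviours the message takes for granted: POSTROUTING rules are evaluated in order and the first match wins, and connection tracking remembers each translation so that replies to the alias address are delivered back to the inside host. The model below is an added example, not code from the thread, from Shorewall or from Netfilter; it replays the thread's rule (192.168.1.0/24, tcp/23, --to-source 192.0.2.224) alongside a catch-all masq-style entry and shows which source address each outbound packet leaves with. The primary external IP 192.0.2.1, the inside host 192.168.1.10, the remote host 198.51.100.5 and the ephemeral ports are constructed sample values.

```python
"""Model of an ordered POSTROUTING SNAT chain plus the conntrack state that
reverses the translation on replies.  Added example, not Shorewall code.
Constructed values: primary IP 192.0.2.1, inside host 192.168.1.10,
remote host 198.51.100.5, ephemeral ports 4000x."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class SnatRule:
    """One '-A POSTROUTING -s ... [-p ... --dport ...] -j SNAT --to-source' entry."""
    source: str                   # -s <cidr>
    to_source: str                # --to-source <ip>
    proto: Optional[str] = None   # -p <proto>, None = any
    dport: Optional[int] = None   # --dport <port>, None = any

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.source):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


class PostRouting:
    """Ordered SNAT rules and the flow table that maps replies back."""

    def __init__(self, rules: List[SnatRule]) -> None:
        self.rules = list(rules)
        # (translated src, sport, dst, dport) -> original inside source
        self.conntrack: Dict[Tuple[str, int, str, int], str] = {}

    def outbound(self, pkt: Packet) -> Packet:
        for rule in self.rules:  # first matching rule wins, as in iptables
            if rule.matches(pkt):
                out = Packet(rule.to_source, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
                self.conntrack[(out.src, out.sport, out.dst, out.dport)] = pkt.src
                return out
        return pkt  # no SNAT entry matched: packet leaves untranslated

    def inbound_reply(self, reply: Packet) -> Optional[Packet]:
        """Undo the translation for a reply; None if it belongs to no tracked flow."""
        key = (reply.dst, reply.dport, reply.src, reply.sport)
        inside = self.conntrack.get(key)
        if inside is None:
            return None
        return Packet(reply.src, reply.sport, inside, reply.dport, reply.proto)


def build_chain() -> PostRouting:
    """The thread's telnet rule, followed by a catch-all entry for the subnet."""
    return PostRouting([
        # run_iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -p tcp --dport 23
        #     -j SNAT --to-source 192.0.2.224        (the rule from the thread)
        SnatRule("192.168.1.0/24", "192.0.2.224", proto="tcp", dport=23),
        # catch-all masq-style entry to the constructed primary external IP
        SnatRule("192.168.1.0/24", "192.0.2.1"),
    ])


if __name__ == "__main__":
    chain = build_chain()
    telnet = chain.outbound(Packet("192.168.1.10", 40000, "198.51.100.5", 23))
    ssh = chain.outbound(Packet("192.168.1.10", 40001, "198.51.100.5", 22))
    back = chain.inbound_reply(Packet("198.51.100.5", 23, "192.0.2.224", 40000))
    print("telnet leaves as", telnet.src, "| ssh leaves as", ssh.src,
          "| telnet reply delivered to", back.dst if back else None)
```

Because the first match wins, the port-23 rule has to be evaluated before the catch-all entry; with the order reversed every packet from the subnet, telnet included, would leave as the primary address. The reply path also shows why the alias must actually be configured on the router: a reply that matches no tracked flow is simply dropped by the model, and on a real host it would never reach the inside client either.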
That worked, Tom. Thank you very much for your help.

Kevin.

-----shorewall-users-admin@shorewall.net wrote: -----
To: "Kevin Mortimore/res/Okstate" <mortimo@okstate.edu>, shorewall-users@shorewall.net
From: Tom Eastep <teastep@shorewall.net>
Sent by: shorewall-users-admin@shorewall.net
Date: 12/27/2002 08:59AM
Subject: Re: [Shorewall-users] IP Alias problems