

Andreas Triller wrote:

> Hello to all the networking-gurus out there!
> 
> Sorry if this is a double posting, but my first try was before I subscribed,
> so I think it didn't get to anybody. Also sorry for the length, but I can't
> cut it much shorter.
> 
> I had a problem with a slightly "non-standard" configuration of the Linux
> Routing, Masquerading and Portforwarding capabilities. It took me 3 days to
> get it working (and several postings in this mailing list helped me).
> BUT: I still don't fully understand WHY it works!
> 
> I have the following:
> - An SDSL Router which gives me 6 "official" IP-addresses.
> - A Linux-PC as Firewall with several NICs, 3 of them used. One of the NICs
> is directly connected to the SDSL-device. This is eth1 in the Linux-box, and
> it has one IP-Alias eth1:0 using another of the 6 addresses:
>  IP_INET=X.Y.Z.242 (eth1)
>  IP_INET2=X.Y.Z.244 (eth1:0)
>  IP_ROUTER=X.Y.Z.241 (DSL-Device)
> 
> defaultroute : IP_ROUTER (via eth1)
> 
> Two Company-LANs are connected (via the other 2 NICs) and IP-Masqueraded:
> LAN1=192.168.1.0/24
> LAN2=192.168.0.0/24
> 
> ipchains -A forward -s $LAN1 -p tcp -j MASQ
> ipchains -A forward -s $LAN2 -p tcp -j MASQ
> (The Gate runs a caching only nameserver, so no UDP outside is allowed.)
> 
> 
> In each company there is one server to be connected via port-forwarding.
> (One www, one mailserver)
> First, the Input is allowed in:
> 
> ipchains -A input -d $IP_INET 80 -p tcp -i $eth1 -j ACCEPT
> ipchains -A input -d $IP_INET2 25 -p tcp -i $eth1 -j ACCEPT
> 
> Here is the first thing I didn't know before: ipchains seems to know only
> the physical device eth1! If I substitute it with $eth1:0 in the second rule,
> no packets get through.

people often think that eth1:0 is different than eth1. in 2.0 kernels,
there used to be a distinction (real interface versus alias interface).
since the 2.2 kernels, there is no such distinction (eth1 is the interface,
eth1:0 is just a name for one of the addresses on that interface). there is
no such thing as an alias anymore, just interfaces with multiple addresses.

whenever you have this sort of problem, stop using -i and start using -s
or -d to differentiate packets.

> The Forwarding itself:
> 
> ipmasqadm portfw -a -P tcp -L $IP_INET 80 -R www.1stcompany.de 80
> ipmasqadm portfw -a -P tcp -L $IP_INET2 25 -R mail.othercompany.de 25
> 
> 
> Now the Problem is how to get the packets from LAN2 out through the right
> alias. On this I found a posting which suggested marking the packets with an
> ipchains-rule on input and to use an "ip rule add fwmark xx nat ..." to get
> the address changed. This did not work for me. I tried the simpler rule:
> 
> ip rule add from $LAN2 nat $IP_INET2
> 
> and it works! I did not have to add any additional routing tables with
> source-based routing or such things.

yes, but note that this nats all packets from $LAN2, not just the
ones required for the service you are port forwarding. this probably
isn't a problem, though. just pointing it out.

> BUT: I can access machines on LAN1 from machines on LAN2 and vice versa. Why
> does this rule not modify these packets' source addresses? Only packets to
> the internet get modified (and accidentally, this is what I want.) It seems
> that this ip-nat-thing only works in conjunction with Masquerading.
> Could anyone clear things up a little?

you're almost right. usually, when you want to set up some nat, you need
a rule and a route. masquerading provides the route so you only needed
a rule command. if you hadn't been masquerading, you would also have needed
a route command. see the ip command reference for details.

raf
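A small Python model of the two points made in the reply above (an added example, not part of the list posting or of any kernel code): ipchains `-i` is compared against the physical device only, so `-i eth1:0` never matches and `-d` on the address is the right selector; and `ip rule ... from LAN2 nat ADDR` selects every packet from that prefix, but the rewrite only happens where a NAT route exists, which in this setup masquerading supplies only for Internet-bound traffic. The `203.0.113.*` addresses are constructed stand-ins for the poster's `X.Y.Z.*`, and the route condition is modelled from raf's explanation, not taken from the 2.2 source.

```python
import ipaddress

# Constructed stand-ins for the X.Y.Z.* addresses in the posting.
IP_INET = "203.0.113.242"   # eth1
IP_INET2 = "203.0.113.244"  # eth1:0, a second address on the same device
LANS = {"LAN1": ipaddress.ip_network("192.168.1.0/24"),
        "LAN2": ipaddress.ip_network("192.168.0.0/24")}

def physical_device(name):
    """On 2.2+ kernels 'eth1:0' is only a label for an address on eth1."""
    return name.split(":", 1)[0]

def input_rule_matches(rule, pkt):
    """ipchains-style input match. -i is compared with the device the packet
    arrived on; an alias label is never a device name, so '-i eth1:0' fails.
    Selecting on -d (the destination address) works for both addresses."""
    if rule.get("iface") and rule["iface"] != pkt["in_dev"]:
        return False
    if rule.get("proto") and rule["proto"] != pkt["proto"]:
        return False
    if rule.get("dst") and rule["dst"] != pkt["dst"]:
        return False
    return not rule.get("dport") or rule["dport"] == pkt["dport"]

def nat_rule_selects(nat_rules, pkt):
    """`ip rule add from PREFIX nat ADDR`: the first prefix holding the source
    wins, whatever the destination is (raf's 'nats all packets from LAN2')."""
    src = ipaddress.ip_address(pkt["src"])
    for prefix, addr in nat_rules:
        if src in prefix:
            return addr
    return None

def has_nat_route(pkt):
    """Model of raf's explanation: the rule also needs a route, and here
    masquerading supplies one only for traffic leaving via the default
    route, i.e. destinations outside the directly attached LANs."""
    dst = ipaddress.ip_address(pkt["dst"])
    return not any(dst in lan for lan in LANS.values())

def rewritten_source(nat_rules, pkt):
    """Source address after both the rule and the route are consulted."""
    addr = nat_rule_selects(nat_rules, pkt)
    return addr if addr and has_nat_route(pkt) else pkt["src"]
```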

_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]