Ok so after attempting this, it doesn't sound so easy anymore. Yes you can NAT the 192.168.x.x address to a public address, but it won't fix NetMeeting or anything that previously didn't work with NATting the 192.168 address. It will, however, fix what the original author of this thread wanted, which was simply to access the machine (hopefully whatever he's needing to access only uses TCP/IP).

After being stupid for a little while it finally hit me that NATting some other public IP address into a private address was no different from NATting the public IP of the external interface. The client machine still thinks it is 192.168 and NetMeeting sends that out to the other side. So the only way to do it was to actually give the Windows machine its own public IP, and route everything in. I'm discussing this in the hopes that someone knows a better way. The network looks like this:

    Internet-----208.164.xxx.xxx/32 (eth1)
                        |
                  192.168.1.254 (eth0)------192.168.1.0/24

If from my client machine, 192.168.1.2, I want to use MSN Messenger's video, the only way I can think of is to change its IP from 192.168.1.2 to some public IP (here, I have a /29, 209.205.xxx.xxx). But when this is done, now the box has no route to the internet, since it doesn't know how to access 192.168.1.254. So I have to use up another public IP and alias eth0 with it. But now I'm completely separated from my 192.168.1.0/24 network (which I do not want!!!).

Before coming to this solution, I did attempt assigning 2 IP addresses to the NIC on the Windows machine, listing the public first and the private second. However, if I then set the default gateway to 192.168.1.254, Windows uses 192.168.1.2 as the source IP for any packets originating on the XP box.

So I ask, can anyone think of a better way to do this? Is it true that MSN Messenger is encoding the source IP somewhere in its packet and that's why it can't be successfully NATted? Does Yahoo Messenger do the same? (Apparently Yahoo's video works from behind firewalls more easily.)

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Glover George
> Sent: Monday, March 18, 2002 1:12 PM
> To: 'Antony Stone'; [EMAIL PROTECTED]
> Subject: RE: Yikes. . . shouldn't this be easy--NAT in and out to private IP
>
> I plan on doing this soon as well, and I was wondering a couple things. As I've seen stated on here a few times, it looks as though using the h.323 protocol support in 1.2.6 with 2.4.18 isn't going to allow me to successfully NAT things such as NetMeeting, MSN Messenger videoconferencing (is that the same thing as NetMeeting), and remote desktop stuff. Now I've just been using VNC for the latter. I happen to own another /29 of public addresses and was thinking that the best way to do this is that when I want to access the net with these applications, I quickly log into the firewall and run a script that does this DNATting/SNATting to the private IP machine for one of the /29 addresses (basically translating it on the NAT box).
>
> But what caught my attention was this. Once I do this, for the moment I am allowing this traffic:
>
> 1. If things coming in to the external interface are hitting the PREROUTING chain, how do I filter on them? As I understand it, the PREROUTING chain is before the INPUT chain? Can someone explain: if I have a rule such as
>
> iptables -t nat -A PREROUTING -i eth1 -d 209.205.xxx.xxx -j DNAT --to 192.168.0.1
>
> where do I place the lines of code to filter these things? Am I filtering in the INPUT chain on the 209. addresses or what?
>
> 2. Can anyone give me some tips on some vulnerable ports that I would need to block on a Windows XP machine but still allow for NetMeeting, ICQ, IRC, etc. to work? (Specifically, things like file sharing and all that need to be blocked.) Thanks.
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]] On Behalf Of Antony Stone
> > Sent: Monday, March 18, 2002 12:08 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Yikes. . . shouldn't this be easy--NAT in and out to private IP
> >
> > On Monday 18 March 2002 5:22 pm, Brian Capouch wrote:
> >
> > > I want to NAT a private IP addr, 192.168.1.2 (as if that mattered) out
> > > to the world and then back in again, so that I can remotely bring up
> > > an X window for a demo I have to do "outside" later in the week.
> >
> > iptables -A PREROUTING -t nat -d 111.222.333.444 -j DNAT --to 192.168.1.2
> > iptables -A POSTROUTING -t nat -s 192.168.1.2 -j SNAT --to 111.222.333.444
> >
> > The first rule changes packets coming in from the Internet which were addressed to 111.222.333.444 and sends them to 192.168.1.2.
> >
> > The second rule changes packets which come from 192.168.1.2 and makes them look like they came from 111.222.333.444.
> >
> > Don't forget the appropriate FORWARD rules to let the packets through as well:
> >
> > iptables -A FORWARD -s 192.168.1.2 -j ACCEPT
> > iptables -A FORWARD -d 192.168.1.2 -j ACCEPT
> >
> > Remember that your NATing box needs to have 111.222.333.444 added to its external interface if this address is in the same network range as the NAT machine's real external address.
> >
> > If it's in a different network range, then you just need to have packets for 111.222.333.444 routed from the previous router, to use the NAT box as the next hop.
> >
> > These rules will allow all packets, any protocol (TCP, UDP, ICMP, ESP...) to get through the Firewall, to & from ANY external address - so be careful about security on the "target" machine, otherwise you might find it's a target for more than you expected :-)
> >
> > Hope this helps,
> >
> > Antony.
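The rule pair Antony gives, plus Glover's question 1 about where DNATed packets get filtered, can be put together as a small script. This is an added example written for this page, not code from the thread or from the netfilter project. It emits the 1:1 NAT rules for one private host and, instead of Antony's two ACCEPT-all FORWARD rules, admits new inbound connections only on an explicit port list. The addresses, interface name and ports (tcp 1720 for H.323 call signalling, tcp 3389 for Remote Desktop) are constructed placeholders; `nat_rules` and `count_inbound_accepts` are names invented here. The script prints the commands rather than running them, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example, not code from the thread or from netfilter: emits the
# 1:1 NAT rule set from Antony's reply, with FORWARD rules that admit only
# the ports the mapped host needs instead of accepting everything.
# All addresses, interface names and ports here are constructed placeholders.

# nat_rules PUBLIC_IP PRIVATE_IP EXT_IF "proto:port ..."
# Prints the commands instead of running them, so the rule set can be
# reviewed (or piped to sh on the firewall) without root and without iptables.
nat_rules() {
    pub=$1; priv=$2; ext=$3; allow=$4

    # The public address must be present on the external interface when it
    # lies in the same range as the firewall's own address (Antony's point);
    # if the upstream router routes it to the firewall instead, skip this line.
    echo "ip addr add $pub/32 dev $ext"

    # Inbound: rewrite the destination before routing. Because the new
    # destination is not a local address, the packet is forwarded, and it
    # reaches the FORWARD chain already carrying the private address. That
    # chain, not INPUT, is where it gets filtered (Glover's question 1).
    echo "iptables -t nat -A PREROUTING -i $ext -d $pub -j DNAT --to-destination $priv"

    # Outbound: traffic from the private host leaves with the public source.
    echo "iptables -t nat -A POSTROUTING -o $ext -s $priv -j SNAT --to-source $pub"

    # Replies to flows already in the connection table pass in both directions.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # The mapped host may open connections outward.
    echo "iptables -A FORWARD -o $ext -s $priv -m state --state NEW -j ACCEPT"

    # New inbound connections reach the mapped host only on the listed ports
    # (iptables writes port ranges as low:high, e.g. udp:5000:5100).
    for spec in $allow; do
        proto=${spec%%:*}
        port=${spec#*:}
        echo "iptables -A FORWARD -i $ext -d $priv -p $proto --dport $port -m state --state NEW -j ACCEPT"
    done

    # Anything else aimed at the public address is logged, then dropped, so
    # the host is not reachable on every port the way two ACCEPT-all
    # FORWARD rules would leave it.
    echo "iptables -A FORWARD -i $ext -d $priv -j LOG --log-prefix \"nat-drop: \""
    echo "iptables -A FORWARD -i $ext -d $priv -j DROP"
}

# count_inbound_accepts RULES: number of inbound per-port ACCEPT rules in a
# generated rule set, handy for checking the allow list before loading it.
count_inbound_accepts() {
    printf '%s\n' "$1" | grep -c -- '--dport .* -j ACCEPT'
}

# Demo with constructed values: a host on the 192.168.1.0/24 LAN mapped to a
# placeholder public address, reachable only for H.323 call signalling
# (tcp 1720) and Remote Desktop (tcp 3389). H.323 media ports are negotiated
# in-band, so they still need the conntrack helper or an explicit udp range.
nat_rules 111.222.333.444 192.168.1.2 eth1 "tcp:1720 tcp:3389"
```

The deny-by-default tail is the part Antony's reply warns about: with the DNAT in place, every port the Windows host listens on is exposed under the public address, so the FORWARD chain is the place to decide which of them actually need to be. This does not change anything about the H.323 helper limitation the thread discusses; an application that embeds its private address in the payload still breaks regardless of how the filter chain is written.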