Alright so I added the ip address to the interface (I edited the cfg
files and restarted the network service) so that my ifconfig output for
eth0 looks like this:
eth0 Link encap:Ethernet HWaddr 00:02:B3:93:BE:EA
inet addr:207.54.98.13 Bcast:207.54.98.15
Mask:255.255.255.248
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:264 errors:0 dropped:0 overruns:0 frame:0
TX packets:15 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:16060 (15.6 Kb) TX bytes:906 (906.0 b)
Interrupt:5 Base address:0x8000
eth0:1 Link encap:Ethernet HWaddr 00:02:B3:93:BE:EA
inet addr:207.54.98.12 Bcast:207.54.98.15
Mask:255.255.255.248
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:5 Base address:0x8000
which seems right - however I still get no action. Is there something
really obvious I'm missing? I can ping to and from the internet to the
firewall, and to and from the LAN to the firewall, so what am I missing?
Just for more info - this is kernel 2.4.9-31 with iptables 1.2.5. I
compiled 1.2.5 over whatever was there by default in Red Hat 7.2 (which
I think was 1.2.4). I'm not getting any error messages when I run the
script, so I'm at a loss!
Again any help is appreciated.
Max Inglis
Subject: simple NAT problem
Date: Thu, 4 Apr 2002 10:13:52 -0700
From: "Max Inglis" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Hi all - this is my first post, however I read through the archives to
see if something like this had been covered. I am a network tech with
lots of Cisco and MS experience, but I am just branching into Linux
stuff for some purposes.
I installed Red Hat 7.2 and upgraded the iptables in it to 1.2.5 without
trouble (I compiled, I didn't use the RPM). I am converting an ISP
connection that hosts an ASP server through a crappy little NetScreen
(meant for 5 users) which doesn't support a bunch of the features I
would like to put in. I had built a config file for iptables using
examples, documentation and a book I bought. Didn't seem to be working,
so I pared down the script to just do a single Nat translation to one of
the servers behind the firewall which will be receiving and initiating
connections.
DMZ is the network with the computers that will be behind this firewall,
LAN is connected to my machine only for admin purposes, INET is
connected to internet. This is what my script looks like pared down to
just try to do a single NAT:
##########
#!/bin/bash
#activate kernel forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward   # "echo 1>file" would redirect stdout and write an empty line instead
#FLUSH AND SET POLICIES
#remove existing rules
/sbin/iptables --flush
/sbin/iptables -t nat --flush
/sbin/iptables -t mangle --flush
#set default chain policies
/sbin/iptables --policy INPUT ACCEPT
/sbin/iptables --policy OUTPUT ACCEPT
/sbin/iptables --policy FORWARD ACCEPT
#SET CONSTANTS

LOOPBACK_INTERFACE="lo" #loopback interface
INET_INTERFACE="eth0" #internet-connected interface
LAN_INTERFACE="eth2" #LAN-connected interface
DMZ_INTERFACE="eth1" #DMZ-network connected interface
LAN_ADDRESSES="192.168.41.0/24" #LAN Network
DMZ_ADDRESSES="192.168.50.0/24" #DMZ Network
INET_ADDRESSES="207.54.98.8/29" #INET Network
PRIVPORTS="0:1023" #well-known, privileged port range
UNPRIVPORTS="1024:65535" #unprivileged ports
HUB_EX="207.54.98.12" #hub external address
HUB_INT="192.168.50.10" #hub internal address
#enable loopback interface
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
#forward external address to internal address
/sbin/iptables -t nat -A PREROUTING -i $INET_INTERFACE -d $HUB_EX -j DNAT --to $HUB_INT
/sbin/iptables -t nat -A POSTROUTING -o $INET_INTERFACE -s $HUB_INT -j SNAT --to $HUB_EX
#allow all connections from LAN interface
/sbin/iptables -A INPUT -i $LAN_INTERFACE -j ACCEPT
/sbin/iptables -A OUTPUT -o $LAN_INTERFACE -j ACCEPT
###########
I also have a script to load the modules
###########
#! /bin/bash
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_state
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
###########
And some of those are for modules not being used by this script - but
they were required for my previous script.
This obviously isn't working since I am posting to this list. Am I
missing something? I had rules to allow the traffic to the nat'ed
address, but changed the default policy to accept to simplify while I
troubleshoot. I would have thought this was all I needed - but
apparently not - is there something (non-iptables) that I need to do to
make a NAT translation like this work? My intent for testing is to
connect to this machine on port 5555, but it is currently not
working.
Any help anyone can provide is appreciated.
Thanks!
Max Inglis
--__--__--
Message: 8
From: Antony Stone <[EMAIL PROTECTED]>
Organization: Software Solutions
To: [EMAIL PROTECTED]
Subject: Re: simple NAT problem
Date: Thu, 4 Apr 2002 18:24:21 +0100
On Thursday 04 April 2002 6:13 pm, Max Inglis wrote:
> #forward external address to internal address
> /sbin/iptables -t nat -A PREROUTING -i $INET_INTERFACE -d $HUB_EX -j DNAT --to $HUB_INT
> /sbin/iptables -t nat -A POSTROUTING -o $INET_INTERFACE -s $HUB_INT -j SNAT --to $HUB_EX
> This obviously isn't working since I am posting to this list. Am I
> missing something? Is there something (non-iptables) that I need to do to
> make a NAT translation like this work?
Yes - I think you are missing the proxy arp on the external interface for
your $HUB_EX address.
Basically you have an external port on your firewall, which has its own IP
address (and will respond to arp requests for that IP). Your rules are
telling the Firewall to translate a different external address to an internal
one (which is perfectly reasonable), however unless the physical interface
actually gets that second external IP address attached to it, it is never
going to receive the packets you want to translate.
I still use the old way of doing this, which is:
ifconfig eth0 192.168.1.1
ifconfig eth0:1 192.168.1.4
where 192.168.1.1 is my "real" address for that interface, and 192.168.1.4 is
the second one I want it to respond to. No doubt other people on this will
tell you the newer way of doing this, which uses the ip command.
Anyway, I think if you use one of those to get the $HUB_EX address attached
to your external interface, it'll start doing what you want :-)
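A preflight check for the failure mode Antony describes, as an added example that is not part of the thread: it parses `ip -4 -o addr show` output (a constructed sample here, using the thread's addresses) and only emits the DNAT/SNAT pair when the external address is really bound to the external interface, otherwise printing the `ip addr add` that has to come first. The function names and the /29 prefix (the thread's INET network) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a DNAT rule on eth0 for 207.54.98.12
# only ever sees packets if eth0 actually owns that address and answers
# ARP for it, so check the address list before installing the rule pair.

# Constructed sample of `ip -4 -o addr show` on the firewall, using the
# thread's addresses: before and after the alias eth0:1 exists.
IP_ADDR_BEFORE='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 207.54.98.13/29 brd 207.54.98.15 scope global eth0
3: eth1    inet 192.168.50.1/24 brd 192.168.50.255 scope global eth1'
IP_ADDR_AFTER="$IP_ADDR_BEFORE
2: eth0    inet 207.54.98.12/29 brd 207.54.98.15 scope global secondary eth0:1"

# addr_bound <ip -o addr output> <iface> <address>: returns 0 if <address>
# is configured on <iface>, 1 otherwise.
addr_bound() {
    printf '%s\n' "$1" | awk -v ifc="$2" -v want="$3" '
        $2 == ifc && $3 == "inet" { split($4, a, "/"); if (a[1] == want) found = 1 }
        END { exit found ? 0 : 1 }'
}

# nat_preflight <ip -o addr output> <inet iface> <external> <internal>
# Prints the DNAT/SNAT pair when <external> is bound to <inet iface>;
# otherwise prints the `ip addr add` that must come first and returns 1.
# The /29 prefix is the thread's INET network and is assumed here.
nat_preflight() {
    addrs=$1 ifc=$2 ext=$3 inner=$4
    if ! addr_bound "$addrs" "$ifc" "$ext"; then
        echo "# $ext is not bound to $ifc, so it never answers ARP; add it first:"
        echo "ip addr add $ext/29 dev $ifc label $ifc:1"
        return 1
    fi
    echo "iptables -t nat -A PREROUTING -i $ifc -d $ext -j DNAT --to-destination $inner"
    echo "iptables -t nat -A POSTROUTING -o $ifc -s $inner -j SNAT --to-source $ext"
}

# On a live box, feed the real output in:
#   nat_preflight "$(ip -4 -o addr show)" eth0 207.54.98.12 192.168.50.10
```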