Sandy,
I saw lots of wrong configuration in your configuration file... I'll just
comment on the most important thing.. please see below...
----- Original Message -----
From: "Sandy T. Santos" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, June 09, 2003 2:13 PM
Subject: [plug] Re:nat/routing
> >> fooler said:
> >> >ok at your gw1 box, add static route 203.177.3.0/netmask with gateway
> 192.168.57.2 and attach it to device eth0...
> >> i already did that.but when i turn-on nat, packets destined to
> >> 203.177.3.0/netmask(via static routing) gets masqueraded/snat to ExtIP
> of
> >> gw1. it's forwarding the packets towards the external interface of gw1.
> i've changed the iptables rules so that packets destined to
> > 203.177.3.0/netmask doesn't get masqueraded/snat to no effect. would you
> like me to show the iptables and static routing rules?
> >yes please do.. show to us the iptables rules and routing table both for
> your gw1 and gw2 boxes... thanks..
>
> iptables on gw1:
>
> $IPTABLES -P INPUT DROP
> $IPTABLES -F INPUT
> $IPTABLES -P OUTPUT DROP
> $IPTABLES -F OUTPUT
> $IPTABLES -P FORWARD DROP
> $IPTABLES -F FORWARD
> $IPTABLES -F -t nat
>
> $IPTABLES -F -t mangle
>
> if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
> $IPTABLES -F drop-and-log-it
> fi
> #
> # Delete all User-specified chains
> $IPTABLES -X
> #
> # Reset all IPTABLES counters
> $IPTABLES -Z
>
> echo " Creating a DROP chain.."
> $IPTABLES -N drop-and-log-it
> $IPTABLES -A drop-and-log-it -j LOG --log-level info
> $IPTABLES -A drop-and-log-it -j REJECT
>
> echo -e "\n - Loading INPUT rulesets"
>
> $IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
> $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
> $IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
> $IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT
> $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
> ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
>
> #output rules
>
> $IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
> $IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
> $IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
> $IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
> $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
> $IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
>
>
> ###my rules
>
> ##mark packets destined to mail server
> $IPTABLES -A PREROUTING -i eth0 -t mangle -p tcp -d 203.177.3.1/32 -j MARK --set-mark 2
> $IPTABLES -A PREROUTING -i eth0 -t mangle -p tcp -d 203.177.3.2/32 -j MARK --set-mark 2
> ##squid redirect
> $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
let your transparent proxy setup do the hijacking at eth1 rather than eth0...
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
>
> ##routing table rules
> echo 202 logonet >> /etc/iproute2/rt_tables
> ip rule add fwmark 2 table logonet
> ip route add default via 192.168.57.2 dev eth0 table logonet
>
> echo " - FWD: Allow all connections OUT and only existing/related IN"
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
> $IPTABLES -A FORWARD -j drop-and-log-it
>
> echo " - NAT: Enabling SNAT (MASQUERADE) functionality on $EXTIF"
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 192.168.57.0/24 -d ! 203.177.3.2 -j SNAT --to 203.177.4.1
your source nat ip address at gw1 box should be 203.131.4.1 and not
203.177.4.1...
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.57.0/24 -j SNAT --to 203.131.4.1
>
> ##flush route cache
> ip route flush cache
>
> main routing table on gw1:
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 203.131.4.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 192.168.57.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> 0.0.0.0         203.131.4.1     0.0.0.0         UG    0      0        0 eth1
your default gateway must not be 203.131.4.1 (ip address of eth1).. it must
be other ip address within 203.131.4.0/24 segment..
>
> logonet routing table on gw1(ip route list table logonet):
> default via 192.168.57.2 dev eth0
>
> i use a linux 2.2 kernel on gw2:
> #load modules before masq
> ipchains -A FORWARD -i eth1 -s 192.168.57.0/24 -j MASQ
>
> main routing table on gw2:
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 203.131.3.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 192.168.57.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> 0.0.0.0         203.131.3.1     0.0.0.0         UG    0      0        0 eth1
>have a typo error on the main routing table of gw2. should be 203.177.3.0
>instead of 203.131.x.x.
same also here... your default gateway must be 203.177.3.1 (ip address of
eth1)... it must be other ip address within 203.177.3.0/24 segment...
I'll give you a basic configuration that will solve your problem..
at your gw1 box:
#enable ip forwarding to act as a router
echo 1 > /proc/sys/net/ipv4/ip_forward
#transparent proxy setup which hijacks http packets at eth1 interface
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
#using source nat instead of masquerading at eth1 interface
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.57.0/24 -j SNAT --to 203.131.4.1
#static route for 203.177.3.0/24 network segment
route add -net 203.177.3.0/24 netmask 255.255.255.0 gw 192.168.57.2 dev eth0
fix your exact default gateway and your routing table must look like this:
Destination     Gateway         Genmask         Iface
203.177.3.0     192.168.57.2    255.255.255.0   eth0
203.131.4.0     0.0.0.0         255.255.255.0   eth1
192.168.57.0    0.0.0.0         255.255.255.0   eth0
127.0.0.0       0.0.0.0         255.0.0.0       lo
0.0.0.0         203.131.4.x     0.0.0.0         eth1
where 203.131.4.x is the correct gateway
at your 203.131.4.x router, add a static route for 203.177.3.0/24 network
segment and point to 203.131.4.1 as its gateway
at your gw2 box:
#enable ip forwarding to act as a router
echo 1 > /proc/sys/net/ipv4/ip_forward
#masquerading
ipchains -A FORWARD -i eth1 -s 192.168.57.0/24 -j MASQ
#static route for 203.131.4.0/24 network segment
route add -net 203.131.4.0/24 netmask 255.255.255.0 gw 192.168.57.1 dev eth0
fix your exact default gateway and your routing table must look like this:
Destination     Gateway         Genmask         Iface
203.177.3.0     0.0.0.0         255.255.255.0   eth1
203.131.4.0     192.168.57.1    255.255.255.0   eth0
192.168.57.0    0.0.0.0         255.255.255.0   eth0
127.0.0.0       0.0.0.0         255.0.0.0       lo
0.0.0.0         203.177.3.x     0.0.0.0         eth1
where 203.177.3.x is the correct gateway
at your 203.177.3.x router, add a static route for 203.131.4.0/24 network
segment and point to 203.177.3.1 as its gateway
fooler.
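As an added illustration, not part of fooler's or Sandy's messages, here is a small Python model of the two routing tables and NAT rules prescribed above. It does longest-prefix matching the way the kernel does, then applies a POSTROUTING SNAT/MASQ rule only when the packet's output interface is eth1, which is the whole point of the fix: traffic for the other site's 203.177.3.0/24 leaves gw1 via the static route on eth0 and is therefore never source-NATed, while everything else takes the default gateway on eth1 and gets SNATed to 203.131.4.1. Assumptions made here: 203.131.4.254 and 203.177.3.254 are constructed placeholders for the "203.131.4.x" / "203.177.3.x" gateways the post leaves open, and MASQ on gw2 is modelled as rewriting the source to eth1's own address 203.177.3.1.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network
    gateway: str  # "0.0.0.0" means the destination network is directly connected
    iface: str


def parse_table(text):
    """Parse a 'Destination Gateway Genmask Iface' table (the layout used in
    the post) into Route objects. The first line is the header and is skipped."""
    routes = []
    for line in text.strip().splitlines()[1:]:
        dest, gw, mask, iface = line.split()
        routes.append(Route(ipaddress.IPv4Network(f"{dest}/{mask}"), gw, iface))
    return routes


# gw1 table as prescribed; 203.131.4.254 is a placeholder for "203.131.4.x"
GW1_TABLE = parse_table("""
Destination  Gateway        Genmask        Iface
203.177.3.0  192.168.57.2   255.255.255.0  eth0
203.131.4.0  0.0.0.0        255.255.255.0  eth1
192.168.57.0 0.0.0.0        255.255.255.0  eth0
127.0.0.0    0.0.0.0        255.0.0.0      lo
0.0.0.0      203.131.4.254  0.0.0.0        eth1
""")

# gw2 table as prescribed; 203.177.3.254 is a placeholder for "203.177.3.x"
GW2_TABLE = parse_table("""
Destination  Gateway        Genmask        Iface
203.177.3.0  0.0.0.0        255.255.255.0  eth1
203.131.4.0  192.168.57.1   255.255.255.0  eth0
192.168.57.0 0.0.0.0        255.255.255.0  eth0
127.0.0.0    0.0.0.0        255.0.0.0      lo
0.0.0.0      203.177.3.254  0.0.0.0        eth1
""")

# (output interface, source network, new source) -- models
# "iptables -t nat -A POSTROUTING -o eth1 -s 192.168.57.0/24 -j SNAT --to 203.131.4.1"
GW1_SNAT = [("eth1", ipaddress.IPv4Network("192.168.57.0/24"), "203.131.4.1")]
# models "ipchains -A FORWARD -i eth1 -s 192.168.57.0/24 -j MASQ"; MASQ is
# assumed to rewrite the source to eth1's own address, 203.177.3.1
GW2_MASQ = [("eth1", ipaddress.IPv4Network("192.168.57.0/24"), "203.177.3.1")]


def lookup(routes, dst):
    """Longest-prefix match: the most specific route wins, and the 0.0.0.0/0
    default is used only when nothing more specific matches."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for r in routes:
        if addr in r.dest and (best is None or r.dest.prefixlen > best.dest.prefixlen):
            best = r
    return best


def forward(routes, snat_rules, src, dst):
    """Route a forwarded packet, then apply the first POSTROUTING rule whose
    output interface and source network match (iptables -o / -s semantics)."""
    route = lookup(routes, dst)
    next_hop = dst if route.gateway == "0.0.0.0" else route.gateway
    new_src = src
    for out_iface, src_net, to in snat_rules:
        if out_iface == route.iface and ipaddress.IPv4Address(src) in src_net:
            new_src = to
            break
    return {"iface": route.iface, "next_hop": next_hop, "src": new_src}


if __name__ == "__main__":
    # LAN host behind gw1 talking to the mail server on the other site:
    # leaves via eth0 towards gw2, source address untouched
    print(forward(GW1_TABLE, GW1_SNAT, "192.168.57.10", "203.177.3.1"))
    # same host going to the internet: default route on eth1, SNATed
    print(forward(GW1_TABLE, GW1_SNAT, "192.168.57.10", "198.51.100.7"))
    # mirror image from gw2's side
    print(forward(GW2_TABLE, GW2_MASQ, "192.168.57.20", "203.131.4.5"))
    print(forward(GW2_TABLE, GW2_MASQ, "192.168.57.20", "198.51.100.7"))
```

Running it shows why the static route has to exist on both gateways and on the upstream routers: without the 203.177.3.0/24 entry on gw1 the first packet would fall through to the default route on eth1, match the SNAT rule, and leave with 203.131.4.1 as its source, which is exactly the symptom Sandy described.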
--
Philippine Linux Users' Group (PLUG) Mailing List
[EMAIL PROTECTED] (#PLUG @ irc.free.net.ph)
Official Website: http://plug.linux.org.ph
Searchable Archives: http://marc.free.net.ph
To leave, go to http://lists.q-linux.com/mailman/listinfo/plug
Are you a Linux newbie? To join the newbie list, go to
http://lists.q-linux.com/mailman/listinfo/ph-linux-newbie