Static NAT (Summary), was Re: lug-bg: Problems with Linux 2.4 and NAT with iptables
Test setup: machine_192.168.0.2 eth1_linuxnatbox_eth0 --- machine_192.168.1.2
The addresses of eth0 and eth1 are 192.168.1.1 and 192.168.0.1 respectively. linuxnatbox has eth0:0 with IP 192.168.1.3.

To begin with:
  echo 1 > /proc/sys/net/ipv4/ip_forward
(that cost me 15 minutes of wandering around ;-) )
and then:
  iptables -t nat -A POSTROUTING -s 192.168.0.2 -o eth0 -j SNAT --to 192.168.1.3
  iptables -t nat -A PREROUTING -d 192.168.1.3 -i eth0 -j DNAT --to 192.168.0.2
That's it .. machine 192.168.0.2 has IP 192.168.1.3 ... from there on, the firewall rules that will protect it are somebody else's headache.

hope this helps.
bOmbe.

P.S. how much nonsense I wrote for the sake of one elementary solution ...

=== A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers) http://www.linux-bulgaria.org/ Hosted by Internet Group Ltd. - Stara Zagora
Re: lug-bg: Problems with Linux 2.4 and NAT with iptables
On Wednesday 19 December 2001 16:37, you wrote:
>> P.S. Boyan, is this enough to become a CCNP :PPP ? :)
> almost, see:
> http://www.cisco.com/warp/public/10/wwtraining/certprog/testing/current_exams/640-503.html#examtop
> http://www.cisco.com/warp/public/10/wwtraining/certprog/testing/current_exams/640-504.html#examtop
> http://www.cisco.com/warp/public/10/wwtraining/certprog/testing/current_exams/640-505.html#examtop
> http://www.cisco.com/warp/public/10/wwtraining/certprog/testing/current_exams/640-506.html#examtop
> this (all of it taken together) is the set of topics covered in total by the four exams that are required for someone to become a CCNP.
> take care, Boyan

I really was joking... it's beyond my abilities, I'll pass ... :)
still, thanks for the info, but it doesn't hurt to read up on what it's all about anyway.

-- Greets, fr33zb1
lug-bg: Problems with Linux 2.4 and NAT with iptables
Hello,
I have read the iptables and NAT HOWTO. I want to get address translation running, but it doesn't work as it should - it works as masquerading (connections can only be initiated in one direction).
I have RH 7.2, kernel 2.4.16, everything for NAT compiled in.
2 ethernet cards - eth0 172.16.31.100 and eth1 192.168.0.3
I want the PC 192.168.0.10 to go out as 172.16.31.110 and, correspondingly, anyone who looks for 172.16.31.110 (from eth0) to see the PC 192.168.0.10.
It turns out that right now it works as masquerading - the PC goes out, but nobody can initiate a connection to it from outside (i.e. to 172.16.31.110).
This is the command:
  iptables -t nat -I POSTROUTING -s 192.168.0.10 -o eth0 -j SNAT --to-source 172.16.31.110
Any ideas - where am I going wrong? What have I not read or not understood properly? In general, how do you do NAT for a case like mine?
Thank you in advance
__
Nikolay Kabaivanov, [EMAIL PROTECTED]
University of Rousse, Bulgaria
Re: lug-bg: Problems with Linux 2.4 and NAT with iptables
On Tuesday 18 December 2001 12:15, you wrote:
> Hello,
> I have read the iptables and NAT HOWTO. I want to get address translation running, but it doesn't work as it should - it works as masquerading (connections can only be initiated in one direction).

it's working quite correctly. This is just masquerading: i.e. the TCP/UDP/ICMP etc. datagram starts from the masqueraded machine, passes through the Masq Server, which replaces its ip/port with real ones and sends it out ... after it receives the reply, it already knows which masqueraded machine to hand it to (changing ip/port again), because the datagram has already passed through it.
In your case, when the connection is initiated/started from outside and the traffic has to be redirected to some masqueraded machine, the Masquerading Server has to be able to do PortForwarding of TCP/UDP/ICMP datagrams for the WWW, FTP, SMTP etc. protocols to the given masqueraded host. From outside, however, it is the Masq server that gets looked up, not the masqueraded machine (it is invisible), and this Masq server redirects the requests to it - internal IP:port. Capisce? :)
So you can have, for example, a masqueraded web/ftp server sitting behind a Masquerading Server which, besides that, also acts as firewall and proxy for some services. (and www.netcraft.com in this case are powerless to determine the webserver/OS... they usually detect the OS of the Firewall, while the webserver does its work behind it on a completely different OS ;)
You read how to do this with iptables and 2.4 in the IP-Masquerade HOWTO, it should be written there, if not in the IPTABLES HOWTO.
You can also do PortForwarding to NON-masqueraded machines. I haven't done it, though.

> I have RH 7.2, kernel 2.4.16, everything for NAT compiled in.
> 2 ethernet cards - eth0 172.16.31.100 and eth1 192.168.0.3
> I want the PC 192.168.0.10 to go out as 172.16.31.110 and, correspondingly, anyone who looks for 172.16.31.110 (from eth0) to see the PC 192.168.0.10.
> It turns out that right now it works as masquerading - the PC goes out, but nobody can initiate a connection to it from outside (i.e. to 172.16.31.110).
> This is the command:
>   iptables -t nat -I POSTROUTING -s 192.168.0.10 -o eth0 -j SNAT --to-source 172.16.31.110
> Any ideas - where am I going wrong? What have I not read or not understood properly? In general, how do you do NAT for a case like mine?

-- Greets, fr33zb1
Re: lug-bg: Problems with Linux 2.4 and NAT with iptables
Hello
Right, you're correct, it's about static NAT, or Source NAT (SNAT). I brought the interface up long ago - otherwise the NAT doesn't get going at all. The problem is how to get the traffic going in the 2nd direction too, i.e. from the router 172.16.31.110 to the internal machine? Do I need to use DNAT there, i.e. write the reverse rule, or is the SNAT alone sufficient?

Vesselin Kotarov wrote:
> uhmz ... why do I keep thinking all along that this is about static NAT, i.e. not some kind of forwarding but simply static (also known as two-way or source) NAT. the only thing that comes to mind at the moment is that an alias 172.16.31.110 has to be brought up on the interface that has IP 172.16.31.100.
> hope this helps.
> bOmbe.
>
> - Original Message -
> From: Teodor Georgiev [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Tuesday, December 18, 2001 4:50 PM
> Subject: Re: lug-bg: Problems with Linux 2.4 and NAT with iptables
>
>> - Original Message -
>> From: George Danchev [EMAIL PROTECTED]
>> To: [EMAIL PROTECTED]
>> Sent: Tuesday, December 18, 2001 2:19 PM
>> Subject: Re: lug-bg: Problems with Linux 2.4 and NAT with iptables
>>
>>> In your case, when the connection is initiated/started from outside and the traffic has to be redirected to some masqueraded machine, the Masquerading Server has to be able to do PortForwarding of TCP/UDP/ICMP datagrams for the WWW, FTP, SMTP etc. protocols to the given masqueraded host. From outside, however, it is the Masq server that gets looked up, not the masqueraded machine (it is invisible), and this Masq server redirects the requests to it - internal IP:port. Capisce? :)
>>> So you can have, for example, a masqueraded web/ftp server sitting behind a Masquerading Server which, besides that, also acts as firewall and proxy for some services. (and www.netcraft.com in this case are powerless to determine the webserver/OS... they usually detect the OS of the Firewall, while the webserver does its work behind it on a completely different OS ;)
>>> You read how to do this with iptables and 2.4 in the IP-Masquerade HOWTO, it should be written there, if not in the IPTABLES HOWTO.
>>> You can also do PortForwarding to NON-masqueraded machines. I haven't done it, though.
>>
>> xinetd. the forwarding works perfectly. And other goodies around it can be set up as well. for example I have set it up so that during working hours the traffic goes to one web server, and in the evening port forwarding is done to another machine. Great stuff!
Re: lug-bg: Problems with Linux 2.4 and NAT with iptables
- Original Message -
From: George Danchev [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, December 18, 2001 5:21 PM
Subject: Re: lug-bg: Problems with Linux 2.4 and NAT with iptables

> On Tuesday 18 December 2001 16:16, you wrote:
>> uhmz ... why do I keep thinking all along that this is about static NAT, i.e. not some kind of forwarding but simply static (also known as two-way or source) NAT. the only thing that comes to mind at the moment is that an alias 172.16.31.110 has to be brought up on the interface that has IP 172.16.31.100.
>> hope this helps.
>> bOmbe.
>
> well, he can make an ip alias on eth0: (by the way, I didn't look at the ip's)
>   # ifconfig eth0:0 172.16.31.110
> He can make more aliases too... but that doesn't mean that anyone will be able to make a connection from outside to the masqueraded machines until IP PortForwarding is set up correctly on the Masq server to redirect the ip traffic to the masqueraded hosts. In fact he tried to do exactly that with iptables, but apparently didn't get the syntax right, I think. I think this is what he was asking about:
> http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO/x1583.html

mhm .. my mistake :) I had something else in mind, which was called Fast NAT, but only now did I take a serious look in the kernel to see where it is, and it turned out it isn't there ... afterwards I checked the site too: http://www.suse.de/~mha/HyperNews/get/linux-ip-nat.html - the people there have written quite a lot, but I couldn't find that thing in the kernel ... silly :) maybe there is a way to do static nat with a combination of iptables and iproute2, only I can't set up a test rig around here :(

> P.S. bOmbe, now I don't know how it is with solaris, but linux ip masquerading can't handle incoming services in this case, that's why this trick with ipportfw is done :)

mhm .. fw1 spoils you ;-)

> -- Greets, fr33zb1

bOmbe.
RE: lug-bg: Problems with Linux 2.4 and NAT with iptables
something is off, either I don't understand or ... Is there really no way to make a linux box remap addresses from one network to another? Or one address internal to the NAT to an external one? The name of this wonder really is static NAT. Both Cisco IOS and Cisco PIX can do it (sorry for the inadvertently inserted advertisement). Are you saying that Linux 2.4 can't do static NAT? I dare not believe it :) Isn't there something like destination address translation? Because if there is, the problem of full access to the PC inside (from the NAT's point of view) is solved very simply.
Regards, Boyan

-----Original Message-----
From: George Danchev [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 18, 2001 5:21 PM
To: [EMAIL PROTECTED]
Subject: Re: lug-bg: Problems with Linux 2.4 and NAT with iptables

> On Tuesday 18 December 2001 16:16, you wrote:
>> uhmz ... why do I keep thinking all along that this is about static NAT, i.e. not some kind of forwarding but simply static (also known as two-way or source) NAT. the only thing that comes to mind at the moment is that an alias 172.16.31.110 has to be brought up on the interface that has IP 172.16.31.100.
>> hope this helps.
>> bOmbe.
>
> well, he can make an ip alias on eth0: (by the way, I didn't look at the ip's)
>   # ifconfig eth0:0 172.16.31.110
> He can make more aliases too... but that doesn't mean that anyone will be able to make a connection from outside to the masqueraded machines until IP PortForwarding is set up correctly on the Masq server to redirect the ip traffic to the masqueraded hosts. In fact he tried to do exactly that with iptables, but apparently didn't get the syntax right, I think. I think this is what he was asking about:
> http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO/x1583.html
>
> P.S. bOmbe, now I don't know how it is with solaris, but linux ip masquerading can't handle incoming services in this case, that's why this trick with ipportfw is done :)
>
> -- Greets, fr33zb1
RE: lug-bg: Problems with Linux 2.4 and NAT with iptables
-----Original Message-----
From: Nikolay Kabaivanov [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 18, 2001 6:29 PM
To: [EMAIL PROTECTED]
Subject: Re: lug-bg: Problems with Linux 2.4 and NAT with iptables

> Hello
> Right, you're correct, it's about static NAT, or Source NAT (SNAT). I brought the interface up long ago - otherwise the NAT doesn't get going at all. The problem is how to get the traffic going in the 2nd direction too, i.e. from the router 172.16.31.110 to the internal machine? Do I need to use DNAT there, i.e. write the reverse rule, or is the SNAT alone sufficient?

As far as I know Linux NAT from the 2.2 world, the packets that open connections from outside (with respect to the NAT) inward will have to be matched by some ipchains (iptables) rule that says what to do with them (e.g. DNAT). In Linux NAT (as far as I know it) there are no full translations, i.e. there is no way to write in the NAT table that every port of ip1 outside is remapped to every port of IP2 inside.
BR, Boyan
Re: lug-bg: Problems with Linux 2.4 and NAT with iptables
On Tuesday 18 December 2001 18:29, you wrote:
> Hello
> Right, you're correct, it's about static NAT, or Source NAT (SNAT). I brought the interface up long ago - otherwise the NAT doesn't get going at all.

it's not about bringing up the interface, obviously it has to be up; the point was to also bring up an ip alias for that interface (it seems that's how the ip's were written), but that is optional: as you have eth0 with IP 172.16.31.100, you give it an ip alias
  ifconfig eth0:0 172.16.31.110
(i.e. you do virtual hosting at the network layer..., you can also put more ip aliases on that interface: ifconfig eth0:1 172.16.31.111 and so on; it doesn't matter which of these IPs gets used)

> The problem is how to get the traffic going in the 2nd direction too, i.e. from the router 172.16.31.110 to the internal machine? Do I need to use DNAT there, i.e. write the reverse rule, or is the SNAT alone sufficient?

There has to be DNAT (destination NAT). I.e. the destination ip/port of the packets coming from outside will be changed, because nobody outside knows about your masqueraded host; only the Masq server can know its ip/port and accordingly makes the changes in the tcp/udp/icmp packets.
in the nat table, for the prerouting chain, you need to have:
  iptables -t nat -A PREROUTING -d 172.16.31.100 -i eth0 -j DNAT --to-destination 192.168.0.10
and before that you should have:
  iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
(set up some solid rules in the filter table, because this machine will also be your firewall, and all the traffic that is meant for the masqueraded machines had better be filtered thoroughly here before it goes inside).
now I don't know whether I got everything right ... so this is called ipportforwarding from the masq server to the masqueraded host (it can also be to a non-masqueraded one). on the masq server instead of 172.16.31.100 you can use the alias 172.16.31.110. for DNAT, instead of single ips and ports you can specify ranges of ips and ports (see the iptables man page for DNAT).

-- Greets, fr33zb1
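The thread's solution (ip_forward, the alias, SNAT out, DNAT in, and the filter-table rules George says not to skip) collected into one script, as an added example that nobody in the thread posted. It uses Nikolay's addresses (eth0 172.16.31.100 outside, eth1 192.168.0.3 inside, 192.168.0.10 exposed as 172.16.31.110); the exposed ports 80 and 443 and the DRY_RUN switch are assumptions. By default it only prints the commands; run it with DRY_RUN=0 as root to apply them.

```shell
#!/bin/sh
# Added example: 1:1 static NAT (SNAT out, DNAT in) plus the FORWARD rules that
# decide what may actually pass. Addresses are from the thread; ports are assumed.
EXT_IF=eth0; INT_IF=eth1
PUBLIC_IP=172.16.31.110; INTERNAL_IP=192.168.0.10
EXPOSED_TCP_PORTS="80 443"      # assumed: services the inside host is meant to offer
DRY_RUN=${DRY_RUN:-1}           # 1 = print the commands, 0 = execute them (needs root)

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

static_nat_rules() {
  # 1. routing between the interfaces must be on (the step that cost bOmbe 15 minutes)
  run sysctl -w net.ipv4.ip_forward=1
  # 2. the box must own the public address, or it never answers ARP for it
  run ifconfig "$EXT_IF:0" "$PUBLIC_IP"
  # 3. outbound: traffic from the inside host leaves with the public address
  run iptables -t nat -A POSTROUTING -s "$INTERNAL_IP" -o "$EXT_IF" \
      -j SNAT --to-source "$PUBLIC_IP"
  # 4. inbound: traffic for the public address is rewritten to the inside host.
  #    PREROUTING matches on the arriving interface (-i); -o is not valid there.
  run iptables -t nat -A PREROUTING -d "$PUBLIC_IP" -i "$EXT_IF" \
      -j DNAT --to-destination "$INTERNAL_IP"
  # 5. NAT only rewrites addresses; FORWARD decides what passes. Default deny,
  #    allow replies, allow the inside host out, and allow in only the listed ports.
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INTERNAL_IP" -j ACCEPT
  for p in $EXPOSED_TCP_PORTS; do
    run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$INTERNAL_IP" \
        -p tcp --dport "$p" -m state --state NEW -j ACCEPT
  done
}

# Self-check on the dry-run output: how many emitted commands match a pattern.
count_rules() { static_nat_rules | grep -c -- "$1"; }

static_nat_rules
```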