On Mon, 2005-10-17 at 11:46 +0200, lore wrote:
> hi all,
> googling seems that I can't use multiple eth ( eg. eth0:0 ) in iptables rules 
> and that a rule for eth0 will also affect all additional IPs; and this is 
> what I knew.
> But if I use nessus to test the whole range of my IPs I've no response from the eth0 
> scan, but I've a lot of responses from the additional eth. Are they false 
> positives? Is there something I don't know?...Could anyone explain to me why this 
> behavior?

I'm not sure exactly what you want, but let me start by saying that
there are some things, like SNAT to different IPs based on the outbound
route, that cannot be done by using ifconfig, route and iptables; some
complex setups (like source-based routing) can only be done by dropping
ifconfig and route and then configuring interfaces, routes and
route-rules using the /sbin/ip utility and iptables.  Unfortunately, the
current networking scripts don't know much about /sbin/ip, but it is
much more powerful.

If you just want to SNAT to multiple IPs (in a round-robin fashion), all
of which are bound to the same interface using interfaces aliases (eth0,
eth0:0, eth0:1, eth0:2, etc), then you can do it like the following:

This assumes the default gateway is on eth0, there are multiple IPs
bound to eth0 (for this example, 10.3.2.1, 10.3.2.2, 10.3.2.3).  The
"internal", to-be-NAT'ed network is $INTERNAL_NET (and should take the
form 192.168.1.0/24)

# Round-robin SNAT: one --to (short for --to-source) per public address
# bound to eth0; -o eth0 and -s $INTERNAL_NET restrict it to outbound
# traffic from the inside.
iptables -t nat -A POSTROUTING \
    -o eth0 \
    -s "$INTERNAL_NET" \
    -j SNAT \
        --to 10.3.2.1 \
        --to 10.3.2.2 \
        --to 10.3.2.3

The -o eth0 ensures that we are SNAT'ing packets that are going to go
out our public interface, and the -s $INTERNAL_NET is a sanity check to
make sure we don't route martians.

Of course, you can stick other conditions in there too -- for example, I
have a rule that says anything that is TCP to port 5190 SNAT to a single
IP rather than use round-robin (this gets around some stupid
you're-coming-from-a-different-IP authentication issues with AOL Instant
Messenger).

For DNAT, you have to do it in a PREROUTING nat rule:

# DNAT happens in PREROUTING so the rewritten destination is what gets
# routed; $PUBLIC_IP is the address clients connect to.
iptables -t nat -A PREROUTING \
    -d "$PUBLIC_IP" \
    -j DNAT \
       --to "$INTERNAL_SERVICE_IP"

(mine are actually more complex than this because I only DNAT specific
services).  Note that I left -i eth0 out of this, but it might be a good
idea to add it.  $PUBLIC_IP can be any IP, but it makes sense to make
sure it is one that an interface is bound to, or, if you use -i eth0,
that eth0 is bound to.

I hope this helps.
-- 
Andy Bakun <[EMAIL PROTECTED]>

_______________________________________________
tsl-discuss mailing list
[email protected]
http://lists.trustix.org/mailman/listinfo/tsl-discuss
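The rules Andy sketches above, put together into one script as an added example (this is not code from his post or from Trustix): a pinned SNAT for tcp/5190 ahead of the round-robin one, the round-robin SNAT written as a single --to-source range (the current spelling of several --to options), a DNAT for one published service that matches on -i eth0 and -d together, and a check that every public IP is really bound to the interface before any rule is loaded. The 10.3.2.x addresses, eth0 and port 5190 are taken from the post; the internal server 192.168.1.10, the published port 80 and the sample `ip -4 -o addr show` output are assumptions made up for the example. With DRY_RUN=1 (the default) it prints the iptables command lines instead of running them and reads the constructed sample instead of the live interface.

```shell
#!/bin/sh
# Added example, not code from Andy Bakun's post: generate the nat rules the
# reply describes and check first that every public IP is actually bound to
# the public interface. Addresses 10.3.2.x and port 5190 come from the post;
# the internal server, the published port 80 and the sample `ip` output are
# made up for the example.

PUBLIC_IF=${PUBLIC_IF:-eth0}
INTERNAL_NET=${INTERNAL_NET:-192.168.1.0/24}
PUBLIC_IPS=${PUBLIC_IPS:-"10.3.2.1 10.3.2.2 10.3.2.3"}   # eth0, eth0:0, eth0:1
PINNED_IP=${PINNED_IP:-10.3.2.1}                         # single IP for tcp/5190
INTERNAL_SERVICE_IP=${INTERNAL_SERVICE_IP:-192.168.1.10} # assumed web server
DRY_RUN=${DRY_RUN:-1}   # 1 = print the rules, 0 = really run iptables

# Constructed sample of `ip -4 -o addr show dev eth0` on a host carrying the
# three addresses above; used instead of the live interface when DRY_RUN=1.
SAMPLE_IP_OUTPUT='2: eth0    inet 10.3.2.1/24 brd 10.3.2.255 scope global eth0
2: eth0    inet 10.3.2.2/24 brd 10.3.2.255 scope global secondary eth0:0
2: eth0    inet 10.3.2.3/24 brd 10.3.2.255 scope global secondary eth0:1'

# Run iptables, or just echo the command line when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Read `ip -4 -o addr show` output on stdin and print one bare IPv4 address
# per line. The alias label (eth0:0) is only a label; iptables never sees it.
bound_addrs() {
    awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4 }'
}

# Succeed if address $1 appears in the `ip` output read from stdin.
addr_is_bound() {
    bound_addrs | grep -qxF "$1"
}

# Warn about every public IP not bound to $PUBLIC_IF and return 1 if any is
# missing: SNAT to an address the host does not own leaves replies with
# nowhere to go, and DNAT on such an address never sees a packet.
check_public_ips() {
    if [ "$DRY_RUN" = 1 ]; then
        addrs=$(printf '%s\n' "$SAMPLE_IP_OUTPUT" | bound_addrs)
    else
        addrs=$(ip -4 -o addr show dev "$PUBLIC_IF" | bound_addrs)
    fi
    rc=0
    for addr in $PUBLIC_IPS; do
        if ! printf '%s\n' "$addrs" | grep -qxF "$addr"; then
            echo "warning: $addr is not bound to $PUBLIC_IF" >&2
            rc=1
        fi
    done
    return $rc
}

# Emit the nat rules. Order matters: the nat table is consulted once per new
# connection and the first matching rule wins, so the pinned SNAT goes first.
nat_rules() {
    set -- $PUBLIC_IPS
    first=$1
    eval "last=\${$#}"
    # Service that dislikes a changing source address: one public IP only.
    ipt -t nat -A POSTROUTING -o "$PUBLIC_IF" -s "$INTERNAL_NET" \
        -p tcp --dport 5190 -j SNAT --to-source "$PINNED_IP"
    # Everything else from the inside is spread over the whole public range.
    ipt -t nat -A POSTROUTING -o "$PUBLIC_IF" -s "$INTERNAL_NET" \
        -j SNAT --to-source "$first-$last"
    # Publish one service only, matched on interface and address together.
    ipt -t nat -A PREROUTING -i "$PUBLIC_IF" -d "$PINNED_IP" \
        -p tcp --dport 80 -j DNAT --to-destination "$INTERNAL_SERVICE_IP"
}

main() {
    check_public_ips || echo "fix the interface config before relying on these rules" >&2
    nat_rules
}

main "$@"
```

Run it as `DRY_RUN=1 sh nat.sh` to review the three rules, then `DRY_RUN=0 sh nat.sh` as root to load them. One caveat worth knowing when using the range form: kernels newer than the 2.6.10 series do not walk a --to-source range strictly round robin but pick the source address by hashing the connection, so a given client will usually keep the same public IP anyway; the pinned rule is still the only guarantee.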
