Question

linux iptables

Asked by: patrick24

Hi all,

I have a question.

I have two NICs: eth0 (public) and eth1 (internal).
eth0 IP 10.0.0.1/8
eth1 IP 192.168.0.1/24

All users are connected to eth1; I did SNAT and it works fine.
But if I have an internal user who wants to use a public IP address for access, how am I going to do it?
The user will be given a public IP address of 10.0.0.5/8 on the internal network, which is the 192.168.0.0/24 network.
Since I already configured SNAT for this network, how am I going to configure it so this stupid user can access the internet directly?

I tried to create a virtual interface eth1:1 with the IP address 10.0.0.2/8 and allowed traffic from eth1:1 in the INPUT and FORWARD chains, but it doesn't seem to work....

Thanks for any help :)

This question has been solved and the asker verified the solution.

Asked On: 2003-07-12 at 12:50:57, ID 20676713
Tags: iptables
Topic: Linux Network Security
Participating Experts: 4
Points: 250
Comments: 13

Answers

 

by: philjones85, posted on 2003-07-12 at 14:15:14, ID: 8909887

Use masquerading; this script should help. Just set the default gateway (for the internal computer) to the machine running this.
----------------------------------------------------
#!/bin/bash

echo -n "Removing ipchains crap: "
rmmod ipchains 2>/dev/null   # ipchains and ip_tables cannot both be loaded
modprobe ip_tables           # modprobe resolves the module path and its dependencies (insmod does not)
modprobe iptable_nat         # provides the nat table used below
echo

echo -n "Setup system parameters: "
echo 1 > /proc/sys/net/ipv4/ip_forward                    # route between eth0 and eth1
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter           # drop packets whose source is not routable back out the same interface
echo 1 > /proc/sys/net/ipv4/conf/eth1/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_source_route # never honour source-routed packets
echo 0 > /proc/sys/net/ipv4/conf/eth1/accept_source_route
echo

echo -n "Flush old tables: "
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -t nat -F POSTROUTING
echo

echo -n "Setting up masquerading: "
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
echo
----------------------------------------------------

 

by: brabard, posted on 2003-07-13 at 01:12:19, ID: 8911399

Well, you must use some kind of tunneling to access an IP address from eth0's network through eth1. But there are two ways to connect this "stupid" :)) user to the Internet, two stupid but useful chances, I think.
First, ask your provider to give you a little (maybe /30) real network and do eth1:0 with this.
Second (more stupid, because you will not be able to control that user), put a switch in front of eth0, connect the user to it, and give him a real IP address.

 

by: patrick24, posted on 2003-07-13 at 01:47:47, ID: 8911458

Hi,

I don't think I should set up masquerading because I'm using SNAT; my public IP address is static, not dynamic.
My concern is how to configure it so that an internal stupid user holding a public IP address is able to access the internet :)

My setup is ....

Internet ------ eth0 (Linux) eth1 ------ 3Com Switch ----- internal network.

I have a few public IP addresses, but my internal network is connected to eth1, so I can only create eth1:1 instead of eth0:1.
Buying a switch is not an option either...

Sigh .... all because of that stupid user.
Thanks guys :)

 

by: brabard, posted on 2003-07-13 at 02:31:26, ID: 8911537

OK, I do not understand what the problem is with subnetting your public net if you have a lot of real addresses?
Assuming you were given a class C network subnetted with a /28 mask, let us range it from 192.168.0.0 to 192.168.0.15; your IP address is 192.168.0.2 and your default gw is 192.168.0.1. Just ask your provider to cut this network into two parts with a /29 mask and to route 192.168.0.8/29 through 192.168.0.2. Then do eth1:0 192.168.0.9 and your client 192.168.0.10, and go ahead.
"Buying a switch is not an option too..." but who pays for your time spent dealing with stupid users? :))

 

by: jlevie, posted on 2003-07-13 at 07:01:56, ID: 8912096

iptables can do static NAT (1:1) translations in addition to the more familiar network port address translations (many to 1, aka masquerade). I've only done this where all of the NAT translations were static, but I don't see anything in the Netfilter docs that says you can't mix NAT and NPAT.

To establish a static NAT translation, the first step is to create an IP alias on the outside interface for the outside IP. Then create an SNAT rule to map the inside IP onto that outside IP and a DNAT rule to map that outside IP onto the inside IP.
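The static 1:1 mapping described in the answer above, written out as an added example (not code from the thread or from any of its participants). It uses the question's numbers: eth0 = 10.0.0.1/8 on the public side, eth1 = 192.168.0.1/24 inside, the existing SNAT for 192.168.0.0/24, and 10.0.0.5 as the spare public address. The user's private address 192.168.0.10 is an assumption. The script only prints the commands unless DRY_RUN=0 is set, so it can be read and checked before it is run as root.

```shell
#!/bin/sh
# Added example: one internal host mapped 1:1 to a dedicated public IP with
# SNAT + DNAT, next to the existing many-to-one SNAT for the rest of the LAN.
# Addresses from the question; 192.168.0.10 is an assumed inside address.
# DRY_RUN=1 (default) prints the commands instead of executing them.

EXT_IF=eth0
INT_IF=eth1
INT_NET=192.168.0.0/24
: "${DRY_RUN:=1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# static_nat_rules INSIDE_IP PUBLIC_IP
# Emits the rules for one static mapping INSIDE_IP <-> PUBLIC_IP.
static_nat_rules() {
    [ $# -eq 2 ] || { echo "usage: static_nat_rules INSIDE_IP PUBLIC_IP" >&2; return 2; }
    inside=$1
    pub=$2
    # 1. Bind the extra public address to the OUTSIDE interface so the box
    #    answers ARP for it on the public segment. (The alias in the question
    #    was put on eth1, the inside, which is why it never worked.)
    run ip addr add "$pub/8" dev "$EXT_IF" label "$EXT_IF:1"
    # 2. Outbound: rewrite this host's source to its own public IP. The rule
    #    must sit BEFORE the generic SNAT/MASQUERADE rule for INT_NET, so it is
    #    inserted at position 1 (-I ... 1), not appended (-A).
    run iptables -t nat -I POSTROUTING 1 -s "$inside" -o "$EXT_IF" -j SNAT --to-source "$pub"
    # 3. Inbound: anything arriving on eth0 for the public IP is handed to the
    #    inside host. DNAT alone exposes every port; FORWARD decides what is
    #    actually let through.
    run iptables -t nat -A PREROUTING -d "$pub" -i "$EXT_IF" -j DNAT --to-destination "$inside"
    # 4. FORWARD (assumed policy DROP): the host may open connections out; only
    #    replies to them come back in. Add explicit ACCEPTs here for any
    #    service that really should be reachable from the internet.
    run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$inside" -j ACCEPT
    run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$inside" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Print (or apply) the plan for the one-off user.
static_nat_rules 192.168.0.10 10.0.0.5
```

Rule order is the part that bites in practice: `iptables -t nat -L POSTROUTING -n --line-numbers` should list the host-specific SNAT above the `192.168.0.0/24` rule, otherwise the user keeps leaving as 10.0.0.1. Because PREROUTING DNAT applies to every inbound packet for the public address, the FORWARD chain (not the nat table) is where exposure is limited.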

 

by: j2, posted on 2003-07-13 at 11:00:00, ID: 8912626

Proxy-ARP would solve this problem for you.

 

by: brabard, posted on 2003-07-13 at 23:43:08, ID: 8914973

Well, j2, I don't think so. As I remember, ARP is used to map a destination MAC address to a packet with a known destination IP address, and Proxy ARP returns the MAC address of the first hop to the source node. If 192.168.0.15 looks for 62.62.62.62, the router will return the MAC address of eth1, and the source, 192.168.0.15, will put this address in the packets to 62.62.62.62. How could this solve the problem?
Let's go back: patrick24's trouble is that he wants to map one network through two physical interfaces, eth0=10.0.0.1/8, eth1=10.0.0.2/8 and a node physically connected to eth1 = 10.0.0.3/8, and it tries to access the internet via eth0 and 10.0.0.4/8 (assuming this is the default gw).
What will happen with the routing table?
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth1
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth0
0.0.0.0         10.0.0.4        0.0.0.0         UG    0      0        0 eth0
I cannot see how this will work ....

 

by: j2, posted on 2003-07-14 at 01:03:42, ID: 8915256

That is not how proxy-ARP works in a practical sense.

Basically, he has more than one address available on the "public side", and wants a system on the internal side to be able to use this?

Let's say he has the addresses A, B and C available on eth0.

Most likely the interface itself will use "A", leaving B and C for proxy-ARP.

Just tell the firewall system to proxy-ARP the B-address to eth1, then set the client up on the inside to use the B-address, and everything is transparent; then you can route/create FW rules between your different subnets.

Now, a clever firewall (like Shorewall, which I like to plug) will have all these features already in place; just update your config files accordingly.

 

by: brabard, posted on 2003-07-14 at 01:49:33, ID: 8915430

As I see it, you mean that if we have "IPAddress_eth0<->MACAddress_eth0" and "IPAddress_eth1<->MACAddress_eth1", to make an ARP entry like "IPAddress_eth0<->MACAddress_eth1"?
It is interesting; I have to think it over ...

 

by: j2, posted on 2003-07-14 at 02:00:24, ID: 8915475

Well, it works. That's how we handle our DMZ, as well as a few systems for our customers.

 

by: brabard, posted on 2003-07-14 at 02:21:05, ID: 8915563

And which software do you use? Or just arp and iptables?
"NOTE: As of kernel 2.2.0 it is no longer possible to set an ARP entry for an entire subnet. Linux instead does automagic proxy arp when a route exists and it is forwarding. See arp(7) for details."
Maybe I was confused, because I read that part of man arp.

 

by: j2, posted on 2003-07-14 at 03:56:42, ID: 8915969

Shorewall (www.shorewall.net) has this automatically.

Let's say I want to make 10.0.0.25 available on the internal interface; I just edit the proxyarp file in Shorewall and add

#ADDRESS      INTERFACE   EXTERNAL   HAVEROUTE
10.0.0.25     eth1        eth0       no

then restart Shorewall, and the proxy ARP is complete.
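What a proxyarp entry like the one above amounts to in plain iproute2 and sysctl terms, applied to the question's numbers, as an added example (this is not Shorewall's own code and not code from the thread). It also answers the routing-table objection raised earlier: the box never carries 10/8 on both interfaces; it carries a single /32 host route for the user on eth1. The firewall has eth0 = 10.0.0.1/8 and eth1 = 192.168.0.1/24; the inside host is configured with 10.0.0.5/8 and, as an assumption, uses the upstream router 10.0.0.4 from brabard's table as its gateway. ip_forward must already be on (the masquerading script earlier in the thread does that). DRY_RUN=1 (the default) prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: reach an inside host that carries a public address, without
# NAT, by routing a /32 to the inside segment and answering ARP for it outside
# (what a Shorewall "ADDRESS INTERFACE EXTERNAL no" proxyarp line does).
# Addresses from the question; 10.0.0.4 as the upstream gateway is assumed.

EXT_IF=eth0
INT_IF=eth1
: "${DRY_RUN:=1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# proxy_arp_plan PUBLIC_IP
# Makes PUBLIC_IP live on INT_IF while the firewall keeps 10.0.0.1/8 on EXT_IF.
proxy_arp_plan() {
    [ $# -eq 1 ] || { echo "usage: proxy_arp_plan PUBLIC_IP" >&2; return 2; }
    pub=$1
    # 1. Host route. The /32 is more specific than 10.0.0.0/8 on eth0, so
    #    replies for this one address are routed to the inside segment and
    #    nothing else about 10/8 changes.
    run ip route add "$pub/32" dev "$INT_IF"
    # 2. Answer ARP for exactly this address on the public side with eth0's
    #    MAC. A published neighbour entry is narrower than setting proxy_arp=1
    #    on eth0, which would make the firewall answer for every destination
    #    it can route out another interface. The kernel honours the entry only
    #    because the route for $pub leaves by a different device (eth1) and
    #    forwarding is enabled.
    run ip neigh add proxy "$pub" dev "$EXT_IF"
    # 3. The inside host has a /8 mask, so it ARPs on the eth1 segment for every
    #    10.x.x.x destination, its gateway 10.0.0.4 included. With proxy_arp on
    #    eth1 the kernel answers those itself, since it routes 10/8 out eth0
    #    (the "automagic" proxy ARP quoted from arp(7) above). It does not
    #    answer for $pub itself, because that route points back out eth1.
    run sysctl -w "net.ipv4.conf.$INT_IF.proxy_arp=1"
    # 4. Forward the host's traffic (FORWARD policy assumed DROP). The existing
    #    SNAT rule matches only 192.168.0.0/24, so this source is left alone;
    #    a broader SNAT rule (e.g. -s 0/0) would need "! -s $pub" added to it.
    run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$pub" -j ACCEPT
    run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$pub" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

proxy_arp_plan 10.0.0.5
```

Two checks after applying it: `ip route get 10.0.0.5` on the firewall must show `dev eth1`, and `ip neigh show proxy` must list 10.0.0.5 on eth0. rp_filter=1 on eth1 stays compatible, because the reverse lookup for source 10.0.0.5 hits the /32 on eth1. The cost of this approach is the one j2 and brabard touch on: the host is on the public segment at layer 3, so whatever it may reach, and whatever may reach it, is decided solely by the FORWARD chain.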

 

by: brabard, posted on 2003-07-14 at 04:15:35, ID: 8916034

Aha, it runs iproute/iproute2 ... a pretty nice thing for sure.
