mokkan
asked on
IP Masquerading on Linux
I'm new to IP masquerading. I have two network interfaces in my Linux box and would like to take all the traffic from eth1 and forward it to eth0; from eth0 I connect to a switch, and then to my other boxes. If I understand correctly, when I do IP masquerading, will all of my private IPs be changed to the eth1 IP address or the eth0 IP address?
ASKER
Will the masquerading IP be the public IP address?
ASKER CERTIFIED SOLUTION
ASKER
Thank you for the info. What I'm doing is connecting the internet to the eth0 interface and eth1 to the private network.
I checked the link you gave and am trying to get a clear understanding.
>>> /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
The source address of packets leaving eth0 will be changed because of the above command. If I'm wrong, correct me.
/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
Any packets coming in on eth0 will be forwarded to eth1, but only RELATED and ESTABLISHED ones; if there is a new packet, what will happen?
/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
Any packets coming in on eth1 will be forwarded to eth0.
If there is an external request from the private network, the packet will go through eth1 to eth0; once the connection is established, when a packet comes back, the eth0 interface will accept it since we put ESTABLISHED in the iptables command.
I'm trying to get a clear understanding...
Thanks in advance.
SOLUTION
ASKER
Thank you very much. I'm almost there. Also, I believe that before it transfers the packets, it stores the packet's source IP and then sends the packet. I believe it is storing it locally. Can we check that table?
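Added example, not from this thread: the "table" asked about above is the kernel's connection-tracking table, which a Linux gateway exposes in /proc/net/nf_conntrack (also listed by `conntrack -L`). Each entry records the original tuple (the private host's real source) and the reply tuple (the address the remote side answers to, i.e. the masqueraded public IP); this parser reads constructed sample lines in that layout and lists the NAT mapping for every masqueraded flow, treating flows whose reply destination equals the original source as not NATed. It assumes the nf_conntrack line format (the older ip_conntrack file lacks the leading "ipv4 2" columns).

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Constructed sample in /proc/net/nf_conntrack layout for a gateway that
# masquerades LAN 192.168.1.0/24 (eth1) behind public address 203.0.113.5
# (eth0); all addresses are documentation ranges, not real hosts.
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=198.51.100.20 sport=45678 dport=80 src=198.51.100.20 dst=203.0.113.5 sport=80 dport=45678 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.1.11 dst=198.51.100.53 sport=51000 dport=53 src=198.51.100.53 dst=203.0.113.5 sport=53 dport=51000 mark=0 zone=0 use=2
ipv4     2 tcp      6 120 TIME_WAIT src=203.0.113.5 dst=198.51.100.20 sport=40000 dport=443 src=198.51.100.20 dst=203.0.113.5 sport=443 dport=40000 [ASSURED] mark=0 zone=0 use=1
"""
# Every entry carries two tuples: original direction first, reply direction second.
_TUPLE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

@dataclass
class Flow:
    proto: str
    state: Optional[str]   # TCP state word; UDP entries carry none
    orig_src: str          # address the LAN host really used
    orig_sport: int
    orig_dst: str
    orig_dport: int
    reply_dst: str         # where the remote side answers: the public IP when NATed
    reply_dport: int

    @property
    def masqueraded(self) -> bool:
        # MASQUERADE rewrote the source, so replies target a different address/port; that pair is the NAT entry.
        return (self.reply_dst, self.reply_dport) != (self.orig_src, self.orig_sport)

def parse_conntrack(text: str) -> List[Flow]:
    flows: List[Flow] = []
    for line in text.splitlines():
        fields, tuples = line.split(), _TUPLE.findall(line)
        if len(fields) < 6 or len(tuples) != 2:
            continue  # blank or unrecognised line
        state = None if fields[5].startswith("src=") else fields[5]
        (osrc, odst, osp, odp), (_, rdst, _, rdp) = tuples
        flows.append(Flow(fields[2], state, osrc, int(osp), odst, int(odp), rdst, int(rdp)))
    return flows

def nat_mappings(text: str) -> List[tuple]:
    """(private src:port, public src:port the remote sees, remote dst:port) per NATed flow."""
    return [(f"{f.orig_src}:{f.orig_sport}", f"{f.reply_dst}:{f.reply_dport}",
             f"{f.orig_dst}:{f.orig_dport}") for f in parse_conntrack(text) if f.masqueraded]

if __name__ == "__main__":
    # On a live gateway: nat_mappings(open("/proc/net/nf_conntrack").read())
    for private, public, remote in nat_mappings(SAMPLE_CONNTRACK):
        print(f"{private} -> {public} -> {remote}")
```

The reply tuple is also what the `--state RELATED,ESTABLISHED` FORWARD rule consults: a packet arriving on eth0 is accepted only if it matches a reply tuple already in this table, which is why unsolicited new packets from the internet are not forwarded.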
ASKER
Also, if I want to test the box from eth1 to the private network, I need a crossover cable, right?
Hi,
Something that might help if iptables makes you sick :)
Install "shorewall" (there's a package for it). It's, let's say, an easier tool for writing iptables rules.
With shorewall, masquerading is as easy as writing "eth1 eth0" in the "/etc/shorewall/masq" configuration file.
This means: traffic from eth0 (my LAN) has masquerading enabled through eth1 (my public interface).
Then, some examples of simple rules in /etc/shorewall/rules:
ACCEPT net fw tcp 25 # will allow incoming traffic from your interNET interface to your local FireWall
ACCEPT loc net tcp 80,443 # allow your LAN to go to http[s] (however, a bit stupid, you might want to use a proxy ; just an example)
On the web site (or in the documentation), you'll find pre-configured configuration files for 1-, 2- and 3-interface servers. "3" in your case: net, loc and the fw itself.
Bye bye complex iptables rules; shorewall will generate them for you.
This was a quick example. You can really write awesome things easily with shorewall.
I hope it'll help you.
ASKER
Thank you very much. I really wanted to do it on the command line, since at work we are not allowed to download any third-party RPMs. Now I understand most of it and I can play around with the rules. Also, I need to use a crossover cable from eth1 to the private box, right?
ASKER
Also, if the private Linux box needs web access, then the following commands should work, right?
# INPUT/OUTPUT only cover traffic to and from the firewall itself; LAN hosts' traffic is matched in the FORWARD chain
# DNS from the firewall: UDP query out on eth0, reply back in
iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
# HTTP from the firewall (TCP): request out on eth0, reply back in with source port 80
iptables -A OUTPUT -p tcp -o eth0 --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
SOLUTION
ASKER
This is for my personal use and testing purposes. I might be going to work on an iptables project; that's why I'm testing in my own hours. Sorry, private box means the one that is under the private network.
ASKER
Thanks a lot. I will try it and if there are any questions I'll let you know.