Gentoo Forums
Networking & Security
Mapping of IPs
Proteus (Guru; joined 14 Jul 2002; 346 posts; Hamburg, Germany)
Posted: Tue Jan 14, 2003 2:59 am    Post subject: Mapping of IPs

Hi!

When I don't want to do NAT but instead want to map all traffic coming from i.e. 192.168.0.10 to some public IP i.e. 217.55.55.12 and vice versa, how can I do that?

I cannot find a rule for that. Is it possible?
_________________
Greetings,
Proteus
Sven Vermeulen (Retired Dev; joined 29 Aug 2002; 1345 posts; Mechelen, Belgium)
Posted: Tue Jan 14, 2003 5:50 pm

What do you mean by "map"? You mean IP spoofing?
http://www.linuxgazette.com/issue63/sharma.html
slartibartfasz (Veteran; joined 29 Oct 2002; 1462 posts; Vienna, Austria)
Posted: Tue Jan 14, 2003 5:58 pm    Post subject: Re: Mapping of IPs

Proteus wrote:
    I cannot find a rule for that. Is it possible?

...if you want to use iptables, I think NAT is the way to do it...
_________________
To an engineer the glass is neither half full, nor half empty - it is just twice as big as it needs to be.
Matje (l33t; joined 29 Oct 2002; 619 posts; Hasselt, Belgium)
Posted: Tue Jan 14, 2003 6:17 pm

Code:

iptables -A FORWARD -p tcp -i eth0 -j REDIRECT --to eth1
iptables -A FORWARD -p tcp -i eth1 -j REDIRECT --to eth0

something like this? :)
_________________
Life is like a box of chocolates... Before you know it, it's empty...
Proteus (Guru; joined 14 Jul 2002; 346 posts; Hamburg, Germany)
Posted: Tue Jan 14, 2003 6:28 pm

NAT is not for me because the clients are Win PCs and they must be able to run any game online. Sometimes NAT causes problems with that.

What I want to do is to tell iptables that it should route traffic coming from i.e. 192.168.1.10 to a public IP like i.e. 194.50.50.10 and so on. We have 30 public IPs that should be routed this way.

Therefore, I think, my router must be able to respond to any traffic that is directed to any of the public ips. That is my problem.

@Matje: I don't exactly understand what your rules would do. Looks like a never ending loop to me??
_________________
Greetings,
Proteus
Sven Vermeulen (Retired Dev; joined 29 Aug 2002; 1345 posts; Mechelen, Belgium)
Posted: Tue Jan 14, 2003 6:33 pm

I've never had any troubles with gaming (my brother games a lot) and, to share internet, I use the following rules:
Code:

/sbin/iptables -A POSTROUTING -t nat -o eth1 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth0 -o eth1 -s 192.168.0.0/24 -d ! 192.168.0.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -o eth0 -i eth1 -d 192.168.0.0/24 -s ! 192.168.0.0/24 -j ACCEPT

Yes, that's NAT. What games do you have troubles with? Perhaps google'ing would help.
Proteus (Guru; joined 14 Jul 2002; 346 posts; Hamburg, Germany)
Posted: Tue Jan 14, 2003 6:36 pm

I already do NAT. It works. But it does cause problems with games when multiple users play on the LAN. Just believe me.
Also, we just want to use the public IPs we got.
_________________
Greetings,
Proteus
mrhodes (Guru; joined 01 May 2002; 310 posts; Halifax, NS)
Posted: Wed Jan 15, 2003 8:55 pm    Post subject: What I had to do....

Hello,

I had similar problems with Empire Earth. I could join anyone from my WinXP client, however I couldn't host games because of being behind a real IP... I solved that problem by finding out what ports EE uses and just forwarding all incoming packets to those ports to my WinXP machine.... Hosting worked great after that.

Mike
Proteus (Guru; joined 14 Jul 2002; 346 posts; Hamburg, Germany)
Posted: Wed Jan 15, 2003 9:08 pm

Yes, you can do port forwarding. But then you can only have one specific machine acting as a server. That solution does not work for me. I must be able to use any client as a server with any game (even those not yet released) and it must not require any configuration of the router.

I just know there must be a solution - this is Linux after all. Must find it...
_________________
Greetings,
Proteus
kashani (Advocate; joined 02 Sep 2002; 2032 posts; San Francisco)
Posted: Thu Jan 16, 2003 2:25 am    Post subject: one to one NATing

You need NAT at some point, otherwise the far end of the connection will see the internal IPs and most likely a provider in the middle will filter the NAT IP space. At least they should.

let's say you have 4 machines internally

192.168.0.11/24
192.168.0.12/24
192.168.0.13/24
192.168.0.14/24

They all use the Linux box as the gateway which is 192.168.0.1/24

Now your firewall has an external IP of 217.55.55.2/24. You'll want to match additional IPs to each internal machine

217.55.55.11 --> 192.168.0.11 and so on.

Code:

# outbound: traffic from the internal host leaves eth0 with its own public address
iptables -A POSTROUTING -t nat -s 192.168.0.11 -o eth0 -j SNAT --to-source 217.55.55.11
# inbound: traffic arriving on eth0 for the public address is rewritten to the internal host
iptables -A PREROUTING -t nat -d 217.55.55.11 -i eth0 -j DNAT --to-destination 192.168.0.11

The above might even work, though I seriously doubt it, but it should give a better idea of what the config should look like. Also googling for "static nat iptables linux one-to-one SNAT NAT" might narrow it down.

kashani
_________________
Will personally fix your server in exchange for motorcycle related shop tools in good shape.
Proteus (Guru; joined 14 Jul 2002; 346 posts; Hamburg, Germany)
Posted: Thu Jan 16, 2003 8:12 pm

Thanks a lot! You understood what I want to do.
_________________
Greetings,
Proteus
kashani (Advocate; joined 02 Sep 2002; 2032 posts; San Francisco)
Posted: Thu Jan 16, 2003 10:00 pm    Post subject: and one more thing

Ran across this in another thread. You'll want to bind all the IPs to your Linux box. Your /etc/conf.d/net might look like this:
Code:

iface_eth0="217.55.55.1 broadcast 217.55.55.255 netmask 255.255.255.0"

# For adding aliases to an interface
#
alias_eth0="217.55.55.11 217.55.55.12 etc"

kashani
_________________
Will personally fix your server in exchange for motorcycle related shop tools in good shape.
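An added example, not from kashani's posts or anything else in this thread: a POSIX shell script that generates the SNAT/DNAT pair from the "one to one NATing" post for a whole list of internal/external pairs, validates each address first (iptables rejects malformed ones, such as octets above 255, at load time), and also prints the alias_eth0 line from the follow-up post so the router answers ARP for every public address it is supposed to translate. The interface name eth0, the address pairs in MAPPINGS and the function names are assumptions; the script prints the rules for review instead of loading them.

```shell
#!/bin/sh
# Added example, not from the thread: generate the one-to-one NAT rules and
# the interface alias line for a whole list of internal/external pairs.
# Addresses and interface names are constructed placeholders. The script only
# prints rules so they can be reviewed before being piped to sh.

EXT_IF="${EXT_IF:-eth0}"   # interface carrying the public addresses

# Constructed mapping table, one "internal external" pair per line.
MAPPINGS="192.168.0.11 217.55.55.11
192.168.0.12 217.55.55.12
192.168.0.13 217.55.55.13"

# Succeed only for a syntactically valid dotted-quad IPv4 address
# (four octets, each 0-255); iptables rejects anything else at load time.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*|"") return 1 ;;
    esac
    old_ifs="$IFS"; IFS=.
    set -- $1
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the two nat rules mapping internal host $1 to public address $2.
one_to_one_rules() {
    valid_ipv4 "$1" && valid_ipv4 "$2" || return 1
    # outbound: the host's traffic leaves with its own public source address
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $1 -j SNAT --to-source $2"
    # inbound: traffic for the public address is rewritten to the host before routing
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -d $2 -j DNAT --to-destination $1"
}

# Print rules for every pair; stop on the first malformed entry.
all_rules() {
    while read -r int ext; do
        [ -n "$int" ] || continue
        one_to_one_rules "$int" "$ext" || { echo "bad mapping: $int $ext" >&2; return 1; }
    done <<EOF
$MAPPINGS
EOF
}

# Print the /etc/conf.d/net alias line that binds every public address to
# EXT_IF, so the router answers ARP for them and DNAT'd traffic actually arrives.
alias_line() {
    ips=""
    while read -r int ext; do
        [ -n "$ext" ] || continue
        ips="$ips${ips:+ }$ext"
    done <<EOF
$MAPPINGS
EOF
    echo "alias_$EXT_IF=\"$ips\""
}

# Usage: review the output, then pipe the rule lines to sh on the router.
all_rules && alias_line
```

Keeping the mapping table in one place means the nat rules and the alias line can never drift apart, which is the usual way a public address ends up "mapped" in iptables but unreachable because nothing on the router claims it on the wire.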
Rroet (Apprentice; joined 27 May 2002; 176 posts; The Hague, The Netherlands)
Posted: Fri Jan 17, 2003 6:41 am

Yes, virtual IP addresses on a NIC are possible, but keep in mind that this will only work if you have MULTIPLE EXTERNAL IP addresses. If you don't have them, your whole idea will not work.

An external IP address can only be mapped 1 on 1. With that I of course mean every external socket.

So redirecting 1 external IP address to 2 internal machines will not work unless you divide some sockets across those machines.
_________________
Workstation: Shuttle SN85G4v2, AMD64 3200+, 512MB, 250GB sata, Radeon 9800 Pro.
Server 1: here
Server 2: here
Proteus (Guru; joined 14 Jul 2002; 346 posts; Hamburg, Germany)
Posted: Sat Jan 18, 2003 4:46 pm

Yes, that's exactly what I want to do. Map 1 internal for each 1 external address. We got 30 clients and about 32 external IPs - that should suffice ;-)
_________________
Greetings,
Proteus
splooge (l33t; joined 30 Aug 2002; 636 posts)
Posted: Sat Jan 18, 2003 9:26 pm

Here's what I use:

Code:
iptables -t nat -A POSTROUTING -s 10.1.1.1 -j SNAT --to 123.456.789.1
iptables -t nat -A PREROUTING -d 123.456.789.1 -j DNAT --to 10.1.1.1


Of course that's very insecure =)
Proteus (Guru; joined 14 Jul 2002; 346 posts; Hamburg, Germany)
Posted: Sun Jan 19, 2003 3:27 pm

Excuse me but why is that insecure?
Or do you mean because of the absence of any other filtering rules in between? I assume that those exist but are not listed because we just talked about the mapping here.

Or is there anything that prohibits filtering with this setup? I'd be surprised to hear that but you never know...
_________________
Greetings,
Proteus
Rroet (Apprentice; joined 27 May 2002; 176 posts; The Hague, The Netherlands)
Posted: Mon Jan 20, 2003 7:01 am

No, it can't be filtered if I remember correctly.
check this scheme and know what you have to do:
http://iptables-tutorial.frozentux.net/images/tables_traverse.jpg

I partially participated in this project. Mostly on reading the stuff and commenting on little errors, but this is a good study for anyone who wants to know all about iptables:

Iptables-Tutorial
_________________
Workstation: Shuttle SN85G4v2, AMD64 3200+, 512MB, 250GB sata, Radeon 9800 Pro.
Server 1: here
Server 2: here
Proteus (Guru; joined 14 Jul 2002; 346 posts; Hamburg, Germany)
Posted: Mon Jan 20, 2003 11:12 am

Well, I think that there can be filtering rules implemented.
Do the filtering in the FORWARD chain, because everything that's forwarded must go through it.
I don't see why that should not work.
_________________
Greetings,
Proteus
splooge (l33t; joined 30 Aug 2002; 636 posts)
Posted: Mon Jan 20, 2003 7:05 pm

You could for example filter based on port or source ip such as:

Code:

iptables -P INPUT DROP
iptables -t nat -A PREROUTING -d 123.456.789.0 -s 234.567.890.1 -p tcp --dport 80 -j DNAT --to 10.1.1.1

That would only allow port 80 connections from 234.567.890.1 to 123.456.789.0 and then the rest of the traffic would hit the input drop rule.

Right?

Or like Proteus said you could do it here also:

Code:

iptables -P FORWARD DROP
iptables -A FORWARD -s 234.567.890.1 -d 123.456.789.0 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

Right?
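An added example, not from splooge's post or anything else in this thread: a POSIX shell script that puts the one-to-one translation in the nat table and the access policy in the FORWARD chain. A forwarded packet reaches FORWARD only after PREROUTING has already rewritten its destination, so the filter rules match on the internal address; the INPUT chain applies only to packets addressed to the router itself, which is why a default DROP there does not restrict translated traffic. The interface names eth0/eth1, the addresses (203.0.113.1 is from a documentation range) and the function names are assumptions; the script prints the rules for review rather than loading them.

```shell
#!/bin/sh
# Added example, not from the thread: filtering a one-to-one mapped host.
# The translation lives in the nat table; the policy lives in the FORWARD
# chain, which every forwarded packet traverses after PREROUTING has already
# rewritten its destination, so FORWARD matches on the internal address.
# INPUT only sees traffic addressed to the router itself.
# Interface names and addresses are assumed placeholders; the script prints
# the rules so they can be reviewed before being piped to sh.

EXT_IF="${EXT_IF:-eth0}"   # public side
INT_IF="${INT_IF:-eth1}"   # LAN side

# Chain-wide policy: deny forwarding by default, but always let replies
# and related traffic (ICMP errors, FTP data connections) through.
base_policy() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Rules for internal host $1 mapped to public address $2.
# New inbound connections are admitted only on the TCP ports listed in $3
# (space separated); everything else destined for the host is logged and
# falls through to the DROP policy.
host_rules() {
    int="$1"; ext="$2"; ports="$3"
    # nat: one-to-one translation in both directions
    echo "iptables -t nat -A PREROUTING  -i $EXT_IF -d $ext -j DNAT --to-destination $int"
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $int -j SNAT --to-source $ext"
    # filter: the host may open connections outward
    echo "iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $int -m state --state NEW -j ACCEPT"
    # filter: inbound, the destination is already $int here because DNAT ran first
    for p in $ports; do
        echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -d $int -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # rate-limited log of anything else aimed at the host; the DROP policy then applies
    echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -d $int -m limit --limit 5/min -j LOG --log-prefix \"FWD-DROP \""
}

# Review helper: how many rules in ruleset $1 admit NEW inbound connections.
count_inbound_accepts() {
    printf '%s\n' "$1" | grep -c -- "-i $EXT_IF -o $INT_IF .*--state NEW -j ACCEPT"
}

# Usage: emit a complete ruleset for one mapped host (constructed addresses).
base_policy
host_rules 10.1.1.1 203.0.113.1 "80 443"
```

Because the policy is expressed against the internal address and the interface pair, adding a second mapped host is one more host_rules call, and the LOG rule before the policy DROP leaves a record in the kernel log of inbound connection attempts that the ruleset rejected.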
Rroet (Apprentice; joined 27 May 2002; 176 posts; The Hague, The Netherlands)
Posted: Mon Jan 20, 2003 8:20 pm

again, THAT CANNOT BE DONE!

like he said:
He wants to connect internal IPs [192.168.x.x / 10.x.x.x] to external IP addresses... so it's nice to forward incoming stuff to 192.168.x.x and try to NAT it outgoing again, but iptables can't comprehend this complex thing you're trying to make of it. iptables cannot connection-track forwarded packets which aren't prerouted before and correctly NAT them back to the external IP that was trying to talk to this machine.

There is a little basic filtering you can do to filter out bad / malformed packets, but that's about it.

RTFM and see what can and cannot be done.
_________________
Workstation: Shuttle SN85G4v2, AMD64 3200+, 512MB, 250GB sata, Radeon 9800 Pro.
Server 1: here
Server 2: here
Proteus (Guru; joined 14 Jul 2002; 346 posts; Hamburg, Germany)
Posted: Mon Jan 20, 2003 10:26 pm

Ok, I did not mean to be offensive.
I do believe that you know what you are talking about.

What I never knew was that this is a complex thing to achieve with iptables; I always thought of it as being extremely simple :?

And btw, I really tried RTFM even before posting the first message in here but I can still not find the part where it states that forwarded traffic cannot be filtered. But I will be glad if you give me a hint or hit my dumb head on a stone until I can see it myself ;-)
_________________
Greetings,
Proteus
Rroet (Apprentice; joined 27 May 2002; 176 posts; The Hague, The Netherlands)
Posted: Tue Jan 21, 2003 7:18 am

Dunno, must have missed a couple of hours of sleep somewhere this week. Normally I tend to behave on forums...

What do you want to have filtered out? Because some basic filtering... I might wanna try to break my head over it and see if it indeed can / can't be done. AFAIK it couldn't be done according to the manual. Seeing the entire structure you can also see it can't be done, but I remember there are ways to fool the system :twisted:
_________________
Workstation: Shuttle SN85G4v2, AMD64 3200+, 512MB, 250GB sata, Radeon 9800 Pro.
Server 1: here
Server 2: here
Proteus (Guru; joined 14 Jul 2002; 346 posts; Hamburg, Germany)
Posted: Tue Jan 21, 2003 12:38 pm

But the structure that is shown in this thread is my problem.
There is a "forward filter" section in it and I thought that there is the point where forwarded (i.e. SNAT/DNAT/MASQUERADE) traffic can be filtered.

Or is that something completely different?
_________________
Greetings,
Proteus