Proteus Guru
Joined: 14 Jul 2002 Posts: 346 Location: Hamburg, Germany
Posted: Tue Jan 14, 2003 2:59 am Post subject: Mapping of IPs |
Hi!
When I don't want to do NAT but instead want to map all traffic coming from i.e. 192.168.0.10 to some public IP i.e. 217.55.55.12 and vice versa, how can I do that?
I cannot find a rule for that. Is it possible? _________________ Greetings,
Proteus
Sven Vermeulen Retired Dev
Joined: 29 Aug 2002 Posts: 1345 Location: Mechelen, Belgium
slartibartfasz Veteran
Joined: 29 Oct 2002 Posts: 1462 Location: Vienna, Austria
Posted: Tue Jan 14, 2003 5:58 pm Post subject: Re: Mapping of IPs |
Proteus wrote: "I cannot find a rule for that. Is it possible?"
...if you want to use iptables, I think NAT is the way to do it... _________________ To an engineer the glass is neither half full, nor half empty - it is just twice as big as it needs to be.
Matje l33t
Joined: 29 Oct 2002 Posts: 619 Location: Hasselt, Belgium
Posted: Tue Jan 14, 2003 6:17 pm Post subject: |
Code: |
IPTABLES -A FORWARD tcp -i eth0 -j REDIRECT --to eth1
IPTABLES -A FORWARD tcp -i eth1 -j REDIRECT --to eth0
|
Something like this? _________________ Life is like a box of chocolates... Before you know it, it's empty...
Proteus Guru
Joined: 14 Jul 2002 Posts: 346 Location: Hamburg, Germany
Posted: Tue Jan 14, 2003 6:28 pm Post subject: |
NAT is not for me because the clients are Win PCs and they must be able to run any game online. Sometimes NAT causes problems with that.
What I want to do is to tell iptables that it should route traffic coming from i.e. 192.168.1.10 to a public IP like i.e. 194.50.50.10 and so on. We have 30 public IPs that should be routed this way.
Therefore, I think, my router must be able to respond to any traffic that is directed to any of the public IPs. That is my problem.
@Matje: I don't exactly understand what your rules would do. Looks like a never-ending loop to me?? _________________ Greetings,
Proteus
Sven Vermeulen Retired Dev
Joined: 29 Aug 2002 Posts: 1345 Location: Mechelen, Belgium
Posted: Tue Jan 14, 2003 6:33 pm Post subject: |
I've never had any troubles with gaming (my brother games a lot) and, to share internet, I use the following rules:
Code: |
/sbin/iptables -A POSTROUTING -t nat -o eth1 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth0 -o eth1 -s 192.168.0.0/24 -d ! 192.168.0.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -o eth0 -i eth1 -d 192.168.0.0/24 -s ! 192.168.0.0/24 -j ACCEPT
|
Yes, that's NAT. What games do you have troubles with? Perhaps googling would help.
Proteus Guru
Joined: 14 Jul 2002 Posts: 346 Location: Hamburg, Germany
Posted: Tue Jan 14, 2003 6:36 pm Post subject: |
I already do NAT. It works. But it does cause problems with games when multiple users play on the LAN. Just believe me.
Also, we just want to use the public IPs we got. _________________ Greetings,
Proteus
mrhodes Guru
Joined: 01 May 2002 Posts: 310 Location: Halifax, NS
Posted: Wed Jan 15, 2003 8:55 pm Post subject: What I had to do.... |
Hello,
I had similar problems with Empire Earth. I could join anyone from my WinXP client, however I couldn't host games because of being behind a real IP... I solved that problem by finding out what port EE uses and just forwarding all incoming packages to those ports to my WinXP machine.... Hosting worked great after that.
Mike
Proteus Guru
Joined: 14 Jul 2002 Posts: 346 Location: Hamburg, Germany
Posted: Wed Jan 15, 2003 9:08 pm Post subject: |
Yes, you can do port forwarding. But then you can only have one specific machine acting as a server. That solution does not work for me. I must be able to use any client as server with any game (even those not yet released) and it must not require any configuration of the router.
I just know there must be a solution - this is Linux after all. Must find it... _________________ Greetings,
Proteus
kashani Advocate
Joined: 02 Sep 2002 Posts: 2032 Location: San Francisco
Posted: Thu Jan 16, 2003 2:25 am Post subject: one to one NATing |
You need NAT at some point, otherwise the far end of the connection will see the internal IPs and most likely a provider in the middle will filter the NAT IP space. At least they should.
Let's say you have 4 machines internally
192.168.0.11/24
192.168.0.12/24
192.168.0.13/24
192.168.0.14/24
They all use the Linux box as the gateway, which is 192.168.0.1/24
Now your firewall has an external IP of 217.55.55.2/24. You'll want to match additional IPs to each internal machine
217.55.55.11 --> 192.168.0.11 and so on.
Code: |
iptables -A POSTROUTING -t nat -s 192.168.0.11 -o eth0 -j SNAT --to-source 217.55.55.11
iptables -A PREROUTING -t nat -d 217.55.55.11 -i eth0 -j DNAT --to-destination 192.168.0.11
|
The above might even work though I seriously doubt it, but it should give a better idea on what the config should look like. Also googling for "static nat iptables linux one-to-one SNAT NAT" might narrow it down.
kashani _________________ Will personally fix your server in exchange for motorcycle related shop tools in good shape.
Proteus Guru
Joined: 14 Jul 2002 Posts: 346 Location: Hamburg, Germany
Posted: Thu Jan 16, 2003 8:12 pm Post subject: |
Thanks a lot! You understood what I want to do. _________________ Greetings,
Proteus
kashani Advocate
Joined: 02 Sep 2002 Posts: 2032 Location: San Francisco
Posted: Thu Jan 16, 2003 10:00 pm Post subject: and one more thing |
Ran across this in another thread. You'll want to bind all the IPs to your Linux box. Your /etc/conf.d/net might look like this
Code: |
iface_eth0="217.55.55.1 broadcast 217.55.55.255 netmask 255.255.255.0"
# For adding aliases to an interface
#
alias_eth0="217.55.55.11 217.55.55.12 etc"
|
kashani _________________ Will personally fix your server in exchange for motorcycle related shop tools in good shape.
Rroet Apprentice
Joined: 27 May 2002 Posts: 176 Location: The Hague, The Netherlands
Posted: Fri Jan 17, 2003 6:41 am Post subject: |
Yes, virtual IP addresses on a NIC are possible, but keep in mind that this will only work if you have MULTIPLE EXTERNAL IP addresses. If you don't have them, your whole idea will not work.
An external IP address can only be mapped 1 on 1. With that I of course mean every external socket.
So redirecting 1 external IP address to 2 internal machines will not work unless you divide some sockets across those machines. _________________ Workstation: Shuttle SN85G4v2, AMD64 3200+, 512MB, 250GB sata, Radeon 9800 Pro.
Server 1: here
Server 2: here
Proteus Guru
Joined: 14 Jul 2002 Posts: 346 Location: Hamburg, Germany
Posted: Sat Jan 18, 2003 4:46 pm Post subject: |
Yes, that's exactly what I want to do. Map 1 internal for each 1 external address. We got 30 clients and about 32 external IPs - that should suffice. _________________ Greetings,
Proteus
splooge l33t
Joined: 30 Aug 2002 Posts: 636
Posted: Sat Jan 18, 2003 9:26 pm Post subject: |
Here's what I use:
Code: |
iptables -t nat -A POSTROUTING -s 10.1.1.1 -j SNAT --to 123.456.789.1
iptables -t nat -A PREROUTING -d 123.456.789.1 -j DNAT --to 10.1.1.1
|
Of course that's very insecure =)
Proteus Guru
Joined: 14 Jul 2002 Posts: 346 Location: Hamburg, Germany
Posted: Sun Jan 19, 2003 3:27 pm Post subject: |
Excuse me but why is that insecure?
Or do you mean because of the absence of any other filtering rules in between? I assume that those exist but are not listed because we just talked about the mapping here.
Or is there anything that prohibits filtering with this setup? I'd be surprised to hear that, but you never know... _________________ Greetings,
Proteus
Rroet Apprentice
Joined: 27 May 2002 Posts: 176 Location: The Hague, The Netherlands
Posted: Mon Jan 20, 2003 7:01 am Post subject: |
No, it can't be filtered if I remember correctly.
Check this scheme and know what you have to do:
http://iptables-tutorial.frozentux.net/images/tables_traverse.jpg
I partially participated in this project. Mostly on reading the stuff and commenting on little errors, but this is a good study for anyone who wants to know all about iptables:
Iptables-Tutorial _________________ Workstation: Shuttle SN85G4v2, AMD64 3200+, 512MB, 250GB sata, Radeon 9800 Pro.
Server 1: here
Server 2: here
Proteus Guru
Joined: 14 Jul 2002 Posts: 346 Location: Hamburg, Germany
Posted: Mon Jan 20, 2003 11:12 am Post subject: |
Well, I think that there can be filtering rules implemented.
Do the filtering in the FORWARD chain, because everything that's forwarded must go through it.
I don't see why that should not work. _________________ Greetings,
Proteus
splooge l33t
Joined: 30 Aug 2002 Posts: 636
Posted: Mon Jan 20, 2003 7:05 pm Post subject: |
You could for example filter based on port or source IP, such as:
Code: |
iptables -P INPUT DROP
iptables -t nat -A PREROUTING -d 123.456.789.0 -s 234.567.890.1 -p tcp --dport 80 -j DNAT --to 10.1.1.1
|
That would only allow port 80 connections from 234.567.890.1 to 123.456.789.0 and then the rest of the traffic would hit the input drop rule.
Right?
Or like Proteus said you could do it here also:
Code: |
iptables -P FORWARD DROP
iptables -A FORWARD -s 234.567.890.1 -d 123.456.789.0 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
|
Right?
Rroet Apprentice
Joined: 27 May 2002 Posts: 176 Location: The Hague, The Netherlands
Posted: Mon Jan 20, 2003 8:20 pm Post subject: |
Again, THAT CANNOT BE DONE!
Like he said:
He wants to connect internal IPs [192.168.x.x / 10.x.x.x] to external IP addresses... so it's nice to forward incoming stuff to 192.168.x.x and try to NAT it outgoing again, but iptables can't comprehend this complex thing you're trying to make of it. iptables cannot connection track forwarded packets which aren't prerouted before and correctly NAT them back to the external IP that was trying to talk to this machine.
There is a little basic filtering you can do to filter out bad / malformed packages, but that's about it.
RTFM and see what can and cannot be done. _________________ Workstation: Shuttle SN85G4v2, AMD64 3200+, 512MB, 250GB sata, Radeon 9800 Pro.
Server 1: here
Server 2: here
Proteus Guru
Joined: 14 Jul 2002 Posts: 346 Location: Hamburg, Germany
Posted: Mon Jan 20, 2003 10:26 pm Post subject: |
Ok, I did not mean to be offensive.
I do believe that you know what you are talking about.
What I never knew was that this is a complex thing to achieve with iptables; I always thought of it as being extremely simple.
And btw, I really tried RTFM even before posting the first message in here, but I still cannot find the part where it states that forwarded traffic cannot be filtered. But I will be glad if you give me a hint or hit my dumb head on a stone until I can see it myself. _________________ Greetings,
Proteus
Rroet Apprentice
Joined: 27 May 2002 Posts: 176 Location: The Hague, The Netherlands
Posted: Tue Jan 21, 2003 7:18 am Post subject: |
dunno, must have missed a couple of hours of sleep somewhere this week. Normally I tend to behave on forums...
What do you want to have filtered out? Because some basic filtering .... I might wanna try to break my head over it and see if it indeed can / can't be done.. afaik it couldn't be done according to the manual. Seeing the entire structure you can also see it can't be done, but I remember there are ways to fool the system. _________________ Workstation: Shuttle SN85G4v2, AMD64 3200+, 512MB, 250GB sata, Radeon 9800 Pro.
Server 1: here
Server 2: here
Proteus Guru
Joined: 14 Jul 2002 Posts: 346 Location: Hamburg, Germany
Posted: Tue Jan 21, 2003 12:38 pm Post subject: |
But the structure that is shown in this thread is my problem.
There is a "forward filter" section in it and I thought that there is the point where forwarded (i.e. SNAT/DNAT/MASQUERADE) traffic can be filtered.
Or is that something completely different? _________________ Greetings,
Proteus
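As an added example (not code from the thread or from any of its posters), here is a script that generates the one-to-one SNAT/DNAT pairs kashani and splooge sketch, binds the public addresses to the external NIC like kashani's alias_eth0 entry, and puts the filtering in the FORWARD chain as Proteus proposes, where the packet arrives after PREROUTING DNAT already carrying the private address. The interface names (eth0 public, eth1 LAN) and the address pairs in MAPPINGS are assumptions; the script prints the commands instead of running them so the rule set can be reviewed before being piped to sh as root.

```shell
#!/bin/sh
# Assumed topology: eth0 faces the Internet, eth1 faces the LAN.
EXT_IF=${EXT_IF:-eth0}
INT_IF=${INT_IF:-eth1}
# Constructed mapping table, one "public_ip private_ip" pair per line.
MAPPINGS='217.55.55.11 192.168.0.11
217.55.55.12 192.168.0.12'

# Emit the commands for one public/private pair.
map_one() {
    pub=$1; priv=$2
    # Bind the public address to the external NIC so the router answers ARP for it
    # (iproute2 equivalent of the alias_eth0 line discussed above).
    echo "ip addr add $pub/32 dev $EXT_IF"
    # Inbound: rewrite the public destination to the LAN host before routing.
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -d $pub -j DNAT --to-destination $priv"
    # Outbound: rewrite the LAN host's source to its own public address after routing.
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $priv -j SNAT --to-source $pub"
}

# NAT only rewrites addresses; the packet still traverses FORWARD, so the
# policy lives there and conntrack admits the replies in both directions.
forward_base() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
}
forward_host() {
    priv=$1
    # The mapped LAN host may open anything outbound.
    echo "iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $priv -m state --state NEW -j ACCEPT"
    # Inbound new connections reach only the mapped host (it is matched on the
    # private address, since DNAT has already happened). Add "-p tcp --dport N"
    # here to restrict this to particular services.
    echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -d $priv -m state --state NEW -j ACCEPT"
}

# Build the complete rule set from MAPPINGS.
build_all() {
    forward_base
    printf '%s\n' "$MAPPINGS" | while read -r pub priv; do
        [ -n "$pub" ] || continue
        map_one "$pub" "$priv"
        forward_host "$priv"
    done
}

build_all
```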