ipchains & masquerading & NAT
Matt Terry
matt@abernackie.com
Sat, 11 Nov 2000 18:37:57 -0500
on 11/11/00 11:38 AM, Matt Terry at matt@abernackie.com wrote:
I know port redirection works with ipchains, I do it myself. Why do you
want to redirect ALL traffic requests for the IP on eth1:0 to an internal machine?
I could see redirecting certain ports for services such as ftp, ssh, vnc,
samba, nfs, or whatever to various machines on the network.
Anyways,
Off the top of my head, there are two ways to do this: either set up
redirection rules for the IP you want to redirect, or, what might be less
confusing, scrounge up a third interface and create a second internal
subnet. (This way seems a little more organized.) Of course I'm no expert
either.
The tool I use is ipchains, with "ipmasqadm portfw". Here is an example from
my rule set for port redirection of HTTP port 8080.
ipmasqadm portfw -f                                         # flush (clear) the existing portfw table before adding rules
ipmasqadm portfw -a -P tcp -L <externalip> 8080 -R <intip> 8080
#
ipmasqadm portfw -a -P tcp -L <otherexip> 8080 -R <otherintip> 8080
As you can see, if you have two IP addresses assigned to one interface (which
I am assuming you have), then you will just have to create a rule specific to
that IP address. You can also redirect UDP; just change the tcp option to udp.
The ipmasqadm tool comes in a separate package from ipchains, but both work
together.
I think there is a newer form of ipchains called iptables; this may be
simpler to use. I personally haven't used it or even read any man pages about
iptables.
I hope this helps you out, or at least answers a question or two..
Like I said I'm no expert.
Let me know if I can help out any further.
Matt Terry
mterry@tcimet.net
> on 11/9/00 12:29 AM, Paul Donahue at donahu16@msu.edu wrote:
>
>> okay,
>>
>> So I've had masquerading and all that cool stuff set up for a couple of years
>> now and it's really great. However, I am no longer satisfied by this. I have
>> been slowly learning that ipchains is really cool and can do a lot.
>>
>> I currently have this:
>>
>> eth0: 192.168.1.1
>> eth1: <my real world ip>
>>
>> Chain input (policy ACCEPT):
>> target     prot opt     source                destination           ports
>> ACCEPT     tcp  ------  anywhere              localhost.localdomain any ->   1234
>> DENY       tcp  ------  anywhere              anywhere              any ->   1234
>> Chain forward (policy DENY):
>> target     prot opt     source                destination           ports
>> MASQ       all  ------  192.168.1.0/24        anywhere              n/a
>> Chain output (policy ACCEPT):
>>
>> this basically limits port 1234 to localhost connection only (don't ask) :)
>> and allows masquerading for everything on my internal network...
>>
>> This is what I WANT TO DO:
>> eth0: 192.168.1.1
>> eth1: <my current real world ip>
>> eth1:0: <another real world ip>
>>
>> Getting the other IP on eth1:0 is trivial and I have already done that. Now
>> the hard part.
>> I want EVERYTHING (ICMP too if possible, definitely TCP and UDP) that comes
>> in destined for "<another real world ip>" to be redirected to, say,
>> 192.168.1.254. This redirect must be transparent at the network layer, as I
>> wish external computers to be able to connect to the internal one
>> via this "<another real world ip>".
>>
>> I've spent the past couple of hours mulling over this and have not made much
>> progress. Have any of you out there been able to do this successfully?
>>
>> Any help that is offered is much appreciated,
>>
>> Paul Donahue
>> Computer Science Senior
>> Computer/Network Technician
>> Michigan State University
>> http://www.pdonahue.com/
>> ICQ: 1624723 Phone: 517-204-6047
>>
>> _______________________________________________
>> linux-user mailing list
>> linux-user@egr.msu.edu
>> http://www.egr.msu.edu/mailman/listinfo/linux-user
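The following script is an added example, not code from either poster. It generates the "ipmasqadm portfw" rule set that Matt's reply sketches, for an explicit list of services on one public alias address (eth1:0 in Paul's setup) forwarded to one internal host. It assumes the same ipmasqadm syntax shown in the reply (flush with -f, add with -a -P proto -L ext port -R int port) and a 2.2 kernel with masquerading and IPPORTFW support; the addresses and port lists are constructed placeholders. Note the caveat a practitioner would want: portfw only forwards TCP and UDP ports, so the "everything including ICMP" redirect from the original question is not something this tool can express, and the script rejects any other protocol instead of silently skipping it.

```bash
#!/bin/sh
# Added example (not from the thread): build an ipmasqadm portfw rule set that
# forwards selected TCP/UDP ports on a public alias IP to one internal host.
# ipmasqadm portfw is per-port only; ICMP cannot be forwarded this way, so
# every exposed service is listed explicitly (which also keeps exposure minimal).
# All addresses and ports used below are constructed placeholders.

# portfw_rule PROTO EXT_IP INT_IP EXT_PORT [INT_PORT]
# Prints one "ipmasqadm portfw -a" command. INT_PORT defaults to EXT_PORT.
# Returns 1 (printing nothing) for protocols portfw cannot handle.
portfw_rule() {
    proto=$1; ext_ip=$2; int_ip=$3; ext_port=$4; int_port=${5:-$4}
    case "$proto" in
        tcp|udp) ;;
        *) echo "portfw_rule: unsupported protocol '$proto' (tcp or udp only)" >&2
           return 1 ;;
    esac
    printf 'ipmasqadm portfw -a -P %s -L %s %s -R %s %s\n' \
        "$proto" "$ext_ip" "$ext_port" "$int_ip" "$int_port"
}

# build_rules EXT_IP INT_IP "proto/extport[:intport] ..."
# Prints the full rule set: a flush line, then one -a line per service.
# Example service list: "tcp/22 tcp/80:8080 udp/53" (80 outside -> 8080 inside).
build_rules() {
    ext_ip=$1; int_ip=$2; services=$3
    echo 'ipmasqadm portfw -f'
    for svc in $services; do
        proto=${svc%%/*}          # text before the first '/'
        ports=${svc#*/}           # text after the first '/'
        ext_port=${ports%%:*}     # before ':' (whole string if no ':')
        int_port=${ports#*:}      # after ':'  (whole string if no ':')
        portfw_rule "$proto" "$ext_ip" "$int_ip" "$ext_port" "$int_port" || return 1
    done
}

# Usage:        sh portfw.sh EXT_IP INT_IP "tcp/22 tcp/80:8080 udp/53"   (print rules)
#       APPLY=1 sh portfw.sh EXT_IP INT_IP "tcp/22 tcp/80:8080 udp/53"   (run them, as root)
if [ $# -eq 3 ]; then
    if [ "${APPLY:-0}" = 1 ]; then
        build_rules "$1" "$2" "$3" | sh
    else
        build_rules "$1" "$2" "$3"
    fi
fi
```

Run it once per public alias address (the reply's two-IP case is two invocations with different EXT_IP/INT_IP pairs); since the rules are printed before anything is applied, the exact list of ports opened to the internal host can be reviewed first.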