* 1:1 nat not working;
From: R. DuFresne @ 2005-06-04 20:04 UTC (permalink / raw)
To: netfilter
Okay, I need help getting this working; I've wasted too much time on it
and can't get it functional.
address mappings in /etc/hosts ;
# IP Block: public-IP.16/28
# usable IPs are public-IP.18 - public-IP.30
# base subnet public-IP.16
# broadcast address public-IP.31
# subnet mask 255.255.255.240
public-IP.18 darkstar. darkstar
public-IP.19 blackhole. blackhole
public-IP.20 nebula. nebula
public-IP.21 comet. comet
public-IP.22 orion. orion
public-IP.23 nova. nova
public-IP.24 quasar. quasar
public-IP.25 pulsar. pulsar
public-IP.26 venus. venus
public-IP.27 saturn. saturn
public-IP.28 jupiter. jupiter
public-IP.29 mars. mars
public-IP.30 pluto. pluto
# IP Block: 192.168.80.16/28
# usable IPs are 192.168.80.17 - 192.168.80.30
# base subnet 192.168.80.16
# broadcast address 192.168.80.31
# subnet mask 255.255.255.240
# 192.168.80.17 unused not.used
# 192.168.80.18 darkstar. darkstar.net
192.168.80.19 blackhole. blackhole.net
192.168.80.20 nebula. nebula.net
192.168.80.21 comet. comet.net
192.168.80.22 orion. orion.net
192.168.80.23 nova. nova.net
192.168.80.24 quasar. quasar.net
192.168.80.25 pulsar. pulsar.net
192.168.80.26 venus. venus.net
192.168.80.27 saturn. saturn.net
192.168.80.28 jupiter. jupiter.net
192.168.80.29 mars. mars.net
192.168.80.30 pluto. pluto.net
firewall script includes <and tried in various combinations on these settings>;
#iptables -t nat -A PREROUTING -i eth1 -s 192.168.80.19 -j DNAT --to-destination 70.61.80.19
#iptables -t nat -A PREROUTING -i eth1 -s 192.168.80.20 -j DNAT --to-destination 70.61.80.20
#iptables -t nat -A PREROUTING -i eth1 -s 192.168.80.21 -j DNAT --to-destination 70.61.80.21
#iptables -t nat -A PREROUTING -i eth1 -s 192.168.80.22 -j DNAT --to-destination 70.61.80.22
#iptables -t nat -A PREROUTING -i eth1 -s 192.168.80.23 -j DNAT --to-destination 70.61.80.23
#iptables -t nat -A PREROUTING -i eth1 -s 192.168.80.24 -j DNAT --to-destination 70.61.80.24
#iptables -t nat -A PREROUTING -i eth1 -s 192.168.80.25 -j DNAT --to-destination 70.61.80.25
#iptables -t nat -A PREROUTING -i eth1 -s 192.168.80.26 -j DNAT --to-destination 70.61.80.26
#iptables -t nat -A PREROUTING -i eth1 -s 192.168.80.27 -j DNAT --to-destination 70.61.80.27
#iptables -t nat -A PREROUTING -i eth1 -s 192.168.80.28 -j DNAT --to-destination 70.61.80.28
#iptables -t nat -A PREROUTING -i eth1 -s 192.168.80.29 -j DNAT --to-destination 70.61.80.29
#iptables -t nat -A PREROUTING -i eth1 -s 192.168.80.30 -j DNAT --to-destination 70.61.80.30
iptables -t nat -A PREROUTING -i eth1 -s 70.61.80.19 -j DNAT --to-destination 192.168.80.19
iptables -t nat -A PREROUTING -i eth1 -s 70.61.80.20 -j DNAT --to-destination 192.168.80.20
iptables -t nat -A PREROUTING -i eth1 -s 70.61.80.21 -j DNAT --to-destination 192.168.80.21
iptables -t nat -A PREROUTING -i eth1 -s 70.61.80.22 -j DNAT --to-destination 192.168.80.22
iptables -t nat -A PREROUTING -i eth1 -s 70.61.80.23 -j DNAT --to-destination 192.168.80.23
iptables -t nat -A PREROUTING -i eth1 -s 70.61.80.24 -j DNAT --to-destination 192.168.80.24
iptables -t nat -A PREROUTING -i eth1 -s 70.61.80.25 -j DNAT --to-destination 192.168.80.25
iptables -t nat -A PREROUTING -i eth1 -s 70.61.80.26 -j DNAT --to-destination 192.168.80.26
iptables -t nat -A PREROUTING -i eth1 -s 70.61.80.27 -j DNAT --to-destination 192.168.80.27
iptables -t nat -A PREROUTING -i eth1 -s 70.61.80.28 -j DNAT --to-destination 192.168.80.28
iptables -t nat -A PREROUTING -i eth1 -s 70.61.80.29 -j DNAT --to-destination 192.168.80.29
iptables -t nat -A PREROUTING -i eth1 -s 70.61.80.30 -j DNAT --to-destination 192.168.80.30
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.80.19 -j SNAT --to-source 70.61.80.19
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.80.20 -j SNAT --to-source 70.61.80.20
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.80.21 -j SNAT --to-source 70.61.80.21
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.80.22 -j SNAT --to-source 70.61.80.22
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.80.23 -j SNAT --to-source 70.61.80.23
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.80.24 -j SNAT --to-source 70.61.80.24
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.80.25 -j SNAT --to-source 70.61.80.25
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.80.26 -j SNAT --to-source 70.61.80.26
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.80.27 -j SNAT --to-source 70.61.80.27
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.80.28 -j SNAT --to-source 70.61.80.28
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.80.29 -j SNAT --to-source 70.61.80.29
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.80.30 -j SNAT --to-source 70.61.80.30
#iptables -t nat -A POSTROUTING -o eth0 -s 70.61.80.19 -j SNAT --to-source 192.168.80.19
#iptables -t nat -A POSTROUTING -o eth0 -s 70.61.80.20 -j SNAT --to-source 192.168.80.20
#iptables -t nat -A POSTROUTING -o eth0 -s 70.61.80.21 -j SNAT --to-source 192.168.80.21
#iptables -t nat -A POSTROUTING -o eth0 -s 70.61.80.22 -j SNAT --to-source 192.168.80.22
#iptables -t nat -A POSTROUTING -o eth0 -s 70.61.80.23 -j SNAT --to-source 192.168.80.23
#iptables -t nat -A POSTROUTING -o eth0 -s 70.61.80.24 -j SNAT --to-source 192.168.80.24
#iptables -t nat -A POSTROUTING -o eth0 -s 70.61.80.25 -j SNAT --to-source 192.168.80.25
#iptables -t nat -A POSTROUTING -o eth0 -s 70.61.80.26 -j SNAT --to-source 192.168.80.26
#iptables -t nat -A POSTROUTING -o eth0 -s 70.61.80.27 -j SNAT --to-source 192.168.80.27
#iptables -t nat -A POSTROUTING -o eth0 -s 70.61.80.28 -j SNAT --to-source 192.168.80.28
#iptables -t nat -A POSTROUTING -o eth0 -s 70.61.80.29 -j SNAT --to-source 192.168.80.29
#iptables -t nat -A POSTROUTING -o eth0 -s 70.61.80.30 -j SNAT --to-source 192.168.80.30
besides a few blocks in the input chain, everything is set to accept, and we show;
# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 8090 packets, 506K bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT all -- eth1 * 70.61.80.19 0.0.0.0/0 to:192.168.80.19
0 0 DNAT all -- eth1 * 70.61.80.20 0.0.0.0/0 to:192.168.80.20
0 0 DNAT all -- eth1 * 70.61.80.21 0.0.0.0/0 to:192.168.80.21
0 0 DNAT all -- eth1 * 70.61.80.22 0.0.0.0/0 to:192.168.80.22
0 0 DNAT all -- eth1 * 70.61.80.23 0.0.0.0/0 to:192.168.80.23
0 0 DNAT all -- eth1 * 70.61.80.24 0.0.0.0/0 to:192.168.80.24
0 0 DNAT all -- eth1 * 70.61.80.25 0.0.0.0/0 to:192.168.80.25
0 0 DNAT all -- eth1 * 70.61.80.26 0.0.0.0/0 to:192.168.80.26
0 0 DNAT all -- eth1 * 70.61.80.27 0.0.0.0/0 to:192.168.80.27
0 0 DNAT all -- eth1 * 70.61.80.28 0.0.0.0/0 to:192.168.80.28
0 0 DNAT all -- eth1 * 70.61.80.29 0.0.0.0/0 to:192.168.80.29
0 0 DNAT all -- eth1 * 70.61.80.30 0.0.0.0/0 to:192.168.80.30
Chain POSTROUTING (policy ACCEPT 1488 packets, 95181 bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * eth0 192.168.80.19 0.0.0.0/0 to:70.61.80.19
0 0 SNAT all -- * eth0 192.168.80.20 0.0.0.0/0 to:70.61.80.20
0 0 SNAT all -- * eth0 192.168.80.21 0.0.0.0/0 to:70.61.80.21
0 0 SNAT all -- * eth0 192.168.80.22 0.0.0.0/0 to:70.61.80.22
11 726 SNAT all -- * eth0 192.168.80.23 0.0.0.0/0 to:70.61.80.23
12 740 SNAT all -- * eth0 192.168.80.24 0.0.0.0/0 to:70.61.80.24
0 0 SNAT all -- * eth0 192.168.80.25 0.0.0.0/0 to:70.61.80.25
0 0 SNAT all -- * eth0 192.168.80.26 0.0.0.0/0 to:70.61.80.26
0 0 SNAT all -- * eth0 192.168.80.27 0.0.0.0/0 to:70.61.80.27
0 0 SNAT all -- * eth0 192.168.80.28 0.0.0.0/0 to:70.61.80.28
0 0 SNAT all -- * eth0 192.168.80.29 0.0.0.0/0 to:70.61.80.29
0 0 SNAT all -- * eth0 192.168.80.30 0.0.0.0/0 to:70.61.80.30
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
which almost makes it appear to be functioning, but it's an illusion.
Since my internal interface <now eth0 to work with established standards> is also my MX recorded in public DNS, I had to munge a route/nic on the external interface just to keep e-mail flowing: I ifconfig'ed an eth0:1 and set a host route to it.
lsmod reports these tables related modules;
ipt_multiport 664 11
iptable_mangle 2072 0 (unused)
iptable_nat 15438 1
ipt_limit 856 1
ipt_state 504 110
ipt_recent 7908 0 (unused)
ipt_LOG 3416 6
ipt_conntrack 1016 0 (unused)
ip_conntrack_ftp 3888 0 (unused)
ip_conntrack_irc 3024 0 (unused)
ip_conntrack 19236 7 [iptable_nat ipt_state ipt_conntrack ip_conntrack_ftp ip_conntrack_irc]
iptable_filter 1644 1
ip_tables 12416 11 [ipt_multiport iptable_mangle iptable_nat ipt_limit ipt_state ipt_recent ipt_LOG ipt_conntrack iptable_filter]
Any help is appreciated.
Thanks,
Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant:
http://
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover
instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>
* Re: 1:1 nat not working;
From: Jason Opperisano @ 2005-06-04 20:59 UTC (permalink / raw)
To: netfilter
On Sat, Jun 04, 2005 at 04:04:18PM -0400, R. DuFresne wrote:
> Okay, I need help getting this working, I've wasted too much time on it
> and can't get it functional.
>
> address mappings in /etc/hosts ;
>
> # IP Block: public-IP.16/28
> # usable IPs are public-IP.18 - public-IP.30
> # base subnet public-IP.16
> # broadcast address public-IP.31
> # subnet mask 255.255.255.240
and you've added the IPs .18 - .30 as aliases on your external
interface of your firewall machine with:
for i in `seq 18 30`; do
ip addr add x.y.z.${i} dev ${EXT_IF}
done
right?
as an aside, you could reduce the number of rules you have by using
NETMAP and a bit of auto-summarization:
x.y.z.18/31
x.y.z.20/30
x.y.z.24/30
x.y.z.28/31
x.y.z.30/32
iptables -t nat -A PREROUTING -d x.y.z.18/31 \
-j NETMAP --to 192.168.80.18/31
iptables -t nat -A POSTROUTING -s 192.168.80.18/31 \
-j NETMAP --to x.y.z.18/31
etc...
-j
--
"Jennifer Love Hewitt: "I Know What You Did Last Summer"?
Peter: Nope... never heard of it.
Jennifer Love Hewitt: "The Devil and Daniel Webster"?
Peter: No.
Jennifer Love Hewitt: "Party of Five"?
Peter: Was that a porno?"
--Family Guy
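The alias-plus-NETMAP setup from this reply, as an added example that is not part of the thread: a POSIX sh script that summarizes the usable range .18-.30 into the aligned CIDR blocks listed above (it implements the general summarization, so any contiguous range works) and prints the ip addr add and NETMAP rules rather than applying them. x.y.z and EXT_IF are placeholders as in the reply; the eth1 default is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholders: x.y.z (public prefix,
# as in the reply) and EXT_IF (external interface, assumed eth1 by default).
# Rules are printed, never applied, so they can be reviewed before use.

# summarize PREFIX FIRST LAST
# Splits a host range into the largest aligned CIDR blocks, e.g.
# 18..30 -> .18/31 .20/30 .24/30 .28/31 .30/32 (the reply's list).
summarize() {
    prefix=$1; start=$2; last=$3
    while [ "$start" -le "$last" ]; do
        size=1; plen=32
        # double the block while it stays aligned on its size and inside the range
        while [ $((start % (size * 2))) -eq 0 ] && [ $((start + size * 2 - 1)) -le "$last" ]; do
            size=$((size * 2)); plen=$((plen - 1))
        done
        printf '%s.%s/%s\n' "$prefix" "$start" "$plen"
        start=$((start + size))
    done
}

# netmap_rules PUB_PREFIX PRIV_PREFIX FIRST LAST EXT_IF
# 1) one alias per public address on the external interface, so the firewall
#    answers ARP for it (the step that was missing in the original setup);
# 2) one PREROUTING (matching the public destination) and one POSTROUTING
#    NETMAP rule per summarized block instead of one pair per host.
netmap_rules() {
    pub=$1; priv=$2; first=$3; last=$4; ext=$5
    i=$first
    while [ "$i" -le "$last" ]; do
        printf 'ip addr add %s.%s/32 dev %s\n' "$pub" "$i" "$ext"
        i=$((i + 1))
    done
    summarize "$pub" "$first" "$last" | while read -r pubblk; do
        blk=${pubblk##*.}     # "18/31": host part plus prefix length
        printf 'iptables -t nat -A PREROUTING -d %s -j NETMAP --to %s.%s\n' \
            "$pubblk" "$priv" "$blk"
        printf 'iptables -t nat -A POSTROUTING -s %s.%s -j NETMAP --to %s\n' \
            "$priv" "$blk" "$pubblk"
    done
}

netmap_rules x.y.z 192.168.80 18 30 "${EXT_IF:-eth1}"
```

After loading the printed rules, the pkts counters in iptables -t nat -vnL (as shown earlier in the thread) are the quickest check that inbound traffic is actually hitting the PREROUTING mappings.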
* Re: 1:1 nat not working;
From: R. DuFresne @ 2005-06-04 22:19 UTC (permalink / raw)
To: Jason Opperisano; +Cc: netfilter
On Sat, 4 Jun 2005, Jason Opperisano wrote:
> On Sat, Jun 04, 2005 at 04:04:18PM -0400, R. DuFresne wrote:
>> Okay, I need help getting this working, I've wasted too much time on it
>> and can't get it functional.
>>
>> address mappings in /etc/hosts ;
>>
>> # IP Block: public-IP.16/28
>> # usable IPs are public-IP.18 - public-IP.30
>> # base subnet public-IP.16
>> # broadcast address public-IP.31
>> # subnet mask 255.255.255.240
>
> and you've added the IP's .18 - .30 as aliases on your external
> interface of your firewall machine with:
>
> for i in `seq 18 30`; do
> ip addr add x.y.z.${i} dev ${EXT_IF}
> done
>
> right?
No, I had not, and that was the bit of majik I was missing; thank you, sir,
for the spell casting!
>
> as an aside, you could reduce the number of rules you have by using
> NETMAP and a bit of auto-summarization:
>
> x.y.z.18/31
> x.y.z.20/30
> x.y.z.24/30
> x.y.z.28/31
> x.y.z.30/32
>
> iptables -t nat -A PREROUTING -d x.y.z.18/31 \
> -j NETMAP --to 192.168.80.18/31
> iptables -t nat -A POSTROUTING -s 192.168.80.18/31 \
> -j NETMAP --to x.y.z.18/31
>
I'd thought about doing that, to reduce finger fatigue and rules, but was
not sure it was apropos to the situation, since the router and the external
interface are not matched up on the inside directly. The router, which has
an x.y.z.17 address, does not appear on the inside, and the external
interface does not either, so to play it safe I went rule happy.
One quick question, if I might ask now that this is functioning;
I had a nice working set of rules prior to this change over, some of which
I've been using as input to the firewall directly. Can I pretty much just
pop in the whole ruleset now with these additions and pretty much expect
it to work as it was? Or will I have to specifically make changes for
systems that once were inside addresses and now are private inside
addresses? Such as;
$ipt -t filter -A INPUT -p TCP -i $inside -m state --state NEW -s $quasar \
-j LOG $LOGOPT --log-prefix "quasar internal syn to fw : "
$ipt -t filter -A INPUT -p TCP -i $inside -m state --state NEW,ESTABLISHED,RELATED -s $quasar --dport 113 \
-j ACCEPT
$ipt -t filter -A INPUT -p TCP -i $inside -m state --state NEW -s $quasar \
-j DROP
$quasar being the public address, or does it now change such that I make
rules specifying the internal address in the rule;
$ipt -t filter -A INPUT -p TCP -i $inside -m state --state NEW -s $quasarnet \
-j LOG $LOGOPT --log-prefix "quasar internal syn to fw : "
$ipt -t filter -A INPUT -p TCP -i $inside -m state --state NEW,ESTABLISHED,RELATED -s $quasarnet --dport 113 \
-j ACCEPT
$ipt -t filter -A INPUT -p TCP -i $inside -m state --state NEW -s $quasarnet \
-j DROP
But I am, as many others, deeply indebted, sir, to your majik!
Thanks,
Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover
instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>
* Opencuseeme
From: codewarrior @ 2005-06-05 2:54 UTC (permalink / raw)
To: netfilter
hello experts all, sorry for my off-topic post.
Due to the massive influence from tycoon firms,
Apple for example, during the misuse of VideoLAN hacks,
and the ongoing software patents discussion in Europe,
and the pressure from the MPAA on BitTorrent users,
I think there is a strong need for "Opencuseeme",
a free peer2peer multiconferencing tool.
so you might have a look
and join
best regards
www.cuseeme.de
********************************************************
opencuseeme - peer2peer multiparty conferencing