LinuxQuestions.org
Old 12-27-2007, 09:18 PM   #1
astbis
LQ Newbie
 
Registered: Dec 2007
Posts: 11

iptables forward - multiple external to multiple internal


[NOT SOLVED]

Hi

This post is a follow-up on http://www.linuxquestions.org/questi...etwork-608234/, but since the question can stand on its own, here is a new thread.

I'm trying to route multiple external IPs, configured on a host server, to multiple internal IPs.

Example:
IP 74.74.74.145 to 192.168.2.2
IP 74.74.74.146 to 192.168.2.3
Internal gateway/hostip 192.168.2.1


My problem is that both ext. IPs are pointing to the first internal IP (192.168.2.2). I've found different ways to route between networks, but as far as I can tell they are all based on different interfaces. You can see below in my ifconfig that both external IPs are configured as aliases of the host IP.

I'm stuck now. Any ideas?

astbis



Here is my attempt:
Code:
$IPTABLES --table nat --append POSTROUTING -o eth0 -j MASQUERADE
$IPTABLES -A FORWARD --in-interface vmnet1 -j ACCEPT
$IPTABLES -A INPUT -i vmnet1 -s 192.168.2.0/24 -d $LOCALIP -j ACCEPT

$IPTABLES -t nat -A PREROUTING -d 74.74.74.145 -j DNAT --to-destination 192.168.2.2
$IPTABLES -t nat -A PREROUTING -d 74.74.74.146 -j DNAT --to-destination 192.168.2.3

Ifconfig:
Code:
eth0      Link encap:Ethernet  HWaddr 00:1D:92:39:34:84
          inet addr:{HOSTIP}  Bcast:{HOSTBROADCAST}  Mask:255.255.255.224
          inet6 addr: fe80::21d:92ff:fe39:3484/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:57885 errors:0 dropped:0 overruns:0 frame:0
          TX packets:83088 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6057111 (5.7 Mb)  TX bytes:43827316 (41.7 Mb)
          Interrupt:20 Base address:0x6000

eth0:Emai Link encap:Ethernet  HWaddr 00:1D:92:39:34:84
          inet addr:47.47.47.145  Bcast:47.47.47.151  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:20 Base address:0x6000

eth0:Webs Link encap:Ethernet  HWaddr 00:1D:92:39:34:84
          inet addr:47.47.47.146  Bcast:47.47.47.151  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:20 Base address:0x6000

vmnet1    Link encap:Ethernet  HWaddr 00:50:56:C0:00:01
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:fec0:1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:447 errors:0 dropped:0 overruns:0 frame:0
          TX packets:591 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

Last edited by astbis; 01-24-2008 at 07:01 PM. Reason: not solved
 
Old 12-28-2007, 06:31 PM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Here's an example of how you could do it:
Code:
$IPTABLES -P FORWARD DROP

$IPTABLES -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -d 192.168.2.2 -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -s 192.168.2.2 -j ACCEPT
$IPTABLES -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -d 192.168.2.3 -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -s 192.168.2.3 -j ACCEPT

$IPTABLES -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -d 192.168.2.0/24 \
-m state --state RELATED,ESTABLISHED -j ACCEPT

$IPTABLES -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -s 192.168.2.0/24 \
-m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

$IPTABLES -t nat -A PREROUTING -i $WAN_IFACE -d 74.74.74.145 -j DNAT --to-destination 192.168.2.2
$IPTABLES -t nat -A PREROUTING -i $WAN_IFACE -d 74.74.74.146 -j DNAT --to-destination 192.168.2.3

$IPTABLES -t nat -A POSTROUTING -o $WAN_IFACE -s 192.168.2.2 -j SNAT --to-source 74.74.74.145
$IPTABLES -t nat -A POSTROUTING -o $WAN_IFACE -s 192.168.2.3 -j SNAT --to-source 74.74.74.146
$IPTABLES -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
Notice how the MASQUERADE rule is at the *bottom* of the POSTROUTING chain. That way the alias IPs will match their proper SNAT rule before having a chance to match that one. Also, remember that $WAN_IFACE always needs to be the name of the real WAN interface - not an alias name (iptables only cares about real interfaces).

EDIT: These rules will only work on a gateway/firewall setup in which you have a LAN and WAN interface. I just took a look at your previous post and it seems you're doing some virtual host stuff which I have no idea about. So if this isn't an old school gateway/firewall just ignore this - although it might still help you indirectly.

Last edited by win32sux; 12-28-2007 at 11:24 PM.
 
Old 12-29-2007, 08:46 AM   #3
astbis
LQ Newbie
 
Registered: Dec 2007
Posts: 11

Original Poster
Thanks it works like a charm.
 
Old 01-24-2008, 05:27 PM   #4
astbis
LQ Newbie
 
Registered: Dec 2007
Posts: 11

Original Poster
It seems that there are difficulties after all.

All traffic coming from external sources to the internal/virtual machine works fine, and so does the opposite way, internal/virtual to external machine.


The setup:
Two internal machines.
192.168.2.2 / 74.74.74.145
192.168.2.3 / 74.74.74.146

I will try to explain the problem.

If I am on 74.74.74.145 and try to nmap the services on 74.74.74.146, I get the result of the host machine. So neither 74.74.74.145 nor 74.74.74.146 answers. Ping works fine.

How can I get one internal/virtual machine to access the other internal one without using the internal addresses?
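The packet path discussed in this thread, traced in a small Python model (an example added here, not code from the thread or from either poster). It expresses win32sux's rules from post #2 as first-match-wins lists, shows why the MASQUERADE rule has to sit below the SNAT rules, and walks the case from post #4, where 192.168.2.2 sends to 74.74.74.146: that packet arrives on vmnet1, so a DNAT rule restricted to `-i $WAN_IFACE` does not fire, and because 74.74.74.146 is an alias configured on the host itself, the routing decision delivers the packet to the host's own services. The hairpin rules at the end (DNAT also for packets arriving on the LAN interface, LAN-to-LAN forwarding, and SNAT to 192.168.2.1 for LAN-to-LAN translated traffic) are this example's assumption of one way to handle that case, not something the thread proposes; the interface names, the placeholder `HOSTIP` (standing in for the `{HOSTIP}` in the ifconfig output) and the sample remote address 203.0.113.9 are constructed.

```python
"""Toy model of the netfilter NAT path discussed in the thread (constructed example).

Models only what the thread turns on: PREROUTING DNAT, the routing decision
(host-local destination => INPUT, otherwise forward), a FORWARD filter with
policy DROP, and POSTROUTING SNAT/MASQUERADE, all with iptables' first-match-wins
semantics. Ports and connection tracking are ignored, so this describes the
first packet of a flow only.
"""
from dataclasses import dataclass, replace

WAN, LAN = "eth0", "vmnet1"                 # real interfaces; eth0:Emai etc. are aliases, not interfaces
HOST_PRIMARY = {WAN: "HOSTIP", LAN: "192.168.2.1"}      # HOSTIP: placeholder for the post's {HOSTIP}
HOST_LOCAL = {"HOSTIP", "74.74.74.145", "74.74.74.146", "192.168.2.1"}  # every address the host owns
LAN_PREFIX = "192.168.2."


@dataclass(frozen=True)
class Packet:
    in_if: str
    src: str
    dst: str


def matches(crit, pkt, out_if=None):
    """All listed criteria must hold; a value ending in '.' acts like a /24 prefix match."""
    view = {"in": pkt.in_if, "out": out_if, "src": pkt.src, "dst": pkt.dst}
    return all(
        view[k] == v or (v.endswith(".") and view[k] is not None and view[k].startswith(v))
        for k, v in crit.items()
    )


def nat_chain(rules, pkt, field, out_if=None):
    """Rewrite `field` of pkt according to the FIRST matching rule, like a nat chain."""
    for crit, new_addr in rules:
        if matches(crit, pkt, out_if):
            if new_addr == "MASQUERADE":             # MASQUERADE = SNAT to the out interface's primary IP
                new_addr = HOST_PRIMARY[out_if]
            return replace(pkt, **{field: new_addr})
    return pkt


def trace(pkt, prerouting, forward_pairs, postrouting):
    """Walk one packet through the modelled path; returns (verdict, packet as sent on)."""
    pkt = nat_chain(prerouting, pkt, "dst")              # nat PREROUTING: DNAT happens before routing
    if pkt.dst in HOST_LOCAL:                            # routing decision: local address => INPUT
        return "INPUT", pkt
    out_if = LAN if pkt.dst.startswith(LAN_PREFIX) else WAN
    if (pkt.in_if, out_if) not in forward_pairs:         # filter FORWARD, policy DROP
        return "DROP", pkt
    pkt = nat_chain(postrouting, pkt, "src", out_if)     # nat POSTROUTING: SNAT / MASQUERADE
    return f"FORWARD->{out_if}", pkt


# win32sux's rule set from post #2, as (criteria, target) pairs.
PRE_WAN = [({"in": WAN, "dst": "74.74.74.145"}, "192.168.2.2"),
           ({"in": WAN, "dst": "74.74.74.146"}, "192.168.2.3")]
FWD = {(WAN, LAN), (LAN, WAN)}                           # simplified: interface pairs only, no state match
POST_SNAT = [({"out": WAN, "src": "192.168.2.2"}, "74.74.74.145"),
             ({"out": WAN, "src": "192.168.2.3"}, "74.74.74.146")]
POST_MASQ = [({"out": WAN}, "MASQUERADE")]

# Hairpin additions: an ASSUMPTION of this example, not rules from the thread.
# Equivalent iptables form (hypothetical):
#   iptables -t nat -A PREROUTING -i vmnet1 -d 74.74.74.146 -j DNAT --to-destination 192.168.2.3
#   iptables -A FORWARD -i vmnet1 -o vmnet1 -s 192.168.2.0/24 -d 192.168.2.0/24 -j ACCEPT
#   iptables -t nat -A POSTROUTING -o vmnet1 -s 192.168.2.0/24 -d 192.168.2.0/24 -j SNAT --to-source 192.168.2.1
PRE_HAIRPIN = [({"in": LAN, "dst": "74.74.74.145"}, "192.168.2.2"),
               ({"in": LAN, "dst": "74.74.74.146"}, "192.168.2.3")]
FWD_HAIRPIN = FWD | {(LAN, LAN)}
POST_HAIRPIN = [({"out": LAN, "src": LAN_PREFIX, "dst": LAN_PREFIX}, "192.168.2.1")]


def scenarios():
    """Trace the cases the thread talks about; 203.0.113.9 is a constructed remote host."""
    internet_in = Packet(WAN, "203.0.113.9", "74.74.74.146")
    lan_out = Packet(LAN, "192.168.2.3", "203.0.113.9")
    lan_to_alias = Packet(LAN, "192.168.2.2", "74.74.74.146")   # the post #4 case
    return {
        "inbound_dnat": trace(internet_in, PRE_WAN, FWD, POST_SNAT + POST_MASQ),
        "outbound_snat_ok": trace(lan_out, PRE_WAN, FWD, POST_SNAT + POST_MASQ),
        "outbound_masq_first": trace(lan_out, PRE_WAN, FWD, POST_MASQ + POST_SNAT),  # wrong order
        "hairpin_without_fix": trace(lan_to_alias, PRE_WAN, FWD, POST_SNAT + POST_MASQ),
        "hairpin_with_fix": trace(lan_to_alias, PRE_WAN + PRE_HAIRPIN, FWD_HAIRPIN,
                                  POST_HAIRPIN + POST_SNAT + POST_MASQ),
    }


if __name__ == "__main__":
    for name, (verdict, pkt) in scenarios().items():
        print(f"{name:22s} {verdict:16s} {pkt.src} -> {pkt.dst}")
```

Running it shows the three points side by side: with MASQUERADE listed first, 192.168.2.3 leaves as `HOSTIP` instead of 74.74.74.146, which is exactly the ordering win32sux warns about; without the extra rules the LAN-origin packet to 74.74.74.146 ends in INPUT, so a scan from 192.168.2.2 sees the host's own services; with the hairpin rules it is forwarded to 192.168.2.3 with the gateway as source, so the reply returns through the host, where connection tracking can reverse both translations.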
 