LinuxQuestions.org
Old 04-28-2010, 12:52 PM   #1
IanVaughan
Member
 
Registered: Jun 2009
Location: Brighton, UK
Posts: 49

Rep: Reputation: 16
iptables (NAT/PAT) setup for SSH & Samba


I need to access a Linux box via SSH & Samba that is hidden/connected behind another one on its own local network.
Setup :-
Code:
 A         switch   B         C
|----|    |---|    |----|    |----|
|eth0|<-->|   |<-->|eth0|    |    |
|----|    |---|    |eth1|<-->|eth1|
                   |----|    |----|
E.g., I need to SSH/Samba from A to C.
How does one go about this?

I was thinking that it cannot be done via IP alone? Or can it?
Could B say "hi on eth0, if you're looking for 192.168.0.2, it's here on eth1"?
Is this NAT?
This is a large private network, so what about if another PC has that IP?!

More likely it would be PAT?
A would say "hi 192.168.109.15:1234"
B would say "hi on eth0, traffic for port 1234 goes on here eth1"
How could that be done?

And would the SSH/Samba daemons see the correct packet header info and work?

IP info :-
Code:
A - eth0 - 192.168.109.2
B - eth0 - 192.168.109.15
  - eth1 - 192.168.0.1
C - eth1 - 192.168.0.2
A, B & C are RHEL (RedHat)
But Windows computers can be connected to the switch.
I configured the 192.168.0.* IPs, they are changeable.

Any help?

So I have read that this should be done via iptables?
But what is the correct command line to do this?
And where does one put permanent iptable config?

Last edited by IanVaughan; 04-29-2010 at 06:49 AM. Reason: Realised that this is iptables
 
Old 04-29-2010, 06:49 AM   #2
SuperJediWombat!
Member
 
Registered: Apr 2009
Location: Perth, Australia
Distribution: Ubuntu/CentOS
Posts: 208

Rep: Reputation: 50
Wow, you actually gave us enough information.

You need to:
  1. set up B to be a router
  2. set up a static route on A that says 'the gateway for 192.168.0.0/24 is 192.168.109.15'
  3. set up a static route on B that says 'the gateway for 192.168.109.0/24 is 192.168.0.1'

To setup B as a router, run this:
Code:
echo "1" > /proc/sys/net/ipv4/ip_forward
Look up
Code:
ip route
for the other two.

Last edited by SuperJediWombat!; 04-29-2010 at 07:40 AM.
 
Old 04-29-2010, 10:35 AM   #3
OdinnBurkni
Member
 
Registered: Feb 2007
Location: Iceland
Distribution: Fedora 14, CentOS, FreeNAS
Posts: 126

Rep: Reputation: 20
NAT-ing

Hi.
I use an iptables script I got from a friend and modified, and I've used it on many firewalls/gateways. It's designed for a firewall/gateway setup, so if you're not using it like that then it needs some modification. This should be running on PC B.

Here is something that might help.
Code:
#!/bin/bash
# Written by Odinn Burkni
# Iceland
####################
# Here we create names and connect them to interfaces and subnets,
# then we don't have to change IPs here and there, just all in one place.
# Because of that we can use this as a template, only one place to change.
#
# Mapping for the topology in post #1 (B is the gateway):
#   WAN="eth0"  WANIP1="192.168.109.15"  PCa="192.168.109.2"  (A)
#   LAN1="eth1" LAN_SUB1="192.168.0.0/24" PCc="192.168.0.2"   (C)

WAN="eth0"              # outside interface, referenced by the rules below
LAN1="eth1"
#LAN2="eth2"
#LAN3="eth3"
LAN_SUB1="192.168.1.0/24"
#LAN_SUB2="192.168.2.0/24"
PCa="192.168.1.5"
#PCb="192.168.1.200"
PCc="192.168.2.23"      # DNAT target; must lie in a subnet the FORWARDS chain accepts
#LAN_SUB3="192.168.3.0/24"
WANIP1="192.168.1.200"
#WANIP2=

####################
# What is left:
# * Reject everything, not just tcp connections
# *

# Module names of the 2.6.18-era kernels; newer kernels call them nf_conntrack
# and load them on demand.
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ip_nat_irc

iptables -Z             # Reset counters

iptables -t filter -F   # clear filter table
iptables -t filter -X

iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD DROP

iptables -t nat -F      # clear nat table
iptables -t nat -X

iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

####################
# Packet spoofing protection: RFC 1918 sources must not arrive on the WAN side.
# NOTE: when the WAN side is itself a private network (post #1: A is
# 192.168.109.2) this chain rejects exactly the traffic you want to forward;
# remove the matching line or do not send $WAN through EVILNETS.
iptables -t filter -N EVILNETS
iptables -t filter -A EVILNETS -s 192.168.0.0/16    -j REJECT
iptables -t filter -A EVILNETS -s 10.0.0.0/8        -j REJECT
iptables -t filter -A EVILNETS -s 172.16.0.0/12     -j REJECT   # RFC 1918 block is /12, not /20

# Kill "standard-evil" stuff
iptables -t filter -N STDEVILSTUFF
iptables -t filter -A STDEVILSTUFF -p igmp                      -j REJECT
iptables -t filter -A STDEVILSTUFF -p icmp --icmp-type 13       -j DROP     # ICMP timestamp request

# Speed bumps
iptables -t filter -N SPEEDBUMPS

####################
# Apply the evilnetstuff and standard evil stuff to our interfaces
iptables -t filter -N OUT_INTERFACES
iptables -t filter -A OUT_INTERFACES -i $WAN                    -j EVILNETS     # Spoofing protection
iptables -t filter -A OUT_INTERFACES -i $WAN                    -j STDEVILSTUFF # Kill evil crap

####################
# Not all MAC addresses are allowed to travel through eth2
# This will allow us to limit traffic to specific MAC addresses
# The format needs to be xx:xx:xx:xx:xx:xx for this to work.
# Then you have to uncomment the lines

#iptables -t filter -N MAC_FILTER

#iptables -t filter -A MAC_FILTER -i $LAN2 --match mac --mac-source 00:00:00:00:00:00 -j ACCEPT

# OK HiJacker!  HiJack This!
#iptables -t filter -A MAC_FILTER -i $LAN2                       -j DROP


####################
# Forwards
# Here we say which traffic is allowed between interfaces
iptables -t filter -N FORWARDS

# LAN1
iptables -t filter -A FORWARDS -s $LAN_SUB1 -i $LAN1 -o $WAN    -j ACCEPT
iptables -t filter -A FORWARDS -d $LAN_SUB1 -i $WAN -o $LAN1    -j ACCEPT
iptables -t filter -A OUTPUT -s $LAN_SUB1 -o $WAN               -j ACCEPT


####################
# Portforward
# Example: PCa connects to the gateway's WAN address on port 2222 and is
# redirected to port 22 on PCc (the client's source port is ephemeral, so the
# match is on the destination port).  Adapt the addresses/ports to your setup.

iptables -t nat -N DNATS

iptables -t nat -A DNATS -s $PCa -d $WANIP1 -p tcp -m tcp --dport 2222 -j DNAT --to-destination $PCc:22

####################
# Protection for local machine applied.
iptables -t filter -A INPUT -i lo                       -j ACCEPT
iptables -t filter -A INPUT                             -j OUT_INTERFACES # Kill evil packets
iptables -t filter -A INPUT -p tcp --dport 22           -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 21           -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 21           -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 80           -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 8080         -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443          -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 161          -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 3389         -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 3389         -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 3390         -j ACCEPT
#iptables -t filter -A INPUT -p tcp --dport 1723        -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 1149         -j ACCEPT
#iptables -t filter -A INPUT -p udp --dport 500         -j ACCEPT
#iptables -t filter -A INPUT -p udp --dport 3390        -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 9000         -j ACCEPT   # radius-db :)
iptables -t filter -A INPUT -p tcp --syn                -j REJECT   # Reject incoming connections

####################
# DNAT, MASQ and FORWARDS
# Tables put to work
iptables -t filter -A FORWARD                           -j SPEEDBUMPS
#iptables -t filter -A FORWARD                          -j MAC_FILTER
iptables -t filter -A FORWARD                           -j FORWARDS

iptables -t nat -A PREROUTING                           -j DNATS    # portforwards

iptables -t nat -A POSTROUTING -o lo                    -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -s $LAN_SUB1 -j SNAT --to $WANIP1
iptables -t nat -A POSTROUTING -o $WAN                  -j ACCEPT

####################
Regards,
Odinn Burkni

P.s. Yes, I forgot, you have to make changes to /etc/sysctl.conf
This line should be like this:
Code:
net.ipv4.ip_forward = 1

Last edited by OdinnBurkni; 04-29-2010 at 10:41 AM.
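An added example, not part of OdinnBurkni's script or the thread: the port-forward (PAT) approach the opening post asks about, reduced to exactly the rules B needs for the topology in post #1. Addresses and interface names are the ones given there; the choice of port 2222 on B for SSH, the SMB ports (445 and 139), the `DRY_RUN` wrapper and the `SNAT` switch are assumptions of this example. By default it prints the commands; run it as root with `DRY_RUN=0` to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): minimal DNAT port-forward on B for the
# topology in post #1.  Addresses/interfaces are the OP's; port 2222 on B for
# SSH is an assumption (any free port on B's eth0 side works).
WAN=eth0                 # B's interface toward A's network
LAN=eth1                 # B's interface toward C
B_WAN_IP=192.168.109.15  # B eth0, the address A connects to
B_LAN_IP=192.168.0.1     # B eth1
C_IP=192.168.0.2         # the hidden host
A_IP=192.168.109.2       # only A may use the forward (least privilege)

# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them as root.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Port map "port-on-B:port-on-C".  SMB/CIFS is TCP 445, NetBIOS session 139.
# NetBIOS name resolution (UDP 137/138 broadcast) does not cross a router,
# so Windows clients must address C as \\192.168.109.15, not by name.
FORWARDS="2222:22 445:445 139:139"

dnat_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -P FORWARD DROP
    # Replies to forwarded connections are tracked by conntrack; de-NAT is automatic.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for map in $FORWARDS; do
        bport=${map%%:*}; cport=${map##*:}
        # 1. Rewrite the destination when A hits B:$bport on eth0 (PREROUTING, nat).
        run iptables -t nat -A PREROUTING -i "$WAN" -s "$A_IP" -d "$B_WAN_IP" \
            -p tcp --dport "$bport" -j DNAT --to-destination "$C_IP:$cport"
        # 2. The filter table sees the packet *after* DNAT, so match C's port, not B's.
        run iptables -A FORWARD -i "$WAN" -o "$LAN" -s "$A_IP" -d "$C_IP" \
            -p tcp --dport "$cport" -m state --state NEW -j ACCEPT
    done
}

# Return path.  C replies to A's real address.  If C's default gateway is B
# (192.168.0.1) nothing more is needed and sshd/smbd on C log A's true IP.
# If C's default route points elsewhere, also source-NAT the forwarded
# connections so C replies to B; C then sees 192.168.0.1 as the peer and the
# real client address is lost to its logs and hosts.allow checks.
snat_rule() {
    run iptables -t nat -A POSTROUTING -o "$LAN" ! -s 192.168.0.0/24 -d "$C_IP" \
        -p tcp -m multiport --dports 22,445,139 -j SNAT --to-source "$B_LAN_IP"
}

dnat_rules
if [ "${SNAT:-0}" = 1 ]; then snat_rule; fi
```

On RHEL the applied rules are made permanent with `service iptables save`, which writes `/etc/sysconfig/iptables`; the forwarding sysctl goes in `/etc/sysctl.conf` as post #3 says. With the DNAT-only variant, the answer to the header question in post #1 is that sshd and smbd on C see A's real source address, because only the destination is rewritten.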
 
Old 04-29-2010, 12:52 PM   #4
SuperJediWombat!
Member
 
Registered: Apr 2009
Location: Perth, Australia
Distribution: Ubuntu/CentOS
Posts: 208

Rep: Reputation: 50
1. To setup B as a router, run this:
Code:
echo "1" > /proc/sys/net/ipv4/ip_forward
2. To set up a static route on A
Code:
ip route add 192.168.0.0/24 via 192.168.109.15
3. To set up a static route on C
Code:
ip route add 192.168.109.0/24 via 192.168.0.1
4. If you have issues with that, post the output of any of those commands. Also post the output of 'iptables-save' from B and 'route -n' from all three computers.
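An added example, not part of SuperJediWombat!'s reply: the three steps above turned into a repeatable setup for the RHEL hosts in post #1, including where the permanent configuration lives (the last question in post #1) and a FORWARD filter so B routes only A's SSH/SMB traffic to C rather than the whole 192.168.109.0/24. Addresses are the thread's; the staging directory, the port list, the `/27` prefix of A's eth0 (taken from the `ip route` output in post #5) and the `route-ethN` file format (the `ip route add` argument style RHEL's ifup scripts accept) are assumptions of this example. Files are written to a staging tree to be copied onto each host, and `same_subnet` reproduces the check behind the "Network is unreachable" error further down the thread: a gateway must be on-link for the interface the route names.

```shell
#!/bin/sh
# Added example (not from the thread): routing setup for A, B, C from post #1,
# made persistent for RHEL.  Staging directory and port list are assumptions.
A_IP=192.168.109.2
B_WAN_IP=192.168.109.15   # B eth0
B_LAN_IP=192.168.0.1      # B eth1
C_IP=192.168.0.2          # C eth1
LAN_NET=192.168.0.0/24
WAN_NET=192.168.109.0/24
STAGE=${STAGE:-./routing-staging}   # files land here; copy them to each host

# Step 1-3 for the running system (post #4), one line per host.
live_commands() {
    echo "B: sysctl -w net.ipv4.ip_forward=1"
    echo "A: ip route add $LAN_NET via $B_WAN_IP dev eth0"
    echo "C: ip route add $WAN_NET via $B_LAN_IP dev eth1"
}

write_file() { mkdir -p "$(dirname "$1")"; cat > "$1"; }

# A and C: RHEL reads /etc/sysconfig/network-scripts/route-<if> at ifup; each
# line is an 'ip route add' argument list, so this survives a reboot.
stage_static_routes() {
    printf '%s via %s dev eth0\n' "$LAN_NET" "$B_WAN_IP" \
        | write_file "$STAGE/A/etc/sysconfig/network-scripts/route-eth0"
    printf '%s via %s dev eth1\n' "$WAN_NET" "$B_LAN_IP" \
        | write_file "$STAGE/C/etc/sysconfig/network-scripts/route-eth1"
}

# B: forwarding via sysctl.conf; filter rules in /etc/sysconfig/iptables (the
# file 'service iptables save' writes, iptables-save format) so that
# 'service iptables restart' loads them.  FORWARD defaults to DROP: a router
# that forwards everything turns the "hidden" host C into a reachable one.
stage_router() {
    write_file "$STAGE/B/etc/sysctl.conf" <<EOF
net.ipv4.ip_forward = 1
EOF
    write_file "$STAGE/B/etc/sysconfig/iptables" <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# only A may open SSH/SMB to C; replies come back through conntrack state
-A FORWARD -i eth0 -o eth1 -s $A_IP -d $C_IP -p tcp -m multiport --dports 22,139,445 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j LOG --log-prefix "FWD-DROP: "
COMMIT
EOF
}

stage_all() { stage_static_routes; stage_router; }

# Dotted quad -> 32-bit integer (POSIX shell arithmetic).
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet <host-ip> <gateway> <prefixlen>: true when the gateway is on-link.
# 'ip route add ... via X' fails with "Network is unreachable" otherwise.
same_subnet() {
    m=$(( (0xffffffff << (32 - $3)) & 0xffffffff ))
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

stage_all
live_commands
```

Because C's reply traffic to A goes back through B, no NAT is involved and sshd/smbd on C see 192.168.109.2 as the client. If B's `rp_filter` is on (the RHEL default) the routes must be symmetric as they are here; a second path for the return traffic would be dropped silently.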
 
Old 04-29-2010, 01:21 PM   #5
IanVaughan
Member
 
Registered: Jun 2009
Location: Brighton, UK
Posts: 49

Original Poster
Rep: Reputation: 16
Thanks, I forgot this :-
Quote:
Originally Posted by SuperJediWombat
Code:
echo "1" > /proc/sys/net/ipv4/ip_forward
But I have not had much luck with this :-
Quote:
Originally Posted by SuperJediWombat
  1. set up a static route on A that says 'the gateway for 192.168.0.0/24 is 192.168.109.15'
  2. set up a static route on B that says 'the gateway for 192.168.109.0/24 is 192.168.0.1'
Step 1 : Add route on A to point to B
Code:
$ route add -net 192.168.0.0 netmask 255.255.255.0 gw 192.168.109.15
$ route
192.168.109.0   *               255.255.255.224 U     0      0        0 eth0
192.168.0.0     192.168.109.15  255.255.255.0   UG    0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
default         192.168.109.1   0.0.0.0         UG    0      0        0 eth0

$ route del -net 192.168.0.0 netmask 255.255.255.0 gw 192.168.109.15

$ route add -net 192.168.0.0 netmask 255.255.255.0 gw 172.24.40.130
SIOCADDRT: Network is unreachable
Just saw your update :-
The ip command works for this IP, but cannot test right now as the host is down!
Code:
$ ip route add 192.168.0.0/24 via 192.168.109.15
$ ip route
192.168.109.0/27 dev eth0  proto kernel  scope link  src 192.168.109.2
192.168.0.0/24 via 192.168.109.15 dev eth0
169.254.0.0/16 dev eth0  scope link
default via 192.168.109.1 dev eth0
So I am using my backup host 172.24.40.130, and get errors :-
Code:
$ ip route add 192.168.0.0/24 via 172.24.40.130
RTNETLINK answers: Network is unreachable


Now the IP of B has changed, lets call this B2. (B=>B1)
I just want to tell A to go to B2 (172.24.40.130) if the IP is 192.168.0.0/24 (i.e. 192.168.0.2)



@OdinnBurkni Nice script, I'll have a close look at that.

Interesting, this one is not set and I didn't know about it :-
Quote:
Originally Posted by OdinnBurkni View Post
Code:
net.ipv4.ip_forward = 1


I have added a question on Server Fault as well.
Of which there are some interesting replies!

(I will consolidate any resolutions on both threads)

Last edited by IanVaughan; 04-29-2010 at 01:24 PM.
 
Old 04-29-2010, 08:16 PM   #6
SuperJediWombat!
Member
 
Registered: Apr 2009
Location: Perth, Australia
Distribution: Ubuntu/CentOS
Posts: 208

Rep: Reputation: 50
Code:
ip route add 192.168.0.0/24 via 172.24.40.130
RTNETLINK answers: Network is unreachable
You are trying to add a gateway that is in an unreachable IP range for your host. If the computer you are running the command on cannot contact 172.24.40.130, then you cannot use it as a gateway.
 
Old 04-29-2010, 08:19 PM   #7
SuperJediWombat!
Member
 
Registered: Apr 2009
Location: Perth, Australia
Distribution: Ubuntu/CentOS
Posts: 208

Rep: Reputation: 50
I just looked at the link you posted to ServerFault. You need to change the IP address of A if you want to change the IP of B.

192.168.109.2 (A) cannot talk to 172.24.40.130 (B) without a gateway.

EDIT: Using iptables to masquerade between these two networks is an overly complicated way to solve this problem. I don't think that you will have much success without a lot of additional research.

If you want any further help from me, post the output of the following, from all three computers.
Code:
iptables-save
ifconfig
ip route

Last edited by SuperJediWombat!; 04-29-2010 at 08:26 PM.
 
  

