Linux router - setting up a DMZ or default machine to route to
I've set up routing using iptables, thanks to a script I nicked from this forum. I now want to set my Linux router to send any packets coming from the internet that it doesn't know what to do with to another machine on my network. Can anyone give me the command to do this? Also, if it's possible to port forward an individual port, I'd like to know how to do that too.
Cheers for the help ugge. I want inbound traffic (traffic off the internet) to be forwarded to a Windows machine on my internal network, so I guess it would be kind of a default gateway for incoming traffic. But I want the router to continue to do NAT for the rest of my machines.
I want to do this so that to the outside world it appears that my Windows machine is the one on the internet. I hope this kinda clarifies what I'm trying to do.
I could do that, but it's basically the fact that my Linux box stays on all the time downstairs routing for the rest of my house and I want to use my Windows machine without having to bother doing individual port forwarding for eDonkey and VPN access and a load of other applications.
Basically I want the Linux box to do NAT for my housemates but have any incoming connections unrelated to the NAT forwarded to my Windows machine.
As I understand what you want, if you want all unknown packets not related directly to previous outgoing NAT rules sent to an internal Windows box, you're going to get an AWFUL lot of data sent that won't route. Unless your ISP has given you a block of IPs, the Windows box won't route on its own. If the Linux box has the only available external IP, all other machines on the network must route through it. This means that all the internal machines will have their packets altered to reflect the details of your external interface. Only machines with valid external IPs will route across the web.
Even if the Linux box routed all unknown traffic to the winbox, the packets would be dropped there as they would have undergone NATing and therefore would be considered useless, and the winbox would not see them as related to any sessions originating from it. If you want the winbox to route directly over the internet without NATing, this must be the box connected to the internet.
I understand what you're saying aarggh, but I want incoming packets that are unrelated to existing NAT connections simply forwarded to the winbox. I do not want incoming packets NATted and sent to the winbox. This is what happens on many hardware routers. Incoming connections that the router doesn't know about can be forwarded, not NATted, to an internal IP.
I expect that this may be a little tricky to do, but if anyone knows how, please let me know.
I'm not sure that I completely understand what you want, but if I do, it's a _VERY_ bad idea.
You want any incoming connections that don't match any other rules to be forwarded to your Windows box, right?
That defeats one of the main points of using a Linux router: security. It will still act as a switch, but as soon as a new exploit comes along, your Windows box will immediately get hit by it.
If I were you, I'd just forward all the ports, it's really not that hard. You could use webmin to simplify it, if you want.
In trying to get unknown packets sent to your Winbox you would still have the problem in that ALL outgoing packets are re-written with the external interface of the Linux box.
As I understand it, you don't want to do port forwarding for services running on another box, but you want to actually establish a session on the Winbox, send traffic for that session outbound via the Linux box, and then have the traffic for the Winbox bypass the Linux box and go straight to the Winbox?
This will not work unless you have PUBLIC IPs on the internal boxes and the Linux box purely routes traffic, as all external traffic not related to a valid session for the Linux box will be dropped automatically. Do you have more than one public IP?
Again, if you only have one public IP assigned, all traffic MUST route through the Linux box and will be re-written with the Linux box's external interface IP. With only one external public IP and many internal private IPs there is no way to avoid using NAT.
I understand what you're saying argghh. And I realise that this is a terrible idea, but for the sake of avoiding arguments with some of the people I'm trying to set this system up with, I need to have all unknown packets sent to their machine.
Thanks Pilot1, I think forwarding all ports would have this effect. Is there a simple command to forward all ports such as:
iptables -A PREROUTING -t nat -s <your ip> --sport all -j DNAT --to-destination <ip to forward to>:all
Will the all statement work here?
Also, will the command to forward a port be ignored if the port is open and being NATted for use by another machine?
The first matching rule is acted on, so just place the rules for forwarding packets to other machines before the rule to forward all the packets.
I'm not sure how to do a range of packets, but it's an option in webmin, so I assume there is a command for it.
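The ordering rule Pilot1 describes (specific forwards first, the catch-all last) and the port-range question, as an added shell example that is not code from the thread. It also answers the `--sport all` question: iptables has no `all` keyword for ports; a DNAT rule with no `--dport` match already applies to every port, and a range is written `--dport low:high`. The interface names, addresses and ports below are assumptions, and the outbound MASQUERADE/NAT rule is assumed to come from the existing script. By default the script only prints the iptables command lines for review; set `APPLY=1` (as root) to install them. Note that the catch-all rule exposes the DMZ host to every unsolicited inbound connection, which is exactly the risk Pilot1 points out.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout: eth0 faces the ISP,
# eth1 faces the LAN, 192.168.1.10 is the Windows "DMZ" host and
# 192.168.1.20 is another internal host that should own port 80.
set -eu

EXT_IF=${EXT_IF:-eth0}            # assumption: interface facing the ISP
INT_IF=${INT_IF:-eth1}            # assumption: interface facing the LAN
WINBOX=${WINBOX:-192.168.1.10}    # assumption: internal Windows host
WEBSRV=${WEBSRV:-192.168.1.20}    # assumption: host that should get port 80

# With APPLY=1 the rules are really installed (needs root); otherwise the
# iptables command lines are only printed so they can be reviewed first.
if [ "${APPLY:-0}" = 1 ]; then IPT=iptables; else IPT="echo iptables"; fi

# Forward one TCP/UDP port, or a low:high range such as 4660:4672, to a host.
# Both the nat PREROUTING rewrite and a FORWARD accept are needed.
forward_port() {
    proto=$1; port=$2; dest=$3
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$dest"
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$dest" -p "$proto" \
        --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
}

# Catch-all: any new inbound connection on the external interface that no
# earlier rule claimed goes to the DMZ host. No --dport means "every port".
# It must be appended LAST, because the first matching rule in a chain wins.
forward_everything_else() {
    dest=$1
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -j DNAT --to-destination "$dest"
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$dest" \
        -m conntrack --ctstate NEW -j ACCEPT
}

build_ruleset() {
    # Replies to connections the LAN opened are accepted before anything
    # else, so the existing outbound NAT for the housemates is unaffected.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    forward_port tcp 80 "$WEBSRV"          # specific host first
    forward_port tcp 4660:4672 "$WINBOX"   # a port range (example: eDonkey)
    forward_everything_else "$WINBOX"      # DMZ host last
}

build_ruleset
```

Run it once without `APPLY` and read the printed rules top to bottom: the specific DNAT lines come before the bare DNAT, which is the ordering that makes the "ignored if another machine already owns the port" case work.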