LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 02-13-2004, 02:22 PM   #1
Rooboy
LQ Newbie
 
Registered: Feb 2004
Distribution: slackware
Posts: 14

Rep: Reputation: 0
Linux router - setting up a DMZ or default machine to route to


I've set up routing using iptables, thanks to a script I nicked from this forum. I now want to set my Linux router to send any packets coming from the internet that it doesn't know what to do with to another machine on my network. Can anyone give me the command to do this? Also, if it's possible to port forward an individual port, I'd like to know how to do that too.

Cheers
 
Old 02-14-2004, 04:10 AM   #2
ugge
Senior Member
 
Registered: Dec 2000
Location: Gothenburg, SWEDEN
Distribution: OpenSUSE 10.3
Posts: 1,028

Rep: Reputation: 45
iptables -t nat -A PREROUTING -p tcp -d <your ip> --dport <port to forward> -j DNAT --to-destination <ip to forward to>:<port to forward to>

That should do the trick for port forwarding.
 
Old 02-14-2004, 07:31 AM   #3
Rooboy
LQ Newbie
 
Registered: Feb 2004
Distribution: slackware
Posts: 14

Original Poster
Rep: Reputation: 0
Cheers, that worked great. Can anyone tell me how to route by default to another machine?

Cheers Again
 
Old 02-14-2004, 09:09 AM   #4
ugge
Senior Member
 
Registered: Dec 2000
Location: Gothenburg, SWEDEN
Distribution: OpenSUSE 10.3
Posts: 1,028

Rep: Reputation: 45
Are you referring to the default gateway setting? Inbound or outbound traffic, or both?
 
Old 02-14-2004, 09:55 AM   #5
Rooboy
LQ Newbie
 
Registered: Feb 2004
Distribution: slackware
Posts: 14

Original Poster
Rep: Reputation: 0
Cheers for the help ugge. I want inbound traffic (traffic off the internet) to be forwarded to a Windows machine on my internal network, so I guess it would be kind of a default gateway for incoming traffic. But I want the router to continue to do NAT for the rest of my machines.

I want to do this so that to the outside world it appears that my Windows machine is the one on the internet. I hope this kinda clarifies what I'm trying to do.

Cheers Again
 
Old 02-14-2004, 10:06 AM   #6
ugge
Senior Member
 
Registered: Dec 2000
Location: Gothenburg, SWEDEN
Distribution: OpenSUSE 10.3
Posts: 1,028

Rep: Reputation: 45
I see what you want to do, but I don't see why?
Easiest would be just to connect your windows machine to the internet and then let windows share the internet connection (do the NAT). ???
 
Old 02-14-2004, 10:58 AM   #7
Rooboy
LQ Newbie
 
Registered: Feb 2004
Distribution: slackware
Posts: 14

Original Poster
Rep: Reputation: 0
I could do that, but it's basically the fact that my Linux box stays on all the time downstairs routing for the rest of my house, and I want to use my Windows machine without having to bother doing individual port forwarding for eDonkey and VPN access and a load of other applications.

Basically I want the Linux box to do NAT for my housemates but have any incoming connections unrelated to the NAT forwarded to my Windows machine.

Any ideas?

Cheers
 
Old 02-16-2004, 03:52 PM   #8
aarggh
LQ Newbie
 
Registered: Aug 2003
Distribution: SuSE
Posts: 11

Rep: Reputation: 0
As I understand what you want, if you want all unknown packets not related directly to previous outgoing NAT rules sent to an internal Windows box, you're going to get an AWFUL lot of data sent that won't route. Unless your ISP has given you a block of IPs, the Windows box won't route on its own. If the Linux box has the only available external IP, all other machines on the network must route through it. This means that all the internal machines will have their packets altered to reflect the details of your external interface. Only machines with valid external IPs will route across the web.

Even if the Linux box routed all unknown traffic to the winbox, the packets would be dropped there as they would have undergone NATing and therefore would be considered useless, and the winbox would not see them as related to any sessions originating from it. If you want the winbox to route directly over the internet without NATing, this must be the box connected to the internet.
 
Old 02-16-2004, 04:30 PM   #9
Rooboy
LQ Newbie
 
Registered: Feb 2004
Distribution: slackware
Posts: 14

Original Poster
Rep: Reputation: 0
I understand what you're saying aarggh, but I want incoming packets that are unrelated to existing NAT connections simply forwarded to the winbox. I do not want incoming packets NATted and sent to the winbox. This is what happens on many hardware routers. Incoming connections that the router doesn't know about can be forwarded, not NATted, to an internal IP.

I expect that this may be a little tricky to do, but if anyone knows how, please let me know.

Cheers

Last edited by Rooboy; 02-16-2004 at 04:40 PM.
 
Old 02-16-2004, 05:01 PM   #10
pilot1
Member
 
Registered: Jun 2002
Location: USA
Distribution: Gentoo, Fedora Core
Posts: 408

Rep: Reputation: 30
I'm not sure that I completely understand what you want, but if I do, it's a _VERY_ bad idea.

You want any incoming connections that don't match any other rules to be forwarded to your Windows box, right?
That defeats one of the main points of using a Linux router: security. It will still act as a switch, but as soon as a new exploit comes along, your Windows box will immediately get hit by it.

If I were you, I'd just forward all the ports, it's really not that hard. You could use webmin to simplify it, if you want.
 
Old 02-16-2004, 06:41 PM   #11
aarggh
LQ Newbie
 
Registered: Aug 2003
Distribution: SuSE
Posts: 11

Rep: Reputation: 0
In trying to get unknown packets sent to your Winbox you would still have the problem in that ALL outgoing packets are re-written with the external interface of the Linux box.

As I understand it, you don't want to do port forwarding for services running on another box, but you want to actually establish a session on the Winbox, send traffic for that session outbound via the Linux box, and then have the traffic for the Winbox bypass the Linux box and go straight to the Winbox?

This will not work unless you have PUBLIC IPs on the internal boxes and the Linux box purely routes traffic, as all external traffic not related to a valid session for the Linux box will be dropped automatically. Do you have more than one public IP?

Again, if you only have one public IP assigned, all traffic MUST route through the Linux box and will be re-written with the Linux box's external interface IP. With only one external public IP and many internal private IPs there is no way to avoid using NAT.
 
Old 02-18-2004, 06:30 AM   #12
Rooboy
LQ Newbie
 
Registered: Feb 2004
Distribution: slackware
Posts: 14

Original Poster
Rep: Reputation: 0
I understand what you're saying aarggh. And I realise that this is a terrible idea, but for the sake of avoiding arguments with some of the people I'm trying to set this system up with, I need to have all unknown packets sent to their machine.

Thanks Pilot1, I think forwarding all ports would have this effect. Is there a simple command to forward all ports, such as:
iptables -A PREROUTING -t nat -s <your ip> --sport all -j DNAT --to-destination <ip to forward to>:all

Will the "all" statement work here?

Also, will the command to forward a port be ignored if the port is open and being NATted for use by another machine?
 
Old 02-18-2004, 03:44 PM   #13
pilot1
Member
 
Registered: Jun 2002
Location: USA
Distribution: Gentoo, Fedora Core
Posts: 408

Rep: Reputation: 30
The first matching rule is acted on, so just place the rules for forwarding packets to other machines before the rule to forward all the packets.
I'm not sure how to do a range of packets, but it's an option in webmin, so I assume there is a command for it.
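As an added example (not code from anyone in this thread), here is a small script that emits an ordered iptables-restore ruleset for the setup being discussed: masquerade the LAN, put the specific port forwards first, and send whatever else arrives on the WAN address to one internal host, with a FORWARD filter that only admits the forwarded destinations and logs what the catch-all exposes. Interface names, addresses and the proto:port:host forward list are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits an iptables-restore ruleset
# for the setup discussed above: masquerade the LAN, forward specific ports
# to specific hosts, and send anything else arriving on the WAN address to
# one internal "DMZ" host. Interface names and addresses are placeholders.
# Usage: dmz_ruleset WAN_IF LAN_IF WAN_IP LAN_NET DMZ_IP [proto:port:host ...]
dmz_ruleset() {
    wan_if=$1; lan_if=$2; wan_ip=$3; lan_net=$4; dmz_ip=$5
    shift 5                                  # remaining args: specific forwards

    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    # Outbound NAT for every LAN host (the housemates' machines).
    printf '%s\n' "-A POSTROUTING -o $wan_if -s $lan_net -j MASQUERADE"
    # Specific forwards first: the first matching PREROUTING rule wins.
    for fwd in "$@"; do
        proto=${fwd%%:*}; rest=${fwd#*:}; port=${rest%%:*}; host=${rest#*:}
        printf '%s\n' "-A PREROUTING -i $wan_if -p $proto -d $wan_ip --dport $port -j DNAT --to-destination $host:$port"
    done
    # Catch-all last. The nat table is consulted only for the first packet of
    # a NEW connection; replies to existing masqueraded sessions are matched
    # by conntrack before this rule is reached and are never redirected.
    printf '%s\n' "-A PREROUTING -i $wan_if -d $wan_ip -j DNAT --to-destination $dmz_ip"
    printf '%s\n' 'COMMIT'

    printf '%s\n' '*filter' ':FORWARD DROP [0:0]'
    printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "-A FORWARD -i $lan_if -o $wan_if -j ACCEPT"
    # Admit only the destinations the nat rules above rewrite to.
    for fwd in "$@"; do
        proto=${fwd%%:*}; rest=${fwd#*:}; port=${rest%%:*}; host=${rest#*:}
        printf '%s\n' "-A FORWARD -i $wan_if -o $lan_if -p $proto -d $host --dport $port -j ACCEPT"
    done
    # Everything the catch-all redirects is logged before it is allowed, so
    # what the exposed host receives is visible in the kernel log.
    printf '%s\n' "-A FORWARD -i $wan_if -o $lan_if -d $dmz_ip -j LOG --log-prefix \"dmz-host: \""
    printf '%s\n' "-A FORWARD -i $wan_if -o $lan_if -d $dmz_ip -j ACCEPT"
    printf '%s\n' 'COMMIT'
}
```

Load the output with `dmz_ruleset eth0 eth1 203.0.113.5 192.168.1.0/24 192.168.1.10 tcp:22:192.168.1.20 | iptables-restore`; note that the catch-all also redirects connections meant for the router itself, so any service that must stay reachable on the router needs its own rule placed before it.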