Multiple External IPs with iptables
Hello, again. I was requesting information about a month ago on how one goes about assigning multiple IP addresses to a Linux box and mapping them using iptables. I figured out my problem and everything worked fine until the router experienced an unfortunate hardware failure.
I've copied the firewall script onto the new installation of Linux and, of course, it doesn't work anymore. I know it was working because this desktop and the one across the room from it showed different addresses when visiting www.whatismyip.com. But now, we have problems. I am doing the following to accomplish this task in my firewall script. Assume that A.B.C.D indicates an IP address. Code:
iptables -t nat -A POSTROUTING -s 192.168.0.129 -o eth0 -j SNAT --to A.B.C.153
It is my understanding that, by changing the source IP address, netfilter will be able to realize that response packets sent to that address on the return port should be forwarded back to the machine. The last line above (which routes any thus-far-unrecognized packets to .19, our default external IP) works fine if I just leave it like that. However, any machine that I map as shown above (for example, 192.168.0.129) can't talk to the rest of the world... pings time out, for example. It is my suspicion that the packet is being sent but the response is not being properly handled; however, I have yet to prove this. Does anyone have any suggestions as to how I can fix this? Many thanks!
Re: Multiple External IPs with iptables
Ah, yes, silly me for not mentioning. I have the following as well:
Code:
iptables -A primary_chain -m state --state ESTABLISHED,RELATED -j ACCEPT
I can do so if you *really* want, but the script is mildly complex, reasonably long (for a personal machine), and badly written ('cause I'm a newbie when it comes to bash scripting). It also runs out of a configuration file. So if you like, I can post it... but I'm hoping this will be enough for you to see what's happening. I ran the command
bash -x /etc/rc.d/rc.firewall | grep iptables
and, after removing the output that my firewall script uses to show progress, this is what we have: a list of all of the actual calls to iptables that my script makes. Code:
/usr/sbin/iptables -P INPUT ACCEPT
Is this helpful? Is there any more information you need? When it comes to iptables, I'm almost entirely self-taught. And this firewall script is something that resulted from two years of tinkering and a recent rewrite (to accommodate the config file). So my biggest question is this: is the approach that I'm using a sound one? Is just changing the source IP of the packet to the desired external IP as it leaves my network sufficient to effectively give that machine a presence on the IP address? It is my eventual hope to be able to perform fairly complex mapping. For example, computer A uses IP X and computer B uses IP Y except that port 40030 on IP X is routed to computer B. Stuff like that. Thanks again for your help; I really appreciate it! :)
okay, let's take a step back and re-group... run this over-simplified script (made from the rules you posted) and test it out... AFAIK it should work since you got this working like this once before (in this test script you should be able to connect to the internet ONLY from those three LAN IPs)...
Code:
#!/bin/sh
in this test script, any packets that get dropped will be logged, so you can check your logfile (grep /var/log/syslog for "FORWARD DROP" and/or "INPUT DROP" or just "tail -f" it...) to see what's going on if the LAN hosts' internet access still doesn't work during this test... good luck...
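The test script itself did not survive on this page, so the following is an added example, written for this thread rather than taken from it, of the approach discussed above: one SNAT rule per LAN host to its own external address, a single ESTABLISHED,RELATED rule that lets conntrack handle the replies, the "port 40030 on IP X goes to computer B" mapping asked about earlier as a DNAT with its matching FORWARD accept, and rate-limited LOG rules with the "INPUT DROP" / "FORWARD DROP" prefixes so dropped packets show up in syslog. Everything specific is an assumption: eth0 as the ISP-facing interface, eth1 as the LAN, A.B.C.x standing in for a real address block, and the host and port mappings are constructed for illustration. It takes `show` to print the rules it would run and `apply` to install them as root.

```shell
#!/bin/sh
# Added example, not the script posted in this thread.
# Per-host SNAT to separate external addresses, one DNAT port forward,
# and logged drops, with a dry-run mode for inspection.
# Assumptions (hypothetical): eth0 faces the ISP, eth1 faces the LAN,
# A.B.C.x stands in for the real external block, and the host/port
# mappings below are constructed for illustration.
set -eu

IPT=${IPT:-iptables}      # set IPT=echo to print rules instead of applying them
IP=${IP:-ip}              # likewise IP=echo
WAN=eth0
LAN=eth1
LAN_NET=192.168.0.0/24
DEFAULT_EXT=A.B.C.19      # unmapped LAN hosts leave through this address

# "lan_ip external_ip" pairs: each host appears on the internet as ext
HOST_MAP="192.168.0.129 A.B.C.153
192.168.0.142 A.B.C.154"

# "external_ip proto port lan_ip": inbound port forward (the 40030 case)
PORT_MAP="A.B.C.153 tcp 40030 192.168.0.142"

add_secondary_addrs() {
  # The router must own every address it SNATs to, otherwise it will not
  # answer ARP for it and replies from upstream never reach the box.
  echo "$HOST_MAP" | while read -r _lan ext; do
    $IP addr add "$ext/32" dev "$WAN" 2>/dev/null || true   # ignore "already exists"
  done
}

base_policy() {
  $IPT -F; $IPT -t nat -F; $IPT -X
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP       # only explicitly allowed traffic is forwarded
  $IPT -P OUTPUT ACCEPT
  $IPT -A INPUT -i lo -j ACCEPT
  # Reply traffic for any NATed flow: conntrack has already reversed the
  # translation, so one rule covers every mapping below.
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

snat_rules() {
  # Specific per-host rules first; the catch-all for the rest of the LAN last.
  echo "$HOST_MAP" | while read -r lan ext; do
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$lan" -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$lan" -j SNAT --to-source "$ext"
  done
  $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m state --state NEW -j ACCEPT
  $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j SNAT --to-source "$DEFAULT_EXT"
}

dnat_rules() {
  echo "$PORT_MAP" | while read -r ext proto port lan; do
    $IPT -t nat -A PREROUTING -i "$WAN" -d "$ext" -p "$proto" --dport "$port" \
      -j DNAT --to-destination "$lan"
    # After DNAT the packet is a NEW connection in FORWARD; with policy DROP
    # it needs its own accept rule or the forward silently fails.
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -d "$lan" -p "$proto" --dport "$port" \
      -m state --state NEW -j ACCEPT
  done
}

log_drops() {
  # Rate-limited so a flood cannot fill the log; tail syslog for these prefixes.
  $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "
  $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD DROP: "
}

apply_rules() {
  base_policy
  snat_rules
  dnat_rules
  log_drops
}

case "${1-}" in
  apply) sysctl -w net.ipv4.ip_forward=1; add_secondary_addrs; apply_rules ;;
  show)  IPT=echo; IP=echo; add_secondary_addrs; apply_rules ;;   # dry run
esac
```

Two things worth checking against your own script: the per-host SNAT rules must be appended before the catch-all for the LAN, since POSTROUTING matches top-down and the first match wins, and every address named in a `--to-source` has to be configured on the WAN interface or the upstream router's ARP for it goes unanswered. On current kernels `-m conntrack --ctstate` is the preferred spelling of `-m state --state`; the behaviour is the same. Note that INPUT DROP also blocks connections to the router itself, so add an accept for your own management port before relying on this over the network.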
how did it go?? any luck??
Hehe... been busy today so I haven't had time to try it. Thanks for your great response, though... I'll probably test it within the next two days. Thanks also for your help; it looks like you put a fair amount of work into understanding my question and I can appreciate the philanthropy of knowledge. ;)
I'll post here as soon as I test it. :)
Strange...
I ran the script segment you sent me. It really looked like it should work. However, once it was run, none of the computers (not even 192.168.0.129 or 192.168.0.142) could reach the outside network. And I didn't get *anything* in /var/log/debug.
Interestingly enough, it looks as if the packet wasn't dropped. I ran tethereal while having one of my machines ping www.google.com. I got this among other things:
21.244141 A.B.C.153 -> 64.233.161.104 ICMP Echo (ping) request
But there was never an ICMP echo response. Thanks for the suggestion, though. Any guess as to why my machine has lost its mind? Cheers, and thanks again for all the help!
Oh... actually, I just noticed something. If I change my firewall script in such a way that it routes outward through A.B.C.153 instead of A.B.C.19... without any special cases... we get nothing. I'm beginning to wonder if my ISP is behaving properly or if they think that our six IP block is being spoofed. I'll give them a call tomorrow. :)
Yeah... my ISP apparently removed routing for that block a few days ago as a result of a mistake during maintenance. I called them and got it sorted; the script, just as I posted above, is working fine now.
Thanks again for all your help... tracing this back to the ISP would have taken me a lot longer without it. Cheers!
cool man. i'm glad you got it sorted out. :)