Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Does this take any incoming packets as part of an existing connection (assuming source NAT is set up), and automatically forward them to the right local address?
Would a valid range be say, 10.1.1.0-10.1.1.255? Would all addresses in the range have to be contiguous?
My problem might be that NAT might be needed for some DHCP clients in that range, would I have to give them all static addresses?
I'm not 100% sure, but I think giving a range of ip addresses with the DNAT target does a form of load sharing. So if you had remote hosts A,B, and C all trying to connect to your router, the first one (Host A) would be routed to the first machine in the DNAT range, Host B would then be routed to the second, and Host C would go to the third, etc. So I don't think that's what you're trying to do. I could be wrong on that though.
If you could be a little more specific on what you're trying to accomplish, that might help. If you're trying to NAT a bunch of clients on a LAN and you're just looking for a way to allow them to connect out, what you're after is either SNAT or IP Masquerading. Which one you need depends on whether your router/gateway machine itself has a permanent ip address or if it's dynamically assigned.
Yeah connection sharing is what i'm after - basically a hard-as-a-jawbreaker proxy gateway for web, ftp access from a LAN. I'm pre-empting my boss though as he hasn't decided what to go for, and I want to have the script ready if he chooses Linux
Its ethernet 10/100 and we're going out through a DSL connection - the proxy server (2 NICS) would be hooked into the router. Its got a static IP address, so I'd only need source NAT for that? How do the packets find their way back to the right host on the LAN? Is it done automatically (magically)?
Where eth0 is the external interface connected to the 'net and xxx.xxx.xxx.xxx is the external ip address of the gateway/router box. If you ever find yourself in a situation with a dynamic ip on the gateway, you'd use ip masquerading instead. The syntax is pretty much the same:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
As for how do the packets find there way back in to the proper machine on the LAN side, iptables keeps track of what connections go with which remote host and match those to the proper LAN host. I think you could visualize it like a sort of "routing table". If you're ever curious, you can actually watch it work by checking out /proc/net/ip_conntrack and see the various states of connections. So yeah, it's kind of automagically.
The nice part about setting it up that way is that the LAN hosts can connect out and maintain connections with remote hosts, but someone from the outside shouldn't be able to initiate a connection into the LAN (at least if you do it right).
If you want to allow incoming traffic, to say a public webserver in the LAN, then you'd use DNAT'ing and FORWARDing to direct that traffic to the specified internal host.
Ahh love that iptables magic I never thought it would be so simple, some of the example scripts in my book are V. complex...
Shouldn't need to muck about with forwarding though as we have another connection for our mail + web server using a HW firewall box.
One more point though: does the INPUT chain apply to all NICS in the box? Likewise the OUTPUT chain? I was kind of thinking that INPUT was incoming traffic from the external network, and OUTPUT was outgoing traffic to the external network... I'm wrong, right?
Originally posted by MadCactus Ahh love that iptables magic I never thought it would be so simple, some of the example scripts in my book are V. complex...
You'll see people with ridiculuosly long rule sets that are really complex. Alot of the time they have redundant rules that are unnecessary. Even though the iptables syntax and structure can be complex, your ruleset really can be surprisingly short depending on your needs.
Quote:
One more point though: does the INPUT chain apply to all NICS in the box? Likewise the OUTPUT chain?
Correct, both the INPUT and OUTPUT chains apply to all interfaces unless you specify one directly, for example "iptables -A INPUT -i eth0", would be limited to incoming packets on the eth0 interface.
Quote:
I was kind of thinking that INPUT was incoming traffic from the external network, and OUTPUT was outgoing traffic to the external network... I'm wrong, right?
No, INPUT is ANY traffic that is coming into the box, regardless of which interface or whether it's coming from the LAN side or from the internet side. The OUPUT chain is ANY traffic going out of the box, regardless of interface or direction. Again, you could the use the -i and -o desriptors to further narrow down which interface the traffic is coming into and which one it would be going out. There are some exceptions to that with traffic that is being forwarded to other boxes, but that's another story in itself.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.