LinuxQuestions.org

Linux - Networking: Linux router - setting up a DMZ or default machine to route to (https://www.linuxquestions.org/questions/linux-networking-3/linux-router-setting-up-a-dmz-or-default-machine-to-route-to-145738/)

Rooboy 02-13-2004 02:22 PM

Linux router - setting up a DMZ or default machine to route to
 
I've set up routing using iptables, thanks to a script I nicked from this forum. I now want to set my Linux router to send any packets coming from the internet that it doesn't know what to do with to another machine on my network. Can anyone give me the command to do this? Also, if it's possible to port forward an individual port, I'd like to know how to do that too.

Cheers

ugge 02-14-2004 04:10 AM

# -p tcp (or -p udp) is required before --dport; match the destination (your external IP and the service port), not the source
iptables -t nat -A PREROUTING -p tcp -d <your external ip> --dport <port to forward> -j DNAT --to-destination <ip to forward to>:<port to forward to>

That should do the trick for port forwarding.

Rooboy 02-14-2004 07:31 AM

Cheers, that worked great. Can anyone tell me how to route by default to another machine?

Cheers again

ugge 02-14-2004 09:09 AM

Are you referring to the default gateway setting? Inbound or outbound traffic, or both?

Rooboy 02-14-2004 09:55 AM

Cheers for the help, ugge. I want inbound traffic (traffic off the internet) to be forwarded to a Windows machine on my internal network, so I guess it would be kind of a default gateway for incoming traffic. But I want the router to continue to do NAT for the rest of my machines.

I want to do this so that, to the outside world, it appears that my Windows machine is the one on the internet. I hope this kind of clarifies what I'm trying to do.

Cheers again

ugge 02-14-2004 10:06 AM

I see what you want to do, but I don't see why.
The easiest would be just to connect your Windows machine to the internet and then let Windows share the internet connection (do the NAT).

Rooboy 02-14-2004 10:58 AM

I could do that, but basically my Linux box stays on all the time downstairs routing for the rest of my house, and I want to use my Windows machine without having to bother doing individual port forwarding for eDonkey, VPN access and a load of other applications.

Basically I want the Linux box to do NAT for my housemates, but have any incoming connections unrelated to the NAT forwarded to my Windows machine.

Any ideas?

Cheers

aarggh 02-16-2004 03:52 PM

As I understand what you want, if you want all unknown packets not related directly to previous outgoing NAT rules sent to an internal Windows box, you're going to get an AWFUL lot of data sent that won't route. Unless your ISP has given you a block of IPs, the Windows box won't route on its own. If the Linux box has the only available external IP, all other machines on the network must route through it. This means that all the internal machines will have their packets altered to reflect the details of your external interface. Only machines with valid external IPs will route across the web.

Even if the Linux box routed all unknown traffic to the winbox, the packets would be dropped there, as they would have undergone NATing and therefore would be considered useless, and the winbox would not see them as related to any sessions originating from it. If you want the winbox to route directly over the internet without NATing, it must be the box connected to the internet.

Rooboy 02-16-2004 04:30 PM

I understand what you're saying, aarggh, but I want incoming packets that are unrelated to existing NAT connections simply forwarded to the winbox. I do not want incoming packets NATted and sent to the winbox. This is what happens on many hardware routers: incoming connections that the router doesn't know about can be forwarded, not NATted, to an internal IP.

I expect that this may be a little tricky to do, but if anyone knows how, please let me know.

Cheers

pilot1 02-16-2004 05:01 PM

I'm not sure that I completely understand what you want, but if I do, it's a _VERY_ bad idea.

You want any incoming connections that don't match any other rules to be forwarded to your Windows box, right?
That defeats one of the main points of using a Linux router: security. It will still act as a switch, but as soon as a new exploit comes along, your Windows box will immediately get hit by it.

If I were you, I'd just forward all the ports; it's really not that hard. You could use Webmin to simplify it, if you want.

aarggh 02-16-2004 06:41 PM

In trying to get unknown packets sent to your winbox, you would still have the problem that ALL outgoing packets are rewritten with the external interface of the Linux box.

As I understand it, you don't want to do port forwarding for services running on another box, but you want to actually establish a session on the winbox, send traffic for that session outbound via the Linux box, and then have the return traffic for the winbox bypass the Linux box and go straight to the winbox?

This will not work unless you have PUBLIC IPs on the internal boxes and the Linux box purely routes traffic, as all external traffic not related to a valid session for the Linux box will be dropped automatically. Do you have more than one public IP?

Again, if you only have one public IP assigned, all traffic MUST route through the Linux box and will be rewritten with the Linux box's external interface IP. With only one external public IP and many internal private IPs, there is no way to avoid using NAT.

Rooboy 02-18-2004 06:30 AM

I understand what you're saying, aarggh. And I realise that this is a terrible idea, but for the sake of avoiding arguments with some of the people I'm trying to set this system up with, I need to have all unknown packets sent to their machine.

Thanks pilot1, I think forwarding all ports would have this effect. Is there a simple command to forward all ports, such as:
iptables -A PREROUTING -t nat -s <your ip> --sport all -j DNAT --to-destination <ip to forward to>:all

Will the "all" statement work here?

Also, will the command to forward a port be ignored if the port is open and being NATted for use by another machine?

pilot1 02-18-2004 03:44 PM

The first matching rule is acted on, so just place the rules for forwarding packets to other machines before the rule that forwards all the packets.
I'm not sure how to do a range of ports, but it's an option in Webmin, so I assume there is a command for it.
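The script below is an added example, not something posted in this thread, that puts the pieces of the discussion together on a router with a single public IP: MASQUERADE for the housemates, a few explicit port forwards (including the port-range syntax pilot1 was unsure about, which is simply `--dport low:high`; there is no `all` keyword, so Rooboy's `--sport all` and `:all` would be rejected), a rule that keeps a service on the router itself reachable, and last of all the catch-all DNAT that sends every other new inbound connection to the "DMZ" host. Because the nat PREROUTING chain stops at the first matching rule, the specific rules are appended before the catch-all, which is exactly pilot1's ordering advice. The interface names, addresses and ports are assumptions for the example. It prints the commands instead of running them unless `IPT=iptables` is set.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal iptables NAT script for a
# Linux router with one public IP. It (1) masquerades the LAN, (2) forwards
# a few specific ports to other internal hosts, (3) keeps a service on the
# router itself reachable, and (4) DNATs every other new inbound connection
# to one "DMZ" host. In the nat PREROUTING chain the first matching rule
# wins, so the specific rules are appended before the catch-all.
# Interfaces and addresses are assumptions for the example.
WAN="${WAN:-eth0}"                      # interface facing the ISP
LAN="${LAN:-eth1}"                      # interface facing the house LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"
DMZ_HOST="${DMZ_HOST:-192.168.1.50}"    # the box that receives everything else
# Dry run by default: print the commands instead of applying them.
# Run with IPT=iptables (as root) to load the rules for real.
IPT="${IPT:-echo iptables}"

# router_service PROTO PORT
#   Exempt a service on the router itself from the catch-all DNAT: ACCEPT in
#   the nat table means "do not NAT this connection", and INPUT lets it in.
router_service() {
    $IPT -t nat -A PREROUTING -i "$WAN" -p "$1" --dport "$2" -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p "$1" --dport "$2" -m conntrack --ctstate NEW -j ACCEPT
}

# add_forward PROTO DPORT DEST [DEST_PORT]
#   One explicit port forward. DPORT may be a range "low:high"; with no
#   DEST_PORT the original destination port is kept, otherwise it is rewritten.
add_forward() {
    proto=$1; dport=$2; dest=$3; dest_port=${4:-}
    if [ -n "$dest_port" ]; then to="$dest:$dest_port"; else to="$dest"; fi
    $IPT -t nat -A PREROUTING -i "$WAN" -p "$proto" --dport "$dport" \
        -j DNAT --to-destination "$to"
    # After DNAT the packet is addressed to the internal host, so FORWARD
    # matches on that address and the (possibly rewritten) port.
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -p "$proto" -d "$dest" \
        --dport "${dest_port:-$dport}" -m conntrack --ctstate NEW -j ACCEPT
}

build_rules() {
    $IPT -t nat -F
    $IPT -F FORWARD
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Outbound NAT for the housemates (the DMZ host included).
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT

    # Specific rules first: they win over the catch-all below.
    router_service tcp 22                    # ssh to the router itself
    add_forward tcp 80   192.168.1.20        # web server on another box
    add_forward tcp 8443 192.168.1.20 443    # port translation 8443 -> 443
    add_forward udp 4672:4673 "$DMZ_HOST"    # a port range, ports preserved

    # Catch-all "DMZ": every other unsolicited inbound connection. Replies to
    # the housemates' own connections never get here: conntrack already knows
    # them, so only the first packet of a NEW connection consults this chain.
    $IPT -t nat -A PREROUTING -i "$WAN" -m conntrack --ctstate NEW \
        -j DNAT --to-destination "$DMZ_HOST"
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -d "$DMZ_HOST" \
        -m conntrack --ctstate NEW -j ACCEPT
}

build_rules
```

After loading the rules for real, `iptables -t nat -L PREROUTING -n --line-numbers` shows the order conntrack will evaluate them in; the catch-all must be the last DNAT line. Note that the catch-all is exactly what pilot1 warns about: anything not handled by an earlier rule reaches the DMZ host with no filtering by the router, so that host's own firewall is its only protection.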

