LinuxQuestions.org > Linux - Networking (for any issue related to networks or networking: routing, network cards, OSI, etc.)

11-04-2005, 08:03 PM | #1 | tvynr (Member; Registered: Apr 2004; Distribution: Debian; Posts: 143)
Multiple External IPs with iptables
Hello, again. I was requesting information about a month ago on how one goes about assigning multiple IP addresses to a Linux box and mapping them using iptables. I figured out my problem and everything worked fine until the router experienced an unfortunate hardware failure.
I've copied the firewall script onto the new installation of Linux and, of course, it doesn't work anymore. I know it was working because this desktop and the one across the room from it showed different addresses when visiting www.whatismyip.com. But now, we have problems.
I am doing the following to accomplish this task in my firewall script. Assume that A.B.C.D indicates an IP address.
Code:
# one SNAT rule per LAN host that should appear from its own public address
iptables -t nat -A POSTROUTING -s 192.168.0.129 -o eth0 -j SNAT --to A.B.C.153
iptables -t nat -A POSTROUTING -s 192.168.0.142 -o eth0 -j SNAT --to A.B.C.154
iptables -t nat -A POSTROUTING -s 192.168.0.203 -o eth0 -j SNAT --to A.B.C.155
# catch-all: everything else leaves as the default external address
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to A.B.C.19
The actual script is a bit more complicated than that (reading from a config file, etc.), but those are the lines that are being executed with respect to the IP mapping scenario. We happen to own addresses A.B.C.19 and A.B.C.153 - A.B.C.158. And like I said... this really seemed to work before the hardware problem.
It is my understanding that, by changing the source IP address, netfilter will be able to realize that response packets sent to that address on the return port should be forwarded back to the machine. The last line above (which routes any thus-far-unrecognized packets to .19, our default external IP) works fine if I just leave it like that. However, any machine that I map as shown above (for example, 192.168.0.129) can't talk to the rest of the world... pings time out, for example.
It is my suspicion that the packet is being sent but the response is not being properly handled; however, I have yet to prove this. Does anyone have any suggestions as to how I can fix this?
Many thanks!

11-04-2005, 08:59 PM | #2 | win32sux (LQ Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
Re: Multiple External IPs with iptables
Quote: Originally posted by tvynr
    those are the lines that are being executed with respect to the IP mapping scenario.
but what about your FORWARD rules??
Quote:
    It is my suspicion that the packet is being sent but the response is not being properly handled
do you have a rule for ESTABLISHED,RELATED packets in your FORWARD chain??

11-04-2005, 09:12 PM | #3 | tvynr, Original Poster (Member; Registered: Apr 2004; Distribution: Debian; Posts: 143)
Ah, yes, silly me for not mentioning. I have the following as well:
Code:
# stateful accept: replies belonging to connections conntrack already tracks
iptables -A primary_chain -m state --state ESTABLISHED,RELATED -j ACCEPT
# anything not arriving on the external interface is trusted
# (written "! -i eth0"; older iptables also accepted the "-i ! eth0" form)
iptables -A primary_chain ! -i eth0 -j ACCEPT
# and then, later...
iptables -A INPUT -j primary_chain
iptables -A OUTPUT -j primary_chain
iptables -A FORWARD -j primary_chain
It's been in the script so long that I've just taken it for granted. Thanks for pointing that out, though. 

11-04-2005, 10:14 PM | #4 | win32sux (LQ Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
Quote: Originally posted by tvynr
Code:
iptables -A primary_chain -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A primary_chain -i ! eth0 -j ACCEPT
# and then, later...
iptables -A INPUT -j primary_chain
iptables -A OUTPUT -j primary_chain
iptables -A FORWARD -j primary_chain
what is the policy for the FORWARD chain?? i see you have a rule for ESTABLISHED,RELATED packets but i don't see anything for NEW packets... maybe it would be easier if you would just post your complete iptables script??

11-05-2005, 02:36 AM | #5 | tvynr, Original Poster (Member; Registered: Apr 2004; Distribution: Debian; Posts: 143)
I can do so if you *really* want, but the script is mildly complex, reasonably long (for a personal machine), and badly written ('cause I'm a newbie when it comes to bash scripting). It also runs out of a configuration file. So if you like, I can post it... but I'm hoping this will be enough for you to see what's happening. I ran the command
bash -x /etc/rc.d/rc.firewall | grep iptables
and, after removing the output that my firewall script uses to show progress, this is what we have: a list of all of the actual calls to iptables that my script makes.
Code:
/usr/sbin/iptables -P INPUT ACCEPT
/usr/sbin/iptables -P OUTPUT ACCEPT
/usr/sbin/iptables -P FORWARD ACCEPT
/usr/sbin/iptables -t nat -P PREROUTING ACCEPT
/usr/sbin/iptables -t nat -P POSTROUTING ACCEPT
/usr/sbin/iptables -t mangle -P PREROUTING ACCEPT
/usr/sbin/iptables -t mangle -P POSTROUTING ACCEPT
/usr/sbin/iptables -t mangle -P FORWARD ACCEPT
/usr/sbin/iptables -F
/usr/sbin/iptables -t nat -F
/usr/sbin/iptables -t mangle -F
/usr/sbin/iptables -X
/usr/sbin/iptables -t nat -X
/usr/sbin/iptables -t mangle -X
/usr/sbin/iptables -N accpt
/usr/sbin/iptables -N default_chain
/usr/sbin/iptables -N DROP_BADFLAGS
/usr/sbin/iptables -A DROP_BADFLAGS -m limit --limit 15/minute -j LOG --log-level debug --log-prefix 'Packet Drop (bad flags): '
/usr/sbin/iptables -A DROP_BADFLAGS -j DROP
/usr/sbin/iptables -N DROP_BADICMPTYPE
/usr/sbin/iptables -A DROP_BADICMPTYPE -m limit --limit 15/minute -j LOG --log-level debug --log-prefix 'Packet Drop (bad ICMP type): '
/usr/sbin/iptables -A DROP_BADICMPTYPE -j DROP
/usr/sbin/iptables -A accpt -m state --state ESTABLISHED,RELATED -j ACCEPT
/usr/sbin/iptables -A accpt -i '!' eth0 -j ACCEPT
/usr/sbin/iptables -A accpt -o eth1 -j ACCEPT
/usr/sbin/iptables -A accpt -o lo -j ACCEPT
/usr/sbin/iptables -A accpt -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP_BADFLAGS
/usr/sbin/iptables -A accpt -p tcp --tcp-flags ALL ALL -j DROP_BADFLAGS
/usr/sbin/iptables -A accpt -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP_BADFLAGS
/usr/sbin/iptables -A accpt -p tcp --tcp-flags ALL NONE -j DROP_BADFLAGS
/usr/sbin/iptables -A accpt -p tcp --tcp-flags SYN,RST SYN,RST -j DROP_BADFLAGS
/usr/sbin/iptables -A accpt -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP_BADFLAGS
/usr/sbin/iptables -A accpt -p icmp --icmp-type 0 -j ACCEPT
/usr/sbin/iptables -A accpt -p icmp --icmp-type 3 -j ACCEPT
/usr/sbin/iptables -A accpt -p icmp --icmp-type 11 -j ACCEPT
/usr/sbin/iptables -A accpt -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
/usr/sbin/iptables -A accpt -p icmp -i eth1 -j ACCEPT
/usr/sbin/iptables -A accpt -p icmp -i lo -j ACCEPT
/usr/sbin/iptables -A accpt -p icmp -j DROP_BADICMPTYPE
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.129 -o eth0 -j SNAT --to A.B.C.153
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.142 -o eth0 -j SNAT --to A.B.C.154
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.203 -o eth0 -j SNAT --to A.B.C.155
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.153 -p tcp --dport 16881 -j DNAT --to-destination 192.168.0.129:16881
/usr/sbin/iptables -A accpt -d A.B.C.153 -p tcp --dport 16881 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.153 -p udp --dport 16881 -j DNAT --to-destination 192.168.0.129:16881
/usr/sbin/iptables -A accpt -d A.B.C.153 -p udp --dport 16881 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.154 -p tcp --dport 6883 -j DNAT --to-destination 192.168.0.142:6883
/usr/sbin/iptables -A accpt -d A.B.C.154 -p tcp --dport 6883 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.154 -p udp --dport 6883 -j DNAT --to-destination 192.168.0.142:6883
/usr/sbin/iptables -A accpt -d A.B.C.154 -p udp --dport 6883 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.153 -p udp --dport 1200 -j DNAT --to-destination 192.168.0.129:1200
/usr/sbin/iptables -A accpt -d A.B.C.153 -p udp --dport 1200 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.153 -p udp --dport 27000 -j DNAT --to-destination 192.168.0.129:27000
/usr/sbin/iptables -A accpt -d A.B.C.153 -p udp --dport 27000 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.153 -p udp --dport 27001 -j DNAT --to-destination 192.168.0.129:27001
/usr/sbin/iptables -A accpt -d A.B.C.153 -p udp --dport 27001 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.153 -p udp --dport 27002 -j DNAT --to-destination 192.168.0.129:27002
/usr/sbin/iptables -A accpt -d A.B.C.153 -p udp --dport 27002 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.153 -p udp --dport 27003 -j DNAT --to-destination 192.168.0.129:27003
/usr/sbin/iptables -A accpt -d A.B.C.153 -p udp --dport 27003 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.153 -p udp --dport 27004 -j DNAT --to-destination 192.168.0.129:27004
/usr/sbin/iptables -A accpt -d A.B.C.153 -p udp --dport 27004 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.153 -p udp --dport 27005 -j DNAT --to-destination 192.168.0.129:27005
/usr/sbin/iptables -A accpt -d A.B.C.153 -p udp --dport 27005 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.153 -p udp --dport 27006 -j DNAT --to-destination 192.168.0.129:27006
/usr/sbin/iptables -A accpt -d A.B.C.153 -p udp --dport 27006 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.153 -p udp --dport 27007 -j DNAT --to-destination 192.168.0.129:27007
/usr/sbin/iptables -A accpt -d A.B.C.153 -p udp --dport 27007 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.153 -p udp --dport 27008 -j DNAT --to-destination 192.168.0.129:27008
/usr/sbin/iptables -A accpt -d A.B.C.153 -p udp --dport 27008 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.153 -p udp --dport 27009 -j DNAT --to-destination 192.168.0.129:27009
/usr/sbin/iptables -A accpt -d A.B.C.153 -p udp --dport 27009 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.153 -p udp --dport 27010 -j DNAT --to-destination 192.168.0.129:27010
/usr/sbin/iptables -A accpt -d A.B.C.153 -p udp --dport 27010 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.153 -p udp --dport 27011 -j DNAT --to-destination 192.168.0.129:27011
/usr/sbin/iptables -A accpt -d A.B.C.153 -p udp --dport 27011 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.153 -p udp --dport 27012 -j DNAT --to-destination 192.168.0.129:27012
/usr/sbin/iptables -A accpt -d A.B.C.153 -p udp --dport 27012 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.153 -p udp --dport 27013 -j DNAT --to-destination 192.168.0.129:27013
/usr/sbin/iptables -A accpt -d A.B.C.153 -p udp --dport 27013 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.153 -p udp --dport 27014 -j DNAT --to-destination 192.168.0.129:27014
/usr/sbin/iptables -A accpt -d A.B.C.153 -p udp --dport 27014 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.153 -p udp --dport 27015 -j DNAT --to-destination 192.168.0.129:27015
/usr/sbin/iptables -A accpt -d A.B.C.153 -p udp --dport 27015 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.153 -p tcp --dport 27030 -j DNAT --to-destination 192.168.0.129:27030
/usr/sbin/iptables -A accpt -d A.B.C.153 -p tcp --dport 27030 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.153 -p tcp --dport 27031 -j DNAT --to-destination 192.168.0.129:27031
/usr/sbin/iptables -A accpt -d A.B.C.153 -p tcp --dport 27031 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.153 -p tcp --dport 27032 -j DNAT --to-destination 192.168.0.129:27032
/usr/sbin/iptables -A accpt -d A.B.C.153 -p tcp --dport 27032 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.153 -p tcp --dport 27033 -j DNAT --to-destination 192.168.0.129:27033
/usr/sbin/iptables -A accpt -d A.B.C.153 -p tcp --dport 27033 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.153 -p tcp --dport 27034 -j DNAT --to-destination 192.168.0.129:27034
/usr/sbin/iptables -A accpt -d A.B.C.153 -p tcp --dport 27034 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.153 -p tcp --dport 27035 -j DNAT --to-destination 192.168.0.129:27035
/usr/sbin/iptables -A accpt -d A.B.C.153 -p tcp --dport 27035 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.153 -p tcp --dport 27036 -j DNAT --to-destination 192.168.0.129:27036
/usr/sbin/iptables -A accpt -d A.B.C.153 -p tcp --dport 27036 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.153 -p tcp --dport 27037 -j DNAT --to-destination 192.168.0.129:27037
/usr/sbin/iptables -A accpt -d A.B.C.153 -p tcp --dport 27037 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.153 -p tcp --dport 27038 -j DNAT --to-destination 192.168.0.129:27038
/usr/sbin/iptables -A accpt -d A.B.C.153 -p tcp --dport 27038 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.153 -p tcp --dport 27039 -j DNAT --to-destination 192.168.0.129:27039
/usr/sbin/iptables -A accpt -d A.B.C.153 -p tcp --dport 27039 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.154 -p udp --dport 1200 -j DNAT --to-destination 192.168.0.142:1200
/usr/sbin/iptables -A accpt -d A.B.C.154 -p udp --dport 1200 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.154 -p udp --dport 27000 -j DNAT --to-destination 192.168.0.142:27000
/usr/sbin/iptables -A accpt -d A.B.C.154 -p udp --dport 27000 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.154 -p udp --dport 27001 -j DNAT --to-destination 192.168.0.142:27001
/usr/sbin/iptables -A accpt -d A.B.C.154 -p udp --dport 27001 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.154 -p udp --dport 27002 -j DNAT --to-destination 192.168.0.142:27002
/usr/sbin/iptables -A accpt -d A.B.C.154 -p udp --dport 27002 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.154 -p udp --dport 27003 -j DNAT --to-destination 192.168.0.142:27003
/usr/sbin/iptables -A accpt -d A.B.C.154 -p udp --dport 27003 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.154 -p udp --dport 27004 -j DNAT --to-destination 192.168.0.142:27004
/usr/sbin/iptables -A accpt -d A.B.C.154 -p udp --dport 27004 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.154 -p udp --dport 27005 -j DNAT --to-destination 192.168.0.142:27005
/usr/sbin/iptables -A accpt -d A.B.C.154 -p udp --dport 27005 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.154 -p udp --dport 27006 -j DNAT --to-destination 192.168.0.142:27006
/usr/sbin/iptables -A accpt -d A.B.C.154 -p udp --dport 27006 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.154 -p udp --dport 27007 -j DNAT --to-destination 192.168.0.142:27007
/usr/sbin/iptables -A accpt -d A.B.C.154 -p udp --dport 27007 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.154 -p udp --dport 27008 -j DNAT --to-destination 192.168.0.142:27008
/usr/sbin/iptables -A accpt -d A.B.C.154 -p udp --dport 27008 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.154 -p udp --dport 27009 -j DNAT --to-destination 192.168.0.142:27009
/usr/sbin/iptables -A accpt -d A.B.C.154 -p udp --dport 27009 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.154 -p udp --dport 27010 -j DNAT --to-destination 192.168.0.142:27010
/usr/sbin/iptables -A accpt -d A.B.C.154 -p udp --dport 27010 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.154 -p udp --dport 27011 -j DNAT --to-destination 192.168.0.142:27011
/usr/sbin/iptables -A accpt -d A.B.C.154 -p udp --dport 27011 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.154 -p udp --dport 27012 -j DNAT --to-destination 192.168.0.142:27012
/usr/sbin/iptables -A accpt -d A.B.C.154 -p udp --dport 27012 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.154 -p udp --dport 27013 -j DNAT --to-destination 192.168.0.142:27013
/usr/sbin/iptables -A accpt -d A.B.C.154 -p udp --dport 27013 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.154 -p udp --dport 27014 -j DNAT --to-destination 192.168.0.142:27014
/usr/sbin/iptables -A accpt -d A.B.C.154 -p udp --dport 27014 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.154 -p udp --dport 27015 -j DNAT --to-destination 192.168.0.142:27015
/usr/sbin/iptables -A accpt -d A.B.C.154 -p udp --dport 27015 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.154 -p tcp --dport 27030 -j DNAT --to-destination 192.168.0.142:27030
/usr/sbin/iptables -A accpt -d A.B.C.154 -p tcp --dport 27030 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.154 -p tcp --dport 27031 -j DNAT --to-destination 192.168.0.142:27031
/usr/sbin/iptables -A accpt -d A.B.C.154 -p tcp --dport 27031 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.154 -p tcp --dport 27032 -j DNAT --to-destination 192.168.0.142:27032
/usr/sbin/iptables -A accpt -d A.B.C.154 -p tcp --dport 27032 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.154 -p tcp --dport 27033 -j DNAT --to-destination 192.168.0.142:27033
/usr/sbin/iptables -A accpt -d A.B.C.154 -p tcp --dport 27033 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.154 -p tcp --dport 27034 -j DNAT --to-destination 192.168.0.142:27034
/usr/sbin/iptables -A accpt -d A.B.C.154 -p tcp --dport 27034 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.154 -p tcp --dport 27035 -j DNAT --to-destination 192.168.0.142:27035
/usr/sbin/iptables -A accpt -d A.B.C.154 -p tcp --dport 27035 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.154 -p tcp --dport 27036 -j DNAT --to-destination 192.168.0.142:27036
/usr/sbin/iptables -A accpt -d A.B.C.154 -p tcp --dport 27036 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.154 -p tcp --dport 27037 -j DNAT --to-destination 192.168.0.142:27037
/usr/sbin/iptables -A accpt -d A.B.C.154 -p tcp --dport 27037 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.154 -p tcp --dport 27038 -j DNAT --to-destination 192.168.0.142:27038
/usr/sbin/iptables -A accpt -d A.B.C.154 -p tcp --dport 27038 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.154 -p tcp --dport 27039 -j DNAT --to-destination 192.168.0.142:27039
/usr/sbin/iptables -A accpt -d A.B.C.154 -p tcp --dport 27039 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.155 -p tcp --dport 3724 -j DNAT --to-destination 192.168.0.203:3724
/usr/sbin/iptables -A accpt -d A.B.C.155 -p tcp --dport 3724 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.155 -p tcp --dport 6112 -j DNAT --to-destination 192.168.0.203:6112
/usr/sbin/iptables -A accpt -d A.B.C.155 -p tcp --dport 6112 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.155 -p tcp --dport 6881 -j DNAT --to-destination 192.168.0.203:6881
/usr/sbin/iptables -A accpt -d A.B.C.155 -p tcp --dport 6881 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.155 -p tcp --dport 6882 -j DNAT --to-destination 192.168.0.203:6882
/usr/sbin/iptables -A accpt -d A.B.C.155 -p tcp --dport 6882 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.155 -p tcp --dport 6883 -j DNAT --to-destination 192.168.0.203:6883
/usr/sbin/iptables -A accpt -d A.B.C.155 -p tcp --dport 6883 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.155 -p tcp --dport 6884 -j DNAT --to-destination 192.168.0.203:6884
/usr/sbin/iptables -A accpt -d A.B.C.155 -p tcp --dport 6884 -j ACCEPT
*** More of the same ***
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.155 -p tcp --dport 6993 -j DNAT --to-destination 192.168.0.203:6993
/usr/sbin/iptables -A accpt -d A.B.C.155 -p tcp --dport 6993 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.155 -p tcp --dport 6994 -j DNAT --to-destination 192.168.0.203:6994
/usr/sbin/iptables -A accpt -d A.B.C.155 -p tcp --dport 6994 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.155 -p tcp --dport 6995 -j DNAT --to-destination 192.168.0.203:6995
/usr/sbin/iptables -A accpt -d A.B.C.155 -p tcp --dport 6995 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.155 -p tcp --dport 6996 -j DNAT --to-destination 192.168.0.203:6996
/usr/sbin/iptables -A accpt -d A.B.C.155 -p tcp --dport 6996 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.155 -p tcp --dport 6997 -j DNAT --to-destination 192.168.0.203:6997
/usr/sbin/iptables -A accpt -d A.B.C.155 -p tcp --dport 6997 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.155 -p tcp --dport 6998 -j DNAT --to-destination 192.168.0.203:6998
/usr/sbin/iptables -A accpt -d A.B.C.155 -p tcp --dport 6998 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d A.B.C.155 -p tcp --dport 6999 -j DNAT --to-destination 192.168.0.203:6999
/usr/sbin/iptables -A accpt -d A.B.C.155 -p tcp --dport 6999 -j ACCEPT
/usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to A.B.C.19
/usr/sbin/iptables -A accpt -p tcp --dport 22000 -j ACCEPT
/usr/sbin/iptables -A accpt -j default_chain
/usr/sbin/iptables -A default_chain -j DROP
/usr/sbin/iptables -A INPUT -j accpt
/usr/sbin/iptables -A OUTPUT -j accpt
/usr/sbin/iptables -A FORWARD -j accpt
The bit that isn't working properly is right under the last mention of "DROP_BADICMPTYPE". And forgive the fact that this script involves so many port forwards... like I said, it's being run out of a configuration file and I'm not very good with bash, so when I wanted to forward 6881:6999 on one machine, that's what we got.
Is this helpful? Is there any more information you need? When it comes to iptables, I'm almost entirely self-taught. And this firewall script is something that resulted from two years of tinkering and a recent rewrite (to accommodate the config file). So my biggest question is this: is the approach that I'm using a sound one? Is just changing the source IP of the packet to the desired external IP as it leaves my network sufficient to effectively give that machine a presence on the IP address?
It is my eventual hope to be able to perform fairly complex mapping. For example, computer A uses IP X and computer B uses IP Y except that port 40030 on IP X is routed to computer B. Stuff like that.
Thanks again for your help; I really appreciate it! 

11-05-2005, 07:25 AM | #6 | win32sux (LQ Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
okay, let's take a step back and re-group... run this over-simplified script (made from the rules you posted) and test it out... AFAIK it should work since you got this working like this once before (in this test script you should be able to connect to the internet ONLY from those three LAN IPs)...
Code:
#!/bin/sh
# stop forwarding while the rules are rebuilt; it is switched back on at the end
echo "0" > /proc/sys/net/ipv4/ip_forward
# reverse-path filtering: drop packets whose source address is not routable back out the interface they came in on
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
# start from empty tables in filter, nat and mangle
/usr/sbin/iptables -F
/usr/sbin/iptables -F -t nat
/usr/sbin/iptables -F -t mangle
/usr/sbin/iptables -X
/usr/sbin/iptables -X -t nat
/usr/sbin/iptables -X -t mangle
# default-deny for traffic to the box and through the box; the box itself may send anything
/usr/sbin/iptables -P INPUT DROP
/usr/sbin/iptables -P OUTPUT ACCEPT
/usr/sbin/iptables -P FORWARD DROP
/usr/sbin/iptables -A INPUT -i lo -j ACCEPT
# replies to connections conntrack already knows are accepted first
/usr/sbin/iptables -A INPUT -m state \
--state ESTABLISHED,RELATED -j ACCEPT
# whatever is still unmatched is logged, then the DROP policy takes it
/usr/sbin/iptables -A INPUT -j LOG \
--log-prefix "INPUT DROP: "
/usr/sbin/iptables -A FORWARD -m state \
--state ESTABLISHED,RELATED -j ACCEPT
# only these three LAN hosts may open NEW connections towards the internet
/usr/sbin/iptables -A FORWARD -i eth1 -o eth0 -s 192.168.0.129 \
-m state --state NEW -j ACCEPT
/usr/sbin/iptables -A FORWARD -i eth1 -o eth0 -s 192.168.0.142 \
-m state --state NEW -j ACCEPT
/usr/sbin/iptables -A FORWARD -i eth1 -o eth0 -s 192.168.0.203 \
-m state --state NEW -j ACCEPT
/usr/sbin/iptables -A FORWARD -j LOG \
--log-prefix "FORWARD DROP: "
# one SNAT per host so each one leaves from its own public address
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.129 -o eth0 \
-j SNAT --to A.B.C.153
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.142 -o eth0 \
-j SNAT --to A.B.C.154
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.203 -o eth0 \
-j SNAT --to A.B.C.155
echo "1" > /proc/sys/net/ipv4/ip_forward
the FORWARD rules i posted assume the interface those LAN IPs are connected to is "eth1", but if it's not then make sure you change it accordingly...
in this test script, any packets that get dropped will be logged, so you can check your logfile (grep /var/log/syslog for "FORWARD DROP" and/or "INPUT DROP" or just "tail -f" it...) to see what's going on if the LAN hosts' internet access still doesn't work during this test...
good luck...
Last edited by win32sux; 11-05-2005 at 08:36 AM.
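The rule layout this thread converges on (posts #2 and #4 ask for a FORWARD rule for NEW packets, post #5 shows one DNAT rule generated per port, post #6 puts the pieces in order) can be produced from a small config instead of hand-written lines. The script below is an added example, not the thread's firewall script or win32sux's test script: it emits one FORWARD accept plus one SNAT per mapped LAN host, one DNAT plus its FORWARD accept per port forward (a lo:hi range is a single rule, so 6881:6999 no longer needs 119 lines), and the catch-all SNAT last. Interface names follow win32sux's assumption (eth0 to the internet, eth1 to the LAN), A.B.C.x are the thread's placeholders for the public block, the config strings and the `ipt`/`DRY_RUN` wrapper are constructed for the example. By default it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not the thread's own firewall script.  Generates the per-host
# rules the thread converges on (FORWARD accept for NEW + SNAT per LAN host,
# DNAT port forwards, catch-all SNAT last) from two small config strings.
# Interface names follow win32sux's assumption (eth0 = internet, eth1 = LAN);
# A.B.C.x are the thread's placeholders for the real public block.
IPT="${IPT:-/usr/sbin/iptables}"
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = actually run iptables

# Print or execute one iptables invocation, depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# Constructed config: "lan_ip public_ip", one host per line.
HOST_MAP='192.168.0.129 A.B.C.153
192.168.0.142 A.B.C.154
192.168.0.203 A.B.C.155'

# Constructed config: "public_ip proto dport lan_ip"; dport may be a range
# lo:hi, which becomes one rule instead of one rule per port.
FWD_MAP='A.B.C.153 tcp 16881 192.168.0.129
A.B.C.155 tcp 6881:6999 192.168.0.203'

DEFAULT_SNAT='A.B.C.19'   # address used by hosts not listed in HOST_MAP

# Rules for one mapped host: let it open NEW connections towards the internet,
# and rewrite its source so replies come back for the public address that
# conntrack associates with this host.
host_rules() {
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$1" -m state --state NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -s "$1" -o "$WAN" -j SNAT --to-source "$2"
}

# One port forward: DNAT in PREROUTING plus the FORWARD accept for the
# translated destination.  With no ":port" in --to-destination the original
# destination port is kept, so a lo:hi range maps 1:1 onto the LAN host.
fwd_rules() {
    ipt -t nat -A PREROUTING -i "$WAN" -d "$1" -p "$2" --dport "$3" -j DNAT --to-destination "$4"
    ipt -A FORWARD -i "$WAN" -o "$LAN" -d "$4" -p "$2" --dport "$3" -m state --state NEW -j ACCEPT
}

# The whole rule set in the order that matters: stateful accept first, then
# the per-host and forward rules, then the catch-all SNAT, which must come
# last so it only catches hosts that have no mapping of their own.
generate() {
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    echo "$HOST_MAP" | while read -r lan_ip pub_ip; do
        host_rules "$lan_ip" "$pub_ip"
    done
    echo "$FWD_MAP" | while read -r pub_ip proto dport lan_ip; do
        fwd_rules "$pub_ip" "$proto" "$dport" "$lan_ip"
    done
    ipt -t nat -A POSTROUTING -o "$WAN" -j SNAT --to-source "$DEFAULT_SNAT"
}

# Number of rules the current config produces in dry-run mode; worth a look
# before applying, since a missing catch-all or a shadowed SNAT shows up here.
rule_count() {
    generate | wc -l | tr -d ' '
}

generate
```

Run it as-is to review the generated lines; `DRY_RUN=0 sh script.sh` (as root, after the flush and policy lines from win32sux's script) applies them. The catch-all SNAT stays last because the nat POSTROUTING chain is consulted once, for the first packet of a connection, and the first matching SNAT rule decides the mapping that conntrack then applies to every packet of that connection in both directions.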

11-06-2005, 12:31 AM | #7 | win32sux (LQ Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
how did it go?? any luck??

11-06-2005, 01:29 AM | #8 | tvynr, Original Poster (Member; Registered: Apr 2004; Distribution: Debian; Posts: 143)
Hehe... been busy today so I haven't had time to try it. Thanks for your great response, though... I'll probably test it within the next two days. Thanks also for your help; it looks like you put a fair amount of work into understanding my question and I can appreciate the philanthropy of knowledge.
I'll post here as soon as I test it. 

11-06-2005, 06:35 PM | #9 | tvynr, Original Poster (Member; Registered: Apr 2004; Distribution: Debian; Posts: 143)
Strange...
I ran the script segment you sent me. It really looked like it should work. However, once it was run, none of the computers (not even 192.168.0.129 or 192.168.0.142) could reach the outside network. And I didn't get *anything* in /var/log/debug.
Interestingly enough, it looks as if the packet wasn't dropped. I ran tethereal while having one of my machines ping www.google.com. I got this among other things:
    21.244141 A.B.C.153 -> 64.233.161.104 ICMP Echo (ping) request
But there was never an ICMP echo response. Thanks for the suggestion, though. Any guess as to why my machine has lost its mind?
Cheers, and thanks again for all the help!
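The capture line quoted in this post is the useful evidence: the request left the box with the rewritten public source, so the SNAT side worked, and the absence of any reply points past the firewall (as the ISP's missing route later confirmed). The functions below are an added example, not something from the thread: they summarise a tethereal-style ICMP capture per local address so that "requests out, zero replies back" stands out for each SNAT address separately. The field layout follows the quoted line (`<time> <src> -> <dst> ICMP Echo (ping) request|reply`); the sample capture is constructed for the example, with A.B.C.x standing for the thread's public block.

```shell
#!/bin/sh
# Added example, not from the thread: per-address ICMP echo accounting over a
# tethereal-style capture.  Field layout of each line, as quoted in post #9:
#   <time> <src> -> <dst> ICMP Echo (ping) request|reply
# The capture below is constructed; A.B.C.x are the thread's placeholders.
SAMPLE_CAPTURE='21.244141 A.B.C.153 -> 64.233.161.104 ICMP Echo (ping) request
22.244203 A.B.C.153 -> 64.233.161.104 ICMP Echo (ping) request
23.102330 A.B.C.19 -> 64.233.161.104 ICMP Echo (ping) request
23.131917 64.233.161.104 -> A.B.C.19 ICMP Echo (ping) reply
24.102401 A.B.C.19 -> 64.233.161.104 ICMP Echo (ping) request
24.131880 64.233.161.104 -> A.B.C.19 ICMP Echo (ping) reply'

# Read capture lines on stdin and print "address requests replies" for every
# local address that sent an echo request.  Requests are counted by source,
# replies by destination, so both ends of the exchange land on the same key.
echo_summary() {
    awk '
        $5 == "ICMP" && $6 == "Echo" && $8 == "request" { req[$2]++ }
        $5 == "ICMP" && $6 == "Echo" && $8 == "reply"   { rep[$4]++ }
        END { for (ip in req) printf "%s %d %d\n", ip, req[ip], rep[ip] + 0 }
    ' | sort
}

# Addresses that sent requests but saw no reply at all.  The rewrite on the
# way out evidently worked (the request carries the public source), so the
# break is on the return path beyond this box rather than in the nat rules.
silent_sources() {
    echo_summary | awk '$3 == 0 { print $1 }'
}

echo "$SAMPLE_CAPTURE" | silent_sources
```

Fed a live capture (`tethereal -n -i eth0 icmp`, or `tshark` on current systems; output format may differ between versions, so check the field positions first), an address listed by `silent_sources` while the default address gets replies is exactly the pattern this thread ended on: the firewall is doing its job and the question moves to whether the upstream routes that block back to you.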

11-06-2005, 06:40 PM | #10 | tvynr, Original Poster (Member; Registered: Apr 2004; Distribution: Debian; Posts: 143)
Oh... actually, I just noticed something. If I change my firewall script in such a way that it routes outward through A.B.C.153 instead of A.B.C.19... without any special cases... we get nothing. I'm beginning to wonder if my ISP is behaving properly or if they think that our six IP block is being spoofed. I'll give them a call tomorrow. 

11-08-2005, 02:12 PM | #11 | tvynr, Original Poster (Member; Registered: Apr 2004; Distribution: Debian; Posts: 143)
Yeah... my ISP apparently removed routing for that block a few days ago as a result of a mistake during maintenance. I called them and got it sorted; the script, just as I posted above, is working fine now.
Thanks again for all your help... tracing this back to the ISP would have taken me a lot longer without it. Cheers!

11-08-2005, 03:31 PM | #12 | win32sux (LQ Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
cool man. i'm glad you got it sorted out. 