Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
09-22-2006, 02:24 PM
|
#1
|
Member
Registered: Aug 2006
Posts: 43
Rep:
|
Backups across firewall "doable" w/iptables?
All,
The scenario:
I have several machines behind a firewall that need to be accessed for backup by a HP Dataprotector (port 5555) cell manager and associated media agents (tape libraries.) Until now I have been able to back up machines just fine that live behind a Sonicwall using the built-in 1:1 NAT. The problem is I am getting into quantities of data that make backing up through the 100Mbit connection of the Sonicwall very time consuming. The upshot is that I would like to get the same Gbit backup speed across the firewall that I have existing on the outside. I would like to take a currently underutilized server having 2-Gbit NICs and use iptables to do the 1:1 NAT that the Sonicwall was doing previously, if possible.
The problem:
I've no clue on how to do this. I am in the dark as how to have the cell manager find its way to the multiple machines it needs to access for backup.
Any info would be appreciated!
|
|
|
09-22-2006, 03:12 PM
|
#2
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
|
Quote:
Originally Posted by landev
All,
The scenario:
I have several machines behind a firewall that need to be accessed for backup by a HP Dataprotector (port 5555) cell manager and associated media agents (tape libraries.) Until now I have been able to back up machines just fine that live behind a Sonicwall using the built-in 1:1 NAT. The problem is I am getting into quantities of data that make backing up through the 100Mbit connection of the Sonicwall very time consuming. The upshot is that I would like to get the same Gbit backup speed across the firewall that I have existing on the outside. I would like to take a currently underutilized server having 2-Gbit NICs and use iptables to do the 1:1 NAT that the Sonicwall was doing previously, if possible.
The problem:
I've no clue on how to do this. I am in the dark as how to have the cell manager find its way to the multiple machines it needs to access for backup.
Any info would be appreciated!
|
well, if you have to use port 5555 for each of them on the external side, then you're gonna need one external IP for each internal one... if, on the other hand, you can use different ports on the external side, then you'd only need one external IP to accomplish it...
for example (with one external IP for each internal one - and assuming eth0 is your WAN side and eth1 is your LAN side):
Code:
iptables -P FORWARD DROP
iptables -t nat -A PREROUTING -p TCP -i eth0 -d 10.1.1.1 \
--dport 5555 -j DNAT --to-destination 192.168.1.1
iptables -t nat -A PREROUTING -p TCP -i eth0 -d 10.1.1.2 \
--dport 5555 -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -p TCP -i eth0 -d 10.1.1.3 \
--dport 5555 -j DNAT --to-destination 192.168.1.3
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.1 \
-j SNAT --to-source 10.1.1.1
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.2 \
-j SNAT --to-source 10.1.1.2
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.3 \
-j SNAT --to-source 10.1.1.3
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p TCP -i eth0 -o eth1 --dport 5555 \
-d 192.168.1.1 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p TCP -i eth0 -o eth1 --dport 5555 \
-d 192.168.1.2 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p TCP -i eth0 -o eth1 --dport 5555 \
-d 192.168.1.3 -m state --state NEW -j ACCEPT
and with only *one* external IP for all internal boxes (using a different port for each box):
Code:
iptables -P FORWARD DROP
iptables -t nat -A PREROUTING -p TCP -i eth0 --dport 1111 \
-j DNAT --to-destination 192.168.1.1:5555
iptables -t nat -A PREROUTING -p TCP -i eth0 --dport 2222 \
-j DNAT --to-destination 192.168.1.2:5555
iptables -t nat -A PREROUTING -p TCP -i eth0 --dport 3333 \
-j DNAT --to-destination 192.168.1.3:5555
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p TCP -i eth0 -o eth1 --dport 5555 \
-d 192.168.1.1 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p TCP -i eth0 -o eth1 --dport 5555 \
-d 192.168.1.2 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p TCP -i eth0 -o eth1 --dport 5555 \
-d 192.168.1.3 -m state --state NEW -j ACCEPT
in the first example, you'd be able to connect to a specific box by connecting to port 5555 on it's exclusively mapped external IP address (alias)...
in the second example, you'd be able to connect to a specific box by connecting to the mapped port of your preference on the (one) external IP address...
Last edited by win32sux; 09-22-2006 at 03:31 PM.
|
|
|
09-27-2006, 05:48 PM
|
#3
|
Member
Registered: Aug 2006
Posts: 43
Original Poster
Rep:
|
To be continued....
Gracias! This looks like what I'm after... only I won't be able to confirm for a bit. I'm currently up to the skivies in aligators so will follow up on this as soon as I get a chance and let you know how things turn out. Thanks for the input!
|
|
|
10-05-2006, 03:02 PM
|
#4
|
Member
Registered: Aug 2006
Posts: 43
Original Poster
Rep:
|
Well, I've had some time to devote to this puzzle, but haven't had much luck. I used the cookbook approach, using your 1:1 NAT example with addresses on both sides of the firewall. Seems like the firewall isn't routing the requests to the shielded machine. I suppose I may be doing something wrong, but have retried multiple times with no success. I remain mystified at this point.
|
|
|
10-06-2006, 02:12 AM
|
#5
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
|
Quote:
Originally Posted by landev
Well, I've had some time to devote to this puzzle, but haven't had much luck. I used the cookbook approach, using your 1:1 NAT example with addresses on both sides of the firewall. Seems like the firewall isn't routing the requests to the shielded machine. I suppose I may be doing something wrong, but have retried multiple times with no success. I remain mystified at this point.
|
check if you have forwarding enabled in your kernel:
Code:
cat /proc/sys/net/ipv4/ip_forward
if you get a zero as output of that, then it's disabled... enable it with a:
Code:
echo "1" > /proc/sys/net/ipv4/ip_forward
to make the change "permanent", stick a line like this in your /etc/sysctl.conf file:
Code:
net/ipv4/ip_forward=1
|
|
|
10-10-2006, 06:23 PM
|
#6
|
Member
Registered: Aug 2006
Posts: 43
Original Poster
Rep:
|
The fowarding is enabled and remains so after boot, so I guess that part is in place. Still don't seem to be able to route to the inside address though.
|
|
|
10-10-2006, 07:22 PM
|
#7
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
|
make sure you're using the right interface names...
make sure you flushed all your rules before you applied these...
can't think of anything else right now... =/
BTW, which of the scripts are you using??
|
|
|
10-13-2006, 11:03 AM
|
#8
|
Member
Registered: Aug 2006
Posts: 43
Original Poster
Rep:
|
The interface names are correct and I've done the flushing. I imagine the problem is something small that I'm overlooking... just can't think what it is. Part of the problem is that I haven't had a great deal of time to sit down and muscle through this (spread too damned thin at this job!) I will continue to play with this when I get more time and will let you know once things are working.
Not sure which scripts you are referring to...
|
|
|
10-13-2006, 12:29 PM
|
#9
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
|
Quote:
Originally Posted by landev
The interface names are correct and I've done the flushing. I imagine the problem is something small that I'm overlooking... just can't think what it is. Part of the problem is that I haven't had a great deal of time to sit down and muscle through this (spread too damned thin at this job!) I will continue to play with this when I get more time and will let you know once things are working.
|
cool... if you can, post the output of: and:
Code:
iptables -t nat -L -v -n
Quote:
Not sure which scripts you are referring to...
|
i posted two, one for if you have several external IPs, and one for if you have only one external IP...
|
|
|
10-17-2006, 06:17 PM
|
#10
|
Member
Registered: Aug 2006
Posts: 43
Original Poster
Rep:
|
I used the script for multiple IPs.
The output of iptables -t nat -L -v -n is:
Chain PREROUTING (policy ACCEPT 82 packets, 12217 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- eth0 * 0.0.0.0/0 10.1.1.3 tcp dpt:5555 to:192.168.168.3
0 0 DNAT tcp -- eth0 * 0.0.0.0/0 10.1.1.7 tcp dpt:5555 to:192.168.168.7
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 SNAT all -- * eth0 192.168.168.3 0.0.0.0/0 to:10.1.1.3
0 0 SNAT all -- * eth0 192.168.168.7 0.0.0.0/0 to:10.1.1.7
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
The output of iptables -t nat -L -v -n is:
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 10.1.1.4 0.0.0.0/0 tcp flags:!0x16/0x02
0 0 ACCEPT udp -- * * 10.1.1.4 0.0.0.0/0
0 0 ACCEPT tcp -- * * 10.1.1.240 0.0.0.0/0 tcp flags:!0x16/0x02
0 0 ACCEPT udp -- * * 10.1.1.240 0.0.0.0/0
0 0 ACCEPT tcp -- * * 10.1.1.36 0.0.0.0/0 tcp flags:!0x16/0x02
0 0 ACCEPT udp -- * * 10.1.1.36 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 5
3 540 DROP all -- eth0 * 0.0.0.0/0 255.255.255.255
53 8913 DROP all -- * * 0.0.0.0/0 10.1.1.255
0 0 DROP all -- * * 224.0.0.0/8 0.0.0.0/0
2 56 DROP all -- * * 0.0.0.0/0 224.0.0.0/8
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 LSI all -f * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5
0 0 INBOUND all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 INBOUND all -- eth1 * 0.0.0.0/0 192.168.168.3
0 0 INBOUND all -- eth1 * 0.0.0.0/0 10.1.1.3
0 0 INBOUND all -- eth1 * 0.0.0.0/0 192.168.168.255
0 0 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Input'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 5
0 0 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
0 0 OUTBOUND all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.168.0/24 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.168.0/24 state RELATED,ESTABLISHED
0 0 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Forward'
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- eth0 eth1 0.0.0.0/0 192.168.168.3 tcp dpt:5555 state NEW
0 0 ACCEPT tcp -- eth0 eth1 0.0.0.0/0 192.168.168.7 tcp dpt:5555 state NEW
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 10.1.1.3 10.1.1.4 tcp dpt:53
0 0 ACCEPT udp -- * * 10.1.1.3 10.1.1.4 udp dpt:53
0 0 ACCEPT tcp -- * * 10.1.1.3 10.1.1.240 tcp dpt:53
0 0 ACCEPT udp -- * * 10.1.1.3 10.1.1.240 udp dpt:53
0 0 ACCEPT tcp -- * * 10.1.1.3 10.1.1.36 tcp dpt:53
0 0 ACCEPT udp -- * * 10.1.1.3 10.1.1.36 udp dpt:53
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 224.0.0.0/8 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 224.0.0.0/8
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 OUTBOUND all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 OUTBOUND all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Output'
Chain INBOUND (4 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 10.1.1.0 0.0.0.0/0
0 0 ACCEPT all -- * * 10.1.2.0 0.0.0.0/0
0 0 ACCEPT all -- * * 10.1.3.0 0.0.0.0/0
0 0 ACCEPT all -- * * 10.1.4.0 0.0.0.0/0
0 0 ACCEPT all -- * * 192.168.168.0 0.0.0.0/0
0 0 ACCEPT all -- * * 10.1.1.28 0.0.0.0/0
0 0 ACCEPT tcp -- * * 10.1.1.0 0.0.0.0/0 tcp dpts:137:139
0 0 ACCEPT udp -- * * 10.1.1.0 0.0.0.0/0 udp dpts:137:139
0 0 ACCEPT tcp -- * * 10.1.1.0 0.0.0.0/0 tcp dpt:445
0 0 ACCEPT udp -- * * 10.1.1.0 0.0.0.0/0 udp dpt:445
0 0 LSI all -- * * 0.0.0.0/0 0.0.0.0/0
Chain LOG_FILTER (5 references)
pkts bytes target prot opt in out source destination
Chain LSI (2 references)
pkts bytes target prot opt in out source destination
0 0 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain LSO (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Outbound '
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTBOUND (3 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
|
|
|
All times are GMT -5. The time now is 03:48 PM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|