LinuxQuestions.org
Old 05-25-2005, 11:38 AM   #1
matneyc
Member
 
Registered: Aug 2004
Posts: 31

Rep: Reputation: 15
IPTables - Multiple Public IP's to private IP's


I have an OLD ipchains server that is on its last leg, and I'm not sure if I shut it down whether it will come back.
So, to counteract bad luck, I have built a new firewall that seems to be doing what I need it to do. Only problem is, I do not know how to forward multiple public IPs to my private IPs.

I have 5 IPs that I need to map to servers that have multiple roles (mail, DBs, websites, application hosting, PCA, etc...) and I cannot find anything in the forum dealing with more than 1 IP address.

Please - if you have any clues on doing this, drop me a hint. I would very much appreciate it.
 
Old 05-25-2005, 11:12 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Depending on what you're trying to do, you can just DNAT each external IP to the corresponding internal IP. So you'd just set up individual DNAT rules that rewrite the destination address to the internal one for each mapping pair. So if the mapping were like this:

1.1.1.1 -> 10.0.0.1 (port X)
2.2.2.2 -> 10.0.0.2 (port Y)

Then the iptables rules would be like:
iptables -t nat -A PREROUTING -i <external_interface> -d 1.1.1.1 -j DNAT --to-destination 10.0.0.1
iptables -t nat -A PREROUTING -i <external_interface> -d 2.2.2.2 -j DNAT --to-destination 10.0.0.2

Then forward the required ports through:
iptables -A FORWARD -d 10.0.0.1 -p tcp --dport X -j ACCEPT
iptables -A FORWARD -d 10.0.0.2 -p tcp --dport Y -j ACCEPT

So it's basically the same thing you'd do with one external -> internal mapping, just repeated for each pair.
 
Old 05-26-2005, 10:44 AM   #3
matneyc
Member
 
Registered: Aug 2004
Posts: 31

Original Poster
Rep: Reputation: 15
OK, I have input this on my test system and will launch it live here in a couple of minutes. I will report back the results. Thanks for all yer help capn.
 
Old 05-26-2005, 02:44 PM   #4
matneyc
Member
 
Registered: Aug 2004
Posts: 31

Original Poster
Rep: Reputation: 15
I took your advice and ran those configs; however, I have made a mistake. I stated ETH1 versus ETH0. How do I remove that from my config so that I can start over?
Also, when I telnet into the server, it is as though I have no path statement. Each time I type in iptables, or service commands, it tells me:
bash: iptables: command not found
Do you know a way to fix a path issue like that?
 
Old 05-26-2005, 04:37 PM   #5
matneyc
Member
 
Registered: Aug 2004
Posts: 31

Original Poster
Rep: Reputation: 15
Will I need to configure a range of IP aliases?
 
Old 05-26-2005, 08:25 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Originally posted by matneyc
I took your advice and ran those configs; however, I have made a mistake. I stated ETH1 versus ETH0. How do I remove that from my config so that I can start over?
You can remove rules using -D, so if you added:
iptables -t nat -A PREROUTING ...blah...
just do:
iptables -t nat -D PREROUTING ...blah...

You can also delete by number like iptables -D 1, but you need to check the output of iptables -L to confirm what number the bad rule is.

Quote:
Originally posted by matneyc
When I telnet into the server, it is as though I have no path statement. Each time I type in iptables, or service commands, it tells me:
bash: iptables: command not found
Do you know a way to fix a path issue like that?

Make sure you're root when you run the command. If it still doesn't work try doing 'locate iptables' or 'find / -name iptables' (this is a bit more noisy). Should normally be in /sbin or /usr/sbin.

Last edited by Capt_Caveman; 05-26-2005 at 08:28 PM.
 
Old 05-26-2005, 08:31 PM   #7
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Originally posted by matneyc
Will I need to configure a range of IP aliases?
It actually won't matter, because iptables doesn't support virtual interfaces. However, just for clarity could you explain your network topology and what you are trying to accomplish in more detail.
 
Old 05-27-2005, 09:45 AM   #8
matneyc
Member
 
Registered: Aug 2004
Posts: 31

Original Poster
Rep: Reputation: 15
My topology is as follows:

Internet-
|->T1 (Router from ISP)-
|->DMZ-
|->Firewall-
|->Network
I have a /28 public subnet and need to route several of those IP addresses over to servers inside of the building. Of course, they are M$ servers and will be hacked about 3 seconds after I put public IP's on them so, I wanted to keep my current set up, as with IPChains.
In IPChains, it is set up as follows:

Server01 192.168.1.2 mapped to 66.67.68.150
Server02 192.168.1.3 mapped to 66.67.68.151
Server03 192.168.1.4 mapped to 66.67.68.152
Server04 192.168.1.5 mapped to 66.67.68.153

And the list goes on. I only keep the following ports mapped as well:
21 FTP
23 Telnet
25 SMTP
53 DNS
80 HTTP
443 HTTPS
110 POP3
3389 Remote Desktop
5561-5562 PCAnywhere

Everything else, I like to have dropped.

Now I have the configuration cleared and restarted with what I already knew to use for NATing, and then added the statements for your IPs and ports.
Further, I have created the virtual public IP range (which I will remove now) and still have no go on the test.

I am just trying everything that I can and testing as I go to get it up.
Does this help in understanding what we are attempting to repeat?
If M$ wasn't so sloppy, we wouldn't be in this mess, so this is what I am stuck with, protecting their swiss cheese.
Thanks for everything...
Dan
 
Old 05-27-2005, 01:23 PM   #9
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Ok, so I would probably just create a bunch of aliases (virtual interfaces) for each of the public IPs so that you have general connectivity (though not necessary), then just write a DNAT rule for each mapping and forward the required ports to the LAN server. Just remember that iptables will treat each of the virtual interfaces as one interface, so eth0:1, eth0:2, and eth0:3 would all be just eth0 in your iptables rules (using aliases in the rules will cause an error). So your DNAT rules will look like:

iptables -t nat -A PREROUTING -i eth0 -d 65.66.67.150 -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -i eth0 -d 65.66.67.151 -j DNAT --to-destination 192.168.1.3

If you want to forward each of those ports to all of the internal servers, then your forwarding rules will be:
iptables -A FORWARD -p tcp -m multiport --dports 21,23,25,53,80,110,443,3389,5561,5562 -j ACCEPT

If you only want to forward certain ports to certain LAN servers, then just specify which ports and which internal IPs. For example say you only want port 80 and 443 going to 192.168.1.2 and ftp going to 192.168.1.3. Then your rules would be:
iptables -A FORWARD -p tcp -m multiport --dports 80,443 -d 192.168.1.2 -j ACCEPT
iptables -A FORWARD -p tcp --dport 21 -d 192.168.1.3 -j ACCEPT

Finally you'll need a rule to allow packets back out:
iptables -A FORWARD -i eth1 -j ACCEPT
(you can lock this down further depending on your needs)

Also make sure that you've turned on packet forwarding in the kernel:
echo 1 > /proc/sys/net/ipv4/ip_forward

If you're still having problems, post your iptables rules.

Last edited by Capt_Caveman; 05-27-2005 at 01:25 PM.
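The rule set Capt_Caveman sketches in posts #2 and #9, together with the -A/-D removal trick from post #6, fits naturally into one small script. The following is an added example, not code from the thread or from anyone posting in it: it generates the DNAT and FORWARD rules for a table of public-to-private mappings with a per-server port list, and can replay the same rules with -D to back them out. The interface names eth0/eth1 and the address and port table are constructed assumptions; the SNAT rule for outbound traffic goes one step beyond the thread, which only covers inbound DNAT, and the conntrack-based reply rule replaces the thread's blanket "-i eth1 -j ACCEPT".

```shell
#!/bin/sh
# Added example, not code from the thread: generate (or apply) a 1:1
# public->private NAT rule set of the kind described in the replies above.
# Interface names and the address/port table are constructed assumptions.
#
# Default is dry-run: the rules are printed and nothing is changed.
#   APPLY=1 ./nat-rules.sh add   applies the rules with iptables (as root)
#   APPLY=1 ./nat-rules.sh del   removes the same rules again (-A -> -D)

WAN_IF="${WAN_IF:-eth0}"   # interface carrying the public /28 addresses (assumed)
LAN_IF="${LAN_IF:-eth1}"   # interface towards the 192.168.1.0/24 servers (assumed)

# Constructed mapping table: public IP, private IP, allowed TCP ports.
# Ports are restricted per server rather than opening every port to every
# host, which is the tighter of the two variants shown in the thread.
MAPPINGS='
66.67.68.150 192.168.1.2 80,443
66.67.68.151 192.168.1.3 21,25,110
66.67.68.152 192.168.1.4 53,3389
66.67.68.153 192.168.1.5 5561,5562
'

# Print the command in dry-run mode, execute it when APPLY=1.
ipt() {
  if [ "${APPLY:-0}" = 1 ]; then
    iptables "$@"
  else
    echo "iptables $*"
  fi
}

# Emit every rule once; $1 is A (append) or D (delete), so the same
# function both installs the set and removes it exactly, rule for rule.
rule_set() {
  op="-$1"
  # Replies to connections the firewall already tracks, in either direction.
  ipt "$op" FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Traffic the LAN originates towards the Internet.
  ipt "$op" FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT

  printf '%s\n' "$MAPPINGS" | while read -r pub priv ports; do
    [ -n "$pub" ] || continue
    # Inbound: rewrite the public destination to the internal server.
    ipt -t nat "$op" PREROUTING -i "$WAN_IF" -d "$pub" -j DNAT --to-destination "$priv"
    # Only new connections to the listed TCP ports may cross into the LAN.
    ipt "$op" FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$priv" -p tcp \
        -m multiport --dports "$ports" -m conntrack --ctstate NEW -j ACCEPT
    # Outbound: the server's own connections leave from its public address
    # (full 1:1 NAT; the thread itself only covers the inbound half).
    ipt -t nat "$op" POSTROUTING -o "$WAN_IF" -s "$priv" -j SNAT --to-source "$pub"
  done
}

# Number of DNAT mappings the rule set contains; a quick sanity check
# that the table parsed as expected before applying anything.
dnat_count() {
  rule_set A | grep -c -- '-j DNAT'
}

main() {
  case "${1:-add}" in
    add)
      # Drop anything not explicitly forwarded, then install the rules.
      ipt -P FORWARD DROP
      rule_set A
      if [ "${APPLY:-0}" = 1 ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
      fi
      ;;
    del)
      rule_set D
      ;;
    *)
      echo "usage: $0 [add|del]" >&2
      return 2
      ;;
  esac
}

# Run main only when executed as nat-rules.sh, not when sourced for its functions.
case "${0##*/}" in
  nat-rules.sh) main "$@" ;;
esac
```

Run it without APPLY first and read the printed rules; note that DNS on port 53 usually also needs a UDP rule, which the thread's TCP-only list does not include, and that the multiport match is limited to 15 ports per rule.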