----- Original Message -----
From: Mike Wright
Sent: 02/14/12 12:22 AM
To: Community support for Fedora users
Subject: Re: iptables? issue
On 02/13/2012 11:34 AM, nullv@xxxxxxx wrote:
> Hi,
> I'm hoping that you can point out what I'm missing here. I have a server
> (router0) with a public IP 41.123.234.74/29 that's using an internet
> modem 41.123.234.73/29 as a gateway. The server (router0) also has a
> second card used for LAN comms where it has IP address 10.0.0.1/8.
> Addresses are broadcast via DHCP along with DNS and gateway settings and
> everything works perfectly when I MASQUERADE the local IPs to the WAN
> address with iptables.
> The issue is this: I'm trying to set up another server (db0) behind
> router0 on the LAN side and want to have its packets go to my router0
> gateway and be forwarded to the internet side and vice versa. db0 has an
> address 41.123.234.75/29 with .74 set as the gateway. If I set up my
> addressing on db0 using LAN addresses and 10.0.0.1 my db0 server can
> connect and everything, but if I use the WAN address I can't connect even
> to the 41.123.234.74/29 router0 address. I had inserted the following
> rule to my tables FORWARD chain:
> iptables -I FORWARD -s 41.123.234.72/29 -j ACCEPT
> to allow public packets from either side to be forwarded to both sides
> but I can't seem to get the boxes to get through to each other.
> Can anyone tell me where I'm getting it wrong?
> Thanks in advance
>

Hi nullv,

I use this layout successfully. If you want more than one subnet a simple switch plugged into eth1 allows adding more than one box/subnet.
# your /29
# 41.123.234.72/32 NETWORK
# 41.123.234.73/32 GATEWAY
# 41.123.234.74/32 WAN1
# 41.123.234.75/32 WAN2
# 41.123.234.76/32 WAN3
# 41.123.234.77/32 WAN4
# 41.123.234.78/32 WAN5
# 41.123.234.79/32 BROADCAST

### iptables rules (nat table, iptables-restore syntax)

# define custom chains and zero connection counts
:WAN1 - [0:0]
:WAN2 - [0:0]
:WAN3 - [0:0]
:WAN4 - [0:0]
:WAN5 - [0:0]

# inbound connections: send traffic for each public address to its own chain
-A PREROUTING -d 41.123.234.74/32 -j WAN1
-A PREROUTING -d 41.123.234.75/32 -j WAN2
-A PREROUTING -d 41.123.234.76/32 -j WAN3
-A PREROUTING -d 41.123.234.77/32 -j WAN4
-A PREROUTING -d 41.123.234.78/32 -j WAN5

# pick one of your WAN IPs for outbound connections
-A POSTROUTING -o eth0 -j SNAT --to-source 41.123.234.74

# this will map inbound WAN IP:PORT to various internal servers
# NAT can point to different networks
-A WAN1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.1
-A WAN1 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.5.0.2
-A WAN2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.16.7.3
-A WAN2 -p tcp -m tcp --dport 8008 -j DNAT --to-destination 10.5.2.4
-A WAN2 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.1.2.5
-A WAN3 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.44.2.6
-A WAN4 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.9.3.7
-A WAN5 -p tcp -m tcp --dport 3306 -j DNAT --to-destination 10.192.4.8

# add rules to allow access to services on the router
-A INPUT ...

# add rules to allow/deny access between subnets
-A FORWARD ...

Hope this applies to your situation,

Mike Wright


Hi Mike,

It would seem like that would work; it's just that I was trying to avoid using NAT because of its issues/limitations/complexity, and also since it's mainly used to translate/reroute WAN addresses to LAN (non-routable) addresses? I really thought it would be as simple as forwarding packets through the gateway. I'm assuming that's how ISPs and modems etc. do it??
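As an added example (my own code, not Mike's ruleset or anything from the Fedora list), the following Python script does in a checked, repeatable way what Mike's hand-written nat table does: it carves the /29 into reserved and usable addresses, validates a port-forward map against that plan, and renders the same per-WAN-IP chain layout in iptables-restore syntax. It goes slightly beyond the message by refusing to bind a DNAT chain to the network, broadcast or upstream gateway address, which is the mistake a small block invites. The FORWARDS mapping, the SNAT_SOURCE choice and all function names are assumptions; the addresses are constructed to match the plan in the message.

```python
import ipaddress

# Constructed example values, modelled on the /29 plan in Mike's message.
# The FORWARDS mapping and SNAT_SOURCE are assumptions for illustration.
WAN_BLOCK = ipaddress.ip_network("41.123.234.72/29")
UPSTREAM_GATEWAY = ipaddress.ip_address("41.123.234.73")
OUT_IFACE = "eth0"
SNAT_SOURCE = "41.123.234.74"

# public WAN address -> list of (protocol, destination port, internal server)
FORWARDS = {
    "41.123.234.74": [("tcp", 80, "10.0.0.1"), ("tcp", 443, "10.5.0.2")],
    "41.123.234.75": [("tcp", 3306, "10.192.4.8")],
}


def address_plan(block, gateway):
    """Describe how the small public block is carved up: which addresses are
    reserved (network, upstream gateway, broadcast) and which remain usable
    as WAN IPs on the router."""
    usable = [str(h) for h in block.hosts() if h != gateway]
    return {
        "network": str(block.network_address),
        "gateway": str(gateway),
        "wan": usable,
        "broadcast": str(block.broadcast_address),
    }


def validate_forwards(block, gateway, forwards):
    """Return a list of human-readable problems; an empty list means the map
    is sane. Catches the mistakes that silently break a DNAT layout: a WAN
    IP outside the block, a reserved address, a bad port, a malformed target."""
    problems = []
    for wan, entries in forwards.items():
        try:
            ip = ipaddress.ip_address(wan)
        except ValueError:
            problems.append(f"{wan}: not an IP address")
            continue
        if ip not in block:
            problems.append(f"{wan}: outside {block}")
        elif ip in (block.network_address, block.broadcast_address):
            problems.append(f"{wan}: network/broadcast address cannot be a WAN IP")
        elif ip == gateway:
            problems.append(f"{wan}: that is the upstream gateway")
        for proto, dport, dest in entries:
            if proto not in ("tcp", "udp"):
                problems.append(f"{wan}:{dport}: unsupported protocol {proto}")
            if not 1 <= int(dport) <= 65535:
                problems.append(f"{wan}: port {dport} out of range")
            try:
                ipaddress.ip_address(dest)
            except ValueError:
                problems.append(f"{wan}:{dport}: bad destination {dest!r}")
    return problems


def render_nat_table(block, gateway, out_iface, snat_source, forwards):
    """Emit the nat table in iptables-restore syntax: one custom chain per
    WAN IP, PREROUTING dispatch into it, a single SNAT for outbound traffic,
    and the DNAT port maps inside each chain."""
    problems = validate_forwards(block, gateway, forwards)
    if problems:
        raise ValueError("; ".join(problems))
    chains = {}
    lines = ["*nat"]
    # number the chains in address order so WAN1 is the lowest usable IP
    for i, wan in enumerate(sorted(forwards, key=ipaddress.ip_address), start=1):
        chains[wan] = f"WAN{i}"
        lines.append(f":{chains[wan]} - [0:0]")
    for wan, chain in chains.items():
        lines.append(f"-A PREROUTING -d {wan}/32 -j {chain}")
    lines.append(f"-A POSTROUTING -o {out_iface} -j SNAT --to-source {snat_source}")
    for wan, chain in chains.items():
        for proto, dport, dest in forwards[wan]:
            lines.append(
                f"-A {chain} -p {proto} -m {proto} --dport {dport} "
                f"-j DNAT --to-destination {dest}"
            )
    lines.append("COMMIT")
    return "\n".join(lines)


if __name__ == "__main__":
    print(address_plan(WAN_BLOCK, UPSTREAM_GATEWAY))
    print(render_nat_table(WAN_BLOCK, UPSTREAM_GATEWAY, OUT_IFACE, SNAT_SOURCE, FORWARDS))
```

The rendered text is only the nat table; the filter-table INPUT and FORWARD rules that decide which of the DNATed connections are actually allowed through are left out here exactly as they are in the message, and must be written separately before the ruleset is loaded.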
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org