On Monday 06 January 2003 02:56 pm, Steve wrote:
> This is a second repost, the first one appears to have disapeared.
>
> Joel Newkirk wrote:
> > On Friday 03 January 2003 02:28 pm, Steve M Bibayoff wrote:
> >> Is it possible to use iptables with a device alias
> >> (ex.. eth0:1)? I tries to add a filter rule and got
> >> an error:
> >> % iptables -t filter -I INPUT -i eth0:1 -j ACCEPT
> >> Warning: wierd character in interface `eth0:1' (No
> >> aliases, :, ! or *).
> >
> > Solution #1:
> > Since this is the INPUT chain, then the local machine clearly is the
> > destination. (unless you are using the REDIRECT target in nat
> > PREROUTING) I suggest you try something like:
>
> Unfornately, I am doing redirect nat. More specifiacally MASQ
Within iptables semantics, REDIRECT is a specific form of NAT wherein you
are taking an incoming connection that would otherwise forward (IE, not
addressed to the local box) and DNATting it to the local box, so that it
comes in INPUT instead of forwarding to somewhere else. (for example,
running a transparent proxy server on the firewall box) If all you are
doing is MASQUERADE then you are NOT doing REDIRECT. Also, if your
public IP is static you should use "-j SNAT --to 1.2.3.4" instead of "-j
MASQUERADE", to avoid the overhead of netfilter constantly polling the
external interface to adapt to IP changes. This is another semantics
issue sometimes, where many people say 'masquerade' to mean hiding
several machines behind a single (or possibly more :^) public IP, but
the iptables target 'MASQUERADE' is a specific form of SNAT where
instead of specifying the source IP to use when NATting the packets, you
tell netfilter to use whatever the current IP of the interface is.
For emails I write, when these terms are capitalized I mean the actual
targets (or chains, like FORWARD and OUTPUT) used in iptables rules,
since the targets are all caps when used in rules. I usually try to
avoid using 'masquerade' and 'redirect' in their more general meaning if
there's any chance of confusion.
{snip}
> The box has only 2 network connections(internal/external). What I need
> to do is produce another real ip (1.2.3.5) that could be directly
> nat'ed to an internal windows(192.168.0.2) machine without any
> filtering. So
>
> the new network looks like this:
> |------|192.168.0.2 192.168.0.1|------|1.2.3.4/28
> |winows|---------------------eth1|RH 7.3|eth0----------------
> |------| / | |1.2.3.5/? /
>
> / |------|eth0:0-----/
> rest of network-/
You have two public IP's and want the machine to respond to both, but
forward connection coming in on one of them to a separate server in the
local network, right? If so, then set up your alias on the interface
(eth0:0) with:
ifconfig add eth0 1.2.3.5
and then add the following rule:
iptables -t nat -A PREROUTING -i eth0 -d 1.2.3.5 -j DNAT --to 192.168.0.2
and everything should work happily. Just make sure that any other
PREROUTING rules either appear after this one, or are written so as not
to interfere with this specific traffic. Also, make sure that you allow
this and replies through FORWARD, but netfilter will handle undoing the
DNAT when the packets come back through. Read through the section on
DNAT in Oskar Andreasson's iptables tutorial at:
http://iptables-tutorial.frozentux.net/chunkyhtml/targets.html#DNATTARGET
and you'll probably find that everything falls into place.
The key to this in your circumstance is specifying the destination IP (in
PREROUTING - in FORWARD you would test for "-d 192.168.0.2") as well as
the arriving interface, to separate this traffic from everything else
coming in that same physical interface. Also note that once you perform
the DNAT in PREROUTING then the destination IP will be that of the
internal machine when the packet hits any other chains in the firewall,
and reply traffic will have source IP of the internal machine up until
it reaches POSTROUTING, just before leaving the firewall and returning
back out eth0.
> Hopefully this makes some sense. From searching the archive, I've
> found the following ideas:
> ip addr add w.x.y.z/bits dev eth0 label eth00
> http://lists.netfilter.org/pipermail/netfilter/2002-October/038968.htm
>l This didn't work, kept getting errors after I tried to check the
> interface with 'ifconfig' and 'ip addr list'
>
> I've also tried to just foward the address with this
> iptables -A PREROUTING -a nat -d 1.2.3.5 -j DNAT --to 192.168.0.2
> iptables -A FORWARD -d 192.168.0.2 -j ACCEPT
> http://lists.netfilter.org/pipermail/netfilter/2002-September/038129.h
>tml This appears to be working when I try go from the internal machine
> to the outside, but I can't connect from the outside to inside (tried
> nmap, got the RH 7.3 sig).
Are you allowing return traffic back out through the FORWARD chain? The
DNAT you have above should have no effect at all on connections from
internal to outside, unless the destination is 1.2.3.5. (and those
would fail for a different reason... see link above for more) The only
things that should affect connections from internal to outside should be
FORWARD chain rules to let them through, and SNAT or MASQUERADE in nat
POSTROUTING chain to hide their actual source behind the public IP.
(unless you have some other DNAT or REDIRECT rule that affects them, and
the DNAT we're discussing normally would not)
j
> If someone knows the script I'm using and knows what hanging me up
> could you please point out my error, if not, I think I'll eventually
> get it.
>
> TIA
>
> Steve
>
> 1) Don't rememeber if was this list or not about search capacity, but
> I use advanced google (ie add "site:lists.netfilter.org" in the search
> field). hth.
