RE: Using IPTABLES, cannot go to External Interface


 



You don't need to put the External IPs on the eth0 device for the internal machines to be DNATed. What's the reason you have eth0:0 0:1 and 0:2?

	-----Original Message----- 
	From: Deshwal Chand [mailto:CDD@xxxxxxxxxxxxx] 
	Sent: Mon 16-Jun-03 8:51 PM 
	To: 'Cedric Blancher' 
	Cc: Netfilter (E-mail) 
	Subject: RE: Using IPTABLES, cannot go to External Interface
	
	

	Hi 


	The setup is like this 

	I have a RedHat linux with three LAN cards into it. 

	eth0 = Public IP 
	eth0:0 = Public IP 
	eth0:0 - eth0:3 = Public IPs 

	eth1 = Private IP (Internal Net) 
	eth2 = DMZ IPs (Private ones)(Here I have 4 machines with DMZ IPs) 

	DNAT    - Anything entering eth0 (External Interface) looking for eth0:0 - eth0:3 should be DNATted to DMZ IPs. 
	        - Anything entering eth1 (Internal Interface) looking for eth0:0 - eth0:3 should be DNATted to DMZ IPs 
	        - Anything entering eth2 (DMZ Interface) looking for eth0:0 - eth0:3 should be DNATted to DMZ IPs 

	SNAT - Anything going out from (Source eth1 (Internal Net) and (DMZ NET) Destination 0.0.0.0/0 and eth2) should be SNATted --to-source eth0 

	     - Anything from DMZ to Internal should be SNATted to DMZ_IF 

	All the traffic from the External World is able to reach my servers in the DMZ. I mean, if someone has to log on to the web server at eth0:0 port 80, he/she is able to do so.

	But, no one from the INTERNAL NET is able to reach the servers. If I have a machine with an Internal IP Address and want to log onto the web server from within my network, I cannot do so.

	If I access Yahoo.com or any other site, I can do so from within my network using an Internal IP Address. 

	Hope this explains. 






	-----Original Message----- 
	From: Cedric Blancher [mailto:blancher@xxxxxxxxxxxxxxxxxx] 
	Sent: Monday, June 16, 2003 3:46 PM 
	To: Deshwal Chand 
	Cc: Netfilter (E-mail) 
	Subject: Re: Using IPTABLES, cannot go to External Interface 


	On Mon 16/06/2003 at 09:51, Deshwal Chand wrote: 
	> I am running a script for IPTABLES. 
	> I have assigned 3 more IP addresses to my external interface. 
	> eth0 - x.y.z.1 
	> eth0:0 - x.y.z.2 
	> eth0:1 - x.y.z.3 
	> eth0:2 - x.y.z.4 
	> I have SNATed my internal network to eth0. I can do all the things. 
	> But, I cannot reach to any of IP addresses x.y.z.1 - 3. 

	Reach them from where ? SNAT is handled through FORWARD. Local traffic is 
	handled through INPUT and OUTPUT. Maybe there's something to look at 
	there. 

	> Though, I can go to any host in the world, but cannot go directly to 
	> eth0. 

	Can you be a little more explicit in your setup and what you exactly 
	want to do ? 
	      
	-- 
	Cédric Blancher  <blancher@xxxxxxxxxxxxxxxxxx> 
	Systems and network security consultant - Cartel Sécurité 
	Tel: +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99 
	PGP KeyID:157E98EE  FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE 
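As an added illustration (not code from either poster), the rule set below is one way to express the setup Deshwal describes: DMZ servers published on the firewall's secondary public addresses and reachable from eth0, eth1 and eth2 alike. The key points it shows are that the DNAT rule must not be restricted to `-i eth0`, that FORWARD must admit the rewritten traffic, and that the DMZ-to-own-public-IP case needs a masquerade so replies cross the firewall. Interface names are from the thread; the addresses, ports and service assignments are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Generates iptables commands for the
# three-interface firewall described above. Addresses are constructed
# documentation ranges, not the poster's real ones.
EXT_IF=eth0; INT_IF=eth1; DMZ_IF=eth2
EXT_IP=198.51.100.1          # primary address on eth0, used for SNAT
INT_NET=192.168.1.0/24       # behind eth1
DMZ_NET=10.0.2.0/24          # behind eth2

# dnat_rules PUBLIC_IP DMZ_IP PORT: rules for one published service.
# The PREROUTING rule carries no "-i eth0": a packet from eth1 or eth2
# addressed to the public IP must be rewritten as well, otherwise it is
# routed according to its original destination instead of into the DMZ.
dnat_rules() {
  pub=$1; dmz=$2; port=$3
  echo "iptables -t nat -A PREROUTING -d $pub -p tcp --dport $port -j DNAT --to-destination $dmz:$port"
  echo "iptables -A FORWARD -o $DMZ_IF -d $dmz -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
  # Client and server both on eth2: the server's reply would go straight
  # back on the segment without crossing the firewall, so the client sees
  # an answer from an address it never contacted. Masquerading this one
  # flow makes the server reply to the firewall, which undoes the DNAT.
  echo "iptables -t nat -A POSTROUTING -o $DMZ_IF -s $DMZ_NET -d $dmz -p tcp --dport $port -j MASQUERADE"
}

# base_rules: reply traffic and the outbound SNAT the poster describes.
base_rules() {
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $INT_NET -j SNAT --to-source $EXT_IP"
  echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $DMZ_NET -j SNAT --to-source $EXT_IP"
}

# all_rules: complete list; pipe into sh as root on the firewall to apply.
all_rules() {
  base_rules
  dnat_rules 198.51.100.2 10.0.2.10 80   # web server published on eth0:0
  dnat_rules 198.51.100.3 10.0.2.11 25   # mail server published on eth0:1
}

# rule_count PATTERN: how many generated rules match PATTERN (for checks).
rule_count() { all_rules | grep -c -- "$1"; }

if [ "${IPT_APPLY:-0}" = 1 ]; then all_rules | sh; else all_rules; fi
```

Run it without `IPT_APPLY=1` to review the rules before applying them; the FORWARD policy is assumed to be DROP, which is why the explicit ACCEPT for the DNATted flow is needed.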


