I have service running on 2 machines.
One for DNS and SMTP, which is DNS for our domain. The 2nd is a Web Server. External IPs are placed on eth0 for the external traffic to be routed to these machines. The DNS server maintains the IP address of the Web Server.
To enable the router to send traffic for eth0:1..., they have been put on eth0.
Regards,
Chand Deshwal (M.Tech CS&E, MCSE, CCNA)
-----Original Message-----
From: George Vieira [mailto:georgev@xxxxxxxxxxxxxxxxxxxxxx]
Sent: Monday, June 16, 2003 7:16 PM
Cc: Netfilter (E-mail)
Subject: RE: Using IPTABLES, cannot go to External Interface
You don't need to put the External IPs on the eth0 device for the internal machines to be DNATed. What's the reason you have eth0:0 0:1 and 0:2?
-----Original Message-----
From: Deshwal Chand [mailto:CDD@xxxxxxxxxxxxx]
Sent: Mon 16-Jun-03 8:51 PM
To: 'Cedric Blancher'
Cc: Netfilter (E-mail)
Subject: RE: Using IPTABLES, cannot go to External Interface
Hi
The setup is like this:
I have a RedHat linux with three LAN cards into it.
eth0 = Public IP
eth0:0 = Public IP
eth0:0 - eth0:3 = Public IPs
eth1 = Private IP (Internal Net)
eth2 = DMZ IPs (Private ones)(Here I have 4 machines with DMZ IPs)
DNAT - Anything entering eth0 (External Interface) looking for eth0:0 - eth0:3 should be DNATted to DMZ IPs.
- Anything entering eth1 (Internal Interface) looking for eth0:0 - eth0:3 should be DNATted to DMZ IPs
- Anything entering eth2 (DMZ Interface) looking for eth0:0 - eth0:3 should be DNATted to DMZ IPs
SNAT - Anything going out from (Source eth1 (Internal Net) and (DMZ NET) Destination 0.0.0.0/0 and eth2) should be SNATted --to-source eth0
- Anything from DMZ to Internal should be SNATted to DMZ_IF
All the traffic from the External World is able to reach my servers in the DMZ. I mean, if someone has to log on to the web server at eth0:0 port 80, he/she is able to do so.
But, no one from the INTERNAL NET is able to reach the servers. If I have a machine with an Internal IP Address and want to log onto the web server from within my network, I cannot do so.
If I access Yahoo.com or any other site, I can do so from within my network using an Internal IP Address.
Hope this explains.
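The DNAT/SNAT policy described in this message, written out as an added example rule generator (not the poster's own script): the public addresses are the thread's x.y.z.N placeholders, while the internal net 192.168.1.0/24, the DMZ net 192.168.2.0/24 and the public-to-DMZ mapping are constructed for the example. The DNAT rule is matched on destination address rather than on `-i eth0`, so it also applies to packets arriving from eth1 and eth2, which is the internal-to-DMZ case the message asks about.

```shell
#!/bin/sh
# Added example for the thread's three-interface setup (not the poster's script).
# x.y.z.N are the thread's placeholders; the private subnets and the
# public->DMZ mapping below are constructed for this example.
EXT_IF=eth0; INT_IF=eth1; DMZ_IF=eth2
INT_NET=192.168.1.0/24
DMZ_NET=192.168.2.0/24
EXT_ADDR=x.y.z.1                       # primary address on eth0

# "public IP -> DMZ host" pairs, one per line (constructed mapping)
NAT_MAP="x.y.z.2 192.168.2.2
x.y.z.3 192.168.2.3
x.y.z.4 192.168.2.4"

# Print each rule instead of applying it; APPLY=1 pipes the output to sh.
ipt() { printf 'iptables %s\n' "$*"; }

gen_rules() {
    ipt -t nat -F; ipt -F FORWARD
    ipt -P FORWARD DROP
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    echo "$NAT_MAP" | while read -r pub dmz; do
        # Match on the destination address only. A DNAT rule restricted with
        # "-i eth0" never sees packets that enter on eth1 or eth2, so internal
        # hosts asking for the public IP would not be translated.
        ipt -t nat -A PREROUTING -d "$pub" -j DNAT --to-destination "$dmz"
        ipt -A FORWARD -d "$dmz" -m state --state NEW -j ACCEPT
    done

    # Internal net may open connections outward and into the DMZ; replies from
    # DMZ hosts route back through this box (different subnet) and are un-DNATted
    # by conntrack, so no extra hairpin SNAT is needed for that path.
    ipt -A FORWARD -i "$INT_IF" -s "$INT_NET" -j ACCEPT
    # Internal and DMZ hosts leaving on eth0 appear as the primary public IP
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j SNAT --to-source "$EXT_ADDR"
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$DMZ_NET" -j SNAT --to-source "$EXT_ADDR"
}

# Number of DNAT rules the generator emits (sanity check for the mapping).
count_dnat() { gen_rules | grep -c -- '-j DNAT'; }

if [ "${APPLY:-0}" = 1 ]; then gen_rules | sh; else gen_rules; fi
```

Substitute real addresses for the x.y.z placeholders before running with APPLY=1; without it the script only prints the rules for review.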
-----Original Message-----
From: Cedric Blancher [mailto:blancher@xxxxxxxxxxxxxxxxxx]
Sent: Monday, June 16, 2003 3:46 PM
To: Deshwal Chand
Cc: Netfilter (E-mail)
Subject: Re: Using IPTABLES, cannot go to External Interface
On Mon 16/06/2003 at 09:51, Deshwal Chand wrote:
> I am running a script for IPTABLES.
> I have assigned 3 more IP addresses to my external interface.
> eth0 - x.y.z.1
> eth0:0 - x.y.z.2
> eth0:1 - x.y.z.3
> eth0:2 - x.y.z.4
> I have SNATed my internal network to eth0. I can do all the things.
> But, I cannot reach to any of IP addresses x.y.z.1 - 3.
Reach them from where? SNAT is handled through FORWARD. Local traffic is
handled through INPUT and OUTPUT. Maybe there's something to look at
there.
> Though, I can go to any host in the world, but cannot go directly to
> eth0.
Can you be a little more explicit about your setup and what you exactly
want to do?
--
Cédric Blancher <blancher@xxxxxxxxxxxxxxxxxx>
Systems and network security consultant - Cartel Sécurité
Tel: +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE