RE: Using IPTABLES, cannot go to External Interface

I have services running on 2 machines.

One for DNS and SMTP, which is DNS for our domain. 2nd is a Web Server. External IPs are placed on eth0 for the external traffic to be routed for these machines. The DNS server maintains the IP address of Web Server.

To enable the router to send traffic for eth0:1..., they have been put on eth0.

 

 

Regards,

Chand Deshwal (M.Tech CS&E, MCSE, CCNA)        

-----Original Message-----
From: George Vieira [mailto:georgev@xxxxxxxxxxxxxxxxxxxxxx]
Sent: Monday, June 16, 2003 7:16 PM
Cc: Netfilter (E-mail)
Subject: RE: Using IPTABLES, cannot go to External Interface


You don't need to put the External IPs on the eth0 device for the internal machines to be DNATed. What's the reason you have eth0:0 0:1 and 0:2?

        -----Original Message-----
        From: Deshwal Chand [mailto:CDD@xxxxxxxxxxxxx]
        Sent: Mon 16-Jun-03 8:51 PM
        To: 'Cedric Blancher'
        Cc: Netfilter (E-mail)
        Subject: RE: Using IPTABLES, cannot go to External Interface
       
       

        HI


        The setup is like this

        I have a RedHat linux with three LAN cards into it.

        eth0 = Public IP
        eth0:0 = Public IP
        eth0:0 - eth0:3 = Public IPs

        eth1 = Private IP (Internal Net)
        eth2 = DMZ IPs (Private ones)(Here I have 4 machines with DMZ IPs)

        DNAT    - Anything entering to eth0 (External Interface) looking for eth0:0 - eth0:3 should be DNATted to DMZ IPs.

                - Anything entering to eth1 (Internal Interface) looking for eth0:0 - eth0:3 should be DNATted to DMZ IPs

                - Anything entering to eth2 (DMZ Interface) looking for eth0:0 - eth0:3 should be DNATted to DMZ IPs

        SNAT    - Anything going out from (Source eth1 (Internal Net) and (DMZ NET) Destination 0.0.0.0/0 and eth2) should be SNATted --to-source eth0

                - Anything from DMZ to Internal should be SNATted to DMZ_IF

        All the traffic from the External World is able to reach my servers in the DMZ. I mean, if someone has to log on to the web server at eth0:0 port 80, he/she is able to do so.

        But, no one from INTERNAL NET is able to reach the servers. If I have a machine with an Internal IP Address and want to log onto the web server from within my network, I cannot do so.

        If I access Yahoo.com or any other site, I can do so from within my network using an Internal IP Address.

        Hope this explains.






        -----Original Message-----
        From: Cedric Blancher [mailto:blancher@xxxxxxxxxxxxxxxxxx]
        Sent: Monday, June 16, 2003 3:46 PM
        To: Deshwal Chand
        Cc: Netfilter (E-mail)
        Subject: Re: Using IPTABLES, cannot go to External Interface


        On Mon 16/06/2003 at 09:51, Deshwal Chand wrote:
        > I am running a script for IPTABLES.
        > I have assigned 3 more IP addresses to my external interface.
        > eth0 - x.y.z.1
        > eth0:0 - x.y.z.2
        > eth0:1 - x.y.z.3
        > eth0:2 - x.y.z.4
        > I have SNATed my internal network to eth0. I can do all the things.
        > But, I cannot reach to any of IP addresses x.y.z.1 - 3.

        Reach them from where? SNAT is handled through FORWARD. Local traffic is
        handled through INPUT and OUTPUT. Maybe there's something to look at
        there.

        > Though, I can go to any host in the world, but cannot go directly to
        > eth0.

        Can you be a little more explicit in your setup and what you exactly
        want to do?
             
        --
        Cédric Blancher  <blancher@xxxxxxxxxxxxxxxxxx>
        Systems and network security consultant - Cartel Sécurité
        Tel: +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
        PGP KeyID:157E98EE  FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
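The DNAT/SNAT layout described in the quoted message, written out as an iptables ruleset. This is an added example, not a script from the thread: the addresses, ranges and service ports are constructed placeholders, and the nat OUTPUT and FORWARD rules are included to cover the local-traffic and forwarding-path points Cedric raises.

```shell
# Added example: rules for the three-interface layout described in the thread.
# All addresses are constructed placeholders (RFC 5737 / RFC 1918), not the poster's.
EXT_IF=eth0; INT_IF=eth1; DMZ_IF=eth2
EXT_IP=203.0.113.1        # primary address of eth0, SNAT source for outbound traffic
INT_NET=192.168.1.0/24    # assumed internal range behind eth1
INT_GW=192.168.1.1        # assumed firewall address on eth1
DMZ_NET=10.0.0.0/24       # assumed DMZ range behind eth2
# public address (the thread's eth0:0 .. eth0:2 aliases) -> DMZ host published under it
MAPPINGS="203.0.113.2:10.0.0.2 203.0.113.3:10.0.0.3 203.0.113.4:10.0.0.4"
DMZ_TCP_PORTS=25,53,80    # SMTP, DNS and HTTP: the services the thread mentions

dnat_rules() {
  for pair in $MAPPINGS; do
    pub=${pair%%:*}; dmz=${pair##*:}
    # Match on every interface so internal and DMZ clients using the public
    # address are rewritten exactly like Internet clients (the thread's three DNAT cases).
    for ifc in "$EXT_IF" "$INT_IF" "$DMZ_IF"; do
      iptables -t nat -A PREROUTING -i "$ifc" -d "$pub" -j DNAT --to-destination "$dmz"
    done
    # Connections from the firewall itself never traverse PREROUTING (Cedric's
    # INPUT/OUTPUT point); they need the same rewrite in the nat OUTPUT chain.
    iptables -t nat -A OUTPUT -d "$pub" -j DNAT --to-destination "$dmz"
  done
}

snat_rules() {
  # Internal and DMZ hosts reach the Internet with eth0's primary address.
  iptables -t nat -A POSTROUTING -s "$INT_NET" -o "$EXT_IF" -j SNAT --to-source "$EXT_IP"
  iptables -t nat -A POSTROUTING -s "$DMZ_NET" -o "$EXT_IF" -j SNAT --to-source "$EXT_IP"
  # DMZ -> internal is rewritten to the firewall's own address on the egress
  # interface, so replies are routed back through the firewall and un-NATed.
  iptables -t nat -A POSTROUTING -s "$DMZ_NET" -o "$INT_IF" -j SNAT --to-source "$INT_GW"
}

forward_rules() {
  # NAT only rewrites addresses; FORWARD must still admit the flow, and it sees
  # the post-DNAT destination, so filter on the DMZ address, not the public one.
  iptables -P FORWARD DROP
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  for pair in $MAPPINGS; do
    iptables -A FORWARD -o "$DMZ_IF" -d "${pair##*:}" -p tcp -m multiport --dports "$DMZ_TCP_PORTS" \
      -m state --state NEW -j ACCEPT
    iptables -A FORWARD -o "$DMZ_IF" -d "${pair##*:}" -p udp --dport 53 -j ACCEPT
  done
  iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -m state --state NEW -j ACCEPT
  iptables -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -m state --state NEW -j ACCEPT
}

# Apply only when run as "sh nat.sh apply" (needs root); otherwise just define the functions.
if [ "${1:-}" = "apply" ]; then dnat_rules; snat_rules; forward_rules; fi
```

To review the generated rules without touching the kernel, define `iptables() { echo "iptables $*"; }` in the shell before calling the functions; once applied, `iptables -t nat -L -v -n` shows per-rule packet counters, which tells you whether the DNAT rule for the internal interface is seeing any traffic at all.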

