Re: Plz i need help.... or i ll be fired :(

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Its not on a different network.. eth1 is directly connected with this network

"John A. Sullivan III" <jsullivan@xxxxxxxxxxxxxxxxxxx> wrote:
What is the default gateway for the laptop? How does it get to
143.233.222.253 since that is on a different network? - John

On Tue, 2005-09-27 at 09:52 -0700, Alaios wrote:
> eth0 Link encap:Ethernet HWaddr
> 00:02:3F:6D:70:3E 
> inet addr:10.2.4.1 Bcast:10.255.255.255 
> Mask:255.0.0.0
> inet6 addr: fe80::202:3fff:fe6d:703e/64
> Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 
> Metric:1
> RX packets:3 errors:0 dropped:0 overruns:0
> frame:0
> TX packets:394 errors:0 dropped:0 overruns:0
> carrier:0
> collisions:0 txqueuelen:1000 
> RX bytes:218 (218.0 b) TX bytes:24983 (24.3
> Kb)
> Interrupt:11 Base address:0x6800 
> 
> eth1 Link encap:Ethernet HWaddr
> 00:02:2D:3B:1D:96 
> inet addr:143.233.222.77 
> Bcast:255.255.255.255 Mask:255.255.255.192
> inet6 addr: fe80::202:2dff:fe3b:1d96/64
> Scope:Link
> UP BROADCAST NOTRAILERS RUNNING MULTICAST 
> MTU:1500 Metric:1
> RX packets:293209 errors:0 dropped:0
> overruns:0 frame:0
> TX packets:74 errors:0 dropped:0 overruns:0
> carrier:0
> collisions:0 txqueuelen:1000 
> RX bytes:364527709 (347.6 Mb) TX
> bytes:19400 (18.9 Kb)
> Interrupt:3 Base address:0x100 
> 
> lo Link encap:Local Loopback 
> inet addr:127.0.0.1 Mask:255.0.0.0
> inet6 addr: ::1/128 Scope:Host
> UP LOOPBACK RUNNING MTU:16436 Metric:1
> RX packets:54 errors:0 dropped:0 overruns:0
> frame:0
> TX packets:54 errors:0 dropped:0 overruns:0
> carrier:0
> collisions:0 txqueuelen:0 
> RX bytes:3528 (3.4 Kb) TX bytes:3528 (3.4
> Kb)
> 
> Kernel IP routing table
> Destination Gateway Genmask Flags
> Metric Ref Use Iface
> 143.233.222.64 0.0.0.0 255.255.255.192 U 
> 0 0 0 eth1
> 10.0.0.0 0.0.0.0 255.0.0.0 U 
> 0 0 0 eth0
> 127.0.0.0 0.0.0.0 255.0.0.0 U 
> 0 0 0 lo
> 
> 
> 
> --- Edmundo Carmona wrote:
> 
> > Remove the UDP/port from the rule, that will allow
> > you to PING the
> > box, and the inner box should respond.
> > 
> > Anyway, let's go to the basics... what is the output
> > of
> > 
> > ifconfig
> > route -n
> > 
> > ??
> > 
> > On 9/27/05, Alaios wrote:
> > > I have done absolutely what u have said.. I have
> > > rechecked the source port and destination and are
> > the
> > > same.... The programme is a packet generator that
> > > creates bulk data. We use it to test oure
> > network....
> > > I have applied your commands but with a little
> > changes
> > > iptables -nat -A PREROUTING -i eth1 -d
> > 143.233.222.77
> > > -p udp --destination-port 22453 -j DNAT
> > > --to-destination 10.2.4.1:22453
> > > My problem is that still i cant see any packages
> > in
> > > the eth0 interface.. What know what else should i
> > do
> > > now
> > >
> > > --- "John A. Sullivan III"
> > > wrote:
> > >
> > > > It sounds like you really need to learn the
> > basics.
> > > > I would suggest you
> > > > go through the links I mentioned below. What
> > > > exactly do you want to do?
> > > >
> > > > It sounds like you want traffic coming in from
> > > > 143.233.222.253 on tcp
> > > > destination port 22453 (are you sure this is the
> > > > destination port and
> > > > not the source port?????) on the laptop
> > interface
> > > > eth1 with IP address
> > > > 143.233.222.77 to be sent to 10.2.4.1 on the
> > eth0
> > > > interface. I am
> > > > assuming that 143.233.222.77 and 143.233.222.253
> > are
> > > > on the same
> > > > network, i.e., the subnet mask is 255.255.255.0
> > or
> > > > less. I also
> > > > assuming that you have enabled forwarding as you
> > > > said you did.
> > > >
> > > > Then you would do something like:
> > > >
> > > > iptables -F
> > > > iptables -t nat -F
> > > > iptables -P FORWARD DROP
> > > > iptables -t nat -P ACCEPT
> > > > iptables -t nat -A PREROUTING -i eth1 -d
> > > > 143.233.222.77 --dport 22453 -j
> > > > DNAT --to-destination 10.2.4.1:22453
> > > > iptables -A FORWARD -m state --state
> > > > ESTABLISHED,RELATED -j ACCEPT
> > > > iptables -A FORWARD -s 143.233.222.253 -d
> > 10.2.4.1
> > > > -p 6 --dport 22453 -j
> > > > ACCEPT
> > > >
> > > > I have a sneaking suspicion that 22453 is not
> > the
> > > > destination port.
> > > > What service is 10.2.4.1 providing to
> > > > 143.233.222.253?
> > > >
> > > > I'm afraid I'm running out of time today. I
> > > > probably cannot help much
> > > > more. I'm sure someone else can jump in. Take
> > care
> > > > - John
> > > >
> > > > On Tue, 2005-09-27 at 08:40 -0700, Alaios wrote:
> > > > > My complete rule set??? Hm... there is nothing
> > > > like
> > > > > that... I work to a solution for 4-5 hours and
> > > > still
> > > > > havent finded any iptable rule to work.. in my
> > pc
> > > > i
> > > > > dont have any ip rules loaded at all nor a
> > > > firewall
> > > > > applied.. I just want to do only this to
> > work.. Do
> > > > u
> > > > > have anything else in mind plz?
> > > > >
> > > > > --- "John A. Sullivan III"
> > > > > wrote:
> > > > >
> > > > > > I made some assumptions about other rules
> > you
> > > > would
> > > > > > have had in place.
> > > > > > I believe someone else posted a much more
> > > > thorough
> > > > > > answer. Did you
> > > > > > create an ESTABLISHED,RELATED rule as that
> > other
> > > > > > post suggested?
> > > > > >
> > > > > > Would you mind posting your complete rule
> > set
> > > > (with
> > > > > > any sensitive
> > > > > > information edited, of course)? - John
> > > > > >
> > > > > > On Tue, 2005-09-27 at 08:30 -0700, Alaios
> > wrote:
> > > > > > > Thx for your quick reply..... i have just
> > > > tested
> > > > > > but
> > > > > > > it didnt work... I think that i cant
> > explain
> > > > what
> > > > > > i
> > > > > > > need or i am doing sth wrong..
> > > > > > > i have enabled the packets loging
> > > > > > > so executing dmesg prints the following
> > > > > > > IN=eth1 OUT= MAC=(the mac addresses)
> > > > > > > As u can see the OUT is null which means
> > thats
> > > > > > perhaps
> > > > > > > the problem... What do u have in mind?
> > > > > > >
> > > > > > > --- "John A. Sullivan III"
> > > > > > > wrote:
> > > > > > >
> > > > > > > > On Tue, 2005-09-27 at 11:14 -0400, John
> > A.
> > > > > > Sullivan
> > > > > > > > III wrote:
> > > > > > > > > On Tue, 2005-09-27 at 07:57 -0700,
> > Alaios
> > > > > > wrote:
> > > > > > > > > > Hi plz take a look at the following
> > > > example
> > > > > > > > > >
> > > > > > > > > > The laptop has 2 ethernet interfaces
> > > > > > > > > > To eth1 comes traffic from src
> > > > > > 143.233.222.253
> > > > > > > > > > The eth0 has ip address 10.2.4.2 and
> > it
> > > > is
> > > > > > > > connected
> > > > > > > > > > back to back with eth1 of other pc
> > with
> > > > ip
> > > > > > > > address
> > > > > > > > > > 10.2.4.1
> > > > > > > > > > I want to forward the traffic with
> > src
> > > > > > > > 143.233.222.253
> > > > > > > > > > to the 10.2.4.1 pc and if it works i
> > > > will
> > > > > > redo
> > > > > > > > this
> > > > > > > > > > for a second pc so as to l send the
> > > > traffic
> > > > > > to a
> > > > > > > > third
> > > > > > > > > > on.
> > > > > > > > > > Can u help me plz?
> > > > > > > > > >
> > > > > > > > > > I have tried this one
> > > > > > > > > > iptables -t nat -A PREROUTING -i
> > eth1 -s
> > > > > > > > > > 143.233.222.253 -j DNAT
> > --to-destination
> > > > > > > > 10.2.4.1
> > > > > > > > > > i have also set the
> > > > > > > > > > /proc/sys/net/ipv4/ip_forward to 1
> > > > > > > > > > but still i cant see any trafiic to
> > eth0
> > > > > > > > interface (ip
> > > > > > > > > > 10.2.4.2)
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > I have also tested this one
> > > > > > > > > > iptables -t nat -A PREROUTING -p tcp
> > -d
> > > > > > > > 143.233.222.77
> > > > > > > > > > (laptop eth1 card) --dport 22453 (i
> > have
> > > > > > cheched
> > > > > > > > dst
> > > > > > > > > > port with tcpdump) 00 -j DNAT
> > > > > > --to-destination
> > > > > > > > > > 10.2.4.1
> > > > > > > > > > this still doesnt work
> > > > > > > > > > Every time i try to apply a new rule
> > i
> > > > use
> > > > > > first
> > > > > > > > > > the iptables -F
> > > > > > > > > > iptables -t nat -F command
> > > > > > > > > 
> > > > > > > > >
> > > > > > > > > I'm a little confused about what you
> > are
> > > > > > doing. I
> > > > > > > > would normally refer
> > > > > > > > > you to Oskar Andreasson's excellent
> > > > tutorial
> > > > > > at
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html
> > > > > > > > or the
> > > > > > > > > training slides on the ISCS web site
> > > > > > > > (http://iscs.sourceforge.net) but,
> > > > > > > > > since it appears that you have an
> > > > emergency,
> > > > > > here
> > > > > > > > goes:
> > > > > > > > >
> > > > > > > > > First, if the source is
> > 143.233.222.253,
> > > > you
> > > > > > would
> > > > > > > > not want to DNAT it.
> > > > > > > > > DNAT changes the destination. Thus,
> > your
> > > > > > second
> > > > > > > > attempt is the correct
> > > > > > > > > one. You might want to lock the
> > > > destination
> > > > > > port
> > > > > > > > - it's not likely to
> > > > > > > > > be a problem but, if it ever is, it
> > will
> > > > be
> > > > > > one of
> > > > > > > > those really hard to
> > > > > > > > > diagnose, sporadic problems:
> > > > > > > > > -j DNAT --to-destination
> > 10.2.4.1:22453
> > > > > > > > >
> > > > > > > > > Second, this only takes care of the
> > > > > > addressing.
> > > > > > > > You must still allow
> > > > > > > > > the traffic in the FORWARD chain of
> > the
> > > > filter
> > > > > > > > table, e.g.,
> > > > > > > > >
> > > > > > > > > iptables -A FORWARD -d 10.2.4.1 -p 6
> > > > --dport
> > > > > > 22453
> > > > > > > > -j ACCEPT
> > > > > > > > >
> > > > > > > > > Hope this helps - John
> > > > > > > >
> > > > > > > > Oh, yes, you wanted to restrict the
> > source
> > > > > > address.
> > > > > > > > Add that to your
> > > > > > > > filter table rule:
> > > > > > > > iptables -A FORWARD -s 143.233.222.253
> > -d
> > > > > > 10.2.4.1
> > > > > > > > -p 6 --dport 22453 -j
> > > > > > > > ACCEPT
> > > > > > > > --
> > > > > > > > John A. Sullivan III
> > > > > > > > Open Source Development Corporation
> > > > > > > > +1 207-985-7880
> > > > > > > > jsullivan@xxxxxxxxxxxxxxxxxxx
> > > > > > > >
> > > > > > > > If you would like to participate in the
> > > > > > development
> > > > > > > > of an open source
> > > > > > > > enterprise class network security
> > management
> > > > > > system,
> > > > > > > > please visit
> > > > > > > > http://iscs.sourceforge.net
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > >
> > __________________________________________________
> > > > > > > Do You Yahoo!?
> > > > > > > Tired of spam? Yahoo! Mail has the best
> > spam
> > > > > > protection around
> > > > > > > http://mail.yahoo.com
> > > > > > --
> > > > > > John A. Sullivan III
> > > > > > Open Source Development Corporation
> > > > > > +1 207-985-7880
> > > > > > jsullivan@xxxxxxxxxxxxxxxxxxx
> > > > > >
> > > > > > Financially sustainable open source
> > development
> > > > > > http://www.opensourcedevel.com
> > > > > >
> > > > > >
> > > > >
> > > > >
> > __________________________________________________
> > > > > Do You Yahoo!?
> > > > > Tired of spam? Yahoo! Mail has the best spam
> > > > protection around
> > > > > http://mail.yahoo.com
> > > > --
> > > > John A. Sullivan III
> > > > Open Source Development Corporation
> > > > +1 207-985-7880
> > > > jsullivan@xxxxxxxxxxxxxxxxxxx
> > > >
> > > > Financially sustainable open source development
> > > > http://www.opensourcedevel.com
> > > >
> > > >
> > >
> > >
> > >
> > >
> > > __________________________________
> > > Yahoo! Mail - PC Magazine Editors' Choice 2005
> > > http://mail.yahoo.com
> > >
> > >
> > 
> > 
> 
> 
> 
> 
> __________________________________ 
> Yahoo! Mail - PC Magazine Editors' Choice 2005 
> http://mail.yahoo.com
> 
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@xxxxxxxxxxxxxxxxxxx

Financially sustainable open source development
http://www.opensourcedevel.com



__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux