
List:       netfilter
Subject:    Re: a few questions
From:       Jeremy Hansen <jeremy () xxedgexx ! com>
Date:       1999-11-29 4:50:02


Hi!  Thank you very much for the reply.

Really hit didn't seem to work for me.  Let me give you an example of my
routing info and perhaps this will help:

Firewall machine:

fire:~# ip route
10.0.0.254 dev eth1  scope link 
1.2.3.64/27 dev eth0  proto kernel  scope link  src 1.2.3.94 
10.0.0.0/24 dev eth1  proto kernel  scope link  src 1.2.3.94 
127.0.0.0/8 dev lo  scope link 
default via 1.2.3.65 dev eth0

Client machine:

[root@web /root]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         10.0.0.254      0.0.0.0         UG    0      0        0 eth0

Also, the other example:

ipnatctl -I -d 10.0.0.4 -s 10.0.0.0/24 -i eth1 -p tcp --dport 80 -b source -m masquerade

didn't seem to work because of an incompatibility using -b and -i
together, but this *did* seem to work:

ipnatctl -I -d 1.2.3.66 -s 10.0.0.0/24 -p tcp --dport 80 -b source -m masquerade

It does what I want on all the client hosts.  It doesn't work when I'm
actually *on* the firewall.  

Thanks for your help!
-jeremy

> What do you want to happen when 10.0.0.4 tries to go to 1.2.3.6:25?
> Do you want it to really hit 1.2.3.6's port, or come back to itself? 
> 
> [Note: untested examples ahead.]
> 
> Really hit: (tell it not to map those connections).
> 
> 	ipnatctl -I -d 10.0.0.0/24 -s 10.0.0.0/24 -b dest -m null
> OR
> 	Specify -i eth0 in your ipnatctl -b dest rules.
> 
> Come back: (need to masquerade those packets coming from inside which
> 	have destination altered as above):
> 
> 	ipnatctl -I -d 10.0.0.4 -s 10.0.0.0/24 -i eth1 -p tcp --dport 80 -b source -m masquerade
> 	ipnatctl -I -d 10.0.0.10 -s 10.0.0.0/24 -i eth1 -p tcp --dport 25 -b source -m masquerade
> 	ipnatctl -I -d 10.0.0.10 -s 10.0.0.0/24 -i eth1 -p tcp --dport 110 -b source -m masquerade
> 	ipnatctl -I -d 10.0.0.4 -s 10.0.0.0/24 -i eth1 -p tcp --dport 25 -b source -m masquerade
> 
> > Thanks.  Sorry, this is beginner material.  The docs seem incomplete in
> > the examples area.
> 
> You're right, they are.  This is a classic case which should be
> well documented...
> 
> Rusty.
> --
> Hacking time.
> 
> 


http://www.xxedgexx.com | jeremy@xxedgexx.com
---------------------------------------------
Y2K.  We're all gonna die.
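The forward and reply paths that the two `-b dest` / `-b source` rules above are about, as an added Python model (not code from the thread or from netfilter): it assumes 1.2.3.66 is the public address mapped to the web server 10.0.0.4:80 and that the firewall's inside address is 10.0.0.254, the clients' default gateway. It shows why DNAT alone breaks for clients on the same LAN as the server while the added source masquerade makes the reply return through the firewall.

```python
from dataclasses import dataclass, replace

# Addresses taken from the thread; the 1.2.3.66 -> 10.0.0.4:80 mapping is assumed.
FW_INSIDE = "10.0.0.254"    # firewall eth1 address, the clients' default gateway
PUBLIC = "1.2.3.66"         # public address that "-b dest" maps to the web server
WEB = "10.0.0.4"            # internal web server
LAN = "10.0.0."             # 10.0.0.0/24


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str


def inside(addr: str) -> bool:
    return addr.startswith(LAN)


def hairpin(client: str, mode: str) -> tuple:
    """Trace client -> PUBLIC:80 through the firewall and the server's reply.

    mode: "dnat"  destination NAT only
          "masq"  DNAT plus the 'come back' source masquerade for inside->inside
    Returns (reply source as seen by the client, connection consistent?).
    """
    pkt = Pkt(client, PUBLIC)
    fwd = replace(pkt, dst=WEB)                 # "-b dest": 1.2.3.66 -> 10.0.0.4
    if mode == "masq" and inside(fwd.src) and inside(fwd.dst):
        fwd = replace(fwd, src=FW_INSIDE)       # "-b source -m masquerade"
    reply = Pkt(fwd.dst, fwd.src)               # server answers whoever it saw
    if reply.dst == FW_INSIDE or not inside(reply.dst):
        # reply is routed via the firewall, which reverses both mappings
        reply = Pkt(PUBLIC, client)
    # otherwise server and client share the LAN: the reply goes straight to the
    # client with source 10.0.0.4 and never passes the firewall's NAT table
    return reply.src, reply == Pkt(PUBLIC, client)
```

The client expects its reply from 1.2.3.66; a reply arriving directly from 10.0.0.4 matches no connection it opened, which is the failure the "come back" masquerade rule avoids.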
