List: netfilter
Subject: Re: a few questions
From: Jeremy Hansen <jeremy () xxedgexx ! com>
Date: 1999-11-29 4:50:02
Hi! Thank you very much for the reply.
"Really hit" didn't seem to work for me. Let me give you an example of my
routing info and perhaps this will help:
Firewall machine:
fire:~# ip route
10.0.0.254 dev eth1 scope link
1.2.3.64/27 dev eth0 proto kernel scope link src 1.2.3.94
10.0.0.0/24 dev eth1 proto kernel scope link src 1.2.3.94
127.0.0.0/8 dev lo scope link
default via 1.2.3.65 dev eth0
Client machine:
[root@web /root]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 10.0.0.254 0.0.0.0 UG 0 0 0 eth0
Also, the other example:
ipnatctl -I -d 10.0.0.4 -s 10.0.0.0/24 -i eth1 -p tcp --dport 80 -b source -m masquerade
didn't seem to work because of an incompatibility using -b and -i
together, but this *did* seem to work:
ipnatctl -I -d 1.2.3.66 -s 10.0.0.0/24 -p tcp --dport 80 -b source -m masquerade
It does what I want on all the client hosts. It doesn't work when I'm
actually *on* the firewall.
Thanks for your help!
-jeremy
> What do you want to happen when 10.0.0.4 tries to go to 1.2.3.6:25?
> Do you want it to really hit 1.2.3.6's port, or come back to itself?
>
> [Note: untested examples ahead.]
>
> Really hit: (tell it not to map those connections).
>
> ipnatctl -I -d 10.0.0.0/24 -s 10.0.0.0/24 -b dest -m null
> OR
> Specify -i eth0 in your ipnatctl -b dest rules.
>
> Come back: (need to masquerade those packets coming from inside which
> have destination altered as above):
>
> ipnatctl -I -d 10.0.0.4 -s 10.0.0.0/24 -i eth1 -p tcp --dport 80 -b source -m masquerade
> ipnatctl -I -d 10.0.0.10 -s 10.0.0.0/24 -i eth1 -p tcp --dport 25 -b source -m masquerade
> ipnatctl -I -d 10.0.0.10 -s 10.0.0.0/24 -i eth1 -p tcp --dport 110 -b source -m masquerade
> ipnatctl -I -d 10.0.0.4 -s 10.0.0.0/24 -i eth1 -p tcp --dport 25 -b source -m masquerade
>
> > Thanks. Sorry, this is beginner material. The docs seem incomplete in
> > the examples area.
>
> You're right, they are. This is a classic case which should be
> well documented...
>
> Rusty.
> --
> Hacking time.
>
>
http://www.xxedgexx.com | jeremy@xxedgexx.com
---------------------------------------------
Y2K. We're all gonna die.
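As an added illustration of why Rusty's "come back" case needs the source-masquerade rules (this is not code from the thread, and the rule semantics below are a deliberately simplified model of a forwarding NAT box, not ipnatctl's or netfilter's real tables): the script uses the thread's own addresses (client 10.0.0.2, firewall 10.0.0.254 on the LAN and 1.2.3.66 outside, web server 10.0.0.4); the external client 5.6.7.8 and the port numbers are constructed. With destination NAT alone, the server's reply to a LAN client is addressed to an on-link host, so it goes straight back across the LAN without touching the firewall, and the client receives a reply from 10.0.0.4 instead of from the 1.2.3.66 it connected to. Masquerading the source forces the reply back through the firewall, which can then undo both translations. An external client never has this problem, since its address is off-link for the server. The "on the firewall itself" case from the thread is not modelled.

```python
"""Model of 'hairpin' NAT: a LAN client reaching an internal server through the
firewall's public address.  Constructed example with simplified rule semantics."""
from dataclasses import dataclass, replace
import ipaddress

# Addresses taken from the thread; 5.6.7.8 and the ports are constructed.
FW_PUBLIC = "1.2.3.66"     # public address the client connects to
FW_LAN = "10.0.0.254"      # firewall's LAN address (clients' default gateway)
SERVER = "10.0.0.4"        # internal web server
LAN_CLIENT = "10.0.0.2"
EXTERNAL_CLIENT = "5.6.7.8"  # constructed, off-link address
LAN = ipaddress.ip_network("10.0.0.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class Firewall:
    """Forwarding NAT box: DNAT FW_PUBLIC:80 -> SERVER, optionally masquerading
    the source of LAN clients so the server's reply comes back through us."""

    def __init__(self, masquerade_hairpin: bool):
        self.masquerade_hairpin = masquerade_hairpin
        # translated 4-tuple -> original packet, so replies can be un-NATed
        self.conntrack = {}

    def forward(self, pkt: Packet) -> Packet:
        orig = pkt
        if pkt.dst == FW_PUBLIC and pkt.dport == 80:
            pkt = replace(pkt, dst=SERVER)                       # destination NAT
            if self.masquerade_hairpin and ipaddress.ip_address(pkt.src) in LAN:
                pkt = replace(pkt, src=FW_LAN)                   # source masquerade
        self.conntrack[(pkt.src, pkt.dst, pkt.sport, pkt.dport)] = orig
        return pkt

    def reverse(self, reply: Packet):
        """Undo the translation for a reply that reached the firewall, if any."""
        orig = self.conntrack.get((reply.dst, reply.src, reply.dport, reply.sport))
        if orig is None:
            return None
        return Packet(src=orig.dst, dst=orig.src, sport=orig.dport, dport=orig.sport)


def reply_reaches_firewall(reply: Packet) -> bool:
    """Per the thread's routes, 10.0.0.0/24 is on-link for the server, so a reply
    only passes the firewall if it is addressed to it or to an off-link host."""
    return reply.dst == FW_LAN or ipaddress.ip_address(reply.dst) not in LAN


def simulate(masquerade_hairpin: bool, client: str = LAN_CLIENT) -> dict:
    fw = Firewall(masquerade_hairpin)
    translated = fw.forward(Packet(client, FW_PUBLIC, 40000, 80))
    # The server answers whatever source address it saw.
    reply = Packet(src=translated.dst, dst=translated.src,
                   sport=80, dport=translated.sport)
    if not reply_reaches_firewall(reply):
        # Direct LAN reply: the client expected 1.2.3.66 and gets 10.0.0.4.
        return {"via_firewall": False, "client_sees": reply.src}
    back = fw.reverse(reply)
    return {"via_firewall": True, "client_sees": back.src}


def connection_works(result: dict) -> bool:
    """The client only accepts a reply from the address it connected to."""
    return result["client_sees"] == FW_PUBLIC


if __name__ == "__main__":
    for label, res in [("LAN client, DNAT only", simulate(False)),
                       ("LAN client, DNAT + masquerade", simulate(True)),
                       ("external client, DNAT only", simulate(False, EXTERNAL_CLIENT))]:
        print(f"{label}: {res} -> {'works' if connection_works(res) else 'fails'}")
```

Running it prints one line per scenario; only the LAN client without masquerade fails, which is the case the thread's `-b source -m masquerade` rules exist to fix.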