02-13-2012, 07:33 PM
Joe Zeff
iptables? issue

On 02/13/2012 11:34 AM, nullv@gmx.com wrote:
> I'm hoping that you can point out what I'm missing here. I have a server
> (router0) with a public IP 41.123.234.74/29 that's using an internet
> modem 41.123.234.73/29 as a gateway.

If I'm not mistaken, an IP address with a /XX at the end is used to
define a *range* of addresses, not a single address. You'd use it to
give the range of addresses on your LAN, or that your DHCP server is set
to give out. It's not appropriate when giving a specific machine's IP
address unless my understanding of the terminology is worse than I think
it is. I don't *think* this is part of the issue, here, but it may be
obscuring what's going on. If nothing else, leaving off where it
doesn't apply may help avoid confusion.

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
 
02-13-2012, 08:12 PM
Bruno Wolff III
iptables? issue

On Mon, Feb 13, 2012 at 12:33:14 -0800,
Joe Zeff <joe@zeff.us> wrote:
> On 02/13/2012 11:34 AM, nullv@gmx.com wrote:
> > I'm hoping that you can point out what I'm missing here. I have a server
> > (router0) with a public IP 41.123.234.74/29 that's using an internet
> > modem 41.123.234.73/29 as a gateway.
>
> If I'm not mistaken, an IP address with a /XX at the end is used to
> define a *range* of addresses, not a single address. You'd use it
> to give the range of addresses on your LAN, or that your DHCP server
> is set to give out. It's not appropriate when giving a specific
> machine's IP address unless my understanding of the terminology is
> worse than I think it is. I don't *think* this is part of the
> issue, here, but it may be obscuring what's going on. If nothing
> else, leaving off where it doesn't apply may help avoid confusion.

That notation can be used to define both the local IP address and the
network segment's IP address range at the same time. If you use the ip
command to set up an address on an interface, this is the notation used.
 
02-13-2012, 09:22 PM
Mike Wright
iptables? issue

On 02/13/2012 11:34 AM, nullv@gmx.com wrote:
> Hi,
> I'm hoping that you can point out what I'm missing here. I have a server
> (router0) with a public IP 41.123.234.74/29 that's using an internet
> modem 41.123.234.73/29 as a gateway. The server (router0) also has a
> second card used for LAN comms where it has IP address 10.0.0.1/8.
> Addresses are broadcast via DHCP along with DNS and gateway settings and
> everything works perfectly when I MASQUERADE the local IPs to the WAN
> address with iptables.
> The issue is this: I'm trying to set up another server (db0) behind
> router0 on the LAN side and want to have its packets go to my router0
> gateway and be forwarded to the internet side and vice versa. db0 has an
> address 41.123.234.75/29 with .74 set as the gateway. If I set up my
> addressing on db0 using LAN addresses and 10.0.0.1 my db0 server can
> connect and everything, but if I use the WAN address I can't connect even
> to the 41.123.234.74/29 router0 address. I had inserted the following
> rule to my tables' forward chain:
> iptables -I FORWARD -s 41.123.234.72/29 -j ACCEPT
> to allow public packets from either side to be forwarded to both sides,
> but I can't seem to get the boxes through to each other.
> Can anyone tell me where I'm getting it wrong?
> Thanks in advance

Hi nullv,

I use this layout successfully. If you want more than one subnet a
simple switch plugged into eth1 allows adding more than one box/subnet.


# your /29
# 41.123.234.72/32 NETWORK
# 41.123.234.73/32 GATEWAY
# 41.123.234.74/32 WAN1
# 41.123.234.75/32 WAN2
# 41.123.234.76/32 WAN3
# 41.123.234.77/32 WAN4
# 41.123.234.78/32 WAN5
# 41.123.234.79/32 BROADCAST

### iptables rules

# define custom chains and zero connection counts
:WAN1 - [0:0]
:WAN2 - [0:0]
:WAN3 - [0:0]
:WAN4 - [0:0]
:WAN5 - [0:0]

# inbound connections
-A PREROUTING -d 41.123.234.74/32 -j WAN1
-A PREROUTING -d 41.123.234.75/32 -j WAN2
-A PREROUTING -d 41.123.234.76/32 -j WAN3
-A PREROUTING -d 41.123.234.77/32 -j WAN4
-A PREROUTING -d 41.123.234.78/32 -j WAN5

# pick one of your WAN IPs for outbound connections
-A POSTROUTING -o eth0 -j SNAT --to-source 41.123.234.74

# this will map inbound WAN IP:PORT to various internal servers
# NAT can point to different networks
-A WAN1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.1
-A WAN1 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.5.0.2
-A WAN2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.16.7.3
-A WAN2 -p tcp -m tcp --dport 8008 -j DNAT --to-destination 10.5.2.4
-A WAN2 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.1.2.5
-A WAN3 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.44.2.6
-A WAN4 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.9.3.7
-A WAN5 -p tcp -m tcp --dport 3306 -j DNAT --to-destination 10.192.4.8

# add rules to allow access to services on the router
-A INPUT ...

# add rules to allow/deny access between subnets
-A FORWARD ...

Hope this applies to your situation,
Mike Wright
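As an added example (not from Mike's post or from any Fedora tool), a small Python linter for a nat-table dump in the iptables-save syntax used above: it checks that every -j target is a built-in target or a declared chain, that PREROUTING destinations and the SNAT source fall inside the owned /29 and are not its network or broadcast address, and that DNAT targets are private addresses. The dump it parses is constructed here and deliberately contains a jump to an undeclared WAN3 and a DNAT to 192.16.7.3, which is not an RFC 1918 address.

```python
import ipaddress
import re

OWNED = ipaddress.ip_network("41.123.234.72/29")  # the thread's /29 (.72 net, .79 bcast)
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG",
                   "SNAT", "DNAT", "MASQUERADE", "REDIRECT"}

# Constructed nat-table dump in iptables-save syntax: the layout from the post plus
# two deliberate mistakes (jump to an undeclared WAN3; DNAT to non-RFC 1918 192.16.7.3).
SAMPLE = """\
:WAN1 - [0:0]
:WAN2 - [0:0]
-A PREROUTING -d 41.123.234.74/32 -j WAN1
-A PREROUTING -d 41.123.234.75/32 -j WAN2
-A PREROUTING -d 41.123.234.79/32 -j WAN3
-A POSTROUTING -o eth0 -j SNAT --to-source 41.123.234.74
-A WAN1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.1
-A WAN2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.16.7.3
"""

def _opt(line, flag):
    """Return the argument following `flag` in one rule line, or None."""
    m = re.search(rf"(?:^|\s){re.escape(flag)}\s+(\S+)", line)
    return m.group(1) if m else None

def lint_nat_rules(text, owned=OWNED):
    """Return (rule, problem) pairs for a nat-table dump; an empty list means clean."""
    chains = {"PREROUTING", "POSTROUTING", "INPUT", "OUTPUT"}  # nat built-in chains
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(":"):                   # ":NAME - [pkts:bytes]" declares a chain
            chains.add(line.split()[0][1:])
        elif line and not line.startswith("#"):
            rules.append(line)
    problems = []
    for line in rules:
        target = _opt(line, "-j")
        if target and target not in BUILTIN_TARGETS and target not in chains:
            problems.append((line, f"jump to undefined chain {target}"))
        dst = _opt(line, "-d")
        if dst and _opt(line, "-A") == "PREROUTING":
            net = ipaddress.ip_network(dst, strict=False)
            if not net.subnet_of(owned):
                problems.append((line, f"{dst} is not inside {owned}"))
            elif net.network_address in (owned.network_address, owned.broadcast_address):
                problems.append((line, f"{dst} is the network or broadcast address of {owned}"))
        src = _opt(line, "--to-source")
        if src and ipaddress.ip_address(src) not in owned:
            problems.append((line, f"SNAT source {src} is not inside {owned}"))
        dnat = _opt(line, "--to-destination")
        if dnat and not ipaddress.ip_address(dnat.split(":")[0]).is_private:
            problems.append((line, f"DNAT target {dnat} is not a private address"))
    return problems

if __name__ == "__main__":
    for rule, why in lint_nat_rules(SAMPLE):
        print(f"{why}\n    {rule}")
```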
 
02-13-2012, 09:45 PM
Mike Wright
iptables? issue

On 02/13/2012 02:22 PM, Mike Wright wrote:
> On 02/13/2012 11:34 AM, nullv@gmx.com wrote:
> > Hi,
> > I'm hoping that you can point out what I'm missing here. I have a server
> > (router0) with a public IP 41.123.234.74/29 that's using an internet
> > modem 41.123.234.73/29 as a gateway. The server (router0) also has a
> > second card used for LAN comms where it has IP address 10.0.0.1/8.
> > Addresses are broadcast via DHCP along with DNS and gateway settings and
> > everything works perfectly when I MASQUERADE the local IPs to the WAN
> > address with iptables.
> > The issue is this: I'm trying to set up another server (db0) behind
> > router0 on the LAN side and want to have its packets go to my router0
> > gateway and be forwarded to the internet side and vice versa. db0 has an
> > address 41.123.234.75/29 with .74 set as the gateway. If I set up my
> > addressing on db0 using LAN addresses and 10.0.0.1 my db0 server can
> > connect and everything, but if I use the WAN address I can't connect even
> > to the 41.123.234.74/29 router0 address. I had inserted the following
> > rule to my tables' forward chain:
> > iptables -I FORWARD -s 41.123.234.72/29 -j ACCEPT
> > to allow public packets from either side to be forwarded to both sides,
> > but I can't seem to get the boxes through to each other.
> > Can anyone tell me where I'm getting it wrong?
> > Thanks in advance
>
> Hi nullv,
>
> I use this layout successfully. If you want more than one subnet a
> simple switch plugged into eth1 allows adding more than one box/subnet.
>
> # your /29
> # 41.123.234.72/32 NETWORK
> # 41.123.234.73/32 GATEWAY
> # 41.123.234.74/32 WAN1
> # 41.123.234.75/32 WAN2
> # 41.123.234.76/32 WAN3
> # 41.123.234.77/32 WAN4
> # 41.123.234.78/32 WAN5
> # 41.123.234.79/32 BROADCAST
>
> ### iptables rules
>
> # define custom chains and zero connection counts
> :WAN1 - [0:0]
> :WAN2 - [0:0]
> :WAN3 - [0:0]
> :WAN4 - [0:0]
> :WAN5 - [0:0]
>
> # inbound connections
> -A PREROUTING -d 41.123.234.74/32 -j WAN1
> -A PREROUTING -d 41.123.234.75/32 -j WAN2
> -A PREROUTING -d 41.123.234.76/32 -j WAN3
> -A PREROUTING -d 41.123.234.77/32 -j WAN4
> -A PREROUTING -d 41.123.234.78/32 -j WAN5
>
> # pick one of your WAN IPs for outbound connections
> -A POSTROUTING -o eth0 -j SNAT --to-source 41.123.234.74
>
> # this will map inbound WAN IP:PORT to various internal servers
> # NAT can point to different networks
> -A WAN1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.1
> -A WAN1 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.5.0.2
> -A WAN2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.16.7.3
> -A WAN2 -p tcp -m tcp --dport 8008 -j DNAT --to-destination 10.5.2.4
> -A WAN2 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.1.2.5
> -A WAN3 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.44.2.6
> -A WAN4 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.9.3.7
> -A WAN5 -p tcp -m tcp --dport 3306 -j DNAT --to-destination 10.192.4.8
>
> # add rules to allow access to services on the router
> -A INPUT ...
>
> # add rules to allow/deny access between subnets
> -A FORWARD ...

Follow up.

Remember to add the GATEWAY IP for each of the inside subnets to eth1
(and to make sure each of your hosts points to the appropriate GATEWAY).
iproute2 is your friend here.


e.g. where x.x.x.254 are the GATEWAYs
ip address add 10.0.0.254/8 dev eth1
ip address add 192.168.7.254/24 dev eth1
...



Hope this applies to your situation,
Mike Wright


 
02-14-2012, 07:13 AM
nullv@gmx.com
iptables? issue

----- Original Message -----
From: Joe Zeff
Sent: 02/13/12 10:33 PM
To: Community support for Fedora users
Subject: Re: iptables? issue

On 02/13/2012 11:34 AM, nullv@gmx.com wrote:
> I'm hoping that you can point out what I'm missing here. I have a server
> (router0) with a public ip 41.123.234.74/29 that's using an internet
> modem 41.123.234.73/29 as a gateway.

If I'm not mistaken, an IP address with a /XX at the end is used to
define a *range* of addresses, not a single address. You'd use it to
give the range of addresses on your LAN, or that your DHCP server is set
to give out. It's not appropriate when giving a specific machine's IP
address unless my understanding of the terminology is worse than I think
it is. I don't *think* this is part of the issue, here, but it may be
obscuring what's going on. If nothing else, leaving off where it
doesn't apply may help avoid confusion.


Hi Joe,

I was just doing that for completeness so that you would know that they are in the same subnet, i.e. the same /29 CIDR.
 
02-14-2012, 07:28 AM
nullv@gmx.com
iptables? issue

----- Original Message -----
From: Mike Wright
Sent: 02/14/12 12:22 AM
To: Community support for Fedora users
Subject: Re: iptables? issue

On 02/13/2012 11:34 AM, nullv@gmx.com wrote:
> Hi,
> I'm hoping that you can point out what I'm missing here. I have a server
> (router0) with a public IP 41.123.234.74/29 that's using an internet
> modem 41.123.234.73/29 as a gateway. The server (router0) also has a
> second card used for LAN comms where it has IP address 10.0.0.1/8.
> Addresses are broadcast via DHCP along with DNS and gateway settings and
> everything works perfectly when I MASQUERADE the local IPs to the WAN
> address with iptables.
> The issue is this: I'm trying to set up another server (db0) behind
> router0 on the LAN side and want to have its packets go to my router0
> gateway and be forwarded to the internet side and vice versa. db0 has an
> address 41.123.234.75/29 with .74 set as the gateway. If I set up my
> addressing on db0 using LAN addresses and 10.0.0.1 my db0 server can
> connect and everything, but if I use the WAN address I can't connect even
> to the 41.123.234.74/29 router0 address. I had inserted the following
> rule to my tables' forward chain:
> iptables -I FORWARD -s 41.123.234.72/29 -j ACCEPT
> to allow public packets from either side to be forwarded to both sides,
> but I can't seem to get the boxes through to each other.
> Can anyone tell me where I'm getting it wrong?
> Thanks in advance

Hi nullv,

I use this layout successfully. If you want more than one subnet a
simple switch plugged into eth1 allows adding more than one box/subnet.

# your /29
# 41.123.234.72/32 NETWORK
# 41.123.234.73/32 GATEWAY
# 41.123.234.74/32 WAN1
# 41.123.234.75/32 WAN2
# 41.123.234.76/32 WAN3
# 41.123.234.77/32 WAN4
# 41.123.234.78/32 WAN5
# 41.123.234.79/32 BROADCAST

### iptables rules

# define custom chains and zero connection counts
:WAN1 - [0:0]
:WAN2 - [0:0]
:WAN3 - [0:0]
:WAN4 - [0:0]
:WAN5 - [0:0]

# inbound connections
-A PREROUTING -d 41.123.234.74/32 -j WAN1
-A PREROUTING -d 41.123.234.75/32 -j WAN2
-A PREROUTING -d 41.123.234.76/32 -j WAN3
-A PREROUTING -d 41.123.234.77/32 -j WAN4
-A PREROUTING -d 41.123.234.78/32 -j WAN5

# pick one of your WAN IPs for outbound connections
-A POSTROUTING -o eth0 -j SNAT --to-source 41.123.234.74

# this will map inbound WAN IP:PORT to various internal servers
# NAT can point to different networks
-A WAN1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.1
-A WAN1 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.5.0.2
-A WAN2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.16.7.3
-A WAN2 -p tcp -m tcp --dport 8008 -j DNAT --to-destination 10.5.2.4
-A WAN2 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.1.2.5
-A WAN3 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.44.2.6
-A WAN4 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.9.3.7
-A WAN5 -p tcp -m tcp --dport 3306 -j DNAT --to-destination 10.192.4.8

# add rules to allow access to services on the router
-A INPUT ...

# add rules to allow/deny access between subnets
-A FORWARD ...

Hope this applies to your situation,
Mike Wright



Hi Mike,

It would seem like that would work; it's just that I was trying to avoid using NAT because of its issues/limitations/complexity, and also since it's mainly used to translate/reroute WAN addresses to LAN (non-routable) addresses? I really thought it would be as simple as forwarding packets through the gateway. I'm assuming that's how ISPs and modems etc. do it??

 
02-14-2012, 01:27 PM
nullv@gmx.com
iptables? issue

----- Original Message -----
From: gary artim
Sent: 02/13/12 10:14 PM
To: Community support for Fedora users
Subject: Re: iptables? issue

If you own both addresses you need to alias your NIC with the other address.

ifcfg-eth0:0

add in /etc/sysconfig/network-scripts


Hi Gary,

It still wouldn't explain why I can't ping the gateway's address.


On Mon, Feb 13, 2012 at 11:34 AM, <nullv@gmx.com> wrote:
> Hi,
>
> I'm hoping that you can point out what I'm missing here. I have a server
> (router0) with a public IP 41.123.234.74/29 that's using an internet modem
> 41.123.234.73/29 as a gateway. The server (router0) also has a second card
> used for LAN comms where it has IP address 10.0.0.1/8. Addresses are
> broadcast via DHCP along with DNS and gateway settings and everything works
> perfectly when I MASQUERADE the local IPs to the WAN address with iptables.
>
> The issue is this: I'm trying to set up another server (db0) behind router0
> on the LAN side and want to have its packets go to my router0 gateway and
> be forwarded to the internet side and vice versa. db0 has an address
> 41.123.234.75/29 with .74 set as the gateway. If I set up my addressing on
> db0 using LAN addresses and 10.0.0.1 my db0 server can connect and
> everything, but if I use the WAN address I can't connect even to the
> 41.123.234.74/29 router0 address. I had inserted the following rule to my
> tables' forward chain:
> iptables -I FORWARD -s 41.123.234.72/29 -j ACCEPT
> to allow public packets from either side to be forwarded to both sides, but I
> can't seem to get the boxes through to each other.
>
> Can anyone tell me where I'm getting it wrong?
>
> Thanks in advance
>
 
02-14-2012, 05:53 PM
Joe Zeff
iptables? issue

On 02/14/2012 12:13 AM, nullv@gmx.com wrote:
> I was just doing that for completeness so that you would know that they are in the same subnet, i.e. the same /29 CIDR.

I would have thought that just stating that they're on the same LAN,
served by the same router would have implied that, especially when the
addresses are in sequence.

 
02-14-2012, 07:30 PM
jdow
iptables? issue

On 2012/02/14 10:53, Joe Zeff wrote:
> On 02/14/2012 12:13 AM, nullv@gmx.com wrote:
> > I was just doing that for completeness so that you would know that they are in
> > the same subnet, i.e. the same /29 CIDR.
>
> I would have thought that just stating that they're on the same LAN, served by
> the same router would have implied that, especially when the addresses are in
> sequence.

Hm, would you not want to run a router daemon if you want to use a machine
as a router/gateway?

{^_^}
 
02-14-2012, 07:40 PM
Joe Zeff
iptables? issue

On 02/14/2012 12:30 PM, jdow wrote:
> Hm, would you not want to run a router daemon if you want to use a machine
> as a router/gateway?

I'd expect so. In that case, of course, you'd say that it was acting as
the router for W.X.Y.Z/NN, but most of the time you wouldn't express its
own IP that way. See the distinction I'm making?

 
