iptables newbie question

Post by David Laroch » Wed, 26 Dec 2001 09:49:11



hi there,

I've just taken a look at iptables, and as I changed my whole network
structure here I thought it could be a good time to move over to iptables ...
no problems with IP masq, everything works fine.

Explanation:
I've got 3 Linux machines (servers) running in a LAN
- 172.16.0.1 helium.nobug.lu (RH 7.1) eth0
   172.16.0.6 brom.nobug.lu (RH 7.1) eth1 (adsl)
          Gateway/Firewall
- 172.16.0.7 radon.nobug.lu (RH 7.1) eth0
          Webserver & Database & NS1
- 172.16.0.4 argon.nobug.lu (RH 7.1) eth0
           Secondary DNS & Proxy

Now I've got a dynamic domain (DynDNS: nobug.no-ip.com), which means that
people should access the webserver via this domain.

ADSL (nobug.no-ip.com) ----172.16.0.6
(srv1)----172.16.0.1(srv1)---->172.16.0.7

How can I forward all incoming connections for port 80,3306 etc. to
172.16.0.7 (with iptables)?

Can someone give me an example?

And when I install Squid as proxy now on "argon", does it work immediately if
I tell that machine that the default gateway is 172.16.0.6?

If I'm completely wrong, just tell me how everything works (with which
apps and so on).

Thank you all very much in advance!

Nice x-mas & happy new year everybody!

David
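The port forwarding asked for above, written out as an added example (not code from the thread). It assumes brom's eth1 faces the ADSL link and eth0 the LAN, as the post's diagram suggests, and it uses -m state, so ip_conntrack must be loaded on the gateway.

```shell
#!/bin/sh
# Added example for the layout in the post above; not from the original thread.
# Assumptions: brom (172.16.0.6) is the gateway, eth1 is its ADSL side and
# eth0 its LAN side, and radon (172.16.0.7) is the web/database server.
# Run as "sh fwd.sh apply" on the gateway; IPTABLES=echo gives a dry run that
# only prints the rules instead of installing them.
IPTABLES="${IPTABLES:-iptables}"
WAN_IF="eth1"          # ADSL side of brom
LAN_IF="eth0"          # LAN side of brom
SERVER="172.16.0.7"    # radon: webserver & database
PORTS="80 3306"        # services to publish; each maps to the same port on $SERVER

apply_forwarding() {
    # The kernel must route between interfaces or DNAT'd packets go nowhere.
    [ "$IPTABLES" = "echo" ] || echo 1 > /proc/sys/net/ipv4/ip_forward

    # Outbound masquerading for the LAN (the "ip masq" that already works).
    $IPTABLES -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # Default-deny forwarding: only what is explicitly listed below passes.
    $IPTABLES -P FORWARD DROP
    # Replies and related packets of connections ip_conntrack already knows.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts (e.g. argon with 172.16.0.6 as default gateway) may open connections.
    $IPTABLES -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m state --state NEW -j ACCEPT

    # One DNAT rule plus one FORWARD rule per published port.
    for p in $PORTS; do
        # Rewrite the destination of packets arriving on the ADSL side ...
        $IPTABLES -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$p" \
            -j DNAT --to-destination "$SERVER:$p"
        # ... and let only the first packet of a new connection reach that
        # host/port; FORWARD sees the rewritten destination, so match on it.
        # Publishing 3306 puts MySQL on the Internet: if only one remote
        # host needs it, add "-s <that host>" to both rules for that port.
        $IPTABLES -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$SERVER" \
            --dport "$p" -m state --state NEW -j ACCEPT
    done
}

# Number of -A rules a dry run emits; handy to sanity-check edits to PORTS.
rule_count() {
    ( IPTABLES=echo; apply_forwarding ) | grep -c -- '-A '
}

if [ "${1:-}" = "apply" ]; then
    apply_forwarding
fi
```

Hosts on the LAN that should be reachable through the DynDNS name from outside need nothing else; the FORWARD rule for LAN-originated NEW connections is also what lets a Squid box like argon use 172.16.0.6 as its default gateway.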


iptables newbie question

Post by Dean Thompso » Thu, 27 Dec 2001 11:24:40


Hi!,

> hi there,

> I've just taken a look at iptables, and as I changed my whole network
> structure here I thought it could be a good time to move over to iptables ...
> no problems with IP masq, everything works fine.

> Explanation:
> I've got 3 Linux machines (servers) running in a LAN
> - 172.16.0.1 helium.nobug.lu (RH 7.1) eth0
>    172.16.0.6 brom.nobug.lu (RH 7.1) eth1 (adsl)
>           Gateway/Firewall
> - 172.16.0.7 radon.nobug.lu (RH 7.1) eth0
>           Webserver & Database & NS1
> - 172.16.0.4 argon.nobug.lu (RH 7.1) eth0
>            Secondary DNS & Proxy

> Now I've got a dynamic domain (DynDNS: nobug.no-ip.com), which means that
> people should access the webserver via this domain.

> ADSL (nobug.no-ip.com) ----172.16.0.6
> (srv1)----172.16.0.1(srv1)---->172.16.0.7

Could I suggest that putting everything onto the same subnet isn't a good
idea.  You either want to break up your subnet so that the machines using the
ADSL connection are on a different subnet, or you want to subnet your subnet so
that the network comms IPs are in one subnet and the machines sharing the
connection are located in the other.

See ya

Dean Thompson

--
+____________________________+____________________________________________+
| Bach. Computing (Hons)     | ICQ     - 45191180                         |
| PhD Student                | Office  - <Off-Campus>                     |
| School Comp.Sci & Soft.Eng | Phone   - +61 3 9903 2787 (Gen. Office)    |
| MONASH (Caulfield Campus)  | Fax     - +61 3 9903 1077                  |
| Melbourne, Australia       |                                            |
+----------------------------+--------------------------------------------+


iptables newbie question

Hi,

two questions about iptables:

1/

I read the packet-filtering HOWTO (http://netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html).
The first example uses the ip_conntrack module, which allows the state match rule, as in the following rule:

iptables -A block -m state --state NEW -j REJECT

On the other hand, my Red Hat 9 was automatically configured by lokkit with something that looks similar but without using ip_conntrack:

iptables -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT

What are the exact differences between these two ways of doing the same thing?

2/

About fragments (see http://netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-7.html):

In the paragraph "Specifying fragments", it says:
"If you are doing connection tracking or NAT, then all fragments will get merged back together before they reach the packet filtering code, so you need never worry about fragments."

But 5 lines below, it also says that we can only filter the first fragment, because further fragments don't have their TCP header.

So, are fragments merged or not?

Thanks in advance
