IPTables with Virtual Interfaces and Multiple Public IPs

Post by martin.fow.. » Wed, 08 Aug 2007 01:04:40

Hello everyone, I am not new to Linux, but I am by no stretch an
expert. I have looked at all the other forums for my solution but I
can't seem to get it to work. Here is my situation.

Multiple public IP addresses feed into a single Ubuntu 7.04 server
Linux box running an iptables firewall. The server has 2 NICs, 1
external 207.xxx.xxx.xxx and the other NIC is for the internal network
192.168.yyy.yyy with multiple servers that need all the same ports.
For instance, there is a Windows media server (among the ports is 80),
a server for web hosting (again port 80), and a development web server
(another on port 80), so you can see the need for the multiple public
IPs. I want 207.xxx.xxx.42 to point to one, .43 to point to another,
and .44 to point to the last.

.42 -------|         |-------------------|         |  server 1 .50
.43 -------| gateway |-------------------|         |  server 2 .51
.44 -------|         |-------------------|         |  server 3 .52

The external interface on the gateway is set up for eth0, and I have
set up virtual interfaces to handle the different IP addresses:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 207.xxx.xxx.42
    netmask 255.255.nnn.nnn
    gateway 207.xxx.xxx.41

auto eth0:0
iface eth0:0 inet static
    address 207.xxx.xxx.43
    netmask 255.255.nnn.nnn

auto eth0:1
iface eth0:1 inet static
    address 207.xxx.xxx.44
    netmask 255.255.nnn.nnn

auto eth1
iface eth1 inet static
    address 192.168.yyy.yyy

The virtual interfaces work; I can connect to the IP addresses, ping
them, and so forth.

But when I try to access port 80, only the .42 address works
correctly. Here is how I have iptables set up.

# $IPT, $EXTIF1, $INTIF, $MEDIA and $IGNORE are set earlier in the script (not shown)

echo 1 > /proc/sys/net/ipv4/ip_forward

modprobe ip_conntrack
#modprobe ip_conntrack_pptp
#modprobe ip_nat_pptp

# Clear the iptables configuration
$IPT --flush
$IPT -t nat --flush
$IPT -t nat -X

# Setup the default IPTABLES config for internet access

####  MEDIA ####
# Inbound: rewrite the public .42 destination to the internal media server.
# With -m multiport the port list is given to --dports/--sports (not the
# single-port --dport/--sport of the tcp match).
$IPT -t nat -A PREROUTING -p tcp -m multiport -i $EXTIF1 -d 207.xxx.xxx.42 --dports $MEDIA -j DNAT --to 192.168.yyy.50
# Outbound: traffic from the media server leaves with the .42 source address
$IPT -t nat -A POSTROUTING -p tcp -m multiport --sports $MEDIA -o $EXTIF1 -s 192.168.yyy.50 -j SNAT --to-source 207.xxx.xxx.42
# Let the DNATed packets through to the media server
$IPT -A FORWARD -p tcp -m multiport -d 192.168.yyy.50 -o $INTIF --dports $MEDIA -j ACCEPT

..... same lines only for udp instead of tcp. Then I have a definition
for all the other hosts with their respective ip addresses for
external and internal. Then at the end of the script I have

# Enable Traffic Logging on everything except ssh or web
# (negation goes before the option: "! --dports", not "--dport !")
$IPT -A INPUT -p tcp -m multiport ! --dports $IGNORE -j LOG --log-prefix "[IN][dst]: " --log-level 4

$IPT -A FORWARD -p tcp -m multiport ! --dports $IGNORE -j LOG --log-prefix "[FORWARD][dst]: " --log-level 4

So that is basically what I have. Yet only web on the .42 address
works. When I hit .43 or .44 all I get is a page not found error. Can
someone debug the script and tell me what I am doing wrong? It's
basically cobbled together from other scripts that I have found on the
internet. If you don't know what's wrong with my script, could you
provide an example script of what should work with my configuration?

Thank you in advance to all who reply

Martin Fowler
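The post above shows one public-to-private mapping and describes the others as copies of it. As an added example (not the poster's script and not from any reply in the thread), here is the same one-to-one DNAT/SNAT pattern written once and driven from a list of address pairs, so every public IP gets exactly the same three rules. All addresses, the interface names eth0/eth1 and the port list 80,443 are assumed stand-ins for the poster's values; the DRY_RUN switch prints the iptables commands instead of applying them, which is how the rule set can be reviewed before touching a live gateway.

```shell
#!/bin/sh
# Added example: one-to-one NAT for several public IPs on a single gateway.
# Not the poster's script. Addresses are constructed (RFC 5737 / RFC 1918).
# Usage:  DRY_RUN=1 sh nat.sh apply   -> print the rules
#         sh nat.sh apply             -> apply them (needs root)

EXTIF=eth0   # assumed external interface
INTIF=eth1   # assumed internal interface
PORTS="80,443"   # assumed port list shared by every internal server

# Constructed mapping: "public_ip internal_ip", one pair per line.
MAP="203.0.113.42 192.168.1.50
203.0.113.43 192.168.1.51
203.0.113.44 192.168.1.52"

# Wrapper: print the command in dry-run mode, otherwise run iptables.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_rules() {
    ipt -F
    ipt -t nat -F
    ipt -t nat -X

    # Replies and related packets of any accepted connection, both directions.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    echo "$MAP" | while read -r pub priv; do
        [ -n "$pub" ] || continue
        # Inbound: match on the public destination address (aliases such as
        # eth0:0 are not separate interfaces, so -i cannot select them).
        ipt -t nat -A PREROUTING -i "$EXTIF" -d "$pub" -p tcp -m multiport --dports "$PORTS" -j DNAT --to-destination "$priv"
        # Only new connections to the mapped ports reach the internal host.
        ipt -A FORWARD -i "$EXTIF" -o "$INTIF" -d "$priv" -p tcp -m multiport --dports "$PORTS" -m conntrack --ctstate NEW -j ACCEPT
        # Outbound: traffic from this host leaves with its own public address.
        ipt -t nat -A POSTROUTING -o "$EXTIF" -s "$priv" -j SNAT --to-source "$pub"
    done
}

if [ "${1:-}" = apply ]; then
    apply_rules
fi
```

Each public address gets an identical PREROUTING, FORWARD and POSTROUTING rule, so a host that answers on .42 but not on .43 can be checked by comparing the printed rules for the two addresses line by line; `iptables -t nat -L PREROUTING -n -v` then shows whether packets to the second address are hitting its DNAT rule at all.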


Post by martin.fow.. » Fri, 10 Aug 2007 03:28:58

Anyone have any ideas on this?


1. Routing multiple public IPs to multiple internal networks

Here is the situation:

We are going to be getting an internet connection with a /28 block of
public IPs. What I would like to do is be able to filter all of the
traffic through one Router/Firewall box so I can do filtering, QoS,
bandwidth monitoring, etc. and give a public IP to a series of Linksys
routers for different tenants in the building. I am not quite sure how
to set up the IPs since I have only had experience with 1 public IP and
NAT in the past. I have tentatively come up with this setup but I
wanted to run it by someone more knowledgeable than myself before
ordering the equipment and deploying everything. Here is a diagram to
help clarify:

     |   ISP Router    |
     |  x.y.z.225/28   |
     |  x.y.z.226/28   |
     | Router/Firewall |
     |  x.y.z.227/28   |
     |     Switch      |
       |            |
       |            |
       |            |
+------------+ +------------+
|x.y.z.228/28| |x.y.z.229/28|
|  Linksys   | |  Linksys   |
+------------+ +------------+
 | | | | | |    | | | | | |
 | | | | | |    | | | | | |
   Private        Private
   Network        Network

Would this addressing scheme work? I thought about subdividing the
subnet but I don't want to lose IPs in the process and it seems like it
would unnecessarily complicate things.

Thanks in advance!
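The diagram puts the firewall's outside address (.226) and its inside address (.227) in the same /28 as the tenant routers. Whether two addresses share a network is the first thing to check in such a plan, because a firewall that routes between two interfaces needs a different subnet on each side (the same subnet on both sides only works with bridging or proxy ARP). The following added example (not from this thread or any reply to it) does that prefix arithmetic in plain sh; the 203.0.113.x addresses are constructed stand-ins for the x.y.z.* addresses in the diagram.

```shell
#!/bin/sh
# Added example: subnet membership check for the addressing plan above.
# Not from the thread. 203.0.113.* are constructed stand-ins for x.y.z.*.

# ip2int 203.0.113.226 -> 32-bit integer
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# int2ip INTEGER -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network_of IP PREFIXLEN -> network address of that prefix
network_of() {
    mask=$(( (0xFFFFFFFF << (32 - $2)) & 0xFFFFFFFF ))
    int2ip $(( $(ip2int "$1") & mask ))
}

# same_subnet IP1 IP2 PREFIXLEN -> exit 0 when both lie in one network
same_subnet() {
    [ "$(network_of "$1" "$3")" = "$(network_of "$2" "$3")" ]
}

# Apply the check to the diagram: ISP router .225, firewall outside .226,
# firewall inside .227, tenants .228 and .229, all announced as /28.
check_design() {
    if same_subnet 203.0.113.226 203.0.113.227 28; then
        echo "firewall outside and inside share $(network_of 203.0.113.226 28)/28:"
        echo "  a routed firewall needs a separate subnet per side (or bridging / proxy ARP)"
        return 1
    fi
    echo "firewall interfaces are in different subnets"
}

if [ "${1:-}" = check ]; then
    check_design
fi
```

Run as `sh check.sh check`. The functions are generic, so the same check applies to any pair of interface addresses and prefix length, not only the /28 in the question; splitting the block (for example a /30 between ISP router and firewall, and the rest behind it) is exactly the alternative the poster says they would rather avoid, and the check shows why the unsplit layout cannot be routed as drawn.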
