tough (interesting) iptables problem


Post by jaso » Sun, 11 May 2003 05:35:36



Hi, I've got an iptables problem that I can't get my head around.  I have
an nt4 box that currently does proxy for a private network.  I want to
put it behind an iptables firewall.  Unfortunately I can't get rid of
the nt4 box, as much as I'd like to, and the addition of the filtering
linux box has to be transparent to the users (the filter is to protect
the nt box).  The nt4 proxy coughs up a furball if both sides of the
proxy are private networks and refuses to start.  Here's how it was:

original setup:

inet => eth0 ntbox eth1 =>private net
x.x.x.3   linux box
x.x.x.4   msproxy  10.0.x.x

what I tried:

inet  => eth0 linux fw eth1 =>eth0 ntbox eth1=> private net
x.x.x.3 >     iptables>192.168.0.1>proxy>10.0.x.x  users
Proxy service on nt refused to start with this setup

What I think I need to do is forward and filter the real ip of the ntbox
on my internet connection through the firewall to the ntbox and it
continues happily on its way like so:

inet => eth0  linux fw eth1 =>eth0 ntbox eth1=> private net
x.x.x.3&4 >   iptables    >x.x.x.4>proxy>10.0.0.x.x users
^with a possible virtual ethernet interface on eth0 for x.x.x.4

Am I barking up the wrong tree - is this possible?

thanks jason


tough (interesting) iptables problem

Post by Horst Knobloc » Sun, 11 May 2003 07:00:40



Quote:> Hi I've got an iptables problem that I can't get my head around.  I have
> an nt4 box that currently does proxy for a private network.  I want to
> put it behind an iptables firewall.  Unfortunately I can't get rid of
> the nt4 box as much as I'd like to, and the addition of the filtering
> linux box has to be transparent to the users (the filter is to protect
> the nt box).  The nt4 proxy coughs up a furball if both sides of the
> proxy are private networks and refuses to start.

[original setup and two private net setup]

Quote:> What I think I need to do is forward and filter the real ip of the ntbox
> on my internet connection through the firewall to the ntbox and it
> continues happily on its way like so:

> inet => eth0  linux fw eth1 =>eth0 ntbox eth1=> private net
> x.x.x.3&4 >   iptables    >x.x.x.4>proxy>10.0.0.x.x users
> ^with a possible virtual ethernet interface on eth0 for x.x.x.4

> Am I barking up the wrong tree - is this possible?

If you are in control of the upstream router you could
add another network which is used between Linux eth1 and
NT eth0. For this the upstream router needs to be configured
to also forward traffic for this new network towards the
Linux box. This is the straight forward approach.

If you are not in control of the upstream router and you
only have one public IP address, you could configure
the Linux box as a bridge and assign the public IP address
to NT's eth0. Even when working as an ethernet bridge,
iptables should be able to filter properly.

If you don't like any of these two approaches, you could
also use a public network which you do _not_ own between
the Linux and NT box, and have the Linux box masquerade
this to its public IP address. Yuck!

HTH

Ciao, Horst
--
"When pings go wrong (It hurts me too)" E.Clapton/E.James/P.Tscharn

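A worked version of Horst's second option (bridge the two NICs and filter on the bridge), added here as an example and not part of the original posts. It assumes bridge-utils and a kernel with bridge-netfilter (2.6, or 2.4 with the bridge-nf patch) so that the physdev match works, that eth0 faces the Internet and eth1 faces the NT box's external NIC, and that the public address stays on the NT box; x.x.x.4 is kept as the thread's placeholder. DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread: transparent bridging firewall in front
# of the NT proxy. The Linux box bridges eth0 (Internet side) and eth1 (NT's
# external NIC), carries no IP address of its own, and filters with iptables
# using the physdev match. Assumes bridge-utils and bridge-netfilter; the
# public address x.x.x.4 is the thread's placeholder, substitute the real one.
# DRY_RUN=1 prints the commands instead of executing them.

NT_PUBLIC="${NT_PUBLIC:-x.x.x.4}"   # public IP kept by the NT box's eth0
OUTSIDE=eth0                         # bridge port facing the Internet
INSIDE=eth1                          # bridge port facing the NT box
BR=br0

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_bridge() {
    run brctl addbr "$BR"
    run brctl addif "$BR" "$OUTSIDE"
    run brctl addif "$BR" "$INSIDE"
    # Ports carry no IP, and the bridge itself is left unaddressed, so the
    # firewall is not reachable from either side.
    run ifconfig "$OUTSIDE" 0.0.0.0 promisc up
    run ifconfig "$INSIDE" 0.0.0.0 promisc up
    run ifconfig "$BR" up
}

bridge_rules() {
    run iptables -F FORWARD
    run iptables -P FORWARD DROP
    # Anti-spoofing: the only legitimate source behind the inside port is the NT box.
    run iptables -A FORWARD -m physdev --physdev-in "$INSIDE" ! -s "$NT_PUBLIC" -j DROP
    # Replies to connections the proxy opened.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The proxy may open connections toward the Internet.
    run iptables -A FORWARD -m physdev --physdev-in "$INSIDE" -s "$NT_PUBLIC" -m state --state NEW -j ACCEPT
    # Inbound: only what you deliberately expose; here ICMP echo to the NT box.
    run iptables -A FORWARD -m physdev --physdev-in "$OUTSIDE" -d "$NT_PUBLIC" -p icmp --icmp-type echo-request -j ACCEPT
    # Everything else is logged, then dropped by the chain policy.
    run iptables -A FORWARD -j LOG --log-prefix "bridge-fw drop: "
}

# Usage: DRY_RUN=1 sh bridge-fw.sh apply   (preview the commands)
#        sh bridge-fw.sh apply             (as root)
if [ "${1:-}" = apply ]; then
    setup_bridge
    bridge_rules
fi
```

The point of the anti-spoofing rule is that a compromised NT box, or anything plugged into eth1, cannot send with a borrowed source address; the FORWARD chain is the only chain bridged frames traverse with bridge-netfilter, so INPUT/OUTPUT rules on the Linux box do not see them.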

tough (interesting) iptables problem

Post by jaso » Thu, 15 May 2003 20:13:53




>>Hi I've got an iptables problem that I can't get my head around.  I have
>>an nt4 box that currently does proxy for a private network.  I want to
>>put it behind an iptables firewall.  Unfortunately I can't get rid of
>>the nt4 box as much as I'd like to, and the addition of the filtering
>>linux box has to be transparent to the users (the filter is to protect
>>the nt box).  The nt4 proxy coughs up a furball if both sides of the
>>proxy are private networks and refuses to start.

> [original setup and two private net setup]

>>What I think I need to do is forward and filter the real ip of the ntbox
>>on my internet connection through the firewall to the ntbox and it
>>continues happily on its way like so:

>>inet => eth0  linux fw eth1 =>eth0 ntbox eth1=> private net
>>x.x.x.3&4 >   iptables    >x.x.x.4>proxy>10.0.0.x.x users
>>^with a possible virtual ethernet interface on eth0 for x.x.x.4

>>Am I barking up the wrong tree - is this possible?

> If you are in control of the upstream router you could
> add another network which is used between Linux eth1 and
> NT eth0. For this the upstream router needs to be configured
> to also forward traffic for this new network towards the
> Linux box. This is the straight forward approach.

> If you are not in control of the upstream router and you
> only have one public IP address, you could configure
> the Linux box as a bridge and assign the public IP address
> to NT's eth0. Even when working as an ethernet bridge,
> iptables should be able to filter properly.

> If you don't like any of these two approaches, you could
> also use a public network which you do _not_ own between
> the Linux and NT box, and have the Linux box masquerade
> this to its public IP address. Yuck!

> HTH

> Ciao, Horst

Thanks so much for your help Horst!

I solved the problem.  The problem was in the NT proxy, a setting which
defined all the private networks in use (e.g. 10.x.x.x, 172.16.x.x,
192.168.x.x).  If all of these are selected (default setting) the external
ethernet card will not accept one of those net ranges and will fail to
start (stupid defaults).  I just needed to remove the networks not being
used by the current LAN and set the appropriate IP address to go to the
iptables firewall.  Everything works like it should :)

jason
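
The ruleset for the topology Jason ended up with, added here as an example and not part of the original posts: the Linux box routes between the Internet on eth0 (public x.x.x.3, the thread's placeholder) and the 192.168.0.x transit network on eth1 from his second diagram, with the firewall at 192.168.0.1. The NT box's external NIC is assumed to be 192.168.0.2 with .1 as its default gateway; that .2 address is an assumption, not from the thread. The firewall SNATs the proxy's traffic to the public address and admits nothing new from the Internet.

```shell
#!/bin/sh
# Added example, not from the thread: routed firewall with a private transit
# network between the Linux box and the NT proxy. Assumed addressing:
# eth0 = Internet, public x.x.x.3 (placeholder); eth1 = 192.168.0.1 on the
# transit net 192.168.0.0/24; NT external NIC = 192.168.0.2 (assumption).
# DRY_RUN=1 prints the commands instead of executing them.

PUBLIC_IP="${PUBLIC_IP:-x.x.x.3}"
WAN=eth0
LAN=eth1
NT_IP=192.168.0.2
TRANSIT_NET=192.168.0.0/24

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

kernel_setup() {
    run sysctl -w net.ipv4.ip_forward=1
    # Strict reverse-path check: drop packets whose source would not be
    # routed back out the interface they arrived on.
    run sysctl -w net.ipv4.conf.all.rp_filter=1
}

nat_rules() {
    run iptables -t nat -F
    # The proxy leaves with the firewall's public address; conntrack
    # de-NATs the replies.
    run iptables -t nat -A POSTROUTING -o "$WAN" -s "$NT_IP" -j SNAT --to-source "$PUBLIC_IP"
}

filter_rules() {
    run iptables -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Administer the firewall only from the transit network.
    run iptables -A INPUT -i "$LAN" -s "$TRANSIT_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # Private source addresses have no business arriving from the Internet.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        run iptables -A FORWARD -i "$WAN" -s "$net" -j DROP
    done
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only the NT proxy may open connections outward; the 10.x users never
    # reach the firewall directly, the proxy speaks for them.
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$NT_IP" -m state --state NEW -j ACCEPT
    # Nothing new from the Internet reaches the NT box; add a DNAT plus a
    # FORWARD rule here only for a service you deliberately publish.
    run iptables -A FORWARD -j LOG --log-prefix "fw drop: "
}

# Usage: DRY_RUN=1 sh transit-fw.sh apply   (preview the commands)
#        sh transit-fw.sh apply             (as root)
if [ "${1:-}" = apply ]; then
    kernel_setup
    nat_rules
    filter_rules
fi
```

Because the NT box now has a private external address, the proxy's own address list has to exclude the 192.168.0.0 range (which is exactly the setting Jason changed), otherwise it treats its external NIC as internal and refuses to start.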

