Problems using Netfilter to NAT secondary IPs (ip addr add IP dev DEV)

Post by Mathew Johnston » Fri, 07 Sep 2001 06:07:23

I wanted to post this to the netfilter mailing list, but I can't seem to
join it.

I have a firewall with three networks attached. One is a DMZ (eth0), one is
a workstation LAN (eth1) and the other is an internet connection (eth2).
The internet connection has two IP addresses available to it. In the DMZ
are two hosts, 192.168.0.2 and 192.168.0.3. 192.168.0.2 is to handle http
and smtp for all connections made to 24.114.20.59, and 192.168.0.3 is to
handle smtp for 24.114.20.5. Using the following configuration:

# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:60:08:bd:11:da brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
3: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:bf:39:86:76 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
5: eth2: <BROADCAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:bf:39:6d:75 brd ff:ff:ff:ff:ff:ff
    inet 24.114.20.59/25 brd 24.114.20.127 scope global eth2
    inet 24.114.20.5/25 scope global secondary eth2

# iptables NAT script... assume all other chains are empty with
# an ACCEPT policy

iptables -t nat -F

# PREROUTING / DNAT

# redirect 24.114.20.59:25 to 192.168.0.2
iptables -t nat -A PREROUTING \
    -p tcp -d 24.114.20.59 --dport 25 \
    -j DNAT --to-destination 192.168.0.2:25

# redirect 24.114.20.59:80 to 192.168.0.2:80
iptables -t nat -A PREROUTING \
    -p tcp -d 24.114.20.59 --dport 80 \
    -j DNAT --to-destination 192.168.0.2:80

# redirect 24.114.20.5:25 to 192.168.0.3
iptables -t nat -A PREROUTING \
    -p tcp -d 24.114.20.5 --dport 25 \
    -j DNAT --to-destination 192.168.0.3:25

# POSTROUTING / SNAT

# snat anything going out eth2
iptables -t nat -A POSTROUTING -o eth2 \
    -j SNAT --to-source 24.114.20.59

Under this configuration, the following conditions are true:
o 192.168.0.0/24 and 192.168.1.0/24 have internet access
o from 192.168.0.0/24, connections to 24.114.20.59:25,
  24.114.20.59:80 and 24.114.20.5:25 fail
o from the internet, connections to 24.114.20.5:25 fail
o from the internet, 24.114.20.59 is pingable
o from the internet, 24.114.20.5 is not pingable
o from 192.168.0.0/24, 24.114.20.59 and 24.114.20.5 are pingable
o from 192.168.1.0/24, connections to 24.114.20.59:80,
  24.114.20.59:25 and 24.114.20.5:25 are successful
o from the internet, connections to 24.114.20.59:25 and
  24.114.20.59:80 are successful

The daemons have not been configured with any src/dst access controls.

Does anyone know why this is happening, and how to fix it?

Mathew Johnston

 
 
 

Problems using Netfilter to NAT secondary IPs (ip addr add IP dev DEV)

Post by Axel Hinrichs » Fri, 07 Sep 2001 08:31:25

> I wanted to post this to the netfilter mailing list, but I can't seem to
> join it.

> I have a firewall with three networks attached. One is a DMZ (eth0), one is
> a workstation LAN (eth1) and the other is an internet connection (eth2).
> The internet connection has two IP addresses available to it. In the DMZ
> are two hosts, 192.168.0.2 and 192.168.0.3. 192.168.0.2 is to handle http
> and smtp for all connections made to 24.114.20.59, and 192.168.0.3 is to
> handle smtp for 24.114.20.5. Using the following configuration:

> # ip addr show
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:60:08:bd:11:da brd ff:ff:ff:ff:ff:ff
>     inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
> 3: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
>     link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
> 4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:50:bf:39:86:76 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
> 5: eth2: <BROADCAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:50:bf:39:6d:75 brd ff:ff:ff:ff:ff:ff
>     inet 24.114.20.59/25 brd 24.114.20.127 scope global eth2
>     inet 24.114.20.5/25 scope global secondary eth2

> # iptables NAT script... assume all other chains are empty with
> # an ACCEPT policy

> iptables -t nat -F

> # PREROUTING / DNAT

> # redirect 24.114.20.59:25 to 192.168.0.2
> iptables -t nat -A PREROUTING \
>     -p tcp -d 24.114.20.59 --dport 25 \
>     -j DNAT --to-destination 192.168.0.2:25

> # redirect 24.114.20.59:80 to 192.168.0.2:80
> iptables -t nat -A PREROUTING \
>     -p tcp -d 24.114.20.59 --dport 80 \
>     -j DNAT --to-destination 192.168.0.2:80

> # redirect 24.114.20.5:25 to 192.168.0.3
> iptables -t nat -A PREROUTING \
>     -p tcp -d 24.114.20.5 --dport 25 \
>     -j DNAT --to-destination 192.168.0.3:25

> # POSTROUTING / SNAT

> # snat anything going out eth2
> iptables -t nat -A POSTROUTING -o eth2 \
>     -j SNAT --to-source 24.114.20.59

This sounds too general to me. Try:

iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.2 --sport 25 \
        -j SNAT --to-source 24.114.20.59:25
iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.2 --sport 80 \
        -j SNAT --to-source 24.114.20.59:80
iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.3 --sport 25 \
        -j SNAT --to-source 24.114.20.5:25
iptables -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 \
        -j SNAT --to-source 24.114.20.59

and report again.


> Under this configuration, the following conditions are true:
> o 192.168.0.0/24 and 192.168.1.0/24 have internet access
> o from 192.168.0.0/24, connections to 24.114.20.59:25,
>   24.114.20.59:80 and 24.114.20.5:25 fail
> o from the internet, connections to 24.114.20.5:25 fail
> o from the internet, 24.114.20.59 is pingable
> o from the internet, 24.114.20.5 is not pingable
> o from 192.168.0.0/24, 24.114.20.59 and 24.114.20.5 are pingable
> o from 192.168.1.0/24, connections to 24.114.20.59:80,
>   24.114.20.59:25 and 24.114.20.5:25 are successful
> o from the internet, connections to 24.114.20.59:25 and
>   24.114.20.59:80 are successful

> The daemons have not been configured with any src/dst access controls.

> Does anyone know why this is happening, and how to fix it?

> Mathew Johnston

Greetings,
Axel

--
hinrichs at xbits dot de

 
 
 

Problems using Netfilter to NAT secondary IPs (ip addr add IP dev DEV)

Post by Axel Hinrichs » Fri, 07 Sep 2001 08:44:19

>> I wanted to post this to the netfilter mailing list, but I can't seem to
>> join it.

>> I have a firewall with three networks attached. One is a DMZ (eth0), one
>> is a workstation LAN (eth1) and the other is an internet connection
>> (eth2). The internet connection has two IP addresses available to it. In
>> the DMZ are two hosts, 192.168.0.2 and 192.168.0.3. 192.168.0.2 is to
>> handle http and smtp for all connections made to 24.114.20.59, and
>> 192.168.0.3 is to handle smtp for 24.114.20.5. Using the following
>> configuration:

>> # ip addr show
>> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>     inet 127.0.0.1/8 scope host lo
>> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>>     link/ether 00:60:08:bd:11:da brd ff:ff:ff:ff:ff:ff
>>     inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
>> 3: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
>>     link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
>> 4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>>     link/ether 00:50:bf:39:86:76 brd ff:ff:ff:ff:ff:ff
>>     inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
>> 5: eth2: <BROADCAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>>     link/ether 00:50:bf:39:6d:75 brd ff:ff:ff:ff:ff:ff
>>     inet 24.114.20.59/25 brd 24.114.20.127 scope global eth2
>>     inet 24.114.20.5/25 scope global secondary eth2

>> # iptables NAT script... assume all other chains are empty with
>> # an ACCEPT policy

>> iptables -t nat -F

>> # PREROUTING / DNAT

>> # redirect 24.114.20.59:25 to 192.168.0.2
>> iptables -t nat -A PREROUTING \
>>     -p tcp -d 24.114.20.59 --dport 25 \
>>     -j DNAT --to-destination 192.168.0.2:25

>> # redirect 24.114.20.59:80 to 192.168.0.2:80
>> iptables -t nat -A PREROUTING \
>>     -p tcp -d 24.114.20.59 --dport 80 \
>>     -j DNAT --to-destination 192.168.0.2:80

>> # redirect 24.114.20.5:25 to 192.168.0.3
>> iptables -t nat -A PREROUTING \
>>     -p tcp -d 24.114.20.5 --dport 25 \
>>     -j DNAT --to-destination 192.168.0.3:25

>> # POSTROUTING / SNAT

>> # snat anything going out eth2
>> iptables -t nat -A POSTROUTING -o eth2 \
>>     -j SNAT --to-source 24.114.20.59

> This sounds to general to me. Try:

> iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.2 --sport 25 \
>         -j SNAT --to-source 24.114.20.59:25
> iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.2 --sport 80 \
>         -j SNAT --to-source 24.114.20.59:80
> iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.3 --sport 25 \
>         -j SNAT --to-source 24.114.20.5:25
> iptables -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 \
>         -j SNAT --to-source 24.114.20.59

> and report again.

Ah, and the pings are not fully meaningful as test here, as you haven't set
up NAT for -p icmp!

So you should add:

iptables -t nat -A PREROUTING -p icmp -d 24.114.20.59 \
        -j DNAT --to-destination 192.168.0.2
iptables -t nat -A POSTROUTING -p icmp -s 192.168.0.2 \
        -j SNAT --to-source 24.114.20.59
iptables -t nat -A PREROUTING -p icmp -d 24.114.20.5 \
        -j DNAT --to-destination 192.168.0.3
iptables -t nat -A POSTROUTING -p icmp -s 192.168.0.3 \
        -j SNAT --to-source 24.114.20.5

as this should make the two DMZ hosts world-pingable.


>> Under this configuration, the following conditions are true:
>> o 192.168.0.0/24 and 192.168.1.0/24 have internet access
>> o from 192.168.0.0/24, connections to 24.114.20.59:25,
>>   24.114.20.59:80 and 24.114.20.5:25 fail
>> o from the internet, connections to 24.114.20.5:25 fail
>> o from the internet, 24.114.20.59 is pingable
>> o from the internet, 24.114.20.5 is not pingable
>> o from 192.168.0.0/24, 24.114.20.59 and 24.114.20.5 are pingable
>> o from 192.168.1.0/24, connections to 24.114.20.59:80,
>>   24.114.20.59:25 and 24.114.20.5:25 are successful
>> o from the internet, connections to 24.114.20.59:25 and
>>   24.114.20.59:80 are successful

>> The daemons have not been configured with any src/dst access controls.

>> Does anyone know why this is happening, and how to fix it?

>> Mathew Johnston

> Greetings,
> Axel

--
hinrichs at xbits dot de
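Editor's note, added to this thread and not part of either poster's message: the symptom table in the first post and Axel's remark about pings can both be checked against a small model of the netfilter NAT path. The script below walks one client packet through PREROUTING (DNAT), the routing decision and POSTROUTING (SNAT), then lets the chosen host answer; the only behaviour it models beyond the rules themselves is that a server replies directly to a host on its own subnet, so that reply never comes back through the firewall and the DNAT is never reversed. Interfaces, addresses and the posted rules are taken from the thread; the Internet client 203.0.113.7 and the LAN client 192.168.1.20 are constructed, and the corrected ruleset in `fixed_rules()` is the editor's suggestion, not something posted here. With the posted rules the model reproduces the reported pattern for 24.114.20.59: DMZ clients get their reply straight from 192.168.0.2 and fail, LAN and Internet clients succeed, and a ping to 24.114.20.59 is answered by the firewall itself rather than by the DMZ host, which is Axel's point. It does not reproduce the reported failure of 24.114.20.5:25 from the Internet: nothing in the posted NAT table acts on that path, so that symptom has to be chased outside the NAT table.

```python
"""Model of the NAT path discussed in this thread (added example, not the
poster's script).  Interfaces, addresses and the posted rules come from the
original post; 203.0.113.7 (Internet) and 192.168.1.20 (LAN) are constructed."""
import ipaddress

IFACES = {  # firewall interfaces from the post's `ip addr show`
    "eth0": ipaddress.ip_network("192.168.0.0/24"),  # DMZ
    "eth1": ipaddress.ip_network("192.168.1.0/24"),  # workstation LAN
    "eth2": ipaddress.ip_network("24.114.20.0/25"),  # Internet (.59 and .5)
}
FW_ADDRS = {"192.168.0.1", "192.168.1.1", "24.114.20.59", "24.114.20.5"}

# The posted ruleset: DNAT on every interface, SNAT for anything leaving eth2.
# Ports are unchanged by the DNAT, so only the address is recorded here.
POSTED = {
    "dnat": [
        {"iif": None, "proto": "tcp", "dst": "24.114.20.59", "dport": 25, "to": "192.168.0.2"},
        {"iif": None, "proto": "tcp", "dst": "24.114.20.59", "dport": 80, "to": "192.168.0.2"},
        {"iif": None, "proto": "tcp", "dst": "24.114.20.5", "dport": 25, "to": "192.168.0.3"},
    ],
    "snat": [{"oif": "eth2", "src": None, "to": "24.114.20.59"}],
}

def fixed_rules():
    """Editor's corrected set (assumption, not from the thread): Axel's ICMP DNAT
    added, SNAT limited to the private source ranges so the firewall's own
    packets from 24.114.20.5 keep their address, and a hairpin SNAT on eth0 so
    DMZ clients using the public addresses get replies back via the firewall."""
    icmp = {"iif": None, "proto": "icmp", "dst": "24.114.20.59", "dport": None, "to": "192.168.0.2"}
    return {
        "dnat": POSTED["dnat"] + [icmp],
        "snat": [
            {"oif": "eth2", "src": "192.168.0.0/24", "to": "24.114.20.59"},
            {"oif": "eth2", "src": "192.168.1.0/24", "to": "24.114.20.59"},
            {"oif": "eth0", "src": "192.168.0.0/24", "to": "192.168.0.1"},  # hairpin
        ],
    }

def iface_for(ip):
    """Routing decision: the interface whose subnet holds ip, else the default eth2."""
    addr = ipaddress.ip_address(ip)
    for name, network in IFACES.items():
        if addr in network:
            return name
    return "eth2"

def forward(rules, client, dst, proto, dport):
    """Run one client packet through PREROUTING -> routing -> POSTROUTING, let
    the chosen host answer, and report what the client sees."""
    iif = iface_for(client)
    new_dst = dst  # PREROUTING: first matching DNAT rule rewrites the destination
    for r in rules["dnat"]:
        if (r["iif"] in (None, iif) and r["proto"] == proto
                and r["dst"] == dst and r["dport"] in (None, dport)):
            new_dst = r["to"]
            break
    if new_dst in FW_ADDRS:  # nothing forwarded: the firewall answers itself
        return "answered by firewall"
    oif = iface_for(new_dst)
    new_src = client  # POSTROUTING: first matching SNAT rule rewrites the source
    for r in rules["snat"]:
        if r["oif"] == oif and (r["src"] is None or
                                ipaddress.ip_address(client) in ipaddress.ip_network(r["src"])):
            new_src = r["to"]
            break
    # The server answers the source it saw.  A reply to a host on its own subnet
    # is delivered directly and never crosses the firewall, so the DNAT is never
    # reversed; a reply to the firewall or another segment comes back through
    # conntrack and regains the original addresses.
    direct = new_src not in FW_ADDRS and ipaddress.ip_address(new_src) in IFACES[oif]
    reply_src = new_dst if direct else dst
    if reply_src == dst:
        return "ok via %s" % new_dst
    return "fail: reply from %s, expected %s" % (reply_src, dst)

def symptom_table(rules):
    """The thread's test matrix evaluated against a ruleset."""
    cases = {
        "dmz -> 24.114.20.59:80": ("192.168.0.3", "24.114.20.59", "tcp", 80),
        "dmz -> 24.114.20.5:25": ("192.168.0.2", "24.114.20.5", "tcp", 25),
        "lan -> 24.114.20.59:80": ("192.168.1.20", "24.114.20.59", "tcp", 80),
        "inet -> 24.114.20.59:80": ("203.0.113.7", "24.114.20.59", "tcp", 80),
        "inet -> 24.114.20.5:25": ("203.0.113.7", "24.114.20.5", "tcp", 25),
        "inet ping 24.114.20.59": ("203.0.113.7", "24.114.20.59", "icmp", None),
    }
    return {name: forward(rules, *args) for name, args in cases.items()}

def as_iptables(rules):
    """Render a ruleset as iptables(8) command lines."""
    lines = []
    for r in rules["dnat"]:
        cmd = ["iptables -t nat -A PREROUTING"] + (["-i " + r["iif"]] if r["iif"] else [])
        cmd.append("-p %s -d %s" % (r["proto"], r["dst"]))
        if r["dport"] is not None:
            cmd.append("--dport %d" % r["dport"])
        lines.append(" ".join(cmd + ["-j DNAT --to-destination " + r["to"]]))
    for r in rules["snat"]:
        cmd = ["iptables -t nat -A POSTROUTING -o " + r["oif"]] + (["-s " + r["src"]] if r["src"] else [])
        lines.append(" ".join(cmd + ["-j SNAT --to-source " + r["to"]]))
    return lines

if __name__ == "__main__":
    print(*("%-26s %s" % kv for kv in symptom_table(POSTED).items()), sep="\n")
    print(*as_iptables(fixed_rules()), sep="\n")
```

Two caveats for anyone lifting the rendered rules onto a real box. The hairpin rule is written as `-o eth0 -s 192.168.0.0/24` for brevity; in practice add `-d 192.168.0.0/24` so it only touches DMZ-to-DMZ traffic that was DNATed through the firewall, and remember that after it the DMZ servers log 192.168.0.1 rather than the real client address. Restricting the eth2 SNAT to `-s` private ranges matters because POSTROUTING also sees the firewall's own packets: an unrestricted `-o eth2 -j SNAT` rewrites anything the firewall itself sends from 24.114.20.5 to 24.114.20.59.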
 
 
 

Problems using Netfilter to NAT secondary IPs (ip addr add IP dev DEV)

Post by Mathew Johnston » Fri, 07 Sep 2001 09:01:32

I realized that the postrouting and the prerouting rules are conflicting
- the postrouting rule is making everything come from 24.114.20.59, which
means that stuff that should be coming from 24.114.20.5 is now coming
from 24.114.20.59.

Mat.

 
 
 
