iptables & virtual interfaces/domains NOT WORKING ??

Post by WA Suppo » Wed, 12 Jun 2002 01:47:44

Hello,

I have iptables-1.2.6a running on a Redhat Linux 7.2 system with
2.4.9-31 kernel.

I set up virtual interfaces on eth0 and assign IPs to each interface
for domains that I host.  For example I have entries in rc.local like
so,

# sendacookie.com
/sbin/ifconfig eth0:14 209.145.220.14 netmask 255.255.255.0
/sbin/route add -host 209.145.220.14 dev eth0:14

My entries in Apache web server are correct and my nameserver is
correct.  However, when I try to access 209.145.220.14 in any way
(ping, traceroute, thru browser) I get errors.

With ping, I get 'Operation not permitted'

My firewall rules for ICMP are like so,

...
$IPTABLES -N icmp_packets
...
$IPTABLES -A icmp_packets -p ICMP -s 0/0 -d 0/0 -j ACCEPT

I can ping the IP on eth0 (i.e., 209.145.220.2), no problem, but I can
not ping any of the virtual interfaces.

If I stop the firewall, then I can ping all virtual IPs okay.

Now, I have basically the same setup on another machine
running ipchains on a Redhat Linux 7.1 system.  I have never had any
problems with virtual interfaces with an ipchains firewall.  I set up
the same rules for ICMP packets under ipchains and it works fine.

I have had someone tell me that I should use iproute2, but I have
never had to use this before and do not have any experience with
iproute2.

Does anyone know what is going on here and how I can correct this?

Thanks,
Murrah Boswell
Systems Administrator
Wild Apache Internet Services

Post by OTR Co » Wed, 12 Jun 2002 11:10:16


I figured it out.

I added a variable:

INET_IP_RANGE="209.145.220.0/24"

and then added the rules:

#
# Rules for INPUT chain for virtual interfaces
#

$IPTABLES -A INPUT -p ALL -i $INET_IFACE -s $INET_IP_RANGE -d \
$INET_IP_RANGE -j ACCEPT

$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP_RANGE -d \
$INET_IP_RANGE -j ACCEPT

#
# Rules for OUTPUT chain for virtual interfaces
#

$IPTABLES -A OUTPUT -p ALL -s $INET_IP_RANGE -j ACCEPT

I had previously defined the variables:

INET_IFACE and LO_IFACE

Now everything works okay.

Again, thanks for your help,
Murrah
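A tighter form of the fix above, added here as an example and not code from the thread: instead of one `-p ALL` rule that accepts everything between two addresses in the /24, it emits one rule per aliased IP and per service, so each virtual host answers ping and HTTP(S) only and may only send replies to connections it already has. The interface name, the alias list and the ports are assumed sample values; with DRY_RUN=1 (the default) it prints the iptables commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the thread: per-alias INPUT/OUTPUT rules in
# place of one "-p ALL" rule over the whole /24. Interface name, alias list
# and ports below are assumed sample values.
INET_IFACE="eth0"
VIRTUAL_IPS="209.145.220.14 209.145.220.15"   # constructed sample aliases
WEB_PORTS="80 443"
IPTABLES="${IPTABLES:-/sbin/iptables}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = apply them

# run_rule: print or apply one iptables invocation
run_rule() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s %s\n' "$IPTABLES" "$*"
    else
        "$IPTABLES" "$@"
    fi
}

# alias_rules: each aliased IP answers ping and serves HTTP(S), nothing else,
# and may only send packets belonging to connections it already has.
alias_rules() {
    for ip in $VIRTUAL_IPS; do
        run_rule -A INPUT -i "$INET_IFACE" -p icmp --icmp-type echo-request \
            -d "$ip" -j ACCEPT
        for port in $WEB_PORTS; do
            run_rule -A INPUT -i "$INET_IFACE" -p tcp --dport "$port" \
                -d "$ip" -m state --state NEW,ESTABLISHED -j ACCEPT
        done
        run_rule -A OUTPUT -o "$INET_IFACE" -s "$ip" \
            -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
}

# count_rules: number of rules the generator emits (2 aliases x 4 = 8)
count_rules() {
    alias_rules | wc -l | tr -d ' '
}

alias_rules
```

Run it with DRY_RUN=1 first and compare the printed rules against the `-p ALL` version before applying them on a host.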


1. iptables: NAT not working behind firewall

I installed a Linux 2.4.7 on an old P2 box to use as a firewall.  I'm
using iptables  and set up port forwarding for a web server inside a
192.168 DMZ.  Problem is, NAT works only if you're outside the
firewall.  Trying to access the web server by its pre-NAT IP either
inside the firewall or from the NAT box hangs.

I thought this might have been a firewall problem so I reduced the
ruleset to the following but the problem remains:

[clear iptables chains and indexes, set I/O/F for ACCEPT]

IPADDR="1.2.3.114"
WEB_SERVER="192.168.1.10"
INT_INT="eth0"               # outside world interface
modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A POSTROUTING -o $INT_INT -j MASQUERADE
iptables -A PREROUTING -t nat -p tcp -d $IPADDR --dport 80 -j DNAT \
    --to $WEB_SERVER:80
iptables -A OUTPUT -t nat -p tcp -d $IPADDR --dport 80 -j DNAT \
    --to $WEB_SERVER:80

http://192.168.1.10 works fine on the internal machines.
http://1.2.3.114 works for machines outside the network.  It doesn't
for machines inside the network.  The connection hangs until it
eventually times out.  If it's relevant, the 1.10 test web server I'm
using is a Win98 Apache server.

According to Rusty's Unreliable Guides
(http://netfilter.samba.org/unreliable-guides/NAT-HOWTO/NAT-HOWTO.linu...),
the last rule (iptables -A OUTPUT...) should take care of altering
local connections for NAT translation.  But it doesn't seem to have
any effect.

Am I missing a rule or could this be a routing problem?  Here's the
output of 'route':

Destination     Gateway         GenMask         Flags Metric Ref    Use Iface
1.2.3.112       *               255.255.255.240 U     0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         1.2.3.113       0.0.0.0         UG    0      0        0 eth0
