Re: IP Forwarding - Need a guru.
You do not need a guru. Otherwise I couldn't answer this question :)
Since the IPs you've got on the inside are reserved IPs (for private networks),
you need an iptables rule which masquerades your inside IPs. The
following should do:
iptables -t nat -A POSTROUTING -o <outgoing interface> -j MASQUERADE
<outgoing interface> is probably eth0 or eth1. This hides all your ...
There is a HOWTO for you to read (probably the Firewall-HOWTO).
Michael.
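As an added example (not code from the posting above), a small POSIX shell script that emits the complete rule set the MASQUERADE line belongs in: forwarding on, a default-deny FORWARD chain that only passes the inside network out and replies back, and the masquerade itself. The interface names and the 192.168.100.0/24 network are assumptions taken from the setup quoted below (eth1 towards the router, eth0 towards the PCs).

```shell
#!/bin/sh
# Added example, not code from the list posting. Emits (does not apply) the
# iptables commands for a forward-only NAT box; review, then pipe into sh.
# Uses the legacy "-m state" match that fits a 2.4-era kernel like the one
# in the thread; on current kernels "-m conntrack --ctstate" is equivalent.

gen_nat_rules() {
    # $1 outside interface, $2 inside interface, $3 inside network in CIDR
    if [ "$#" -ne 3 ]; then
        echo "usage: gen_nat_rules <out_if> <in_if> <in_net/prefix>" >&2
        return 2
    fi
    out_if=$1; in_if=$2; in_net=$3
    case $in_net in
        */*) ;;                      # require a prefix, e.g. 192.168.100.0/24
        *) echo "inside net must be CIDR, got '$in_net'" >&2; return 2 ;;
    esac
    cat <<EOF
# 1. kernel forwarding on (Debian: ip_forward=yes in /etc/network/options)
echo 1 > /proc/sys/net/ipv4/ip_forward
# 2. clean, default-deny FORWARD chain: nothing crosses the box unless allowed
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -t nat -F POSTROUTING
# 3. inside -> outside, only for inside-net sources that arrive on $in_if
iptables -A FORWARD -i $in_if -o $out_if -s $in_net -j ACCEPT
# 4. outside -> inside, only replies to connections the inside started
iptables -A FORWARD -i $out_if -o $in_if -m state --state ESTABLISHED,RELATED -j ACCEPT
# 5. rewrite private source addresses to the address of $out_if on the way
#    out, so the upstream router has a route back (it has none for $in_net)
iptables -t nat -A POSTROUTING -o $out_if -s $in_net -j MASQUERADE
EOF
}

# Assumed layout from the thread: eth1 faces the router, eth0 faces the LAN
gen_nat_rules eth1 eth0 192.168.100.0/24
```

Without steps 3 and 4, forwarding alone would let the upstream side reach the private hosts directly; without step 5 the router's replies to 192.168.100.x have no route back, which is exactly the "can ping the firewall but not beyond it" symptom.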
On Wed, 2002-08-07 at 16:50, Ryan McAlister wrote:
> I'm trying to set up a firewall machine that will forward packets only. I
> will not be running any services (DNS/Squid/SSHD/NAMED/etc..) on this
> box. I have even #'ed out the services in /etc/inetd.conf.
>
> All I want this box to do is forward packets.
>
> I have ip forwarding enabled.
> I can ping inside and outside from the firewall box.
> I can ping the router (216.29.167.1) and internet ip's from the firewall
> box.
> I can ping the internal (192.168.100.49) AND external (216.29.167.225)
> nic's from my pc.
> I CANNOT ping the router (216.29.167.1) or internet ip's from my pc.
>
> What am I missing? Do I have to use IPTABLES to accomplish this?
>
> You will have to forgive me but I'm an old netware guy and I can set
> this up in like 10 minutes with a novell box. *opens self up to
> ridicule*
>
> A little info about my setup:
>
> ------------------------------------------------------------------------
>
> fw6:~# cat /proc/version
> Linux version 2.4.19 (root@fw6) (gcc version 2.95.4 20011002 (Debian
> prerelease)) #1 Tue Aug 6 14:50:25 EDT 2002
> fw6:~#
>
> ------------------------------------------------------------------------
>
> fw6:~# cat /etc/network/options
> ip_forward=yes
> spoofprotect=yes
> syncookies=no
>
> ------------------------------------------------------------------------
>
> fw6:~# cat /proc/sys/net/ipv4/ip_forward
> 1
> fw6:~#
>
> ------------------------------------------------------------------------
>
> fw6:~# route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> localnet        *               255.255.255.0   U     0      0        0 eth0
> 216.29.167.0    *               255.255.255.0   U     0      0        0 eth1
> default         216.29.167.1    0.0.0.0         UG    0      0        0 eth1
>
> ------------------------------------------------------------------------
>
> fw6:~# cat /etc/network/interfaces
> # /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)
>
> # The loopback interface
> auto lo
> iface lo inet loopback
>
> # The first network card - this entry was created during the Debian
> # installation
> # (network, broadcast and gateway are optional)
> auto eth0
> iface eth0 inet static
>     address 192.168.100.49
>     netmask 255.255.255.0
>     network 192.168.100.0
>     broadcast 192.168.100.255
>
> auto eth1
> iface eth1 inet static
>     address 216.29.167.225
>     netmask 255.255.255.0
>     network 216.29.167.0
>     broadcast 216.29.167.255
>     gateway 216.29.167.1
> fw6:~#
>
> ------------------------------------------------------------------------
>
> fw6:/# cat /etc/inetd.conf
> # /etc/inetd.conf: see inetd(8) for further informations.
> #
> # Internet server configuration database
> #
> #
> # Lines starting with "#:LABEL:" or "#<off>#" should not
> # be changed unless you know what you are doing!
> #
> # If you want to disable an entry so it isn't touched during
> # package updates just comment it out with a single '#' character.
> #
> # Packages should modify this file by using update-inetd(8)
> #
> # <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
> #
> #:INTERNAL: Internal services
> #echo stream tcp nowait root internal
> #echo dgram udp wait root internal
> #chargen stream tcp nowait root internal
> #chargen dgram udp wait root internal
> ## discard stream tcp nowait root internal
> ## discard dgram udp wait root internal
> ## daytime stream tcp nowait root internal
> #daytime dgram udp wait root internal
> ## time stream tcp nowait root internal
> #time dgram udp wait root internal
>
> #:STANDARD: These are standard services.
>
> #:BSD: Shell, login, exec and talk are BSD protocols.
>
> #:MAIL: Mail, news and uucp services.
> #disabled#smtp stream tcp nowait mail /usr/sbin/exim exim -bs
>
> #:INFO: Info services
>
> #:BOOT: Tftp service is provided primarily for booting. Most sites
> # run this only on machines acting as "boot servers."
>
> #:RPC: RPC based services
>
> #:HAM-RADIO: amateur-radio services
>
> #:OTHER: Other services
> fw6:/#
>
> ------------------------------------------------------------------------
>
> From Windows:
>
> H:\>ipconfig /all
>
> Windows IP Configuration
>
> Host Name . . . . . . . . . . . . : hostname
> Primary Dns Suffix . . . . . . . : mydomain.com
> Node Type . . . . . . . . . . . . : Hybrid
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : mydomain.com
>
> Ethernet adapter Local Area Connection:
>
> Connection-specific DNS Suffix . :
> Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
> Physical Address. . . . . . . . . : 00-00-39-E0-61-E7
> Dhcp Enabled. . . . . . . . . . . : No
> IP Address. . . . . . . . . . . . : 192.168.100.50
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 192.168.100.49
> DNS Servers . . . . . . . . . . . : 192.168.100.11
>
> H:\>ping 192.168.100.49
>
> Pinging 192.168.100.49 with 32 bytes of data:
>
> Reply from 192.168.100.49: bytes=32 time<1ms TTL=64
> Reply from 192.168.100.49: bytes=32 time<1ms TTL=64
> Reply from 192.168.100.49: bytes=32 time<1ms TTL=64
> Reply from 192.168.100.49: bytes=32 time<1ms TTL=64
>
> Ping statistics for 192.168.100.49:
>     Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
> Approximate round trip times in milli-seconds:
>     Minimum = 0ms, Maximum = 0ms, Average = 0ms
>
> H:\>ping 216.29.167.225
>
> Pinging 216.29.167.225 with 32 bytes of data:
>
> Reply from 216.29.167.225: bytes=32 time<1ms TTL=64
> Reply from 216.29.167.225: bytes=32 time<1ms TTL=64
> Reply from 216.29.167.225: bytes=32 time<1ms TTL=64
> Reply from 216.29.167.225: bytes=32 time<1ms TTL=64
>
> Ping statistics for 216.29.167.225:
>     Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
> Approximate round trip times in milli-seconds:
>     Minimum = 0ms, Maximum = 0ms, Average = 0ms
>
> H:\>ping 216.29.167.1
>
> Pinging 216.29.167.1 with 32 bytes of data:
>
> Request timed out.
> Request timed out.
> Request timed out.
> Request timed out.
>
> Ping statistics for 216.29.167.1:
>     Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
>
> H:\>
>
> Thanks,
>
> Ryan McAlister