
Re: IP Forwarding - Need a guru.



You do not need a guru. Otherwise I couldn't answer this question :)

Since the IPs you've got on the inside are reserved (private network)
addresses, you need an iptables rule which masquerades your inside IPs. The
following should do:

iptables -t nat -A POSTROUTING -o <outgoing interface> -j MASQUERADE

<outgoing interface> is probably eth0 or eth1. This hides all your ...

There is a HOWTO for you to read (probably the Firewall-HOWTO).

Michael.


On Wed, 2002-08-07 at 16:50, Ryan McAlister wrote:
> I'm trying to set up a firewall machine that will forward packets only. I
> will not be running any services (DNS/Squid/SSHD/NAMED/etc..) on this
> box. I have even #'ed out the services in /etc/inetd.conf.
>
> All I want this box to do is forward packets.
>
> I have IP forwarding enabled.
>
> I can ping inside and outside from the firewall box.
>
> I can ping the router (216.29.167.1) and internet IPs from the firewall
> box.
>
> I can ping the internal (192.168.100.49) AND external (216.29.167.225)
> NICs from my PC.
>
> I CANNOT ping the router (216.29.167.1) or internet IPs from my PC.
>
> What am I missing? Do I have to use IPTABLES to accomplish this?
>
> You will have to forgive me but I'm an old Netware guy and I can set
> this up in like 10 minutes with a Novell box. *opens self up to
> ridicule*
>
> A little info about my setup:
> 
> ------------------------------------------------------------------------
>
> fw6:~# cat /proc/version
> Linux version 2.4.19 (root@fw6) (gcc version 2.95.4 20011002 (Debian
> prerelease)) #1 Tue Aug 6 14:50:25 EDT 2002
> fw6:~#
>
> ------------------------------------------------------------------------
>
> fw6:~# cat /etc/network/options
> ip_forward=yes
> spoofprotect=yes
> syncookies=no
>
> ------------------------------------------------------------------------
>
> fw6:~# cat /proc/sys/net/ipv4/ip_forward
> 1
> fw6:~#
>
> ------------------------------------------------------------------------
>
> fw6:~# route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> localnet        *               255.255.255.0   U     0      0        0 eth0
> 216.29.167.0    *               255.255.255.0   U     0      0        0 eth1
> default         216.29.167.1    0.0.0.0         UG    0      0        0 eth1
>
> ------------------------------------------------------------------------
> 
> fw6:~# cat /etc/network/interfaces
> # /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)
>
> # The loopback interface
> auto lo
> iface lo inet loopback
>
> # The first network card - this entry was created during the Debian installation
> # (network, broadcast and gateway are optional)
> auto eth0
> iface eth0 inet static
>         address 192.168.100.49
>         netmask 255.255.255.0
>         network 192.168.100.0
>         broadcast 192.168.100.255
>
> auto eth1
> iface eth1 inet static
>         address 216.29.167.225
>         netmask 255.255.255.0
>         network 216.29.167.0
>         broadcast 216.29.167.255
>         gateway 216.29.167.1
>
> fw6:~#
>
> ------------------------------------------------------------------------
> 
> fw6:/# cat /etc/inetd.conf
> # /etc/inetd.conf:  see inetd(8) for further informations.
> #
> # Internet server configuration database
> #
> #
> # Lines starting with "#:LABEL:" or "#<off>#" should not
> # be changed unless you know what you are doing!
> #
> # If you want to disable an entry so it isn't touched during
> # package updates just comment it out with a single '#' character.
> #
> # Packages should modify this file by using update-inetd(8)
> #
> # <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
> #
> #:INTERNAL: Internal services
> #echo           stream  tcp     nowait  root    internal
> #echo           dgram   udp     wait    root    internal
> #chargen        stream  tcp     nowait  root    internal
> #chargen        dgram   udp     wait    root    internal
> ## discard              stream  tcp     nowait  root    internal
> ## discard              dgram   udp     wait    root    internal
> ## daytime              stream  tcp     nowait  root    internal
> #daytime        dgram   udp     wait    root    internal
> ## time         stream  tcp     nowait  root    internal
> #time           dgram   udp     wait    root    internal
>
> #:STANDARD: These are standard services.
>
> #:BSD: Shell, login, exec and talk are BSD protocols.
>
> #:MAIL: Mail, news and uucp services.
> #disabled#smtp          stream  tcp     nowait  mail    /usr/sbin/exim exim -bs
>
> #:INFO: Info services
>
> #:BOOT: Tftp service is provided primarily for booting.  Most sites
> # run this only on machines acting as "boot servers."
>
> #:RPC: RPC based services
>
> #:HAM-RADIO: amateur-radio services
>
> #:OTHER: Other services
>
> fw6:/#
>
> ------------------------------------------------------------------------
> 
> From Windows:
>
> H:\>ipconfig /all
>
> Windows IP Configuration
>
>         Host Name . . . . . . . . . . . . : hostname
>         Primary Dns Suffix  . . . . . . . : mydomain.com
>         Node Type . . . . . . . . . . . . : Hybrid
>         IP Routing Enabled. . . . . . . . : No
>         WINS Proxy Enabled. . . . . . . . : No
>         DNS Suffix Search List. . . . . . : mydomain.com
>
> Ethernet adapter Local Area Connection:
>
>         Connection-specific DNS Suffix  . :
>         Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
>         Physical Address. . . . . . . . . : 00-00-39-E0-61-E7
>         Dhcp Enabled. . . . . . . . . . . : No
>         IP Address. . . . . . . . . . . . : 192.168.100.50
>         Subnet Mask . . . . . . . . . . . : 255.255.255.0
>         Default Gateway . . . . . . . . . : 192.168.100.49
>         DNS Servers . . . . . . . . . . . : 192.168.100.11
>
> H:\>ping 192.168.100.49
>
> Pinging 192.168.100.49 with 32 bytes of data:
>
> Reply from 192.168.100.49: bytes=32 time<1ms TTL=64
> Reply from 192.168.100.49: bytes=32 time<1ms TTL=64
> Reply from 192.168.100.49: bytes=32 time<1ms TTL=64
> Reply from 192.168.100.49: bytes=32 time<1ms TTL=64
>
> Ping statistics for 192.168.100.49:
>     Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
> Approximate round trip times in milli-seconds:
>     Minimum = 0ms, Maximum = 0ms, Average = 0ms
>
> H:\>ping 216.29.167.225
>
> Pinging 216.29.167.225 with 32 bytes of data:
>
> Reply from 216.29.167.225: bytes=32 time<1ms TTL=64
> Reply from 216.29.167.225: bytes=32 time<1ms TTL=64
> Reply from 216.29.167.225: bytes=32 time<1ms TTL=64
> Reply from 216.29.167.225: bytes=32 time<1ms TTL=64
>
> Ping statistics for 216.29.167.225:
>     Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
> Approximate round trip times in milli-seconds:
>     Minimum = 0ms, Maximum = 0ms, Average = 0ms
>
> H:\>ping 216.29.167.1
>
> Pinging 216.29.167.1 with 32 bytes of data:
>
> Request timed out.
> Request timed out.
> Request timed out.
> Request timed out.
>
> Ping statistics for 216.29.167.1:
>     Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
>
> H:\>
>
> Thanks,
>
> Ryan McAlister

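Michael's POSTROUTING MASQUERADE rule above, worked into a complete forward-only ruleset for the addresses Ryan posted. This is an added example and not code from either message or from the Firewall-HOWTO. The interface names (eth0 inside, eth1 outside) and the 192.168.100.0/24 prefix are taken from Ryan's dump; the IPT override (set IPT="echo iptables" to print the rules instead of applying them), the FW_APPLY guard and the helper names are assumptions of this script. It also adds the two pre-flight checks a practitioner would want before blaming routing: that ip_forward really reads 1 (it did here, so that knob was not the problem), and that the inside prefix is private space, which is exactly why Ryan's pings reach the router but no reply comes back: neither the upstream router nor the Internet has a route back to a 192.168.100.x source until the firewall rewrites it to its own eth1 address.

```sh
#!/bin/sh
# Added example (not from the thread): forward-only NAT firewall for the posted
# setup. eth0 = 192.168.100.49/24 (inside), eth1 = 216.29.167.225/24 (outside).
# Assumptions of this script, not of the original posts: IPT may be overridden
# with IPT="echo iptables" for a dry run, and FW_APPLY=1 is required before
# anything is applied, so sourcing the file changes nothing by itself.

IPT=${IPT:-iptables}
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.100.0/24}

# Succeeds when the address is RFC 1918 space (10/8, 172.16/12, 192.168/16).
# Such sources are the reason MASQUERADE is needed: the upstream router and the
# Internet have no route back to them, so pings go out but replies never return.
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds when the kernel forwarding switch reads 1. The optional path argument
# lets the check be pointed at a file other than /proc (used by the self-test).
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Emit (or apply, depending on IPT) the whole ruleset: default-deny FORWARD,
# inside -> outside allowed, outside -> inside only for replies, and Michael's
# MASQUERADE narrowed to the real inside prefix. "-m state" is the 2.4-era
# match Ryan's kernel has; "-m conntrack --ctstate" is the modern spelling.
apply_fw_rules() {
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # A forward-only box runs no services, so INPUT takes only loopback and replies.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Anti-spoofing: a packet arriving from outside must not claim an inside source.
    $IPT -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    # Inside -> Internet, only from the real inside prefix.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    # Internet -> inside only as replies to connections the inside opened.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Michael's rule, restricted to the inside prefix: rewrite the private source
    # address to eth1's address on the way out; conntrack undoes it for replies.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# Pre-flight checks, then apply only when explicitly asked for.
if [ "${FW_APPLY:-0}" = 1 ]; then
    forwarding_enabled || { echo "ip_forward is not 1" >&2; exit 1; }
    is_private_ipv4 "${LAN_NET%%/*}" || \
        echo "warning: $LAN_NET is not private space; MASQUERADE may be unnecessary" >&2
    apply_fw_rules
fi
```

Run it as root with FW_APPLY=1 to load the rules, or with IPT="echo iptables" first to review what would be loaded. Once the POSTROUTING rule is in, a tcpdump on eth1 should show Ryan's pings leaving with source 216.29.167.225 rather than 192.168.100.50, and the replies coming back to that address before conntrack hands them to the PC.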