iptables and multiple ip-addresses? - Networking


Thread: iptables and multiple ip-addresses?

  1. iptables and multiple ip-addresses?

    hello,

    I'm trying to get my firewall working on my Gentoo box with kernel 2.6.19:

    external addresses = x.x.x.2-16
    internal addresses = 192.168.50.10 (192.168.50/24)
    Webserver = 192.168.50.15:80
    Tomcat=192.168.50.15:8080

    and here is my script:

    ----------------Start---------------------
    EXT_IF=eth0
    INT_IF=eth1

    EXT_DNS=x.x.x.2
    EXT_WEB=x.x.x.2
    EXT_TOM=x.x.x.6

    INT_WEB=192.168.50.15
    INT_DNS=192.168.50.15

    iptables -F INPUT
    iptables -F FORWARD
    iptables -F OUTPUT

    iptables -t nat -F

    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT

    # allow some internal traffic
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -i $INT_IF -j ACCEPT
    iptables -A FORWARD -i lo -j ACCEPT
    iptables -A FORWARD -i $INT_IF -j ACCEPT

    # Enable NAT
    iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE

    # Allow active connections
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

    # DNS Server
    iptables -A FORWARD -i $EXT_IF -p tcp -d $INT_DNS --dport 53 -j ACCEPT
    iptables -A FORWARD -i $EXT_IF -p udp -d $INT_DNS --dport 53 -j ACCEPT
    iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d $EXT_DNS --dport 53 -j DNAT --to $INT_DNS
    iptables -t nat -A PREROUTING -i $EXT_IF -p udp -d $EXT_DNS --dport 53 -j DNAT --to $INT_DNS

    # Webserver, Tomcat
    iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d $EXT_WEB --dport 80 -j DNAT --to $INT_WEB
    iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d $EXT_TOM --dport 80 -j DNAT --to $INT_WEB:8080
    iptables -A FORWARD -i $EXT_IF -p tcp -d $INT_WEB --dport 80 -j ACCEPT
    iptables -A FORWARD -i $EXT_IF -p tcp -d $INT_WEB --dport 8080 -j ACCEPT

    ----------------End---------------------

    NAT, DNS and the 192.168.50.15:80 webserver are working; what am I missing to
    get Tomcat working?

    It seems that only the external address x.x.x.2 is working. If I do an
    ifconfig I see all external interfaces from eth0 up to eth0:14.

    Any idea or help would be appreciated.




  2. Re: iptables and multiple ip-addresses?

    On Sun, 07 Jan 2007 20:18:42 +0100, Manuel Garcia wrote:

    > external addresses = x.x.x.2-16


    Is this possible, using iptables?

    --
    Regards/mvh Joachim Mæland

    If everything seems under control, you're just not going fast enough.
    -Mario Andretti.


  3. Re: iptables and multiple ip-addresses?

    >> external addresses = x.x.x.2-16
    >
    > Is this possible, using iptables?


    Can iptables handle only 1 external IP address?

    thx



  4. Re: iptables and multiple ip-addresses?


    >>> external addresses = x.x.x.2-16
    >>
    >> Is this possible, using iptables?
    >
    > can iptables handle only 1 external ip-address?


    Well, I tested with the IP range x.x.x.16-20 and it works!
    If I use the range x.x.x.2-20 and publish the servers with x.x.x.2 or
    x.x.x.16-18 it works too!
    The rules do not work if I use x.x.x.3-16! <= why? I don't really
    understand this.

    I did some tests with:

    tcpdump (listening on the external IF on address x.x.x.3): I can see incoming
    packets
    tcpdump (listening on the internal IF, dst the webserver): I can't see any
    packets

    Some tests with:

    iptables -t nat -nvL PREROUTING
    => the publish rule for the webserver shows 0 pkts and 0 bytes! <= again I
    can't understand this
    The default policy for all nat chains is ACCEPT.

    Here again the rules:
    # Webserver, Tomcat
    iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d $EXT_WEB --dport 80 -j DNAT --to $INT_WEB
    iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d $EXT_TOM --dport 80 -j DNAT --to $INT_WEB:8080
    iptables -A FORWARD -i $EXT_IF -p tcp -d $INT_WEB --dport 80 -j ACCEPT
    iptables -A FORWARD -i $EXT_IF -p tcp -d $INT_WEB --dport 8080 -j ACCEPT

    Added a new rule:
    iptables -A INPUT -i $EXT_IF -p tcp -d x.x.x.3 -j ACCEPT

    Got the same result, still no chance.

    Any ideas?
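
An added diagnostic script, not part of the thread and not the poster's rule set, that automates the two checks the thread does by hand: the first post publishes services on several external addresses with DNAT rules, and the fourth post reads `iptables -t nat -nvL PREROUTING` to see whether the Tomcat publish rule ever matched a packet. The script parses constructed sample output of that command and of `ip -4 -o addr show dev eth0` and classifies every DNAT rule as OK (it has matched packets), NO-HITS (the destination address is configured on the interface but the rule never matched) or UNASSIGNED (the destination address is not configured on the interface). All addresses are assumptions: the thread masks its public range as x.x.x.N, so the documentation range 203.0.113.0/28 stands in, and the alias label eth0:4 and the .9 rule are constructed to show each status.

```shell
#!/bin/sh
# Added example, not the poster's script: classify DNAT rules in nat/PREROUTING by
# packet counter and by whether their external destination is configured locally.
# All command output below is constructed sample data (documentation range
# 203.0.113.0/28 stands in for the thread's masked x.x.x.N addresses).

# Constructed sample of `iptables -t nat -nvL PREROUTING`
NAT_SAMPLE='Chain PREROUTING (policy ACCEPT 4120 packets, 310K bytes)
 pkts bytes target     prot opt in     out     source               destination
  318 19080 DNAT       tcp  --  eth0   *       0.0.0.0/0            203.0.113.2          tcp dpt:53 to:192.168.50.15
  955 68412 DNAT       udp  --  eth0   *       0.0.0.0/0            203.0.113.2          udp dpt:53 to:192.168.50.15
 1240 74400 DNAT       tcp  --  eth0   *       0.0.0.0/0            203.0.113.2          tcp dpt:80 to:192.168.50.15
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            203.0.113.6          tcp dpt:80 to:192.168.50.15:8080
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            203.0.113.9          tcp dpt:443 to:192.168.50.15'

# Constructed sample of `ip -4 -o addr show dev eth0` (only .2 and .6 are configured)
ADDR_SAMPLE='2: eth0    inet 203.0.113.2/28 brd 203.0.113.15 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 203.0.113.6/28 brd 203.0.113.15 scope global secondary eth0:4\       valid_lft forever preferred_lft forever'

# dnat_rules NAT_OUTPUT
# Prints one line per DNAT rule: "<pkts> <proto> <in-if> <ext-dst> <match and target text>".
# Column layout of -nvL is: pkts bytes target prot opt in out source destination [extra]
dnat_rules() {
  printf '%s\n' "$1" | awk '$3 == "DNAT" {
    extra = ""
    for (i = 10; i <= NF; i++) extra = extra (i > 10 ? " " : "") $i
    print $1, $4, $6, $9, extra
  }'
}

# local_addrs ADDR_OUTPUT
# Prints the IPv4 addresses configured on the interface, one per line, without prefix length.
local_addrs() {
  printf '%s\n' "$1" | awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4 }'
}

# check_dnat NAT_OUTPUT ADDR_OUTPUT
# One line per DNAT rule: "<status> <proto> <ext-dst> <in-if> <match and target text>"
#   OK          the rule has matched packets
#   NO-HITS     destination is configured locally but the rule never matched: the packet
#               either never reached this host's nat/PREROUTING chain or did not match
#               the rule's interface, protocol, address or port
#   UNASSIGNED  destination is not configured on the interface at all
check_dnat() {
  addrs=$(local_addrs "$2")
  dnat_rules "$1" | while read -r pkts proto iface dst extra; do
    if [ "$pkts" != "0" ]; then
      status=OK
    elif printf '%s\n' "$addrs" | grep -qxF "$dst"; then
      status=NO-HITS
    else
      status=UNASSIGNED
    fi
    printf '%s %s %s %s %s\n' "$status" "$proto" "$dst" "$iface" "$extra"
  done
}

# Stand-alone run: print the report for the constructed samples
check_dnat "$NAT_SAMPLE" "$ADDR_SAMPLE"
```

On a live box the two samples would be replaced by the real command output, for example `check_dnat "$(iptables -t nat -nvL PREROUTING)" "$(ip -4 -o addr show dev eth0)"`; the packet counter is compared as text, so `-x` is not needed and abbreviated counters such as `12K` still count as non-zero. A NO-HITS result is the case the fourth post reports: tcpdump captures frames at the device, before netfilter sees them, so seeing packets in tcpdump on the external interface does not show that they reached the nat PREROUTING chain or matched the rule, which is why the counter is the more precise check.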


