Weblog entry #2 for mektroid
Now I'm stuck. Configuring iptables to NAT with one interface was a piece of cake, but with a new one it jammed. So I left it empty.
Also took a look at the routing table and it looks fine.
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.0 0.0.0.0 255.255.255.192 U 0 0 0 eth1
10.0.0.64 0.0.0.0 255.255.255.192 U 0 0 0 eth2
74.56.59.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 10.0.0.65 0.0.0.0 UG 0 0 0 eth2
0.0.0.0 74.56.59.1 0.0.0.0 UG 0 0 0 eth0
0.0.0.0 10.0.0.1 0.0.0.0 UG 0 0 0 eth1
Network interfaces configuration:
auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet static
    address 10.0.0.1
    gateway 10.0.0.1
    netmask 255.255.255.192
    network 10.0.0.0
    broadcast 10.0.0.63

auto eth2
iface eth2 inet static
    address 10.0.0.65
    gateway 10.0.0.65
    netmask 255.255.255.192
    network 10.0.0.64
    broadcast 10.0.0.127
I have no idea which rules I should apply for iptables, and what other things am I missing?
Comments on this Entry
Not quite sure I understand your comment about NAT'ing not working with more than one NIC -- if you run NAT, you only (really) want to run it on your single external interface: eth0 in your case.
Anyway, we might be able to give you more of a hint if you post the output of:
iptables -vL
which will describe what you currently have setup.
Cheers:wq
[ Parent | Reply to this comment ]
Also, your routing table looks a bit messed up -- if I understand what you want to do correctly, you only really want to have one default route, so you could drop the "gateway" sections from your interfaces file and restart your networking. Your routing table should then look more like:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.0 0.0.0.0 255.255.255.192 U 0 0 0 eth1
10.0.0.64 0.0.0.0 255.255.255.192 U 0 0 0 eth2
74.56.59.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 74.56.59.1 0.0.0.0 UG 0 0 0 eth0
Which will confuse the kernel a little less when it tries to send packets to unknown/non-local addresses.
Cheers:wq
[ Parent | Reply to this comment ]
You are only going to want to NAT from the outside in, not NAT from both interfaces...
My routing table:
10/05/07 21:38 ~
root@edge # route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
24.249.174.0 0.0.0.0 255.255.255.192 U 0 0 0 eth0
10.0.4.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1.40
10.0.5.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1.50
10.0.6.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1.60
10.0.7.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1.70
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1.6
10.0.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1.10
10.0.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1.20
10.0.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1.30
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 24.249.174.1 0.0.0.0 UG 0 0 0 eth0
And for my iptables, I have a generic rule for all my 10.0.0.0/8 to allow routing... it isn't the best, but it is for a home net, so I am not worried.
:FORWARD DROP [0:0]
-A FORWARD -s 10.0.0.0/255.0.0.0 -j ACCEPT
-A FORWARD -d 10.0.0.0/255.0.0.0 -j ACCEPT
this would be:
iptables -P FORWARD DROP
iptables -A FORWARD -s 10.0.0.0/255.0.0.0 -j ACCEPT
iptables -A FORWARD -d 10.0.0.0/255.0.0.0 -j ACCEPT
[ Parent | Reply to this comment ]
I use it with a 3-subnet configuration (LAN / DMZ / External) and the configuration is really simple and logical.
Cheers,
Julien
[ Parent | Reply to this comment ]
http://ebox-platform.com/installation-guide
PJ
[ Parent | Reply to this comment ]
*filter
:INPUT ACCEPT [4201978:5228975614]
:FORWARD ACCEPT [135193:155095340]
:OUTPUT ACCEPT [1213774:281063048]
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth2 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [58307:4308749]
:POSTROUTING ACCEPT [19196:1189024]
:OUTPUT ACCEPT [21275:1332826]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
[ Parent | Reply to this comment ]
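The ruleset above works, but its FORWARD policy is ACCEPT and the eth1/eth2 rules forward anything regardless of destination. The script below is an added example, not code from the entry or any commenter: it generates the same two-LAN, one-external-interface layout (eth0 outside, eth1 and eth2 inside, names assumed from the entry) in iptables-restore format, with FORWARD defaulting to DROP, explicit interface pairs, a state rule for return traffic, and MASQUERADE only on eth0.

```shell
#!/bin/sh
# gen_rules EXT_IF INT_IF... : print an iptables-restore ruleset for a NAT
# gateway with one external interface and any number of internal ones.
# Apply with:  sysctl -w net.ipv4.ip_forward=1; gen_rules eth0 eth1 eth2 | iptables-restore
gen_rules() {
    ext="$1"; shift
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT ACCEPT [0:0]'
    # Nothing crosses the box unless a rule below allows it.
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Replies to connections that were opened from the inside come back through.
    printf '%s\n' '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for int in "$@"; do
        # Each internal interface may open connections toward the outside ...
        printf '%s\n' "-A FORWARD -i $int -o $ext -j ACCEPT"
        # ... and toward every other internal interface (plain routing, no NAT).
        for other in "$@"; do
            [ "$other" = "$int" ] && continue
            printf '%s\n' "-A FORWARD -i $int -o $other -j ACCEPT"
        done
    done
    printf '%s\n' 'COMMIT'
    printf '%s\n' '*nat'
    printf '%s\n' ':PREROUTING ACCEPT [0:0]'
    printf '%s\n' ':POSTROUTING ACCEPT [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Only traffic leaving on the external interface is masqueraded; the
    # internal subnets keep their real source addresses between each other.
    printf '%s\n' "-A POSTROUTING -o $ext -j MASQUERADE"
    printf '%s\n' 'COMMIT'
}

# Count the MASQUERADE rules in a generated ruleset; a correct gateway has exactly one.
masq_count() {
    gen_rules "$@" | grep -c MASQUERADE
}
```

Unsolicited traffic arriving on eth0 for the inside is dropped by the FORWARD policy; only ESTABLISHED,RELATED return packets pass.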