Thread: binding multiple IP addresses and IP masquerading

binding multiple IP addresses and IP masquerading
user name
2006-06-23 22:25:05
I must not have explained myself correctly.

When I mention the word 'bind' it is referring to a NIC that has more than 1 IP address assigned to it. This is what I want to accomplish. The IP address that I have is on the same subnet, not a totally different network (eg 10.10.10.1 and 10.10.10.2 versus 192.168.1.100 and 10.10.10.1).

I know this can be done, although I haven't implemented it. I then want my firewall rules set to take any traffic sent to the second address and masquerade this to an IP address on my intranet. I would appreciate an example of the iptables syntax that would accomplish this.

I appreciate the input.

Thanks,

James
RHCE
CCNA

"Red Hat Enterprise Linux 4 (Nahant) Discussion List" <nahant-list@redhat.com> wrote:
> James Marcinek wrote:
> > Hello Everyone,
> >
> > I have a RHEL 4 server acting as my router/firewall using IPtables. I am currently only using 1 static IP address which is used to NAT to my internal network. I would like to set up my firewall to accept requests from this 'new' static address and forward them to another system. I would also want only certain ports available going into the server.
> >
> > Can anyone help me out with this?
>
> I'm not completely sure what you mean.
>
> Assuming your server is 192.168.1.1, and your new server is 10.0.1.1 and that all your clients see your server as their gateway, then if you just add a new NIC and give it the address 10.0.1.254 then it will just work (without NAT).
>
> If you want the existing and new server on the same physical wire, then you can't really obstruct traffic.
>
> I'd not use NAT unless I needed to, for example because I only have one IP address (typical home/small office) or for part of my security implementation. If I control (or trust) the whole network, I'd rather not throw away information (client IP) that might be useful for problem determination or for security.
>
> With the setup I suggest, you can block/allow ports as you wish using iptables: directly, if you wish, but I prefer to use shorewall, which uses a set of tables in simple text files to build the rules.
>
> Note, if there is some arbitrary network between your old and new servers, you _can_ set explicit routes to direct traffic to the new server through one interface whilst all other traffic goes through the other. See your network configuration tool for how to do it.
>
> -- 
> 
> Cheers
> John
> 



--
nahant-list mailing list
nahant-list@redhat.com
https://www.redhat.com/mailman/listinfo/nahant-list
binding multiple IP addresses and IP masquerading
user name
2006-06-24 10:29:30
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

James Marcinek wrote:
> I must not have explained myself correctly.
>
> When I mention the word 'bind' it is referring to a NIC that has more than 1 IP address assigned to it. This is what I want to accomplish. The IP address that I have is on the same subnet, not a totally different network (eg 10.10.10.1 and 10.10.10.2 versus 192.168.1.100 and 10.10.10.1)
> I know this can be done, although I haven't implemented it. I then want my firewall rules set to take any traffic sent to the second address and masquerade this to an IP address on my intranet.

I have to say that the way you describe this is mildly confusing to me. It feels like there is some information missing.

Let me see if I follow:
How many physical interfaces does this machine have? My assumption here, although you don't actually say this, is 2. Otherwise forwarding makes no sense.
I now am going to assume that you have added an additional 'virtual' IP address to one of these interfaces (the external one) and you want to redirect traffic hitting this new IP to an internal host.

So (with a certain amount of artistic license here) your RHEL4 box is a bit like this... (?)

  OUTSIDE
          eth0    10.10.10.1
          eth0:0  10.10.10.2
          ------
         |      |
         |      |
         |      |
          ------
          eth1   192.168.0.1

  INSIDE|INTRANET

Is that close enough?
You want traffic hitting your new eth0:0 IP to be forwarded onto a specific internal host/subnet?

> I would appreciate an example of the
> iptables syntax that would accomplish this.

Destination NAT example:
iptables -t nat -A PREROUTING -d 10.10.10.2 -j DNAT --to-dest 192.168.0.25

To ensure traffic flows both ways (assuming that hosts on 10.10.10.0/24 cannot see 192.168.0.0/24) you might want to masquerade on the way out.

Source NAT example:
iptables -t nat -A POSTROUTING -s 192.168.0.25 -j SNAT --to-source 10.10.10.1


So, if this looks totally wrong to you, please explain *in more detail* *with concrete examples* precisely what you are trying to achieve.

Kind Regards


Stuart
- --
Stuart Sears RHCA RHCX
Quit worrying about your health.  It'll go away.
		-- Robert Orben
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org


iD8DBQFEnRQKamPtx1brPQ4RAoEVAJ9JdFojYyRw6ssjahTVoVI0218F+ACcCwlj
jErLfApoJrxLgQ7eWoa0xRA=
=Vlqe
-----END PGP SIGNATURE-----
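
Stuart's DNAT and SNAT rules, assembled into one script that also adds the secondary address and limits the forwarded traffic to chosen ports (James asked for "only certain ports"). This is an added example, not code from the thread or from Red Hat: interface names and addresses are taken from Stuart's sketch (eth0 10.10.10.1, eth0:0 10.10.10.2, eth1 192.168.0.1, internal host 192.168.0.25); the port list, the `-i eth0`/`-o eth0` interface pins and the ESTABLISHED,RELATED rule are assumptions of mine. Two points the thread's one-liners leave implicit: DNAT replies are reversed by connection tracking on their own, so the SNAT rule is only needed for connections that 192.168.0.25 opens outbound; and matching the DNAT rule on the secondary address plus `-i eth0` keeps traffic to 10.10.10.1 terminating on the firewall itself. With DRY_RUN=1 (the default) the script prints the commands instead of running them, so the ruleset can be reviewed before it touches a live box.

```shell
#!/bin/sh
# Added example (not from the thread): DNAT a secondary external address to an
# internal host, restricted to a port list, with SNAT for the host's own
# outbound connections. Names, addresses and ports are assumptions taken from
# the thread's sketch; adjust them to your own network.

EXT_IF=eth0
EXT_PRIMARY=10.10.10.1        # address on eth0
EXT_SECONDARY=10.10.10.2      # second address on the same NIC (eth0:0)
PREFIX=24
INT_IF=eth1
INT_HOST=192.168.0.25         # internal host that receives the traffic
FORWARDED_TCP_PORTS="80 443"  # assumption: only these TCP ports are exposed
DRY_RUN=${DRY_RUN:-1}         # 1 = print commands, 0 = execute them

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Step 1: secondary address on the external NIC and IP forwarding.
# "label eth0:0" keeps the alias visible to ifconfig-era tools.
add_secondary_address() {
    run ip addr add "$EXT_SECONDARY/$PREFIX" dev "$EXT_IF" label "$EXT_IF:0"
    run sysctl -w net.ipv4.ip_forward=1
}

# Step 2: let replies in either direction pass FORWARD.
allow_established() {
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Step 3: for one port, DNAT in PREROUTING (matched on the secondary address
# and the external interface only) and a FORWARD rule for the new connection.
# DNAT has already rewritten the destination when FORWARD sees the packet,
# so the FORWARD match uses the internal address. Replies are un-translated
# by conntrack; no rule is needed for them.
forward_port() {
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_SECONDARY" \
        -p tcp --dport "$1" -j DNAT --to-destination "$INT_HOST"
    run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$INT_HOST" \
        -p tcp --dport "$1" -m state --state NEW -j ACCEPT
}

# Step 4: Stuart's SNAT for connections the internal host originates towards
# the outside, so 10.10.10.0/24 never needs a route back to 192.168.0.0/24.
# Pinned to -o eth0 so traffic between internal subnets is not rewritten.
snat_outbound() {
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_HOST" \
        -j SNAT --to-source "$EXT_PRIMARY"
}

# Emit (or apply) the whole ruleset in order.
build_ruleset() {
    add_secondary_address
    allow_established
    for p in $FORWARDED_TCP_PORTS; do
        forward_port "$p"
    done
    snat_outbound
}

# Sanity check on the generated set: number of DNAT rules, one per port.
dnat_rule_count() {
    ( DRY_RUN=1; build_ruleset ) | grep -c -- '-j DNAT'
}

build_ruleset
```

Run it once with the default DRY_RUN=1, read the printed rules, then run `DRY_RUN=0 sh thisscript.sh` as root to apply them; the rules are appended, so flush the nat and filter tables first if you rerun it.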

binding multiple IP addresses and IP masquerading
user name
2006-06-25 11:48:38
Stuart Sears wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> James Marcinek wrote:
>
>> I must not have explained myself correctly.
>>
>> When I mention the word 'bind' it is referring to a NIC that has more than 1 IP address assigned to it. This is what I want to accomplish. The IP address that I have is on the same subnet, not a totally different network (eg 10.10.10.1 and 10.10.10.2 versus 192.168.1.100 and 10.10.10.1)
>> I know this can be done, although I haven't implemented it. I then want my firewall rules set to take any traffic sent to the second address and masquerade this to an IP address on my intranet.
>
>
> I have to say that the way you describe this is mildly confusing to me. It feels like there is some information missing.
>
> let me see if I follow:
> How many physical interfaces does this machine have?
> My assumption here, although you don't actually say this, is 2.
> Otherwise forwarding makes no sense.

That's actually not true; we have 192.168.1.x and 192.168.2.x on the same wire.

Our DHCP server issues 1.x addresses and gives 1.252 as the router. It then uses iptables to force http into squid, and routes other traffic via another router on 2.x. It _could_ (but does not at present) equally well route all traffic via a router on 4.x (which is a different wire).


I realise it's imperfect, but in our environment it's adequate.
fwiw eth0 is 1.252, and eth0:0 is 2.252.



-- 

Cheers
John


do not reply off-list
