Networking :: Forward Multiple Public Addresses With Iptables?
Jun 3, 2011
iptables and multiple public-facing IP addresses. With the current setup I have a public-facing firewall with iptables which will then forward traffic to a LAN IP. I will hopefully be allotted 1 private IP per public IP, which I hope will make this much more simple. For example, I have server A with the LAN IP of 10.0.0.1 which I would like to have traffic forwarded from 5.0.0.1, the public IP. I also have server B with LAN IP of 10.0.0.2 which I would like to have forwarded from 5.0.0.2, the second public IP. From what I have read and understood, this should be a simple task, however I would just like to double check to make sure that it is in fact possible, and if so, how would it be recommended that I go about doing so. Essentially, I need to forward each public IP to a corresponding LAN IP with all ports.
We have a new Bussiness DSL line with 16 public addresses.What we want is to setup a DMZ to run some services and internet to the LAN. Here's a schematic of what we want:
Code:
Backup Internet Main Internet connection connection | | | | SDSL Modem BDSL Modem
How can I forward all traffic from a public IP to another public IP. Let's say I have a first debian box named box1 with eth0 = 1.1.1.1 and eth0:1 = 1.1.1.2 and I want to forward all traffic from 1.1.1.2 to "box2" located somewhere else over the internet and having for eth0 2.2.2.2 Both 1.1.1.0/24 and 3.3.3.0/24 are public IP ranges.
I have two nagging problems on one network which I do not have on another elsewhere, both using uptodate Debian servers. The server is on the private subnet behind a router/adsl modem. The symptoms of the one which does not work
1) Users cannot access their web site from lan. If they try, they get to the router web interface, same as if they entered http:10.0.0.138 which is the router's lan address.
2) Users cannot access smtp or pop3 service using the domain name, they can access it only using the servers LAN address.
I fear that I might have not set up the router properly because appart from that the two servers are almost identical but I do not know where I might have made an error.
So here is my issue in a nutshell. I need to take FTP requests that hit Server_A and forward them to Server_B. Server_B is not natted...Server_B is another public server in a completely different location in the world. One thing to note is that I only have one NIC hence why you will see both in and out being eth0. This is what I have in my iptables on SERVER_A:iptables -A FORWARD -p tcp -i eth0 --sport 21 -o eth0 -d SERVER_B --dport 21 -m state --state NEW -j ACCEPTiptables -A FORWARD -p tcp -i eth0 --sport 20 -o eth0 -d SERVER_B --dport 20 -m state --state NEW -j ACCEPTI've also tried both of the above without the --sport option. When I FTP to SERVER_A (where the above iptables rule are) it connects to SERVER_A instead of forwarding them to SERVER_B.
I need to forward a port to use dtella. I'm using Fedora 10, using iptables for my firewall.
I'm currently trying to forward it from terminal with this command:
Code: sudo iptables -t nat -A PREROUTING -p udp -i eth0 -d [ip address] --dport 11823 -j DNAT --to 192.168.0.2:80 this is what I get from iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
I have three machines on three networks192.x.x.x10.x.x.x172.x.x.xThe routers are set to forward communication between 192. network and 10. network, and between the 10. network and the 172. network.However, there's not routing between 192. and 172.I want to fix that by using a machine on the 10. network to forward communication between the other two networks.The machine has one etherent connection eth0 whose address is 10.1.1.11I set up an aliased ip address eth0:0 to be 10.1.1.12 using Quote:ifconfig eth0:0 10.1.1.12Then I tried to set forwarding rules the 10. machine such that 10.1.1.12 address will provide access to the machine 172.1.1.55 as followsQuote:# iptables -t nat -A PREROUTING -d 10.1.1.12 -j DNAT --to-destination 172.1.1.55The default policies for all chains is ACCEPT.I then try to access 10.1.1.12 from 192.1.1.20 expecting it to actually access 172.1.1.55 ; it does not work
Lets say i have two machines on public ips. If i get incoming traffic on machine #1 on port 55242 i would just like to forward it to machine #2 on port 35000.I would just like to use machine #1 same way as a dns server works. It just redirects the traffic and tells the client where to go.
The goal is to make connection calls (ssh, ping, ...) possible from one LAN (LAN-1) to a number of (at the moment two) separate smaller LANs.These smaller LANs (LAN-2a, LAN-2b, ...) have exact same specifications (same IP range, same number of nodes, ...)!The idea is to use a Fedora box (release 14 with 2.6.35.6-45.fc14.i686) and implement an appropriate iptables routing/forwarding.The Fedora box has three network interfaces:
- eth0 (aaa.bbb.ccc.m) on LAN-1 (aaa.bbb.ccc.0/24) - eth1 (ddd.eee.fff.n) on LAN-2a (ddd.eee.fff.0/27) - eth2 (ddd.eee.fff.p) on LAN-2b (ddd.eee.fff.0/27)
I'm using Fedora Core5.0 I have using Iptables for forward port 80 to port 3128(Squid) in the same of server.I need to forward using Iptables to use the other proxy server because this server i am use for vpn and mail tranfer.What a Commnand for i use?ase 1. Server 1 >Ip 192.168.0.4 SQUID WITH PORT(3128)2. Server 2 IP 192.168.0.254 PF SENSE (3128) I will use server 2 for using internet connect only.
My Linux gateway has multiple address to internet: eth0 = 76.148.200.3 eth0:0 = 76.148.200.4 eth0:1 = 76.148.200.5 and it's own gateway which is 76.148.200.2 (probably not relevant) and I also have which is not internet, but local: eth0:2 = 192.168.0.1 netmask 255.255.255.0
They all work fine and tested. Now I am sharing the internet through eth0 (76.148.200.3) to 192.168.0.1/24 and that's working fine. The script I use to do that is here...
Code: #!/bin/sh echo 1 >/proc/sys/net/ipv4/ip_forward echo 1 >/proc/sys/net/ipv4/ip_dynaddr iptables -t nat --flush iptables -A FORWARD -i eth0 -d 192.168.0.1/24 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -s 192.168.0.1/24 -o eth0 -j ACCEPT iptables -A FORWARD -j LOG iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Now all I want to change in the script is to share it through 76.148.200.4 (eth0:1) instead of what is already sharing through 76.148.200.3 (eth0). I am sure this is easy but can't work it out and iptables doesn't accept 'aliases'. How I can do this by modifying this script?
I have run into a problem that I've tracked down to being a conflict between the "Upstart" init system, and how it handles multiple (alias) IP addresses per physical interface. The summary of the problem is that the interfaces are being configured in the background in parallel with the starting of daemons. One "feature" of this (apparently intended for pluggable devices that would add or remove an interface) is that the network daemons are restarted each time an interface is added (and presumably deleted). But this is a disaster when applied to alias IP addresses.
I first saw the effects of this when during booting Ubuntu Server, the screen showed a message about OpenSSH daemon being restarted ... several times a few seconds apart each. At the time I didn't know what was causing that, but didn't worry because it ultimately was running when I needed it.
But now that I am deploying these servers for specific duty with many IP addresses per system (per network interface), the symptoms are becoming serious, and I need a solution.
1. The IP addresses are coming online too slowly. Apparently the time it takes to restart each daemon is being added to each address being configured.
2. It appears to be disrupting some daemons sometimes. Occaisionally, some daemon just ends up being hung somewhere, or dies. Too many restarts.
3. Sometimes few or even no alias addresses get configured. This might be due to a daemon getting hung, and the whole sequence just not finishing.
4. The "nsd" name server as packaged by Ubuntu doesn't deal well with this at all. It needs all its IP addresses to be up when it starts, or else it won't start. The Ubuntu package of it doesn't including any if-up script at all, although I'm not sure that would do any good.
What I need is a way to configure all these alias IP addresses so they are all configured immediately when the point in time is reached to bring up network interfaces for the first time. These are all static, and all are aliases on ethernet NIC cards plugged into PCIe cards, or integrated in the mainboard. None of them are pluggables. I did run a manual test of "ifconfig" in a loop configuring 2540 alias IP address on eth0 and it only took 2 seconds (no if-up triggers or daemon restarts here). So I know it's fast if nothing else is done between these steps.
Even for pluggable physical interfaces, I see no reason to even try to step through every alias (if it has aliases) with a daemon restart. If an alias IP address is added on later, then I can understand doing it. But if you have a list of 100 aliases for a physical interface, they really should all be done ... or at least attempted ... at once, and do any triggers needed after that.
So, how can I configure or modify Ubuntu Server 9.10 to do that?
I have each alias listed in the "/etc/network/interfaces" file with a separate "auto" and "iface" section for each one, with sequential sub-interface numbers appended to the interface name. I tried it without those sections (e.g. just "address" and other items in sequence) and that prevents the system from even coming up (bootable CD to the rescue to undo that). At least cntrl-alt-del did reboot it.
I tried to attach the /etc/network/interfaces file, but I don't know if it worked because I see no confirmations about it. if it didn't attach and you need to see it, say so, and I'll just paste it in a followup.
I recently purchased a block of 5 IPs from Comcast. I have a computer running Arch Linux connected to the Comcast gateway they gave me. On my connected computer I have 2 Windows XP virtual machines running. Now I was wondering how can I make each of those virtual machines have a different public IP, because currently the only thing I can get working is have the computer and both virtual machines sharing the same public IP.
i am working at a place that has 2 physical web servers yadayada1 and yadayada2 but only one public ip address i can use dyndns to register 2 dynamic domains on the same ip address how can i get yadayadayada1.dyndns.org to route to yadayada1 and yadayadayada2.dyndns.org to route to yadayada2 ?
This works perfectly, however when I try to add a second client this way it doesnt. I tried to add the above code multiple times as a whole (2 times the above code) but that doesnt work. I also tried to just add more lines under host apex but this also doesnt work.
So my question is: How do I add more of this mac related IP adress assignments in the dhcp.conf?
Fedora 12 running under VirtualBox 3.2.8 w/ Bridged networking Host OS Windows 7
I have 3 IP addresses set up in on my Fedora 12 installation: Directory: /etc/sysconfig/network-scripts/ ifcfg-eth0 -> 192.168.0.170 ifcfg-eth0:0 -> 192.168.0.171 ifcfg-eth0:1 -> 192.168.0.172
Hostname is configured to host associated with 192.168.0.170 in /etc/hosts
When I reboot and execute # ifconfig
eth0 is associated with the 172 address and the other addresses are not active. After I run # service network restart
All of the addresses are active and associated with the correct interfaces. Content of my ifcfg files below:
i have a commercial ISP connection with 5 IP addresses available and i want the following configuration note when i say domain group i am refering to a group of top level domains (not subdomains) owned by the same entity (company) with their A records pointed at the same public IP for a single server
I have a CentOS5 server with dual ethernet adapters + Webmin installed as my Router / Firewall / DHCP server working successfully with 1 static IP from my ISP. I also have 7 additional static IP addresses from my ISP needing to configure to individual servers inside my network. I have configured the additional virtual interfaces, but am lost on how to route data specifically from additional ISP address to specific internal network address.
Below is my desired configuration. 98.173.159.xx1 = eth0 physical interface ==> eth1 192.168.1.1 98.173.159.xx2 = eth0:1 virtual interface ==> 192.168.1.10 ==> CentOS Server 2 98.173.159.xx3 = eth0:2 virtual interface ==> 192.168.1.20 ==> CentOS Server 3 98.173.159.xx4 = eth0:3 virtual interface ==> 192.168.1.30 ==> CentOS Server 4 98.173.159.xx5 = eth0:4 virtual interface ==> 192.168.1.40 ==> Mac OS X Server 1 98.173.159.xx6 = eth0:5 virtual interface ==> 192.168.1.50 ==> Mac OS X Server 1 98.173.159.xx7 = eth0:6 virtual interface ==> 192.168.1.60 ==> Network Attached Storage Server 1 98.173.159.xx8 = eth0:7 virtual interface ==> 192.168.1.70 ==> Windows 2008 Server 1
I recently installed Ubuntu Server 9.10 with the intent of using it as a platform for running a couple of Windows XP virtual machines along with Linux/Ubuntu.
I had no problems getting the server installed. Had no problems getting the network up and running so that I had access to both my internal network as well as external connectivity to the internet. Had no problems getting a VM installed and putting Windows XP inside of it. Had no problems setting up a bridge between the WinXP virtual machine and the physical ethernet card (eth0).
What Im having trouble with is figuring out how to bridge from multiple VMs AND Ubuntu natively through one physical ethernet card.
When I set up the bridge, it knocks out the static IP address of the ethernet card that was set up initially with Ubuntu when first installed before the VM was created and installed. Therefore, connectivity within Ubuntu natively is lost.
Similarly, am having trouble figuring out how the second VM (also going to be running WinXP) is going to get its connectivity since it doesnt seem to like me setting up 2 bridges to the same physical ethernet interface card.
I need all 3 machines to have static IP addresses and be visible/accessible from the external network for either web/mail/dns/etc servers on the Ubuntu side and for remote PC control functionality on the VM side.
I have tried setting up alias ethernet interfaces (eth0:1, eth0:2, eth0:3) with static addresses which work fine from native Ubuntu in presenting multiple IP addressees, but it seems that Im not permitted to bridge to these alias interfaces.
I'm using a Debian servers, as router/firwall.. I've two ethernet interfaces into the server, one for wan and one for lan. The i use SNAT so my LAN clients can access the internet throgh the debian router. That is working... Now i want to be able to access servers on the LAN site from the WAN site, and i wanna use port address translation (PAT). I have a FTP server running on a lan server, so i'm trying to portward port 21.
When people try to access my FTP from the WAN site, they are redirected to the local FTP server, and they are promted for crendentials, but when the credentials are typed, and the local ftp server should answer the wan request, the connections dies.
The wan clients are being promted for credentials, so they are redirected to the local lan server, but after that the connections dies, so i think there is some kind of nat problem, when the local lan server is trying to respond to the wan request..
I am trying to do a NAT forward in iptables but get the following error:Quote:[root@server88-xxx-xxx-198 openvpn]# iptables -t nat -I POSTROUTING -i tun0 -o eiptables v1.3.5: Can't use -i with POSTROUTINGAny ideas on what to do?I have an OpenVON server running and I need the client to use the ports on the OpenVPN server
my company is a small company!and it only have one public ip,but my company have a lot of websites to access!now i use Reverse Proxy Server -- apahce to solve temporary!it is not convenience for me !So i think out whether iptables can not be used to forward according to the domain!!it is the test as follows:
public ip :10.0.0.1 privite ip1 :192.168.1.1 matching website domain:www1.test.com privite ip2:192.168.1.2 matching website domain:www2.test.com
and if someone access [URL] the iptables will know they want to access 192.168.1.1 and it will forward to the server 192.168.1.1!!
I just upgraded my fedora 13 to fedora 14. I changed the cpu and the motherboard so i had to install from scratch...but I saved my iptables. The problem is that I do all the suff service iptables save And apparently it works... But everytime I reboot I have to re run the script to forward Internet...Everything else works just fine...I mean I can ssh, vnc, etc but wont forward intel :S dont know why?
whether iptables logs can be set to automatically resolve IP addresses? I am running the firewall on a network with DDNS/DHCP, and this ability would really help quickly identify hosts with suspect traffic.Failing this, I guess the simplest solution will be to simply set static addresses!
