[TriLUG] Iptables help
Aaron S. Joyner
aaron at joyner.ws
Wed Mar 24 12:49:59 EST 2004
Okay, I'll give the original question a shot. Feel free to correct me
if I flub something; I'm going to type this out mostly from memory.
First, a brief network description is in order...
Box1 | eth0 | 10.0.0.2 | eth0 -> Box2's eth0
Box2 | eth0 | 10.0.0.1 | eth0 -> Box1's eth0
Box2 | eth1 | 22.214.171.124 | eth1 -> Box3's eth0
Box3 | eth0 | 126.96.36.199 | eth0 -> Box2's eth1
To set up what you describe, first, you'll need to ensure all 3 machines
can ping each other:
1) Ensure Box1 can ping 10.0.0.1
2) Ensure Box2 can ping 10.0.0.2 and 188.8.131.52
3) Ensure Box3 can ping 184.108.40.206
Next, if this setup is not quite so simplified (if Box2 and Box3 aren't
on the same physical network), you'll need to ensure that Box2 has a
default gateway. This is sort of implied by Step 3 of the previous
statement, but I'm making it explicit in case you ignored my ping steps
and brazenly continued. :p
Box2# ip route show dev eth1
220.127.116.11/24 proto kernel scope link src 18.104.22.168
default via x.x.x.x (some machine that can route to 22.214.171.124)
Then you'll need to configure Box2 to do three things:
1) Route packets between interfaces
2) Log the packets you want it to
3) Masquerade packets from eth0 to eth1
----- Sample configuration session on Box2 -----
Box2# echo 1 > /proc/sys/net/ipv4/ip_forward
Box2# iptables -A FORWARD -p icmp -s 10.0.0.0/24 -j LOG
Box2# iptables -t nat -A POSTROUTING -o eth1 -s 10.0.0.0/24 -j MASQUERADE
----- End sample session -----
You should then be able to ping Box3 from Box1, and Box2 will masquerade
the packets, and log them to syslog. Note: a malicious user could then
do a relatively light ping flood and possibly bring that box to its
knees (depending on its hardware, as logging is a lot more intensive
than just masquerading), so you should explore the --limit options for
the LOG target before getting this anywhere near a production setup.
Potential gotchas: If things don't go as you expect, ensure that:
- the iptables default rules are all set to ACCEPT.
- do you actually have routes for each of the interfaces?
(a la: 'ip route show dev eth0' on Box0 should return something like...
10.0.0.0/24 scope link)
- Your testing method of "is it getting a ping" is valid...
- All of the original ping tests _really_ work...
That should be enough to get the basics across. If your instructor
can't get it working from that description, I hate to say it, but they
need to find a new instructor. This is truly basic stuff - heck I've
been doing masquerading since the mid 90s when it was just two or three
machines sharing a dialup connection. 16yr olds figure it out every day.
I hope this all turns out to be helpful, for this much typing. :p
Maybe someone on Google will benefit from it one of these days. :)
Aaron S. Joyner
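The three Box2 steps above, plus the two routing "gotchas" as a preflight check, as a re-runnable script. This is an added example, not part of the original post; it assumes the LAN is 10.0.0.0/24 behind eth0 and the upstream link is eth1, and it rate-limits the LOG rule as the post recommends.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed layout: LAN net on
# LAN_IF, upstream on WAN_IF. DRY_RUN=1 prints the commands instead of
# running them, so the rule set can be reviewed without root.
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
LAN_NET="${LAN_NET:-10.0.0.0/24}"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Preflight from the gotchas list: the `ip route` output fed on stdin must
# carry a link route for the LAN and a default route, or forwarding
# "works" on Box2 but replies never find their way back.
routes_look_sane() {
    text=$(cat)
    echo "$text" | grep -q "^$LAN_NET" || return 1
    echo "$text" | grep -q "^default via" || return 1
    return 0
}

apply_rules() {
    # 1) route packets between interfaces
    run sysctl -w net.ipv4.ip_forward=1
    # 2) log forwarded ICMP from the LAN. Transit traffic traverses FORWARD,
    #    not INPUT, and --limit keeps a ping flood from drowning syslog.
    run iptables -A FORWARD -i "$LAN_IF" -p icmp -s "$LAN_NET" \
        -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "FWD-ICMP: "
    # 3) masquerade LAN traffic leaving via the upstream interface.
    #    MASQUERADE is only valid in the nat table's POSTROUTING chain.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" \
        -j MASQUERADE
}
```

Source the file, preview with `DRY_RUN=1 apply_rules`, then run `apply_rules` as root once `ip route show | routes_look_sane` succeeds.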
Greg Kuhn wrote:
>First off, I apologize for the inconvenience, didn't know that everybody was going to get the email. I thought all email for the mailing list was routed through the trilug at trilug.rog address. I have lowered my spam blocker to medium which should take care of the problem.
>Secondly, if I had the rules that I was trying I would post them, the machines we use are blocked from the internet because we have root access and therefore I can't get the rules tried. From my point of view nobody's doing my homework for me or us. We were all working independently. No one was successful. End of assignment, I'm just trying to get the rule sets needed so that we can all see what we should have done. I will try the suggestions provided and maybe I will figure it out. If someone can provide the solution easily and wants to, great; if not, that's fine too. Just thought I would ask.
>From: Jon Carnes <jonc at nc.rr.com>
>Sent: Mar 24, 2004 6:36 AM
>To: Triangle Linux Users Group <trilug at trilug.org>
>Subject: Re: Re: [TriLUG] Iptables help
>Dear List maintainers (that's the Steering committee),
>Can we VERP the list and have this individual kicked off?
>Many thanks - Jon Carnes
>On Wed, 2004-03-24 at 09:33, automated-response at earthlink.net wrote:
>>This is an automatic reply to your email message to
>>thetruthisoutthere at earthlink.net
>>This email address is protected by EarthLink spamBlocker. Your email
>>message has been redirected to a "suspect email" folder for
>>thetruthisoutthere at earthlink.net. In order for your message to be
>>moved to this recipient's Inbox, he or she must add your email address
>>to a list of allowed senders.
>>Click the link below to request that thetruthisoutthere at earthlink.net
>>add you to this list.