[Fwbuilder-discussion] Re: Fwbuilder-discussion digest, Vol 1 #93 - 5 msgs
From: Stanley W. <sta...@re...> - 2002-12-02 03:41:55
Dear Sir,

I used fwbuilder 10.6 to configure iptables to allow internal computers to access the internet through the firewall (internet-internal gateway). I set it to masquerade (NAT) a group of internal IPs to the internet IP of the gateway. I succeeded in connecting to the internet. However, when I try to allow a specific IP, or all, with an incoming port, I fail to masquerade the outside IP to the internal address through the firewall. So how can I configure fwbuilder in order to use some programs, like MS NetMeeting, with incoming traffic on the internal PCs?

----- Original Message -----
From: <fwb...@li...>
To: <fwb...@li...>
Sent: Sunday, December 01, 2002 4:13 AM
Subject: Fwbuilder-discussion digest, Vol 1 #93 - 5 msgs

> Today's Topics:
>
> 1. Is there a limit to the number of NAT rules? (Keith Morse)
> 2. Re: Is there a limit to the number of NAT rules? (Vadim Kurland)
> 3. Re: Is there a limit to the number of NAT rules? (Keith Morse)
> 4. Re: Is there a limit to the number of NAT rules? (Vadim Kurland)
>
> --__--__--
>
> Message: 1
> Date: Fri, 29 Nov 2002 15:18:18 -0800 (PST)
> From: Keith Morse <kg...@mp...>
> To: fwb...@li...
> Subject: [Fwbuilder-discussion] Is there a limit to the number of NAT rules?
>
> A firewall I manage has seven interfaces. eth0 is the internet facing one
> and the rest are internal. I just lit the seventh this morning, eth6, and
> I'm seeing an odd behaviour. The NAT rule I applied for this using
> fwbuilder is not being implemented. From "iptables -nL" and just listing
> the ptmp001.
>
> Chain ptmp001 (2 references)
> target             prot opt source           destination
> RETURN             all  --  206.135.172.195  0.0.0.0/0
> RETURN             all  --  10.1.1.254       0.0.0.0/0
> RETURN             all  --  192.168.1.1      0.0.0.0/0
> RETURN             all  --  10.10.1.254      0.0.0.0/0
> RETURN             all  --  10.20.1.254      0.0.0.0/0
> RETURN             all  --  10.30.1.254      0.0.0.0/0
> RETURN             all  --  10.40.1.254      0.0.0.0/0
> RETURN             all  --  10.1.1.0/24      0.0.0.0/0
> RETURN             all  --  192.168.1.0/24   0.0.0.0/0
> RETURN             all  --  192.168.2.0/24   0.0.0.0/0
> RETURN             all  --  10.10.1.0/24     0.0.0.0/0
> RETURN             all  --  10.20.1.0/24     0.0.0.0/0
> RETURN             all  --  10.30.1.0/24     0.0.0.0/0
> eth0_Out_RULE_5_3  all  --  0.0.0.0/0        0.0.0.0/0
>
> The subnet I want to include is 10.40.1.0/24. I've even run the iptables
> command by hand with no success. Example
>
> iptables -t nat -A POSTROUTING -o eth0 -s 10.40.1.0/24 -j SNAT --to-source 206.135.172.195
>
> Ideas anybody?
>
> --__--__--
>
> Message: 2
> Date: Fri, 29 Nov 2002 18:02:07 -0800
> Subject: Re: [Fwbuilder-discussion] Is there a limit to the number of NAT rules?
> Cc: fwb...@li...
> To: Keith Morse <kg...@mp...>
> From: Vadim Kurland <va...@vk...>
>
> I do not know what the limit is, or even if there is a limit. I saw
> this question asked on the netfilter mailing list but never saw an answer.
>
> Can you see your new rule when you do "iptables -t nat -L -n"? You
> need to add "-t nat" to see chains in the table 'nat'.
>
> --vk
>
> On Friday, November 29, 2002, at 03:18 PM, Keith Morse wrote:
>
> > A firewall I manage has seven interfaces. eth0 is the internet facing one
> > and the rest are internal. I just lit the seventh this morning, eth6, and
> > I'm seeing an odd behaviour. The NAT rule I applied for this using
> > fwbuilder is not being implemented. From "iptables -nL" and just listing
> > the ptmp001.
> >
> > Chain ptmp001 (2 references)
> > target             prot opt source           destination
> > RETURN             all  --  206.135.172.195  0.0.0.0/0
> > RETURN             all  --  10.1.1.254       0.0.0.0/0
> > RETURN             all  --  192.168.1.1      0.0.0.0/0
> > RETURN             all  --  10.10.1.254      0.0.0.0/0
> > RETURN             all  --  10.20.1.254      0.0.0.0/0
> > RETURN             all  --  10.30.1.254      0.0.0.0/0
> > RETURN             all  --  10.40.1.254      0.0.0.0/0
> > RETURN             all  --  10.1.1.0/24      0.0.0.0/0
> > RETURN             all  --  192.168.1.0/24   0.0.0.0/0
> > RETURN             all  --  192.168.2.0/24   0.0.0.0/0
> > RETURN             all  --  10.10.1.0/24     0.0.0.0/0
> > RETURN             all  --  10.20.1.0/24     0.0.0.0/0
> > RETURN             all  --  10.30.1.0/24     0.0.0.0/0
> > eth0_Out_RULE_5_3  all  --  0.0.0.0/0        0.0.0.0/0
> >
> > The subnet I want to include is 10.40.1.0/24. I've even run the iptables
> > command by hand with no success. Example
> >
> > iptables -t nat -A POSTROUTING -o eth0 -s 10.40.1.0/24 -j SNAT --to-source 206.135.172.195
> >
> > Ideas anybody?
>
> --__--__--
>
> Message: 3
> Date: Sat, 30 Nov 2002 00:35:43 -0800 (PST)
> From: Keith Morse <kg...@mp...>
> To: Vadim Kurland <va...@vk...>
> Cc: fwb...@li...
> Subject: Re: [Fwbuilder-discussion] Is there a limit to the number of NAT rules?
>
> On Fri, 29 Nov 2002, Vadim Kurland wrote:
>
> > I do not know what the limit is, or even if there is a limit. I saw
> > this question asked on the netfilter mailing list but never saw an answer.
> >
> > Can you see your new rule when you do "iptables -t nat -L -n"? You
> > need to add "-t nat" to see chains in the table 'nat'.
> >
> > --vk
>
> As follows:
>
> [root@fw root]# iptables -t nat -L -n
> Chain PREROUTING (policy ACCEPT)
> target prot opt source         destination
> DNAT   all  --  204.201.230.6  206.135.172.218  to:192.168.2.100
> DNAT   all  --  204.201.230.6  206.135.172.219  to:192.168.2.102
> DNAT   all  --  204.201.230.6  206.135.172.217  to:192.168.2.105
> DNAT   all  --  204.201.230.6  206.135.172.220  to:192.168.2.106
>
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source         destination
> SNAT   all  --  192.168.2.100  204.201.230.6    to:206.135.172.218
> SNAT   all  --  192.168.2.102  204.201.230.6    to:206.135.172.219
> SNAT   all  --  192.168.2.105  204.201.230.6    to:206.135.172.220
> SNAT   all  --  192.168.2.106  204.201.230.6    to:206.135.172.220
> SNAT   all  --  10.1.1.0/24    0.0.0.0/0        to:206.135.172.195
> SNAT   all  --  192.168.1.0/24 0.0.0.0/0        to:206.135.172.195
> SNAT   all  --  192.168.2.0/24 0.0.0.0/0        to:206.135.172.195
> SNAT   all  --  10.30.1.0/24   0.0.0.0/0        to:206.135.172.195
> SNAT   all  --  10.20.1.0/24   0.0.0.0/0        to:206.135.172.195
> SNAT   all  --  10.10.1.0/24   0.0.0.0/0        to:206.135.172.195
> SNAT   all  --  10.40.1.0/24   0.0.0.0/0        to:206.135.172.195
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source         destination
>
> So the NAT rule is being created for 10.40.1.0/24, but packets don't make
> it out. I'm still looking at the output of "iptables -nL". The other 3
> subnets are working as expected.
>
> --__--__--
>
> Message: 4
> Date: Sat, 30 Nov 2002 01:37:41 -0800
> Subject: Re: [Fwbuilder-discussion] Is there a limit to the number of NAT rules?
> Cc: fwb...@li...
> To: Keith Morse <kg...@mp...>
> From: Vadim Kurland <va...@vk...>
>
> On Saturday, November 30, 2002, at 12:35 AM, Keith Morse wrote:
>
> > [root@fw root]# iptables -t nat -L -n
> > Chain PREROUTING (policy ACCEPT)
> > target prot opt source         destination
> > DNAT   all  --  204.201.230.6  206.135.172.218  to:192.168.2.100
> > DNAT   all  --  204.201.230.6  206.135.172.219  to:192.168.2.102
> > DNAT   all  --  204.201.230.6  206.135.172.217  to:192.168.2.105
> > DNAT   all  --  204.201.230.6  206.135.172.220  to:192.168.2.106
> >
> > Chain POSTROUTING (policy ACCEPT)
> > target prot opt source         destination
> > SNAT   all  --  192.168.2.100  204.201.230.6    to:206.135.172.218
> > SNAT   all  --  192.168.2.102  204.201.230.6    to:206.135.172.219
> > SNAT   all  --  192.168.2.105  204.201.230.6    to:206.135.172.220
> > SNAT   all  --  192.168.2.106  204.201.230.6    to:206.135.172.220
> > SNAT   all  --  10.1.1.0/24    0.0.0.0/0        to:206.135.172.195
> > SNAT   all  --  192.168.1.0/24 0.0.0.0/0        to:206.135.172.195
> > SNAT   all  --  192.168.2.0/24 0.0.0.0/0        to:206.135.172.195
> > SNAT   all  --  10.30.1.0/24   0.0.0.0/0        to:206.135.172.195
> > SNAT   all  --  10.20.1.0/24   0.0.0.0/0        to:206.135.172.195
> > SNAT   all  --  10.10.1.0/24   0.0.0.0/0        to:206.135.172.195
> > SNAT   all  --  10.40.1.0/24   0.0.0.0/0        to:206.135.172.195
> >
> > Chain OUTPUT (policy ACCEPT)
> > target prot opt source         destination
> >
> > So the NAT rule is being created for 10.40.1.0/24, but packets don't make
> > it out. I'm still looking at the output of "iptables -nL". The other 3
> > subnets are working as expected.
>
> Well, just to make sure, you can try "iptables -L -n -v"; it will show
> you packet counters for each rule. See if the counter stays at zero for
> 10.40.1.0/24. This command also shows "in" and "out" interfaces for
> each rule; this may be useful to catch misconfigurations, too.
>
> Are you sure your firewall isn't dropping these packets? Check the log
> and maybe use the "Log all packets" option for debugging.
>
> Try to run tcpdump on the ingress interface to see if the packets you expect
> really enter the firewall at all.
>
> What kind of hardware is this? Seven interfaces is quite unusual for a
> PC; do you use quad ethernet cards? Are you sure all of your
> interfaces, and especially the seventh, work fine? How about IRQ
> collisions?
>
> --vk
>
> --__--__--
>
> _______________________________________________
> Fwbuilder-discussion mailing list
> Fwb...@li...
> https://lists.sourceforge.net/lists/listinfo/fwbuilder-discussion
>
> End of Fwbuilder-discussion Digest
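Vadim's check in message 4 (list the nat table with "-v", see whether the counter for 10.40.1.0/24 stays at zero, and compare the "out" interface) can be turned into a small parser. The following is an added example, not code from the thread or from fwbuilder; the listing it parses is constructed to resemble Keith's POSTROUTING chain, and the function names are my own.

```python
"""Parse `iptables -t nat -L POSTROUTING -n -v` output and give a verdict on the
SNAT rule for one subnet: missing, bound to the wrong egress interface, present
but never matched (counter still zero), or ok."""
from dataclasses import dataclass
from typing import List

# Constructed sample modelled on the thread's firewall; not real captured output.
SAMPLE_OUTPUT = """\
Chain POSTROUTING (policy ACCEPT 1200 packets, 96000 bytes)
 pkts bytes target     prot opt in     out     source               destination
  512 40960 SNAT       all  --  *      eth0    10.1.1.0/24          0.0.0.0/0            to:206.135.172.195
  301 24080 SNAT       all  --  *      eth0    192.168.1.0/24       0.0.0.0/0            to:206.135.172.195
    0     0 SNAT       all  --  *      eth0    10.40.1.0/24         0.0.0.0/0            to:206.135.172.195
"""


@dataclass
class NatRule:
    pkts: int
    target: str
    in_iface: str
    out_iface: str
    source: str
    destination: str
    extra: str  # trailing text such as "to:206.135.172.195"


def parse_nat_chain(output: str) -> List[NatRule]:
    """Return the rules of a verbose chain listing, skipping header lines."""
    rules = []
    for line in output.splitlines():
        fields = line.split()
        # Verbose rule rows start with two numeric counters: pkts and bytes.
        if len(fields) < 9 or not fields[0].isdigit() or not fields[1].isdigit():
            continue
        rules.append(NatRule(int(fields[0]), fields[2], fields[5], fields[6],
                             fields[7], fields[8], " ".join(fields[9:])))
    return rules


def diagnose_snat(output: str, subnet: str, out_iface: str) -> str:
    """Verdict for the SNAT rule whose source is `subnet` on egress `out_iface`."""
    matches = [r for r in parse_nat_chain(output)
               if r.target == "SNAT" and r.source == subnet]
    if not matches:
        return "missing"          # rule never made it into the nat table
    rule = matches[0]
    if rule.out_iface not in ("*", out_iface):
        return "wrong-interface"  # rule is bound to a different egress interface
    if rule.pkts == 0:
        return "no-hits"          # rule exists but nothing reached it: check the
    return "ok"                   # filter table, routing, or tcpdump on ingress
```

A "no-hits" verdict is the situation Vadim describes: the NAT rule is fine, so the packets are being dropped or misrouted before POSTROUTING.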