Phil N wrote:
> This should be an easy one..... but I am having the worst
> time with it!  I want
> to forward any port 80 requests received on my eth0
> (10.87.240.30) interface to
> port 80 on 10.255.239.30.  I also want to MASQ the packets so
> that the request
> is returned the same way it was sent (I have two paths in
> this instance).

1.  As far as I know, ipchains deals with packets as they cross interfaces.
The packet has already gotten to the interface before ipchains can do
anything to it.  Where the packet goes afterwards is based entirely on the
addresses on the packets and the routing commands in place.  I often see
people assume that ipchains will determine the path of the packet, then get
confused when it does.

2.  As far as I know, the first packet, which is approved against the input
and then the portforward command, is the only packet that is actually managed
by ipchains.  Thereafter it's the portfw module that's handling the packets
(it grabs control of the port interface from ipchains).

> Here is my ruleset, which I thought would do it but obviously
> not....  I have a
> sniffer on the 10.255.239.0 segment and see the packets
> coming onto the segment
> with their actual originating address, not the address of
> eth0 on the masq'ing machine.

3.  Was eth0 a typo there?  Unless I'm completely lost, a masq'd packet will
have the address of the exiting interface.  If the packet leaves by eth1
then it would be masq'd to 10.255.239.2 not the address for eth0.

4.  Pure guesswork: since the portfw module is doing the packet mangling
rather than ipchains, the packet won't be masq'd.

5.  Just to verify that things are being routed the way you expect, is other
traffic going to 10.255.239.30 being masq'd?

> Input on this problem would be appreciated!  TIA, Phil

6.  Grabbing at straws: if you change the default policy for the forward
chain to deny and set appropriate forward rules for each subnet, does that
make a difference?

Perhaps something like:
 /sbin/ipchains -A forward -i eth0 -j ACCEPT -d 10.87.240.0/24
 /sbin/ipchains -A forward -i eth1 -j MASQ -d 10.255.239.0/24

Sorry I don't have a solution for you.  Maybe this will give a hint about
what is causing the problem though.

Lourdes

> eth0 addr = 10.87.240.30
> eth1 addr = 10.255.239.2
>
> =======================================================
> /sbin/ipchains -P input ACCEPT
> /sbin/ipchains -P forward ACCEPT
> /sbin/ipchains -P output ACCEPT
> /sbin/ipchains -F
>
> #  forward requests received on eth0 port 80 to 10.255.239.30 port 80
> /usr/sbin/ipmasqadm portfw -f
> /usr/sbin/ipmasqadm portfw -a -P tcp -L 10.87.240.30 80 -R 10.255.239.30 80
>
> #  any packet sent out the eth1 interface needs to be masqueraded
> /sbin/ipchains -A forward -i eth1 -j MASQ
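The deny-by-default forward chain from point 6, written out as a complete script with a logging catch-all so that whatever the explicit rules do not cover shows up in the kernel log instead of silently passing. This is an added example, not Phil's ruleset or anything from the list; the addresses come from the thread, the rule order and the `run`/`apply_ruleset` wrapper are my own assumptions, and whether port-forwarded packets traverse the forward chain at all is exactly the question the thread leaves open.

```shell
#!/bin/sh
# Deny-by-default forward chain for the two-interface masq box in the thread.
# Addresses are the ones posted; the rule set itself is an assumption.
EXT_IF=eth0;  EXT_NET=10.87.240.0/24      # outside, 10.87.240.30
INT_IF=eth1;  INT_NET=10.255.239.0/24     # inside, 10.255.239.2
WEB_SERVER=10.255.239.30                  # portfw target

# run: echo each command so the rule set can be reviewed; execute it unless
# DRY_RUN=1, so nothing touches a live box until you have read the output.
run() {
  echo "$*"
  [ "${DRY_RUN:-0}" = 1 ] || "$@"
}

apply_ruleset() {
  run /sbin/ipchains -F forward
  run /sbin/ipchains -P forward DENY
  # In the forward chain -i is the interface the packet will LEAVE by.
  # Forwarded web requests going out eth1 to the server, masqueraded.
  run /sbin/ipchains -A forward -p tcp -i "$INT_IF" -d "$WEB_SERVER" 80 -j MASQ
  # Anything else from the outside net leaving through eth1, masqueraded.
  run /sbin/ipchains -A forward -i "$INT_IF" -s "$EXT_NET" -d "$INT_NET" -j MASQ
  # Replies (already de-masqueraded) heading back out eth0.
  run /sbin/ipchains -A forward -i "$EXT_IF" -d "$EXT_NET" -j ACCEPT
  # Catch-all: log (-l) and deny whatever the rules above did not match;
  # read the entries with dmesg or from the klogd output.
  run /sbin/ipchains -A forward -l -j DENY
  # Port forward as posted: flush, then eth0:80 -> web server:80.
  run /usr/sbin/ipmasqadm portfw -f
  run /usr/sbin/ipmasqadm portfw -a -P tcp -L 10.87.240.30 80 -R "$WEB_SERVER" 80
}

# "show" prints the rule set without applying it; "apply" installs it.
case "${1:-}" in
  show)  DRY_RUN=1; apply_ruleset ;;
  apply) DRY_RUN=0; apply_ruleset ;;
esac
```

If the sniffer still sees unmasqueraded traffic with this chain in place, a missing kernel log entry for those packets is the evidence that they never passed through the forward chain, which is what point 2 suspects.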

_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]