Okay, I'll give the original question a shot. Feel free to correct me if I flub something, I'm going to type this out mostly from memory.

First, a brief network description is in order...
"Internal"-ish network
Box1 | eth0 | 10.0.0.2 | eth0 -> Box2's eth0
Box2 | eth0 | 10.0.0.1 | eth0 -> Box1's eth0

"External"-ish network
Box2 | eth1 |  4.3.2.2 | eth1 -> Box3's eth0
Box3 | eth0 |  4.3.2.1 | eth0 -> Box2's eth1

To setup what you describe, first, you'll need to ensure all 3 machines can ping each other:
1) Ensure Box1 can ping 10.0.0.1
2) Ensure Box2 can ping 10.0.0.2 and 4.3.2.1
3) Ensure Box3 can ping 4.3.2.2


Next, if this setup is not quite so simplified (if Box2 and Box3 aren't on the same physical network), you'll need to ensure that Box2 has a default gateway. This is sort of implied by Step 3 of the previous statement, but I'm making it explicit in case you ignored my ping steps and brazenly continued. :p
Box2# ip route show dev eth1
4.3.2.0/24 proto kernel scope link src 4.3.2.2
default via x.x.x.x (some machine that can route to 4.3.2.1)


Then you'll need to configure Box2 to do three things:
1) Route packets between interfaces
2) Log the packets you want it to
3) Masquerade packets from eth0 to eth1

----- Sample configuration session on Box2 -----
Box2# whoami
root
Box2# echo 1 > /proc/sys/net/ipv4/ip_forward
Box2# iptables -A FORWARD -p icmp -s 10.0.0.0/24 -j LOG
Box2# iptables -t nat -A POSTROUTING -o eth1 -s 10.0.0.0/24 -j MASQUERADE
----- End sample session -----

You should then be able to ping Box3 from Box1, and Box2 will masquerade the packets and log them to syslog. Note: a malicious user could then do a relatively light ping flood and possibly bring that box to its knees (depending on its hardware, as logging is a lot more intensive than just masquerading), so you should explore the --limit options for the LOG target before getting this anywhere near a production setup.

Potential gotchas: If things don't go as you expect, ensure that:
- the iptables default rules are all set to ACCEPT.
- do you actually have routes for each of the interfaces?
  (a la 'ip route show dev eth0' on Box1 should return something like:
   10.0.0.0/24  scope link)
- Your testing method of "is it getting a ping" is valid...
- All of the original ping tests _really_ work...

That should be enough to get the basics across. If your instructor can't get it working from that description, I hate to say it, but they need to find a new instructor. This is truly basic stuff - heck, I've been doing masquerading since the mid-'90s when it was just two or three machines sharing a dialup connection. 16-year-olds figure it out every day from Google.

I hope this all turns out to be helpful, for this much typing.  :p
Maybe someone on Google will benefit from it one of these days.  :)

Aaron S. Joyner
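The Box2 recipe above, as an added example that is not from Aaron's post or from the thread: the same three steps (forwarding, logging, masquerading) written as an iptables-restore ruleset with the rate-limited LOG he recommends, plus a small lint function that catches the classic chain mistakes (MASQUERADE anywhere but nat POSTROUTING, a LOG rule in INPUT where forwarded packets never arrive, a LOG rule with no limit). Interface names, the 10.0.0.0/24 network and the limit values are assumptions taken from or added to the thread; the lint is a homegrown check, not an iptables feature. Applying the rules needs root and a kernel with the nat and filter tables.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates, lints and
# (optionally) applies the Box2 NAT/logging ruleset from the thread.
# Assumed topology: eth0 faces 10.0.0.0/24 (Box1), eth1 faces the outside.

LAN_IF="${LAN_IF:-eth0}"            # assumption: inside interface
WAN_IF="${WAN_IF:-eth1}"            # assumption: outside interface
LAN_NET="${LAN_NET:-10.0.0.0/24}"   # assumption: inside network
LOG_LIMIT="${LOG_LIMIT:-5/second}"  # chosen here; tune for your box
LOG_BURST="${LOG_BURST:-10}"

# Print the ruleset in iptables-restore format. MASQUERADE is only valid in
# the nat POSTROUTING chain, and packets Box2 forwards for Box1 traverse
# FORWARD (not INPUT), so the LOG rule lives there. Default policies stay
# ACCEPT, as the troubleshooting checklist in the thread assumes.
gen_box2_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $LAN_IF -s $LAN_NET -p icmp -m limit --limit $LOG_LIMIT --limit-burst $LOG_BURST -j LOG --log-prefix "BOX2-FWD-ICMP: "
COMMIT
EOF
}

# Read -A rule lines on stdin and exit non-zero if any of the usual
# mistakes are present. Diagnostics go to stdout.
lint_rules() {
    awk '
        /^-A / {
            chain = $2
            if ($0 ~ /-j MASQUERADE/ && chain != "POSTROUTING") {
                print "MASQUERADE is only valid in nat POSTROUTING, found in " chain
                bad = 1
            }
            if ($0 ~ /-j LOG/ && chain == "INPUT") {
                print "LOG in INPUT never sees forwarded packets; use FORWARD"
                bad = 1
            }
            if ($0 ~ /-j LOG/ && $0 !~ /-m limit/) {
                print "LOG rule without -m limit: a ping flood will flood syslog"
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# True when the kernel is already forwarding IPv4.
ip_forward_enabled() {
    [ -r /proc/sys/net/ipv4/ip_forward ] &&
        [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ]
}

# Lint, enable forwarding, then load the ruleset atomically.
apply_box2_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    gen_box2_rules | lint_rules >&2 || return 1
    # Note the space: "echo 1>file" redirects stdout and writes a bare newline.
    echo 1 > /proc/sys/net/ipv4/ip_forward
    gen_box2_rules | iptables-restore
}

case "${1:-}" in
    show)  gen_box2_rules ;;
    lint)  lint_rules ;;
    apply) apply_box2_rules ;;
esac
```

Usage: `sh box2-nat.sh show` prints the ruleset, `sh box2-nat.sh show | sh box2-nat.sh lint` checks it, and `sudo sh box2-nat.sh apply` loads it. Feeding the lint the two classic wrong rules (a MASQUERADE in PREROUTING, an unlimited LOG in INPUT) makes it fail, which is the point of having it run before iptables-restore.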


Greg Kuhn wrote:


First off, I apologize for the inconvenience, didn't know that everybody was going to get the email. I thought all email for the mailing list was routed through the [EMAIL PROTECTED] address. I have lowered my spam blocker to medium, which should take care of the problem.

and

Secondly, if I had the rules that I was trying I would post them, but the machines we use are blocked from the internet because we have root access and therefore I can't get the rules I tried. From my point of view nobody's doing my homework for me or us. We were all working independently. No one was successful. End of assignment, I'm just trying to get the rule sets needed so that we can all see what we should have done. I will try the suggestions provided and maybe I will figure it out. If someone can provide the solution easily and wants to, great; if not, that's fine too. Just thought I would ask.

Thanks, Greg

-----Original Message-----
From: Jon Carnes <[EMAIL PROTECTED]>
Sent: Mar 24, 2004 6:36 AM
To: Triangle Linux Users Group <[EMAIL PROTECTED]>
Subject: Re: Re: [TriLUG] Iptables help

Dear List maintainers (that's the Steering committee),

Can we VERP the list and have this individual kicked off?

Many thanks - Jon Carnes

===
On Wed, 2004-03-24 at 09:33, [EMAIL PROTECTED] wrote:

This is an automatic reply to your email message to
[EMAIL PROTECTED]

This email address is protected by EarthLink spamBlocker. Your email
message has been redirected to a "suspect email" folder for
[EMAIL PROTECTED] In order for your message to be
moved to this recipient's Inbox, he or she must add your email address
to a list of allowed senders.

Click the link below to request that [EMAIL PROTECTED]
add you to this list.
https://webmail.pas.earthlink.net/wam/[EMAIL PROTECTED]&id=1b68rFPh3NZFk70



-- TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug TriLUG Organizational FAQ : http://trilug.org/faq/ TriLUG Member Services FAQ : http://members.trilug.org/services_faq/ TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
