iptables -> masquerade/ snat or dnat problems..

on 22.11.2006 10:51:32 by rajesh

Anyone active here? Please.. I've got some brainstorming :P

While I was surfing the Internet, I got a Rapidshare warning:
"your ip xxx.public.xxx.110 is already downloading a file.."
Though I have a bunch of public IPs, I have only one server, and
only one connection.

To change this, I would have to add some switches, which I don't want to do now.

I just want a public IP, xxx.public.xxx.55, for my single-purpose use,
while other users may be using xxx.public.xxx.110 as their NAT-masqueraded
IP.

In that case my users will be using xxx.public.xxx.110 (alias eth0) for
Rapidshare downloads
(maybe routing works, or something like that) (alias eth1:1
192.168.0.1/24 -> other users on my local LAN),

and I will be using xxx.public.xxx.55 (alias eth0:2) for my single
purpose (alias eth1:2 172.168.0.1 -> me on another Windows box ->
172.168.0.20).

Though dhcpd hands out IPs from 192.168.0.0/24 -> gateway 192.168.0.1,
I use a manual IP of 172.168.0.20 -> gateway 172.168.0.1,
which has been working so far.

Well, I think this is stuff related to:
SNATting and DNATting, masquerading, 1:1 NATting.

+---------------------------+
|      Internet Cloud       |
|          (VSAT)           |
+---------------------------+
              |
       xxx.public.xxx.1
              |
   +----------+-------------------+
   |          |                   |
xxx.public.xxx.2   xxx.public.xxx.3 ...   xxx.public.xxx.110 (eth0) --- xxx.public.xxx.55 (eth0:2)
                                                     |
                                      +--------------+----------------+
                                      | 10.0.0.1     (eth1)           |
                                      | 192.168.0.1  (eth1:1)         |
                                      | 172.168.0.1  (eth1:2)         |
                                      +-------------------------------+
                                                     |
                                              (local LAN users)
-----------------------------------------------------------------------------------------------
-------------[Automatic boot via rc.local]-----------------------------------------------------
/etc/rc.local
......
a rajesh   # these are calls to the shell script "a" described below
a enable   # shell script running ...
.......
-----------------------------------------------------------------------------------------------
#!/bin/bash
# (echo -e / echo -en below are bash extensions, so this runs under bash, not plain sh)
PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
LONGNAME="Shell script for ping utils"
NAME="a"
set -e

# Main Loop
case "${1:-}" in
rajesh)
    FWVER=0.76
    echo -e "\n\nLoading simple rc.firewall-iptables version $FWVER..\n"
    IPTABLES=/sbin/iptables
    DEPMOD=/sbin/depmod
    MODPROBE=/sbin/modprobe
    EXTIF="eth0"
    INTIF="eth1"
    echo " External Interface: $EXTIF"
    echo " Internal Interface: $INTIF"
    echo "----------------------------------------------------------------------"
    # Load the netfilter, connection-tracking and NAT modules
    # (because of set -e, a missing module aborts the whole script)
    echo -en "ip_tables, "
    $MODPROBE ip_tables
    echo -en "ip_conntrack, "
    $MODPROBE ip_conntrack
    echo -en "ip_conntrack_ftp, "
    $MODPROBE ip_conntrack_ftp
    echo -en "ip_conntrack_irc, "
    $MODPROBE ip_conntrack_irc
    echo -en "iptable_nat, "
    $MODPROBE iptable_nat
    echo -en "ip_nat_ftp, "
    $MODPROBE ip_nat_ftp
    echo " "
    echo "----------------------------------------------------------------------"
    echo " "
    echo -e " Done loading modules.\n"
    echo " Enabling forwarding.."
    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo " Enabling DynamicAddr.."
    echo "1" > /proc/sys/net/ipv4/ip_dynaddr
    echo " Clearing any existing rules and setting default policy.."
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -F INPUT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -F OUTPUT
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    $IPTABLES -t nat -F
    echo " FWD: Allow all connections OUT and only existing and related ones IN"
    $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
    $IPTABLES -A FORWARD -j LOG
    echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
    # Every packet leaving $EXTIF is rewritten to that interface's primary
    # address (xxx.public.xxx.110), no matter which LAN alias it came in on
    $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
    echo -e "\nrc.firewall-iptables v$FWVER done.\n"

    # Flush every chain of the filter table. This also discards the three
    # FORWARD rules added above, so with the DROP policy only the hosts
    # listed below are forwarded until "a enable" is run.
    iptables -F
    # Now enable forwarding for special users
    # (the 10.0.0.9 and 10.0.0.10 rules are only echoed, not applied)
    echo "iptables -A FORWARD -d 10.0.0.9 -j ACCEPT"
    echo "iptables -A FORWARD -s 10.0.0.9 -j ACCEPT"
    echo "iptables -A FORWARD -d 10.0.0.10 -j ACCEPT"
    echo "iptables -A FORWARD -s 10.0.0.10 -j ACCEPT"
    iptables -A FORWARD -d 10.0.0.20 -j ACCEPT
    iptables -A FORWARD -s 10.0.0.20 -j ACCEPT

    ############### This is my box #########################
    echo "This is my box "
    iptables -A FORWARD -d 172.168.0.20 -j ACCEPT
    iptables -A FORWARD -s 172.168.0.20 -j ACCEPT
    ############ This is my box #############################
    ;;

############### Enabling forwarding for all ##############
enable)
    # Same two FORWARD rules as in "rajesh": LAN -> Internet is allowed,
    # Internet -> LAN only for replies to existing connections
    iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
    ;;

########################################################
*)
    echo "Usage: $NAME {rajesh|enable}" >&2
    exit 1
    ;;
esac

exit 0
------------------------------------------------------------ ----------------



The above script is what I am running: masquerading for all my users.
I have only two Ethernet interfaces: eth0 = xxx.public.xxx.110 and eth0:2 = xxx.public.xxx.55;
eth1: 10.0.0.1
eth1:1: 192.168.0.1
eth1:2: 172.168.0.1
DHCP via eth1:1 (192.168.0.1)
All people use the Internet via eth1:1

--------------



Well, let me explain my problem.. okay dudes..
I have a VSAT and a WAN with 128 public IPs,
but I am using only one public IP, with a server.
My gateway is xxx.public.xxx.1.
I am using xxx.public.xxx.110 (my server with proxy, iptables and all I
have).
eth0 is xxx.public.xxx.110, eth1:1 is 192.168.0.1, eth1:2 is 172.168.0.1,
as explained above.

Now I want to add eth0:2 as xxx.public.xxx.55 and eth1:2 (172.168.0.1)
to SNAT.
For all of them, traceroute will show something like this:
172.168.0.20 (me) -> 172.168.0.1 (my box) [xxx.public.xxx.110] ->
xxx.public.xxx.1 -> Internet cloud
192.168.0.20 (me) -> 192.168.0.1 (my box) [xxx.public.xxx.110] ->
xxx.public.xxx.1 -> Internet cloud
Now I just want to change this to: 172.168.0.20 (me) -> 172.168.0.1 (my
box) [xxx.public.xxx.55] -> xxx.public.xxx.1 -> Internet cloud,
with both xxx.public.xxx.110 and xxx.public.xxx.55 working for different IP
aliases:
external alias [eth0:2 (xxx.public.xxx.55)] === working with [
eth1:2 (172.168.0.1) ]
external alias [eth0:0 (xxx.public.xxx.110)] === working with [
eth1:1 (192.168.0.1) ]
