Comments:
<0> AgreSor: That's easy.
<1> p3nguin, easy for you
<1> :)
<2> BrB
<3> I don't have a firewall either
<0> At least a NAT firewall is easy for me. Without using NAT I am a bit confused.
<4> AgreSor: well let us begin
<4> p3nguin: it's even easier without NAT
<4> Al-Ashtar: get logwatch
<1> heh..
<4> AgreSor: http://cancel.kicks-***.net/public/guest/howto/iptables
<4> AgreSor: read the things there first then come back with questions
<1> okay
<4> then we'll go over the specifics
<0> MrAnderson: I have one Linux box for routing with one external interface and one internal interface. I have multiple real world IP addresses. I have one LAN machine that needs a real world IP address from the outside. How do I get it into the LAN?
<4> p3nguin: well how is your access getting in
<0> Currently I use NASY for that.
<0> NAT
<4> normally you have a csu/dsu and your real network interface has multiple ips
<4> don't think you got the question
<4> how is the internet getting to your building
<4> what is the termination
<4> like say you had a cisco it would have a csu/dsu
<0> The internet comes to the house on a fiber then changes to Ethernet going to the Linux box.
<4> are all the ips on that fiber
<4> if they are then make virtual adapters and give them those ips
<4> then you DNAT like any other DNAT
<0> All the IPs come in on that one ethernet cable.
<0> DNAT is NAT.
<0> I want the LAN to use the real IP.
<4> you do a one to one DNAT
<4> and please don't argue iptables with me
<4> thanks
<0> erm
<0> Don't get snooty.
<4> I won't if you don't try to argue with me when I'm trying to assist you
<0> Currently I have all five real IPs on the Linux box on virtual interfaces.
<4> like you of all people don't need to say to me
<0> DNAT is NAT.
<0> But we already discussed that I don't want to NAT it.
<4> well you really need to unless you have an ethernet port on your box with fiber assigned to that ip
<3> Ahhh, Cancel arguing again. Everything is normal. :D
<0> Maybe I'm not being clear about the current network configuration.
<0> I have a /29 coming in on a single CAT5e.
<0> I want to be able to give the Linux box (acting as the first node) one address and then give another computer one of the other real IPs.
<4> it's clear to me
<0> Okay.
<3> and he wants one of the LAN computers to use one of those /29 ips
<4> my recommendation to you is one to one nat
<4> Al-Ashtar: that is clear, already said that
<4> example
<0> Let's elaborate on the one-to-one.
<4> iptables -t nat -A PREROUTING -d 97.158.253.26 -i eth0 -j DNAT --to-destination 192.168.1.100
<4> so that says all traffic for that IP go to .100 inside
<4> done
<3> outbound
<5> you want the 1st node to be transparent
<0> Precisely.
<4> outbound is fine as remember established related
<5> and assign the public IP to the interface on the internal box
<3> he wants outbound
<4> you outbound with what POSTROUTING MASQUERADE
<0> nivek: Just like in IOS... but with Linux and iptables.
<5> p3nguin, I've seen that done with some software (can't remember the name, but it was linux based)... How to do it with iptables... no clue
<3> ok, what's a 1st node ?
<0> I'll draw a diagram.
<4> that's it, then that public ip is the machine on the inside you want
<5> MrAnderson, have fun trying to get an app to bind to the public address in that setup
<4> he's resisting it now
<4> but that's what he'll end up doing
<1> u know what people.. i see that linux can't be boring :)
<4> nivek: actually already doing it
<1> but... for now.. i must sleep
<4> nivek: which is how I know it works as the rulesets I publish are my real live working right now rules
<4> nivek: :)
<5> except you apparently don't have a clue as to what p3nguin is talking about
<3> wouldn't POSTROUTING MASQUERADE use the IP of the main box with 2 interfaces ?
<4> nivek: and iptables doesn't "bind" it filters and
<3> I don't know what I'm talking about
<3> heh
<4> Al-Ashtar: well we'd use snat since it's static and it will use whatever address you tell it to
<5> I said "an app" not "iptables" think.. "postfix"
<4> nivek: doesn't matter what the app
<4> nivek: and postfix will bind fine as again I have postfix up and running as the smtp agent on multiple boxes configured as such
<5> explain to me how to set up main.cf to bind to 70.150.133.71 when that address isn't on the machine?
<4> nivek: postfix has no knowledge of the netfilter nor cares
<4> nivek: you don't need to, you go by the adapter number, don't need to go by ip
<4> nivek: then you use the netfilter to do translation, when it comes back in it is retranslated
<4> which is how one to one nat works if you didn't read the netfilter manual
<5> I'm aware of that... that's currently what *I* do
<5> but again.. that's not what p3nguin wants
<4> nivek: and yes my postfix is working and the ip is public
<4> multiple machines
<4> and you don't need to bind postfix to an address, you can do it by adapter and you can allow relay by address any you like
<5> Jason... I gotta say.. for someone so bright... you are _really_ dense at times.
<4> nivek: say anything you like, oddly enough all my iptables works
<4> here and abroad
<5> you still aren't getting it.
<4> put that in your pipe and smoke it
<5> 1) the postfix was an example... I know you don't HAVE to bind to an ip... but if you WANTED to.. you couldn't... because in your setup.. that IP is bound to an interface in the 1st box
<3> p3nguin will draw a diagram
<5> 2) NAT is not what p3nguin wants... and he's stated so.
<4> actually you still could
<4> well he's going to need NAT unless his physical device can deliver that ip to the nic on that local machine
<4> that's just the facts of life there
<4> and the device can either do that or it can't
<3> MrAnderson: and that's the "app" nivek was talking about
<5> the question was, I believe, can iptables be set up to transparently deliver that IP to the inside box
<4> Al-Ashtar: well that's not an app, it's a physical device, again like a csu/dsu
<4> yes
<4> already said that, even gave you the rule
<5> no, you gave a nat rule
<4> which is the rule
<5> and yes, it can be done... I've had it working in production before.
<4> did you forget how the netfilter works
<4> without mangling or nat your option left is forward
<4> and if this is a machine on his lan....
<4> not rocket science
<4> netfilter 101
<6> when i download something it is saved on desktop but i can't see it .. how to access it
<6> ?
<4> depends on your desktop
<3> netstat -tepan | grep ESTABLISHED # is the only way to check who's connected remotely ?
<4> why not change your d/l location?
<6> how to change it ?
<6> oh right
<6> wait let me try it
<3> don't make me repeat :P
<4> Al-Ashtar: other tools you can use: ethereal, iptraf
<0> http://www.virtualaddiction.net/linux/five_ips.png
<3> way to go Picasso
<4> p3nguin: looked at your diagram, you need to do what I said
<0> I don't want to give the LAN servers private addresses. I can do that already. :)
<0> I want to pass the public IPs to the LAN.
<4> you need to do what I said
<4> I'll probably say that a few more times
<0> We both know that netfilter will easily NAT it and give us private addresses. That is not what I want to do.
<4> and no you don't need to give them private addresses to do that
<3> MrAnderson: like this ? iptables -t nat -A PREROUTING -d 66.66.66.3 -i eth0 -j DNAT --to-destination 192.168.1.3
<0> Let me throw another wrench into the works.
<0> The LAN machines must pull the public IPs from an external DHCP server.
<4> and since it is the same network you could do it without dnat using forward rules
<0> If I put the switch before all of the computers they will all pull their own addresses... but without a firewall.
<4> well I'd set them static
<4> as they are static ips publicly
<0> That defeats the purpose of this exercise.
<4> as if they are static why use dhcp?
<4> which compounds problems