router/nat with only one NIC
Tim Wunder
tim
Sun Sep 26 08:36:03 PDT 2004
On Saturday 25 September 2004 7:09 pm, someone claiming to be David Bandel
wrote:
> On Sat, 25 Sep 2004 10:59:11 -0400, Tim Wunder <tim at thewunders.org> wrote:
> > On Saturday 25 September 2004 9:28 am, someone claiming to be Tim Wunder
> >
> > wrote:
> > > On Wednesday 08 September 2004 8:14 pm, someone claiming to be David A.
> > > Bandel
>
> [snip]
>
> > > nat requests from 10.0.0.0/24 thru 192.168.1.2 (eth0 on the server):
> > > # iptables -t nat -I POSTROUTING -s 10.0.0.0/24 -j SNAT --to-source
> > > 192.168.1.2
> >
> > Shouldn't these be DNAT rules? Aren't I trying to change the DESTINATION
> > of the packets?
> >
> > > redirect http requests thru dansguardian:
> > > # iptables -t nat -I POSTROUTING -s 10.0.0.0/24 -j SNAT -p tcp --sport
> > > 80 --to-source 192.168.1.2:3129
> > >
> > > redirect squid requests thru dansguardian:
> > > # iptables -t nat -I POSTROUTING -s 10.0.0.0/24 -j SNAT -p tcp --sport
> > > 3128 --to-source 192.168.1.2:3129
>
> SNAT changes source (from) address
> DNAT changes destination (to) address/port
>
> SNAT: POSTROUTING
> DNAT: PREROUTING
>
> OK, I'm confused. You have a router/NAT box 192.168.1.254. It should
> redirect all packets on port 80 that _don't_ come from 192.168.1.2
> back to 1.2 port 3128.
>
Sort of, I want it to redirect the packets to 1.2 port 3129.
> Remind me what 10.x.x.x is for? Why not part of 192.168.1.0/24?
>
No real reason, I suppose I could use 192.168.1.0/24. Didn't think it'd
matter. Apparently, my ignorance is hanging out again...
> > I want http and squid (ports 80 and 3128) packets sent from 10.0.0.0/24
> > to go to thru dansguardian (port 3129) on 192.168.1.2 via transparent
> > proxy. All other packets I want to have go through the router located on
> > 192.168.1.254.
>
> Don't you mean port 3128? And where does 10.0.0.x come from?
>
Dansguardian listens to port 3129 and forwards acceptable packets to squid,
which listens on 3128. Dansguardian does a much better job of content
filtering than squidGuard, which I've also configured squid to use.
> > Now 192.168.1.254 also does NAT, but it's only NAT'ing packets from
> > 192.168.1.2
>
> Seems kinda silly, but OK.
I want to prevent my kids from just connecting to the internet and bypassing
the content filter. That's all.
> So where is 10.x.x.x hanging out? Which
> system/ethernet port?
>
eth0:1 on the proxy server. But if it'd make more sense, I'll just make eth0:1
be 192.168.1.1, and I'll have the dhcp server serve up 192.168.1.0/24 IP
addresses ( just not 192.168.1.1, 1.2 or 1.254).
> > So... I'm doing SNAT for ports other than 80 and 3128 and DNAT for 80 and
> > 3128. Is that right?
> >
> > I'll have to play around some more, but any suggestions/guidance would be
> > welcome. Off to take care of some "honey-do's"...
>
> Sounds like some of what you want might be better served with a VLAN,
> at least for the 10.x.x.x stuff. But somewhere I'm still not clear.
>
VLAN? Yeah... I guess that's what I was trying to set up. But I don't have to.
I'll change everything so that the proxy/dhcp server gives out 192.168.1.x IP
addresses and do everything on 192.168.1.0/24.
So... the question remains...
How do I make port 80 requests from 192.168.1.0/24 go through 192.168.1.2 port
3129? Additionally, how do I make everything look like it's coming from
192.168.1.2 to the router at 192.168.1.254?
This is my current network config:
# ifconfig
eth0 Link encap:Ethernet HWaddr 00:60:97:29:68:98
inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::260:97ff:fe29:6898/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:661095 errors:0 dropped:0 overruns:0 frame:0
TX packets:663681 errors:0 dropped:0 overruns:0 carrier:4
collisions:54 txqueuelen:1000
RX bytes:364144548 (347.2 Mb) TX bytes:284783379 (271.5 Mb)
Interrupt:11 Base address:0xe400
eth0:1 Link encap:Ethernet HWaddr 00:60:97:29:68:98
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:661095 errors:0 dropped:0 overruns:0 frame:0
TX packets:663681 errors:0 dropped:0 overruns:0 carrier:4
collisions:54 txqueuelen:1000
RX bytes:364144548 (347.2 Mb) TX bytes:284783379 (271.5 Mb)
Interrupt:11 Base address:0xe400
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 eth0
# cat /proc/sys/net/ipv4/conf/eth0/send_redirects
0
# cat /proc/sys/net/ipv4/ip_forward
1
# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- anywhere anywhere tcp dpt:http
OWNER GID match GID1 redir ports 3129
REDIRECT tcp -- anywhere anywhere tcp dpt:http
OWNER GID match GID2 redir ports 3129
REDIRECT tcp -- anywhere anywhere tcp dpt:squid
OWNER GID match GID1 redir ports 3129
REDIRECT tcp -- anywhere anywhere tcp dpt:squid
OWNER GID match GID2 redir ports 3129
For added edification, my laptop is getting IP address 192.168.1.110 from the
dhcp server.
# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:F1:0B:17:19
inet addr:192.168.1.110 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:f1ff:fe0b:1719/64 Scope:Link
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:404 errors:0 dropped:0 overruns:0 frame:0
TX packets:429 errors:0 dropped:0 overruns:0 carrier:1
collisions:0 txqueuelen:1000
RX bytes:48391 (47.2 Kb) TX bytes:36935 (36.0 Kb)
Interrupt:11 Base address:0x1000 Memory:c0204000-c0204fff
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
And pings work for 192.168.1.1, 192.168.1.2 and 68.34.76.5 (ISP's DNS server)
from the laptop.
What doesn't work is Internet (DNS, actually). :-(
Regards,
Tim
--
Fedora Core 2, Kernel 2.6.7-1.494.2.2, KDE 3.3.0, Xorg 6.7.0
08:30:00 up 7 days, 22:37, 11 users, load average: 0.00, 0.00, 0.00
It's what you learn after you know it all that counts
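As an added illustration (not part of the thread or Tim's configuration), a small Python model of how the nat table treats a packet from the laptop in this setup: DNAT in PREROUTING runs before the routing decision and so can pull port-80/3128 requests into dansguardian on 192.168.1.2:3129, while SNAT in POSTROUTING runs after it and rewrites the source of forwarded traffic to 192.168.1.2, as David describes. The hosts, ports and the "router only NATs 192.168.1.2" behaviour come from the thread; the ruleset itself and the sample packets are assumptions.

```python
# Added model of the netfilter nat table for the setup in this thread. Hosts,
# ports and the "router only NATs 192.168.1.2" behaviour come from the thread;
# the rule logic itself is an assumed, corrected ruleset, not Tim's real one.
import ipaddress

PROXY = "192.168.1.2"          # eth0 on the proxy/dansguardian box
LAN = ipaddress.ip_network("192.168.1.0/24")
DANSGUARDIAN_PORT = 3129       # squid listens on 3128 behind it

def in_lan(ip):
    return ipaddress.ip_address(ip) in LAN

def prerouting(pkt):
    """DNAT hook: runs before the routing decision, so it can pull
    LAN clients' port-80/3128 requests into dansguardian on this host."""
    if (pkt["proto"] == "tcp" and pkt["dport"] in (80, 3128)
            and in_lan(pkt["src"]) and pkt["src"] != PROXY):
        return dict(pkt, dst=PROXY, dport=DANSGUARDIAN_PORT)
    return pkt

def routing(pkt):
    """Packets now addressed to this host are delivered locally;
    everything else is forwarded to the default gateway."""
    return "local" if pkt["dst"] == PROXY else "forward"

def postrouting(pkt):
    """SNAT hook: runs after routing, only on packets leaving the host,
    and rewrites the source so the router sees 192.168.1.2."""
    if in_lan(pkt["src"]) and pkt["src"] != PROXY:
        return dict(pkt, src=PROXY)
    return pkt

def nat_path(pkt, snat=True):
    """Return (verdict, packet) after the nat table; snat=False models the
    empty POSTROUTING chain shown in the thread."""
    pkt = prerouting(pkt)
    verdict = routing(pkt)
    if verdict == "forward" and snat:
        pkt = postrouting(pkt)
    return verdict, pkt

def router_nats(pkt):
    """The upstream router as described: it NATs only packets from 192.168.1.2."""
    return pkt["src"] == PROXY

def sport80_rule_matches(pkt):
    """Tim's original '-p tcp --sport 80' SNAT rule: a client request carries
    an ephemeral source port, so this never matches outbound requests."""
    return pkt["proto"] == "tcp" and pkt["sport"] == 80
```

Running a constructed port-80 request from 192.168.1.110 through `nat_path` yields a local delivery to 192.168.1.2:3129, while a DNS query to 68.34.76.5 is forwarded with its source rewritten to 192.168.1.2; with `snat=False` it leaves with source 192.168.1.110, which the router as described would not NAT.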