router/nat with only one NIC
David Bandel
Sun Sep 26 12:51:40 PDT 2004
On Sun, 26 Sep 2004 09:55:25 -0400, Tim Wunder <tim at thewunders.org> wrote:
> On Saturday 25 September 2004 7:09 pm, someone claiming to be David Bandel
> wrote:
> > On Sat, 25 Sep 2004 10:59:11 -0400, Tim Wunder <tim at thewunders.org> wrote:
> > > On Saturday 25 September 2004 9:28 am, someone claiming to be Tim Wunder
> > >
> > > wrote:
> > > > On Wednesday 08 September 2004 8:14 pm, someone claiming to be David A.
> > > > Bandel
> >
> > [snip]
> >
> > > > nat requests from 10.0.0.0/24 thru 192.168.1.2 (eth0 on the server):
> > > > # iptables -t nat -I POSTROUTING -s 10.0.0.0/24 -j SNAT --to-source
> > > > 192.168.1.2
> > >
> > > Shouldn't these be DNAT rules? Aren't I trying to change the DESTINATION
> > > of the packets?
> > >
> > > > redirect http requests thru dansguardian:
> > > > # iptables -t nat -I POSTROUTING -s 10.0.0.0/24 -j SNAT -p tcp --sport
> > > > 80 --to-source 192.168.1.2:3129
> > > >
> > > > redirect squid requests thru dansguardian:
> > > > # iptables -t nat -I POSTROUTING -s 10.0.0.0/24 -j SNAT -p tcp --sport
> > > > 3128 --to-source 192.168.1.2:3129
> >
> > SNAT changes source (from) address
> > DNAT changes destination (to) address/port
> >
> > SNAT: POSTROUTING
> > DNAT: PREROUTING
> >
> > OK, I'm confused. You have a router/NAT box 192.168.1.254. It should
> > redirect all packets on port 80 that _don't_ come from 192.168.1.2
> > back to 1.2 port 3128.
> >
>
> Sort of, I want it to redirect the packets to 1.2 port 3129.
Is 192.168.1.254 (your Firewall/NAT router) a Linux system or not?
Sounds like not from your DNS problem mentioned below.
If not, a lot of these generic boxes don't pass DNS requests, they act
as a caching DNS server themselves that you have to use.
>
> > Remind me what 10.x.x.x is for? Why not part of 192.168.1.0/24?
> >
>
> No real reason, I suppose I could use 192.168.1.0/24. Didn't think it'd
> matter. Apparently, my ignorance is hanging out again...
Not really, there could be very good reasons for using 10.x.x.x and a
VLAN pointing only to the 192.168.1.2 (your Squid/Dan's Guardian
box).
>
> > > I want http and squid (ports 80 and 3128) packets sent from 10.0.0.0/24
> > > to go to thru dansguardian (port 3129) on 192.168.1.2 via transparent
> > > proxy. All other packets I want to have go through the router located on
> > > 192.168.1.254.
> >
> > Don't you mean port 3128? And where does 10.0.0.x come from?
> >
>
> Dansguardian listens to port 3129 and forwards acceptable packets to squid,
> which listens on 3128. Dansguardian does a much better job of content
> filtering than squidGuard, which I've also configured squid to use.
No argument there.
>
> > > Now 192.168.1.254 also does NAT, but it's only NAT'ing packets from
> > > 192.168.1.2
> >
> > Seems kinda silly, but OK.
>
> I want to prevent my kids from just connecting to the internet and bypassing
> the content filter. That's all.
Good idea anymore.
>
> > So where is 10.x.x.x hanging out? Which
> > system/ethernet port?
> >
>
> eth0:1 on the proxy server. But if it'd make more sense, I'll just make eth0:1
> be 192.168.1.1, and I'll have the dhcp server serve up 192.168.1.0/24 IP
> addresses ( just not 192.168.1.1, 1.2 or 1.254).
Would make life easier (but only if the NAT box connected to your ISP
is a Linux box, then your scheme might be your only recourse).
>
> > > So... I'm doing SNAT for ports other than 80 and 3128 and DNAT for 80 and
> > > 3128. Is that right?
> > >
> > > I'll have to play around some more, but any suggestions/guidance would be
> > > welcome. Off to take care of some "honey-do's"...
> >
> > Sounds like some of what you want might be better served with a VLAN,
> > at least for the 10.x.x.x stuff. But somewhere I'm still not clear.
> >
>
> VLAN? Yeah... I guess that's what I was trying to set up. But I don't have to.
> I'll change everything so that the proxy/dhcp server gives out 192.168.1.x IP
> addresses and do everything on 192.168.1.0/24.
>
> So... the question remains...
> How do I make port 80 requests from 192.168.1.0/24 go through 192.168.1.2 port
> 3129? Additionally, how do I make everything look like it's coming from
> 192.168.1.2 to the router at 192.168.1.254.
On .254 just block all port 80 requests that _don't_ come from 1.2,
and on 1.2 reject all requests on port 80 incoming except from .254.
>
> This is my current network config:
> # ifconfig
> eth0 Link encap:Ethernet HWaddr 00:60:97:29:68:98
> inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0
> inet6 addr: fe80::260:97ff:fe29:6898/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:661095 errors:0 dropped:0 overruns:0 frame:0
> TX packets:663681 errors:0 dropped:0 overruns:0 carrier:4
> collisions:54 txqueuelen:1000
> RX bytes:364144548 (347.2 Mb) TX bytes:284783379 (271.5 Mb)
> Interrupt:11 Base address:0xe400
>
> eth0:1 Link encap:Ethernet HWaddr 00:60:97:29:68:98
> inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:661095 errors:0 dropped:0 overruns:0 frame:0
> TX packets:663681 errors:0 dropped:0 overruns:0 carrier:4
> collisions:54 txqueuelen:1000
> RX bytes:364144548 (347.2 Mb) TX bytes:284783379 (271.5 Mb)
> Interrupt:11 Base address:0xe400
>
> # route -n
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
> 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
> 0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 eth0
>
> # cat /proc/sys/net/ipv4/conf/eth0/send_redirects
> 0
> # cat /proc/sys/net/ipv4/ip_forward
> 1
>
> # iptables -L -t nat
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
>
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> REDIRECT tcp -- anywhere anywhere tcp dpt:http
> OWNER GID match GID1 redir ports 3129
> REDIRECT tcp -- anywhere anywhere tcp dpt:http
> OWNER GID match GID2 redir ports 3129
> REDIRECT tcp -- anywhere anywhere tcp dpt:squid
> OWNER GID match GID1 redir ports 3129
> REDIRECT tcp -- anywhere anywhere tcp dpt:squid
> OWNER GID match GID2 redir ports 3129
I think this is not exactly what you want. Looks like you're
redirecting all squid contacts on all interfaces to 3129. But Dan's
Guardian has to talk (I believe on localhost, 127.0.0.1) to 3128, so
you don't want to redir that.
>
> For added edification, my laptop is getting IP address 192.168.1.110 from the
> dhcp server.
> # ifconfig
> eth0 Link encap:Ethernet HWaddr 00:0C:F1:0B:17:19
> inet addr:192.168.1.110 Bcast:192.168.1.255 Mask:255.255.255.0
> inet6 addr: fe80::20c:f1ff:fe0b:1719/64 Scope:Link
> UP BROADCAST MULTICAST MTU:1500 Metric:1
> RX packets:404 errors:0 dropped:0 overruns:0 frame:0
> TX packets:429 errors:0 dropped:0 overruns:0 carrier:1
> collisions:0 txqueuelen:1000
> RX bytes:48391 (47.2 Kb) TX bytes:36935 (36.0 Kb)
> Interrupt:11 Base address:0x1000 Memory:c0204000-c0204fff
>
> # route -n
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
> 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
> 0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
>
> And pings work for 192.168.1.1, 192.168.1.2 and 68.34.76.5 (ISP's DNS server)
> from the laptop.
>
> What doesn't work is Internet (DNS, actually). :-(
If your Internet connected system is one of those small commercial
NAT/Firewall boxes, you might need to specify it as your DNS server.
HTH,
David A. Bandel
--
Focus on the dream, not the competition.
- Nemesis Air Racing Team motto
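As an added example (not code from anyone in the thread), here is how the transparent-proxy rules for the Squid/DansGuardian host at 192.168.1.2 look once everything lives on 192.168.1.0/24, with the redirects in the nat PREROUTING chain for forwarded traffic and nothing in the nat OUTPUT chain, so DansGuardian's own connection to Squid on 3128 is left alone. The interface name, the IPT dry-run variable and the function names are assumptions; by default the script only prints the commands.

```shell
#!/bin/sh
# Added example: iptables rules for the single-NIC Squid/DansGuardian box.
# Default is a dry run (prints the commands); run as root with IPT=iptables
# to apply them.
IPT="${IPT:-echo iptables}"
LAN_IF="eth0"            # the one NIC, also carrying the 192.168.1.1 alias
SQUID_PORT=3128          # Squid listens here
DG_PORT=3129             # DansGuardian listens here and talks to Squid

gen_rules() {
    # Start from empty nat chains so stale OUTPUT-chain REDIRECTs vanish.
    $IPT -t nat -F PREROUTING
    $IPT -t nat -F OUTPUT

    # Forwarded traffic is rewritten in PREROUTING, not POSTROUTING:
    # REDIRECT is a DNAT to this box and must happen before routing.
    # LAN clients use 192.168.1.1 as gateway, so their port-80 packets
    # arrive on eth0 and are handed to DansGuardian on 3129.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$DG_PORT"

    # A browser pointed straight at Squid (3128) would bypass the filter,
    # so inbound 3128 from the LAN is pushed through DansGuardian as well.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport "$SQUID_PORT" \
        -j REDIRECT --to-ports "$DG_PORT"

    # Deliberately no nat OUTPUT rule: DansGuardian's locally generated
    # connection to 127.0.0.1:3128 traverses OUTPUT, and redirecting it
    # to 3129 would loop every request back into DansGuardian.
}

# Show the resulting nat table (also a dry-run print by default).
show_nat() {
    $IPT -t nat -L PREROUTING -n -v
    $IPT -t nat -L OUTPUT -n -v
}

gen_rules
```

With `IPT=iptables` the same script applies the rules; the PREROUTING listing from show_nat should then show exactly two REDIRECT entries and the OUTPUT chain should stay empty.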