[TriLUG] Iptables help

Aaron S. Joyner aaron at joyner.ws
Wed Mar 24 12:49:59 EST 2004


Okay, I'll give the original question a shot.  Feel free to correct me 
if I flub something, I'm going to type this out mostly from memory.

First, a brief network description is in order...
"Internal"-ish network
Box1 | eth0 | 10.0.0.2 | eth0 -> Box2's eth0
Box2 | eth0 | 10.0.0.1 | eth0 -> Box1's eth0

"External"-ish network
Box2 | eth1 |  4.3.2.2 | eth1 -> Box3's eth0
Box3 | eth0 |  4.3.2.1 | eth0 -> Box2's eth1

To setup what you describe, first, you'll need to ensure all 3 machines 
can ping each other:
1) Ensure Box1 can ping 10.0.0.1
2) Ensure Box2 can ping 10.0.0.2 and 4.3.2.1
3) Ensure Box3 can ping 4.3.2.2

Next, if this setup is not quite so simplified (if Box2 and Box3 aren't 
on the same physical network), you'll need to ensure that Box2 has a 
default gateway.  This is sort of implied by Step 3 of the previous 
statement, but I'm making it explicit in case you ignored my ping steps 
and brazenly continued.  :p
Box2# ip route show dev eth1
4.3.2.0/24  proto kernel   scope link  src 4.3.2.2
default via x.x.x.x (some machine that can route to 4.3.2.1)

Then you'll need to configure Box2 to do three things:
1) Route packets between interfaces
2) Log the packets you want it to
3) Masquerade packets from eth0 to eth1

----- Sample configuration session on Box2 -----
Box2# whoami
root
Box2# echo 1 > /proc/sys/net/ipv4/ip_forward
Box2# iptables -A FORWARD -p icmp -s 10.0.0.0/24 -j LOG
Box2# iptables -t nat -A POSTROUTING -o eth1 -s 10.0.0.0/24 -j MASQUERADE
----- End sample session -----

You should then be able to ping Box3 from Box1, and Box2 will masquerade 
the packets, and log them to syslog.  Note: a malicious user could then 
do a relatively light ping flood and possibly bring that box to its 
knees (depending on its hardware, as logging is a lot more intensive 
than just masquerading), so you should explore the --limit options for 
the LOG target before getting this anywhere near a production setup.

Potential gotchas: If things don't go as you expect, ensure that:
- the iptables default rules are all set to ACCEPT.
- do you actually have routes for each of the interfaces?
   (à la: 'ip route show dev eth0' on Box1 should return something like...
    10.0.0.0/24  scope link)
- Your testing method of "is it getting a ping" is valid...
- All of the original ping tests _really_ work...

That should be enough to get the basics across.  If your instructor 
can't get it working from that description, I hate to say it, but they 
need to find a new instructor.  This is truly basic stuff - heck I've 
been doing masquerading since the mid 90s when it was just two or three 
machines sharing a dialup connection.  16-year-olds figure it out every day 
from Google.

I hope this all turns out to be helpful, for this much typing.  :p
Maybe someone on Google will benefit from it one of these days.  :)

Aaron S. Joyner
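The three-step Box2 configuration above (forward, log, masquerade), as a single runnable script. This is an added example, not Aaron's posted session: it assumes the LAN is 10.0.0.0/24 behind eth0 and the upstream link is eth1 (overridable via LAN_NET, LAN_IF and WAN_IF), it puts the MASQUERADE rule in nat/POSTROUTING (the only chain that accepts that target), logs the forwarded pings in FORWARD rather than INPUT, and rate-limits the LOG rule with the `limit` match so a ping flood cannot drown syslog. Without APPLY=1 it only prints the commands it would run, so it can be reviewed on a non-root box; masq_chain_ok is a small self-check that catches the PREROUTING/POSTROUTING mix-up before anything is applied.

```shell
#!/bin/sh
# Added example (not from the original post): NAT gateway setup for Box2.
# Assumed topology: LAN 10.0.0.0/24 on eth0, upstream on eth1.
# Usage:  sh nat-gw.sh            # print the rule set only
#         APPLY=1 sh nat-gw.sh    # apply it (must be root)

LAN_NET="${LAN_NET:-10.0.0.0/24}"
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"

# Emit the full rule set, one command per line, in the order it must run.
nat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p icmp -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FWD-ICMP: "
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Return 0 if a rule line is sane w.r.t. the MASQUERADE target:
# MASQUERADE is only valid in the nat table's POSTROUTING chain, so a
# line that names the target in any other chain is rejected.
masq_chain_ok() {
    case "$1" in
        *MASQUERADE*)
            case "$1" in
                *POSTROUTING*) return 0 ;;
                *)             return 1 ;;
            esac ;;
        *) return 0 ;;
    esac
}

# Self-check every generated line before doing anything with it.
nat_rules | while IFS= read -r line; do
    masq_chain_ok "$line" || { echo "bad chain for MASQUERADE: $line" >&2; exit 1; }
done

if [ "${APPLY:-0}" = "1" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "APPLY=1 requires root" >&2; exit 1; }
    nat_rules | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd"
    done
    # Confirm the kernel really is forwarding (the most common gotcha).
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ] || echo "warning: ip_forward still 0" >&2
else
    nat_rules
fi
```

The two FORWARD ACCEPT rules are harmless while the default policies are ACCEPT (as the gotchas list assumes), but they are what keeps the gateway working once FORWARD is later switched to a DROP policy; the reply-direction rule relies on connection tracking, which MASQUERADE needs anyway.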


Greg Kuhn wrote:

>First off, I apologize for the inconvenience, didn't know that everybody was going to get the email. I thought all email for the mailing list was routed through the trilug at trilug.org address. I have lowered my spam blocker to medium which should take care of the problem.
>
>and
>
>Secondly, if I had the rules that I was trying I would post them, the machines we use are blocked from the internet because we have root access and therefore I can't get the rules tried. From my point of view nobody's doing my homework for me or us. We were all working independently. No one was successful. End of assignment, I'm just trying to get the rule sets needed so that we can all see what we should have done. I will try the suggestions provided and maybe I will figure it out. If someone can provide the solution easily and wants to, great, if not that's fine too. Just thought I would ask.
>
>Thanks, Greg
>
>-----Original Message-----
>From: Jon Carnes <jonc at nc.rr.com>
>Sent: Mar 24, 2004 6:36 AM
>To: Triangle Linux Users Group <trilug at trilug.org>
>Subject: Re: Re: [TriLUG] Iptables help
>
>Dear List maintainers (that's the Steering committee),
>
>Can we VERP the list and have this individual kicked off?
>
>Many thanks - Jon Carnes
>
>===
>On Wed, 2004-03-24 at 09:33, automated-response at earthlink.net wrote:
>
>>This is an automatic reply to your email message to
>>thetruthisoutthere at earthlink.net
>>
>>This email address is protected by EarthLink spamBlocker. Your email
>>message has been redirected to a "suspect email" folder for
>>thetruthisoutthere at earthlink.net. In order for your message to be
>>moved to this recipient's Inbox, he or she must add your email address
>>to a list of allowed senders.
>>
>>Click the link below to request that thetruthisoutthere at earthlink.net
>>add you to this list.
>>https://webmail.pas.earthlink.net/wam/addme?a=thetruthisoutthere@earthlink.net&id=1b68rFPh3NZFk70
>>
>
