[GRLUG] iptables

Kaminski, Dennis J Dennis.Kaminski at dematic.com
Mon Feb 12 16:02:15 EST 2007


Thanks for the response Rick,

Here's the Linux2 routing table.

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
172.16.0.0      *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
default         virtualrtr      0.0.0.0         UG    0      0        0 eth0


Dennis J Kaminski

-----Original Message-----
From: grlug-bounces at grlug.org [mailto:grlug-bounces at grlug.org] On Behalf
Of Rick Vargo
Sent: Monday, February 12, 2007 3:49 PM
To: grlug at grlug.org
Subject: Re: [GRLUG] iptables

What does the routing table on Linux2 look like?

Rick


Kaminski, Dennis J wrote:
>
> I've been using iptables for years for security on each individual 
> box. I thought I understood it, but I'm having some trouble with 
> address translation.
>
> The 3 boxes involved used to all be on the same network.
> Linux1,         eth0 172.16.0.10/255.255.255.0
> Linux2,         eth0 172.16.0.20/255.255.255.0
> Other3,         eth0 172.16.0.30/255.255.255.0
>
> There are some security issues on Other3 (non-linux). I'm trying to
> move it to a different network, but still have it be accessible on its
> original address and restrict access using iptables on Linux2. I
> thought the following would work, but it doesn't.
>
> Linux1,         eth0 172.16.0.10/255.255.255.0 (same)
>
> Linux2, eth0 172.16.0.20/255.255.255.0 (same)
>                 eth1 192.168.0.20/255.255.255.0 (new)
>
> Other3,         eth0 192.168.0.30/255.255.255.0 (changed)
>
> The default route on Other3 is Linux2 (192.168.0.20).
>
> On Linux2, ip forwarding is turned on (/proc/sys/net/ipv4/ip_forward 
> is set to 1) and the iptables contains
>
> iptables -F
> iptables -t nat -F
> iptables -t mangle -F
> iptables -t filter -F
>
> #       set policies
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD DROP
>
> iptables -t nat -A PREROUTING  -d 172.16.0.30  -i eth0 -j DNAT 
> --to-destination 192.168.0.30
> iptables -t nat -A POSTROUTING -s 192.168.0.30 -j SNAT --to-source 
> 172.16.0.30 -o eth0
> iptables -A FORWARD -d 172.16.0.30  -j ACCEPT
> iptables -A FORWARD -d 192.168.0.30 -j ACCEPT
> iptables -A FORWARD -s 172.16.0.30  -j ACCEPT
> iptables -A FORWARD -s 192.168.0.30 -j ACCEPT
>
> iptables -A INPUT -s 172.16.0.0/255.255.255.0 -j ACCEPT 
> iptables -A INPUT -s 192.168.0.0/255.255.255.0 -j ACCEPT      
>
> I can ssh from Linux2 to Other3 and from Other3 to Linux2, BUT there 
> is a long pause (about 40 seconds) before it asks for the password.
>
> From Other3 I can ping both ip addresses of Linux2 (172.16.0.20 and 
> 192.168.0.20), but I cannot ping Linux1 (172.16.0.10)
>
> Does anyone have any words of advice?
>
> Thanks.
>
> *Dennis Kaminski*
>
>
>
_______________________________________________
grlug mailing list
grlug at grlug.org
http://shinobu.grlug.org/cgi-bin/mailman/listinfo/grlug
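An added example, not part of the thread and not the poster's script, of how the Linux2 setup described in the quoted message can be written so that it both translates and actually restricts. Two things in the quoted rules are worth noting. First, after Linux2 rewrites Other3's source address to 172.16.0.30, Linux1 (which has 172.16.0.0/24 as a directly connected network) sends its reply by ARPing for 172.16.0.30 on the wire; nothing in the quoted configuration makes Linux2 answer that request, so the reply never leaves Linux1, which matches Other3 being unable to ping Linux1 while it can reach both of Linux2's own addresses. The script below gives Linux2 that address on eth0 so it answers the ARP; a static host route for 172.16.0.30 via 172.16.0.20 on Linux1 would work too, but would have to be repeated on every host of the 172.16 network. Second, the four FORWARD rules accept every packet to or from Other3, so nothing is restricted yet; the script accepts replies via connection tracking and only new connections to a chosen set of TCP ports. The addresses and interfaces are those given in the thread. The allowed ports (ALLOWED_TCP_PORTS, default 22) and the choice of 172.16.0.0/24 as the only network permitted to open connections to Other3 are assumptions made for this example, and the run helper, which prints the commands unless APPLY=1 is set, is added here for review before anything is changed.

```shell
#!/bin/sh
# Added example for the Linux2 setup in the thread (not the poster's script).
# Without APPLY=1 it only prints the commands it would run, so they can be
# reviewed first; "APPLY=1 sh nat-other3.sh" executes them (as root, on Linux2).
#
# Addresses and interfaces are taken from the thread. ALLOWED_TCP_PORTS and
# the choice of LAN_NET as the only network that may open connections to
# Other3 are assumptions made for this example.

EXT_IF=eth0              # Linux2's leg on 172.16.0.0/24 (where Linux1 is)
INT_IF=eth1              # Linux2's leg on 192.168.0.0/24 (where Other3 moved)
PUBLIC_IP=172.16.0.30    # address Other3 keeps appearing as
REAL_IP=192.168.0.30     # Other3's new address
LAN_NET=172.16.0.0/24    # assumption: hosts allowed to open connections to Other3
INT_NET=192.168.0.0/24
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-22}"   # assumption: services on Other3 left reachable

# Print a command, or execute it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

nat_rules() {
    # Linux1 ARPs for 172.16.0.30 because 172.16.0.0/24 is its connected
    # network. Holding that address on eth0 makes Linux2 answer. Incoming
    # packets for it are still DNATed below, because PREROUTING runs before
    # the routing decision. (The proxy_arp sysctl would not help here: the
    # kernel only proxies for addresses it routes out a different interface.)
    run ip addr add "$PUBLIC_IP/32" dev "$EXT_IF"
    run sysctl -w net.ipv4.ip_forward=1

    # Clean slate and default-deny, as in the thread.
    for t in filter nat mangle; do
        run iptables -t "$t" -F
    done
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    # 1:1 translation. Connection tracking reverses each mapping for reply
    # packets, so one rule per direction of new connections is enough.
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$PUBLIC_IP" \
        -j DNAT --to-destination "$REAL_IP"
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$REAL_IP" \
        -j SNAT --to-source "$PUBLIC_IP"

    # FORWARD sees packets after PREROUTING (destination is already REAL_IP)
    # and before POSTROUTING (Other3's source is still REAL_IP), so the
    # filter rules match on the 192.168.0.30 address in both directions.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in $ALLOWED_TCP_PORTS; do
        run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -s "$LAN_NET" -d "$REAL_IP" \
            -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Other3 may still open connections outward (as in the thread's rules).
    run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$REAL_IP" \
        -m state --state NEW -j ACCEPT
    # Everything else is logged (rate-limited) and then hits the DROP policy.
    run iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "

    # Traffic to Linux2 itself, kept as permissive as the thread's INPUT rules.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -s "$LAN_NET" -j ACCEPT
    run iptables -A INPUT -s "$INT_NET" -j ACCEPT
}

nat_rules
```

Because 172.16.0.30 becomes a local address of Linux2, connections that Linux2 itself opens to that address are delivered locally rather than translated (locally generated packets skip PREROUTING), so from Linux2 keep using 192.168.0.30, as the poster already does. `-m state --state` is used because it works on both 2007-era and current iptables; `-m conntrack --ctstate` is the newer spelling of the same match. The 40-second pause before the ssh password prompt is not something the NAT rules explain; a delay of that shape is commonly a reverse DNS lookup by sshd timing out (see UseDNS in sshd_config), which is worth checking separately.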