iptables and multiple ip-addresses?

01-07-2007, 06:18 PM

hello,

im trying to get my firewall working on my gentoo-box with kernel 2.6.19:

external addresses = x.x.x.2-16
internal addresses = 192.168.50.10 (192.168.50/24)
Webserver = 192.168.50.15:80
Tomcat=192.168.50.15:8080

and here my script:

----------------Start---------------------
EXT_IF=eth0
INT_IF=eth1

EXT_DNS=x.x.x.2
EXT_WEB=x.x.x.2
EXT_TOM=x.x.x.6

INT_WEB=192.168.50.15
INT_DNS=192.168.50.15

iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT

iptables -t nat -F

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# allow some internal traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $INT_IF -j ACCEPT
iptables -A FORWARD -i lo -j ACCEPT
iptables -A FORWARD -i $INT_IF -j ACCEPT

# Enable NAT
iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE

# Allow active connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# DNS Server
iptables -A FORWARD -i $EXT_IF -p tcp -d $INT_DNS --dport 53 -j ACCEPT
iptables -A FORWARD -i $EXT_IF -p udp -d $INT_DNS --dport 53 -j ACCEPT
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d $EXT_DNS --dport 53 -j
DNAT --to $INT_DNS
iptables -t nat -A PREROUTING -i $EXT_IF -p udp -d $EXT_DNS --dport 53 -j
DNAT --to $INT_DNS

# Webserver, Tomcat
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d $EXT_WEB --dport 80 -j
DNAT --to $INT_WEB
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d $EXT_TOM --dport 80 -j
DNAT --to $INT_WEB:8080
iptables -A FORWARD -i $EXT_IF -p tcp -d $INT_WEB --dport 80 -j ACCEPT
iptables -A FORWARD -i $EXT_IF -p tcp -d $INT_WEB --dport 8080 -j ACCEPT

----------------End---------------------

NAT, DNS and the 192.168.50.15:80 webserver are working, what im missing to
get the tomcat working?

it seems that only the external address x.x.x.2 is working, if i do an
ifconfig i see all external IF from eth0 up to eth0:14

any idea or help would be appreciated

01-07-2007, 09:35 PM

On Sun, 07 Jan 2007 20:18:42 +0100, Manuel Garcia wrote:

> external addresses = x.x.x.2-16

Is this possible, using iptables?

--
Regards/mvh Joachim MÃ¦land

If everything seems under control, you're just not going fast enough.
-Mario Andretti.

01-08-2007, 04:53 AM

>
>> external addresses = x.x.x.2-16
>
> Is this possible, using iptables?
>

can iptables handle only 1 external ip-address?

thx

01-08-2007, 09:16 AM

>>> external addresses = x.x.x.2-16
>>
>> Is this possible, using iptables?
>>
>
> can iptables handle only 1 external ip-address?
>

well tested with ip range x.x.x.16-20 and it works !
if i use the range x.x.x.2-20 and i publish the servers with x.x.x.2 or
x.x.x.16-18 it works too !
the rules does not work if i use x.x.x.3-16 ! <= why? i dont really
understand this

did some tests with:

tcpdump (listen on the external IF on address x.x.x.3): i can see incoming
packets
tcpdump (listen on the internal IF dst to Webserver): i can't see any
packets

some test with:

iptables -t nat -nvL PREROUTING
=> the publish rule for the webserver shows 0 pkts and 0 bytes ! <= again i
cant understand this
the default policy for all nat-chains is ACCEPT

here again the rules:
# Werserver, Tomcat
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d $EXT_WEB --dport 80 -j
DNAT --to $INT_WEB
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d $EXT_TOM --dport 80 -j
DNAT --to $INT_WEB:8080
iptables -A FORWARD -i $EXT_IF -p tcp -d $INT_WEB --dport 80 -j ACCEPT
iptables -A FORWARD -i $EXT_IF -p tcp -d $INT_WEB --dport 8080 -j ACCEPT

added a new rule:
iptables -A INPUT -i $EXT_IF -p tcp -d x.x.x.3 -j ACCEPT

got same result, still no chance

any ideas?

01-08-2007, 06:29 PM

>>> external addresses = x.x.x.2-16
>>
>> Is this possible, using iptables?
>>
>
> can iptables handle only 1 external ip-address?
>

well tested with ip range x.x.x.16-20 and it works !
if i use the range x.x.x.2-20 and i publish the servers with x.x.x.2 or
x.x.x.16-18 it works too !
the rules does not work if i use x.x.x.3-16 ! <= why? i dont really
understand this

did some tests with:

tcpdump (listen on the external IF on address x.x.x.3): i can see incoming
packets
tcpdump (listen on the internal IF dst to Webserver): i can't see any
packets

some test with:

iptables -t nat -nvL PREROUTING
=> the publish rule for the webserver shows 0 pkts and 0 bytes ! <= again i
cant understand this
the default policy for all nat-chains is ACCEPT

here again the rules:
# Werserver, Tomcat
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d $EXT_WEB --dport 80 -j
DNAT --to $INT_WEB
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d $EXT_TOM --dport 80 -j
DNAT --to $INT_WEB:8080
iptables -A FORWARD -i $EXT_IF -p tcp -d $INT_WEB --dport 80 -j ACCEPT
iptables -A FORWARD -i $EXT_IF -p tcp -d $INT_WEB --dport 8080 -j ACCEPT

added a new rule:
iptables -A INPUT -i $EXT_IF -p tcp -d x.x.x.3 -j ACCEPT

got same result, still no chance

any ideas?

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Multiple MAC Addresses	Brad Allison	Windows Networking	5	04-29-2007 01:56 AM
Server 2003 obtaining multiple multiple IP addresses via DHCP	pbrommer@gmail.com	Windows Networking	1	03-29-2007 02:24 AM
iptables: allow multiple source addresses	jqpx37	Linux Networking	7	10-04-2006 10:15 PM
NIC Having Multiple IP Addresses?	Anonymous	Linux Networking	12	07-29-2006 05:42 PM
Multiple IP addresses and NAT	Richard Tobin	Broadband	3	11-19-2005 10:37 PM