Re: [SLUG] Linux Networking with IPTABLES

From: Paul Aitken (paitken1@tampabay.rr.com)
Date: Fri Apr 18 2003 - 17:38:02 EDT


I am using a router; it's called RH Linux 8.
I don't have a hardware router.
----- Original Message -----
From: "Ricardo A. Rodriguez P." <ricardo@ricardorodriguez.net>
To: "Slug Nks" <slug@nks.net>
Sent: Friday, April 18, 2003 12:56 PM
Subject: Re: [SLUG] Linux Networking with IPTABLES

> Isn't it easier for you to do that through the router?
>
> What router are you using?
>
> If you are using a linksys there's an easier way to do that with the
> router settings.
>
>
> On Fri, 2003-04-18 at 07:41, Backward Thinker wrote:
> Your post was a little confusing. Are you trying to block incoming
> connections from the internet to computers on your internal lan? If so,
> you're already done. Unless you've set up PREROUTING, people can reach your
> router, and that's it (though your router can reach your lan, so make sure
> it's up on patches and unnecessary services are disabled).
>
> But it sounds like you want 192.168.1.2 to be able to receive incoming
> traffic from outside your linux router with a public ip address? If so,
> here's the best way. First realize that 192.168.1.2 is an internal ip
> address, not publicly routable, meaning that although people on your lan
> can reach 192.168.1.2, when anybody outside your LAN tries to send packets
> to 192.168.1.2 it isn't gonna reach you. But, the ip address of your rr
> address is publicly routable. So instead of people connecting to
> 192.168.1.2, people will be connecting to your linux router, and the linux
> router will do the magic of routing it correctly through your lan, a la
> iptables and PREROUTING. So, for example, if you had an http server on a
> box in your internal lan, you would have the linux router preroute anything
> on port 80 (or whatever) to that http server on the internal lan.
>
> Anyway, long story short, what you want is something like:
>
> /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.2
>
> Since the external computers will only see one ip address, you can't
> really double up on ports. Like, if you wanted to run two different
> web-servers on different boxes, both on port 80... external computers will
> actually have to go through a different port on the router to get forwarded
> to the other host, unless you got more specific than -i eth0. So a second
> rule would look like:
>
> /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to 192.168.1.3:80
>
> So with the two above PREROUTING rules, those who connect to
> IP-ADDRESS-OF-ROUTER:80 will get to 192.168.1.2:80, and those who connect to
> IP-ADDRESS-OF-ROUTER:8080 will get to 192.168.1.3:80. Make sense?
>
> There's a lot more detail in the (unfortunately very long) Linux IP
> Masquerade HOWTO. http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/
>
> Good luck,
> ~ Daniel
>
>
> --- "Paul Aitken" <paitken1@tampabay.rr.com> wrote:
>
> Hello,
> I am quite the linux newbie, and have tried to get assistance in
> networking with linux. I am successfully routed through a linux machine,
> but am trying to block internet to another computer.
>
> My main internet connection comes from eth0, which is directly
> connected to my cable modem.
>
> I then have a LAN cord run from eth1 to a hub.
> The hub then has two more cords plugged into it.
>
> I only want the computer with the ip address 192.168.1.2 to receive
> internet...can you tell me how to do this please?
>
> Thank you
> Paul
>
>
>
>
> --
> Ricardo A. Rodriguez Peralta
> ricardo@ricardorodriguez.net
>
> Powered by: Linux 2.4.19
> http://RicardoRodriguez.net
>
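The two PREROUTING rules from Daniel's reply, together with the FORWARD rules Paul's original question calls for (let only 192.168.1.2 out to the internet), as an added example; this is my script, not anything posted in the thread. Interface names and addresses are taken from the thread, the rest (a DROP policy on FORWARD, conntrack state matching, MASQUERADE on eth0) is my assumption, and by default the script only echoes the rules instead of applying them.

```shell
#!/bin/sh
# Dry-run by default: every rule is echoed instead of applied.
# Set IPT=/sbin/iptables in the environment to apply for real (needs root).
IPT="${IPT:-echo /sbin/iptables}"
EXT_IF=eth0                 # cable modem side, as in the thread
LAN_IF=eth1                 # hub side, as in the thread
ALLOWED_LAN_HOST=192.168.1.2

# Forward one external TCP port on the router to an internal host:port.
# The DNAT rule alone is not enough once the FORWARD policy is DROP: the
# rewritten packet still has to be accepted in the filter table, so both
# rules are emitted as a pair.
forward_port() {
    ext_port=$1; dest_ip=$2; dest_port=${3:-$1}
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$ext_port" \
        -j DNAT --to-destination "$dest_ip:$dest_port"
    $IPT -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -p tcp -d "$dest_ip" \
        --dport "$dest_port" -j ACCEPT
}

# Let only one LAN host out to the internet; every other box on the hub
# falls through to the DROP policy. Replies to allowed traffic come back
# through the ESTABLISHED,RELATED rule.
restrict_lan() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -s "$ALLOWED_LAN_HOST" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

# Full ruleset: LAN restriction first, then the two forwards from the thread
# (router:80 -> 192.168.1.2:80 and router:8080 -> 192.168.1.3:80).
build_ruleset() {
    restrict_lan
    forward_port 80 192.168.1.2 80
    forward_port 8080 192.168.1.3 80
}

build_ruleset
```

Run it once as-is to review the echoed rules, then `IPT=/sbin/iptables sh script.sh` as root to load them; the order matters because FORWARD is evaluated top to bottom.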



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 18:12:31 EDT