Alternatively, you could also have local DNS / local hosts entries that point computerN at computer_1 when they look up whatever hostname resolves to ext_ip...

If they are on the same LAN, all normal (sane) security policy will cause their packets to be dropped when they try to reach ext_ip from inside the network that has ext_ip, and you need to bend over backwards to get them accepted..

2015-01-08 23:02 GMT+02:00 shimi <linux...@shimi.net>:
>
> On Thu, Jan 8, 2015 at 10:43 AM, Erez D <erez0...@gmail.com> wrote:
>
>> On Wed, Jan 7, 2015 at 11:41 AM, shimi <linux...@shimi.net> wrote:
>>
>>> On Wed, Jan 7, 2015 at 11:35 AM, shimi <linux...@shimi.net> wrote:
>>>
>>>> On Wed, Jan 7, 2015 at 10:16 AM, Erez D <erez0...@gmail.com> wrote:
>>>>
>>>>> hello.
>>>>>
>>>>> I have an iptables question
>>>>>
>>>>> i have the following
>>>>>
>>>>> ext_ip -> NAT1 -> linux firewall -> network -> computer1:eth0 .. computer99
>>>>>
>>>>> i have no control over NAT1.
>>>>> computer1 also can reach the internet via eth1.
>>>>>
>>>>> linux firewall redirects incoming port 7777 from ext_ip to computer1
>>>>> however i need computer2 .. computer99 to connect to ext_ip:7777 and also reach computer1
>>>>>
>>>>> so first i did a NAT rule in linux firewall to redirect all packets from internal to ext_ip:7777 to computer1. and did an 'ifconfig eth0:1 $ext_ip up' on computer1.
>>>>> this works. however it causes computer1 not to be able to access real ext_ip via eth1 which is connected to the internet as well
>>>>>
>>>>> so i thought of both doing DNAT and MASQ, which will do the same but will not require assigning ext_ip to computer1.
>>>>> however i do not know how to do that
>>>>>
>>>> If computer1 can access ext_ip:7777, all you need is to allow ip_forward (/etc/sysctl.conf for permanent, and echo 1 > /proc/sys/net/ipv4/ip_forward) on computer1, and have all other computers have a static route to ext_ip via computer1
>>>>
>>>> Then, in computer1,
>>>>
>>>> iptables -t nat -I POSTROUTING -o <interface going towards ext_ip> [ -i <interface subnet of computers come from> ] -s <subnet of computers/netmask> -p tcp --dport 7777 -j MASQUERADE
>>>>
>>>> should do...
>>>>
>>>> (of course, assuming the iptables FORWARD chain is not dropping those packets; otherwise you'd need an ACCEPT rule there, too...)
>>>>
>>>> HTH,
>>>>
>>>> -- Shimi
>>>>
>>> And on a second read, I think I got you wrong and the purpose was to access computer1 port 7777 (hopefully listening on 0.0.0.0) from computersN by using the external IP from the inside?
>>>
>> yes
>>
>> computerN default route is the linux firewall. without any rules on linux firewall, it will forward packets from computer1 destined to ext_ip to NAT1. and they will not reach computer1 at all, so rules on computer 1 are useless.
>>
>> Doing a DNAT on linux firewall will direct the packets to computer1, however computer 1 will know computerN and will reply directly without going through linux firewall, and computer1 will not match the packets to the original connection.
>>
> But if you create a static route on computerN towards the external IP via computer1 like I suggested, then these connections will not get to linux firewall at all, rather than get to computer1 (I'm assuming they're on the same L2 and share IP addresses in the same IP subnet) - so rules on computer1 will apply, wouldn't they?
>
> What am I missing?
>
> -- Shimi
>
> _______________________________________________
> Linux-il mailing list
> Linux-il@cs.huji.ac.il
> http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
>
_______________________________________________
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
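The "DNAT and MASQ" combination Erez asks about (hairpin NAT on the linux firewall, so that computer1's replies come back through the firewall and match the conntrack entry instead of going straight to computerN) is shown below as an added example; it is not code from the thread. All addresses, the interface name and the variable names are constructed placeholders.

```shell
#!/bin/sh
# Hairpin (NAT loopback) rules for the "linux firewall" in the thread.
# A LAN host connects to EXT_IP:7777; the firewall DNATs the packet to
# computer1 AND rewrites the source to its own LAN address, so computer1
# answers the firewall, which un-NATs the reply towards computerN.
# Without the POSTROUTING rule, computer1 replies directly to computerN,
# who never sees a reply from EXT_IP:7777 and the connection never opens.
# All values below are constructed placeholders (not from the thread).
EXT_IP=${EXT_IP:-203.0.113.10}      # public address on NAT1
LAN_IF=${LAN_IF:-eth1}              # firewall interface facing the LAN
LAN_NET=${LAN_NET:-192.168.1.0/24}  # internal subnet
SERVER=${SERVER:-192.168.1.11}      # computer1
PORT=${PORT:-7777}

# Emit the rules as text so they can be reviewed before being applied.
# MASQUERADE hides the real client address from computer1's logs; with
# a static firewall LAN address, SNAT --to-source keeps the same effect
# and is cheaper, but the client is still hidden either way.
hairpin_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -d $EXT_IP -p tcp --dport $PORT -j DNAT --to-destination $SERVER:$PORT
iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $SERVER -p tcp --dport $PORT -j MASQUERADE
iptables -A FORWARD -i $LAN_IF -o $LAN_IF -s $LAN_NET -d $SERVER -p tcp --dport $PORT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $LAN_IF -s $SERVER -p tcp --sport $PORT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Quick self-check: number of generated rules ending in the given target.
count_rules() {
    hairpin_rules | grep -c -- "-j $1"
}

# Print by default; "apply" turns forwarding on and loads the rules.
if [ "$1" = "apply" ]; then
    sysctl -w net.ipv4.ip_forward=1
    hairpin_rules | sh -e
else
    hairpin_rules
fi
```

The FORWARD rules are only needed if that chain's policy is DROP, as Shimi notes; the DNAT is scoped to traffic arriving on the LAN interface so the existing inbound redirect from NAT1 is left untouched.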