[NTLUG:Discuss] IP NAT question

Daniel Hauck xdesign at hotmail.com
Tue Sep 18 17:07:44 CDT 2001


It would be easier to simply add another network card and string ethernet to
the box if you want to fully expose the internal box to the internet.  But
even in RedHat's case (and in the case of many other distros) they are
disabling all services by default, allowing you to determine specifically
which services are enabled.  What would be the advantage of not specifying
forwarding rules by individual port?  Surely you are not intending to run
both important services and client tasks on the same box, are you?  And
aside from H.323 applications, I have yet to find something I can't run
from behind a Linux firewall.

----- Original Message -----
From: "Jay Urish" <j at yourlinuxguru.com>
To: <discuss at ntlug.org>
Sent: Tuesday, September 18, 2001 5:04 PM
Subject: Re: [NTLUG:Discuss] IP NAT question


> At 04:50 PM 9/18/2001 -0500, you wrote:
> >I have wanted to do similar things but you should consider using a firewall
> >for how it was intended and forward only specific ports.  "ipfwadm" is the
> >tool I have used for that task and it works rather well.  It also allows the
> >flexibility to split services among several boxes using only one external IP
> >address.  (ex. port 80 forwards to the web server box and port 110 and 24 to
> >the mail server box.)
> >
> >This allows the default firewall rules to protect your network better.
> >Otherwise, opening up all ports...?  Why not just run the ethernet straight
> >to the box?
>
> Because the box on the clean side needs access to network resources.
>
> Believe me, I plan on filtering 99.9% of the internet out via IPchains..
> I just need the functionality first.
>
>
> >----- Original Message -----
> >From: "Jay Urish" <j at ittotalsolutions.com>
> >To: <discuss at ntlug.org>
> >Sent: Tuesday, September 18, 2001 4:23 PM
> >Subject: [NTLUG:Discuss] IP NAT question
> >
> >
> > >
> > > I am trying to NAT 3 routable IPs through a SuSE 7.2 box running kernel
> >2.4.4
> > > The kernel is compiled with the advanced_ip_router flag set to Y.
> > >
> > > I am using ipchains as well..
> > >
> > > Here are more detailed specs
> > >
> > > the box has 2 NIC's
> > > eth0 is on the dirty side on a /27
> > > eth1 is the clean side on a /24 (192.168.1.1)
> > >
> > > What I want to do is have it so I can route through the box from a dirty
> >IP to
> > > a clean IP. I can add ipchains rules later.
> > >
> > > for example:
> > > 66.88.190.227 > 192.168.1.100
> > >
> > > I want to be able to ping that box , ftp to it etc...
> > >
> > > I have 3 ip's that I want to do this with.
> > >
> > > After spending 13 hours on this problem I haven't gained much ground.
> > > I have read a zillion how-to's but still I can't gain any ground.
> > >
> > > I can ping the dirty ip but all I get back is
> > >
> > > Reply from 66.88.190.226: Destination port unreachable.
> > > FYI .226 is the main ip of the box.
> > >
> > > Has anyone done this before?
> > > I am at my wits end. I need some direction--
> > >
> > > TIA
> > >
> > > Jay Urish       KB5VPS  General Class ARO
> > > Secretary Dallas Amateur Radio Club
> > > Member: A.R.R.L, D.A.R.C, T.A.P.R, TX.VHF-FM.S
> > >
> > > _______________________________________________
> > > http://www.ntlug.org/mailman/listinfo/discuss
> > >
>
> Jay Urish       KB5VPS  General Class ARO
> Secretary Dallas Amateur Radio Club
> Member: A.R.R.L, D.A.R.C, T.A.P.R, TX.VHF-FM.S
> Monitoring 145.17 443.075 PL110.9
>
>
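The approach the two replies above recommend, forwarding only specific ports from the one external address to the right internal box, as a worked example. This script is added here and is not from anyone in the thread. It assumes the eth0 (dirty) / eth1 (clean) layout Jay describes, and it uses iptables (the netfilter tool for 2.4 kernels) rather than ipchains or ipfwadm; the internal hosts 192.168.1.100 (web) and 192.168.1.101 (mail), the port list, and the helper names are all constructed for the example. Inputs are validated before any rule is built, and DRY_RUN=1 prints the rules instead of loading them, so the policy can be reviewed before it touches a live firewall.

```shell
#!/bin/sh
# Added example, not from the NTLUG thread. Per-port forwarding (DNAT) from one
# external IP to internal hosts, with default-deny forwarding.
# Assumed interfaces follow Jay's layout: eth0 = dirty side, eth1 = clean side.
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"

# Forwarding table (constructed for the example): proto:ext_port:int_ip:int_port
FORWARDS="tcp:80:192.168.1.100:80
tcp:25:192.168.1.101:25
tcp:110:192.168.1.101:110"

# run: print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# valid_port: digits only, 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_ipv4: exactly four dotted octets, each 0..255
valid_ipv4() {
    IFS=. read -r a b c d rest <<EOF
$1
EOF
    [ -n "$d" ] && [ -z "$rest" ] || return 1
    for o in "$a" "$b" "$c" "$d"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# base_policy: drop forwarded traffic by default, allow replies to existing
# flows, and let the clean side initiate outbound connections.
base_policy() {
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    run iptables -t nat -F PREROUTING
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -j ACCEPT
}

# forward_port proto ext_port int_ip int_port
# One DNAT rule plus the matching FORWARD accept; returns 1 on invalid input.
forward_port() {
    proto=$1; ext_port=$2; int_ip=$3; int_port=$4
    case "$proto" in
        tcp|udp) ;;
        *) echo "bad proto: $proto" >&2; return 1 ;;
    esac
    valid_port "$ext_port" && valid_port "$int_port" || { echo "bad port" >&2; return 1; }
    valid_ipv4 "$int_ip" || { echo "bad ip: $int_ip" >&2; return 1; }
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -p "$proto" --dport "$ext_port" \
        -j DNAT --to-destination "$int_ip:$int_port"
    run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p "$proto" \
        -d "$int_ip" --dport "$int_port" -m state --state NEW -j ACCEPT
}

# apply_forwards: walk the table; the first invalid entry aborts with status 1
# so a typo never leaves a half-loaded rule set.
apply_forwards() {
    echo "$FORWARDS" | while IFS=: read -r proto eport ip iport; do
        [ -n "$proto" ] || continue
        forward_port "$proto" "$eport" "$ip" "$iport" || exit 1
    done
}

# Usage: "sh fw.sh preview" prints the rules; "sh fw.sh apply" loads them.
case "${1:-}" in
    preview) DRY_RUN=1 base_policy; DRY_RUN=1 apply_forwards ;;
    apply)   base_policy; apply_forwards ;;
esac
```

Everything not listed in FORWARDS is still dropped by the FORWARD policy, which is the property the replies are after: the internal hosts reach the outside through the clean-side interface, but only the listed services are reachable from the dirty side.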


