[NTLUG:Discuss] IP NAT question
Jay Urish
j at yourlinuxguru.com
Tue Sep 18 17:20:02 CDT 2001
At 05:07 PM 9/18/2001 -0500, you wrote:
>It would be easier to simply add another network card and string ethernet to
>the box if you want to fully expose the internal box to the internet. But
>even in RedHat's case (and in the case of many other distros) they are
>disabling all services by default allowing you to determine specifically
>which services are enabled. What would be the advantage of not specifying
>forwarding rule by individual port? Surely you are not intending to run
>both important services and client tasks on the same box are you? And
>aside from H.323 applications, I have yet to find something I can't run
>from behind a Linux firewall.
Here is the deal,
There are 4 separate boxes that are hooked to some electronic
test equipment. The vendor wants pcAnywhere access to these boxes as well
as the ability to map drives over the net. (I know-- it's hella stupid)
Mapping ports isn't really an option. These guys want to be able to punch in
an IP and go.
>----- Original Message -----
>From: "Jay Urish" <j at yourlinuxguru.com>
>To: <discuss at ntlug.org>
>Sent: Tuesday, September 18, 2001 5:04 PM
>Subject: Re: [NTLUG:Discuss] IP NAT question
>
>
> > At 04:50 PM 9/18/2001 -0500, you wrote:
> > >I have wanted to do similar things but you should consider using a firewall
> > >for how it was intended and forward only specific ports. "ipfwadm" is the
> > >tool I have used for that task and it works rather well. It also allows the
> > >flexibility to split services among several boxes using only one external IP
> > >address. (ex. port 80 forwards to the web server box and port 110 and 24 to
> > >the mail server box.)
> > >
> > >This allows the default firewall rules to protect your network better.
> > >Otherwise, opening up all ports...? Why not just run the ethernet straight
> > >to the box?
> >
> > Because the box on the clean side needs access to network resources.
> >
> > Believe me, I plan on filtering 99.9% of the internet out via IPchains..
> > I just need the functionality first.
> >
> >
> > >----- Original Message -----
> > >From: "Jay Urish" <j at ittotalsolutions.com>
> > >To: <discuss at ntlug.org>
> > >Sent: Tuesday, September 18, 2001 4:23 PM
> > >Subject: [NTLUG:Discuss] IP NAT question
> > >
> > >
> > > >
> > > > I am trying to NAT 3 routable IPs through a SuSE 7.2 box running kernel 2.4.4
> > > > The kernel is compiled with the advanced_ip_router flag set to Y.
> > > >
> > > > I am using ipchains as well..
> > > >
> > > > Here are more detailed specs
> > > >
> > > > the box has 2 NICs
> > > > eth0 is on the dirty side on a /27
> > > > eth1 is the clean side on a /24 (192.168.1.1)
> > > >
> > > > What I want to do is have it so I can route through the box from a dirty IP to
> > > > a clean IP. I can add ipchains rules later.
> > > >
> > > > for example:
> > > > 66.88.190.227 > 192.168.1.100
> > > >
> > > > I want to be able to ping that box , ftp to it etc...
> > > >
> > > > I have 3 IPs that I want to do this with.
> > > >
> > > > After spending 13 hours on this problem I haven't gained much ground.
> > > > I have read a zillion how-to's but still I can't gain any ground.
> > > >
> > > > I can ping the dirty IP but all I get back is
> > > >
> > > > Reply from 66.88.190.226: Destination port unreachable.
> > > > FYI .226 is the main ip of the box.
> > > >
> > > > Has anyone done this before?
> > > > I am at my wits end. I need some direction--
> > > >
> > > > TIA
> > > >
> > > > Jay Urish KB5VPS General Class ARO
> > > > Secretary Dallas Amateur Radio Club
> > > > Member: A.R.R.L, D.A.R.C, T.A.P.R, TX.VHF-FM.S
> > > >
> > > > _______________________________________________
> > > > http://www.ntlug.org/mailman/listinfo/discuss
> > > >
> >
> > Jay Urish KB5VPS General Class ARO
> > Secretary Dallas Amateur Radio Club
> > Member: A.R.R.L, D.A.R.C, T.A.P.R, TX.VHF-FM.S
> > Monitoring 145.17 443.075 PL110.9
> >
> >
Jay Urish
Your Linux Guru.
Sendmail/Bind/Apache/DHCPD/IPchains/Samba expertise all in one place!
www.yourlinuxguru.com
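One way to get the "punch in an IP and go" 1:1 mapping the thread is after, as an added example that is not code from the thread or from any list member. On a 2.4 kernel NAT lives in the netfilter nat table and is driven with iptables; the ipchains compatibility module cannot be loaded while ip_tables is, so this example assumes the box's filtering moves to iptables as well. The 66.88.190.227 -> 192.168.1.100 pair, the eth0/eth1 roles and the /27 on the dirty side come from the thread; the other two address pairs, the service list (pcAnywhere on 5631/tcp and 5632/udp, SMB drive mapping on 137-139 and 445) and the script name nat1to1.sh are assumptions of the example. The script prints the commands rather than executing them, so the rule set can be reviewed first and then piped to sh as root.

```shell
#!/bin/sh
# Added example, not from the thread: static 1:1 NAT of routable ("dirty")
# addresses to hosts on the clean side of a two-NIC Linux 2.4 box, using the
# netfilter nat table via iptables. Prints the commands; apply with:
#   sh nat1to1.sh | sh        (as root, after reviewing the output)
# Assumed, not stated in the thread: the two extra address pairs, the /27
# alias prefix and the service list the vendor needs.

EXT_IF=eth0          # dirty side, on the /27
INT_IF=eth1          # clean side, 192.168.1.0/24

# "dirty clean" pairs, one per line. The first pair is from the thread; the
# other two are constructed for this example.
MAPPINGS="66.88.190.227 192.168.1.100
66.88.190.228 192.168.1.101
66.88.190.229 192.168.1.102"

# Services allowed in to each mapped host: pcAnywhere (5631/tcp data,
# 5632/udp status) and SMB drive mapping (NetBIOS 137-139, direct SMB 445).
ALLOWED="tcp:5631 udp:5632 udp:137 udp:138 tcp:139 tcp:445"

# Rules shared by every mapping: enable forwarding, drop forwarded traffic by
# default, let replies and clean-side-initiated traffic through.
base_rules() {
  echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
  echo "iptables -t nat -F"
  echo "iptables -F FORWARD"
  echo "iptables -P FORWARD DROP"
  echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A FORWARD -i $INT_IF -o $EXT_IF -j ACCEPT"
}

# Rules for one dirty->clean pair.
one_to_one_rules() {
  dirty=$1
  clean=$2
  # The box must own the dirty address on the wire, or the upstream router
  # gets no ARP answer for it and nothing ever arrives at eth0.
  echo "ip addr add $dirty/27 dev $EXT_IF"
  # Inbound: rewrite the destination before the routing decision.
  echo "iptables -t nat -A PREROUTING -i $EXT_IF -d $dirty -j DNAT --to-destination $clean"
  # Outbound: the clean host leaves as its own dirty address, not as the
  # box's main IP, so the mapping is symmetric.
  echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $clean -j SNAT --to-source $dirty"
  # The vendor reaches the listed services only; everything else is dropped
  # by the FORWARD policy.
  for svc in $ALLOWED; do
    proto=${svc%%:*}
    port=${svc##*:}
    echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -d $clean -p $proto --dport $port -j ACCEPT"
  done
  echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -d $clean -p icmp --icmp-type echo-request -j ACCEPT"
}

# Full rule set for all mappings, on stdout.
generate_ruleset() {
  base_rules
  printf '%s\n' "$MAPPINGS" | while read dirty clean; do
    if [ -n "$dirty" ] && [ -n "$clean" ]; then
      one_to_one_rules "$dirty" "$clean"
    fi
  done
}

# Sanity check before applying: every mapping needs exactly one DNAT and one
# SNAT rule. Prints the mapping count on success, fails otherwise.
count_mappings() {
  dnat=$(generate_ruleset | grep -c -- '-j DNAT')
  snat=$(generate_ruleset | grep -c -- '-j SNAT')
  [ "$dnat" -eq "$snat" ] || return 1
  echo "$dnat"
}

generate_ruleset
```

With the FORWARD policy at DROP, the mapped hosts answer ping and the listed ports and nothing else from the dirty side, which is the "filter 99.9% of the internet" the thread asks for without having to map ports one by one on the vendor's end.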