Multiple static ip's, need help with configuring the ip tables

Status
Not open for further replies.

joelkota (IS-IT--Management, AU)
May 20, 2004
Hi all,

I am relatively new to iptables and I need help in configuring a customer's firewall.
A DSL connection has been established and the firewall (ClarkConnect) is working fine using Squid and Snort.
The IP addresses allocated are in a different subnet, and I spoke to the ISP and they said that they are routing through to my main IP, but there is no answer back.
Would anyone be able to help me? I think I need to set up the routing tables correctly?

Thanks Joel
 
Post the output of ifconfig and route -n on the router and on another machine that should be reachable on the local subnet.
 
eth0 Link encap:Ethernet HWaddr 00:00:E8:50:02:E2
inet addr:165.228.124.146 Bcast:165.228.124.255 Mask:255.255.255.0
UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
RX packets:20468 errors:1 dropped:0 overruns:0 frame:0
TX packets:18196 errors:4 dropped:0 overruns:0 carrier:4
collisions:0 txqueuelen:100
RX bytes:7986338 (7.6 Mb) TX bytes:2281627 (2.1 Mb)
Interrupt:12 Base address:0xa000

eth1 Link encap:Ethernet HWaddr 00:50:BF:E4:82:DE
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:29970 errors:0 dropped:0 overruns:0 frame:0
TX packets:18096 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:4105051 (3.9 Mb) TX bytes:7919806 (7.5 Mb)
Interrupt:10 Base address:0x4000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:4 errors:0 dropped:0 overruns:0 frame:0
TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:256 (256.0 b) TX bytes:256 (256.0 b)



Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
165.228.124.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 165.228.124.147 0.0.0.0 UG 0 0 0 eth0


203.44.26.80/29 is the range I need to add.
 
1. From OP, eth0 is probably using dhcp and the subnet router is at x.x.x.147. Is this correct?

2. Why do you think you need to add routes to 203.44.26.80/29? Routing does not work in this way. Your configuration is either correct or incorrect as is.

3. If you need to add an address in the above range and keep the existing address, then add a subinterface:
Code:
ifconfig eth0:1 203.44.26.81 netmask 255.255.255.248 up

4. If you are routing internal traffic then you will need to check if /proc/sys/net/ipv4/ip_forward is set to 1, and how your FORWARD table is set up. Use iptables -L -v -n.

HTH
 
marsd is correct.

192.168.x.x can *never* be advertised on the internet and nothing will route to them. What you need is Network Address Translation on the router.
 
I'll explain a bit more.

The PPPoE connection that the firewall is establishing is getting a static IP of 165.228.124.146.

The ISP has given me 5 additional IPs, 203.44.26.80/29 (broadcast address); the active IPs are 81, 82, 83, 84, 85.

These IP addresses are getting routed from the ISP to the 165 address, but there is no answer from the firewall.

I need a few things to happen.

1. I need to be able to ping these addresses and get a reply from them.

2. I need to port forward port 80 from the 203 addresses to certain machines on the local network, i.e. 192.168.1.3, 1.4, 1.5.

Thanks for the speedy responses as well.

Joel
 
If your ISP is NAT-ing the 203.44.26.x to your current 165.228.124.146 address, what are the additional 165.x.x.x addresses that you should be using?


--== Anything can go wrong. It's just a matter of how far wrong it will go till people think its right. ==--
 
Okay. You currently have access through your 165.x/24 network. Additionally the ISP has given you some addresses in another subnet, the 203.x/29 addresses. Why this is necessary is beyond me, but okay.

Just some basic theory here. If I have an interface on a different network than the one I am sending to, it needs to have a route to this network. There is no way to magically route packets originating from 203.x/29 sent from your 165.x/24 addressed interface and expect to receive them without SNAT or assigning a (sub)interface on the correct network. As a matter of fact, to create such packets in your current configuration would take SNAT or libnet. ;)

Solution:
I would simply add a subinterface, as shown above, using one of your allotted 203.x/29 addresses. You can then easily add DNAT rules to redirect traffic destined for the remaining addresses in the 203.x/29 range to internal machines.
Example-
Code:
ifconfig eth0:1 203.44.26.81 netmask 255.255.255.248 up
iptables -t nat -A PREROUTING -d 203.x.x.8x -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.x:80
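The approach marsd describes, written out as an added example (not from the thread): alias 203.44.26.81 onto eth0, DNAT port 80 on the other addresses to the LAN hosts Joel named, and add the matching FORWARD rules and ip_forward check from point 4 above. The public-to-private mapping is constructed for illustration; the script only prints the commands unless run as root with DRY_RUN=0.

```sh
#!/bin/sh
# Added example: alias one /29 address on the firewall, DNAT TCP/80 on the
# rest to internal web servers. Prints commands by default (DRY_RUN=1).
set -eu

EXT_IF="eth0"                     # external interface, per the ifconfig output
ALIAS_IP="203.44.26.81"           # first usable address of the /29, held by the firewall
NETMASK="255.255.255.248"         # /29
# Constructed mapping (assumption): public address -> internal web server
PORT_MAP="203.44.26.82=192.168.1.3
203.44.26.83=192.168.1.4
203.44.26.84=192.168.1.5"
DRY_RUN="${DRY_RUN:-1}"

# Echo the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi; }

# Subinterface carrying the firewall's own public address.
alias_cmd() { echo "ifconfig ${EXT_IF}:1 $1 netmask $NETMASK up"; }

# PREROUTING DNAT: TCP/80 arriving on EXT_IF for public IP $1 goes to host $2.
dnat_cmd() {
  echo "iptables -t nat -A PREROUTING -i $EXT_IF -d $1 -p tcp --dport 80 -j DNAT --to-destination $2:80"
}

# FORWARD is evaluated after nat/PREROUTING, so it must match the *internal*
# destination; a DROP policy on FORWARD would otherwise silently eat the flow.
forward_cmd() {
  echo "iptables -A FORWARD -i $EXT_IF -d $1 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT"
}

# DNAT'd traffic never reaches the LAN unless the kernel forwards packets.
forwarding_enabled() {
  [ -r /proc/sys/net/ipv4/ip_forward ] && [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ]
}

apply_all() {
  run $(alias_cmd "$ALIAS_IP")                 # unquoted on purpose: split into argv
  echo "$PORT_MAP" | while IFS='=' read -r pub priv; do
    [ -n "$pub" ] || continue
    run $(dnat_cmd "$pub" "$priv")
    run $(forward_cmd "$priv")
  done
  # Replies from the LAN hosts back out to the Internet.
  run iptables -A FORWARD -o "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
  forwarding_enabled || echo "# warning: ip_forward is 0; set it to 1 before applying" >&2
}

apply_all
```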
 