[plug] Multiple WAN IP's routed down DSL line

Shannon Carver Shannon.Carver at P-S-T.COM.AU
Wed Jul 6 11:43:28 WST 2005


Thanks for your quick reply guys, I have since removed the extra
interface (eth1:1) for xxx.xxx.108.32.  All is still up and working
correctly (the web server on 108.32, that is).

I've created forwarding rules for the new boxes, as such:
iptables -A PREROUTING -t nat -d xxx.xxx.66.105 -p tcp --dport 80 -j
DNAT --to 192.168.0.9
iptables -A PREROUTING -t nat -d xxx.xxx.66.105 -p udp --dport 80 -j
DNAT --to 192.168.0.9
iptables -A PREROUTING -t nat -d xxx.xxx.66.106 -p tcp --dport 22 -j
DNAT --to 192.168.0.10
iptables -A PREROUTING -t nat -d xxx.xxx.66.106 -p udp --dport 22 -j
DNAT --to 192.168.0.10

But I can't connect to any of these services from outside on these IP's.
Am I wrong in assuming that the route is not set up correctly on my
ISP's side as yet?  They did say it would be complete by this morning,
but I would not put it past them to have a delay on this process.

Thanks Again

Shannon Carver

-----Original Message-----
From: plug-bounces at plug.org.au [mailto:plug-bounces at plug.org.au] On
Behalf Of Leon Brooks
Sent: Wednesday, 6 July 2005 11:16 AM
To: plug at plug.org.au
Subject: Re: [plug] Multiple WAN IP's routed down DSL line

On Wednesday 06 July 2005 09:56, Shannon Carver wrote:
> Now, to apply this new IP range, (xxx.xxx.66.104/29), I've gone a bit
> out of my depth of understanding.

Use iptables and -j DNAT to forward just the traffic you need to those 
servers on internal IP addresses:

iptables -t nat -A PREROUTING -p tcp -d $EXTERNALIP \
  --dport $PORTNUM -j DNAT --to $INTERNALIP

So to direct DNS traffic for xxx.xxx.66.105 to your internal server to 
which you've assigned the address 172.17.2.172 you would do:

iptables -t nat -A PREROUTING -p tcp -d xxx.xxx.66.105 \
  --dport 53 -j DNAT --to 172.17.2.172
iptables -t nat -A PREROUTING -p udp -d xxx.xxx.66.105 \
  --dport 53 -j DNAT --to 172.17.2.172

This has the added advantage of automatically "firewalling" any ports on 
the target server which were unintentionally left open, and dropping 
any unwanted traffic at the firewall rather than sending it across the 
LAN for the target server to drop.

For web traffic, you would use -p tcp and --dport 80 for standard web 
and --dport 443 for HTTPS.

I also use this technique for making SSH/RDP/VNC to internal machines 
available on odd ports (and usually from a restricted address range). I 
melted a customer's brain one day by having VNC to the same address 
(and port) hit different internal machines depending on where it was 
coming from.

Cheers; Leon

-- 
http://cyberknights.com.au/     Modern tools; traditional dedication
http://plug.linux.org.au/       Member, Perth Linux User Group
http://slpwa.asn.au/            Member, Linux Professionals WA
http://osia.net.au/             Member, Open Source Industry Australia
http://linux.org.au/            Member, Linux Australia
_______________________________________________
PLUG discussion list: plug at plug.org.au
http://www.plug.org.au/mailman/listinfo/plug
Committee e-mail: committee at plug.linux.org.au
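An added example, not code from either message in this thread, that covers both Shannon's "can't connect" question and Leon's DNAT technique: it emits the full rule set a port-forward needs (the nat/PREROUTING DNAT line, the filter/FORWARD accept that must accompany it, and ip_forward), supports Leon's source-restricted variant for SSH/VNC, and parses the packet counters of `iptables -t nat -L PREROUTING -v -n -x` to tell whether traffic for a given external address is reaching the gateway at all. The addresses 203.0.113.x and 198.51.100.0/24, the function names, and the counter listing are constructed stand-ins; the xxx.xxx.66.x range from the thread is not used.

```shell
#!/bin/sh
# Added example, not from the list thread: the complete rule set a DNAT
# port-forward needs (the PREROUTING line plus the FORWARD rule and
# ip_forward that must also be in place), and a check of whether a DNAT
# rule is seeing any traffic. 203.0.113.x / 198.51.100.x and the counter
# listing below are constructed stand-ins for the thread's xxx.xxx.66.x range.

# Commands are printed unless DRY_RUN=0, so rules can be reviewed before
# they are applied (applying needs root and a kernel with netfilter).
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "0" ]; then eval "$1"; else printf '%s\n' "$1"; fi
}

# Without this the kernel never forwards the rewritten packet at all.
enable_forwarding() {
    run "sysctl -w net.ipv4.ip_forward=1"
}

# dnat_rule EXT_IP PROTO PORT INT_IP [ALLOWED_SRC]
# Forwards EXT_IP:PORT to INT_IP:PORT; with ALLOWED_SRC only that source
# range is accepted (the "restricted address range" idea for SSH/VNC).
dnat_rule() {
    ext="$1"; proto="$2"; port="$3"; int="$4"; src="${5:-}"
    srcmatch=""
    [ -n "$src" ] && srcmatch=" -s $src"
    # 1. nat/PREROUTING: rewrite the destination before the routing decision.
    run "iptables -t nat -A PREROUTING -p $proto -d $ext$srcmatch --dport $port -j DNAT --to-destination $int"
    # 2. filter/FORWARD: DNAT alone is useless if FORWARD's policy is DROP;
    #    the rewritten packet must also be allowed through.
    run "iptables -A FORWARD -p $proto -d $int$srcmatch --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
}

# dnat_hits EXT_IP PORT LISTING
# Sums the packet counters of the DNAT rules for EXT_IP/PORT in LISTING,
# the text of `iptables -t nat -L PREROUTING -v -n -x`. A counter that
# stays at 0 while you connect from outside means packets for that address
# never reach this box (upstream routing), not that the rule is wrong.
dnat_hits() {
    ext="$1"; port="$2"
    printf '%s\n' "$3" | awk -v ext="$ext" -v port="$port" '
        $3 == "DNAT" && $9 == ext && $11 == ("dpt:" port) { hits += $1 }
        END { print hits + 0 }'
}

# Constructed listing: the .105 web forward has been hit, the .106 SSH one
# has not (the symptom to expect while the ISP route is still missing).
SAMPLE_NAT=$(cat <<'EOF'
Chain PREROUTING (policy ACCEPT 1234 packets, 98765 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      17     1020 DNAT       tcp  --  *      *       0.0.0.0/0            203.0.113.105        tcp dpt:80 to:192.168.0.9
       0        0 DNAT       tcp  --  *      *       0.0.0.0/0            203.0.113.106        tcp dpt:22 to:192.168.0.10
EOF
)

enable_forwarding
dnat_rule 203.0.113.105 tcp 80 192.168.0.9
dnat_rule 203.0.113.105 tcp 443 192.168.0.9
dnat_rule 203.0.113.106 tcp 22 192.168.0.10 198.51.100.0/24   # SSH from one range only

echo "hits on .105:80 = $(dnat_hits 203.0.113.105 80 "$SAMPLE_NAT")"   # 17
echo "hits on .106:22 = $(dnat_hits 203.0.113.106 22 "$SAMPLE_NAT")"   # 0
# Live check on the gateway:
#   dnat_hits 203.0.113.106 22 "$(iptables -t nat -L PREROUTING -v -n -x)"
```

Run it as-is to see the rules it would add; run with DRY_RUN=0 as root to apply them. If the PREROUTING counter for an address stays at zero while you connect from outside, the packets are not arriving on the DSL link, which points at the upstream route rather than at the DNAT rules; if the counter climbs but the connection still fails, look at the FORWARD chain and ip_forward next.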