All right, first I'd like to thank those who pointed me in the right direction towards iptables; I didn't know that Kernel 2.4 per default only uses iptables and no ipchains anymore. I now got it to work with iptables.

My second problem is only partially solved. The error was/is definitely that rp-pppoed does not set the new defaultroute properly to ppp0 but to eth1, which is wrong. I checked /etc/ppp/options, but couldn't find any relevant option. So I extended ip-up with "route del default" and "route add default ppp0", which works; but this couldn't be the way it should be done. Any ideas what could be the reason why rp-pppoed doesn't change the default route?

And one last question (okay, at least by now *g*): How do I tell Linux to forward requests to a specific port to a specific machine in the LAN? With Kernel 2.2 I used ipmasqadm, but this command is also unknown to Kernel 2.4...

Thanks in advance
Stephan
On Tuesday 08 January 2002 11:30, OKDesign oHG Security Administrator wrote:
> And one last question (okay, at least by now *g*): How do I tell Linux to forward requests to a specific port to a specific machine in the LAN? With Kernel 2.2 I used ipmasqadm, but this command is also unknown to Kernel 2.4...
Look for DNAT in "man iptables".
On your firewall machine you could try :
"iptables -t nat -A PREROUTING -i
Thank you for your hint, but the command line you gave doesn't work. The system keeps complaining (unknown arg --dport). I also tried the long version --destination-port with the same result. I looked at the manpage and found that iptables should know this argument, so there seems to be a syntax error. Does anyone have an idea what is wrong and what the correct syntax is?

thx.
Stephan

-----Original Message-----
From: Andreas Baetz [mailto:andreas.baetz@herma.de]
Sent: Wednesday, 9 January 2002 08:39
To: suse-security@suse.com
Subject: Re: [suse-security] Re: Masquerading unter Kernel 2.4
On Wednesday, 9 January 2002 13:53, OKDesign oHG Security Administrator wrote:
> "iptables -t nat -A PREROUTING -i -d --dport -j DNAT --to-destination "
> [...] The system keeps complaining (unknown arg --dport). I also tried the long version --destination-port with the same result. [...] so there seems to be a syntax error.

The protocol is missing. No [TCP|UDP], no ports.

HTH
Bjoern
This looks like it would work for my problem as well. But when I try to use this command I get a message that --dport is incorrect. When I look at iptables --help there is no entry for --dport. (I also added the -p tcp as indicated necessary in a subsequent email message.)

Thanks for any help.
Jim
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
As some people already mentioned, the protocol needs to be specified. Simply add "-p tcp" f.ex. before the -d and it works.

Stephan

-----Original Message-----
From: James Bliss [mailto:bliss@attbi.com]
Sent: Wednesday, 9 January 2002 16:41
To: OKDesign oHG Security Administrator; Bjoern Engels
Cc: suse-security@suse.com
Subject: Re: [suse-security] Re: Masquerading unter Kernel 2.4
> The system keeps complaining (unknown arg --dport). I also tried the long version --destination-port with the same result. I looked at the manpage and found that iptables should know this argument, so there seems to be a syntax error.

The syntax is correct. Just move the -j option more to the beginning of the command line. iptables parses the command line and dlopen()s shared libraries depending on the options on the command line. If the (filtering) target is too late, it won't accept the command and bails out. Known bug.

Thanks,
Roman.

--
Roman Drahtmüller
On Wednesday 09 January 2002 13:53, OKDesign oHG Security Administrator wrote:
> The system keeps complaining (unknown arg --dport). [...] so there seems to be a syntax error.

Oops.. As some others already pointed out, the proto (-p tcp or -p udp) was missing in the rule.

Andreas Baetz
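The thread gives two separate reasons for the "unknown arg --dport" error: the match option only exists once a protocol (-p tcp or -p udp) has been named, and on the iptables builds of that time the -j target had to come early on the command line or the rule was rejected. The following script is an added example written for this page, not a command posted by anyone in the thread. It builds the DNAT port-forward rule with both points handled, adds the FORWARD rule that the nat rule alone does not provide, and refuses inputs that would reproduce the error. The function names, the interface eth1, and all addresses and ports are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the suse-security thread: build an iptables (2.4-era)
# port-forward to a LAN host. Two thread pitfalls are handled:
#   1. --dport is only known after -p tcp / -p udp has been given.
#   2. -j <target> is placed right after the chain, before any match options,
#      which is the workaround Roman describes for the old parser bug.
# Interface and address values are constructed placeholders.

# build_dnat_rule PROTO WAN_IF WAN_ADDR PORT LAN_HOST [LAN_PORT]
# Prints the PREROUTING DNAT command line; does not run it.
build_dnat_rule() {
    proto=$1; wan_if=$2; wan_addr=$3; port=$4; lan_host=$5; lan_port=${6:-$4}
    case "$proto" in
        tcp|udp) ;;
        *) echo "build_dnat_rule: protocol must be tcp or udp, got '$proto'" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "build_dnat_rule: port must be numeric, got '$port'" >&2; return 1 ;;
    esac
    # -j DNAT and its --to-destination come first, then the matches.
    printf 'iptables -t nat -A PREROUTING -j DNAT --to-destination %s:%s -i %s -p %s -d %s --dport %s\n' \
        "$lan_host" "$lan_port" "$wan_if" "$proto" "$wan_addr" "$port"
}

# build_forward_rule PROTO WAN_IF LAN_HOST LAN_PORT
# The nat rule only rewrites the destination; the packet (now addressed to
# the LAN host) still has to be accepted in the FORWARD chain.
build_forward_rule() {
    proto=$1; wan_if=$2; lan_host=$3; lan_port=$4
    printf 'iptables -A FORWARD -j ACCEPT -i %s -p %s -d %s --dport %s\n' \
        "$wan_if" "$proto" "$lan_host" "$lan_port"
}

# apply_port_forward: same arguments as build_dnat_rule. Runs both rules
# (needs root and ip_forward=1); with DRY_RUN=1 it only prints them.
apply_port_forward() {
    dnat=$(build_dnat_rule "$@") || return 1
    fwd=$(build_forward_rule "$1" "$2" "$5" "${6:-$4}")
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n%s\n' "$dnat" "$fwd"
    else
        # Word-split the generated lines rather than eval them, so shell
        # metacharacters in an argument are never interpreted.
        $dnat && $fwd
    fi
}

# Demo run: ./portfwd.sh --demo prints the two rules for a constructed setup.
if [ "${1:-}" = "--demo" ]; then
    DRY_RUN=1 apply_port_forward tcp eth1 192.0.2.1 80 192.168.1.10
fi
```

Packets will only reach the LAN host if forwarding is switched on (`echo 1 > /proc/sys/net/ipv4/ip_forward`) and the FORWARD chain policy or rules let them through; the DNAT rule by itself changes the destination address and nothing else.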
Participants (6): Andreas Baetz, Bjoern Engels, James Bliss, OKDesign oHG Security Administrator, Peter Wiersig, Roman Drahtmueller