Masaru Nomiya wrote:
Hello,

In the Message;

Subject : How to setup my network?
Message-ID : 168871355810.3809.7792001584785391320@mailman3.infra.opensuse.org
Date & Time: Fri, 07 Jul 2023 07:05:58 -0000

[MC] == Marc Chamberlin via openSUSE Users users@lists.opensuse.org has written:

MC> Hello OpenSuSE, I have been trying/experimenting with setting up my SOHO network of about 5 computers, most of which are running OpenSuSE 15.4 x64, and one (my main gateway computer to the internet) running OpenSuSE 15.3 x64. All systems are using the Plasma/KDE desktop. My main gateway computer is called "quasar" and the other systems have names such as "bigbang", "nova", etc...

MC> My network is split into 2 halves, 192.168.10.0/25 is my "internal" zone, and 192.168.10.128/25 is my "dmz" zone. Except for "quasar" each computer has 2 NICs, one for each of my zones. Addresses and default routes are assigned by a dhcpd server, and that much is working fine (AFAIK) at the moment.

MC> "Quasar" has 3 NICs, one of which is for my "external" zone, and the other two are for my "internal" and "dmz" zones respectively. The "internal" zone NIC is given a static IP address of 192.168.10.100 and the "dmz" zone NIC is given a static IP address of 192.168.10.200.

MC> My "external" zone NIC has been assigned 5 different public IP4 addresses, all statically assigned by using the YaST2->Network Card Setup to assign one of these public IP4 addresses to the NIC card itself, and the other 4 public IP4 addresses are assigned to this same "external" NIC card as additional addresses for that "external" NIC card.

MC> What I want to accomplish is to set up the routing so that any incoming traffic to one of these external additional IP4 addresses, on a port, gets routed from "quasar" to one of my other computers on the DMZ side of my network on the same port number.

MC> So for example, let's say there is incoming traffic whose destination is 111.111.111.112:10. I want this to be routed/forwarded to my internal computer called "Nova" at its DMZ address of say 192.168.10.210:10 and I don't want to specify a rule for each and every port number specifically. Different computers will have different services listening on different ports.

MC> How do I accomplish this? So far I have tried lots of combinations of setting up rich and direct rules in firewalld, using firewalld's port forwarding rules, using the route tables in Yast2 -> Network Setup, and trying to write iptables rules directly. I have turned on masquerading of course or used nat/dnat rules in iptables. This seems like it should be fairly straight-forward, but I have found no joy getting this to work. (and have spent many days trying to grok a solution) I would sure appreciate it if any guru here could show me how to accomplish this wretched task before I pull all my hair out! One caveat, it would be extremely difficult for me to run extra cables and I really really want to accomplish this virtually with only software configuration solutions.

Sorry, just for testing. ChatGPT replies:

You can use the iptables command to forward traffic from one IP address to another IP address on the same port in OpenSUSE. Here is an example command that forwards incoming traffic on port 10 from IP address 111.111.111.112 to IP address 192.168.10.210 on the same port:

iptables -t nat -A PREROUTING -d 111.111.111.112 -p tcp --dport 10 -j DNAT --to-destination 192.168.10.210:10
Many thanks Masaru Nomiya and ChatGPT for your replies, I much appreciate your taking the time to write. I think I have already tried your suggestion but without defining port numbers. Specifying port numbers explicitly would require a lot of definitions and I don't want to maintain a large list of routing definitions for my entire network. I will show the list of rules I have currently configured, on my gateway computer called "quasar", to route from my external (public) IP address to one of my internal systems called "nova". eth0:novaExt is one of the additional public IP addresses on "quasar" that I added to quasar's external NIC. 192.168.10.210 is the address of the NIC on "nova" for its DMZ interface.

marc@quasar:/etc> firewall-cmd --direct --get-all-rules
ipv4 nat PREROUTING 2 -d 111.111.111.112 -i eth0:novaExt -j DNAT --to-destination 192.168.10.210
ipv4 nat POSTROUTING 32 -s 192.168.10.210 -j SNAT --to-source 111.111.111.112
ipv4 filter FORWARD 22 -d 192.168.10.210/32 -j ACCEPT

Keep in mind this is just my latest "creative" attempt at getting the firewall rules to work as I want them to do. This does not work however, so I was a bit reluctant to show my current setup because I think it may confuse the discussion.
This command adds a rule to the NAT table that matches incoming traffic with a destination IP address of 111.111.111.112 and a destination port of 10, and forwards it to the IP address 192.168.10.210 on the same port. You can also use the following command to enable IP forwarding on your gateway computer "quasar":

echo 1 > /proc/sys/net/ipv4/ip_forward
Yes, I have already done this.
This command enables IP forwarding in the kernel, which allows your gateway computer to forward packets between different network interfaces.

How about this answer?
I am looking for a solution that doesn't require defining ports. I simply want all activity, on any port of Quasar's External interface for eth0:novaExt, to be forwarded to Nova's DMZ interface NIC, as is... Marc....
Regards.

---
┏━━┓彡 野宮 賢 mail-to: nomiya @ lake.dti.ne.jp
┃\/彡
┗━━┛
" Hassabis says that no one really knows for sure that AI will become a major danger. But he is certain that if progress continues at its current pace, there isn't much time to develop safeguards. "I can see the kinds of things we're building into the Gemini series right, and we have no reason to believe that they won't work," he says."
-- "Google DeepMind's CEO Says Its Next Algorithm Will Eclipse ChatGPT" --
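As an added example that is not part of this thread, here is the port-less 1:1 mapping Marc describes (every packet for one public address on quasar's external NIC rewritten to one DMZ host) written as a small POSIX shell script around iptables. The public and DMZ addresses are the ones from the thread; the interface names eth0 and eth2 and the script itself are assumptions. It matches on the base device name and selects the alias by its address with -d, because netfilter sees packets on the physical device rather than on an address label such as eth0:novaExt; it restricts the SNAT rule to the external interface so DMZ-to-internal traffic through the gateway is not rewritten; and it adds the FORWARD ACCEPT rules that a default-deny FORWARD chain otherwise needs before the rewritten packets get through.

```shell
#!/bin/sh
# Added example (not from the thread): 1:1 "all ports" DNAT/SNAT between one
# public address on the gateway's external NIC and one DMZ host.
# Addresses are the thread's; interface names are assumptions.
#   sh onetoone.sh          -> dry run, prints the commands
#   APPLY=1 sh onetoone.sh  -> executes them (needs root and iptables)

EXT_IF=eth0                 # assumed: physical external NIC (base name, no ":label")
DMZ_IF=eth2                 # assumed: quasar's NIC on the 192.168.10.128/25 side
PUBLIC_IP=111.111.111.112   # the extra public address Marc calls eth0:novaExt
DMZ_HOST=192.168.10.210     # nova's DMZ address

# Print a command in dry-run mode, execute it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Emit the four rules for one public address -> one DMZ host.
# No -p/--dport: every protocol and port aimed at $1 is rewritten to $2.
one_to_one_nat() {
    pub=$1
    host=$2
    # Inbound: rewrite the destination before the routing decision. Match the
    # base device; an address label (eth0:novaExt) is not an interface to netfilter.
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$pub" -j DNAT --to-destination "$host"
    # Outbound: connections the DMZ host itself opens leave with its own public
    # address. -o keeps this from also rewriting its traffic to the internal zone.
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$host" -j SNAT --to-source "$pub"
    # Filter: let the rewritten flows in and the host's own flows out. Without
    # these, nat rewrites the packet and a default-deny FORWARD chain drops it.
    run iptables -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$host" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -s "$host" -j ACCEPT
}

# Routing between interfaces is off until this is set (Marc has it on already).
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

enable_forwarding
one_to_one_nat "$PUBLIC_IP" "$DMZ_HOST"
```

Run without APPLY to read the rules it would install; with firewalld active the same four rules map onto `firewall-cmd --direct --add-rule ipv4 nat PREROUTING 0 ...` and friends, as in the listing above, so firewalld's own chains stay in place. Because an all-ports DNAT exposes every listener on the DMZ host to the internet, the first FORWARD rule is the place to later narrow the mapping to the ports that host actually serves.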