[opensuse] Network question, probably a dumb one...
I am kinda racking my brains on this and know it is probably either duck soup easy or impossible... I have a SOHO network at home configured with one system using SuSEFirewall2 (yeah I know it is deprecated now...) running OpenSuSE Leap 15, with 2 NICs. SuSEFirewall2 provides NAT (masquerading) between my external NIC (which has a static IP address assigned to it) and my internal private LAN on the other NIC. My ISP just upgraded my internet connection with fiber optics cable and as a super bonus gave me a block of public static IP addresses to enjoy.

So what I would like to do with these is to assign them so that I can get a couple of my internal machines to be directly available from the internet using these new static IP addresses. (I have been doing the things I want with a lot of FW_FORWARD_MASQ definitions in SuSEFirewall2 and playing fast and loose with port assignments.) And I have a number of overlapping and duplicated services, like VNC, Web, SSH, Email etc. that I have had to juggle running on two or more different systems.

I know that with YaST I can assign all these new static IP addresses to the NIC card that I use to connect me to the fiber optics cable; what I don't know/understand is how to connect/route/forward (whatever the terminology is) these static IP addresses and assign them to different computers on my network, while at the same time maintaining the topology of my private LAN. Do I need separate cabling or can I do this over my existing cables? Without getting Martian errors? Can I assign both an internal DHCP assigned IP address and one of these static IP addresses to the same NIC card? And can any and all port connection requests, made on one of these static IP addresses, be routed to the appropriate "internal" machine by default? (Yeah, I will run a firewall on it also since it will become directly exposed to the internet if this is possible.)

This is new territory for me, never had to do anything like this before!
So appreciate any and all kind words of advice... Marc... (whose mission is - ...To boldly go where no Marc has gone before!...) -- Linux Counter -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
24.02.2019 8:30, Marc Chamberlin wrote:
I am kinda racking my brains on this and know it is probably either duck soup easy or impossible... I have a SOHO network at home configured with one system using SuSEFirewall2 (yeah I know it is deprecated now...) running OpenSuSE Leap 15, with 2 NICs. SuSEFirewall2 provides NAT (masquerading) between my external NIC (which has a static IP address assigned to it) and my internal private LAN on the other NIC. My ISP just upgraded my internet connection with fiber optics cable and as a super bonus gave me a block of public static IP addresses to enjoy.
Is your current IP part of this address block? Is it IPv4 or IPv6 (both the current IP and the additional address block)?
So what I would like to do with these is to assign them so that I can get a couple of my internal machines to be directly available from the internet using these new static IP addresses. (I have been doing the things I want with a lot of FW_FORWARD_MASQ definitions in SuSEFirewall2 and playing fast and loose with port assignments) And I have a number of overlapping and duplicated services, like VNC, Web, SSH, Email etc that I have had to juggle running on two or more different systems.
I know that with YaST I can assign all these new static IP addresses to the NIC card that I use to connect me to the fiber optics cable, what I
See question above. If it is an independent block of addresses that are supposed to be routed via your current public IP, you probably cannot.
don't know/understand is how to connect/route/forward (whatever the terminology is) these static IP addresses and assign them to different computers on my network, while at the same time maintaining the topology of my private LAN. Do I need separate cabling or can I do this over my existing cables? Without getting Martian errors? Can I assign both an internal DHCP assigned IP address and one of these static IP addresses to the same NIC card? And can any and all port connection requests, made on one of these static IP addresses, be routed to the appropriate "internal" machine by default? (yeah I will run a firewall on it also since it will become directly exposed to the internet if this is possible.)
This is new territory for me, never had to do anything like this before! So appreciate any and all kind words of advice... Marc...
This all depends on the answer to the first question. You need to have (and explain) a clear picture of the network topology involving these multiple IP addresses.
Andrei - All IP addresses are IPv4. So for example my ISP gave me the set of static IPs from 111.222.333.10 through 111.222.333.20, I will try to show a picture of what I am wanting -

111.222.333.10 I assigned to the ext NIC on my firewall system, int NIC has a current internal IP of 192.168.10.2
111.222.333.11 I want this to be handled by one of my internal systems with current internal IP of 192.168.10.10
111.222.333.12 ditto with system that has current internal IP of 192.168.10.20
111.222.333.13 ditto
...
111.222.333.20

In my experimentation I have assigned all these public static IP addresses to my ext NIC on my firewall system since that seems like a logical starting place.. My network topology is really not all that complicated, just a bunch of computers all on the same internal LAN behind a single firewall.

HTHs Marc..
24.02.2019 9:35, Marc Chamberlin wrote:
Andrei - All IP addresses are IPv4. So for example my ISP gave me the set of static IPs from 111.222.333.10 through 111.222.333.20, I will try to show a picture of what I am wanting -
111.222.333.10 I assigned to the ext NIC on my firewall system, int NIC has a current internal IP of 192.168.10.2
111.222.333.11 I want this to be handled by one of my internal systems with current internal IP of 192.168.10.10
111.222.333.12 ditto with system that has current internal IP of 192.168.10.20
111.222.333.13 ditto
...
111.222.333.20

In my experimentation I have assigned all these public static IP addresses to my ext NIC on my firewall system since that seems like a logical starting place.. My network topology is really not all that complicated, just a bunch of computers all on the same internal LAN behind a single firewall.
Yes, you can forward traffic for a specific external address to a specific internal address and mangle packets in the reverse direction to have this outgoing address. This is exactly what Network *Address* Translation is for. I do not know if SUSEfirewall2 offers high level means to configure it; on the iptables level this would be DNAT for packets entering the external interface and SNAT on packets leaving the external interface. In which case you probably want to use --persistent to simplify tracking.
On 02/24/2019 01:52 AM, Andrei Borzenkov wrote:
Yes, you can forward traffic for a specific external address to a specific internal address and mangle packets in the reverse direction to have this outgoing address. This is exactly what Network *Address* Translation is for. I do not know if SUSEfirewall2 offers high level means to configure it; on the iptables level this would be DNAT for packets entering the external interface and SNAT on packets leaving the external interface. In which case you probably want to use --persistent to simplify tracking.
If he has a block of addresses, why not use them as is, instead of this NAT nonsense? NAT is a hack to get around the IPv4 address shortage and it introduces its own problems.

Incidentally the world is moving to IPv6, where NAT is not used. For example, I have a /56 prefix, which gives me 256x 18.4 billion, billion addresses to use. No NAT needed. I just set up my firewall rules as appropriate.

This is one thing that really bugs me about NAT. It's become so common that people think it's the right way to do things. It's not, it's a hack!
On 02/24/2019 05:48 AM, James Knott wrote:
This is one thing that really bugs me about NAT. It's become so common that people think it's the right way to do things. It's not, it's a hack!
But it's an effective hack!

BTW, I still don't have v6 working at home. But I've got a new Zyxel router, I'll have to give it another go. I may have more questions for you.

Regards, Lew
On 02/24/2019 11:06 AM, Lew Wolfgang wrote:
On 02/24/2019 05:48 AM, James Knott wrote:
This is one thing that really bugs me about NAT. It's become so common that people think it's the right way to do things. It's not, it's a hack!
But it's an effective hack!
BTW, I still don't have v6 working at home. But I've got a new Zyxel router, I'll have to give it another go. I may have more questions for you.
Does your ISP provide IPv6? If not, you'll need to use a tunnel to get IPv6 from someone such as he.net. My ISP provides a /56 prefix, which works out to 256 networks, each with a /64 or 18.4 billion, billion addresses (haven't used them all yet. <g>). I believe he.net hands out /48 prefixes, which is 65536 /64s.
Andrei, James - I am struggling to get off the ground with iptables, I have never had to dink with firewalls at this low level before because folks have always provided me with easy to use tools like SuSEFirewall2 and YaST2 before ;-) So my Googling has come up with this representation of the commands I need to give, can you verify these for me? eth0 is my external facing NIC, eth1 is my internal facing NIC.

$ echo 1 > /proc/sys/net/ipv4/ip_forward
$ iptables -t nat -A PREROUTING -d 111.222.333.11 -i eth1 -j DNAT --to-destination 192.168.10.10
$ iptables -t nat -A POSTROUTING -s 192.168.10.10 -o eth0 -j SNAT --to-source 111.222.333.11

I also labeled my additional IP addresses on the external NIC with the hostname that I want to route that particular IP address to, so instead of using eth0 should I be using eth0:hostname instead? So for example should this latter command be -

$ iptables -t nat -A POSTROUTING -s 192.168.10.10 -o eth0:hostname -j SNAT --to-source 111.222.333.11

I believe this is what Andrei is calling NAT routing? James you seem to be saying there is another way to accomplish doing what I want without doing NAT, can you say more? I don't want to break anything on my system by experimenting around with stuff that I am not familiar with, so figured I better ask before I do anything. And please remember I am a neophyte with iptables so showing me the commands is really helpful, there is a LOT of stuff about iptables to grok!

Does iptables persist these settings somewhere for me or is there a file/script somewhere I have to edit and add these commands? I think Andrei might have been pointing me in the right direction with his reference to the --persistent suggestion but I don't see it in the man pages for iptables so I am not sure where he wanted me to use that option.

Marc...
-- *Computers: the final frontier. These are the voyages of the user Marc. His mission: to explore strange new hardware. To seek out new software and new applications. To boldly go where no Marc has gone before! * Linux Counter
Boy did the formatting of my post come out bad for some reason (thanks Thunderbird), I will attempt to repost it with corrections...

Andrei, James - I am struggling to get off the ground with iptables, I have never had to dink with firewalls at this low level before because folks have always provided me with easy to use tools like SuSEFirewall2 and YaST2 before ;-) So my Googling has come up with this representation of the commands I need to give, can you verify these for me? eth0 is my external facing NIC, eth1 is my internal facing NIC.

$ echo 1 > /proc/sys/net/ipv4/ip_forward
$ iptables -t nat -A PREROUTING -d 111.222.333.11 -i eth1 -j DNAT --to-destination 192.168.10.10
$ iptables -t nat -A POSTROUTING -s 192.168.10.10 -o eth0 -j SNAT --to-source 111.222.333.11

I also labeled my additional IP addresses on the external NIC with the hostname that I want to route that particular IP address to, so instead of using eth0 should I be using eth0:hostname instead? So for example should this latter command be -

$ iptables -t nat -A POSTROUTING -s 192.168.10.10 -o eth0:hostname -j SNAT --to-source 111.222.333.11

I believe this is what Andrei is calling NAT routing? James you seem to be saying there is another way to accomplish doing what I want without doing NAT, can you say more? I don't want to break anything on my system by experimenting around with stuff that I am not familiar with, so figured I better ask before I do anything. And please remember I am a neophyte with iptables so showing me the commands is really helpful, there is a LOT of stuff about iptables to grok!

Does iptables persist these settings somewhere for me or is there a file/script somewhere I have to edit and add these commands? I think Andrei might have been pointing me in the right direction with his reference to the --persistent suggestion but I don't see it in the man pages for iptables so I am not sure where he wanted me to use that option.

Marc...
I am still digging into this and I think I am making progress grokking somewhat... I think I found what Andrei was referring to with his suggestion to use the --persistent option, it has nothing to do with making my changes to the iptables persistent, instead it has something to do with giving "a client the same source-/destination-address for each connection." I don't really understand what this means but it sounds good... Anywise I think I need to refine my earlier guess as to what iptables command I need, for example for my first static IP address I want to forward to one of my internal systems might look like this? -

$ iptables -t nat -A PREROUTING -d 111.222.333.11 -i eth0+ -j DNAT --persistent --to-destination 192.168.10.10
$ iptables -t nat -A POSTROUTING -s 192.168.10.10 -o eth1 -j SNAT --persistent --to-source 111.222.333.11

Please let me know if this is correct? I am still not sure about how to persist these settings across a reboot, and how to add these while co-existing with the settings in /etc/sysconfig/SuSEfirewall. I did find a couple of commands - iptables-save and iptables-restore that look promising but not sure how to automate using them while using SuSEfirewall. If these are what I have to use, how best do I integrate them into the boot up/system startup? Am I on the right path?

Thanks again in advance for suggestions/advice/show and tell comments! Marc..
On 02/24/2019 08:17 PM, Marc Chamberlin wrote:
I am still digging into this and I think I am making progress grokking somewhat... I think I found what Andrei was referring to with his suggestion to use --persistent option, it has nothing to do with making my changes to the iptables persistent, instead it has something to do with giving "a client the same source-/destination-address for each connection." I don't really understand what this means but it sounds good... Anywise I think I need to refine my earlier guess as to what iptables command I need, for example for my first static IP address I want to forward to one of my internal system might look like this? -
$ iptables -t nat -A PREROUTING -d 111.222.333.11 -i eth0+ -j DNAT --persistent --to-destination 192.168.10.10
$ iptables -t nat -A POSTROUTING -s 192.168.10.10 -o eth1 -j SNAT --persistent --to-source 111.222.333.11
I've never had to use iptables in that manner. With SuSEFirewall2, there was a graphical interface in Yast. There is one for firewalld, which I am not familiar with. However, I did find this link: https://doc.opensuse.org/documentation/leap/security/html/book.security/cha.... If this is what they're providing now for configuring the firewall, it's a big step back.
24.02.2019 20:31, Marc Chamberlin wrote:
Boy did the formatting of my post come out bad for some reason (thanks Thunderbird), I will attempt to repost it with corrections...
Andrei, James - I am struggling to get off the ground with iptables, I have never had to dink with firewalls at this low level before because folks have always provided me with easy to use tools like SuSEFirewall2 and YaST2 before ;-) So my Googling has come up with this representation of the commands I need to give, can you verify these for me? eth0 is my external facing NIC, eth1 is my internal facing NIC.
$ echo 1 > /proc/sys/net/ipv4/ip_forward
Routing should have already been enabled in your case; you are already using this system as a router.
$ iptables -t nat -A PREROUTING -d 111.222.333.11 -i eth1 -j DNAT --to-destination 192.168.10.10
$ iptables -t nat -A POSTROUTING -s 192.168.10.10 -o eth0 -j SNAT --to-source 111.222.333.11
Yes.
I also labeled my additional IP addresses on the external NIC with the hostname that I want to route that particular IP address to, so instead of using eth0 should I be using eth0:hostname instead? So for example should this latter command be -
$ iptables -t nat -A POSTROUTING -s 192.168.10.10 -o eth0:hostname -j SNAT --to-source 111.222.333.11
I do not think so. You still have just one interface and multiple addresses on it. But try and tell us :)
I believe this is what Andrei is calling NAT routing? James you seem to be saying there is another way to accomplish doing what I want without doing NAT, can you say more? I don't want to break anything on my system by experimenting around with stuff that I am not familiar with, so figured I better ask before I do anything. And please remember I am a neophyte with iptables so showing me the commands is really helpful, there is a LOT of stuff about iptables to grok!
The alternative is to simply plug the cable from your ISP into a switch, connect all hosts to it and assign the hosts the addresses you got from your ISP. This means each host will be directly connected to the Internet. This requires (or at least is made easier by) a full address block from your ISP. Note that from a security point of view it is the same as the above two commands.
Does iptables persist these settings somewhere for me or is there a file/script somewhere I have to edit and add these commands? I think
You need to check the SUSEfirewall2 manuals. I presume it has some place where you can add arbitrary rules.
Andrei might have been pointing me in the right direction with his reference to the --persistent suggestion but I don't see it in the man pages for iptables so I am not sure where he wanted me to use that option.
--persistent is useful when you configure forwarding to multiple addresses and makes sure a specific client is always forwarded to the same address. If you make 1-to-1 forwarding it does not matter. Sorry for the confusion.
Marc...
* Andrei Borzenkov <arvidjaar@gmail.com> [02-24-19 23:11]:
24.02.2019 20:31, Marc Chamberlin wrote:
Boy did the formatting of my post come out bad for some reason (thanks Thunderbird), I will attempt to repost it with corrections...
Andrie, James - I am struggling to get off the ground with iptables, I have never had to dink with firewalls at this low level before because folks have always provided me with easy to use tools like SuSEFirewall2 and YaST2 before ;-) So my Googling has come up with this representation of the commands I need to give, can you verify these for me? eth0 is my external facing NIC, eth1 is my internal facing NIC.
$ echo 1 > /proc/sys/net/ipv4/ip_forward
Routing should have already been enabled in your case, you are already using this system as router.
# inbound: match on the external interface (eth0), where packets from the Internet to the public address arrive
$ iptables -t nat -A PREROUTING -d 111.222.333.11 -i eth0 -j DNAT --to-destination 192.168.10.10
# outbound: rewrite the internal host's source address to its public address as it leaves eth0
$ iptables -t nat -A POSTROUTING -s 192.168.10.10 -o eth0 -j SNAT --to-source 111.222.333.11
Yes.
I also labeled my additional IP addresses on the external NIC with the hostname that I want to route that particular IP address to, so instead of using eth0 should I be using eth0:hostname instead? So for example should this latter command be -
$ iptables -t nat -A POSTROUTING -s 192.168.10.10 -o eth0:hostname -j SNAT --to-source 111.222.333.11
I do not think so. You still have just one interface and multiple addresses on it. But try and tell us :)
I believe this is what Andrie is calling NAT routing? James you seem to be saying there is another way to accomplish doing what I want without doing NAT, can you say more? I don't want to break anything on my system by experimenting around with stuff that I am not familiar with, so figured I better ask before I do anything. And please remember I am a neophyte with iptables so showing me the commands is really helpful, there is a LOT of stuff about iptables to grok!
Alternative is to simply plug cable from your ISP into switch, connect all hosts to it and assign hosts addresses you got from ISP. This means each host will be directly connected to Internet. This requires (or at least makes easier) full address block from your ISP. Note that from security point of view it is the same as above two commands.
Does iptables persist these settings somewhere for me or is there a file/script somewhere I have to edit and add these commands? I think
You need to check SUSEfirewall2 manuals. I presume it has some place where you can add arbitrary rules.
/etc/sysconfig/scripts/SuSEfirewall2-custom
-- (paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri http://en.opensuse.org openSUSE Community Member facebook/ptilopteri Registered Linux User #207535 @ http://linuxcounter.net Photos: http://wahoo.no-ip.org/piwigo paka @ IRCnet freenode
* Patrick Shanahan <paka@opensuse.org> [02-25-19 00:08]:
Does iptables persist these settings somewhere for me or is there a file/script somewhere I have to edit and add these commands? I think
You need to check SUSEfirewall2 manuals. I presume it has some place where you can add arbitrary rules.
/etc/sysconfig/scripts/SuSEfirewall2-custom
and need to tell /etc/sysconfig/SuSEfirewall2 such:

## Type: string
#
# Do you want to load customary rules from a file?
#
# This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
# READ THE EXAMPLE CUSTOMARY FILE AT
# /etc/sysconfig/scripts/SuSEfirewall2-custom
#
#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"

remove "#" from #FW_...
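The two NAT rules discussed above only rewrite addresses; the FORWARD chain still decides which ports actually get through, and the rules have to be loaded from the custom-rules script to survive a restart. The following script is an added example, not code from the thread or from SuSEfirewall2: it generates the DNAT/SNAT pair for one public-to-internal mapping together with a minimal port filter, printing the iptables commands so they can be reviewed or pasted into the custom-rules script before they are applied. It assumes eth0 as the external NIC and eth1 as the internal one, as in the thread; 203.0.113.11 is a documentation-range stand-in for the real public address (the thread's 111.222.333.11 is not a valid IPv4 address, which the validation helper demonstrates), and the port list is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): generate the iptables rules for a 1:1 mapping
# of one public address to one internal host, plus a FORWARD policy that only lets
# chosen TCP ports through. Printing instead of executing lets you review the rules
# first or paste them into the SuSEfirewall2 custom-rules script.
# Assumptions: eth0 = external NIC, eth1 = internal NIC (as in the thread);
# 203.0.113.11 is a documentation-range stand-in for the real public address.

valid_ipv4() {
    # Accept only four dotted decimal octets in 0..255. The thread's placeholder
    # 111.222.333.11 is rejected here because 333 is not a valid octet.
    addr="$1"
    case "$addr" in
        *[!0-9.]*|*..*|.*|*.|"") return 1 ;;
    esac
    old_ifs="$IFS"; IFS=.
    set -- $addr
    IFS="$old_ifs"
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

nat_rules() {
    # $1 external iface, $2 public address, $3 internal address,
    # $4 space-separated TCP ports that may be reached from outside
    ext="$1"; pub="$2"; int="$3"; ports="$4"
    if ! valid_ipv4 "$pub" || ! valid_ipv4 "$int"; then
        echo "nat_rules: invalid IPv4 address ($pub -> $int)" >&2
        return 1
    fi
    # Inbound: packets from the Internet reach the public address on the EXTERNAL
    # interface, so the DNAT rule matches -i $ext, not the internal NIC.
    echo "iptables -t nat -A PREROUTING -i $ext -d $pub -j DNAT --to-destination $int"
    # Outbound: traffic the internal host originates leaves with its public address.
    echo "iptables -t nat -A POSTROUTING -o $ext -s $int -j SNAT --to-source $pub"
    # Filter: DNAT only rewrites; FORWARD still decides what gets through.
    echo "iptables -A FORWARD -i $ext -d $int -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for port in $ports; do
        echo "iptables -A FORWARD -i $ext -d $int -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "iptables -A FORWARD -i $ext -d $int -j DROP"
}

# "sh nat-1to1.sh --print" shows the rules; "--apply" executes them (needs root).
case "${1:-}" in
    --print) nat_rules eth0 203.0.113.11 192.168.10.10 "22 443" ;;
    --apply) nat_rules eth0 203.0.113.11 192.168.10.10 "22 443" | sh -e ;;
esac
```

One call to nat_rules per public address covers a whole block; the printed commands can be dropped into the file named by FW_CUSTOMRULES once the commented-out line in /etc/sysconfig/SuSEfirewall2 is enabled. Because the DROP rule closes the mapping, any service on the internal host that is not listed stays invisible from outside even though its address is now fully translated.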
On 02/24/2019 11:10 PM, Andrei Borzenkov wrote:
$ echo 1 > /proc/sys/net/ipv4/ip_forward
Routing should have already been enabled in your case, you are already using this system as router.
$ iptables -t nat -A PREROUTING -d 111.222.333.11 -i eth0 -j DNAT --to-destination 192.168.10.10
$ iptables -t nat -A POSTROUTING -s 192.168.10.10 -o eth0 -j SNAT --to-source 111.222.333.11
Yes.
If he has a block of addresses that are sufficient for his needs, why NAT? Depending on what he gets from the ISP, it may require routing, but he'll also want appropriate filtering. IPTables is perfectly capable of handling a block of addresses, without using NAT.
On 02/24/2019 12:23 PM, Marc Chamberlin wrote:
[...] provided me with easy to use tools like SuSEFirewall2 and YaST2 before ;-) So my Googling has come up with this representation of the commands I need to give, can you verify these for me? eth0 is my external facing NIC, eth1 is my internal facing NIC.
$ echo 1 > /proc/sys/net/ipv4/ip_forward
$ iptables -t nat -A PREROUTING -d 111.222.333.11 -i eth0 -j DNAT --to-destination 192.168.10.10
$ iptables -t nat -A POSTROUTING -s 192.168.10.10 -o eth0 -j SNAT --to-source 111.222.333.11
I stopped using SuSE Firewall almost 3 years ago, but back then I just used Yast to configure it. These days I'm using pfSense.
I believe this is what Andrie is calling NAT routing? James you seem to be saying there is another way to accomplish doing what I want without doing NAT, can you say more? I don't want to break anything on my system by experimenting around with stuff that I am not familiar with, so figured I better ask before I do anything.
There are two ways. One is to provide a transit network, which carries your subnet to your router. The other way is to make the addresses directly available, without additional routing. Either way, you'd set up the rules to pass or block as needed.
On 02/24/2019 09:38 AM, James Knott wrote:
There are two ways. One is to provide a transit network, which carries your subnet to your router. The other way is to make the addresses directly available, without additional routing. Either way, you'd set up the rules to pass or block as needed.
James - I got no idea how to do either of these things you are suggesting. Nor am I using a external router, I just have an OpenSuSE system running SuSEFirewall2 to handle my routing. Google is not helping me to grok your suggestions either, so can you provide me with the details of what I need to do? If it is to set up iptables then can you show me some examples of the commands I need to issue? As I mentioned, I am not a guru on setting up networks and have only done simple ones in the past... Thanks... Marc.. -- *Computers: the final frontier. These are the voyages of the user Marc. His mission: to explore strange new hardware. To seek out new software and new applications. To boldly go where no Marc has gone before! * Linux Counter
On 02/24/2019 06:15 PM, Marc Chamberlin wrote:
On 02/24/2019 09:38 AM, James Knott wrote:
There are two ways. One is to provide a transit network, which carries your subnet to your router. The other way is to make the addresses directly available, without additional routing. Either way, you'd set up the rules to pass or block as needed.
James - I got no idea how to do either of these things you are suggesting. Nor am I using a external router, I just have an OpenSuSE system running SuSEFirewall2 to handle my routing. Google is not helping me to grok your suggestions either, so can you provide me with the details of what I need to do? If it is to set up iptables then can you show me some examples of the commands I need to issue? As I mentioned, I am not a guru on setting up networks and have only done simple ones in the past... Thanks...
Well, OpenSUSE is generally configured as a router, when used as a firewall, but doesn't have to be. However, as I mentioned, I moved to pfSense almost 3 years ago and I believe there's a new firewall in use now, so I don't have current configuration information. Perhaps there's someone else here who can help.
On 02/24/2019 12:30 AM, Marc Chamberlin wrote:
I know that with YaST I can assign all these new static IP addresses to the NIC card that I use to connect me to the fiber optics cable, what I don't know/understand is how to connect/route/forward (whatever the terminology is) these static IP addresses and assign them to different computers on my network, while at the same time maintaining the topology of my private LAN.
Since you have multiple public addresses, you don't need NAT. That will allow the firewall to pass through all the addresses. Do they just give you a block of addresses or also another address for routing?
On Sunday, 24 February 2019 16:00:39 ACDT Marc Chamberlin wrote:
[...] I know that with YaST I can assign all these new static IP addresses to the NIC card that I use to connect me to the fiber optics cable, what I don't know/understand is how to connect/route/forward (whatever the terminology is) these static IP addresses and assign them to different computers on my network, while at the same time maintaining the topology of my private LAN. Do I need separate cabling or can I do this over my existing cables? Without getting Martian errors? Can I assign both an internal DHCP assigned IP address and one of these static IP addresses to the same NIC card? And can any and all port connection requests, made on one of these static IP addresses, be routed to the appropriate "internal" machine by default? (yeah I will run a firewall on it also since it will become directly exposed to the internet if this is possible.)
This is new territory for me, never had to do anything like this before! So appreciate any and all kind words of advice... Marc...
(who mission is - ...To boldly go where no Marc has gone before!...)
Putting my network hat back on (I usually leave it at work, unless I'm on call), the way I would approach this is to use the firewall in transparent mode, connect the "inside" (trusted) ethernet NIC to an ethernet switch and plug each host into the switch. Configure the public IP addresses directly on each host, and make sure you have the appropriate firewall rules set up to ONLY allow incoming traffic to each host that you want to be publicly accessible, on the appropriate (desired) ports, and drop all other incoming traffic.

You'll need a management address on the inside interface of your firewall, but it does not even need to have an IP address assigned to its outside interface. If it does, it definitely should not accept connections to its own IP address on the outside interface. If you need to manage it remotely, connect to a host inside your network using an encrypted connection and then connect back to the firewall's inside connection.

You could use a L2 switch on the inside network, since all hosts are in the same subnet, and all will have the same default gateway (provided by your ISP) - the inside address of your firewall will also be in the same subnet. Of course, you *could* use a L3 switch, and create a separate routed subnet for the non-publicly accessible hosts within your network, but that would be more work (and L3 switches are more expensive than L2 switches).

Regards, Rodney.
--
==============================================================
Rodney Baker VK5ZTV rodney.baker@iinet.net.au CCNA #CSCO12880208
==============================================================
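The transparent-mode layout Rodney describes can be built on Linux with a bridge: the outside and inside NICs are joined into one bridge device, the hosts behind it carry their public addresses themselves, and iptables filters the bridged frames by the physical port they arrived on, so no NAT is involved. The script below is an added example, not code from the thread or from any SuSEfirewall2 tooling: it prints the ip and iptables commands for that setup so they can be checked before running them as root. It assumes eth0 outside and eth1 inside as in the thread, uses the documentation block 203.0.113.0/29 as a stand-in for the ISP's addresses (.1 as the ISP gateway, .2 as the firewall's own management address, which here sits on the bridge device rather than on the inside NIC), and the host/port list is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): a transparent (bridged) firewall on Linux.
# eth0 (outside) and eth1 (inside) are joined into br0; hosts behind eth1 carry their
# public addresses, and iptables filters bridged traffic with the physdev match.
# Assumptions: interface names as in the thread; 203.0.113.0/29 stands in for the
# ISP's block (.1 = ISP gateway, .2 = firewall management address); host/port specs
# are constructed for the example.

bridge_setup_cmds() {
    # $1 outside iface, $2 inside iface, $3 management address/prefix, $4 ISP gateway
    outside="$1"; inside="$2"; mgmt="$3"; gw="$4"
    echo "ip link add name br0 type bridge"
    echo "ip link set dev $outside master br0"
    echo "ip link set dev $inside master br0"
    echo "ip link set dev $outside up"
    echo "ip link set dev $inside up"
    echo "ip link set dev br0 up"
    # The management address lives on the bridge itself; the INPUT rule generated
    # below keeps it unreachable through the outside port.
    echo "ip addr add $mgmt dev br0"
    echo "ip route add default via $gw dev br0"
    # Without this sysctl bridged frames never reach the iptables FORWARD chain.
    echo "sysctl -w net.bridge.bridge-nf-call-iptables=1"
}

bridge_filter_cmds() {
    # $1 outside iface, $2 inside iface, then any number of "host:port[,port...]" specs
    outside="$1"; inside="$2"; shift 2
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Anything that entered on the inside port may leave towards the Internet.
    echo "iptables -A FORWARD -m physdev --physdev-in $inside -j ACCEPT"
    # From outside, only the listed hosts on the listed TCP ports may be reached.
    for spec in "$@"; do
        host="${spec%%:*}"; ports="${spec#*:}"
        echo "iptables -A FORWARD -m physdev --physdev-in $outside -d $host -p tcp -m multiport --dports $ports -m conntrack --ctstate NEW -j ACCEPT"
    done
    # The firewall's own management address answers only to frames from the inside port.
    echo "iptables -A INPUT -m physdev --physdev-in $outside -j DROP"
}

# "sh bridge-fw.sh --print" shows the commands; "--apply" executes them (needs root).
case "${1:-}" in
    --print)
        bridge_setup_cmds eth0 eth1 203.0.113.2/29 203.0.113.1
        bridge_filter_cmds eth0 eth1 "203.0.113.11:22,443" "203.0.113.12:80,443"
        ;;
    --apply)
        { bridge_setup_cmds eth0 eth1 203.0.113.2/29 203.0.113.1
          bridge_filter_cmds eth0 eth1 "203.0.113.11:22,443" "203.0.113.12:80,443"; } | sh -e
        ;;
esac
```

Hosts that are not listed in any spec remain unreachable from outside even though they hold public addresses, which is the "drop all other incoming traffic" part of the advice; hosts that should stay private can simply be left off the list, or be moved to a separately routed subnet as Rodney's L3 variant suggests.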
On 24/02/2019 06.30, Marc Chamberlin wrote:
I am kinda racking my brains on this and know it is probably either duck soup easy or impossible... I have a SOHO network at home configured with one system using SuSEFirewall2 (yeah I know it is deprecated now...) running OpenSuSE Leap 15, with 2 NICs. SuSEFirewall2 provides NAT (masquerading) between my external NIC (which has a static IP address assigned to it) and my internal private LAN on the other NIC. My ISP just upgraded my internet connection with fiber optics cable and as a super bonus gave me a block of public static IP addresses to enjoy.
And don't they publish instructions? Now, it is strange an ISP that hands out 4 IPv4 addresses for free, they are a scarce resource. -- Cheers / Saludos, Carlos E. R. (from 15.0 x86_64 at Telcontar)
On 02/25/2019 08:36 AM, Carlos E. R. wrote:
Now, it is strange an ISP that hands out 4 IPv4 addresses for free, they are a scarce resource.
Mine provides 2 IPv4, but I normally use 1, with the other used occasionally for testing. On the other hand, I get 2^72 IPv6 addresses from them. Since he's only getting 4 addresses, they're probably not routed to him. Rather, they expect him to connect computers directly or through a firewall. Are the addresses assigned? Or DHCP?
On 02/25/2019 10:38 AM, James Knott wrote:
On 02/25/2019 08:36 AM, Carlos E. R. wrote:
Now, it is strange an ISP that hands out 4 IPv4 addresses for free, they are a scarce resource. Mine provides 2 IPv4, but I normally use 1, with the other used occasionally for testing. On the other hand, I get 2^72 IPv6 addresses from them.
Since he's only getting 4 addresses, they're probably not routed to him. Rather, they expect him to connect computers directly or through a firewall. Are the addresses assigned? Or DHCP?
James, the addresses are assigned to me. And yeah I know I am "lucky" to have an ISP that had a bunch in reserve and could pass a few on to me to use. -- *Computers: the final frontier. These are the voyages of the user Marc. His mission: to explore strange new hardware. To seek out new software and new applications. To boldly go where no Marc has gone before! * Linux Counter
On 2019-02-24 12:30 a.m., Marc Chamberlin wrote:
This is new territory for me, never had to do anything like this before! So appreciate any and all kind words of advice... Marc...
(who mission is - ...To boldly go where no Marc has gone before!...)
Oh Boy! James is so right. This is all how it used to be when we Greybeards connected back in the 1980s and early 1990s before the commercial dominance and demands of the post-DotComBoom/Crash brought in NAT. James says it was about IPv4 address shortage, and, well, yes, we got to that, but laziness of administration on the part of the IP-ignorant telcos who were just learning to administer networks factored in. They thought of single PC owners who only had one machine and hence only needed one machine, and people like James and myself who owned one or more Class C (at one point I owned a Class B) (and yes, back then, that WAS the terminology) and had their own 56K or T1 feeds were mavericks who knew more about IP networking than their staff did. But as we moved on it came back to having the single IP and NAT became almost universal for 'home-owners' and small systems/locations. I glance at my bookcases and see that many of my books on networking, be they from Cisco on address architectures, O'Reilly on many aspects of networking from VPN, network security, DNS and onwards still think in terms of NAT-less models. If it comes down to it, the original classics by Doug Comer are still valid https://www.cs.purdue.edu/homes/comer/netbooks.html and I very strongly recommend them. Very readable and great examples. -- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
On 02/25/2019 09:33 AM, Anton Aylward wrote:
On 2019-02-24 12:30 a.m., Marc Chamberlin wrote:
This is new territory for me, never had to do anything like this before! So appreciate any and all kind words of advice... Marc...
(who mission is - ...To boldly go where no Marc has gone before!...) Oh Boy! James is so right. This is all how it used to be when we Greybeards connected back in the 1980s and early 1990s before the commercial dominance and demands of the post-DotComBoom/Crash brought in NAT.
https://linux-hacks.blogspot.com/2008/06/unix-dilbert-just-for-fun.html
James says it was about IPv4 address shortage, and, well, yes, we got to that, but laziness of administration on the part of the IP-ignorant telcos who were just learning to administer networks factored in. They thought of single PC owners who only had one machine and hence only needed one machine, and people like James and myself who owned one or more Class C (at one point I owned a Class B) (and yes, back then, that WAS the terminology) and had their own 56K or T1 feeds were mavericks who knew more about IP networking than their staff did. But as we moved on it came back to having the single IP and NAT became almost universal for 'home-owners' and small systems/locations.
I never had a subnet for myself or T1. However, my first ISP provided a static address, assigned to me. I think that was necessary as I connected with SLIP back then. When I was at IBM, back in the late 90s, I had 5 static addresses, one for my own use and 4 for testing. Same with SNA.
I glance at my bookcases and see that many of my books on networking, be they from Cisco on address architectures, O'Reilly on many aspects of networking from VPN, network security, DNS and onwards still think in terms of NAT-less models.
If it comes down to it, the original classics by Doug Comer are still valid https://www.cs.purdue.edu/homes/comer/netbooks.html and I very strongly recommend them. Very readable and great examples.
I have some books from O'Reilly, Stevens and IBM, as well as my Cisco CCNA texts, among others.
participants (8)
- Andrei Borzenkov
- Anton Aylward
- Carlos E. R.
- James Knott
- Lew Wolfgang
- Marc Chamberlin
- Patrick Shanahan
- Rodney Baker