DNAT & multiple entries + multiple external addresses
arb.comms@btclick.com
Sat, 19 Jan 2002 13:09:19 -0000
O.K. guys, a bit of help needed.
I have a need to let PCAnywhere through the firewall, have managed this in
DNAT but what I would like to do is bolt the rules down so as I only let
specific remote computers through. I have three remote sites that require
access, all have a fixed IP, so how do you write a rule that says
for this protocol | only allow these three machines to connect | when the
destination is this server.
I know this may sound trivial, but I am a bit stuck.
###########################################################################
The second one, (thanks to all who helped on this) is for eth0 with fixed
address I can use $ ip addr add ...........
to add secondary addresses to the primary physical interface like so
eth0 123.123.123.241/28 dgw 123.123.123.254
|
|- ip addr add 123.123.123.242 dgw 123.123.123.254
|
|- etc.etc.etc.
so in iptables 1.2.4 I add $EXT2="123.123.123.242" and use this in the
rules. My questions are as follows:
As I am already protecting $EXT=123.123.123.241 which is the address of the
physical card, do I need to add a separate set of rules to protect $EXT2
as it is only a logical address. I just get the feeling I may as well just
be adding a new network card and allowing everything through.
Or do the input rules applied to the primary address bound to the external
card also apply for this virtual address also associated with the same card?
If I am not making sense please say so, but I am hoping you see what I am
getting at.
Maybe the answer is the same for the PCAnywhere input, so can I say for
range of $INPUT_ADDRESSES do x, where $INPUT_ADDRESSES are 123.123.123.241
and 242?
Yours, going in circles, Alan.r.b.
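The source-locked DNAT the mail asks about, as an added example (not code from the mail or from the list): it prints the iptables commands for a ruleset that translates and forwards PCAnywhere traffic only from three fixed remote addresses, and it writes the DNAT once per external address because a `-d` match covers a single IP while `-i eth0` covers every address bound to the card. The remote addresses, the LAN host, the interface name and the PCAnywhere ports are assumed values, as the comments note.

```shell
#!/bin/sh
# Added example, not from the original mail: emit the iptables rules that
# let only three fixed remote sites reach a DNAT'd PCAnywhere server.
# Assumed/constructed values: eth0 is the external card carrying both
# 123.123.123.241 and .242, 192.0.2.x are placeholders for the three remote
# sites, 10.0.0.5 is the LAN host behind the DNAT, and PCAnywhere uses
# TCP 5631 (data) and UDP 5632 (status).
# The rules are printed, not executed, so they can be reviewed first and
# then piped to sh as root.
EXT_IF=eth0
EXT_ADDRS="123.123.123.241 123.123.123.242"   # primary + secondary on eth0
INTERNAL=10.0.0.5                              # constructed LAN address
REMOTES="192.0.2.10 192.0.2.20 192.0.2.30"     # constructed remote sites

pcanywhere_rules() {
    # Matching on -i eth0 covers every address bound to the card; matching
    # on -d covers one address, so the DNAT is written once per external IP.
    # Only packets from an allowed source get a translation at all.
    for ext in $EXT_ADDRS; do
        for src in $REMOTES; do
            echo "iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -s $src -d $ext --dport 5631 -j DNAT --to-destination $INTERNAL"
            echo "iptables -t nat -A PREROUTING -i $EXT_IF -p udp -s $src -d $ext --dport 5632 -j DNAT --to-destination $INTERNAL"
        done
    done
    # FORWARD sees the packet after DNAT, so the destination is the LAN host.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for src in $REMOTES; do
        echo "iptables -A FORWARD -i $EXT_IF -p tcp -s $src -d $INTERNAL --dport 5631 -m state --state NEW -j ACCEPT"
        echo "iptables -A FORWARD -i $EXT_IF -p udp -s $src -d $INTERNAL --dport 5632 -j ACCEPT"
    done
    # Belt and braces: any other packet that still reaches the LAN host on
    # these ports is dropped. Untranslated packets addressed to .241/.242
    # never enter FORWARD; they go to INPUT and the default policy there.
    echo "iptables -A FORWARD -i $EXT_IF -p tcp -d $INTERNAL --dport 5631 -j DROP"
    echo "iptables -A FORWARD -i $EXT_IF -p udp -d $INTERNAL --dport 5632 -j DROP"
}

# Sanity check for review: how many distinct sources are ever DNAT'd?
# Anything other than the expected three means an address slipped in.
allowed_source_count() {
    pcanywhere_rules | grep -e '-j DNAT' \
        | sed 's/.* -s \([^ ]*\) .*/\1/' | sort -u | wc -l | tr -d ' '
}

pcanywhere_rules
```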