- 04-12-2006 #1
Question about iptables....
My setup is as follows: my pc is hooked up to a router with a network address of 192.168.1.0, which is hooked up to the internal interface on my Linux box (ip=22.214.171.124), which hooks up to my external interface in the same box (ip=126.96.36.199), which in turn hooks up to my cable modem (ip=188.8.131.52), and finally up to the internet (ip=184.108.40.206).
Say I want to get on the internet from my pc. Would the packets get a new source and destination ip at every device, or would they stay destination = 220.127.116.11, source = 192.168.5.0 throughout the routing process?
Also could a packet going in/out of the external interface, ip spoofing aside, have a destination/source ip of 192.168.1.0? Or would it be the ip of the next interface in line, 18.104.22.168?
- 04-12-2006 #2
Well, first item: unless you have used 'demo IPs', you are not using the proper addressing scheme for a private network. Private networks should all be using IPs in the 'non-routable' address space. You really don't want to be using routable addresses inside your network; this could cause problems in several ways.
The proper ranges are:
10.1.1.1 - 10.255.255.254
172.16.1.1 - 172.31.255.254
192.168.1.1 - 192.168.255.254
If you are asking an IP-specific question that you want helpful answers to, especially when it comes to something like iptables, swapping out the addresses just confuses the situation more and makes it difficult for people to assist you.
For instance, 192.168.1.0 is a network address; it can't talk to anything, you need to supply a host IP address.
22.214.171.124 is in a completely different network address range, in a completely different subnet from 192.168.1.0, and a host from one could NEVER talk directly to a host with the other address without something routing in between.
The point I am trying to make is that it's almost impossible for anyone to assist you if you create scenarios with imaginary addresses that won't work in the first place.
From a security standpoint, if you are using all non-routable IPs in your internal network and a NAT router in front of it, no-one can directly connect to any IP in your internal network to begin with, so basically you are hiding information that can't help anyone hack you in the first place, and the only accomplishment is confusing the situation to the point where it's more of a hassle to try and answer your question than to just skip over it.
If I tell you I have the following setup...
Without knowing the Public Internet Ip of the NAT router you really have nothing... but you DO have legitimate numbers with which to write iptables rules, and an easy way to picture the network, it's routing and the interaction between the various subnets.
Source and destination addresses in packets will only be changed when they go through a NAT (Network Address Translation) device or a proxy. Your broadband router is a NAT device. They are not changed at every hop.
As a packet traverses the network it says: I have a source IP of 192.168.1.1 and a destination IP of 172.16.2.2.
It checks the routing table and says OK, the next hop on the way to my destination is 192.168.1.2, so the packet goes to the next device, which in this example is the Linux machine.
It again checks the routing table and sees that it needs to go out the 172.16.2.1 interface to reach its final destination of 172.16.2.2.
During that entire process the source and destination addresses did not change. Had the packet traversed the NAT router, however, the source IP would have changed to the public IP of the NAT router, and a table entry would have been created in the router's address translation table so that when the packet was returned from the destination the translation could be reversed and the packet could be successfully delivered to the privately addressed host in the internal network.
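The walk-through above, modelled in Python as an added example (not code from the thread): two plain routing hops that leave the addresses alone, then a NAT router that rewrites the source and keeps a translation table so the reply can be mapped back and an unsolicited packet is dropped. The routing tables, the public IP 203.0.113.5 and the port numbers are constructed for the example; the NAT models the port-based translation (NAPT) that home broadband routers perform.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst sport dport")

def forward(routes, pkt):
    """Plain router hop: longest-prefix lookup picks next hop and egress interface; packet untouched."""
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(pkt.dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        raise ValueError(f"no route to {pkt.dst}")
    return pkt, best[1] or pkt.dst, best[2]

class NatRouter:
    """Broadband NAT router: rewrites the source on the way out and records how to undo it."""
    def __init__(self, public_ip):
        self.public_ip, self.next_port, self.table = public_ip, 40000, {}

    def outbound(self, pkt):
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = (pkt.src, pkt.sport)  # translation table entry used to reverse the reply
        return pkt._replace(src=self.public_ip, sport=port)

    def inbound(self, pkt):
        entry = self.table.get(pkt.dport) if pkt.dst == self.public_ip else None
        if entry is None:
            return None  # no table entry: unsolicited packet, dropped
        return pkt._replace(dst=entry[0], dport=entry[1])

# Constructed routing tables for the two hops in the post: (prefix, gateway or None, egress interface ip).
PC = [("192.168.1.0/24", None, "192.168.1.1"), ("0.0.0.0/0", "192.168.1.2", "192.168.1.1")]
LINUX = [("192.168.1.0/24", None, "192.168.1.2"), ("172.16.2.0/24", None, "172.16.2.1")]

def route_path(pkt, hops):
    """Walk the packet through each hop; returns the per-hop decisions and the packet as it leaves."""
    path = []
    for name, routes in hops:
        pkt, nh, iface = forward(routes, pkt)
        path.append((name, nh, iface))
    return path, pkt

def nat_round_trip(nat, pkt):
    """Translate pkt outbound, translate its reply back, and show a stray inbound packet being dropped."""
    out = nat.outbound(pkt)
    reply = Packet(src=out.dst, dst=out.src, sport=out.dport, dport=out.sport)
    stray = Packet(src="198.51.100.9", dst=nat.public_ip, sport=80, dport=12345)  # constructed
    return out, nat.inbound(reply), nat.inbound(stray)
```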
- 04-21-2006 #3
Sorry for any confusion that I caused and for taking so long to respond. Like you said, I was just using 'demo IPs' because of the security issues and because I didn't think the real ones were that important to the question. I know what the routing tables are, but I just thought that it would be easier to basically label the devices 1, 2, 3 instead of using a longer number. I guess in my attempt to simplify things I just made them more confusing. Thanks for the info and the help; next time I will try to be more clear.
On another note, thanks to the help I've received from this site I have got my box, KVM switch and all, up and running. It took a lot of long days and late nights to get it going, but it was well worth it. I know I've only scratched the surface, and as I learn more maybe I can help some people like others have helped me.
Thanks for all the help and yes linux does indeed rock...