Log from #iptables at freenode 2006-08-04
[20:10]<vzrllysv>ok fine. iptables -t nat -A POSTROUTING -p tcp --dport 25 -d smtp.isp.com -j SNAT --to-source my.ip.add.ress
[20:12]<vzrllysv>so each packet comes from the requestor to you, from you to smtp.isp.com because of the DNAT rule, then the reply goes from smtp.isp.com back to you (because of the SNAT rule), and through you back to the requestor thanks to connection tracking magic.
[20:15]<rxrgmy>trappist ok.. get it :) thanks a lot
[20:16]<vzrllysv>np
[20:17]<rxrgmy>trappist it works fine. Thanks a LOT!!!
[20:30]<vzrllysv>chandi: cool :)
[20:30]<vzrllysv>I've never actually done it
[20:30]<vzrllysv>I thought, in theory it should work :)
[20:30]<rxrgmy>haha
[20:34]<vyrn-vnzsr>chandi: I'm thinking of doing something similar, can you paste the two rules you used to accomplish this?
[20:48]<vyrn-vnzsr>chandi: or not.. :(
[20:56]<vyrn-vnzsr>nm, figured it out with a test case... saw what I was doing wrong
[22:32]<asvygus->Hello, not really an iptables question but is it possible to assign two ip addresses to one NIC?
[22:33]<tdbnzr>Astinus-: eth0:0
[22:33]<asvygus->TmBerg: using ifconfig?
[22:34]<tdbnzr>Astinus-: Yes, Or /etc/network/interfaces ( Debian )
[22:35]<asvygus->TmBerg: ok, you see I've been a little bit confused since the ip-aliasing howto said that ip-aliasing was supposed to be replaced by something "more superior" in 2.4/2.6 but the only thing I found was this new ip-tools package, which is rather cryptic to understand
[22:36]<asvygus->and eth0:0 as far as I know is ip-aliasing?
[22:42]<pf-rwrd>kinda newbish question: is it possible to just forward all traffic from eth0 to eth1?
[22:43]<rlraxne>yup alias
[22:44]<rfnlx0>lo all.
[22:44]<rfnlx0>I am migrating to a new server and I want to forward all traffic arriving at the old server to be forwarded to the new one (DNAT?)
[22:44]<rfnlx0>(to bridge the time DNS takes to update)
[22:44]<rfnlx0>I'm totally confused by all the howtos and docs.
[22:45]<rfnlx0>suppose I want to test this on port 9999
[22:45]<rfnlx0>I would do:
[22:45]<rfnlx0>iptables -A INPUT -p tcp --dport 9999 -j DNAT --to-destination newip
[22:45]<rlraxne>ifconfig ${INSIDE_DEV} ${INSIDE_IP} netmask ${INSIDE_NETMASK} broadcast ${INSIDE_BROADCAST}
[22:45]<rlraxne>ifconfig ${INSIDE_DEV}:1 ${INSIDE_IP2} netmask ${INSIDE_NETMASK2} broadcast ${INSIDE_BROADCAST2}
[22:45]<rfnlx0>but I get "iptables: Invalid argument"
[22:46]<rlraxne>aleph0: because you don't do DNAT in the input chain
[22:47]<rlraxne>you do that in -t nat -A PREROUTE or -t nat -A POSTROUTE
[22:47]<rfnlx0>ok. I did have preroute and postroute before. but I'm not getting the result I expect
[22:48]<rfnlx0>hang on. I was suggested: "iptables -t nat -A PREROUTING -p tcp --dport 9999 -j DNAT --to newip". is that wrong?
[22:53]<fyguw_drgau>aleph0: what port the service is running?
[22:53]<fyguw_drgau>aleph0: for eg.. If i have an internal server running a webservice i would do something like this
[22:54]<rfnlx0>9999 - but it's not an 'internal server' it's just the other server I'm migrating to.
[22:54]<fyguw_drgau>aleph0: iptables -t nat -A PREROUTING -s 0/0 -d <pub-ip> -j DNAT --to <localip:80>
[22:54]<fyguw_drgau>without < and > of course ;)
[22:54]<rfnlx0>ok
[22:54]<fyguw_drgau>aleph0: what do you mean by other server you are migrating to?
[22:55]<fyguw_drgau>can you explain your setup a bit
[22:56]<rfnlx0>sure. I have two servers at a hosting company and I want to migrate from one to the other. (both have public IP addresses and are not on some internal net). I want to forward all traffic arriving at the old server to the new one in order to neatly bridge the time it takes for all DNS servers to update my domain to the new IP.
[22:57]<fyguw_drgau>aleph0: Sounds like a nice idea.. But there are some problems...
[22:57]<fyguw_drgau>aleph0: For one.. For DNAT to work.. The default gateway of the second server should be set to the DNATing server
[22:58]<fyguw_drgau>aleph0: otherwise It will try to respond with Its own default gateway.. and in your case ... Both are being in the public IP...
[22:58]<rfnlx0>well I could do that for the transition period... I suppose.
[22:59]<fyguw_drgau>the clients will discard the response as they will be sending it to the IP AA.AA.AA.AA and getting the response from BB.BB.BB.BB
[22:59]<fyguw_drgau>aleph0: However You can do something like this...
[23:00]<rfnlx0>hm. I thought something like that might happen. so I need a new default gateway on the new box and some SNAT as well huh?
[23:00]<fyguw_drgau>bring the first server down.. And in the second server create an aliased interface.. with the IP same as the first server..
[23:01]<fyguw_drgau>aleph0: that would be a simple solution
[23:01]<fyguw_drgau>otherwise.. the harder approach will be...
[23:01]<fyguw_drgau>DNAT the connection from the first box to the second box...
[23:02]<fyguw_drgau>in the prerouting chain..
[23:02]<fyguw_drgau>and SNAT it to its own IP in the postrouting chain..
[23:02]<fyguw_drgau>which one will you go for,,
[23:02]<fyguw_drgau>?
[23:03]<rfnlx0>in the second solution I still need to set the default gateway of the new box to the old IP.
[23:03]<rfnlx0>right?
[23:03]<fyguw_drgau>Nope..
[23:03]<fyguw_drgau>if you do like this .. you don't need to
[23:03]<fyguw_drgau>provided both the boxes can reach each other..
[23:03]<fyguw_drgau>are they in the same subnet?
[23:04]<rfnlx0>nope
[23:04]<fyguw_drgau>fine.. try this.. this should work..
[23:04]<rfnlx0>I think they might just be in the same city :-/
[23:04]<fyguw_drgau>in the first box..
[23:04]<fyguw_drgau>run..
[23:05]<fyguw_drgau>iptables -t nat -A PREROUTING -s 0.0.0.0/0 -d <public-ip> -p tcp --dport <port> -j DNAT --to <second server:port>
[23:05]<fyguw_drgau>then
[23:06]<fyguw_drgau>iptables -t nat -A POSTROUTING -s 0.0.0.0/0 -d <secondBOX IP> -p tcp --dport <second box port> -j SNAT --to <firstbox's IP>
[23:07]<rfnlx0>:D
[23:07]<fyguw_drgau>What It will do is that.. It will rewrite both source and destination address.. that should work
[23:08]<rfnlx0>it does work!
[23:08]<fyguw_drgau>SO where is the party at ;)
[23:08]<rfnlx0>heidelberg, germany.
[23:08]<rfnlx0>;-)
[23:09]<fyguw_drgau>oh my gosh..
[23:09]<rfnlx0>you are in Delhi?
[23:10]<fyguw_drgau>Well somewhere near..
[23:10]<rfnlx0>cool.
[23:10]<fyguw_drgau>cool.... it is
[23:10]<rfnlx0>well. I'll get to work then... I'll be back later. thanks a lot!
[23:11]<fyguw_drgau>No probs
[23:11]<rrgydrg>I have done google searches, tried all the forums I can think of, and nothing is working to correct the error I'm getting. I've compiled *everything* as a module, and nothing seems to work. The ip_tables module is loaded, I have the userland tools installed, and I get "iptables v1.3.5: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
[23:11]<rrgydrg>Perhaps iptables or your kernel needs to be upgraded."
[23:12]<zj2wow0>modprobe iptable_filter
[23:13]<rrgydrg>wow
[23:14]<rrgydrg>I can't believe that just worked
[23:14]<rrgydrg>lol
[23:15]<zj2wow0>:D
[23:15]<zj2wow0>Did you enable automatic module loading in your kernel config?
[23:16]<rrgydrg>I'll have to check, I believe I did
[23:16]<rrgydrg>but that would explain why it didn't autoload that module I guess
[23:17]<rrgydrg>at least compiling kernels doesn't take as long as it used to :P
[23:18]<zj2wow0>hehe
[23:20]<rrgydrg>well, thanks robw810 now I can finish up