This is a discussion on Re: multiple external ips on external interface within the IPFilter forums, part of the System Security and Security Related category.
Jim,

Thanks a lot for your reply. Right now I have enabled ip_forwarding and am first trying to get the ipnat working. My ipf.conf is empty and the default is to pass all. My external interface qfe0 connects to a Cisco 3548 switch and the switch goes to a router. qfe0 is 10.10.10.1. If I try an ipnat map with qfe0 it works fine. However, if I try a map with the second ip 10.10.10.2 I can see that ipnat has translated the ip but there is no response back. Same is the problem with rdr, there is no response. Then I thought maybe I have to do a proxy arp for the second ip so that the switch and the router would know that packets for 10.10.10.2 should go to qfe0, so I did an arp -s 10.10.10.2 <mac-address qfe0>; however, that did not work either. Any ideas would surely help.

-Jeet

--- Jim Sandoz <sandoz@lucent.com> wrote:

> jeet,
>
> ipfilter consists of two subsystems, "ipf" and "ipnat".
>
> ipf's task is to filter packets by using criteria which you define in /etc/opt/ipf/ipf.conf.
>
> ipnat's task is to rewrite packets using criteria which you define in /etc/opt/ipf/ipnat.conf
>
> you can use ipf and ipnat individually (by leaving the config file nulled you effectively disable that function), or you can use them in tandem. most folks use both. there are some interactions between the two which i will note in a moment.
>
> you will be interested in using ipnat to rewrite the IP addresses of specific packets coming into your external interface. this will cause some packets to be routed by your sparc into the private address space behind it.
>
> keep in mind that you need kernel routing enabled to do this. if your sparc has two interfaces configured at boot time it should do this automatically; otherwise you can force it to do kernel routing via
>
>     # /usr/sbin/ndd -set /dev/ip ip_forwarding 1
>
> but the direct answer to your question is "no", you don't configure any additional IP addresses on your external interface. however, you do need to add some rules to ipnat's config file to rewrite specific address/port pairs; one such example would be
>
>     rdr qfe0 10.10.10.1/32 port 80 -> 172.16.1.2 port 8080 tcp
>
> this says "any packets arriving on interface qfe0 with the destination of 10.10.10.1:80 should be rewritten to have a destination address of 172.16.1.2:8080, then given to ipf for filtering, and if not blocked by ipf subsequently passed to the kernel for routing"
>
> substitute your "external" interface (hme1?) for the qfe0 above.
>
> the above statement implies that ipf is configured to accept (i.e. "pass") packets that have a destination address of 172.16.1.2:8080 -- this little tidbit causes trouble for everyone. keep this in mind when writing ipf rules; ipf has to deal with packets AFTER ipnat has rewritten them.
>
> you may be asking, "what happens to the reply packet coming back out of the network from 172.16.1.2:8080"? well, ipnat keeps a table of its translations, just like ipf keeps a table of its states. hence, on the return journey, ipnat rewrites the IP address back to the original. as far as the remote machine is concerned, it is talking to your sparc and has no knowledge that your sparc is actually frontending the real physical webserver.
>
> you will want to read
> http://www.phildev.net/ipf/
> and
> http://www.obfuscation.org/ipf/
>
> also see
> http://marc.theaimsgroup.com/?l=ipfi...9861622589&w=2
> and
> http://marc.theaimsgroup.com/?l=ipfi...8074705794&w=2
> and
> http://marc.theaimsgroup.com/?l=ipfi...1495100723&w=2
>
> jim
>
> Jeet wrote:
>
> > Hi Everyone,
> >
> > I have started using ipfilters on solaris 9 sparc Ultra 10.
> >
> > However I have a small newbie question: the external interface is
> >
> > e.g 10.10.10.1 internal 172.16.1.1
> >
> > In order to set up something like this
> >
> > 10.10.10.2:80 - 172.16.1.2:8080
> > 10.10.10.3:80 - 172.16.1.3:8080
> >
> > Do I have to configure the external interfaces with the external ip's or there is some way to get it working without that.
> >
> > Thanks a lot.
> > -Jeet
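The ordering Jim describes (ipnat rewrites the inbound packet, ipf then filters the rewritten packet, and ipnat undoes the rewrite on the reply from its session table) is the part that trips people up, so here is a small model of it as an added example. This is not IPFilter code and not part of the thread; it is a toy that understands only the two rule shapes seen above (an `rdr` line and a `pass`/`block in quick on` line), applies them in the order the reply explains, and includes a lint that flags ipf pass rules written against the pre-NAT external address, which is the mistake the reply warns about. The configs and the client address 192.0.2.10 are constructed for the demo, using the 10.10.10.2/10.10.10.3 to 172.16.1.2/172.16.1.3 mappings from Jeet's question.

```python
"""Toy model of the ipnat -> ipf ordering from the reply above (added example,
not IPFilter code). Supported rule shapes (anything else raises ValueError):
    rdr <iface> <ip>/<len> port <p> -> <ip> port <p> <tcp|udp>
    pass|block in quick on <iface> proto <tcp|udp> from any to <ip> port = <p>
    pass|block in quick on <iface> all
"""
import ipaddress
import re
from dataclasses import dataclass, replace

RDR_RE = re.compile(
    r"^rdr\s+(\S+)\s+(\S+)\s+port\s+(\d+)\s*->\s*(\S+)\s+port\s+(\d+)\s+(tcp|udp)$")
IPF_RE = re.compile(
    r"^(pass|block)\s+in\s+quick\s+on\s+(\S+)"
    r"(?:\s+proto\s+(tcp|udp)\s+from\s+any\s+to\s+(\S+)\s+port\s*=\s*(\d+)|\s+all)$")


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _lines(conf):
    return [l.strip() for l in conf.splitlines() if l.strip() and not l.startswith("#")]


class Ipnat:
    """rdr rules plus the translation table used to undo them on the way out."""

    def __init__(self, conf):
        self.rdr = []
        for line in _lines(conf):
            m = RDR_RE.match(line)
            if not m:
                raise ValueError("unsupported ipnat rule in this toy: " + line)
            iface, net, port, to_ip, to_port, proto = m.groups()
            self.rdr.append((iface, ipaddress.ip_network(net), int(port),
                             to_ip, int(to_port), proto))
        self.sessions = {}  # (server ip, port, client ip, port) -> original (ip, port)

    def inbound(self, pkt):
        """Rewrite the destination if an rdr rule matches; remember the original."""
        for iface, net, port, to_ip, to_port, proto in self.rdr:
            if (pkt.iface == iface and pkt.proto == proto
                    and ipaddress.ip_address(pkt.dst) in net and pkt.dport == port):
                self.sessions[(to_ip, to_port, pkt.src, pkt.sport)] = (pkt.dst, pkt.dport)
                return replace(pkt, dst=to_ip, dport=to_port)
        return pkt

    def outbound(self, pkt):
        """Put the external address back on a reply packet from a known session."""
        orig = self.sessions.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return pkt if orig is None else replace(pkt, src=orig[0], sport=orig[1])


class Ipf:
    """First-match ('quick') inbound rules; an empty ipf.conf passes everything."""

    def __init__(self, conf):
        self.rules = []
        for line in _lines(conf):
            m = IPF_RE.match(line)
            if not m:
                raise ValueError("unsupported ipf rule in this toy: " + line)
            action, iface, proto, dst, dport = m.groups()
            self.rules.append((action, iface, proto, dst, int(dport) if dport else None))

    def decide(self, pkt):
        for action, iface, proto, dst, dport in self.rules:
            if pkt.iface != iface:
                continue
            if dst is None or (pkt.proto == proto and pkt.dst == dst and pkt.dport == dport):
                return action
        return "pass"


def process_inbound(nat, ipf, pkt):
    """ipnat first, then ipf sees the REWRITTEN packet. Returns (verdict, packet)."""
    rewritten = nat.inbound(pkt)
    return ipf.decide(rewritten), rewritten


def pre_nat_pass_rules(nat, ipf):
    """Lint: pass rules naming an rdr's external ip:port can never match post-NAT."""
    ext = {(str(net.network_address), port) for _, net, port, _, _, _ in nat.rdr}
    return [r for r in ipf.rules if r[0] == "pass" and (r[3], r[4]) in ext]


# Constructed sample configs (not from the thread's machines).
NAT_CONF = """
rdr qfe0 10.10.10.2/32 port 80 -> 172.16.1.2 port 8080 tcp
rdr qfe0 10.10.10.3/32 port 80 -> 172.16.1.3 port 8080 tcp
"""
IPF_WRONG = """# written against the external address: never matches after ipnat
pass in quick on qfe0 proto tcp from any to 10.10.10.2 port = 80
block in quick on qfe0 all
"""
IPF_RIGHT = """# written against the rewritten (internal) address
pass in quick on qfe0 proto tcp from any to 172.16.1.2 port = 8080
pass in quick on qfe0 proto tcp from any to 172.16.1.3 port = 8080
block in quick on qfe0 all
"""


def demo(ipf_conf):
    """Run one client SYN and its reply through the model."""
    nat, ipf = Ipnat(NAT_CONF), Ipf(ipf_conf)
    client = Packet("qfe0", "tcp", "192.0.2.10", 40000, "10.10.10.2", 80)
    verdict, inside = process_inbound(nat, ipf, client)
    reply = nat.outbound(Packet("qfe0", "tcp", inside.dst, inside.dport, inside.src, inside.sport))
    return verdict, inside.dst, inside.dport, reply.src, reply.sport


if __name__ == "__main__":
    print("wrong ipf.conf:", demo(IPF_WRONG))
    print("right ipf.conf:", demo(IPF_RIGHT))
    print("pre-NAT pass rules:", pre_nat_pass_rules(Ipnat(NAT_CONF), Ipf(IPF_WRONG)))
```

Running it shows the first ipf.conf blocking the redirected connection even though its pass rule looks right at a glance, and the second passing it; in both cases the reply leaves with source 10.10.10.2:80 restored from the session table, which is why the remote client never sees 172.16.1.2. The lint is the check worth keeping around: any pass rule whose destination equals an rdr's external ip:port is dead.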