Two WAN IPs configured in a Linux server (ILS and MPLS)


khalif_786 shekh

Jun 3, 2015, 2:37:55 AM
to vg...@googlegroups.com

Hello,


I have configured two WAN IPs (ILS and MPLS). I require public traffic to route via the ILS line and intranet traffic to route via the MPLS line.

Note: Currently ILS traffic is working fine, but I have configured two gateways in the Linux server (ILS and MPLS).

MPLS traffic is to be routed to the MPLS gateway. Kindly suggest how to configure this in a Linux system.


--
Regards,
Mahmadkhalif Shekh | Database Administrator
RHCE

Bhushan

Jun 3, 2015, 4:56:36 AM
to vg...@googlegroups.com
Hi Mahmadkhalif,

You can refer to the following VGLUG post for the solution. Let us know if you have any queries after reading it.

Linux IP routing: help
https://groups.google.com/forum/#!topic/vglug/hbHRypa9g9w

Regards,
Bhushan Karia

khalif_786 shekh

Jul 2, 2015, 8:31:35 PM
to vg...@googlegroups.com
Dear Bhushan/Nilesh Sir/Tejas Barot/Sham Sir,

I am facing a critical issue in the network, so kindly give a suggestion on a priority basis.

Thanks for the mail,

We have configured three interfaces in the Linux firewall:

eth0 mpls  10.15.15.0
eth1 public xxxxxx
eth2 internal 192.168.100.0


As per your suggestion I have configured MPLS network traffic to route to the MPLS gateway. I have configured the things below so that both WAN IPs work.

This is the configuration for MPLS:

MPLS Network : IP : 10.15.15.2

netmask : 255.255.255.0

gateway : 10.15.15.1

netstat -nr

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
210.212.153.224 0.0.0.0         255.255.255.248 U         0 0          0 eth1
10.15.15.0      10.15.15.1      255.255.255.0   UG        0 0          0 eth0
10.15.15.0      0.0.0.0         255.255.255.0   U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth2
192.168.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth2
0.0.0.0         210.212.153.225 0.0.0.0         UG        0 0          0 eth1
ip route show table mpls:

default via 10.15.15.1 dev eth0
 
ip route show:

210.212.153.224/29 dev eth1  proto kernel  scope link  src 210.212.153.230
10.15.15.0/24 via 10.15.15.1 dev eth0
10.15.15.0/24 dev eth0  proto kernel  scope link  src 10.15.15.2  metric 1
169.254.0.0/16 dev eth1  scope link  metric 1003
169.254.0.0/16 dev eth2  scope link  metric 1004
192.168.0.0/16 dev eth2  proto kernel  scope link  src 192.168.100.1
default via 210.212.153.225 dev eth1  proto static

Allowed traffic in iptables:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.100.7:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.100.7:80


iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Forwarding rule :

iptables -A FORWARD -i eth0 -p tcp --dport 80 -d 192.168.100.7

The public interface is working fine.

With the above configuration, incoming traffic from the region site comes via the MPLS router to our squid server's eth0 interface, but it is not NATed to our LAN IP (web server 192.168.100.7).


Bhushan

Jul 3, 2015, 4:47:20 AM
to vg...@googlegroups.com
Hi Mahmadkhalif,

Please go through my inline comments.
On which port is Squid running? I suppose it is running on a port other than 80. Are you doing transparent redirection using iptables for this? If yes, share the rule for that and the order of those rules along with the rules above. If Squid is running on port 80 then these rules should work. Just verify once that the traffic is coming in on interface eth0.


iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Forwarding rule :

iptables -A FORWARD -i eth0 -p tcp --dport 80 -d 192.168.100.7

What is the action (-j option) for this rule? If there is no action here then there is no use for this rule.

The public interface is working fine.

With the above configuration, incoming traffic from the region site comes via the MPLS router to our squid server's eth0 interface, but it is not NATed to our LAN IP (web server 192.168.100.7).


Also share the other nat PREROUTING rules so that we can check and verify whether there is any conflicting rule.

khalif_786 shekh

Jul 6, 2015, 10:55:31 PM
to vg...@googlegroups.com
Thanks for the mail, Bhushan,

The Squid service is working on port 1010. It is configured with DansGuardian.

When I reach the office I will share the iptables rules. MPLS traffic is coming in on the eth0 interface; this is confirmed.

Thanking you,



Bhushan

Jul 9, 2015, 5:59:37 AM
to vg...@googlegroups.com
Hi Mahmadkhalif,


On Tuesday, July 7, 2015 at 8:25:31 AM UTC+5:30, khalif_786 shekh wrote:
Thanks for the mail, Bhushan,

The Squid service is working on port 1010. It is configured with DansGuardian.

As per my mail, since Squid is running on port 1010, there should be a rule for port redirection for the transparent proxy. So if that rule is matched first, then the following rule will not be reached.


iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.100.7:80

Please share all iptables rules for a final conclusion.

khalif_786 shekh

Jul 9, 2015, 7:35:56 AM
to vg...@googlegroups.com
Dear Bhushan,

Thanks for the mail,

As per your mail, the iptables rules are given below.

[root@squid ~]# service iptables status
Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22 to:192.168.100.1:22
2    DNAT       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:22 to:192.168.100.1:22
3    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3389 to:192.168.100.7:3389
4    DNAT       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:3389 to:192.168.100.7:3389
5    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 to:192.168.100.7:80
6    DNAT       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:80 to:192.168.100.7:80
7    DNAT       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:80 to:192.168.100.7:80
8    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 to:192.168.100.7:80
9    DNAT       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:3389 to:192.168.100.20:3389
10   DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3389 to:192.168.100.20:3389
11   DNAT       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:6060 to:192.168.100.7:6060
12   DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:6060 to:192.168.100.7:6060
13   DNAT       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:5050 to:192.168.100.7:5050
14   DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:5050 to:192.168.100.7:5050
15   DNAT       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:25 to:192.168.100.4:25
16   DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25 to:192.168.100.4:25
17   DNAT       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:443 to:192.168.100.4:443
18   DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443 to:192.168.100.4:443
19   DNAT       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:80 to:192.168.100.4:80
20   DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 to:192.168.100.4:80
21   REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 1010
22   REDIRECT   udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:80 redir ports 1010
23   REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3128 redir ports 1010
24   REDIRECT   udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:3128 redir ports 1010
25   DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:7070 to:192.168.100.7:7070
26   DNAT       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:7070 to:192.168.100.7:7070
27   DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 to:192.168.100.7:80
Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0
2    MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0
3    MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  10.15.15.0/24        0.0.0.0/0
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  10.15.15.0/24        0.0.0.0/0
4    ACCEPT     udp  --  0.0.0.0/0            210.212.153.230     udp dpt:443
5    ACCEPT     tcp  --  0.0.0.0/0            210.212.153.230     tcp dpt:443
6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:443
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
8    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:3389
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3389
10   REJECT     all  --  174.139.106.50       0.0.0.0/0           reject-with icmp-port-unreachable
11   REJECT     all  --  59.188.242.190       0.0.0.0/0           reject-with icmp-port-unreachable
12   REJECT     all  --  117.239.189.64       0.0.0.0/0           reject-with icmp-port-unreachable
13   REJECT     all  --  59.188.242.190       0.0.0.0/0           reject-with icmp-port-unreachable
14   REJECT     all  --  74.125.68.188        0.0.0.0/0           reject-with icmp-port-unreachable
15   REJECT     all  --  210.212.153.23       0.0.0.0/0           reject-with icmp-port-unreachable
16   REJECT     all  --  117.239.189.64       0.0.0.0/0           reject-with icmp-port-unreachable
17   REJECT     all  --  101.71.48.55         0.0.0.0/0           reject-with icmp-port-unreachable
18   REJECT     all  --  42.194.9.36          0.0.0.0/0           reject-with icmp-port-unreachable
19   REJECT     all  --  36.251.137.60        0.0.0.0/0           reject-with icmp-port-unreachable
20   REJECT     all  --  36.251.139.60        0.0.0.0/0           reject-with icmp-port-unreachable
21   REJECT     all  --  101.71.46.197        0.0.0.0/0           reject-with icmp-port-unreachable
22   REJECT     all  --  36.250.231.56        0.0.0.0/0           reject-with icmp-port-unreachable
23   REJECT     all  --  115.231.233.46       0.0.0.0/0           reject-with icmp-port-unreachable
24   REJECT     all  --  115.231.234.108      0.0.0.0/0           reject-with icmp-port-unreachable
25   REJECT     all  --  115.231.231.116      0.0.0.0/0           reject-with icmp-port-unreachable
26   REJECT     all  --  115.231.231.109      0.0.0.0/0           reject-with icmp-port-unreachable
27   REJECT     all  --  183.61.164.137       0.0.0.0/0           reject-with icmp-port-unreachable
28   REJECT     all  --  122.13.193.127       0.0.0.0/0           reject-with icmp-port-unreachable
29   REJECT     all  --  101.71.45.140        0.0.0.0/0           reject-with icmp-port-unreachable
30   REJECT     all  --  101.71.46.7          0.0.0.0/0           reject-with icmp-port-unreachable
31   REJECT     all  --  115.231.231.234      0.0.0.0/0           reject-with icmp-port-unreachable
32   REJECT     all  --  115.231.231.197      0.0.0.0/0           reject-with icmp-port-unreachable
33   REJECT     all  --  115.231.231.116      0.0.0.0/0           reject-with icmp-port-unreachable
34   REJECT     all  --  14.17.74.186         0.0.0.0/0           reject-with icmp-port-unreachable
35   REJECT     all  --  42.194.9.36          0.0.0.0/0           reject-with icmp-port-unreachable
36   REJECT     all  --  122.226.186.27       0.0.0.0/0           reject-with icmp-port-unreachable
37   DROP       all  --  122.226.186.27       0.0.0.0/0
38   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:6060
39   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:6060
40   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:5050
41   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:5050
42   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:22222
43   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22222
44   ACCEPT     udp  --  192.168.0.0/16       0.0.0.0/0           udp dpt:1010
45   ACCEPT     tcp  --  192.168.0.0/16       0.0.0.0/0           tcp dpt:1010
46   ACCEPT     udp  --  192.168.0.0/16       0.0.0.0/0           udp dpt:3128
47   ACCEPT     tcp  --  192.168.0.0/16       0.0.0.0/0           tcp dpt:3128
48   ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
49   ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
50   ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
51   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
52   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
53   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
54   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
55   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53
56   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53
57   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:993
58   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:995
59   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:7070
60   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:7070
61   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
62   DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00
63   DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x3F
64   DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 state NEW
65   DROP       all  -f  0.0.0.0/0            0.0.0.0/0
66   DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp state NEW recent: UPDATE seconds: 1 hit_count: 10 name: UDP side: source
67   DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp state NEW recent: UPDATE seconds: 1 hit_count: 10 name: UDP side: source
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            192.168.100.1       tcp dpt:22
2    ACCEPT     udp  --  0.0.0.0/0            192.168.100.1       udp dpt:22
3    ACCEPT     udp  --  0.0.0.0/0            192.168.100.7       udp dpt:3389
4    ACCEPT     tcp  --  0.0.0.0/0            192.168.100.7       tcp dpt:3389
5    ACCEPT     udp  --  0.0.0.0/0            192.168.100.7       udp dpt:80
6    ACCEPT     tcp  --  0.0.0.0/0            192.168.100.7       tcp dpt:80
7    ACCEPT     udp  --  0.0.0.0/0            192.168.100.7       udp dpt:80
8    ACCEPT     tcp  --  0.0.0.0/0            192.168.100.7       tcp dpt:80
9    ACCEPT     tcp  --  0.0.0.0/0            192.168.100.20      tcp dpt:3389
10   ACCEPT     udp  --  0.0.0.0/0            192.168.100.7       udp dpt:6060
11   ACCEPT     tcp  --  0.0.0.0/0            192.168.100.7       tcp dpt:6060
12   ACCEPT     udp  --  0.0.0.0/0            192.168.100.7       udp dpt:5050
13   ACCEPT     tcp  --  0.0.0.0/0            192.168.100.7       tcp dpt:5050
14   ACCEPT     udp  --  0.0.0.0/0            192.168.100.4       udp dpt:3389
15   ACCEPT     udp  --  0.0.0.0/0            192.168.100.4       udp dpt:25
16   ACCEPT     tcp  --  0.0.0.0/0            192.168.100.4       tcp dpt:25
17   ACCEPT     udp  --  0.0.0.0/0            192.168.100.4       udp dpt:443
18   ACCEPT     tcp  --  0.0.0.0/0            192.168.100.4       tcp dpt:443
19   ACCEPT     udp  --  0.0.0.0/0            192.168.100.4       udp dpt:80
20   ACCEPT     tcp  --  0.0.0.0/0            192.168.100.4       tcp dpt:80
21   ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
22   ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
23   ACCEPT     tcp  --  0.0.0.0/0            192.168.100.7       tcp dpt:7070 state NEW,RELATED,ESTABLISHED
24   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
25   ACCEPT     tcp  --  0.0.0.0/0            192.168.100.7       tcp dpt:80
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Table: mangle
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MARK       all  --  10.15.15.0/24        0.0.0.0/0           MARK set 0x1
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)

Thanks for your response.



ElectroMech

Jul 10, 2015, 12:01:46 AM
to vg...@googlegroups.com

Hi

Never post or include any live IP or real host name on a public mailing list.

Bhushan

Jul 10, 2015, 7:47:31 AM
to vg...@googlegroups.com
Hi Mahmadkhalif,


I was going through your mails; as per your requirement, the packet flow is as below.

Region Site ----> MPLS Router-----> [eth0] Linux Server [eth2]----> WebServer

As per the above flow, if traffic is coming from eth0 with destination port 80, you are redirecting it to your web server, so you are changing the destination IP and port in PREROUTING for the same with the rule below.


iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.100.7:80

This rule is first, so it should work properly and there would be no conflict with the transparent proxy redirection rule, which is at the bottom. Now the traffic will go out successfully from eth2 with the rule you mentioned in the filter FORWARD chain.

Forwarding rule :
iptables -A FORWARD -i eth0 -p tcp --dport 80 -d 192.168.100.7 -j ACCEPT

But what about the response traffic from the web server? I have seen two ACCEPT rules in your last mail, but I suppose these have specific interface conditions.

21   ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
22   ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

In your last mail you mentioned the problem below.

"With the above configuration, incoming traffic from the region site comes via the MPLS router to our squid server's eth0 interface, but it is not NATed to our LAN IP (web server 192.168.100.7)."

So I suppose from the above rules that the traffic is redirected to the web server properly, but the response traffic is getting dropped. By adding ACCEPT rules for the response traffic the problem would be resolved. Please let me know if you still face any problem after adding the rule.


Regards,
Bhushan Karia
