Many external IP addresses

Forum covering the up-and-coming secure distribution named IPCop, based on the Smoothwall distribution. It is currently the most active forum on the site.


Post by teukka » 30 August 2005 12:39

Hi

First I have to say, sorry that I'm writing in English... hope somebody answers me :)

How can I have (can I have) many external IP addresses on my IPCop firewall?

The page http://www.ipcop.org/1.4.0/en/admin/html/section-firewall.html#section-port-forwarding
says "Ports ranges cannot overlap each other." and "You cannot forward the same port to several machines."

This is strange because in my opinion many commercial firewalls can have many external IPs and
route things like I need (okay, I'm a nerd with no money).

The situation is that I need a firewall/NAT that can route/handle the following:

- 2 separate www servers, let's say geek1 and geek2
- geek1 has internal IP 192.168.0.10 and external IP 123.123.123.1
- geek2 has internal IP 192.168.0.11 and external IP 123.123.123.2

So the final question is, does IPCop understand IP aliasing at all on the external interface?
And if it does, how can I use it? :)

Regards,

Pekka
Finland

Post by MI6Fred » 30 August 2005 13:14

IPCop only handles one external connection, that means one IP address. You can access one, two or three different local networks (green, orange and blue interfaces) from IPCop but it only handles one Internet link.

The port forwarding documentation refers to the way every NAT-capable firewall works: you can only forward one port to one local IP address.

How do you plan to receive packets for both IPs on your IPCop box? Do you have two external connections?

Such advanced routing rules are not supported in IPCop as far as I know, at least not in their web interface. If you have only one external connection (only one interface is connected to the Internet), you may be able to manually set these rules.

Post by teukka » 30 August 2005 13:24

MI6Fred wrote: IPCop only handles one external connection, that means one IP address. You can access one, two or three different local networks (green, orange and blue interfaces) from IPCop but it only handles one Internet link.

The port forwarding documentation refers to the way every NAT-capable firewall works: you can only forward one port to one local IP address.

How do you plan to receive packets for both IPs on your IPCop box? Do you have two external connections?


I have one physical external interface (with one IP address) on the IPCop machine, but about 15 min ago I made some IP aliases for it from the command line, so now the interface has three public addresses like this:

Code:
eth0    Link encap:Ethernet  HWaddr 00:XX:XX:XX:XX:XX
          inet addr:123.123.123.1  Bcast:123.123.123.255  Mask:255.255.255.192
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:596251 errors:0 dropped:0 overruns:0 frame:0
          TX packets:702833 errors:0 dropped:0 overruns:0 carrier:0
          collisions:15135 txqueuelen:1000
          RX bytes:88581153 (84.4 MiB)  TX bytes:595212210 (567.6 MiB)
          Interrupt:52 Base address:0x8400

eth0:0 Link encap:Ethernet  HWaddr 00:XX:XX:XX:XX:XX
          inet addr:123.123.123.2  Bcast:62.255.255.255  Mask:255.255.255.192
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:52 Base address:0x8400

eth0:1 Link encap:Ethernet  HWaddr 00:XX:XX:XX:XX:XX
          inet addr:123.123.123.3  Bcast:62.255.255.255  Mask:255.255.255.192
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:52 Base address:0x8400


So now that I have many addresses on the same card, normally I can use them all to connect to that machine. But I still can't get IPCop (or that machine) to understand that it really has many external IP addresses and could use them... I can make the SSH server listen only on address 123.123.123.1 and port 22,
or on addresses 123.123.123.1 and 123.123.123.2 but not 123.123.123.3, so why can't I do the things I described earlier.. I'm confused

Post by Franck78 » 30 August 2005 13:29

~false

IPCop can handle many IP aliases on its RED interface. Of course RED can't be standard ADSL with DHCP. Your provider must assign you some fixed IPs.

There are some pending problems with aliases and NAT.
Maybe the GUI doesn't let you do port transfers of this style:

IPaliases1:portX=>svr1
IPaliases2:portX=>svr2

if portX is the same. This is due to NAT (if not possible). Just try or read portfw.cgi!
Franck

Post by teukka » 30 August 2005 13:35

Franck78 wrote: ~false

IPCop can handle many IP aliases on its RED interface. Of course RED can't be standard ADSL with DHCP. Your provider must assign you some fixed IPs.

There are some pending problems with aliases and NAT.
Maybe the GUI doesn't let you do port transfers of this style:

IPaliases1:portX=>svr1
IPaliases2:portX=>svr2

if portX is the same. This is due to NAT (if not possible). Just try or read portfw.cgi!


Thanks! No, my situation is not completely poor \o/ I'll just read and try, and then hope :)

Thanks again

Pekka

Post by MI6Fred » 30 August 2005 13:44

In my opinion, the web interface would need quite some changes to be able to handle such rules ... you should write them yourself, in rc.firewall.local.

Post by phaby » 30 August 2005 16:15

I'm sorry, but I'm going to answer in French.

You can indeed assign several IP addresses to the RED interface and set up port forwards on these different IP addresses.

Franck78 wrote: There are some pending problems with aliases and NAT.
Maybe the GUI doesn't let you do port transfers of this style:

IPaliases1:portX=>svr1
IPaliases2:portX=>svr2

if portX is the same. This is due to NAT (if not possible). Just try or read portfw.cgi!


Here is an excerpt of my port forwards (created through the graphical interface):

TCP a.b.c.37 :
80(HTTP) => 192.168.150.247 : 80(HTTP) HTTP audio server

TCP a.b.c.39 :
80(HTTP) => 192.168.150.249 : 80(HTTP) Web server

So I do have forwards on the same port (on different aliases and to different destination IP addresses) and it works. Could you give more details about these problems??

Post by Franck78 » 30 August 2005 16:35

A bit long to read, it's the first topic:
https://sourceforge.net/mailarchive/mes ... id=9540949

But there have been other topics. On Ixus too, for that matter.
To summarize very quickly, you cannot assign an IP alias that would be exclusively reserved to a server on GREEN/ORANGE.
Indeed, some people would like a server known on the Internet by its alias IP to always use that alias IP in its exchanges. But the masquerade always assigns the RED IP...
The most recent problem/example was an SMTP server.

That's it
Franck
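The hand-written rules MI6Fred points to (rc.firewall.local) and the masquerade problem Franck78 describes can be handled together: a DNAT keyed on each alias for inbound traffic, plus an SNAT inserted ahead of IPCop's MASQUERADE rule so the server's outbound traffic keeps its alias. This is an added example, not IPCop's own code or any poster's; it only prints the iptables commands, and it assumes RED is eth0, the aliases are already configured on it, and the built-in nat/filter chains are used.

```shell
#!/bin/sh
# Added example (not IPCop's code): prints iptables rules that tie one public
# alias on RED 1:1 to one internal server. Review the output, then pipe it
# into sh on the firewall (e.g. from rc.firewall.local).
# Assumptions: RED is eth0 and the aliases already exist on that interface.

RED_IF="eth0"   # assumption: the RED interface

# alias_nat_rules <alias_ip> <server_ip> <port> [<port> ...]
# For every port: a DNAT rule matched on the alias address (so the same port
# can go to a different server per alias, which the GUI refused) and a FORWARD
# accept for that new connection. Then one SNAT rule so the server's own
# outbound traffic leaves with its alias rather than RED's primary address.
# It is inserted at position 1 of POSTROUTING so it is evaluated before
# IPCop's MASQUERADE rule; appended after it, it would never match.
alias_nat_rules() {
    alias_ip=$1
    server_ip=$2
    shift 2
    for port in "$@"; do
        echo "iptables -t nat -I PREROUTING 1 -i $RED_IF -d $alias_ip -p tcp --dport $port -j DNAT --to-destination $server_ip:$port"
        echo "iptables -I FORWARD 1 -i $RED_IF -d $server_ip -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    echo "iptables -t nat -I POSTROUTING 1 -o $RED_IF -s $server_ip -j SNAT --to-source $alias_ip"
}

# Constructed mapping: the two aliases from teukka's ifconfig output (eth0:0
# and eth0:1) in front of geek1 and geek2 from the original question.
alias_nat_rules 123.123.123.2 192.168.0.10 80 443
alias_nat_rules 123.123.123.3 192.168.0.11 80 443
```

Because the SNAT is matched on the server's source address, it applies to everything that server initiates (the SMTP case above), not just replies to forwarded ports.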

Post by phaby » 30 August 2005 16:46

Right, now I understand better...

I've had this problem: a provider was sending us requests to an alias IP, but it wasn't that address that replied to them (it was the DEFAULT IP), and we spent a little while looking for why it didn't work!! ;-)