DNAT and MASQUERADE

[shimi]

On Wed, Jan 7, 2015 at 10:16 AM, Erez D <erez0001 at gmail.com> wrote:

> hello.
>
> I have an iptables question
>
> i have the following
>
> ext_ip -> NAT1 -> linux firewall-> network -> computer1:eth0 .. computer99
>
> i have no control over NAT1.
> computer1 also can reach the internet via eth1.
>
> linux firewall redirects incoming port 7777 from ext_ip to computer1
> however i need coputer2 .. computer99 to connect to ext_ip:7777 and also
> reach computer1
>
> so first i did a NAT rule in linux firewall to redirect all packets from
> internal to ext_ip:7777  to computer1. and did an 'ifconfig eth0:1 $ext_ip
> up' on computer1.
> this works. however it causes computer1 not to be able to access real
> ext_ip via eth1 which is connected to the internet as well
>
> so i though of both doing DNAT and MASQ, which will do the same but will
> not require assiging ext_ip to computer1.
> howerver i do not know how to do that
>
>
If computer1 can access ext_ip:7777, all you need is to allow ip_forward
(/etc/sysctl.conf for permanent, and echo 1 >
/proc/sys/net/ipv4/ip_forward) on computer1, and have all other computers
have a static route to ext_ip via computer1

Then, in computer1,

iptables -t nat -I POSTROUTING -o <interface going towards ext_ip> [ -i
<interface subnet of computers come from> ] -s <subnet of
computers/netmask> -p tcp --dport 7777 -j MASQUERADE

should do...

(of course, assuming the iptables FORWARD chain is not dropping those
packets; otherwise you'ld need an ACCEPT rule there, too...)

HTH,

-- Shimi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.cs.huji.ac.il/pipermail/linux-il/attachments/20150107/a766bb52/attachment.html>