DNAT and MASQUERADE

shimi linux-il at shimi.net
Wed Jan 7 11:41:05 IST 2015


On Wed, Jan 7, 2015 at 11:35 AM, shimi <linux-il at shimi.net> wrote:

>
>
> On Wed, Jan 7, 2015 at 10:16 AM, Erez D <erez0001 at gmail.com> wrote:
>
>> hello.
>>
>> I have an iptables question
>>
>> i have the following
>>
>> ext_ip -> NAT1 -> linux firewall-> network -> computer1:eth0 .. computer99
>>
>> i have no control over NAT1.
>> computer1 also can reach the internet via eth1.
>>
>> linux firewall redirects incoming port 7777 from ext_ip to computer1
>> however i need computer2 .. computer99 to connect to ext_ip:7777 and also
>> reach computer1
>>
>> so first i did a NAT rule in linux firewall to redirect all packets from
>> internal to ext_ip:7777  to computer1. and did an 'ifconfig eth0:1 $ext_ip
>> up' on computer1.
>> this works. however it causes computer1 not to be able to access real
>> ext_ip via eth1 which is connected to the internet as well
>>
>> so i thought of both doing DNAT and MASQ, which will do the same but will
>> not require assigning ext_ip to computer1.
>> however i do not know how to do that
>>
>>
> If computer1 can access ext_ip:7777, all you need is to allow ip_forward
> (/etc/sysctl.conf for permanent, and echo 1 >
> /proc/sys/net/ipv4/ip_forward) on computer1, and have all other computers
> have a static route to ext_ip via computer1
>
> Then, in computer1,
>
> iptables -t nat -I POSTROUTING -o <interface going towards ext_ip> [ -i
> <interface subnet of computers come from> ] -s <subnet of
> computers/netmask> -p tcp --dport 7777 -j MASQUERADE
>
> should do...
>
> (of course, assuming the iptables FORWARD chain is not dropping those
> packets; otherwise you'd need an ACCEPT rule there, too...)
>
> HTH,
>
> -- Shimi
>
>
And on a second read, I think I got you wrong and the purpose was to access
computer1 port 7777 (hopefully listening on 0.0.0.0) from computersN by
using the external IP from the inside?

If so, did:

iptables -t nat -I PREROUTING -i <interface of computersN subnet> -s <subnet of
computers/netmask> -p tcp --dport 7777 -j REDIRECT --to-port 7777

not work?

-- Shimi
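The "DNAT plus MASQUERADE" arrangement Erez asked about (hairpin NAT on the Linux firewall, so computer2..99 reach computer1:7777 via ext_ip without computer1 holding the external address), as an added example that is not part of the original thread; the addresses, interface name and the APPLY switch are assumptions:

```shell
#!/bin/sh
# Hairpin NAT on the Linux firewall (not computer1). Requires the firewall to
# already forward (net.ipv4.ip_forward=1), which it does for the NAT1 -> computer1
# redirect described in the thread.
#
# Assumed layout (constructed for this example):
#   EXT_IP   203.0.113.10   public address held by NAT1 (not under our control)
#   LAN_NET  192.168.1.0/24 internal network on the firewall's interface eth1
#   SERVER   192.168.1.10   computer1, listening on 0.0.0.0:7777
EXT_IP=203.0.113.10
LAN_NET=192.168.1.0/24
LAN_IF=eth1
SERVER=192.168.1.10
PORT=7777

# Print each rule (default) so it can be reviewed; run it for real with APPLY=1.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

hairpin_nat_rules() {
    # 1. DNAT: LAN -> ext_ip:7777 becomes LAN -> computer1:7777. Restricting to
    #    -s LAN_NET keeps the real external traffic on its normal path.
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -d "$EXT_IP" \
        -p tcp --dport "$PORT" -j DNAT --to-destination "$SERVER:$PORT"
    # 2. MASQUERADE the same flow on the way out. Without it computer1 answers
    #    computerN directly on the LAN, the client sees a reply from 192.168.1.10
    #    instead of ext_ip and resets the connection. POSTROUTING sees the
    #    already-DNATed destination, hence -d SERVER here.
    run iptables -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$SERVER" \
        -p tcp --dport "$PORT" -j MASQUERADE
    # 3. The hairpinned flow enters and leaves on the same interface. Accept only
    #    this port and its replies rather than opening FORWARD for the whole LAN.
    run iptables -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -d "$SERVER" \
        -p tcp --dport "$PORT" -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$SERVER" \
        -p tcp --sport "$PORT" -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

hairpin_nat_rules
```

Because the MASQUERADE hides the client address, computer1's logs for port 7777 will show the firewall's LAN address for every internal client; if per-client visibility matters, log the DNAT rule on the firewall instead.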