DNAT and MASQUERADE

Erez D erez0001 at gmail.com
Tue Jan 20 13:26:33 IST 2015


On Thu, Jan 8, 2015 at 11:02 PM, shimi <linux-il at shimi.net> wrote:

>
> On Thu, Jan 8, 2015 at 10:43 AM, Erez D <erez0001 at gmail.com> wrote:
>
>>
>>
>> On Wed, Jan 7, 2015 at 11:41 AM, shimi <linux-il at shimi.net> wrote:
>>
>>>
>>>
>>> On Wed, Jan 7, 2015 at 11:35 AM, shimi <linux-il at shimi.net> wrote:
>>>
>>>>
>>>>
>>>> On Wed, Jan 7, 2015 at 10:16 AM, Erez D <erez0001 at gmail.com> wrote:
>>>>
>>>>> hello.
>>>>>
>>>>> I have an iptables question.
>>>>>
>>>>> I have the following:
>>>>>
>>>>> ext_ip -> NAT1 -> linux firewall -> network -> computer1:eth0 ..
>>>>> computer99
>>>>>
>>>>> I have no control over NAT1.
>>>>> computer1 can also reach the internet via eth1.
>>>>>
>>>>> The linux firewall redirects incoming port 7777 from ext_ip to computer1;
>>>>> however, I need computer2 .. computer99 to connect to ext_ip:7777 and
>>>>> also reach computer1.
>>>>>
>>>>> So first I did a NAT rule in the linux firewall to redirect all packets
>>>>> from internal to ext_ip:7777 to computer1, and did an 'ifconfig eth0:1
>>>>> $ext_ip up' on computer1.
>>>>> This works. However, it causes computer1 not to be able to access the real
>>>>> ext_ip via eth1, which is connected to the internet as well.
>>>>>
>>>>> So I thought of doing both DNAT and MASQ, which will do the same but
>>>>> will not require assigning ext_ip to computer1.
>>>>> However, I do not know how to do that.
>>>>>
>>>>>
>>>> If computer1 can access ext_ip:7777, all you need is to allow
>>>> ip_forward (/etc/sysctl.conf for permanent, and echo 1 >
>>>> /proc/sys/net/ipv4/ip_forward) on computer1, and have all other computers
>>>> have a static route to ext_ip via computer1.
>>>>
>>>> Then, on computer1,
>>>>
>>>> iptables -t nat -I POSTROUTING -o <interface going towards ext_ip> -s <subnet of
>>>> computers/netmask> -p tcp --dport 7777 -j MASQUERADE
>>>>
>>>> should do...
>>>>
>>>> (of course, assuming the iptables FORWARD chain is not dropping those
>>>> packets; otherwise you'd need an ACCEPT rule there, too...)
>>>>
>>>> HTH,
>>>>
>>>> -- Shimi
>>>>
>>>>
>>> And on a second read, I think I got you wrong and the purpose was to
>>> access computer1 port 7777 (hopefully listening on 0.0.0.0) from computersN
>>> by using the external IP from the inside?
>>>
>> yes
>>
>>>
>> computerN's default route is the linux firewall. Without any rules on the
>> linux firewall, it will forward packets from computer1 destined to ext_ip
>> to NAT1, and they will not reach computer1 at all, so rules on computer1
>> are useless.
>>
>>
>> Doing a DNAT on the linux firewall will direct the packets to computer1;
>> however, computer1 will know computerN and will reply directly without going
>> through the linux firewall, and computer1 will not match the packets to the
>> original connection.
>>
>
> But if you create a static route on computerN towards the external IP via
> computer1 like I suggested, then these connections will not get to the linux
> firewall at all, but rather get to computer1 (I'm assuming they're on the
> same L2 and share IP addresses in the same IP subnet) - so rules on
> computer1 will apply, wouldn't they?
>
> What am I missing?
>
1. This means that I need to put static routes on computerN, which is
computer2 .. computer99, some of which are linux, some windows, some android,
some iphone, etc ...
The same thing can be achieved by adding a static route on the linux firewall to
do the same.
2. computer1 will receive packets destined to ext_ip, so they will be
ignored.

>
> -- Shimi
>
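The DNAT-plus-MASQUERADE pair the question asks for, as an added example that is not part of the original thread: a "hairpin NAT" on the linux firewall itself, so nothing has to change on computer2 .. computer99 and computer1 keeps only its own address. The PREROUTING DNAT rewrites the destination before forwarding, so computer1 receives packets addressed to itself rather than to ext_ip (objection 2 above); the POSTROUTING MASQUERADE, restricted with `--ctstate DNAT` to connections that were just rewritten, makes computer1 answer the firewall instead of computerN, so the reply passes back through conntrack and the DNAT is reversed (objection 1 above). The interface name, subnet, addresses and port (eth1, 192.168.1.0/24, 203.0.113.10, 192.168.1.10, 7777) are assumed placeholders, as is the assumption that ip_forward is already enabled on the firewall. By default the script only prints the commands; `APPLY=1` executes them, which needs root.

```shell
#!/bin/bash
# Hairpin NAT (NAT reflection) for the setup in the thread. Example code, not
# from the original post. Assumed names: EXT_IP, LAN_IF, LAN_NET, SERVER, PORT.

hairpin_rules() {
    local ext_ip="$1" lan_if="$2" lan_net="$3" server="$4" port="$5"
    local ipt="iptables"

    # 1. Internal clients talking to ext_ip:port are redirected to computer1
    #    before routing, so the packet never leaves towards NAT1. Matching on
    #    -i/-s keeps the hairpin reachable from the LAN only.
    echo "$ipt -t nat -A PREROUTING -i $lan_if -s $lan_net -d $ext_ip -p tcp --dport $port -j DNAT --to-destination $server:$port"

    # 2. Only connections that were DNATed in step 1 get their source rewritten
    #    to the firewall's LAN address. Without this, computer1 (same subnet as
    #    the client) replies directly, the reply bypasses the firewall, the
    #    DNAT is never undone and the client sees a SYN-ACK from the wrong IP.
    #    Caveat: computer1 now logs every hairpinned client as the firewall.
    echo "$ipt -t nat -A POSTROUTING -o $lan_if -s $lan_net -d $server -p tcp --dport $port -m conntrack --ctstate DNAT -j MASQUERADE"

    # 3. The forwarded packets enter and leave on the same interface; allow
    #    them in both directions in case FORWARD's policy is DROP.
    echo "$ipt -A FORWARD -i $lan_if -o $lan_if -d $server -p tcp --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "$ipt -A FORWARD -i $lan_if -o $lan_if -s $server -p tcp --sport $port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

main() {
    # Constructed sample values; override via the environment for a real box.
    local rules
    rules=$(hairpin_rules "${EXT_IP:-203.0.113.10}" "${LAN_IF:-eth1}" \
                          "${LAN_NET:-192.168.1.0/24}" "${SERVER:-192.168.1.10}" \
                          "${PORT:-7777}")
    if [ "${APPLY:-0}" = 1 ]; then
        # Execute each generated rule (requires root and the conntrack match).
        printf '%s\n' "$rules" | while IFS= read -r cmd; do eval "$cmd"; done
    else
        printf '%s\n' "$rules"
    fi
}

main
```

The existing external forward (PREROUTING on the interface facing NAT1, `--dport 7777 -j DNAT --to-destination computer1`) stays as it is; the rules above only cover the inside-to-ext_ip case. If computer1 needs the real client address (for logging or IP-based access control), the MASQUERADE has to go and the firewall must instead be put in the return path another way, which is exactly the static-route trade-off discussed above.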