DNAT and MASQUERADE
E.S. Rosenberg
esr+linux-il at g.jct.ac.il
Mon Jan 12 20:50:22 IST 2015
Alternatively you could also have a local dns/local hosts entries that
point computerN at computer_1 when they are looking up whatever hostname is
resolving to ext_ip....
If they are on the same LAN all normal (sane) security policy will cause
the drop of their packets when they are trying to reach ext_ip from inside
the network that has ext_ip and you need to bend over backwards to get them
accepted..
2015-01-08 23:02 GMT+02:00 shimi <linux-il at shimi.net>:
>
> On Thu, Jan 8, 2015 at 10:43 AM, Erez D <erez0001 at gmail.com> wrote:
>
>>
>>
>> On Wed, Jan 7, 2015 at 11:41 AM, shimi <linux-il at shimi.net> wrote:
>>
>>>
>>>
>>> On Wed, Jan 7, 2015 at 11:35 AM, shimi <linux-il at shimi.net> wrote:
>>>
>>>>
>>>>
>>>> On Wed, Jan 7, 2015 at 10:16 AM, Erez D <erez0001 at gmail.com> wrote:
>>>>
>>>>> hello.
>>>>>
>>>>> I have an iptables question
>>>>>
>>>>> i have the following
>>>>>
>>>>> ext_ip -> NAT1 -> linux firewall-> network -> computer1:eth0 ..
>>>>> computer99
>>>>>
>>>>> i have no control over NAT1.
>>>>> computer1 also can reach the internet via eth1.
>>>>>
>>>>> linux firewall redirects incoming port 7777 from ext_ip to computer1
>>>>> however i need coputer2 .. computer99 to connect to ext_ip:7777 and
>>>>> also reach computer1
>>>>>
>>>>> so first i did a NAT rule in linux firewall to redirect all packets
>>>>> from internal to ext_ip:7777 to computer1. and did an 'ifconfig eth0:1
>>>>> $ext_ip up' on computer1.
>>>>> this works. however it causes computer1 not to be able to access real
>>>>> ext_ip via eth1 which is connected to the internet as well
>>>>>
>>>>> so i though of both doing DNAT and MASQ, which will do the same but
>>>>> will not require assiging ext_ip to computer1.
>>>>> howerver i do not know how to do that
>>>>>
>>>>>
>>>> If computer1 can access ext_ip:7777, all you need is to allow
>>>> ip_forward (/etc/sysctl.conf for permanent, and echo 1 >
>>>> /proc/sys/net/ipv4/ip_forward) on computer1, and have all other computers
>>>> have a static route to ext_ip via computer1
>>>>
>>>> Then, in computer1,
>>>>
>>>> iptables -t nat -I POSTROUTING -o <interface going towards ext_ip> [ -i
>>>> <interface subnet of computers come from> ] -s <subnet of
>>>> computers/netmask> -p tcp --dport 7777 -j MASQUERADE
>>>>
>>>> should do...
>>>>
>>>> (of course, assuming the iptables FORWARD chain is not dropping those
>>>> packets; otherwise you'ld need an ACCEPT rule there, too...)
>>>>
>>>> HTH,
>>>>
>>>> -- Shimi
>>>>
>>>>
>>> And on a second read, I think I got you wrong and the purpose was to
>>> access computer1 port 7777 (hopefully listening on 0.0.0.0) from computersN
>>> by using the external IP from the inside?
>>>
>> yes
>>
>>>
>>> couputerN default route is the linux firewall. without any rules on
>> linux firewall, it will forward packets from computer1 destined to ext_ip
>> to NAT1. and they will not reach computer1 att all, so rules on computer 1
>> are useless.
>>
>>
>> Doing a DNAT on linux firewall will direct the packets to computer1,
>> however computer 1 will know comuterN and will reply directly without going
>> through linux firewall, and computer1 will not match the packets to the
>> original connection.
>>
>
> But if you create a static route on computerN towards the external IP via
> computer1 like I suggested, then these connections will not get to linux
> firewall at all, rather then get to computer1 (I'm assuming they're on the
> same L2 and share IP addresses in the same IP subnet) - so rules on
> computer1 will apply, wouldn't they?
>
> What am I missing?
>
> -- Shimi
>
> _______________________________________________
> Linux-il mailing list
> Linux-il at cs.huji.ac.il
> http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.cs.huji.ac.il/pipermail/linux-il/attachments/20150112/e39b5458/attachment-0001.html>
More information about the Linux-il
mailing list