DNAT and MASQUERADE
Erez D
erez0001 at gmail.com
Tue Jan 20 13:28:10 IST 2015
On Mon, Jan 12, 2015 at 8:50 PM, E.S. Rosenberg <esr+linux-il at g.jct.ac.il>
wrote:
> Alternatively you could also have a local dns/local hosts entries that
> point computerN at computer_1 when they are looking up whatever hostname is
> resolving to ext_ip....
>
nice idea. but i'm not using DNS for that. also it will cause all access to
ext_ip to go to computer1 (i may want to forward some ports to computer1
and some to other computers)
>
> If they are on the same LAN all normal (sane) security policy will cause
> the drop of their packets when they are trying to reach ext_ip from inside
> the network that has ext_ip and you need to bend over backwards to get them
> accepted..
>
> 2015-01-08 23:02 GMT+02:00 shimi <linux-il at shimi.net>:
>
>>
>> On Thu, Jan 8, 2015 at 10:43 AM, Erez D <erez0001 at gmail.com> wrote:
>>
>>>
>>>
>>> On Wed, Jan 7, 2015 at 11:41 AM, shimi <linux-il at shimi.net> wrote:
>>>
>>>>
>>>>
>>>> On Wed, Jan 7, 2015 at 11:35 AM, shimi <linux-il at shimi.net> wrote:
>>>>
>>>>>
>>>>>
>>>>> On Wed, Jan 7, 2015 at 10:16 AM, Erez D <erez0001 at gmail.com> wrote:
>>>>>
>>>>>> hello.
>>>>>>
>>>>>> I have an iptables question
>>>>>>
>>>>>> i have the following
>>>>>>
>>>>>> ext_ip -> NAT1 -> linux firewall-> network -> computer1:eth0 ..
>>>>>> computer99
>>>>>>
>>>>>> i have no control over NAT1.
>>>>>> computer1 also can reach the internet via eth1.
>>>>>>
>>>>>> linux firewall redirects incoming port 7777 from ext_ip to computer1
>>>>>> however i need computer2 .. computer99 to connect to ext_ip:7777 and
>>>>>> also reach computer1
>>>>>>
>>>>>> so first i did a NAT rule in linux firewall to redirect all packets
>>>>>> from internal to ext_ip:7777 to computer1. and did an 'ifconfig eth0:1
>>>>>> $ext_ip up' on computer1.
>>>>>> this works. however it causes computer1 not to be able to access real
>>>>>> ext_ip via eth1 which is connected to the internet as well
>>>>>>
>>>>>> so i thought of doing both DNAT and MASQ, which will do the same but
>>>>>> will not require assigning ext_ip to computer1.
>>>>>> however i do not know how to do that
>>>>>>
>>>>>>
>>>>> If computer1 can access ext_ip:7777, all you need is to allow
>>>>> ip_forward (/etc/sysctl.conf for permanent, and echo 1 >
>>>>> /proc/sys/net/ipv4/ip_forward) on computer1, and have all other computers
>>>>> have a static route to ext_ip via computer1
>>>>>
>>>>> Then, in computer1,
>>>>>
>>>>> iptables -t nat -I POSTROUTING -o <interface going towards ext_ip> [
>>>>> -i <interface subnet of computers come from> ] -s <subnet of
>>>>> computers/netmask> -p tcp --dport 7777 -j MASQUERADE
>>>>>
>>>>> should do...
>>>>>
>>>>> (of course, assuming the iptables FORWARD chain is not dropping those
>>>>> packets; otherwise you'd need an ACCEPT rule there, too...)
>>>>>
>>>>> HTH,
>>>>>
>>>>> -- Shimi
>>>>>
>>>>>
>>>> And on a second read, I think I got you wrong and the purpose was to
>>>> access computer1 port 7777 (hopefully listening on 0.0.0.0) from computersN
>>>> by using the external IP from the inside?
>>>>
>>> yes
>>>
>>>>
>>> computerN default route is the linux firewall. without any rules on
>>> linux firewall, it will forward packets from computer1 destined to ext_ip
>>> to NAT1. and they will not reach computer1 at all, so rules on computer 1
>>> are useless.
>>>
>>>
>>> Doing a DNAT on linux firewall will direct the packets to computer1,
>>> however computer 1 will know computerN and will reply directly without going
>>> through linux firewall, and computer1 will not match the packets to the
>>> original connection.
>>>
>>
>> But if you create a static route on computerN towards the external IP via
>> computer1 like I suggested, then these connections will not get to linux
>> firewall at all, rather than get to computer1 (I'm assuming they're on the
>> same L2 and share IP addresses in the same IP subnet) - so rules on
>> computer1 will apply, wouldn't they?
>>
>> What am I missing?
>>
>> -- Shimi
>>
>> _______________________________________________
>> Linux-il mailing list
>> Linux-il at cs.huji.ac.il
>> http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
>>
>>
>
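The DNAT-plus-MASQUERADE hairpin that Erez asks about (a rule pair on the Linux firewall, so that computerN reaching ext_ip:7777 lands on computer1 while computer1's replies are forced back through the firewall instead of going straight to computerN) looks like the script below. This is an added example, not code from the thread or from any poster; the interface name, subnet, ext_ip, port and computer1 address are constructed placeholders, and the `APPLY` switch, `hairpin_nat_rules`, `apply_rules` and `rule_count` are names chosen here.

```shell
#!/bin/sh
# Hairpin NAT on the Linux firewall for the setup described in the thread:
# computerN -> ext_ip:7777 must be delivered to computer1, and computer1's
# replies must return via the firewall so conntrack can undo both rewrites.
# Added example, not from the thread; every address and interface name below
# is a constructed placeholder. With APPLY=1 (as root) the rules are installed;
# otherwise the script only prints them.

# Print the rule set for one hairpinned TCP port.
#   $1 LAN interface of the firewall (computerN and computer1 sit behind it)
#   $2 LAN subnet in CIDR notation
#   $3 ext_ip, the public address that NAT1 exposes
#   $4 TCP port being forwarded
#   $5 LAN address of computer1
#
# PREROUTING DNAT rewrites the destination before routing, so the packet is
# routed back out the LAN interface instead of towards NAT1.
# POSTROUTING MASQUERADE rewrites the source to the firewall's LAN address,
# so computer1 answers the firewall rather than computerN directly (the
# asymmetric-reply problem described in the thread).
# Both FORWARD rules are needed because the packet enters and leaves on the
# same interface, which a strict FORWARD policy usually drops.
hairpin_nat_rules() {
    lan_if=$1; lan_net=$2; ext_ip=$3; port=$4; target=$5
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $lan_if -s $lan_net -d $ext_ip -p tcp --dport $port -j DNAT --to-destination $target:$port
iptables -t nat -A POSTROUTING -o $lan_if -s $lan_net -d $target -p tcp --dport $port -j MASQUERADE
iptables -A FORWARD -i $lan_if -o $lan_if -s $lan_net -d $target -p tcp --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $lan_if -o $lan_if -s $target -p tcp --sport $port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Execute each generated command (needs root); stops at the first failure.
apply_rules() {
    hairpin_nat_rules "$@" | while IFS= read -r cmd; do
        printf '+ %s\n' "$cmd"
        sh -c "$cmd" || exit 1
    done
}

# Number of iptables rules the generator emits, for a quick sanity check.
rule_count() {
    hairpin_nat_rules "$@" | grep -c '^iptables'
}

# Constructed sample values; override via the environment.
LAN_IF=${LAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
EXT_IP=${EXT_IP:-203.0.113.10}
PORT=${PORT:-7777}
COMPUTER1=${COMPUTER1:-192.168.1.11}

if [ "${APPLY:-0}" = 1 ]; then
    apply_rules "$LAN_IF" "$LAN_NET" "$EXT_IP" "$PORT" "$COMPUTER1"
else
    hairpin_nat_rules "$LAN_IF" "$LAN_NET" "$EXT_IP" "$PORT" "$COMPUTER1"
fi
```

Because the rules only match traffic that transits the firewall, computer1's own path to the real ext_ip over eth1 is untouched, which is what the eth0:1 alias approach broke. The trade-off of the MASQUERADE leg is that computer1 sees every hairpinned connection as coming from the firewall's LAN address, so its service logs no longer show which computerN connected; that mapping survives only in the firewall's conntrack table (`conntrack -L` or `/proc/net/nf_conntrack`). If the original client address matters on computer1, the static-route approach Shimi describes keeps it intact.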