1-1 nat on IP other than external address. iptables CentOS
Here is the way I would like to set up my CentOS server (IP addresses changed):

eth0 connects to the Internet with IP address 1.1.1.1/24
eth1 connects to the LAN with IP address 192.168.1.1

I flushed all the tables, removed all chains and started fresh with this:

iptables -A FORWARD -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 1.1.1.1

Everything browses out fine. I want to add a server on the LAN subnet, for which I want 1-1 NAT:

LAN IP: 192.168.1.2
NAT IP: 1.1.1.2

I added this:

iptables -t nat -A PREROUTING -d 1.1.1.2 -i eth0 -j DNAT --to-destination 192.168.1.2
iptables -t nat -I POSTROUTING 1 -s 192.168.1.2 -o eth0 -j SNAT --to-source 1.1.1.2

Everything still browses out except 1.1.1.2, which doesn't. When I ping an outside address from the 192.168.1.2 server, the POSTROUTING SNAT access list packet counts increment; the PREROUTING DNAT access list packet counts do not increment.

*filter
:INPUT ACCEPT [128:23940]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [27:1080]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 1.1.1.2 -i eth0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Fri Apr 15 05:34:52 2011
# Generated by iptables-save v1.3.5 on Fri Apr 15 05:34:52 2011
*mangle
:PREROUTING ACCEPT [143827:69012084]
:INPUT ACCEPT [63978:16601117]
:FORWARD ACCEPT [79849:52410967]
:OUTPUT ACCEPT [74039:9730318]
:POSTROUTING ACCEPT [153724:62134477]
COMMIT
# Completed on Fri Apr 15 05:34:52 2011
# Generated by iptables-save v1.3.5 on Fri Apr 15 05:34:52 2011
*nat
:PREROUTING ACCEPT [7725:676768]
:POSTROUTING ACCEPT [2439:147630]
:OUTPUT ACCEPT [11673:780215]
-A PREROUTING -d 1.1.1.2 -i eth0 -j DNAT --to-destination 192.168.1.2
-A POSTROUTING -s 192.168.1.2 -o eth0 -j SNAT --to-source 1.1.1.2
-A POSTROUTING -o eth0 -j SNAT --to-source 1.1.1.1
COMMIT
Only the first packet of a masqueraded / nat'd connection seems to trigger rules in iptables. If your connections for 192.168.1.2 are all outbound, you only need the SNAT rule and you will see only one increment per connection attempt. Connections initiated inbound for 1.1.1.2 will trigger the DNAT rule in a similar way.
still not working
The problem remains that the server at 192.168.1.2 isn't able to browse out. I moved the FORWARD rule for traffic from anywhere to the 1.1.1.2 address to the top of the list and it still doesn't record any inbound connections. I do this all the time with Cisco (ip nat static) and SonicWALL. I need to know how to make this work. Any help?
SNAT to unused external IP address
I found the following information here: http://www.netfilter.org/documentati.../NAT-HOWTO.txt

"If you are doing SNAT onto an unused address on the local LAN (for example, you're mapping onto 1.2.3.99, a free IP on your 1.2.3.0/24 network), your NAT box will need to respond to ARP requests for that address as well as its own: the easiest way to do this is create an IP alias, e.g.:

# ip address add 1.2.3.99 dev eth0"

With this entry I was able to add this line to iptables and I was able to access the server on the new IP address:

iptables -t nat -A PREROUTING -i eth0 -d 1.1.1.2 -j DNAT --to-destination 192.168.1.2

I also found a reference to the command here: http://linux-ip.net/html/tools-ip-address.html, which recommended this command:

ip address add <ip>/<mask> brd + dev eth0 (ip address add 1.1.1.2/28 brd + dev eth0)

Anyone know how to make that entry permanent after reboot?
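The whole setup from this thread, pulled together as an added example (my script, not the poster's or the NAT-HOWTO's): the IP alias so the router answers ARP for the public address, the DNAT/SNAT pair with the host-specific SNAT ahead of the catch-all, and FORWARD rules that match the post-DNAT address. The interface names, addresses and /24 prefix are the thread's values and are assumptions. One detail the dump above makes visible: a filter rule such as "-A FORWARD -d 1.1.1.2 -i eth0 -j ACCEPT" can never match, because the FORWARD chain runs after nat PREROUTING has already rewritten the destination to 192.168.1.2. The script prints the commands by default and only executes them with --apply, so the rule set can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the thread: one-to-one NAT for one LAN host on a
# CentOS iptables router. Interface names, addresses and the /24 prefix are
# the thread's values and are assumptions; adjust them to the real network.
EXT_IF=eth0
EXT_IP=1.1.1.1
EXT_PREFIX=24
LAN_IF=eth1
PUB_IP=1.1.1.2        # public address mapped 1:1
LAN_HOST=192.168.1.2  # LAN host that owns it

# Print the commands in the order they must run, instead of executing them,
# so the rule set can be reviewed (or tested) without root or netfilter.
gen_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# start from a clean rule set, as the poster did
iptables -F
iptables -t nat -F
# the router must answer ARP for the public address, hence the alias
ip address add ${PUB_IP}/${EXT_PREFIX} brd + dev ${EXT_IF}
# inbound: rewrite the public destination to the LAN host
iptables -t nat -A PREROUTING -i ${EXT_IF} -d ${PUB_IP} -j DNAT --to-destination ${LAN_HOST}
# outbound: the host-specific SNAT must be listed before the catch-all SNAT
iptables -t nat -A POSTROUTING -s ${LAN_HOST} -o ${EXT_IF} -j SNAT --to-source ${PUB_IP}
iptables -t nat -A POSTROUTING -o ${EXT_IF} -j SNAT --to-source ${EXT_IP}
# forward only what is listed; filter sees addresses after DNAT, so match
# ${LAN_HOST} here, never ${PUB_IP}
iptables -P FORWARD DROP
iptables -A FORWARD -i ${LAN_IF} -o ${EXT_IF} -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ${EXT_IF} -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ${EXT_IF} -o ${LAN_IF} -d ${LAN_HOST} -p tcp --dport 80 -m state --state NEW -j ACCEPT
EOF
}

# Sanity check: the host-specific SNAT must come before the catch-all one,
# otherwise the LAN host leaves as EXT_IP and its replies never map back.
rule_order_ok() {
    gen_rules | awk -v spec="SNAT --to-source ${PUB_IP}\$" \
                    -v gen="SNAT --to-source ${EXT_IP}\$" '
        !s && $0 ~ spec { s = NR }
        !g && $0 ~ gen  { g = NR }
        END { exit !(s && g && s < g) }'
}

apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    gen_rules | sh -e
    # On CentOS, 'service iptables save' then writes the nat and filter rules
    # to /etc/sysconfig/iptables so they survive a reboot (the alias does not;
    # see the ifcfg approach later in the thread).
}

case "${1:-}" in
    --apply) apply_rules ;;
    *) if rule_order_ok; then gen_rules; else echo "SNAT rules out of order" >&2; fi ;;
esac
```

After applying, "iptables -t nat -L -v -n" shows the DNAT counter moving only on the first packet of each new inbound connection to 1.1.1.2, which is the behaviour described earlier in the thread; later packets of the same connection are handled by conntrack without revisiting the nat rules.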
to make the additional address permanent on centos or red hat / fedora
Look in /etc/sysconfig/network-scripts.

Copy ifcfg-eth0 to ifcfg-eth0:1 (this will bring along the MAC address line, which is used to keep the interface names from jumping from card to card on some hardware).

Edit ifcfg-eth0:1: change the DEVICE= line to reflect the new interface name (eth0:1), and change the IPADDR= and related lines as required.

This is a slightly different approach than the newer 'ip addr ...' method, but I know it works.

Run 'service network restart'.
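The copy-and-edit steps in this answer, scripted as an added example (mine, not the answerer's). The paths, the alias name eth0:1 and the addresses are assumptions taken from this thread, and the ifcfg-eth0 used in the demonstration is constructed, not a real system file. Beyond the answer's own case, it also handles an eth0 that was configured by DHCP and therefore has no IPADDR= or NETMASK= lines to rewrite.

```shell
#!/bin/sh
# Added example, not from the thread: build ifcfg-eth0:1 from ifcfg-eth0 so the
# secondary public address survives a reboot on CentOS / RHEL. Paths, the alias
# name and the addresses are assumptions taken from this thread.

# make_alias_cfg SRC DST ALIAS_DEV IP NETMASK
# Copy SRC to DST, rewriting DEVICE=, IPADDR=, NETMASK= and BOOTPROTO=. Every
# other line (HWADDR=, ONBOOT=, ...) is carried over unchanged, as the answer
# describes.
make_alias_cfg() {
    src=$1; dst=$2; dev=$3; ip=$4; mask=$5
    [ -r "$src" ] || { echo "make_alias_cfg: cannot read $src" >&2; return 1; }
    sed -e "s/^DEVICE=.*/DEVICE=$dev/" \
        -e "s/^IPADDR=.*/IPADDR=$ip/" \
        -e "s/^NETMASK=.*/NETMASK=$mask/" \
        -e "s/^BOOTPROTO=.*/BOOTPROTO=static/" \
        "$src" > "$dst"
    # A DHCP-configured eth0 has no IPADDR/NETMASK lines to rewrite; the alias
    # still needs them, so append whatever is missing.
    grep -q '^IPADDR='  "$dst" || echo "IPADDR=$ip"    >> "$dst"
    grep -q '^NETMASK=' "$dst" || echo "NETMASK=$mask" >> "$dst"
}

# Read one KEY= value back out of an ifcfg file: cfg_value FILE KEY
cfg_value() {
    sed -n "s/^$2=//p" "$1"
}

# Self-contained demonstration on a constructed ifcfg-eth0 in a scratch
# directory (not a real system file); prints the path of the generated file.
demo_alias_cfg() {
    d=$(mktemp -d)
    cat > "$d/ifcfg-eth0" <<'EOF'
DEVICE=eth0
BOOTPROTO=static
HWADDR=00:11:22:33:44:55
IPADDR=1.1.1.1
NETMASK=255.255.255.0
GATEWAY=1.1.1.254
ONBOOT=yes
EOF
    make_alias_cfg "$d/ifcfg-eth0" "$d/ifcfg-eth0:1" eth0:1 1.1.1.2 255.255.255.0
    echo "$d/ifcfg-eth0:1"
}

# Real use (as root):
#   make_alias_cfg /etc/sysconfig/network-scripts/ifcfg-eth0 \
#                  /etc/sysconfig/network-scripts/ifcfg-eth0:1 eth0:1 1.1.1.2 255.255.255.0
# followed by 'service network restart' (or 'ifup eth0:1').
if [ "$#" -eq 5 ]; then
    make_alias_cfg "$@"
else
    cat "$(demo_alias_cfg)"
fi
```

Check the result with "ip -4 address show dev eth0" after the restart: the alias address should be listed as a second address on eth0, which is exactly what lets the box answer ARP for 1.1.1.2.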
Also, the 1.1.1.2 DNAT rule should only affect inbound connections and not the browsing out.