LinuxQuestions.org

Linux - Networking: 1-1 nat on IP other than external address. iptables CentOS (https://www.linuxquestions.org/questions/linux-networking-3/1-1-nat-on-ip-other-than-external-address-iptables-centos-875132/)

crwdawg 04-15-2011 04:42 AM

1-1 nat on IP other than external address. iptables CentOS
 
Here is the way I would like to set up my CentOS server (IP addresses changed):
eth0 connects to Internet with IP address 1.1.1.1/24
eth1 connects to LAN with IP address 192.168.1.1

I flushed all the tables, removed all chains and started fresh with this:
iptables -A FORWARD -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 1.1.1.1

Everything browsing out fine.

I want to add a server on the LAN subnet, and I want 1-1 NAT for its IP address:
LAN IP: 192.168.1.2
NAT IP: 1.1.1.2

I added this:
iptables -t nat -A PREROUTING -d 1.1.1.2 -i eth0 -j DNAT --to-destination 192.168.1.2
iptables -t nat -I POSTROUTING 1 -s 192.168.1.2 -o eth0 -j SNAT --to-source 1.1.1.2

Everything still browses out except 1.1.1.2, which doesn't.

When I ping an outside address from the 192.168.1.2 server, the POSTROUTING SNAT access list packet counts increment, but the PREROUTING DNAT access list packet counts do not increment.

*filter
:INPUT ACCEPT [128:23940]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [27:1080]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 1.1.1.2 -i eth0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Fri Apr 15 05:34:52 2011
# Generated by iptables-save v1.3.5 on Fri Apr 15 05:34:52 2011
*mangle
:PREROUTING ACCEPT [143827:69012084]
:INPUT ACCEPT [63978:16601117]
:FORWARD ACCEPT [79849:52410967]
:OUTPUT ACCEPT [74039:9730318]
:POSTROUTING ACCEPT [153724:62134477]
COMMIT
# Completed on Fri Apr 15 05:34:52 2011
# Generated by iptables-save v1.3.5 on Fri Apr 15 05:34:52 2011
*nat
:PREROUTING ACCEPT [7725:676768]
:POSTROUTING ACCEPT [2439:147630]
:OUTPUT ACCEPT [11673:780215]
-A PREROUTING -d 1.1.1.2 -i eth0 -j DNAT --to-destination 192.168.1.2
-A POSTROUTING -s 192.168.1.2 -o eth0 -j SNAT --to-source 1.1.1.2
-A POSTROUTING -o eth0 -j SNAT --to-source 1.1.1.1
COMMIT
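An added example (not from the thread) that parses an iptables-save dump like the one above and flags the 1:1 NAT pitfalls discussed here: a missing DNAT, the host SNAT ordered after the catch-all SNAT, and a FORWARD rule written against the public address, which never matches because nat PREROUTING rewrites the destination before filter FORWARD runs. The sample dump is constructed from the poster's rules; the function names are my own.

```python
import re

# Constructed from the rules posted in the thread (not a live dump).
SAMPLE_DUMP = """\
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 1.1.1.2 -i eth0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 1.1.1.2 -i eth0 -j DNAT --to-destination 192.168.1.2
-A POSTROUTING -s 192.168.1.2 -o eth0 -j SNAT --to-source 1.1.1.2
-A POSTROUTING -o eth0 -j SNAT --to-source 1.1.1.1
COMMIT
"""

def parse_rules(dump):
    """Return {table: [(chain, rule_text), ...]} from iptables-save output."""
    tables, table = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):            # table header, e.g. *nat
            table = line[1:]
            tables[table] = []
        elif line.startswith("-A ") and table:
            chain, _, rest = line[3:].partition(" ")
            tables[table].append((chain, rest))
    return tables

def option(rule, flag):
    """Value of a single-dash option (-d, -s, -o, ...) or a --long option, else None."""
    m = re.search(r"(?:^|\s)%s (\S+)" % re.escape(flag), rule)
    return m.group(1) if m else None

def check_one_to_one_nat(dump, public_ip, lan_ip, wan_if):
    """Return a list of findings; an empty list means the 1:1 mapping looks consistent."""
    t, findings = parse_rules(dump), []
    nat = t.get("nat", [])
    dnat = [r for c, r in nat if c == "PREROUTING" and option(r, "-d") == public_ip and "-j DNAT" in r]
    if not dnat:
        findings.append("no nat PREROUTING DNAT for %s" % public_ip)
    elif option(dnat[0], "--to-destination") != lan_ip:
        findings.append("DNAT for %s does not map to %s" % (public_ip, lan_ip))
    post = [r for c, r in nat if c == "POSTROUTING" and option(r, "-o") == wan_if and "-j SNAT" in r]
    host = [i for i, r in enumerate(post) if option(r, "-s") == lan_ip]
    catchall = [i for i, r in enumerate(post) if option(r, "-s") is None]
    if not host:
        findings.append("no SNAT for %s" % lan_ip)
    elif catchall and catchall[0] < host[0]:
        findings.append("catch-all SNAT precedes host SNAT: %s would leave as the shared address" % lan_ip)
    # filter FORWARD runs after nat PREROUTING, so it sees the LAN address, never the public one.
    for c, r in t.get("filter", []):
        if c == "FORWARD" and option(r, "-d") == public_ip:
            findings.append("FORWARD rule matches -d %s, which never matches after DNAT; use -d %s" % (public_ip, lan_ip))
    return findings
```

The checker only reads rules; it cannot tell whether the box answers ARP for the public address, which is the separate alias requirement the thread later quotes from the NAT-HOWTO.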

jmajor 04-18-2011 07:11 PM

Only the first packet of a masqueraded / nat'd connection seems to trigger rules in iptables. If your connections for 192.168.1.2 are all outbound, you only need the SNAT rule and you will see only one increment per connection attempt. Connections initiated inbound for 1.1.1.2 will trigger the DNAT rule in a similar way.

crwdawg 04-19-2011 07:09 AM

still not working
 
The problem remains that the server at 192.168.1.2 isn't able to browse out. I moved the FORWARD rule for traffic from anywhere to the 1.1.1.2 address to the top of the list and it still doesn't record any inbound connections. I do this all the time with Cisco (ip nat static) and SonicWALL. I need to know how to make this work. Any help?

crwdawg 04-20-2011 12:05 AM

SNAT to unused external IP address
 
I found the following information here: http://www.netfilter.org/documentati.../NAT-HOWTO.txt

If you are doing SNAT onto an unused address on the local LAN (for
example, you're mapping onto 1.2.3.99, a free IP on your 1.2.3.0/24
network), your NAT box will need to respond to ARP requests for
that address as well as its own: the easiest way to do this is
create an IP alias, e.g.:


# ip address add 1.2.3.99 dev eth0

With this entry I was able to add this line to iptables and access the server on the new IP address:
iptables -t nat -A PREROUTING -i eth0 -d 1.1.1.2 -j DNAT --to-destination 192.168.1.2

I also found reference to the command here: http://linux-ip.net/html/tools-ip-address.html
that recommended this command:
ip address add <ip>/<mask> brd + dev eth0 (ip address add 1.1.1.2/28 brd + dev eth0)

Anyone know how to make that entry permanent after reboot?

jmajor 05-01-2011 09:24 PM

To make the additional address permanent on CentOS or Red Hat / Fedora:

look in /etc/sysconfig/network-scripts
copy ifcfg-eth0 to ifcfg-eth0:1 (this will bring along the MAC address, which is used to keep the interface names from jumping from card to card on some hardware)
edit ifcfg-eth0:1
change the DEVICE= line to reflect the new interface name (eth0:1)
change the IPADDR= and related lines as required.

This is a slightly different approach than the newer 'ip addr ...' method, but I know it works.

run 'service network restart'

jmajor 05-01-2011 09:27 PM

Also, the 1.1.1.2 DNAT rule should only affect inbound connections and not the browsing out.
