Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
I would expect all connections originated from the local box to the
217.118.168.80 redirected to 62.138.116.25, but it does not happen.
curl and tcpdump show that the connections still go to 217.118.168.80, so it looks like the iptables rule does not have any effect... probably I missed some important point?
Your help/suggestions are highly appreciated.
Code:
uname -a
Linux NB0618-L 3.16.0-71-generic #91~14.04.1-Ubuntu SMP Mon Apr 18 19:43:36 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
I am trying to implement destination NAT on a Linux box ...
[...]
I would expect all connections originated from the local box ...
Whups, that is "Source NAT," or SNAT!
Source-NAT is what maps the local-addresses at the source, in the outbound traffic, so that replies can be returned to the same source, "inside."
Destination-NAT is what allows incoming traffic to be delivered to a particular place on the internal network, so that replies can be returned to the same destination, "outside."
When I want everyone in my office to be able to use the Internet, that's SNAT. Traffic can be sent out, and replied-to. But, if I wanted to set up a publicly-accessible web server on one of the office machines, I'd have to set up DNAT rules to allow that external traffic to be properly routed: from the gateway, to my internal server, and back again.
Quote:
Originally Posted by sundialsvcs
Whups, that is "Source NAT," or SNAT!
Destination-NAT is what allows incoming traffic to be delivered to a particular place on the internal network, so that replies can be returned to the same destination, "outside."
so when some particular outside IP is contacted from inside,
I need the destination IP re-written, so that the packets go to a different address.
If I understood your point, it is not DNAT (other direction)...
Could you advise what I actually need for this use case?
I think you got it right from the beginning, after all. But you did append -j ACCEPT at the end, right? It doesn't look as if you did so
iptables has this weird behaviour... it doesn't give an error if you don't use jump or some other directive. It's like a dead rule. It happened to me before, I hope that's the problem and it's easier than expected
I didn't take into consideration one aspect though. The local box has a private network, right? So you still do need SNAT, don't you, in order for the translation of Private IPs to Public IPs to be made?
It's ok, the overloaded snat is performed by the firewall...
I am not sure if I've got your point -- multiple "-j" are not allowed, so
Code:
iptables -t nat -A PREROUTING -d 217.118.168.80 -j DNAT --to-destination 62.138.116.25 -j ACCEPT
would not be accepted, let me try that out:
Code:
iptables -t nat -A PREROUTING -d 217.118.168.80 -j DNAT --to-destination 62.138.116.25 -j ACCEPT
iptables v1.4.21: multiple -j flags not allowed
Try `iptables -h' or 'iptables --help' for more information.
Outside network -> Your Network = DNAT
Your network -> Outside network = SNAT or MASQ
Example:
Code:
iptables -t nat -A PREROUTING -i <external interface> -d <outside ip address> -j DNAT --to-destination <inside ip address>
iptables -A FORWARD -i <external interface> -d <inside ip address> -j ACCEPT
iptables -t nat -A POSTROUTING -o <external interface> -j MASQUERADE
I always place the interface in my rules so that the rule is only applied to the interface it needs to be.
When you do not supply an interface the rule is applied to all interfaces.
Yes, it obviously doesn't work. I simply mixed things up altogether.
I was wondering what the nat OUTPUT chain was there for
I still don't see how it works if you do a SNAT in POSTROUTING, though. I mean, I don't understand the logic. POSTROUTING is the last chain, you wouldn't be able to change anything afterwards, so I don't understand how this actually works, given that OUTPUT precedes POSTROUTING, and SNAT means that you jump directly to POSTROUTING.
Not sure if this is directed towards myself or not.
In any part of that path you can change anything you want. The only thing you would not want to change in POSTROUTING is the destination address, as you have already passed the part that makes the routing decisions.
As to SNAT, you can do that in either the OUTPUT or the POSTROUTING chain.
It is the same with DNAT, you can do that in either the PREROUTING or the INPUT chain.
Well, that's exactly what I was talking about when I said that in the POSTROUTING chain you cannot change anything. I was referring to this context, and obviously, to the destination address.
So you've got SNAT for the private-to-public translation, and then you've got DNAT, to redirect packets to a different destination.
But if you use SNAT, you use the POSTROUTING chain, don't you? So then how do you change the destination of the packets?
Ok, only now did I understand what you were trying to do. So you were actually interested in redirecting all the IPs originating from the computer you're applying iptables to, to a different destination, based on the initial packet destination. I thought you were actually trying to apply the rule to your private IPs on your LAN. I thought you were using your Linux machine as a router (or maybe you do, but that's irrelevant in this case).
So your discovery is exactly what you needed, indeed.
But what I thought you were trying to do (and also interested me) was routing your lan with SNAT and redirecting all packets with a specific destination to another specific destination. And in order to do that, you simply apply both DNAT and SNAT. SNAT for your LAN, and DNAT for changing the destination. For instance:
@lazydog
I don't think the INPUT chain in the nat table actually exists. So I don't think you can apply either SNAT or DNAT to the INPUT chain. Correct me if I'm wrong.
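The thread never spells out why the original PREROUTING rule is silently ignored for the box's own connections, or how lazydog's DNAT-plus-MASQUERADE pair and the "POSTROUTING comes last" worry fit together. The facts are: a packet generated on the box itself traverses the nat OUTPUT chain, is (re)routed, and then hits nat POSTROUTING; it never passes PREROUTING, which only sees packets arriving on an interface. DNAT is accepted only in PREROUTING and OUTPUT, SNAT only in POSTROUTING and INPUT (the nat INPUT chain exists since kernel 2.6.36), and MASQUERADE only in POSTROUTING, so for locally originated connections the rule the OP wants is `iptables -t nat -A OUTPUT -d 217.118.168.80 -j DNAT --to-destination 62.138.116.25`, and its packet counters in `iptables -t nat -vnL OUTPUT` should climb on the next curl. The Python below is an added model of that hook order, written for this thread and not code from any poster or from the kernel; it runs the OP's rule, the corrected rule and lazydog's forward ruleset through the same traversal, rejects a target in a chain iptables would refuse, and renders each rule as the command that would install it. The interface names, addresses and routing table are invented assumptions that only resemble the thread's setup.

```python
"""Model of the netfilter nat hook order that decides where a NAT rule must live.

Added example for this thread; not kernel code and not any poster's code.
Interfaces, addresses and routes below are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Assumed box: eth0 faces the Internet, eth1 a private LAN (addresses invented).
IFACE_ADDR = {"eth0": "203.0.113.5", "eth1": "192.168.1.1"}
ROUTES = [(ipaddress.ip_network("192.168.1.0/24"), "eth1"),
          (ipaddress.ip_network("0.0.0.0/0"), "eth0")]

# Chains in which iptables accepts each nat target (iptables-extensions(8)).
ALLOWED = {"DNAT": {"PREROUTING", "OUTPUT"},
           "SNAT": {"POSTROUTING", "INPUT"},
           "MASQUERADE": {"POSTROUTING"}}


@dataclass
class Rule:
    chain: str
    target: str
    to: Optional[str] = None         # --to-destination / --to-source
    dst: Optional[str] = None        # -d
    in_iface: Optional[str] = None   # -i
    out_iface: Optional[str] = None  # -o

    def __post_init__(self):
        if self.chain not in ALLOWED[self.target]:
            raise ValueError(f"{self.target} is not valid in nat {self.chain}")

    def as_iptables(self):
        """Render the rule as the iptables command that would install it."""
        opts = [("-i", self.in_iface), ("-o", self.out_iface), ("-d", self.dst)]
        cmd = ["iptables", "-t", "nat", "-A", self.chain]
        cmd += [tok for flag, val in opts if val for tok in (flag, val)]
        cmd += ["-j", self.target]
        if self.to:
            cmd += ["--to-destination" if self.target == "DNAT" else "--to-source", self.to]
        return " ".join(cmd)


@dataclass
class Packet:
    src: str
    dst: str
    in_iface: Optional[str] = None   # None: generated by the box itself
    out_iface: Optional[str] = None
    trace: list = field(default_factory=list)


def route(pkt):
    """Routing decision: deliver locally, or pick the egress interface."""
    if pkt.dst in IFACE_ADDR.values():
        pkt.out_iface = None
        pkt.trace.append("route:local")
    else:
        addr = ipaddress.ip_address(pkt.dst)
        pkt.out_iface = next(ifc for net, ifc in ROUTES if addr in net)
        pkt.trace.append(f"route:{pkt.out_iface}")


def walk_chain(pkt, chain, rules):
    """First matching rule wins, as the nat table does for a new connection."""
    pkt.trace.append(chain)
    for r in rules:
        if r.chain != chain or (r.dst and r.dst != pkt.dst) or \
           (r.in_iface and r.in_iface != pkt.in_iface) or \
           (r.out_iface and r.out_iface != pkt.out_iface):
            continue
        if r.target == "DNAT":
            pkt.dst = r.to
        else:  # SNAT uses --to-source; MASQUERADE the egress interface's address
            pkt.src = r.to if r.target == "SNAT" else IFACE_ADDR[pkt.out_iface]
        pkt.trace.append(f"{r.target}->{r.to or pkt.src}")
        return


def traverse(pkt, rules):
    """Push one packet through the nat hooks in the order the kernel uses."""
    if pkt.in_iface is None:
        route(pkt)                        # locally generated: routed first,
        before = pkt.dst
        walk_chain(pkt, "OUTPUT", rules)  # then nat OUTPUT (never PREROUTING),
        if pkt.dst != before:
            route(pkt)                    # re-routed when OUTPUT changed the dst
    else:
        walk_chain(pkt, "PREROUTING", rules)
        route(pkt)
        if pkt.out_iface is None:         # addressed to the box itself
            walk_chain(pkt, "INPUT", rules)
            return pkt
        pkt.trace.append("FORWARD")
    walk_chain(pkt, "POSTROUTING", rules)
    return pkt


def local_connect(rules, dst="217.118.168.80"):
    """The thread's case: a connection started by the box itself."""
    return traverse(Packet(src=IFACE_ADDR["eth0"], dst=dst), rules)


def lan_connect(rules, dst="217.118.168.80"):
    """A LAN host behind the box connecting out through it."""
    return traverse(Packet(src="192.168.1.20", dst=dst, in_iface="eth1"), rules)
```

Running `local_connect` with the OP's PREROUTING rule leaves the destination untouched and the trace shows no PREROUTING step at all; the same rule moved to OUTPUT rewrites the destination and triggers the re-route. `lan_connect` with the PREROUTING DNAT plus a MASQUERADE in POSTROUTING shows why the pair works: the destination is changed before the routing decision and the source after it, so nothing in POSTROUTING has to touch the destination. Constructing a `Rule("POSTROUTING", "DNAT", ...)` raises, mirroring the error iptables prints for that placement.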