LinuxQuestions.org

Linux - Networking: iptables forward - multiple external to multiple internal
https://www.linuxquestions.org/questions/linux-networking-3/iptables-forward-multiple-external-to-multiple-internal-609518/

astbis 12-27-2007 08:18 PM

iptables forward - multiple external to multiple internal
 
[NOT SOLVED]

Hi

This post is a follow-up on http://www.linuxquestions.org/questi...etwork-608234/ , but since the question can stand on its own, here is a new thread.

I'm trying to route multiple external IPs, configured on a host server, to multiple internal IPs.

Example:
IP 74.74.74.145 to 192.168.2.2
IP 74.74.74.146 to 192.168.2.3
Internal gateway/hostip 192.168.2.1


My problem is that both ext. IPs are pointing to the first internal IP (192.168.2.2). I've found different ways to route between networks, but as far as I can tell they are all based on different interfaces. You can see below in my ifconfig that both external IPs are configured as aliases of the host IP.

I'm stuck now. Any ideas?

astbis



Here my attempt:
Code:

# $IPTABLES and $LOCALIP are set earlier in the poster's script (the iptables
# binary and the host's own address); they are used as-is here.

# Masquerade everything leaving eth0 behind the host IP
$IPTABLES --table nat --append POSTROUTING -o eth0 -j MASQUERADE
# Forward anything that comes in from the VM network
$IPTABLES -A FORWARD --in-interface vmnet1 -j ACCEPT
# Let the VMs reach the host itself
$IPTABLES -A INPUT -i vmnet1 -s 192.168.2.0/24 -d $LOCALIP -j ACCEPT

# Map each alias address to its VM. Note: no input-interface match, so the
# DNAT applies to packets arriving on any interface.
$IPTABLES -t nat -A PREROUTING -d 74.74.74.145 -j DNAT --to-destination 192.168.2.2
$IPTABLES -t nat -A PREROUTING -d 74.74.74.146 -j DNAT --to-destination 192.168.2.3


Ifconfig:
Code:

eth0      Link encap:Ethernet  HWaddr 00:1D:92:39:34:84
          inet addr:{HOSTIP}  Bcast:{HOSTBROADCAST}  Mask:255.255.255.224
          inet6 addr: fe80::21d:92ff:fe39:3484/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:57885 errors:0 dropped:0 overruns:0 frame:0
          TX packets:83088 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6057111 (5.7 Mb)  TX bytes:43827316 (41.7 Mb)
          Interrupt:20 Base address:0x6000

eth0:Emai Link encap:Ethernet  HWaddr 00:1D:92:39:34:84
          inet addr:47.47.47.145  Bcast:47.47.47.151  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:20 Base address:0x6000

eth0:Webs Link encap:Ethernet  HWaddr 00:1D:92:39:34:84
          inet addr:47.47.47.146  Bcast:47.47.47.151  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:20 Base address:0x6000

vmnet1    Link encap:Ethernet  HWaddr 00:50:56:C0:00:01
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:fec0:1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:447 errors:0 dropped:0 overruns:0 frame:0
          TX packets:591 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)


win32sux 12-28-2007 05:31 PM

Here's an example of how you could do it:
Code:

# Real interface names only (taken from the ifconfig output above), never
# alias names such as eth0:Webs
WAN_IFACE=eth0
LAN_IFACE=vmnet1

# Default deny for forwarded traffic
$IPTABLES -P FORWARD DROP

# Per-host forwarding for the two mapped machines. No state match here, so
# NEW inbound connections to the DNAT targets are allowed through.
$IPTABLES -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -d 192.168.2.2 -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -s 192.168.2.2 -j ACCEPT
$IPTABLES -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -d 192.168.2.3 -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -s 192.168.2.3 -j ACCEPT

# Rest of the LAN: only replies in, anything out
$IPTABLES -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -d 192.168.2.0/24 \
-m state --state RELATED,ESTABLISHED -j ACCEPT

$IPTABLES -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -s 192.168.2.0/24 \
-m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

# Inbound: each public alias to its own internal host, only for packets that
# actually arrived on the WAN interface
$IPTABLES -t nat -A PREROUTING -i $WAN_IFACE -d 74.74.74.145 -j DNAT --to-destination 192.168.2.2
$IPTABLES -t nat -A PREROUTING -i $WAN_IFACE -d 74.74.74.146 -j DNAT --to-destination 192.168.2.3

# Outbound: each mapped host leaves with its own alias as source; everything
# else on the LAN falls through to MASQUERADE, which must stay last
$IPTABLES -t nat -A POSTROUTING -o $WAN_IFACE -s 192.168.2.2 -j SNAT --to-source 74.74.74.145
$IPTABLES -t nat -A POSTROUTING -o $WAN_IFACE -s 192.168.2.3 -j SNAT --to-source 74.74.74.146
$IPTABLES -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE

Notice how the MASQUERADE rule is at the *bottom* of the POSTROUTING chain. That way the alias IPs will match their proper SNAT rule before having a chance to match that one. Also, remember that $WAN_IFACE always needs to be the name of the real WAN interface - not an alias name (iptables only cares about real interfaces).

EDIT: These rules will only work on a gateway/firewall setup in which you have a LAN and WAN interface. I just took a look at your previous post and it seems you're doing some virtual host stuff which I have no idea about. So if this isn't an old school gateway/firewall just ignore this - although it might still help you indirectly.

astbis 12-29-2007 07:46 AM

Thanks it works like a charm.

astbis 01-24-2008 04:27 PM

It seems, that there are difficulties after all.

All traffic coming from external sources to the internal/virtual machine works fine, and so does the opposite way, internal/virtual to external machine.


The setup:
Two internal machines.
192.168.2.2 / 74.74.74.145
192.168.2.3 / 74.74.74.146

I will try to explain the problem.

When I am on 74.74.74.145 and try to nmap the services on 74.74.74.146, I get the result of the host machine. So neither 74.74.74.145 nor 74.74.74.146 answers. Ping works fine.

How can I get one internal/virtual machine to access the other internal one without using the internal addresses?
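Added example, not code from the thread or its posters: a small POSIX shell script that generates win32sux's rule set above for any number of external/internal pairs, keeps MASQUERADE last in the WAN-side POSTROUTING rules, and also emits the LAN-side ("hairpin") DNAT/SNAT rules that are the usual way to cover the situation in the last post, where a VM that connects to the other VM's external alias ends up at the host because that alias is a local address of the host and the WAN-only DNAT does not match. Interface names and addresses are taken from the ifconfig output in the thread; the mapping-list format, the function names (wan_nat_rules, hairpin_rules, check_rules) and the dry-run behaviour are assumptions of this example. The rules are printed rather than applied; pipe the output into sh as root to load them.

```shell
#!/bin/sh
# Added example, not code from the thread.  Generates the 1:1 NAT rule set
# for a list of "<external IP> <internal IP>" pairs, keeping MASQUERADE last,
# plus LAN-side "hairpin" rules so an internal host can reach another
# internal host through its external alias address.
# Interface names and addresses match the ifconfig output in the thread;
# the mapping format and the function names are assumptions of this example.

WAN_IFACE=eth0          # the real interface; alias names like eth0:Webs never match
LAN_IFACE=vmnet1
LAN_NET=192.168.2.0/24
LAN_GW=192.168.2.1      # host side of vmnet1, used as the hairpin source

# Constructed mapping list for this example: "<external IP> <internal IP>".
MAPPINGS='74.74.74.145 192.168.2.2
74.74.74.146 192.168.2.3'

# WAN-side rules (the answer's rule set, generalised to N pairs).
# Rules are printed, not applied: pipe the output into "sh" as root.
wan_nat_rules() {
    echo "iptables -P FORWARD DROP"
    printf '%s\n' "$MAPPINGS" | while read -r ext int; do
        [ -n "$ext" ] || continue
        # Per-host forwarding without a state match, so NEW inbound
        # connections to the DNAT target are accepted.
        echo "iptables -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -d $int -j ACCEPT"
        echo "iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -s $int -j ACCEPT"
        # -i limits the DNAT to packets that really arrived from the WAN.
        echo "iptables -t nat -A PREROUTING -i $WAN_IFACE -d $ext -j DNAT --to-destination $int"
        # Per-host SNAT so the VM's outbound traffic carries its own alias.
        echo "iptables -t nat -A POSTROUTING -o $WAN_IFACE -s $int -j SNAT --to-source $ext"
    done
    # Remaining LAN hosts: replies in, anything out.
    echo "iptables -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -d $LAN_NET -m state --state RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -s $LAN_NET -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT"
    # MASQUERADE last, so the per-host SNAT rules above win for the mapped VMs.
    echo "iptables -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE"
}

# Hairpin rules.  With the DNAT bound to -i $WAN_IFACE, a VM connecting to the
# other VM's external IP reaches the gateway itself (the alias is a local
# address there), which is what the last post in the thread observes.
hairpin_rules() {
    # Replies of hairpinned connections also cross FORWARD, LAN to LAN.
    echo "iptables -A FORWARD -i $LAN_IFACE -o $LAN_IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT"
    printf '%s\n' "$MAPPINGS" | while read -r ext int; do
        [ -n "$ext" ] || continue
        # DNAT the alias for packets arriving from the LAN as well ...
        echo "iptables -t nat -A PREROUTING -i $LAN_IFACE -s $LAN_NET -d $ext -j DNAT --to-destination $int"
        # ... and SNAT them to the gateway, so the reply travels back through
        # the gateway (where conntrack reverses both translations) instead of
        # going straight to the client from an address it never talked to.
        echo "iptables -t nat -A POSTROUTING -o $LAN_IFACE -s $LAN_NET -d $int -j SNAT --to-source $LAN_GW"
        echo "iptables -A FORWARD -i $LAN_IFACE -o $LAN_IFACE -s $LAN_NET -d $int -j ACCEPT"
    done
}

# Sanity check on a rule listing read from stdin (generated text or
# "iptables-save" output): MASQUERADE must be the last POSTROUTING rule for
# the WAN interface, and every DNAT must be bound to an input interface.
check_rules() {
    rules=$(cat)
    last_wan=$(printf '%s\n' "$rules" | grep -- '-A POSTROUTING' | grep -- "-o $WAN_IFACE" | tail -n 1)
    case "$last_wan" in
        *MASQUERADE*) ;;
        *) echo "check: MASQUERADE is not the last WAN POSTROUTING rule" >&2; return 1 ;;
    esac
    if printf '%s\n' "$rules" | grep -- '-j DNAT' | grep -qv -- ' -i '; then
        echo "check: DNAT rule without -i (matches packets from every interface)" >&2
        return 1
    fi
    return 0
}

# Stand-alone use: "sh thisscript.sh print" checks and prints the full rule set.
if [ "${1:-}" = "print" ]; then
    { wan_nat_rules; hairpin_rules; } | check_rules && { wan_nat_rules; hairpin_rules; }
fi
```

check_rules is the part worth keeping around: run it against `iptables-save` output after loading the rules, and it flags the two mistakes this thread turns on, a DNAT that is not tied to an input interface and a MASQUERADE that is not the last WAN-side POSTROUTING rule.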

