Old 12-16-2012, 04:47 PM   #1
adiab
LQ Newbie
 
Registered: Jan 2007
Posts: 7

Rep: Reputation: 0
Question n00b iptables NAT help


Hi,
I'm an iptables n00b and have a scenario I need some help with. I'll try my best to explain clearly.

I have 2 boxes.

Box1
* eth0(public IP)
* /26 (public), I'll refer to these as Box1Public1, Box1Public2, Box1Public3 etc. Different network to eth0

Box2
* eth0(public IP) - different network to Box1
* /24 (private), I'll refer to them as Box2Private1, Box2Private2, Box2Private3 etc.


I'm trying to setup rules to NAT a few of the Box1 Public Addresses to Box2's private addresses.

i.e.

RandomBox SSH => Box1Public1 => (nat on Box1) => Box2 => (nat on Box2) => Box2Private1

So far I have managed to get the first NAT to work, i.e. I am reaching Box2, but how do I get to the private IP of Box2?
I used the following on Box1:
iptables -t nat -A PREROUTING -p tcp -d <Box1Public1> -j DNAT --to-destination <Box2Eth0>
iptables -t nat -A POSTROUTING -j MASQUERADE

So now I am getting the packets onto Box2, I need to identify them as having gone through Box1Public1 in order to NAT again to the correct Private IP.

Am I using the right approach by using DNAT? I'm guessing I can't modify the source address as then the packets would never get back to the originating address.

Any pointers?

Thanks for reading.
 
Old 12-21-2012, 06:11 AM   #2
nikmit
Member
 
Registered: May 2011
Location: Nottingham, UK
Distribution: Debian
Posts: 178

Rep: Reputation: 34
NAT can be a bitch to get right

"I'm guessing I can't modify the source address as then the packets would never get back to the originating address."
You should NAT the source too, as the connection needs to go back through Box1. Otherwise RandomBox will get a reply to an SSH request from an unexpected IP and will drop it.

What I did in a similar situation was make a VPN between the two servers and save myself some NATting.

Nik
 
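Putting the two hops together, as an added example that is not from either poster: a dry-run script of the rules for both boxes. It follows the advice above to NAT the source on Box1, and uses Box1Public1 itself (an address Box1 owns) as that new source, so Box2 can match on it to pick the right private host and replies still return via Box1. All addresses, and the interface name eth1, are placeholders.

```shell
#!/bin/sh
# Two-hop NAT for the thread's scenario: RandomBox -> Box1Public1 -> Box2 -> Box2Private1.
# Box1 keeps Box1Public1 as the SOURCE after forwarding, so Box2 can tell which
# public address the connection arrived on and replies flow back through Box1.
# All addresses are placeholders (RFC 5737 test networks), not the poster's.
BOX1_PUBLIC1="203.0.113.10"   # one address of Box1's /26
BOX2_ETH0="198.51.100.20"     # Box2's public address
BOX2_PRIVATE1="10.0.0.5"      # target host on Box2's private /24
BOX2_LAN_IF="eth1"            # Box2's interface toward the private /24 (assumed name)

# Dry-run by default: print each command. Set APPLY=1 to execute (as root).
run() { if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi; }

box1_rules() {
  run sysctl -w net.ipv4.ip_forward=1
  # Inbound SSH for Box1Public1 is redirected to Box2's public address.
  run iptables -t nat -A PREROUTING -p tcp -d "$BOX1_PUBLIC1" --dport 22 \
    -j DNAT --to-destination "$BOX2_ETH0"
  # Rewrite the source to Box1Public1 rather than a blanket MASQUERADE:
  # Box2's replies come back to Box1, which un-NATs them for RandomBox,
  # and Box2 can match on this source to choose the private target.
  run iptables -t nat -A POSTROUTING -p tcp -d "$BOX2_ETH0" --dport 22 \
    -j SNAT --to-source "$BOX1_PUBLIC1"
  # Permit only this flow (and its replies) through a default-DROP FORWARD chain.
  run iptables -A FORWARD -p tcp -d "$BOX2_ETH0" --dport 22 -j ACCEPT
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

box2_rules() {
  run sysctl -w net.ipv4.ip_forward=1
  # Packets that came via Box1Public1 now carry it as source: map them to Box2Private1.
  run iptables -t nat -A PREROUTING -p tcp -s "$BOX1_PUBLIC1" -d "$BOX2_ETH0" --dport 22 \
    -j DNAT --to-destination "$BOX2_PRIVATE1"
  run iptables -A FORWARD -p tcp -d "$BOX2_PRIVATE1" --dport 22 -j ACCEPT
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Only needed if Box2 is NOT the private host's default gateway.
  run iptables -t nat -A POSTROUTING -o "$BOX2_LAN_IF" -p tcp -d "$BOX2_PRIVATE1" \
    --dport 22 -j MASQUERADE
}

# Uncomment the function for the box you are on, review the output, then re-run with APPLY=1:
# box1_rules
# box2_rules
```

A second public address (Box1Public2 to Box2Private2) is one more PREROUTING/POSTROUTING pair on Box1 and one more PREROUTING rule on Box2, keyed on that source.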