LinuxQuestions.org
Old 02-03-2010, 12:55 PM   #1
Ashmatash
LQ Newbie
 
Registered: Feb 2010
Posts: 3

Rep: Reputation: 0
Need help implementing Port Address Translation with iptables


My previous routing experience has been mostly with Cisco routers. Cisco's NAT overloading translates both sides of the connection with a single command.
If you specify that the incoming connection be translated to a different port, IOS automatically translates both sides of the connection. Sure, there are some firewall adjustments too, but as far as the NAT goes, that's all that was needed.

My current reality:

I have a client running multiple Windows machines behind a Linux router. We would like to be able to connect to RDP (port 3389) from the internet, but through a different incoming port, say, 10110.

These are the commands I was trying to use in my firewall.user script:
#
#
iptables --table nat --append prerouting_wan --protocol TCP --in-interface $WAN --dport 44344 --jump DNAT --to-destination [MyPrivateIP]:3389
#
iptables --append forwarding_wan --protocol TCP --destination [MyPrivateIP] --dport 3389 --jump ACCEPT
#
#

Not surprisingly, these aren't doing the job.

The problem seems to be a matter of connection tracking.

I need to figure out how to implement a one-to-one port mapping for both incoming and outgoing traffic, but to have the port re-mapping take effect only when a matching inbound connection originates on the WAN interface.

Implementing two rules, one changing the inbound traffic and one for outbound might work, but that method would be static and too restrictive. After all, the internal hosts may need to communicate on that port without the modifications to the destination port.


Please advise
 
Old 02-03-2010, 08:52 PM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
If I'm understanding your requirements correctly, this could be done like (example):
Code:
iptables -t nat -A PREROUTING -p TCP -i $WAN_IFACE --dport 10110 -j DNAT \
--to-destination 192.168.1.101:3389
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p TCP -i $WAN_IFACE -o $LAN_IFACE -d 192.168.1.101 --dport 3389 \
-m state --state NEW -j ACCEPT
Here, the packet arrives on the WAN interface with the primary address as destination IP and 10110 as the destination port. Linux then changes the destination address on the packet to 192.168.1.101 and the destination port to 3389. The packet then traverses the FORWARD chain and is sent to ACCEPT (so that it may be placed on the wire connected to $LAN_IFACE) if it matches the relevant rule (otherwise it'll be sent to DROP in my example).

As for the returning (source port 3389) and forthcoming packets, they will get picked up by the connection tracking mechanism, and the first rule's ESTABLISHED state should match them just fine. Notice that the only rule which affects outbound traffic is the one for packets in states RELATED and ESTABLISHED.

Last edited by win32sux; 02-03-2010 at 08:59 PM.
 
1 members found this post helpful.
Old 02-04-2010, 12:39 AM   #3
Ashmatash
LQ Newbie
 
Registered: Feb 2010
Posts: 3

Original Poster
Rep: Reputation: 0
Wow, thanks! That sounds like a winner.
I'll try it out and see how it goes.
I really appreciate the help.
 
Old 02-04-2010, 06:15 PM   #4
Ashmatash
LQ Newbie
 
Registered: Feb 2010
Posts: 3

Original Poster
Rep: Reputation: 0
win32sux, you the man!
Your solution worked almost right out of the box.

I had to tweak it a little for OpenWRT, but it was so spot on that it worked despite myself. I'm still not completely sure about what's happening, but I think I'm getting there.
After trying to get help with this on the OpenWRT forums all week without a single response, I REALLY appreciate the quick reply, not to mention the excellent solution.

Here's the whole thing for posterity's sake, and any other newbies like myself running OpenWRT specifically.

# Some global firewall settings...
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Some fiddling with the destination port...
iptables -t nat -A prerouting_wan -p TCP -i eth0.1 --dport 10110 -j DNAT --to-destination 192.168.0.101:3389

# A little forwarding rule for the connection...
iptables -A forwarding_wan -p TCP -i eth0.1 -o br-lan -d 192.168.0.101 --dport 3389 -m state --state NEW -j ACCEPT


Cheers.
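As an added example (my own model, not code posted by win32sux or Ashmatash), the Python below walks packets through a small model of the final OpenWRT rule set in this post and of the connection-tracking behaviour win32sux describes in #2: the DNAT rule is consulted only for the first packet of a flow, every later packet in either direction is handled from the conntrack entry, and the reply from 192.168.0.101:3389 leaves with its source rewritten back to the public address and port 10110, which is the "both sides" translation the original question asked for. The interfaces, 192.168.0.101 and the ports come from the thread; the public addresses 203.0.113.10, 198.51.100.7 and 198.51.100.9, the client ports and the LAN host 192.168.0.50 are constructed. The model is deliberately simplified: every packet is pushed through FORWARD (no INPUT chain), there is no TCP state machine, and the only rules are the ones listed in this thread, so a LAN-to-WAN connection is dropped here simply because nothing in the listing accepts it (the box's existing lan-to-wan forwarding rules are not modelled).

```python
# Added example: a toy model of nat/PREROUTING (one DNAT rule), the conntrack
# table and filter/FORWARD as listed in the thread. Not the thread's own code.
from dataclasses import dataclass, replace

WAN_IFACE, LAN_IFACE = "eth0.1", "br-lan"   # from the OpenWRT listing
ROUTER_WAN_IP = "203.0.113.10"               # constructed public address
RDP_HOST = "192.168.0.101"                   # from the listing
PUBLIC_PORT, RDP_PORT = 10110, 3389          # from the listing


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "TCP"

    @property
    def out_iface(self):
        # crude routing decision: the LAN subnet lives behind br-lan
        return LAN_IFACE if self.dst.startswith("192.168.0.") else WAN_IFACE


class Router:
    def __init__(self):
        # conntrack: original tuple (src, sport, dst, dport) as first seen
        #         -> reply tuple (dnat_dst, dnat_dport, src, sport), i.e. how a
        #            reply from the (translated) destination looks on the wire
        self.conntrack = {}

    @staticmethod
    def dnat_rule(pkt):
        # iptables -t nat -A prerouting_wan -p TCP -i eth0.1 --dport 10110 \
        #   -j DNAT --to-destination 192.168.0.101:3389
        if pkt.proto == "TCP" and pkt.in_iface == WAN_IFACE and pkt.dport == PUBLIC_PORT:
            return RDP_HOST, RDP_PORT
        return None

    def prerouting(self, pkt):
        """nat/PREROUTING plus conntrack lookup: returns (state, packet)."""
        tup = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if tup in self.conntrack:                      # later packet, original direction
            dst, dport, _, _ = self.conntrack[tup]
            return "ESTABLISHED", replace(pkt, dst=dst, dport=dport)
        for orig, reply in self.conntrack.items():     # reply direction: undo the DNAT
            if tup == reply:
                return "ESTABLISHED", replace(pkt, src=orig[2], sport=orig[3])
        # NEW flow: only now is the nat table consulted, and the result is cached
        dst, dport = self.dnat_rule(pkt) or (pkt.dst, pkt.dport)
        self.conntrack[tup] = (dst, dport, pkt.src, pkt.sport)
        return "NEW", replace(pkt, dst=dst, dport=dport)

    @staticmethod
    def forward(state, pkt):
        # iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
        if state in ("RELATED", "ESTABLISHED"):
            return "ACCEPT"
        # iptables -A forwarding_wan -p TCP -i eth0.1 -o br-lan -d 192.168.0.101 \
        #   --dport 3389 -m state --state NEW -j ACCEPT
        if (state == "NEW" and pkt.proto == "TCP" and pkt.in_iface == WAN_IFACE
                and pkt.out_iface == LAN_IFACE and pkt.dst == RDP_HOST
                and pkt.dport == RDP_PORT):
            return "ACCEPT"
        return "DROP"                                  # iptables -P FORWARD DROP

    def handle(self, pkt):
        state, pkt = self.prerouting(pkt)
        return self.forward(state, pkt), state, pkt


def walk_rdp_session():
    """Push the packets of one forwarded RDP session (plus two strays) through
    the model and return (verdict, conntrack state, packet after NAT) for each."""
    r = Router()
    client = ("198.51.100.7", 51000)                   # constructed internet client
    steps = {
        # 1. SYN from the internet to the public address, port 10110
        "syn": Packet(WAN_IFACE, *client, ROUTER_WAN_IP, PUBLIC_PORT),
        # 2. SYN/ACK from the RDP host, source port 3389
        "synack": Packet(LAN_IFACE, RDP_HOST, RDP_PORT, *client),
        # 3. the client's ACK: same flow, second packet from the WAN
        "ack": Packet(WAN_IFACE, *client, ROUTER_WAN_IP, PUBLIC_PORT),
        # 4. stray packet for the LAN host on a port no rule allows
        "stray": Packet(WAN_IFACE, "198.51.100.7", 51001, RDP_HOST, 445),
        # 5. a LAN host talking to the internet on port 10110 (the OP's worry)
        "lan_out": Packet(LAN_IFACE, "192.168.0.50", 40000, "198.51.100.9", PUBLIC_PORT),
    }
    return {name: r.handle(p) for name, p in steps.items()}


if __name__ == "__main__":
    for name, (verdict, state, pkt) in walk_rdp_session().items():
        print(f"{name:8} {state:12} {verdict:6} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```

Running it shows the SYN arriving as NEW and leaving for 192.168.0.101:3389, the SYN/ACK and the later ACK both as ESTABLISHED with no rule other than the RELATED,ESTABLISHED one involved, the stray packet dropped by the chain policy, and the LAN host's own connection to port 10110 passing PREROUTING untouched because the DNAT rule is restricted to -i eth0.1.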
 
Old 02-04-2010, 10:11 PM   #5
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Quote:
Originally Posted by Ashmatash View Post
win32sux, you the man!
Your solution worked almost right out of the box.

I had to tweak it a little for OpenWRT, but it was so spot on that it worked despite myself. I'm still not completely sure about what's happening, but I think I'm getting there.
After trying to get help with this on the OpenWRT forums all week without a single response, I REALLY appreciate the quick reply, not to mention the excellent solution.

Here's the whole thing for posterity's sake, and any other newbies like myself running OpenWRT specifically.

# Some global firewall settings...
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Some fiddling with the destination port...
iptables -t nat -A prerouting_wan -p TCP -i eth0.1 --dport 10110 -j DNAT --to-destination 192.168.0.101:3389

# A little forwarding rule for the connection...
iptables -A forwarding_wan -p TCP -i eth0.1 -o br-lan -d 192.168.0.101 --dport 3389 -m state --state NEW -j ACCEPT


Cheers.
I'm glad it worked out well for you.

BTW, many thanks for taking the time to post the final product here.
 
  

