Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
I've been trying to make some changes in my iptables firewall and don't seem to understand a few things. First let me say that my purpose is to get a stable 1:1 NAT working. I have 5 static IPs on from my ISP and I wanted to assign two of them to internal systems from which my roomate and I play online games. I don't want to do a bridging firewall.
To tackle this problem I installed two extra NICs on the WAN side and assigned them real routable IPs. I then added two statements in my iptables firewall to NAT two private side IPs to the two real IPs. These are the statements I used:
The problem is that while I can get out on the internet using this configuration, it appears that each NAT is using the WAN side IP from eth0. If they are both somehow using the eth0 IP then this defeats the purpose of having two seperate NATs for my gaming systems.
Is there something I'm missing here? I'm just trying to setup some kind of 1:1 NAT so that I can use my private side address scheme for my internal network and still be able to have a complete set of ports for each of these gaming systems to utilize. I'm completely out of ideas here.
The reason I have setup two WAN side NICs is because even through I can use aliasing to setup these real IPs (eth0:1 & eth0:2), iptables 1.2.8a will not seem to recognize these designations for an interface. In other words I can write a statement which uses eth0 but not eth0:1. I have no idea why. I just assumed it was a limitation of iptables.
What I'm trying to do is setup two WAN side IPs which will be NATed to two private side IPs. In other words I'd like 68.x.x.1 to be NATed to 192.168.0.5 and 68.x.x.2 to be NATed to 192.168.0.6. The reason for this is that these two systems are for playing games. Many of the games I have will use the exact same ports for a connection. Either that is something that was set in the game code (like the decision to use the DirectPlay ports) or the game programmers just decided to use a particular port for everyone with a copy of the game. Since there is overlap in game ports, my only solution is to use two different WAN side IPs and map two different private side IPs to them.
So on my system I will have eth0, eth2, & eth3 assigned real routable WAN side IPs with eth1 being a private side IP. The two game systems will connect through eth1 and be NATed to eth2 & eth2. All other systems on the LAN will use the standard NAT provided on eth0 since they do not have specific requirements for the same ports (web surfing, etc).
Apparently iptables will not accept 'eth0:1' as an interface designation. Like I said...I have no idea why. Weird huh? I can assign IPs to eth0:1, eth0:2, eth0:3 all day long but iptables still won't recognize a statement with an aliased interface designation in it.
Thanks for those statements. I'll try them out tonight. I think I tried something similar to them at one point but I'm not sure I got the syntax correct. I'll see if yours work any better. They look like they should work to me. I'll let you know how it turns out.
$IPT -t nat -A POSTROUTING -s $LAN -o eth0:1 -j SNAT --to-source $WANIP
but I can write...
$IPT -t nat -A POSTROUTING -s $LAN -o eth0 -j SNAT --to-source $WANIP
Well, I've never tested iptables on multi-ip assigned NIC, but I don't understand what for do you need 'eth0:1' phrase.
I've always seen the '-i ethN' or '-o ethN' as physical definition of the NIC. The 'ethN:1' is logical one - the packet will be received or send via physical ethN.
So assuming the ethN:1 is acceptable in iptables rule what will be the meaning of it and what will be the difference in comparison with the rule containing ethN:0?
The ethx:x format is for assigning an alias, or a 'virutal' interface. In order for all of this to work I must have multiple WAN side IP addresses. Your assertion was that I did not need mulltiple NICs assigned with real IPs on the WAN side. I was trying to explain why this was necessary.
Since I need multiple real routable IPs on the WAN side, I must be able to assign these to an interface, real or virtual. I tried assigning a virtual interface, eth0:1, instead of putting in another NIC (eth2) at first. I assigned eth0:1 an IP which is the second IP address on the same WAN side NIC. The first IP is assigned to eth0. If I wanted a third IP on the same NIC, I would assign it to eth0:2 for example. The problem with that setup is that iptables does not seem to accept a virtual designation for a NIC in its statements. eth0 is acceptable but eth0:1 is not. Therefore I had no choice but to install another NIC on the WAN side and designate it eth2.
Under normal circumstances it is not necessary to have multiple WAN side IPs for a standard NAT. I have used the statement of:
to NAT all of my systems and get them online. No problems there. However, a NAT can not assign the exact same port to different systems. This is normally not a problem. You can have one system surfing on port 40000 and another on 50000. But in many of the online games I play, the game is written to use a specific port or ports which cannot be changed. With one person playing a game this is still not a problem. When my roomate wants to play the same game with me online, we have two systems that are demanding to use the exact same port. This makes the game impossible to play. Yes, it is stupid that the game programmers did this, but it is not something I can change. The solution is to have two different NATs mapped back to two different private side IPs. That way each private side IP has a complete set of ports to utilize. Therefore we can both play the same game which may require the strict use of port 6152 for example.
The problem is that I can't seem to get two different NATs working at the same time. The iptables documentation says that this should not be a problem but it is. I assign two different IPs to two different WAN side interfaces. In my case eth2 and eth3. Then I write two different iptables statements like thus:
Two different NATs setup on different WAN side IPs mapping back to two different private side IPs. One of the problems I am currently experiencing is that when I set it up like this, I loose connectivity on from the NATs on eth0. To sum up....
I have one NAT (which I am currently running) on eth0. It works fine using a standard SNAT statement. I bring up eth2, assign it a WAN side IP, and write the first statement above to create a second NAT specifically for that one system. The second NAT on eth2 works fine, but then I loose the regular NAT on eth0 for all of the other systems. The iptables documentation says that there is not a problem with overlapping NATs and that the code is smart enough to sort it out. It appears that either the documentation is wrong (in which case I need to figure out how to write a statement which excludes certain IPs in the NAT), or there is some kind of routing type problem (which I have checked over and over again to no avail -- the routing looks fine to be and the WAN side IPs are assigned through DHCP anyway), or there is some sort of limitation of which I am not aware. I just don't know why this is not working and I have not found any documentation on any site which can shed some light on the subject.
Well. Maybe I'm stupid but I think having two NICs it is still possible to get what you want.
Assume that you assign:
- eth0:0 with first public IP 62.x.x.1
- eth0:1 with second public IP 62.x.x.2
- eth1 with local IP 192.0.0.1
and you want redirection
62.x.x.1 <-> 192.0.0.5
62.x.x.2 <-> 192.0.0.6
I think that using rules
iptables -t nat -A PREROUTING -i eth0 -d 68.x.x.1 -j DNAT --to-destination=192.168.0.5
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.5 -j SNAT --to-source=68.x.x.1
iptables -t nat -A PREROUTING -i eth0 -d 68.x.x.2 -j DNAT --to-destination=192.168.0.6
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.6 -j SNAT --to-source=68.x.x.2
you will get what you want.
If the box with IP 192.0.0.5 sends the packet using port 5000 it will leave your router with the address 68.x.x.1:5000
If something arrives to your router with address 68.x.x.1:5000 it will be routed to 192.0.0.5 port 5000.
Am I wrong? If so, where?
Of course the rest of LAN boxes should use "standard" NAT.
So you need to define eth0:2 also with IP let's say 62.x.x.3 and use
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j SNAT --to-source=68.x.x.3
I cannot assign two IPs to the same NIC without using a virtual interface. My ISP will not assign a route through their network unless I use DHCP. The program dhcpd will not allow multiple IPs on eth0. I don't know any other way to get multiple WAN side IPs without another NIC. That really isn't the problem however.
The statements you used are ones that I have tried. The problem is that when I assign more than one IP to the WAN side, only one of the IPs will activate. I have no idea of what is happening so I'll just describe the behavior.
I can assign a WAN side IP (via DHCP) to eth0, eth2, & eth3. No problems there. When I try to use any iptables statement to NAT more than one of these interfaces, only one will NAT. I loose connectivity with the other two. I'm not even sure that this is not some weird routing issue. It could be something strange in iptables for all I know. According to the iptables man page, it is possible to use multiple and even overlapping NATs. But still the problem persists. I've looked over everything many times and it looks like it should work.
My ISP will not assign a route through their network unless I use DHCP.
Wow! Very strange that you has to use DHCP to get access to internet. And interesting... I am wondering if it is a standard action of a dhcp daemon. Do you have some info about it? Which stuff has such possibility?
BTW: Does it mean that you cannot statically assign IPs, gateway, dns etc since it will not be working (packet won't be routed) ?
I can assign a WAN side IP (via DHCP) to eth0, eth2, & eth3. No problems there. When I try to use any iptables statement to NAT more than one of these interfaces, only one will NAT. I loose connectivity with the other two. I'm not even sure that this is not some weird routing issue. It could be something strange in iptables for all I know. According to the iptables man page, it is possible to use multiple and even overlapping NATs. But still the problem persists.[/B]
This is unusual. What tests did you do? What does it mean 'loose connectivity' ? Can't you even ping from eth0 to eth2? From eth0 or eth2 to the ISP's IP?
Iptables doesn't currently support virtual interfaces. So for example, eth0:0 and eth0:1 are both recognized as eth0. You need to use some other packet characteristic in order to make routing decisions. As dorian33 was saying, the easiest way is to use the ipaddress of eth0:0 and eth0:1 like this:
eth0:0 == 10.1.1.1
eth0:1 == 10.2.2.2
Instead of using:
iptables -t nat -A PREROUTING -i eth0:0 -j DNAT --to-destination 192.168.1.1
iptables -t nat -A PREROUTING -i eth0:1 -j DNAT --to-destination 192.168.2.2
iptables -t nat -A PREROUTING -i eth0 -d 10.1.1.1 -j DNAT --to-destination 192.168.1.1
iptables -t nat -A PREROUTING -i eth0 -d 10.2.2.2 -j DNAT --to-destination 192.168.2.2
OK, so since this took me a while to get right, and since I couldn't find a nice clean example of it else where here a easy solution:
echo 1 > /proc/sys/net/ipv4/ip_forward
# Set up PREROUTING Rule. If destination is the 100 range, map to 172.27.4.x
iptables -t nat -A PREROUTING -d 192.168.100.0/24 -j NETMAP --to 172.27.4.0/24
# Set up so that packets can find their way home again, change the source to our 172 Network IP address
iptables -t nat -A POSTROUTING -s 192.168.123.0/24 -d 172.27.4.0/24 -j NETMAP --to 172.27.1.3
FYI for those debugging iptables, messages go to /var/log/messages:
iptables -t raw -A PREROUTING <Condition> -j TRACE
iptables -t raw -A PREROUTING -s 192.168.123.41 -j TRACE