LinuxQuestions.org
Go Job Hunting at the LQ Job Marketplace
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 06-20-2003, 04:52 AM   #1
Garak
LQ Newbie
 
Registered: Feb 2003
Location: Seattle, WA
Posts: 16

Rep: Reputation: 1
IPTables 1:1 NAT


I've been trying to make some changes in my iptables firewall and don't seem to understand a few things. First let me say that my purpose is to get a stable 1:1 NAT working. I have 5 static IPs on from my ISP and I wanted to assign two of them to internal systems from which my roomate and I play online games. I don't want to do a bridging firewall.

To tackle this problem I installed two extra NICs on the WAN side and assigned them real routable IPs. I then added two statements in my iptables firewall to NAT two private side IPs to the two real IPs. These are the statements I used:

iptables -t nat -A POSTROUTING -s $LAN1 -o eth2 -j SNAT --to-source $WANIP1

iptables -t nat -A POSTROUTING -s $LAN2 -o eth3 -j SNAT --to-source $WANIP2

The problem is that while I can get out on the internet using this configuration, it appears that each NAT is using the WAN side IP from eth0. If they are both somehow using the eth0 IP then this defeats the purpose of having two seperate NATs for my gaming systems.

Is there something I'm missing here? I'm just trying to setup some kind of 1:1 NAT so that I can use my private side address scheme for my internal network and still be able to have a complete set of ports for each of these gaming systems to utilize. I'm completely out of ideas here.

Any comments or suggestions would be appreciated.

Last edited by Garak; 06-20-2003 at 09:12 AM.
 
Old 06-20-2003, 02:20 PM   #2
dorian33
Member
 
Registered: Jan 2003
Location: Poland, Warsaw
Distribution: LFS, Gentoo
Posts: 587

Rep: Reputation: 32
Fist matter is that you really don't need extra NICs. The Linux box (router) can still have 2 NICs: one for external connection and one for internal LAN. You can just assign several IPs to one NIC.

Independently of above I do not understand what do you want to do.

Let's assume that:
a. you have 2 public IPs.
b. your linux box has 2 eths: eth0- "world" with public ext_ip1 & eth1 with non-public int_ip1
c. you want to "give" public ext_ip2 to internal box

You have two choices:
1. setup private int_ip2 for the internal box and redirect all the traffic send to ext_ip2 to int_ip2
2. setup public ext_ip2 directly to internal box.

Which one of above solution you want?
 
Old 06-20-2003, 02:34 PM   #3
Garak
LQ Newbie
 
Registered: Feb 2003
Location: Seattle, WA
Posts: 16

Original Poster
Rep: Reputation: 1
The reason I have setup two WAN side NICs is because even through I can use aliasing to setup these real IPs (eth0:1 & eth0:2), iptables 1.2.8a will not seem to recognize these designations for an interface. In other words I can write a statement which uses eth0 but not eth0:1. I have no idea why. I just assumed it was a limitation of iptables.

What I'm trying to do is setup two WAN side IPs which will be NATed to two private side IPs. In other words I'd like 68.x.x.1 to be NATed to 192.168.0.5 and 68.x.x.2 to be NATed to 192.168.0.6. The reason for this is that these two systems are for playing games. Many of the games I have will use the exact same ports for a connection. Either that is something that was set in the game code (like the decision to use the DirectPlay ports) or the game programmers just decided to use a particular port for everyone with a copy of the game. Since there is overlap in game ports, my only solution is to use two different WAN side IPs and map two different private side IPs to them.

So on my system I will have eth0, eth2, & eth3 assigned real routable WAN side IPs with eth1 being a private side IP. The two game systems will connect through eth1 and be NATed to eth2 & eth2. All other systems on the LAN will use the standard NAT provided on eth0 since they do not have specific requirements for the same ports (web surfing, etc).
 
Old 06-20-2003, 03:24 PM   #4
dorian33
Member
 
Registered: Jan 2003
Location: Poland, Warsaw
Distribution: LFS, Gentoo
Posts: 587

Rep: Reputation: 32
Quote:
In other words I can write a statement which uses eth0 but not eth0:1.
But you always can use '-i eth0 -d 68.x.x.1' against '-i eth0:0'. Am I wrong?

Quote:
In other words I'd like 68.x.x.1 to be NATed to 192.168.0.5 and 68.x.x.2 to be NATed to 192.168.0.6.
I think the following will do:
iptables -t nat -A PREROUTING -d 68.x.x.1 -j DNAT --to-destination=192.168.0.5
iptables -t nat -A POSTROUTING -s 192.168.0.5 -j SNAT --to-source=68.x.x.1
iptables -t nat -A PREROUTING -d 68.x.x.2 -j DNAT --to-destination=192.168.0.6
iptables -t nat -A POSTROUTING -s 192.168.0.6 -j SNAT --to-source=68.x.x.2
iptables -A FORWARD -j ACCEPT

Of course you may also add phrases concerning protocol(s), port(s) & interface(s)
 
Old 06-20-2003, 03:40 PM   #5
Garak
LQ Newbie
 
Registered: Feb 2003
Location: Seattle, WA
Posts: 16

Original Poster
Rep: Reputation: 1
I haven't been able to write a statement like:

$IPT -t nat -A POSTROUTING -s $LAN -o eth0:1 -j SNAT --to-source $WANIP

but I can write...

$IPT -t nat -A POSTROUTING -s $LAN -o eth0 -j SNAT --to-source $WANIP

Apparently iptables will not accept 'eth0:1' as an interface designation. Like I said...I have no idea why. Weird huh? I can assign IPs to eth0:1, eth0:2, eth0:3 all day long but iptables still won't recognize a statement with an aliased interface designation in it.

Thanks for those statements. I'll try them out tonight. I think I tried something similar to them at one point but I'm not sure I got the syntax correct. I'll see if yours work any better. They look like they should work to me. I'll let you know how it turns out.
 
Old 06-20-2003, 04:12 PM   #6
dorian33
Member
 
Registered: Jan 2003
Location: Poland, Warsaw
Distribution: LFS, Gentoo
Posts: 587

Rep: Reputation: 32
Quote:
$IPT -t nat -A POSTROUTING -s $LAN -o eth0:1 -j SNAT --to-source $WANIP
but I can write...
$IPT -t nat -A POSTROUTING -s $LAN -o eth0 -j SNAT --to-source $WANIP
Well, I've never tested iptables on multi-ip assigned NIC, but I don't understand what for do you need 'eth0:1' phrase.
I've always seen the '-i ethN' or '-o ethN' as physical definition of the NIC. The 'ethN:1' is logical one - the packet will be received or send via physical ethN.
So assuming the ethN:1 is acceptable in iptables rule what will be the meaning of it and what will be the difference in comparison with the rule containing ethN:0?
 
Old 06-21-2003, 05:13 AM   #7
Garak
LQ Newbie
 
Registered: Feb 2003
Location: Seattle, WA
Posts: 16

Original Poster
Rep: Reputation: 1
The ethx:x format is for assigning an alias, or a 'virutal' interface. In order for all of this to work I must have multiple WAN side IP addresses. Your assertion was that I did not need mulltiple NICs assigned with real IPs on the WAN side. I was trying to explain why this was necessary.

Since I need multiple real routable IPs on the WAN side, I must be able to assign these to an interface, real or virtual. I tried assigning a virtual interface, eth0:1, instead of putting in another NIC (eth2) at first. I assigned eth0:1 an IP which is the second IP address on the same WAN side NIC. The first IP is assigned to eth0. If I wanted a third IP on the same NIC, I would assign it to eth0:2 for example. The problem with that setup is that iptables does not seem to accept a virtual designation for a NIC in its statements. eth0 is acceptable but eth0:1 is not. Therefore I had no choice but to install another NIC on the WAN side and designate it eth2.

Under normal circumstances it is not necessary to have multiple WAN side IPs for a standard NAT. I have used the statement of:

$IPT -t nat -A POSTROUTING -s $LAN -o $WANIFACE -j SNAT --to-source $WANIP

to NAT all of my systems and get them online. No problems there. However, a NAT can not assign the exact same port to different systems. This is normally not a problem. You can have one system surfing on port 40000 and another on 50000. But in many of the online games I play, the game is written to use a specific port or ports which cannot be changed. With one person playing a game this is still not a problem. When my roomate wants to play the same game with me online, we have two systems that are demanding to use the exact same port. This makes the game impossible to play. Yes, it is stupid that the game programmers did this, but it is not something I can change. The solution is to have two different NATs mapped back to two different private side IPs. That way each private side IP has a complete set of ports to utilize. Therefore we can both play the same game which may require the strict use of port 6152 for example.

The problem is that I can't seem to get two different NATs working at the same time. The iptables documentation says that this should not be a problem but it is. I assign two different IPs to two different WAN side interfaces. In my case eth2 and eth3. Then I write two different iptables statements like thus:

$IPT -t nat -A POSTROUTING -s $LAN1-o $WANIFACE1 -j SNAT --to-source $WANIP1

$IPT -t nat -A POSTROUTING -s $LAN2 -o $WANIFACE2 -j SNAT --to-source $WANIP2

Two different NATs setup on different WAN side IPs mapping back to two different private side IPs. One of the problems I am currently experiencing is that when I set it up like this, I loose connectivity on from the NATs on eth0. To sum up....

I have one NAT (which I am currently running) on eth0. It works fine using a standard SNAT statement. I bring up eth2, assign it a WAN side IP, and write the first statement above to create a second NAT specifically for that one system. The second NAT on eth2 works fine, but then I loose the regular NAT on eth0 for all of the other systems. The iptables documentation says that there is not a problem with overlapping NATs and that the code is smart enough to sort it out. It appears that either the documentation is wrong (in which case I need to figure out how to write a statement which excludes certain IPs in the NAT), or there is some kind of routing type problem (which I have checked over and over again to no avail -- the routing looks fine to be and the WAN side IPs are assigned through DHCP anyway), or there is some sort of limitation of which I am not aware. I just don't know why this is not working and I have not found any documentation on any site which can shed some light on the subject.

Last edited by Garak; 06-21-2003 at 05:39 AM.
 
Old 06-21-2003, 07:17 AM   #8
dorian33
Member
 
Registered: Jan 2003
Location: Poland, Warsaw
Distribution: LFS, Gentoo
Posts: 587

Rep: Reputation: 32
Well. Maybe I'm stupid but I think having two NICs it is still possible to get what you want.
Assume that you assign:
- eth0:0 with first public IP 62.x.x.1
- eth0:1 with second public IP 62.x.x.2
- eth1 with local IP 192.0.0.1
and you want redirection
62.x.x.1 <-> 192.0.0.5
62.x.x.2 <-> 192.0.0.6

I think that using rules
iptables -t nat -A PREROUTING -i eth0 -d 68.x.x.1 -j DNAT --to-destination=192.168.0.5
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.5 -j SNAT --to-source=68.x.x.1
iptables -t nat -A PREROUTING -i eth0 -d 68.x.x.2 -j DNAT --to-destination=192.168.0.6
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.6 -j SNAT --to-source=68.x.x.2

you will get what you want.
If the box with IP 192.0.0.5 sends the packet using port 5000 it will leave your router with the address 68.x.x.1:5000
If something arrives to your router with address 68.x.x.1:5000 it will be routed to 192.0.0.5 port 5000.

Am I wrong? If so, where?

Of course the rest of LAN boxes should use "standard" NAT.
So you need to define eth0:2 also with IP let's say 62.x.x.3 and use
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j SNAT --to-source=68.x.x.3
 
Old 06-21-2003, 07:10 PM   #9
Garak
LQ Newbie
 
Registered: Feb 2003
Location: Seattle, WA
Posts: 16

Original Poster
Rep: Reputation: 1
I cannot assign two IPs to the same NIC without using a virtual interface. My ISP will not assign a route through their network unless I use DHCP. The program dhcpd will not allow multiple IPs on eth0. I don't know any other way to get multiple WAN side IPs without another NIC. That really isn't the problem however.

The statements you used are ones that I have tried. The problem is that when I assign more than one IP to the WAN side, only one of the IPs will activate. I have no idea of what is happening so I'll just describe the behavior.

I can assign a WAN side IP (via DHCP) to eth0, eth2, & eth3. No problems there. When I try to use any iptables statement to NAT more than one of these interfaces, only one will NAT. I loose connectivity with the other two. I'm not even sure that this is not some weird routing issue. It could be something strange in iptables for all I know. According to the iptables man page, it is possible to use multiple and even overlapping NATs. But still the problem persists. I've looked over everything many times and it looks like it should work.
 
Old 06-22-2003, 02:22 PM   #10
dorian33
Member
 
Registered: Jan 2003
Location: Poland, Warsaw
Distribution: LFS, Gentoo
Posts: 587

Rep: Reputation: 32
Quote:
My ISP will not assign a route through their network unless I use DHCP.
Wow! Very strange that you has to use DHCP to get access to internet. And interesting... I am wondering if it is a standard action of a dhcp daemon. Do you have some info about it? Which stuff has such possibility?
BTW: Does it mean that you cannot statically assign IPs, gateway, dns etc since it will not be working (packet won't be routed) ?
Quote:
I can assign a WAN side IP (via DHCP) to eth0, eth2, & eth3. No problems there. When I try to use any iptables statement to NAT more than one of these interfaces, only one will NAT. I loose connectivity with the other two. I'm not even sure that this is not some weird routing issue. It could be something strange in iptables for all I know. According to the iptables man page, it is possible to use multiple and even overlapping NATs. But still the problem persists.[/B]
This is unusual. What tests did you do? What does it mean 'loose connectivity' ? Can't you even ping from eth0 to eth2? From eth0 or eth2 to the ISP's IP?
 
Old 10-13-2005, 03:14 PM   #11
Kumado
Member
 
Registered: Oct 2003
Location: Ohio , USA
Distribution: up to Suse 10.2
Posts: 63

Rep: Reputation: 19
iptables and the virtual nic

Hi Garak,

I am working on my script now and get the same error. I understand what you mean.

I have eth1:0 as a second nic and iptables gives a warning that it does not like it.

Warning: wierd character in interface `eth1:0' (No aliases, :, ! or *).

Did you come by a resolution?

Thank you,

Mike

Last edited by Kumado; 10-13-2005 at 03:15 PM.
 
Old 10-13-2005, 03:33 PM   #12
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Iptables doesn't currently support virtual interfaces. So for example, eth0:0 and eth0:1 are both recognized as eth0. You need to use some other packet characteristic in order to make routing decisions. As dorian33 was saying, the easiest way is to use the ipaddress of eth0:0 and eth0:1 like this:
Code:
For aliases 
eth0:0 == 10.1.1.1
eth0:1 == 10.2.2.2

Instead of using:
iptables -t nat -A PREROUTING -i eth0:0 -j DNAT --to-destination 192.168.1.1
iptables -t nat -A PREROUTING -i eth0:1 -j DNAT --to-destination 192.168.2.2

Do this:
iptables -t nat -A PREROUTING -i eth0 -d 10.1.1.1 -j DNAT --to-destination 192.168.1.1
iptables -t nat -A PREROUTING -i eth0 -d 10.2.2.2 -j DNAT --to-destination 192.168.2.2
 
Old 10-13-2005, 07:40 PM   #13
Kumado
Member
 
Registered: Oct 2003
Location: Ohio , USA
Distribution: up to Suse 10.2
Posts: 63

Rep: Reputation: 19
Thx Capt,

I kinda figgered that was going to be the deal. I was using a script ( trying to learn that as well ) from another example. I hoped to make it hmmm, portable. Guess the other will have to do )

TTFN

Mike
 
Old 12-19-2011, 05:03 PM   #14
Caesurus
LQ Newbie
 
Registered: Jun 2009
Posts: 3

Rep: Reputation: 0
Different Solution

OK, so since this took me a while to get right, and since I couldn't find a nice clean example of it else where here a easy solution:


Code:
echo 1 > /proc/sys/net/ipv4/ip_forward

# Set up PREROUTING Rule. If destination is the 100 range, map to 172.27.4.x
iptables -t nat -A PREROUTING -d 192.168.100.0/24 -j NETMAP --to 172.27.4.0/24

# Set up so that packets can find their way home again, change the source to our 172 Network IP address
iptables -t nat -A POSTROUTING -s 192.168.123.0/24 -d 172.27.4.0/24 -j NETMAP --to 172.27.1.3
FYI for those debugging iptables, messages go to /var/log/messages:
Code:
iptables -t raw -A PREROUTING <Condition> -j TRACE
for example:
iptables -t raw -A PREROUTING -s 192.168.123.41 -j TRACE
Hope that saves someone some time.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables nat kernelvn Linux - Networking 5 05-03-2005 11:39 AM
IPTABLES : build NAT using IPTABLES joseph Linux - Networking 4 04-23-2004 05:08 AM
iptables and NAT arrruken Linux - Networking 8 10-03-2003 04:17 AM
iptables NAT issue. onina Linux - Networking 1 02-26-2003 04:58 AM
IPtables +NAT daromer Linux - Networking 1 01-07-2002 11:15 AM


All times are GMT -5. The time now is 01:20 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration