Programming iptables rules for 1:1 NAT
Hello all,
I am trying to program iptables rules for implementing a 1:1 NAT which does the following:
1. Forward all traffic from all ports on a public IP to a private IP
2. Forward traffic from a range of ports (x-->y) on a public IP to a private IP
I did some Google searches for the same, and came up with the following. I would appreciate it if someone could validate if this is indeed what I need to be doing.
Code:
iptables -A FORWARD -t filter -o eth0 -m state \
    --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i eth0 -m state \
    --state ESTABLISHED,RELATED -j ACCEPT
Thanks
AJ
This is pretty cool stuff and good info to learn; so I am going to take the 'teach a person to fish versus give them a fish' outlook.
If you are trying to use your Linux box as a gateway, which is what it sounds like, you are going to have to do a bit more. Start looking at the 'nat' table, 'postrouting chain', 'masquerading', and 'ip forwarding' <-- good Google terms
howtoforge - nat_iptables <-- place to start
Alright, I did some research, and came up with this:
Please note that the system has iptables rules already in place, so I need to add mine for 1:1 NAT and not worry about configuring VIFs.
Code:
iptables -t nat -A PREROUTING -i ${ext_interface} -d ${ext_ip} -j DNAT --to-destination ${int_ip}
iptables -t nat -A POSTROUTING -o ${ext_interface} -s ${int_ip} -j SNAT --to-source ${ext_ip}
Does anyone see any issues in this?
Just my :twocents:.
I am a bit confused now ...
For my 1:1 NAT feature, should I be using the PREROUTING/POSTROUTING sample I posted, or use the original FORWARD sample?
I am working with only "one" external IP. Essentially, I want to achieve the following ...
1. Have rules in my router which forward all traffic from my public IP (from all ports) to a private IP which is hidden from the external world (but visible to my router)
2. Have rules in my router which forward traffic from a "specific port range" for my public IP to a private IP which is hidden from the external world (but visible to my router)
I do not think I have any restrictions for the outbound packets, except that all public IPs should be pingable from this private IP via my router.
Also, when I try and program the PREROUTING/POSTROUTING part, I do not see the rules in my iptables. Is there any step I miss here?
Code:
iptables -nvL -t nat
Ok, I am sorry I was not clear, but I provide an option to the user to either give me a port range and a source and destination ip, or just a source and destination ip. Both these count towards my 1-1 NAT user-cases. These are 2 separate cases based on what the user decides to do.
I agree that it might not be possible to do this in 1 command, but I can have branching in my code to make separate calls for either case. How would I go about programming my rules, given this information?
Code:
iptables -t nat -A PREROUTING -i ${ext_interface} -d ${ext_ip} \
Code:
iptables -t nat -A PREROUTING -i ${ext_interface} -d ${ext_ip} \
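The reply above is cut off in this copy of the thread, so the rules for the port-range case never made it onto the page. As an added example (my own script, not code from any poster here), the following emits the complete rule set for both of AJ's cases from one function with the branching AJ mentioned: no port range means "forward everything", a range means "forward only that range". It assumes the interface layout from AJ's later post (eth2 public, eth1 private) and a port range of 8000:8100 that is made up for the dry run. By default it only prints the commands (IPTABLES is set to "echo iptables"); run it as root with IPTABLES=iptables to apply them.

```shell
#!/bin/sh
# Added example, not from the thread. Emits the iptables rules for the two
# 1:1 NAT cases (all ports, or a TCP/UDP port range) on a gateway with one
# public address. IPTABLES defaults to "echo iptables" so the rules are
# printed for review; run with IPTABLES=iptables as root to apply them.
: "${IPTABLES:=echo iptables}"

# forward_base
#   Run once. Drop everything the router is not explicitly asked to forward,
#   but let replies to already accepted connections through in both directions.
forward_base() {
    $IPTABLES -P FORWARD DROP
    $IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# one_to_one_nat EXT_IF INT_IF EXT_IP INT_IP [PORT_RANGE]
#   PORT_RANGE uses the iptables "x:y" syntax; leave it out for the all-ports case.
one_to_one_nat() {
    ext_if=$1; int_if=$2; ext_ip=$3; int_ip=$4; range=${5:-}

    if [ -z "$range" ]; then
        # Case 1: every protocol and port arriving for EXT_IP goes to INT_IP.
        # DNAT without a port keeps the original destination port.
        $IPTABLES -t nat -A PREROUTING -i "$ext_if" -d "$ext_ip" \
            -j DNAT --to-destination "$int_ip"
        $IPTABLES -A FORWARD -i "$ext_if" -o "$int_if" -d "$int_ip" \
            -m state --state NEW -j ACCEPT
    else
        # Case 2: only PORT_RANGE. --dport is only accepted after -p tcp or
        # -p udp, so one rule per protocol is needed; ICMP has no ports and
        # is deliberately not forwarded in this case.
        for proto in tcp udp; do
            $IPTABLES -t nat -A PREROUTING -i "$ext_if" -d "$ext_ip" \
                -p "$proto" --dport "$range" \
                -j DNAT --to-destination "$int_ip"
            # The filter table sees the packet after DNAT, so match INT_IP here.
            $IPTABLES -A FORWARD -i "$ext_if" -o "$int_if" -d "$int_ip" \
                -p "$proto" --dport "$range" -m state --state NEW -j ACCEPT
        done
    fi

    # Outbound half of the 1:1 mapping, identical for both cases: anything
    # the private host originates leaves with the public address as source.
    $IPTABLES -t nat -A POSTROUTING -o "$ext_if" -s "$int_ip" \
        -j SNAT --to-source "$ext_ip"
    $IPTABLES -A FORWARD -i "$int_if" -o "$ext_if" -s "$int_ip" \
        -m state --state NEW -j ACCEPT
}

# Dry run with the addresses from the thread (eth2 public, eth1 private).
# In practice the user picks one of the two cases; both are shown here.
forward_base
one_to_one_nat eth2 eth1 192.168.30.43 10.1.1.2             # case 1: all ports
one_to_one_nat eth2 eth1 192.168.30.43 10.1.1.2 8000:8100   # case 2: range is assumed
```

Two things the rules themselves do not cover: forwarding only happens at all when net.ipv4.ip_forward is 1 (sysctl -w net.ipv4.ip_forward=1), and if other FORWARD rules are already in place, -A appends after them, so an earlier rule that matches first wins; check the order with iptables -nvL --line-numbers and use -I with a position if needed.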
Thanks a bunch for your help. I really appreciate it. I will try out these commands.
Hi, I tried to program the iptables rules and then ran a simple test of trying to ssh to the guest VM (at the guest IP I have) via my public IP (for the 1:1 NAT case -- all ports).
e.g. (public IP: 192.168.30.43, guest IP: 10.1.1.2, external if: eth2, internal if: eth1)
Code:
publicIp=192.168.30.43
guestIp=10.1.1.2
iptables -t nat -A PREROUTING -i eth2 -d $publicIp -j DNAT --to-destination $guestIp
iptables -t nat -A POSTROUTING -o eth2 -s $guestIp -j SNAT --to-source $publicIp
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth2 -o eth1 -d $guestIp -m state --state NEW -j ACCEPT
iptables -A FORWARD -i eth1 -o eth2 -s $guestIp -m state --state NEW -j ACCEPT
Then, I tried something like:
Code:
aj@aj-laptop:~$ ssh root@192.168.30.43
ssh: connect to host 192.168.30.43 port 22: Connection timed out
aj@aj-laptop:~$
I am not really sure as to how to go about debugging this issue. I assume if everything worked fine, I should have been able to ssh into the machine via its guest IP (10.1.1.2), accessed via the public IP.
Are you sure you don't have any other (potentially conflicting) rules active? Maybe post the output of:
Code:
iptables -nvL --line-numbers
Code:
iptables -nvL -t nat --line-numbers
Code:
iptables -A FORWARD -j LOG --log-prefix "FORWARD DROP: "
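The listings and the LOG rule suggested above are the right tools; the quickest way to read them is to compare the packet counters before and after one failed connection attempt, because the counter that moves tells you how far the packets got. Below is an added example of that technique (my own, not posted by anyone in the thread). It assumes two saved snapshots of "iptables -nvxL --line-numbers" (-x prints exact counts, so they can be subtracted); the two snapshots embedded here are constructed to look like the thread's FORWARD chain with the LOG rule appended, not real output from AJ's box.

```shell
#!/bin/sh
# Added example, not from the thread: locate where a test connection dies by
# diffing iptables rule counters. Save "iptables -nvxL --line-numbers" (and
# the same with -t nat) before and after the failed ssh, then run
# counter_delta BEFORE AFTER.

# counter_delta BEFORE AFTER
#   Prints "chain rule target delta" for every rule, and every chain policy,
#   whose packet counter moved between the two snapshots.
counter_delta() {
    awk '
        /^Chain / {
            chain = $2
            # "(policy DROP 3 packets, 180 bytes)": packets that fell through
            # to the policy. Chains without a policy have nothing to compare.
            if ($3 != "(policy") next
            id = "policy"; pkts = $5; name = $4
        }
        /^Chain / || $1 ~ /^[0-9]+$/ {
            if ($1 != "Chain") { id = $1; pkts = $2; name = $4 }
            k = chain ":" id
            if (NR == FNR) { before[k] = pkts; next }   # still reading BEFORE
            d = pkts - before[k]
            if (d != 0) print chain, id, name, d
        }
    ' "$1" "$2"
}

# Constructed sample snapshots (not real output from the thread): the filter
# table before and after one "ssh root@192.168.30.43" that timed out.
before_sample=$(mktemp); after_sample=$(mktemp)
cat >"$before_sample" <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1           0          0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2           0          0 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            10.1.1.2             state NEW
3           0          0 ACCEPT     all  --  eth0   eth2    10.1.1.2             0.0.0.0/0            state NEW
4           0          0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "FORWARD DROP: "
EOF
cat >"$after_sample" <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 3 packets, 180 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1           0          0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2           0          0 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            10.1.1.2             state NEW
3           0          0 ACCEPT     all  --  eth0   eth2    10.1.1.2             0.0.0.0/0            state NEW
4           3        180 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "FORWARD DROP: "
EOF

counter_delta "$before_sample" "$after_sample"
# Three SYNs reached FORWARD and fell through to LOG and the DROP policy
# without touching rule 2, so the packets do arrive but rule 2 does not
# describe them (in this constructed snapshot it says out eth0 while the
# guest sits behind eth1).
```

Read the result together with the nat table: if the DNAT rule's counter in PREROUTING did not move either, the packets never matched "-i ext_if -d public_ip" at all (wrong interface, wrong address, or an earlier nat rule), and the FORWARD chain is not yet the problem.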
Re-running. Had used the wrong eth (1 instead of 0)
Code:
iptables -t nat -A PREROUTING -i eth2 -d 192.168.30.41 -j DNAT --to-destination 10.1.1.2
Code:
root@r-4-TEST:~# iptables -nvL --line-numbers
Code:
root@r-4-TEST:~# iptables -nvL -t nat --line-numbers