LinuxQuestions.org
Old 10-25-2013, 08:19 AM   #1
opti2k4
Returning internal traffic based on destination IP to another internal IP - iptables


Hi,

I am using Ubuntu as a firewall for our internal network. On the WAN interface I have a public IP and on the LAN interface I have the internal network. I am hosting a mail server on one of our public IPs, and I don't have an internal DNS server, nor do I want to use a hosts file on each client.

The problem is that I can't access the mail server by using the public FQDN, because I don't know how to tell iptables that when the destination IP is my public IP (mail.domain.com) and the destination ports are 25, 443, 80, 465, 993, 995, it should forward the traffic to the internal IP of the mail server.
 
Old 10-27-2013, 02:23 PM   #2
Pearlseattle
Hi

I'm not sure if I understood your issue.
In any case, maybe I already implemented something similar to what you wish to have.

In my case things looked like this:
1) a physical host connected to the Internet with the IP 111.222.111.222.
2) multiple VMs hosted on that physical host, each responsible for specific services, e.g. web (192.168.0.123), email (192.168.0.124), monitoring (192.168.0....), honeypots, bleeding-edge stuff, etc.
3) VMs having only internal IPs like 192.168.0.11 (web-vm), 192.168.0.12 (mail-vm), etc. (therefore disconnected from the Internet).

Requirements:
1) I wanted to route anybody that accessed my external IP 111.222.111.222 on port 80 to the VM responsible for my web service.

On the host my iptables configuration for this is:
Code:
iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 192.168.0.123:80
Btw., before that single rule I have:
Code:
#${WAN} and ${LAN} are shell variables that must be set before these rules run
#(assumption, the post does not show the assignments: WAN=eth0 and LAN=br0
#would match the interface names used further down)

#Allow forwarding of established connections
iptables -I FORWARD 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

#Basic forwarding rules
iptables -A FORWARD -i ${LAN} -s 192.168.0.0/16 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 192.168.0.0/16 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o br0 -j ACCEPT
iptables -t nat -A OUTPUT -o br0 -j ACCEPT

#Tell the kernel that ip forwarding is OK
#IPv4
echo 1 > /proc/sys/net/ipv4/ip_forward
#Enable reverse-path filtering on every interface (drops packets whose source
#would not be routed back out the interface they arrived on)
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
#IPv6
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

############Start-Port forwarding
#List these rules with "iptables -t nat --list"

#Allow the host to connect to any VM on any port
iptables -A OUTPUT -o br0 -j ACCEPT -d 192.168.0.0/16 -m conntrack --ctstate NEW
Beware:
the behaviour of iptables changed a few versions ago - this config should definitely work for iptables versions equal to or higher than 1.4.16.3.

Cheers!
 
Old 10-27-2013, 02:28 PM   #3
opti2k4
Quote:
Originally Posted by Pearlseattle
Hi


On the host my iptables configuration for this is:
Code:
iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 192.168.0.123:80

Cheers!
This command forwards port 80 to your VM, but what if you want to access that public domain from inside (the DNS request resolves to that public IP)? The packet should go to the public interface IP and iptables should detect that and forward the request to port 80. Well, this is not working for me with one simple PREROUTING rule, so probably some rule is missing to deal with this scenario.
 
Old 10-27-2013, 02:53 PM   #4
Pearlseattle
Quote:
...to access that public domain from inside (DNS request resolves that public IP)
Mmmhhh, well, "eth0" is attached to the public domain (public IP number) and then it will be the same as for requests coming externally, no?

I cannot test this without restarting my whole server, so I will not.

Last edited by Pearlseattle; 10-27-2013 at 02:55 PM.
 
Old 10-27-2013, 02:55 PM   #5
opti2k4
Hmm you have a point there, it might be true! Thanks!
 
Old 10-27-2013, 02:56 PM   #6
Pearlseattle
Welcome
I'm not an expert, but I hope it will work.
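Added example for the LAN-side case raised in post #3 (this is editor-written code, not the configuration of either poster). When a LAN client connects to the public IP, its packet enters the firewall on the LAN interface rather than on the WAN interface, and the mail server would otherwise answer the client directly, bypassing the firewall that holds the DNAT state; the script below builds the two nat rules (plus the matching FORWARD rules) that handle this "hairpin NAT" case. All addresses, interface names and the port list are constructed placeholders; the script prints the commands by default and only executes them when run with APPLY=1.

```shell
#!/bin/sh
# Hairpin (NAT loopback) rules so LAN clients can reach the mail server via its public IP.
# Constructed placeholder values for this example; substitute your own.
PUB_IP="203.0.113.10"        # public IP that mail.domain.com resolves to
MAIL_IP="192.168.1.25"       # internal address of the mail server
LAN_NET="192.168.1.0/24"     # internal network behind the firewall
LAN_IF="eth1"                # interface facing the internal network
PORTS="25,80,443,465,993,995"

# Print each iptables command (default) or execute it when APPLY=1 is set.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

hairpin_rules() {
    # 1. Rewrite the destination of any packet for the public IP on the mail ports,
    #    whatever interface it arrived on. A rule limited with -i <WAN interface>
    #    would not see packets from LAN clients, because those enter on $LAN_IF.
    run -t nat -A PREROUTING -d "$PUB_IP" -p tcp -m multiport --dports "$PORTS" \
        -j DNAT --to-destination "$MAIL_IP"
    # 2. For LAN-originated connections only, also rewrite the source to the firewall's
    #    LAN address, so the mail server's replies return through the firewall (where the
    #    DNAT is undone) instead of going straight to the client, which would break the flow.
    run -t nat -A POSTROUTING -s "$LAN_NET" -d "$MAIL_IP" -p tcp -m multiport \
        --dports "$PORTS" -o "$LAN_IF" -j MASQUERADE
    # 3. The FORWARD chain must permit the redirected connection and its replies.
    run -A FORWARD -d "$MAIL_IP" -p tcp -m multiport --dports "$PORTS" \
        -m conntrack --ctstate NEW -j ACCEPT
    run -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

hairpin_rules
```

Side effect worth noting for log review: with rule 2 the mail server sees every LAN connection as coming from the firewall's LAN address, so client identity is lost in its logs; an internal (split-horizon) DNS entry pointing mail.domain.com at 192.168.1.25 avoids the hairpin entirely.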
 