LinuxQuestions.org
Old 03-18-2014, 06:32 PM   #1
Cidi Rome
LQ Newbie
 
Registered: Dec 2005
Posts: 17

Rep: Reputation: 0
Iptables Port forwarding from inside also


Hi.

I've been reading about this on a few posts but haven't been able to solve the problem.

I have this rule:
iptables -t nat -I PREROUTING -i eth1 -p tcp --dport 22 -j DNAT --to 192.168.192.253:22

eth1 is the adapter that gets this outside ip from the modem and it is a dynamic ip.

When I connect from the outside to the public ip it works correctly, but I also want to be able to connect from inside the local network to the public ip and it doesn't work.

I've tried removing the "-i eth1", but it still doesn't work, and anyway I believe that would have some other bad impact on port 22 communications to the outside.

Any suggestions?

PS: I've made my example with port 22 but I have a more complex configuration with port ranges and several destinations inside the local network, but I think when I'm able to do this one I can port the configuration to my real case scenario.

Last edited by Cidi Rome; 03-18-2014 at 06:34 PM.
 
Old 03-18-2014, 06:45 PM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,348

Rep: Reputation: Disabled
This is the classic "hairpin NAT" scenario. The reason it doesn't work is that the NAT target on the inside receives a packet from a local IP address, and hence sends an answer directly to the client. The client, however, expects an answer from the public IP address.

The most common solution to this issue is to have the firewall do source NAT for all traffic originating from the local LAN:
Code:
iptables -t nat -A POSTROUTING -s 192.168.192.0/24 -d 192.168.192.253 -p tcp --dport 22 -j MASQUERADE
You will have to lose the "-i eth1" match in the PREROUTING chain, but you can still filter on IP addresses and interfaces in the FORWARD chain of the filter table (which is really what you should be doing anyway).
 
Old 03-24-2014, 11:26 AM   #3
Cidi Rome
LQ Newbie
 
Registered: Dec 2005
Posts: 17

Original Poster
Rep: Reputation: 0
Hi.

Thank you for the reply, it was useful, but because I removed the "-i eth1", outgoing connections to port 22 on external servers are all falling on the redirected machine.

I believe the solution for my problem is hidden in what you said:
Quote:
but you can still filter on IP addresses and interfaces in the FORWARD chain of the filter table (which is really what you should be doing anyway).
but I'm not understanding how to do that... Can you help me?

Best Regards.
 
Old 03-24-2014, 10:44 PM   #4
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,348

Rep: Reputation: Disabled
You currently have this rule in your nat chain:
Code:
iptables -t nat -I PREROUTING -i eth1 -p tcp --dport 22 -j DNAT --to 192.168.192.253:22
It will redirect ALL traffic to TCP port 22 as long as it's entering eth1, regardless of destination address.

As I said, to make the NAT rule work for internal traffic entering another interface, the "-i eth1" has to go. To keep the rule from interfering with SSH traffic in general, add a "-d" match:
Code:
iptables -t nat -I PREROUTING -d <external_IP> -p tcp --dport 22 -j DNAT --to 192.168.192.253:22
That leaves the "hairpin NAT" issue, which is solved by source NATing the packets behind the IP address of the internal interface. My previous example should work, but you could add an interface match to make the rule even more precise. Assuming this is called eth0, this rule should do the trick:
Code:
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.192.0/24 -d 192.168.192.253/32 -p tcp --dport 22 -j MASQUERADE
My comment about filtering was related to the interface match you currently have in your PREROUTING rule. If you want to allow/block traffic based on the interface the packets are entering, the filter table is the place to do that.
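
The complete rule set that this advice describes, as an added example (my script, not code posted in the thread): the DNAT keyed on destination address instead of interface, the hairpin MASQUERADE on the LAN side, and the interface filtering moved to the FORWARD chain. Assumptions not stated in the thread: eth1 is the WAN interface, eth0 the LAN interface, and the conntrack match is available; EXT_IP is left as the same placeholder the post uses and must be replaced by the router's current public address (re-run from whatever script handles address changes on eth1). With IPT=echo, or without the "apply" argument, the script only prints the rules.

```shell
#!/bin/sh
# Added example, not from the thread: hairpin NAT rule set for a single forwarded port.
# Assumptions: eth1 = WAN, eth0 = LAN, 192.168.192.0/24 = LAN, 192.168.192.253 = SSH host.

IPT=${IPT:-iptables}
WAN=eth1
LAN=eth0
LAN_NET=192.168.192.0/24
SSH_HOST=192.168.192.253
EXT_IP=${EXT_IP:-<external_IP>}   # placeholder: must be the router's current public address

hairpin_rules() {
  # 1. DNAT keyed on the destination address, not the ingress interface, so that
  #    clients on both the WAN and the LAN are redirected when they hit the public IP.
  $IPT -t nat -A PREROUTING -d "$EXT_IP" -p tcp --dport 22 -j DNAT --to-destination "$SSH_HOST:22"

  # 2. Hairpin fix: LAN->SSH_HOST packets that leave again via the LAN interface get the
  #    router's address as source, so the SSH host answers the router and conntrack
  #    reverses both translations on the way back instead of the client seeing a reply
  #    from an address it never talked to.
  $IPT -t nat -A POSTROUTING -o "$LAN" -s "$LAN_NET" -d "$SSH_HOST/32" -p tcp --dport 22 -j MASQUERADE

  # 3. Ordinary outbound NAT for the LAN towards the WAN.
  $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE

  # 4. Access control lives in the filter table: the interface match that used to sit in
  #    PREROUTING becomes a FORWARD rule, so only the forwarded port is admitted from the WAN.
  $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -i "$WAN" -o "$LAN" -d "$SSH_HOST" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
  $IPT -A FORWARD -i "$LAN" -o "$LAN" -d "$SSH_HOST" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
  $IPT -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
  $IPT -A FORWARD -i "$WAN" -j DROP
}

# dry_run: print the rules instead of applying them (subshell so IPT is not changed globally)
dry_run() { ( IPT=echo; hairpin_rules ); }

case "${1:-}" in
  apply) hairpin_rules ;;
  *)     dry_run ;;
esac
```

Run it with no argument first and read the printed rules; the FORWARD rules assume the chain's policy or a final rule drops what is not listed, so adapt them to an existing ruleset rather than appending blindly.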
 
Old 03-25-2014, 05:19 PM   #5
Cidi Rome
LQ Newbie
 
Registered: Dec 2005
Posts: 17

Original Poster
Rep: Reputation: 0
Hi.

I cannot use this
Quote:
iptables -t nat -I PREROUTING -d <external_IP> -p tcp --dport 22 -j DNAT --to 192.168.192.253:22
because my IP is dynamic and I would have to change the rule every time it changes.

What is the workaround? I've thought of that, and my reason for using -i was exactly that one.

I had this idea now, but I don't know if it can be used:
Can we use something like "-d !192.168.0.0/16" to include all destinations except the local network areas?

Best Regards.
 
Old 03-25-2014, 05:29 PM   #6
Cidi Rome
LQ Newbie
 
Registered: Dec 2005
Posts: 17

Original Poster
Rep: Reputation: 0
It seems to work ok like this:
Quote:
iptables -t nat -I PREROUTING ! -d 192.168.0.0/16 -p tcp --dport 22 -j DNAT --to 192.168.192.253:22
I will do further testing.

Best Regards.
 
Old 03-25-2014, 05:35 PM   #7
Smokey_justme
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 534

Rep: Reputation: 203
no ... but "! -s 192.168.0.0/16" should do the trick if I'm not missing something.. ..

LE: Hmm.. weird that -d works .. maybe I've misunderstood something

Last edited by Smokey_justme; 03-25-2014 at 05:37 PM.
 
Old 03-25-2014, 07:27 PM   #8
Cidi Rome
LQ Newbie
 
Registered: Dec 2005
Posts: 17

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Smokey_justme
no ... but "! -s 192.168.0.0/16" should do the trick if I'm not missing something.. ..

LE: Hmm.. weird that -d works .. maybe I've misunderstood something
Not quite...
If the regular usage would be "-d <external_IP>" and I cannot have that because it is variable, I used "-d all ips except the known internal ones" that translates to "! -d 192.168.0.0/16" or the deprecated syntax "-d ! 192.168.0.0/16"

I believe it is like this because the packets that have the public address as destination have to be redirected, and with this limitation the packets whose destination is not a local net are not redirected and pass through. If I put -s as suggested, only the packets from the local network would be redirected.
(A little bit confusing...)

I think it is not very conventional, but it seems to work correctly.

Best Regards.
 
Old 03-25-2014, 07:51 PM   #9
Smokey_justme
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 534

Rep: Reputation: 203
Actually, if you put "! -s ...", everything else except packets incoming from the network would be translated (thus letting the ssh server box (.253) connect to external ssh's).. Isn't that what you want..!?

But yeah, just when I was writing I see why "! -d" works... The only thing is that this should again bring you to step 1.. and disallow connections from the LAN using the public IP .. Does that still work?

LE: Yeah, just ignore me.. I've browsed some docs and it should work, you're right.. Sorry for my posts..

Last edited by Smokey_justme; 03-25-2014 at 08:06 PM.
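
The variants of the PREROUTING match that went back and forth in this thread are easy to confuse, so here is an added example (my script, not anything posted above) that models which of four flows each variant would redirect: the -i eth1 rule from post #1, the -d <external_IP> rule from post #4, the ! -d 192.168.0.0/16 rule from post #6 and the ! -s 192.168.0.0/16 rule from post #7. A fifth variant, the addrtype match (-m addrtype --dst-type LOCAL, a standard iptables match not mentioned in the thread), is my own addition: it matches any address the router itself holds, so the rule needs no rewrite when the public address changes. Addresses are constructed from the documentation ranges; 198.51.100.7 stands in for the router's dynamic public IP, and the router's address list is assumed.

```shell
#!/bin/sh
# Added example, not from the thread: which flows does each DNAT match variant redirect?
# Constructed addresses: 198.51.100.7 = public IP, 203.0.113.x = hosts on the Internet,
# 192.168.192.0/24 = the LAN from the thread, 192.168.192.253 = the SSH host.

EXT_IP=198.51.100.7                           # constructed stand-in for the dynamic public IP
ROUTER_ADDRS="198.51.100.7 192.168.192.1"     # assumed: the addresses the router itself holds

# in_192_168 IP: true when IP lies inside 192.168.0.0/16 (the only prefix the thread uses)
in_192_168() { case "$1" in 192.168.*) return 0 ;; *) return 1 ;; esac; }

# is_router_addr IP: true when IP is one of the router's own addresses (addrtype LOCAL)
is_router_addr() {
  for a in $ROUTER_ADDRS; do [ "$a" = "$1" ] && return 0; done
  return 1
}

# dnat_hits VARIANT IN_IFACE SRC DST DPORT: true when the DNAT rule would match the packet
#   iface   : -i eth1 -p tcp --dport 22                     (post #1)
#   dst     : -d <external_IP> -p tcp --dport 22            (post #4)
#   not-dst : ! -d 192.168.0.0/16 -p tcp --dport 22         (post #6)
#   not-src : ! -s 192.168.0.0/16 -p tcp --dport 22         (post #7)
#   local   : -m addrtype --dst-type LOCAL -p tcp --dport 22 (my addition)
dnat_hits() {
  variant=$1; iif=$2; src=$3; dst=$4; dport=$5
  [ "$dport" = 22 ] || return 1
  case "$variant" in
    iface)   [ "$iif" = eth1 ] ;;
    dst)     [ "$dst" = "$EXT_IP" ] ;;
    not-dst) ! in_192_168 "$dst" ;;
    not-src) ! in_192_168 "$src" ;;
    local)   is_router_addr "$dst" ;;
    *)       return 2 ;;
  esac
}

# The four flows the thread cares about: "ingress-interface source destination description"
FLOWS='eth1 203.0.113.5 198.51.100.7 outside->public:22 (must redirect)
eth0 192.168.192.10 198.51.100.7 LAN->public:22, the hairpin case (must redirect)
eth0 192.168.192.10 203.0.113.50 LAN->external server:22 (must pass through)
eth0 192.168.192.253 203.0.113.50 SSH host->external server:22 (must pass through)'

# variant_ok VARIANT: true when the variant redirects exactly the two flows that should be redirected
variant_ok() {
  v=$1
  dnat_hits "$v" eth1 203.0.113.5 "$EXT_IP" 22        || return 1
  dnat_hits "$v" eth0 192.168.192.10 "$EXT_IP" 22     || return 1
  dnat_hits "$v" eth0 192.168.192.10 203.0.113.50 22  && return 1
  dnat_hits "$v" eth0 192.168.192.253 203.0.113.50 22 && return 1
  return 0
}

# show_matrix: print, per variant, the verdict for each flow
show_matrix() {
  for v in iface dst not-dst not-src local; do
    if variant_ok "$v"; then printf '%s (all four flows correct)\n' "$v"; else printf '%s (wrong for at least one flow)\n' "$v"; fi
    printf '%s\n' "$FLOWS" | while read -r iif src dst desc; do
      if dnat_hits "$v" "$iif" "$src" "$dst" 22; then r=DNAT; else r=pass; fi
      printf '  %-4s %s\n' "$r" "$desc"
    done
  done
}

show_matrix
```

The matrix shows why the thread circled: ! -d 192.168.0.0/16 redirects the hairpin flow but also every LAN-to-Internet SSH connection (the complaint in post #3), ! -s 192.168.0.0/16 protects outbound SSH but misses the hairpin flow (back to post #1), and only a match on the router's own address (-d with the current public IP, or the addrtype match) redirects exactly the right two.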
 