#1  03-18-2014, 06:32 PM  Cidi Rome (LQ Newbie, Registered: Dec 2005, Posts: 17)
Iptables Port forwarding from inside also
Hi.
I've been reading about this in a few posts but haven't been able to solve the problem.
I have this rule:
iptables -t nat -I PREROUTING -i eth1 -p tcp --dport 22 -j DNAT --to 192.168.192.253:22
eth1 is the adapter that gets the outside IP from the modem, and it is a dynamic IP.
When I connect from the outside to the public IP it works correctly, but I also want to be able to connect from inside the local network to the public IP, and that doesn't work.
I've tried removing the "-i eth1" but it still doesn't work, and anyway I believe that would have some other bad impact on port 22 communications to the outside.
Any suggestions?
PS: I've made my example with port 22, but I have a more complex configuration with port ranges and several destinations inside the local network. I think once I'm able to do this one I can port the configuration to my real-case scenario.
Last edited by Cidi Rome; 03-18-2014 at 06:34 PM.
#2  03-18-2014, 06:45 PM  Senior Member (Registered: Jan 2012, Distribution: Slackware, Posts: 3,348)
This is the classic "hairpin NAT" scenario. The reason it doesn't work is that the NAT target on the inside receives a packet from a local IP address, and hence sends the answer directly to the client. The client, however, expects an answer from the public IP address.
The most common solution to this issue is to have the firewall do source NAT for all traffic originating from the local LAN:
Code:
iptables -t nat -A POSTROUTING -s 192.168.192.0/24 -d 192.168.192.253 -p tcp --dport 22 -j MASQUERADE
You will have to lose the "-i eth1" match in the PREROUTING chain, but you can still filter on IP addresses and interfaces in the FORWARD chain of the filter table (which is really what you should be doing anyway).
#3  03-24-2014, 11:26 AM  Cidi Rome (LQ Newbie, Original Poster, Registered: Dec 2005, Posts: 17)
Hi.
Thank you for the reply, it was useful, but because I removed the "-i eth1", outgoing connections to port 22 on external servers are all falling on the redirected machine.
I believe the solution to my problem is hidden in what you said:
Quote:
but you can still filter on IP addresses and interfaces in the FORWARD chain of the filter table (which is really what you should be doing anyway).
but I'm not understanding how to do that... Can you help me?
Best Regards.
#4  03-24-2014, 10:44 PM  Senior Member (Registered: Jan 2012, Distribution: Slackware, Posts: 3,348)
You currently have this rule in your nat chain:
Code:
iptables -t nat -I PREROUTING -i eth1 -p tcp --dport 22 -j DNAT --to 192.168.192.253:22
It will redirect ALL traffic to TCP port 22 as long as it's entering eth1, regardless of destination address.
As I said, to make the NAT rule work for internal traffic entering another interface, the "-i eth1" has to go. To keep the rule from interfering with SSH traffic in general, add a "-d" match:
Code:
iptables -t nat -I PREROUTING -d <external_IP> -p tcp --dport 22 -j DNAT --to 192.168.192.253:22
That leaves the "hairpin NAT" issue, which is solved by source NATing the packets behind the IP address of the internal interface. My previous example should work, but you could add an interface match to make the rule even more precise. Assuming this is called eth0, this rule should do the trick:
Code:
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.192.0/24 -d 192.168.192.253/32 -p tcp --dport 22 -j MASQUERADE
My comment about filtering was related to the interface match you currently have in your PREROUTING rule. If you want to allow/block traffic based on the interface the packets are entering, the filter table is the place to do that.
#5  03-25-2014, 05:19 PM  Cidi Rome (LQ Newbie, Original Poster, Registered: Dec 2005, Posts: 17)
Hi.
I cannot use this:
Quote:
iptables -t nat -I PREROUTING -d <external_IP> -p tcp --dport 22 -j DNAT --to 192.168.192.253:22
because my IP is dynamic, and I would have to change the rule every time it changes.
What is the workaround? I've thought of that, and my reason for using -i was exactly that one.
I had this idea now, but I don't know if it can be used:
Can we use something like "-d !192.168.0.0/16" to include all destinations except the local network areas?
Best Regards.
#6  03-25-2014, 05:29 PM  Cidi Rome (LQ Newbie, Original Poster, Registered: Dec 2005, Posts: 17)
It seems to work OK like this:
Quote:
iptables -t nat -I PREROUTING ! -d 192.168.0.0/16 -p tcp --dport 22 -j DNAT --to 192.168.192.253:22
I will do further testing.
Best Regards.
#7  03-25-2014, 05:35 PM  Smokey_justme (Member, Registered: Oct 2009, Distribution: Slackware, Posts: 534)
No... but "! -s 192.168.0.0/16" should do the trick, if I'm not missing something...
LE: Hmm, weird that -d works... maybe I've misunderstood something.
Last edited by Smokey_justme; 03-25-2014 at 05:37 PM.
#8  03-25-2014, 07:27 PM  Cidi Rome (LQ Newbie, Original Poster, Registered: Dec 2005, Posts: 17)
Quote:
Originally Posted by Smokey_justme
No... but "! -s 192.168.0.0/16" should do the trick, if I'm not missing something...
LE: Hmm, weird that -d works... maybe I've misunderstood something.
Not quite...
If the regular usage would be "-d <external_IP>" and I cannot have that because it is variable, I used "-d all IPs except the known internal ones", which translates to "! -d 192.168.0.0/16" or the deprecated syntax "-d ! 192.168.0.0/16".
I believe it is like this because the packets that have the public address as destination have to be redirected, and with this limitation the packets that do not have a local net as destination are not redirected and pass through. If I put -s as suggested, only the packets from the local network would be redirected.
(A little bit confusing...)
I think it is not very conventional, but it seems to work correctly.
Best Regards.
#9  03-25-2014, 07:51 PM  Smokey_justme (Member, Registered: Oct 2009, Distribution: Slackware, Posts: 534)
Actually, if you put "! -s ...", everything except packets coming in from the network would be translated (thus letting the SSH server box (.253) connect to external SSH servers). Isn't that what you want?
But yeah, just as I was writing I see why "! -d" works... The only thing is that this should again bring you back to step 1 and disallow connections from the LAN using the public IP. Does that still work?
LE: Yeah, just ignore me. I've browsed some docs and it should work, you're right. Sorry for my posts.
Last edited by Smokey_justme; 03-25-2014 at 08:06 PM.
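Editor's added example (not code from the thread or any of its posters): the rules from #2 and #4 assembled into one reviewable script, with the dynamic-IP problem from #5 handled differently. The thread's final rule from #6, `! -d 192.168.0.0/16`, matches any port-22 packet whose destination is outside 192.168.0.0/16, which includes LAN clients connecting out to external SSH servers, the very traffic #3 complained about. Matching with `-m addrtype --dst-type LOCAL` instead selects packets addressed to any address the router itself holds, so it follows a dynamic WAN address without a rewrite; the extra `! -d` on the LAN range keeps SSH to the router's own LAN address out of the DNAT. The interface and address names (eth1 as the modem side, eth0 as the LAN side, 192.168.192.0/24, 192.168.192.253) are assumptions taken from the thread; the FORWARD rules are the filter-table policy #2 and #4 recommend but never spelled out.

```shell
#!/bin/sh
# Added example, not the thread's own rules. Interface and address names are
# assumptions taken from the thread; override them via the environment.
WAN_IF=${WAN_IF:-eth1}                 # modem side, dynamic public IP
LAN_IF=${LAN_IF:-eth0}                 # LAN side (assumed name, as in post #4)
LAN_NET=${LAN_NET:-192.168.192.0/24}   # LAN range
SERVER=${SERVER:-192.168.192.253}      # SSH host behind the router
PORT=${PORT:-22}

# Emit the rules rather than applying them, so they can be reviewed first
# (or generated without root). Run with APPLY=1 to execute them.
hairpin_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# 1. DNAT only packets addressed to one of the router's OWN addresses.
#    addrtype LOCAL tracks whatever address $WAN_IF holds right now, so a
#    dynamic IP needs no rule rewrite, and LAN-to-Internet SSH (destination
#    not local to the router) is left alone. The "! -d" keeps SSH to the
#    router's LAN address from being redirected as well.
iptables -t nat -A PREROUTING -p tcp --dport $PORT -m addrtype --dst-type LOCAL ! -d $LAN_NET -j DNAT --to-destination $SERVER:$PORT
# 2. Hairpin: LAN clients that used the public IP must see the reply come
#    back through the router, so hide them behind the router's LAN address.
iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $SERVER -p tcp --dport $PORT -j MASQUERADE
# 3. Interface policy lives in the filter table. -d here is the post-DNAT
#    address, since PREROUTING runs before FORWARD.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $SERVER -p tcp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $LAN_IF -d $SERVER -p tcp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -P FORWARD DROP
EOF
}

# Number of iptables commands generated; a quick sanity check for reviews.
rule_count() { hairpin_rules | grep -c '^iptables'; }

if [ "${APPLY:-0}" = 1 ]; then
    hairpin_rules | sh     # needs root
else
    hairpin_rules
fi
```

To check the result on the router, open a connection from a LAN client to the public IP and look at `conntrack -L -p tcp --dport 22` (or /proc/net/nf_conntrack): the hairpinned flow should show the original tuple with the public IP as destination and the reply tuple with the router's LAN address as destination, which is exactly what makes the client accept the answer. Connections from a LAN client to an outside host on port 22 must not appear with 192.168.192.253 as their translated destination.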