LinuxQuestions.org
Old 12-31-2014, 01:15 PM   #1
Cybrax
LQ Newbie
 
Registered: Oct 2009
Posts: 24

Rep: Reputation: 0
IPTables: reroute port retaining original ip.


In my IPTables script I have the following lines, in that order, to redirect traffic coming into one system to another inside the LAN.

Everything works with the exception that if I check the remote address on the LAN system I get the IP of the system forwarding the requests instead of the user making the request.

Code:
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 8080 -j ACCEPT
$IPT -A FORWARD -p tcp -i $INET_IFACE --destination-port 8080:8080 --destination $LAN1_IP -j ACCEPT
$IPT -t nat -A PREROUTING -p tcp -i $INET_IFACE --destination-port 8080:8080 -j DNAT --to-destination $LAN1_IP
$IPT -t nat -A PREROUTING -p tcp -i $LOCAL_IFACE --destination-port 8080 -j DNAT --to-destination $LAN1_IP
$IPT -t nat -A POSTROUTING -p tcp -d $LAN1_IP --dport 8080 -j MASQUERADE

Could anyone point me to how I can fix that?
 
Old 12-31-2014, 05:09 PM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,347

Rep: Reputation: Disabled
Quote:
Originally Posted by Cybrax View Post
Everything works with the exception that if I check the remote address on the lan system I get the IP of the system forwarding the requests instead of the user making the request.
That's because of this rule:
Quote:
Originally Posted by Cybrax View Post
$IPT -t nat -A POSTROUTING -p tcp -d $LAN1_IP --dport 8080 -j MASQUERADE
 
1 members found this post helpful.
Old 12-31-2014, 06:05 PM   #3
Cybrax
LQ Newbie
 
Registered: Oct 2009
Posts: 24

Original Poster
Rep: Reputation: 0
That does indeed resolve the problem but a new one arises

Basically the setup is

_____________________________-----<>--- PC2
WORLD --> INTERNET <-> PC1 --|
_____________________________-----<>--- PC3

PC1 makes sure PC2 and 3 can use the internet using iptables

PC1 also routes port 8080 to PC2 using iptables

Now if I remove the MASQUERADE line as you suggested, using http://mydomainname:8080 on PC3 will no longer connect.
 
Old 12-31-2014, 06:52 PM   #4
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,347

Rep: Reputation: Disabled
That's correct, because connecting to an external resource NATed to an internal resource from a PC in that same internal network, is a so-called "hairpin NAT" scenario.

This is what happens:
  1. PC3 connects to http://external.domain:8080 (source address: PC3, destination address: Public IP of PC1)
  2. PC1 performs destination NAT and redirects the packet to PC2 (source address: PC3, destination address: PC2)
  3. PC2 receives the packet and responds by sending a packet directly to PC3; as it resides in the same network as PC2, there's no need to send the packet through the router (source address: PC2, destination address: PC3)
  4. PC3 rejects the packet, since it expects a response from the public IP address of PC1, not the local IP address of PC2
If PC2 was placed in a different network zone, the problem would disappear since return traffic would have to go through the router (PC1). That is the recommended and most common solution.

An alternative hack would be to alter the NAT MASQUERADE rule to only handle traffic originating from the inside:
Code:
$IPT -t nat -A POSTROUTING -p tcp -s $LAN1_NET -d $LAN1_IP --dport 8080 -j MASQUERADE
Here, $LAN1_NET would be the network address of the internal network, for instance "192.168.1.0/24".

Yet another hack would be to create an A record in the local DNS server, making "external.domain" resolve to the internal IP of PC2.

Last edited by Ser Olmy; 12-31-2014 at 06:54 PM.
 
2 members found this post helpful.
Old 12-31-2014, 07:21 PM   #5
Cybrax
LQ Newbie
 
Registered: Oct 2009
Posts: 24

Original Poster
Rep: Reputation: 0
Thank you so much for the help.

Quote:
#$IPT -t nat -A POSTROUTING -p tcp -s $LAN1_NET -d $LAN1_IP --dport 8080 -j MASQUERADE
Did not allow me to connect using http://mydomain:8080/

However, I did some experimenting before reading your comment and the following line


Quote:
$IPT -t nat -A POSTROUTING -s $LAN2_IP -p tcp -d $LAN1_IP --dport 8080 -j MASQUERADE
Did allow me to connect using http://mydomain:8080/, albeit that the IP was not the originating IP, but from inside the network I can live with that, as long as the outside connections show the user's IP.
 
Old 12-31-2014, 07:38 PM   #6
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,347

Rep: Reputation: Disabled
(Could you use [code] tags instead of [quote] tags for stuff like iptables commands? Text inside [quote] tags is not included among the quoted text in replies, and has to be copied in manually.)
Quote:
Originally Posted by Cybrax View Post
Thank you so much for the help.
Code:
#$IPT -t nat -A POSTROUTING -p tcp -s $LAN1_NET -d $LAN1_IP --dport 8080 -j MASQUERADE
Did not allow me to connect using http://mydomain:8080/
Then there's something wrong with the $LAN1_IP variable.
Quote:
Originally Posted by Cybrax View Post
However, I did some experimenting before reading your comment and the following line
Code:
$IPT -t nat -A POSTROUTING -s $LAN2_IP -p tcp -d $LAN1_IP --dport 8080 -j MASQUERADE
Did allow me to connect using http://mydomain:8080/,
That rule is identical to the one I suggested, except it specifies a single IP rather than the entire internal network.
Quote:
Originally Posted by Cybrax View Post
be it that the IP was not the originating IP, but form inside the network I can live with that, as long as the outside connections show the users IP.
Yes, that's the disadvantage of source NATing traffic; the original IP address doesn't appear in the logs.

If you go for the DNS A record solution instead, the IP addresses will be unchanged for both internal and external traffic.
 
1 members found this post helpful.
Old 12-31-2014, 07:47 PM   #7
Cybrax
LQ Newbie
 
Registered: Oct 2009
Posts: 24

Original Poster
Rep: Reputation: 0
I copied your code and changed $LAN1_NET to $LOCAL_NET, which was my variable; I then changed my own line with $LOCAL_NET and it worked, maybe a weird character in the copy-paste.

Right now it pretty much works to satisfaction.

Thank you I have learned something.
 
Old 03-20-2015, 05:43 AM   #8
Cybrax
LQ Newbie
 
Registered: Oct 2009
Posts: 24

Original Poster
Rep: Reputation: 0
This issue was marked as solved since it was working great, but today a new problem arose:

I was routing port 8080 from one machine to another, which worked great, but today I received a link to another website outside my network on port 8080.

To my surprise instead of loading the site it redirected me to my own internal server on 8080.

What would I need to do to retain my routing scheme but not route to the machine if the target is not inside the network?
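As an added example (not code from the thread or from either poster), here is the rule set that the hairpin-NAT explanation in post #4 leads to, written as a small POSIX shell script. The interface names, the addresses and the `$PUBLIC_IP` variable are assumptions: the thread uses `$INET_IFACE`, `$LOCAL_IFACE`, `$LAN1_IP` and `$LAN1_NET` but never shows their values. The script also covers the final question: the LAN-side PREROUTING rule in post #1 has no `-d` match, so every connection from the LAN to any host on port 8080 is DNATed to PC2; adding `-d $PUBLIC_IP` limits the redirect to connections aimed at the router's own public address. `IPT` defaults to `echo iptables` so the script prints the rules instead of applying them; run it with `IPT=iptables` as root to apply.

```shell
#!/bin/sh
# Added example, not from the thread: hairpin NAT for an internal server on port 8080.
# IPT defaults to "echo iptables" (dry run); set IPT=iptables to apply for real.
IPT="${IPT:-echo iptables}"

# Assumed values (constructed; the thread never shows them).
INET_IFACE="${INET_IFACE:-eth0}"          # interface facing the internet
LOCAL_IFACE="${LOCAL_IFACE:-eth1}"        # interface facing the LAN
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"    # PC1's public address (assumed variable)
LAN_NET="${LAN_NET:-192.168.1.0/24}"      # the thread's $LAN1_NET / $LOCAL_NET
LAN1_IP="${LAN1_IP:-192.168.1.20}"        # PC2, the internal web server
PORT="${PORT:-8080}"

# 1. DNAT for connections arriving from the internet (same as the thread's rule).
dnat_from_internet() {
  $IPT -t nat -A PREROUTING -p tcp -i "$INET_IFACE" --dport "$PORT" \
    -j DNAT --to-destination "$LAN1_IP"
}

# 2. DNAT for connections from the LAN, restricted with -d to the router's public IP.
#    Without -d, a LAN client opening some other site on port 8080 is also redirected
#    to PC2, which is the behaviour reported in the last post.
dnat_from_lan() {
  $IPT -t nat -A PREROUTING -p tcp -i "$LOCAL_IFACE" -d "$PUBLIC_IP" --dport "$PORT" \
    -j DNAT --to-destination "$LAN1_IP"
}

# 3. Source NAT only for hairpinned LAN clients, so PC2's reply goes back via PC1.
#    Internet clients are not matched by -s, so PC2 still sees their real address.
#    The original, unrestricted rule (masquerades everyone, hides all client IPs) was:
#      $IPT -t nat -A POSTROUTING -p tcp -d $LAN1_IP --dport 8080 -j MASQUERADE
snat_hairpin() {
  $IPT -t nat -A POSTROUTING -p tcp -s "$LAN_NET" -d "$LAN1_IP" --dport "$PORT" \
    -j MASQUERADE
}

# 4. Let the DNATed traffic through the FORWARD chain.
forward_accept() {
  $IPT -A FORWARD -p tcp -d "$LAN1_IP" --dport "$PORT" -j ACCEPT
}

# Constructed helper (not iptables): would rule 2 redirect a LAN packet to $1:$2?
# Shows that only the router's own public address triggers the hairpin redirect.
lan_dnat_matches() {
  [ "$1" = "$PUBLIC_IP" ] && [ "$2" = "$PORT" ]
}

apply_all() {
  dnat_from_internet
  dnat_from_lan
  snat_hairpin
  forward_accept
}

apply_all
```

Rule order matters only within each chain: the two PREROUTING rules are independent because they match different inbound interfaces, and the POSTROUTING rule is consulted after DNAT has already rewritten the destination to `$LAN1_IP`.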
 