LinuxQuestions.org
Old 05-05-2016, 04:41 PM   #1
me4ka86
LQ Newbie
 
Registered: May 2016
Posts: 6

Rep: Reputation: Disabled
Need help with iptables routing


Hello guys,

I am facing some difficulties creating some iptables rules. I would appreciate some help.

Diagram

So this is the diagram. I have 2 servers and one VM. On server 1 I have 2 public IPs. I use the main one for the server itself, but the second one is free. On server 2 I have just one IP. I want the VM to have a public IP, so basically I want to route all traffic from 1.1.1.2 to the VM (4.4.4.5) on server 2. So for example if I open PuTTY and give address 1.1.1.2 port 22, I am logging directly into 4.4.4.5 port 22. On the other side I want 4.4.4.5 to route to 1.1.1.2 and then to the internet. The idea is for VM1 to operate with 1.1.1.2 as if it were its own IP. I would appreciate some help with the iptables rules. Thanks.
 
Old 05-05-2016, 11:29 PM   #2
Ztcoracat
LQ Guru
 
Registered: Dec 2011
Distribution: Slackware, Manjaro
Posts: 8,911
Blog Entries: 14

Rep: Reputation: 1085
Hi, and welcome to LinuxQuestions.

Configuring and managing iptables is not my area of expertise; sorry.

You'll need the assistance of members here that have that experience. So until they chime in, hang in there and try some of these links. You should mention what distribution you are running.
Good luck to you.

http://www.thegeekstuff.com/2011/06/...ules-examples/
http://www.cyberciti.biz/tips/linux-...-examples.html

https://www.digitalocean.com/communi...s-and-commands
https://wiki.archlinux.org/index.php/iptables
 
Old 05-06-2016, 02:17 AM   #3
vincix
Member
 
Registered: Feb 2011
Distribution: Centos 7
Posts: 907

Rep: Reputation: 74
Quote:
Originally Posted by me4ka86 View Post
Hello guys,

I am facing some difficulties creating some iptables rules. I would appreciate some help.

Diagram

So this is the diagram. I have 2 servers and one VM. On server 1 I have 2 public IPs. I use the main one for the server itself, but the second one is free. On server 2 I have just one IP. I want the VM to have a public IP, so basically I want to route all traffic from 1.1.1.2 to the VM (4.4.4.5) on server 2. So for example if I open PuTTY and give address 1.1.1.2 port 22, I am logging directly into 4.4.4.5 port 22. On the other side I want 4.4.4.5 to route to 1.1.1.2 and then to the internet. The idea is for VM1 to operate with 1.1.1.2 as if it were its own IP. I would appreciate some help with the iptables rules. Thanks.
There are several things to take into consideration. On the one hand, it's the NAT. You're going to need to use SNAT for the private LANs.

Is server1 going to be used as a router for the entire network?

You also need to take into consideration routing (you probably need to use static routes), which you don't set up in iptables, but with the ip command (or route, which is slightly deprecated).
 
Old 05-06-2016, 02:18 AM   #4
vincix
Member
 
Registered: Feb 2011
Distribution: Centos 7
Posts: 907

Rep: Reputation: 74
What do you mean by saying that on server 2 you have only one ip?
From the diagram, I'd infer that you have 2 IPs (2.2.2.2 and 4.4.4.4), and you should have a third IP for the 3.3.3.3 network. And probably another interface? Or a second ip on the same interface for the private LAN?

Last edited by vincix; 05-06-2016 at 02:21 AM.
 
Old 05-06-2016, 03:25 AM   #5
me4ka86
LQ Newbie
 
Registered: May 2016
Posts: 6

Original Poster
Rep: Reputation: Disabled
Thanks for the answer. I checked out the links as many others during the last 3 days. I have some partial success, but overall not working.
 
Old 05-06-2016, 03:31 AM   #6
me4ka86
LQ Newbie
 
Registered: May 2016
Posts: 6

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by vincix View Post
There are several things to take into consideration. On the one hand, it's the NAT. You're going to need to use SNAT for the private LANs.

Is server1 going to be used as a router for the entire network?

You also need to take into consideration routing (you probably need to use static routes), which you don't set up in iptables, but with the ip command (or route, which is slightly deprecated).
Yes, the second IP is going to be used as a router.

The idea being:

I make an ssh/http request to 1.1.1.2 and 4.4.4.5 answers the request.
Also, if I check my external public IP from 4.4.4.5 via "wget http://ipinfo.io/ip -qO -" for example, I want to get 1.1.1.2, so all traffic to the internet is routed via 1.1.1.2.
 
Old 05-06-2016, 03:34 AM   #7
me4ka86
LQ Newbie
 
Registered: May 2016
Posts: 6

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by vincix View Post
What do you mean by saying that on server 2 you have only one ip?
From the diagram, I'd infer that you have 2 IPs (2.2.2.2 and 4.4.4.4), and you should have a third IP for the 3.3.3.3 network. And probably another interface? Or a second ip on the same interface for the private LAN?
2.2.2.2 is the public address of server2.
3.3.3.3 is shown as the address on eth0 on server2. I guess it is assigned by DHCP from the host.
4.4.4.4 is the bridge I use in order to connect to the VM.

BTW, all machines are Debian.
 
Old 05-06-2016, 04:30 AM   #8
vincix
Member
 
Registered: Feb 2011
Distribution: Centos 7
Posts: 907

Rep: Reputation: 74
Quote:
Originally Posted by me4ka86 View Post
2.2.2.2 is the public address of server2.
3.3.3.3 is shown as the address on eth0 on server2. I guess it is assigned by DHCP from the host.
4.4.4.4 is the bridge I use in order to connect to the VM.

BTW, all machines are Debian.
All right, so what are you going to use 1.1.1.1 for then? On the diagram it says that it's the main IP, but from what you're saying, it seems to be the secondary IP.

Or is it secondary only in a conventional way, as it's eth0:0?

Last edited by vincix; 05-06-2016 at 04:32 AM.
 
Old 05-06-2016, 09:43 PM   #9
Ztcoracat
LQ Guru
 
Registered: Dec 2011
Distribution: Slackware, Manjaro
Posts: 8,911
Blog Entries: 14

Rep: Reputation: 1085
Quote:
Originally Posted by me4ka86 View Post
Thanks for the answer. I checked out the links as many others during the last 3 days. I have some partial success, but overall not working.
You're Welcome-

vincix:
Thanks for joining the thread-
 
Old 05-07-2016, 10:17 AM   #10
me4ka86
LQ Newbie
 
Registered: May 2016
Posts: 6

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by vincix View Post
All right, so what are you going to use 1.1.1.1 for then? On the diagram it says that it's the main IP, but from what you're saying, it seems to be the secondary IP.

Or is it secondary only in a conventional way, as it's eth0:0?

1.1.1.1 is the main public address on eth0. I want to use it for http, for example.
1.1.1.2 is on eth0:0 and it is secondary/spare. This is the one I want to use on the VM hosted on server2.
 
Old 05-09-2016, 08:56 AM   #11
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,186
Blog Entries: 3

Rep: Reputation: 187Reputation: 187
Seems simple enough. You are going to have to DNAT 1.1.1.2:22 to 4.4.4.5:22 on Server1.

DNAT will take place in the PREROUTING rules on Server1
Code:
# -d 1.1.1.2 keeps the main address (1.1.1.1) out of the redirect
iptables -t nat -A PREROUTING -i eth0 -d 1.1.1.2 -p tcp --dport 22 -j DNAT --to-destination 4.4.4.5
And make sure you have the proper rule in your FORWARD rules on Server1 (I am hoping you have a rule for ESTABLISHED,RELATED already)
Code:
iptables -A FORWARD -i eth0 -p tcp -d 4.4.4.5 --dport 22 -m conntrack --ctstate NEW -j ACCEPT
You are also going to need a FORWARDing rule on Server2. I'll let you figure out how you want that rule to look.


And you are going to need the POSTROUTING rule for return traffic also on Server1
Code:
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 4.4.4.5 --sport 22 -j SNAT --to-source 1.1.1.2
You are going to have to ensure that Server1 knows how to get to VM1 via a route.

Please keep in mind the above is only from memory, so you might want to double check the rules to ensure they will work properly in your environment. There may be mistakes in them; I have not verified them myself.
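Pulling lazydog's three rules together, here is an added example (my code, not lazydog's and not from the thread) of the complete Server1 side as one shell function that emits the commands, with the FORWARD chain default-deny and conntrack doing the reply matching. Assumptions that are not in the thread: Server1 reaches Server2 and the VM over a tunnel interface named tun0 on which Server2 is 10.99.0.2, and the VM's default route already goes back through Server1. That second assumption matters: conntrack on Server1 reverses the DNAT for replies only if it sees them, so the VM's replies must come back via Server1, which is also what the OP wants for egress (seen as 1.1.1.2). The POSTROUTING SNAT is therefore not for replies to DNAT'd connections (conntrack handles those) but for new connections the VM opens itself, so it matches on the VM source only, without --sport 22.

```shell
#!/usr/bin/env bash
# Added example: one-to-one NAT of a spare public IP (1.1.1.2) to a VM (4.4.4.5)
# behind a second host, as a function that emits (or applies) the Server1 rules.
# Assumptions (not from the thread): the link from Server1 toward Server2/VM is
# a tunnel interface "tun0" with Server2 reachable as 10.99.0.2 on it, and the
# VM's default route already points back through Server1.
set -eu

# Emit the Server1 ruleset for mapping PUBLIC_IP <-> VM_IP, one command per line.
# Usage: server1_nat_rules PUBLIC_IP VM_IP WAN_IF INSIDE_IF NEXT_HOP [TCP_PORT...]
server1_nat_rules() {
  local pub="$1" vm="$2" wan="$3" inside="$4" hop="$5"; shift 5
  local port
  printf '%s\n' "sysctl -w net.ipv4.ip_forward=1"
  # Route to the VM's subnet via Server2; assumes a /24 as in lazydog's reply.
  printf '%s\n' "ip route replace ${vm%.*}.0/24 via $hop dev $inside"
  # Inbound: everything arriving for the spare public IP is rewritten to the VM.
  # Matching on -d keeps the main address (1.1.1.1 in the thread) untouched.
  printf '%s\n' "iptables -t nat -A PREROUTING -i $wan -d $pub -j DNAT --to-destination $vm"
  # Outbound: new connections from the VM leave with the spare public IP.
  # conntrack un-NATs replies to DNAT'd flows by itself, so no --sport match here.
  printf '%s\n' "iptables -t nat -A POSTROUTING -o $wan -s $vm -j SNAT --to-source $pub"
  # Filter: default deny, accept replies, drop junk, allow only published ports in.
  printf '%s\n' "iptables -P FORWARD DROP"
  printf '%s\n' "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  printf '%s\n' "iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP"
  for port in "$@"; do
    printf '%s\n' "iptables -A FORWARD -i $wan -o $inside -d $vm -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
  done
  # VM egress to anywhere, as the OP wants its internet traffic to leave via 1.1.1.2.
  printf '%s\n' "iptables -A FORWARD -i $inside -o $wan -s $vm -m conntrack --ctstate NEW -j ACCEPT"
}

# Apply the emitted commands with eval, or only print them when DRY_RUN=1.
apply_rules() {
  local line
  server1_nat_rules "$@" | while IFS= read -r line; do
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$line"; else eval "$line"; fi
  done
}

# Uncomment to run on Server1 (needs root); values follow the thread's diagram:
# DRY_RUN=1 apply_rules 1.1.1.2 4.4.4.5 eth0 tun0 10.99.0.2 22 80
```

Run it with DRY_RUN=1 first and read the commands; drop DRY_RUN to apply them. Server2 still needs ip_forward enabled and its own FORWARD accept between the tunnel and the VM bridge, as lazydog says.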
 
Old 05-09-2016, 09:12 AM   #12
me4ka86
LQ Newbie
 
Registered: May 2016
Posts: 6

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by lazydog View Post
Seems simple enough. You are going to have to DNAT 1.1.1.2:22 to 4.4.4.5:22 on Server1.

DNAT will take place in the PREROUTING rules on Server1
Code:
# -d 1.1.1.2 keeps the main address (1.1.1.1) out of the redirect
iptables -t nat -A PREROUTING -i eth0 -d 1.1.1.2 -p tcp --dport 22 -j DNAT --to-destination 4.4.4.5
And make sure you have the proper rule in your FORWARD rules on Server1 (I am hoping you have a rule for ESTABLISHED,RELATED already)
Code:
iptables -A FORWARD -i eth0 -p tcp -d 4.4.4.5 --dport 22 -m conntrack --ctstate NEW -j ACCEPT
You are also going to need a FORWARDing rule on Server2. I'll let you figure out how you want that rule to look.


And you are going to need the POSTROUTING rule for return traffic also on Server1
Code:
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 4.4.4.5 --sport 22 -j SNAT --to-source 1.1.1.2
You are going to have to ensure that Server1 knows how to get to VM1 via a route.

Please keep in mind the above is only from memory, so you might want to double check the rules to ensure they will work properly in your environment. There may be mistakes in them; I have not verified them myself.
Thanks for the answer with examples! Isn't that overly simplified though? How does 1.1.1.2 know where 4.4.4.5 is? Should we first DNAT to server2 and then have server2 DNAT to 4.4.4.5?
 
Old 05-09-2016, 09:47 AM   #13
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,186
Blog Entries: 3

Rep: Reputation: 187Reputation: 187
Quote:
Originally Posted by me4ka86 View Post
Thanks for the answer with examples! Isn't that overly simplified though? How does 1.1.1.2 know where 4.4.4.5 is? Should we first DNAT to server2 and then have server2 DNAT to 4.4.4.5?
Yes, it simply works. As to double DNAT, I try to stay away from that; fewer problems when troubleshooting. And once you are in the internal network, everything should already know how to get to every other node on the network.

If you will re-read my post, I stated there towards the end that you have to ensure Server1 knows how to reach VM1. This can be done with routing. Add a route for 4.4.4.0/24 (assuming that this network is a class C) to Server1 pointing to Server2. Now Server1 knows how to get to VM1.
 
Old 06-07-2016, 06:01 PM   #14
griswold27
LQ Newbie
 
Registered: Jun 2016
Posts: 3

Rep: Reputation: Disabled
Hi all.
Can someone help me on this:
I have 3 virtual machines with Ubuntu; that is, 3 computers.
Left is pcA, 10.0.0.4 on eth0. It has a default route to 10.0.0.1.
Then pcB, which is the router: eth0 192.168.0.105, and I created a virtual interface eth0:left 10.0.0.1.
Right is pcC, 192.168.0.106. It doesn't have a route to network 10.0.0.0/24.
I want to ssh from pcC to pcA, actually to the router, which I want to connect me to pcA (port forwarding and DNAT),
so from pcC I type: ssh 192.168.0.105 and connect to pcA.

iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# eth0:left is an IP alias, not a device; netfilter only sees eth0, so -i/-o eth0:left never matches
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth0 -s 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth0 -p tcp -d 10.0.0.4 --dport 22 -j ACCEPT
(or this instead: iptables -A FORWARD -p tcp -d 10.0.0.4 --dport 22 -j ACCEPT)

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to-destination 10.0.0.4:22
echo 1 > /proc/sys/net/ipv4/ip_forward

It won't work unless: iptables -P FORWARD ACCEPT
So I guess something is not OK with the FORWARD chains...

I've lost 3 hours on this already..

Thanks in advance

Last edited by griswold27; 06-07-2016 at 06:02 PM.
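Why a ruleset like the one above works only with FORWARD set to ACCEPT can be read off the rules themselves: eth0:left is an IP alias, not a network device, so -i/-o eth0:left never matches a packet, and with policy DROP the replies from pcA die in FORWARD. Added example, not griswold27's code: a lint that reads iptables-save output and flags alias interface names in -i/-o, a DROP policy on FORWARD with no ESTABLISHED,RELATED accept, and DNAT targets with no FORWARD accept for the rewritten destination. The two dumps inside are constructed to mirror the posted ruleset and a corrected form of it; on a real router run `iptables-save | lint_iptables_save`.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): lint `iptables-save` output for the
# three mistakes that make a DNAT port-forward fail until FORWARD is ACCEPT.
# Live use:  iptables-save | lint_iptables_save
set -eu

# Reads an iptables-save dump on stdin and prints one finding per line.
# Prints nothing when none of the checks fire.
lint_iptables_save() {
  local dump filter nat r dst
  dump=$(cat)
  filter=$(printf '%s\n' "$dump" | sed -n '/^\*filter/,/^COMMIT/p')
  nat=$(printf '%s\n' "$dump" | sed -n '/^\*nat/,/^COMMIT/p')

  # 1. "eth0:left" is an IP alias, not a device. netfilter matches -i/-o on the
  #    real device name (eth0), so a rule naming an alias never matches.
  printf '%s\n' "$dump" | grep -E -- '-(i|o) [^ ]+:[^ ]+' | while IFS= read -r r; do
    printf 'alias-interface: %s\n' "$r"
  done

  # 2. Policy DROP on FORWARD with no ESTABLISHED,RELATED accept: the SYN passes
  #    on the --dport rule, the reply is dropped, and nothing ever connects.
  if printf '%s\n' "$filter" | grep -q '^:FORWARD DROP' &&
     ! printf '%s\n' "$filter" | grep -E -- '^-A FORWARD ' |
       grep -Eq -- '--(ctstate|state) [A-Z,]*ESTABLISHED'; then
    printf 'forward-no-established: FORWARD policy DROP but no ESTABLISHED,RELATED rule\n'
  fi

  # 3. Every DNAT target needs a FORWARD accept for the rewritten destination
  #    (FORWARD sees the post-DNAT address, not the public one).
  printf '%s\n' "$nat" | sed -n 's/.*-j DNAT --to-destination \([0-9.]*\).*/\1/p' | sort -u |
  while IFS= read -r dst; do
    if ! printf '%s\n' "$filter" | grep -E -- '^-A FORWARD ' | grep -Eq -- "-d ${dst}(/32)? "; then
      printf 'dnat-without-forward: %s\n' "$dst"
    fi
  done
}

# Constructed sample mirroring griswold27's ruleset as iptables-save prints it.
BAD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.0.0.4:22
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 10.0.0.0/24 -i eth0:left -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth0:left -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Constructed sample of the corrected ruleset: real device names, a stateful
# accept for replies, and a FORWARD accept for the DNAT target.
GOOD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.0.0.4:22
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.0.0.4/32 -i eth0 -o eth0 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s 10.0.0.0/24 -i eth0 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
COMMIT'

# Stand-alone run: findings for the broken dump, then (nothing) for the fixed one.
printf '%s\n' "$BAD_DUMP" | lint_iptables_save
printf '%s\n' "$GOOD_DUMP" | lint_iptables_save
```

The checks are deliberately narrow string matches over iptables-save's canonical output, so they are a quick sanity pass, not a substitute for watching the FORWARD counters with `iptables -vnL FORWARD` while the ssh attempt is made.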
 
Old 06-07-2016, 11:03 PM   #15
Ztcoracat
LQ Guru
 
Registered: Dec 2011
Distribution: Slackware, Manjaro
Posts: 8,911
Blog Entries: 14

Rep: Reputation: 1085
Quote:
Originally Posted by griswold27 View Post
Hi all.
Can someone help me on this:
I have 3 virtual machines with Ubuntu; that is, 3 computers.
Left is pcA, 10.0.0.4 on eth0. It has a default route to 10.0.0.1.
Then pcB, which is the router: eth0 192.168.0.105, and I created a virtual interface eth0:left 10.0.0.1.
Right is pcC, 192.168.0.106. It doesn't have a route to network 10.0.0.0/24.
I want to ssh from pcC to pcA, actually to the router, which I want to connect me to pcA (port forwarding and DNAT),
so from pcC I type: ssh 192.168.0.105 and connect to pcA.

iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# eth0:left is an IP alias, not a device; netfilter only sees eth0, so -i/-o eth0:left never matches
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth0 -s 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth0 -p tcp -d 10.0.0.4 --dport 22 -j ACCEPT
(or this instead: iptables -A FORWARD -p tcp -d 10.0.0.4 --dport 22 -j ACCEPT)

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to-destination 10.0.0.4:22
echo 1 > /proc/sys/net/ipv4/ip_forward

It won't work unless: iptables -P FORWARD ACCEPT
So I guess something is not OK with the FORWARD chains...

I've lost 3 hours on this already..

Thanks in advance

Welcome to LQ, griswold27.

Rather than take over me4ka86's thread for your issue, it would be better for you to start your own thread.
 
  

