[Wylug-help] IP Forwarding with IP tables
Adam Greenwood
adam at greenwood-peace.org.uk
Thu Oct 13 20:54:17 BST 2005
James Holden wrote:
>Gary Stainburn wrote:
>
>
>>Hi folks.
>>
>>probably a FAQ but I'm struggling.
>>I have an internet connection linked to eth1 and a LAN connected to eth0
>>
>>I want to set up simple 1-to-1 NATing thus:
>>
>>x.y.z.141 == 10.1.1.141
>>x.y.z.142 == 10.1.1.142
>>x.y.z.143 == 10.1.1.143
>>
>>so that incoming traffic to .141 goes to the right place. This bit I've
>>sorted, but the problem I've got is how do I get the outgoing to appear
>>to come from the correct IP address and not the normal IP address of
>>eth1
>
>If you're trying to NAT to many machines on the inside, and those
>machines need to run the same services, then you'll need to NAT the
>destination port too. For instance:
>
>x.y.z.141 port 2022 == 10.1.1.141 port 22
>x.y.z.141 port 3022 == 10.1.1.142 port 22
>
>This is what you would do if you wanted to SSH to two different machines
>inside the firewall.
That's port forwarding. If you really have multiple IP addresses on your
outside interface, you don't need that, as each port 22 is on a
different address and is a unique IP address/port pair. If you have 3
IPs on a box you have 3 port 22s. NAT should be simpler than port
forwarding, but I've never done it on a Linux box.
Gary, are you using DNAT to nat inbound to the machines on the LAN? I'm
curious about this as I'll need to do it myself in a few weeks.
I thought that DNAT automatically dealt with the other half of the
connection for you, in the iptables man page it says:
    DNAT
        This target is only valid in the nat table, in the PREROUTING
        and OUTPUT chains, and user-defined chains which are only called
        from those chains. It specifies that the destination address of
        the packet should be modified (and all future packets in this
        connection will also be mangled), and rules should cease being
        examined. It takes one type of option:
    ...
So you should just need to do something like:
    # inbound on eth1 for the public address, rewritten to the LAN host
    iptables -t nat -A PREROUTING -i eth1 -d x.y.z.141 -j DNAT --to-destination 10.1.1.141
I didn't think you needed to do SNAT explicitly on the way out, eg:
    # outbound from the LAN host on eth1, rewritten to its public address
    iptables -t nat -A POSTROUTING -o eth1 -s 10.1.1.141 -j SNAT --to-source x.y.z.141
(Obviously those examples will NAT everything, you might want to add
some destination protocol and port specs to the DNAT so only the ports
you need are available).
Can you tell what is happening, ie are packets getting back through the
gateway OK, and are showing up at client end with the wrong source
address as it hasn't been rewritten? There should be no problem with the
packets getting out, they will have the correct destination address, but
if the NAT on the way out isn't working will appear to come from
10.1.1.x so won't look like part of the same TCP connection when they
get back to the client machine. If they aren't getting out at all it's
probably not a NAT problem.
Someone who knows IP Tables will be able to help more - I'm working this
out from scratch because I'm interested.
Cheers,
Adam
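As an added example (not code from anyone in the thread), a POSIX shell script that generates the full DNAT/SNAT pair for each of Gary's three mappings, with eth1 as the internet side and eth0 as the LAN as in his post; x.y.z stays the placeholder public prefix and the default inbound port list is a constructed assumption. Conntrack already un-NATs the replies of a DNAT'd connection, so the SNAT rule only matters for connections the LAN host opens itself, which would otherwise leave carrying eth1's primary address.

```shell
#!/bin/sh
# Generates 1:1 NAT rules for the setup in the thread: eth1 faces the
# internet, eth0 the LAN, and public x.y.z.N maps to private 10.1.1.N.
# "x.y.z" is the thread's placeholder prefix; substitute the real one.
WAN_IF="eth1"
LAN_IF="eth0"
PUB_PREFIX="x.y.z"
LAN_PREFIX="10.1.1"
# TCP ports reachable from outside on each mapped host (constructed default).
INBOUND_TCP_PORTS="22"

# Print the rules for one public <-> private pair.
# The nat table is consulted only for the first packet of a connection and
# conntrack then rewrites the replies on its own, so the SNAT rule below only
# affects connections the LAN host opens itself; without it those would
# leave carrying eth1's primary address, which is the symptom Gary reports.
nat_pair_rules() {
    pub="$1"; lan="$2"; ports="$3"
    # Inbound: traffic arriving on eth1 for the public address goes to the LAN host.
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $pub -j DNAT --to-destination $lan"
    # Outbound: connections the LAN host opens keep its own public address.
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $lan -j SNAT --to-source $pub"
    # Filter: let the host out, let replies back in, and admit new inbound
    # connections only on the listed ports (DNAT alone does not permit forwarding).
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $lan -j ACCEPT"
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $ports; do
        echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $lan -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# Emit the complete rule set for the given host numbers, e.g. all_rules 141 142 143.
all_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -P FORWARD DROP"
    for n in "$@"; do
        nat_pair_rules "$PUB_PREFIX.$n" "$LAN_PREFIX.$n" "$INBOUND_TCP_PORTS"
    done
}

# Number of commands produced; a quick sanity check before piping into sh.
rule_count() { all_rules "$@" | wc -l | tr -d ' '; }

# Review the output first; if saved as nat.sh, apply as root with:  sh nat.sh | sudo sh
all_rules 141 142 143
```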