noahisaac asked:

IP masquerading multiple public IP's to multiple private servers - not working

Hi -

I've seen a number of solutions for using iptables to set up IP masquerading with multiple public IP's to multiple servers with private addresses. I've tried some of them, but I can't get any working. I'm using virtual interfaces for the extra public IP's and SNAT/DNAT in iptables to get the traffic inside. The result I get is that all traffic on any of the IP's or ports just gets directed to the gateway instead of getting forwarded to the respective servers. I'm a complete iptables noob, so maybe I've just put the rules in the wrong order?! Here's some info:

Internal addresses:
192.168.42.0/24
Public Addresses:
12.170.114.32/27

IP Masquerading Router interfaces:
eth1 - 12.170.114.35
eth1:1 - 12.170.114.36
eth1:2 - 12.170.114.37
eth1:3 - 12.170.114.38
eth1:4 - 12.170.114.39
eth1:5 - 12.170.114.40
eth1:6 - 12.170.114.41
eth0 - 192.168.42.110

Here's my (abridged) iptables config:

$IPTABLES -P INPUT ACCEPT

$IPTABLES -t nat -A PREROUTING -i eth1 -p tcp -d 12.170.114.41 --dport 22 -j DNAT --to 192.168.42.122:22
$IPTABLES -t nat -A POSTROUTING -s 192.168.42.122 -p tcp --sport 22 -o eth1 -j SNAT --to-source 12.170.114.41

$IPTABLES -t nat -A PREROUTING -i eth1 -p tcp -d 12.170.114.36 --dport 25 -j DNAT --to 192.168.42.115:25
$IPTABLES -t nat -A POSTROUTING -s 192.168.42.115 -p tcp --sport 25 -o eth1 -j SNAT --to-source 12.170.114.36

$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

Thanks!
Noah
Pablo Allietti

I have this for iptables and it works great:


iptables -t nat -A POSTROUTING -s 192.168.1.10 -d 0.0.0.0/0 -j SNAT --to-source 200.40.228.70
jlevie

> I'm using virtual interfaces for the extra public IP's and SNAT/DNAT in iptables to get the traffic inside. The result
> I get is that all traffic on any of the IP's

Well, that's what a static NAT translation does. Port forwarding only works when you aren't using static NAT translations. With multiple outside IP's, static NAT is what one ordinarily wants to use. Do you have some special requirements that make it unsuitable?
noahisaac (asker)

Thanks pablouruguay and jlevie -

> Well, that's what a static NAT translation does. Port forwarding only works when you aren't using static NAT translations.
> With multiple outside IP's, static NAT is what one ordinarily wants to use.

I have no special attachment to the solution I was trying, it was just what I'd found when searching through google and other experts exchange posts.


> Do you have some special requirements that
> make it unsuitable?

Not special, really - I just want to be able to use iptables on my router to provide a firewall for my servers. So, I have 12.170.114.35 for all the workstations on my NAT, and 12.170.114.36 as my mail server, with only ports 22, 25, 110, 143, and 993 accessible from the internet. If there is another good way to do this, I am certainly open to it. I know I can just put all my servers out in front of the NAT and do separate firewalls on all of the servers, but from an administrative perspective, I'd rather not have to deal with that.

Anybody have a solution for what I'm trying to do?   I know how to do it with our Cisco router, but it is on the brink of failure, and I need a backup plan.

TIA.
> I know I can just put all my servers out in front of the nat and do separate firewalls on all of the servers,

I wouldn't do it that way. I'd place one firewall next to the border router and set up static NAT's for the interior servers. I'd also limit what ports I allow in to only be those that I intend to be accessible from the Internet.

You can see the firewall rule set that I use at http://www.entrophy-free.net/tools/iptables.gw. It would need extending to define the static NAT translations and you'd want to modify the INPUT rules a bit.
jlevie, the file is

iptables-gw      :)

the correct link is

http://www.entrophy-free.net/tools/iptables-gw
Oops... I gotta remember to "think, type, think, submit"
ASKER CERTIFIED SOLUTION
Chireru

Thanks Chireru, jlevie and pablouruguay!

Chireru - that was definitely it - I just had to let new connections get forwarded into the NAT.

Thanks!
Glad to hear it.

It was a problem that I started running into when using separate tables. One of the hardest things is figuring out exactly what tables and chains the traffic is encountering, and where it is getting dropped. LOG rules really help to this effect. I make use of the log-prefix tag, which puts a note in the log entries to remind me of what rule it is catching on. This makes it a lot easier to troubleshoot:

iptables -A FORWARD -j LOG --log-prefix "my identifier"
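As an added example (not code from anyone in this thread), the script below pulls the thread's points into one rule set: a static NAT per public IP as jlevie suggests, the FORWARD rule admitting NEW inbound connections that Chireru identified as the missing piece, and a prefixed LOG rule before the drop policy for troubleshooting. It assumes the interfaces and addresses from the question and defaults IPT to "echo iptables" so it prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example: static NAT for one public IP plus a FORWARD policy that only
# admits NEW inbound connections on the ports meant to be reachable.
# IPT defaults to a dry run; run with IPT=iptables (as root) to apply for real.
IPT="${IPT:-echo iptables}"
EXTIF=eth1   # public side, from the question
INTIF=eth0   # private side, from the question

# Rules for one public IP <-> private server pair.
# Args: public_ip private_ip "port1 port2 ..."
static_nat() {
  pub=$1; priv=$2; ports=$3
  # Static NAT: everything arriving for $pub goes to $priv, and $priv's own
  # outbound traffic leaves sourced from $pub rather than the MASQUERADE address.
  $IPT -t nat -A PREROUTING  -i "$EXTIF" -d "$pub"  -j DNAT --to-destination "$priv"
  $IPT -t nat -A POSTROUTING -o "$EXTIF" -s "$priv" -j SNAT --to-source "$pub"
  # The thread's missing piece: FORWARD must accept NEW inbound connections to
  # the server; limiting them to the allowed ports is the firewall function.
  for p in $ports; do
    $IPT -A FORWARD -i "$EXTIF" -o "$INTIF" -p tcp -d "$priv" --dport "$p" \
         -m conntrack --ctstate NEW -j ACCEPT
  done
}

build_ruleset() {
  # Flush first: the posted script ran "-t nat -F" after adding its NAT rules.
  $IPT -F; $IPT -t nat -F
  $IPT -P INPUT ACCEPT; $IPT -P OUTPUT ACCEPT; $IPT -P FORWARD DROP
  # Replies and related traffic in either direction.
  $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Inside hosts may initiate anything outbound.
  $IPT -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
  # Mail server from the question: 12.170.114.36 -> 192.168.42.115, ports listed by the asker.
  static_nat 12.170.114.36 192.168.42.115 "22 25 110 143 993"
  # Anything else reaching FORWARD hits the DROP policy; log it first with a
  # prefix so the dropped packets are easy to find in the kernel log.
  $IPT -A FORWARD -j LOG --log-prefix "FWD-DROP: "
  # Workstations without a static mapping share the router's primary address.
  # This must come after the SNAT rules, since nat POSTROUTING is first match.
  $IPT -t nat -A POSTROUTING -o "$EXTIF" -s 192.168.42.0/24 -j MASQUERADE
}

build_ruleset
```

Traffic for 12.170.114.36 on a port outside the list is still DNATed to the server but then logged and dropped in FORWARD, which is the static-NAT-plus-filter arrangement jlevie describes.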