Solved

IP masquerading multiple public IPs to multiple private servers - not working

Posted on 2004-08-03
9
727 Views
Last Modified: 2010-03-18
Hi -

I've seen a number of solutions for using iptables to set up IP masquerading with multiple public IPs to multiple servers with private addresses. I've tried some of them, but I can't get any working. I'm using virtual interfaces for the extra public IPs and SNAT/DNAT in iptables to get the traffic inside. The result I get is that all traffic on any of the IPs or ports just gets directed to the gateway instead of getting forwarded to the respective servers. I'm a complete iptables noob, so maybe I've just put the rules in the wrong order?!  Here's some info:

Internal addresses:
192.168.42.0/24
Public Addresses:
12.170.114.32/27

IP Masquerading Router interfaces:
eth1 - 12.170.114.35
eth1:1 - 12.170.114.36
eth1:2 - 12.170.114.37
eth1:3 - 12.170.114.38
eth1:4 - 12.170.114.39
eth1:5 - 12.170.114.40
eth1:6 - 12.170.114.41
eth0 - 192.168.42.110

Here's my (abridged) iptables config:

$IPTABLES -P INPUT ACCEPT

$IPTABLES -t nat -A PREROUTING -i eth1 -p tcp -d 12.170.114.41 --dport 22 -j DNAT --to 192.168.42.122:22
$IPTABLES -t nat -A POSTROUTING -s 192.168.42.122 -p tcp --sport 22 -o eth1 -j SNAT --to-source 12.170.114.41

$IPTABLES -t nat -A PREROUTING -i eth1 -p tcp -d 12.170.114.36 --dport 25 -j DNAT --to 192.168.42.115:25
$IPTABLES -t nat -A POSTROUTING -s 192.168.42.115 -p tcp --sport 25 -o eth1 -j SNAT --to-source 12.170.114.36

$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

Thanks!
Noah
0
Question by:noahisaac
9 Comments
 
LVL 14

Expert Comment

by:pablouruguay
ID: 11711314
I have this to make iptables work and it works great


iptables -t nat -A POSTROUTING -s 192.168.1.10 -d 0.0.0.0/0 -j SNAT --to-source 200.40.228.70
0
 
LVL 40

Expert Comment

by:jlevie
ID: 11711479
> I'm using virtual interfaces for the extra public IP's and SNAT/DNAT in iptables to get the traffic inside. The result
> I get is that all traffic on any of the IP's

Well that's what a static NAT translation does. Port forwarding only works when you aren't using static NAT translations. With multiple outside IPs static NAT is what one ordinarily wants to use. Do you have some special requirements that make it unsuitable?
0
 

Author Comment

by:noahisaac
ID: 11715949
Thanks pablouruguay and jlevie -

> Well that's what a static NAT translation does. Port forwarding only works when you aren't using static NAT translations.
> With multiple outside IPs static NAT is what one ordinarily wants to use.

I have no special attachment to the solution I was trying, it was just what I'd found when searching through google and other experts exchange posts.


> Do you have some special requirements that
> make it unsuitable?

Not special, really - I just want to be able to use iptables on my router to provide a firewall for my servers.  So, I have 12.170.114.35 for all the workstations on my NAT, and 12.170.114.36 as my mail server, with only ports 22, 25, 110, 143, and 993 accessible from the internet.  If there is another good way to do this, I am certainly open to it.  I know I can just put all my servers out in front of the NAT and do separate firewalls on all of the servers, but from an administrative perspective, I'd rather not have to deal with that.

Anybody have a solution for what I'm trying to do?   I know how to do it with our Cisco router, but it is on the brink of failure, and I need a backup plan.

TIA.
0
 
LVL 40

Expert Comment

by:jlevie
ID: 11716872
> I know I can just put all my servers out in front of the nat and do separate firewalls on all of the servers,

I wouldn't do it that way. I'd place one firewall next to the border router and set up static NATs for the interior servers. I'd also limit what ports I allow in to only be those that I intend to be accessible from the Internet.

You can see the firewall rule set that I use at http://www.entrophy-free.net/tools/iptables.gw. It would need extending to define the static NAT translations and you'd want to modify the INPUT rules a bit.
0

 
LVL 14

Expert Comment

by:pablouruguay
ID: 11717468
jlevie the file is

iptables-gw      :)

the correct link is

http://www.entrophy-free.net/tools/iptables-gw
0
 
LVL 40

Expert Comment

by:jlevie
ID: 11720910
Oops... I gotta remember to "think, type, think, submit"
0
 
LVL 5

Accepted Solution

by:
Chireru earned 500 total points
ID: 11758137
Your problem is this line:

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

Understand that a packet passing through your firewall will encounter several tables, and must be allowed at all of them in order to pass the filter.  The first table is "mangle", which is not mentioned, so it allows it through, then "nat" where the connection is DNAT'd, then "filter" (any iptables line without a -t [table] will default to filter), where the FORWARD chain drops it because the connection is not already established.

To get into the FORWARD chain, it must be destined for the other side of the firewall, through an already-existing connection, or through a DNAT rule.  Replace it with these rules:
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state INVALID -j LOG
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state INVALID -j DROP

This is safe because in order to get into the FORWARD chain, the traffic must either belong to an open connection or be a new connection, ordered into the chain by a DNAT rule.
0
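As an added example (not the poster's script and not Chireru's), here is the abridged ruleset from the question reordered so the flushes run before the NAT rules are added, with the FORWARD fix applied and narrowed so that only NEW connections to the two DNAT'd services are accepted rather than any NEW packet arriving from outside. Interface names and addresses are the ones from the question; with no argument the script only echoes the rules.

```shell
#!/bin/sh
# Added example, not the poster's script: the abridged rules from the question,
# reordered so the flushes run first, with the FORWARD fix applied and narrowed
# to the two DNAT targets. Interface names follow the question.
# Run with no argument for a dry run (rules are echoed, nothing is applied).
IPTABLES="${IPTABLES:-iptables}"
EXTIF=eth1    # public side, 12.170.114.35 plus the eth1:N aliases
INTIF=eth0    # private side, 192.168.42.0/24

build_rules() {
    # Policies and flushes first. In the original order "-t nat -F" came after
    # the DNAT/SNAT rules and silently wiped them.
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F INPUT
    $IPTABLES -F OUTPUT
    $IPTABLES -F FORWARD
    $IPTABLES -t nat -F

    # Static NAT, one public address per interior server. nat/PREROUTING
    # rewrites the destination before routing; nat/POSTROUTING rewrites the
    # source of the replies so they leave from the matching public address.
    $IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp -d 12.170.114.41 --dport 22 -j DNAT --to 192.168.42.122:22
    $IPTABLES -t nat -A POSTROUTING -s 192.168.42.122 -p tcp --sport 22 -o $EXTIF -j SNAT --to-source 12.170.114.41
    $IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp -d 12.170.114.36 --dport 25 -j DNAT --to 192.168.42.115:25
    $IPTABLES -t nat -A POSTROUTING -s 192.168.42.115 -p tcp --sport 25 -o $EXTIF -j SNAT --to-source 12.170.114.36

    # filter/FORWARD sees a DNAT'd packet with the rewritten destination and
    # conntrack state NEW, so NEW has to be accepted. Matching the exact
    # interior host and port keeps the accept as narrow as the DNAT rules.
    $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp -d 192.168.42.122 --dport 22 -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp -d 192.168.42.115 --dport 25 -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
    # Everything else falls through to the DROP policy; log it with a prefix
    # so the kernel log shows which rule the packet died on.
    $IPTABLES -A FORWARD -m state --state INVALID -j LOG --log-prefix "FWD-INVALID: "
    $IPTABLES -A FORWARD -j LOG --log-prefix "FWD-DROP: "

    # Workstations share the router's primary public address.
    $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
}

case "${1:-}" in
    apply) build_rules ;;             # as root: sh nat-gw.sh apply
    *) IPTABLES=echo; build_rules ;;  # dry run: print the rules only
esac
```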
 

Author Comment

by:noahisaac
ID: 11776695
Thanks Chireru, jlevie and pablouruguay!

Chireru - that was definitely it - I just had to let new connections get forwarded into the NAT.

Thanks!
0
 
LVL 5

Expert Comment

by:Chireru
ID: 11777462
Glad to hear it.

It was a problem that I started running into when using separate tables.  One of the hardest things is figuring out exactly what tables and chains the traffic is encountering, and where it is getting dropped.  LOG rules really help to this effect.  I make use of the log-prefix tag, which puts a note in the log entries to remind me of what rule it is catching on.  This makes it a lot easier to troubleshoot:

$IPTABLES -A FORWARD -j LOG --log-prefix "my identifier"
0
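To show how those prefixes pay off when troubleshooting, here is an added example (not from the thread) that groups iptables LOG entries by prefix, interface pair, destination and port. The log lines are constructed for the example and use the FWD-DROP and FWD-INVALID prefixes as hypothetical values.

```shell
#!/bin/sh
# Added example, not from the thread: triage iptables LOG entries by their
# --log-prefix. The log lines below are constructed for this example; the text
# between "kernel: " and "IN=" is whatever --log-prefix put there.
SAMPLE_LOG='Aug  3 10:12:01 gw kernel: FWD-DROP: IN=eth1 OUT=eth0 SRC=203.0.113.5 DST=192.168.42.115 PROTO=TCP SPT=44321 DPT=25 SYN
Aug  3 10:12:02 gw kernel: FWD-DROP: IN=eth1 OUT=eth0 SRC=203.0.113.5 DST=192.168.42.115 PROTO=TCP SPT=44322 DPT=25 SYN
Aug  3 10:12:05 gw kernel: FWD-INVALID: IN=eth1 OUT=eth0 SRC=198.51.100.9 DST=192.168.42.122 PROTO=TCP SPT=5555 DPT=22 ACK
Aug  3 10:12:09 gw kernel: IN=eth0 OUT=eth1 SRC=192.168.42.50 DST=198.51.100.20 PROTO=UDP SPT=5353 DPT=5353'

# Read LOG lines on stdin and print "count prefix IN OUT DST DPT", busiest
# first, so the rule that is eating the traffic (and the host it was meant
# for) is visible at a glance. Entries logged without a prefix show "(none)".
summarize_log() {
    awk '
        /kernel: .*IN=/ {
            pre = $0
            sub(/^.*kernel: /, "", pre)
            sub(/ *IN=.*$/, "", pre)
            if (pre == "") pre = "(none)"
            in_if = out_if = dst = dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^IN=/)  in_if  = substr($i, 4)
                if ($i ~ /^OUT=/) out_if = substr($i, 5)
                if ($i ~ /^DST=/) dst    = substr($i, 5)
                if ($i ~ /^DPT=/) dpt    = substr($i, 5)
            }
            count[pre " " in_if " " out_if " " dst " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Convenience wrapper that runs the summary over the constructed sample.
summarize_sample() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_log
}

summarize_sample
```

On a live router, feed it the kernel log instead, e.g. `grep 'kernel: ' /var/log/messages | summarize_log`.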
