Sidra_net
asked on
IPTABLES for real IP NATing
I have a Linux box running IPTABLES to do MASQUERADE between the Internet and the LAN. My ISP provided me with 5 real IPs. I'm using one of these real IPs to share with my network users (192.168.1.0/24). The Linux box has many tools like a firewall, P2P service blocking, bandwidth monitors (NTOP and iftop), etc.
For some reasons, one of my users requires a real IP. How do I give him this IP while at the same time his traffic still passes through the Linux box and is subject to the Linux box tools listed above?
ASKER
Dear rindi,
By "real IP" I mean a public IP.
Shorewall is a great utility for IPTABLES, but I'd rather stick with pure IPTABLES rules to define my own script.
Blaz is right
to enable the external to internal, the rules would be
-A PREROUTING -t nat -i $ext_if -d public_IP_2 -j DNAT --to internal_special_user_IP
-A FORWARD -i $ext_if -d internal_special_user_IP -j ACCEPT
and just a point: all POSTROUTING rules need "-t nat" added after the POSTROUTING to work
However, to make the exposed computer more secure, I would only expose the ports I need instead of the whole computer, like in
# HTTP
-A PREROUTING -t nat -i $ext_if -d public_IP_2 -p tcp --dport 80 -j DNAT --to internal_special_user_IP:80
# SSH
-A PREROUTING -t nat -i $ext_if -d public_IP_2 -p tcp --dport 22 -j DNAT --to internal_special_user_IP:22
-A FORWARD -i $ext_if -d internal_special_user_IP -j ACCEPT
hope this helps
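The rules above, and the later suggestion to put the exposed computer in a DMZ that may reach only selected internal services, can be combined into one script. The following is an added example, not code from the thread's participants: it assumes the exposed host sits on its own DMZ interface (eth2, 192.168.2.10), that the second public address is 203.0.113.2 (a documentation range), and that a MASQUERADE rule for the rest of the LAN already exists. It only prints the iptables commands so they can be reviewed before being piped into a shell.

```shell
#!/bin/sh
# One-to-one NAT for a single host placed in a DMZ segment.
# Added example, not from the original thread. All addresses and interface
# names below are assumed placeholders (203.0.113.0/24 is a documentation
# range); replace them with your own. The script prints the commands rather
# than running them, so they can be reviewed first:
#   sh onetoone.sh | sh
EXT_IF="${EXT_IF:-eth0}"                         # ISP side
DMZ_IF="${DMZ_IF:-eth2}"                         # separate segment for the exposed host
PUBLIC_IP_2="${PUBLIC_IP_2:-203.0.113.2}"        # second address from the ISP block
SPECIAL_HOST="${SPECIAL_HOST:-192.168.2.10}"     # the user who needs the public IP
LAN_NET="${LAN_NET:-192.168.1.0/24}"             # everyone else
EXPOSED_TCP_PORTS="${EXPOSED_TCP_PORTS:-80 22}"  # what the Internet may reach
DMZ_TO_LAN_TCP="${DMZ_TO_LAN_TCP:-192.168.1.10:445}"  # host:port the DMZ box may use inside

onetoone_rules() {
    # The router must answer ARP for PUBLIC_IP_2 on the ISP segment, otherwise
    # the ISP gateway never delivers packets for it.
    echo "ip addr add $PUBLIC_IP_2/32 dev $EXT_IF"
    # Inbound: translate only the listed ports. Anything else aimed at
    # PUBLIC_IP_2 stays on the router and is subject to its INPUT chain.
    for port in $EXPOSED_TCP_PORTS; do
        echo "iptables -t nat -A PREROUTING -i $EXT_IF -d $PUBLIC_IP_2 -p tcp --dport $port -j DNAT --to-destination $SPECIAL_HOST:$port"
    done
    # Outbound: the host's own connections leave with PUBLIC_IP_2 rather than
    # the shared masquerade address. Inserted at position 1 so it precedes
    # the existing MASQUERADE rule (first match wins in the nat table).
    echo "iptables -t nat -I POSTROUTING 1 -o $EXT_IF -s $SPECIAL_HOST -j SNAT --to-source $PUBLIC_IP_2"

    # FORWARD sees the post-DNAT destination, hence -d $SPECIAL_HOST.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for port in $EXPOSED_TCP_PORTS; do
        echo "iptables -A FORWARD -i $EXT_IF -o $DMZ_IF -d $SPECIAL_HOST -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # DMZ -> LAN: only the explicitly listed service, then drop the rest, so a
    # compromised exposed host cannot roam the LAN.
    for svc in $DMZ_TO_LAN_TCP; do
        echo "iptables -A FORWARD -i $DMZ_IF -s $SPECIAL_HOST -d ${svc%:*} -p tcp --dport ${svc#*:} -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "iptables -A FORWARD -i $DMZ_IF -s $SPECIAL_HOST -d $LAN_NET -j DROP"
    # DMZ -> Internet is allowed; it still crosses the router, so ntop/iftop
    # and the P2P filters keep seeing it.
    echo "iptables -A FORWARD -i $DMZ_IF -o $EXT_IF -s $SPECIAL_HOST -j ACCEPT"
}

onetoone_rules
```

The DROP rule only isolates the host because it lives on a separate interface; a host on the same 192.168.1.0/24 segment as the other users talks to them directly and never crosses the router, which is why the thread's "put it in the DMZ" advice matters.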
you are fast guys :)
two ways:
either "real routing" or "one to one" nat
mentioned above
regards
marcin
>I think there are other ways still to do what you want,
I might throw the proxy arp hat into the ring...
>but I would stick with one-to-one NAT and put the user's computer into the DMZ so your LAN is still fully protected.
Agreed, unless there are specific compelling contradictory reasons.
Cheers,
-Jon
>>but I would stick with one-to-one NAT and put the user's computer into the DMZ so your LAN is still fully protected.
>
>Agreed, unless there are specific compelling contradictory reasons.
And a good reason NOT to do the DMZ would be if this user should have any access to your LAN - like file and printer sharing, access to internal servers etc.
even in such a case, you can open the DMZ *only* for that computer, and *only* for the service it needs to access
this is still more secure than sitting the computer on the LAN side, since if the computer gets compromised, it still does not have full access to the LAN, but only on selected protocols that are (or should be) monitored
Another way to solve this is to use Linux's Bridging features:
http://linux-net.osdl.org/index.php/Bridge
This has the advantage over NAT that the machine is configured with its public IP address, so applications running on it know what that address is, something not all programs can work out when they go through a NAT.
Do the following, assuming your real IP addresses lie on eth0 and your clients are behind eth1
/sbin/arp -Ds REAL_IP eth1 pub
/sbin/ip route add REAL_IP via PRIVATE_IP dev eth0
where REAL_IP is the IP you want to give to your client that currently has PRIVATE_IP.
Set the REAL_IP with subnet mask 255.255.255.255 on your client's PC.
Obviously make sure you are not using this IP on your Linux router.
See if this works for you.
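The "real routing" alternative above can be expressed with the kernel's proxy_arp sysctl and a host route, while keeping the client's traffic on the router's FORWARD chain as the question requires. This is an added example, not the poster's commands: it assumes the ISP block is on eth0, the client on eth1, the client's public address is 203.0.113.5 (a documentation range), and the router's LAN address is 192.168.1.1. Like the poster's snippet it prints the commands rather than running them.

```shell
#!/bin/sh
# "Real routing" of one public address to a LAN host via proxy ARP.
# Added example, not from the original thread; addresses and interface names
# are assumed placeholders. Prints the commands:  sh realroute.sh | sh
EXT_IF="${EXT_IF:-eth0}"               # interface holding the ISP block
LAN_IF="${LAN_IF:-eth1}"               # interface where the client sits
REAL_IP="${REAL_IP:-203.0.113.5}"      # public address handed to the client
LAN_IF_IP="${LAN_IF_IP:-192.168.1.1}"  # router's address on LAN_IF (client's gateway)
ALLOWED_IN_TCP="${ALLOWED_IN_TCP:-22}" # inbound TCP ports the Internet may open

realroute_rules() {
    # Forwarding must be on. proxy_arp on EXT_IF makes the router answer the
    # ISP gateway's ARP queries for REAL_IP with its own MAC, because the
    # kernel has a route to REAL_IP through another interface.
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "sysctl -w net.ipv4.conf.$EXT_IF.proxy_arp=1"
    # Host route: REAL_IP is directly reachable on the LAN side.
    echo "ip route add $REAL_IP/32 dev $LAN_IF"
    # The client must keep its real source address. If the existing
    # MASQUERADE rule is not limited by -s, exempt REAL_IP from it: ACCEPT in
    # the nat table ends NAT processing for the packet without translating.
    echo "iptables -t nat -I POSTROUTING 1 -o $EXT_IF -s $REAL_IP -j ACCEPT"
    # The packets still traverse FORWARD, so the firewall, P2P blocking and
    # bandwidth monitors on the router keep seeing them.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -o $EXT_IF -s $REAL_IP -j ACCEPT"
    for port in $ALLOWED_IN_TCP; do
        echo "iptables -A FORWARD -i $EXT_IF -o $LAN_IF -d $REAL_IP -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "iptables -A FORWARD -i $EXT_IF -o $LAN_IF -d $REAL_IP -j DROP"
}

# Client side (run on the user's PC; shown for completeness). With a /32
# mask the gateway is not on any local subnet, so it must be added as an
# on-link route before the default route can point at it.
client_commands() {
    echo "ip addr add $REAL_IP/32 dev eth0"
    echo "ip route add $LAN_IF_IP/32 dev eth0"
    echo "ip route add default via $LAN_IF_IP"
}

realroute_rules
echo "# --- on the client ---"
client_commands
```

The inbound DROP at the end is what keeps the routed host from being fully exposed; without it, a host with a routable address and no NAT is reachable on every port it listens on.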
http://www.shorewall.net/