IPTABLES for real IP NATing

I have a Linux box running IPTABLES to do MASQUERADE between the Internet and the LAN. My ISP provided me with 5 real IPs. I'm using one of these real IPs to share with my network users (the Linux box has many tools like a firewall, P2P service blocking, a bandwidth monitor (NTOP and iftop), etc.).

For some reason, one of my users requires a real IP. How do I give him this IP while at the same time his traffic still passes through the Linux box and is subject to the Linux box tools listed above?

Gabriel OrozcoSolution ArchitectCommented:
You can do this in several ways.

First, the easiest and most commonly used:
a one-to-one NAT.
add the public IP address to the external interface of your firewall
add a rule to iptables to redirect all traffic from the Internet to that IP to the internal, standard IP address of the user
add another rule to allow forwarding from the Internet interface to that internal IP address
the normal forward from inside to outside will do the rest.

This has the BIG disadvantage of exposing your internal network (LAN) to the Internet via the exposed machine. If that computer will not be fully protected, I would not recommend this.

Another way to do this that can help is to add another LAN card to your Linux firewall and create a "Demilitarized Zone (a.k.a. DMZ)" and connect the exposed machine to that LAN card. This has many security advantages, but will limit your user's interaction with internal (LAN) users, since technically his/her computer is outside in the wild, but traffic still traverses the firewall.

The other way is to create a bridge firewall and allow the user to have an external IP. This needs your Linux firewall to be configured as a normal routed firewall and also as a bridge. This is pretty difficult.

Another way to do this is to add another firewall acting as a bridge, before your own Linux firewall. It will still filter traffic, and you can connect that user to the internal side of such a firewall.

I think there are other ways still to do what you want, but I would stick with one-to-one NAT and put the user's computer into the DMZ so your LAN is still fully protected.

Shorewall does this also... but you need only two iptables rules in your current firewall to permit DMZ traffic ;)
What exactly do you mean by "real IP"? Is it just a static IP inside your private network, or is it a public IP? You could use Shorewall to set up your iptables; it is easier to get going than setting up pure iptables, and there are some good examples, including, if I remember properly, a similar setup to yours. Shorewall isn't another firewall, it is just a frontend to make it easier to set up iptables.

Sidra_netAuthor Commented:
Dear rindi,

I mean by "real IP" as public IP.

Shorewall is a great utility for IPTABLES, but I'd rather stick with pure IPTABLES rules to define my own script.

I believe that one-to-one NAT does not necessarily expose the machine. Although differently NATed, the traffic to/from the internal machine can be (and should be) treated (firewalled) like any other traffic. The machine does not need to be in a DMZ.

So currently in the nat table you have a rule like:

If you have a static public IP it is recommended to do SNAT instead of MASQUERADE:

-A POSTROUTING -o $ext_if -j SNAT --to-source public_IP_1

And to assign a certain machine its own public IP you add another rule before:

-A POSTROUTING -s internal_special_user_IP  -o $ext_if -j SNAT --to-source public_IP_2
-A POSTROUTING -o $ext_if -j SNAT --to-source public_IP_1

As Redimido already suggested you also have to add public_IP_2 to the external interface.

This rule alone will cause any outgoing traffic (and the reverse traffic) from internal_special_user to use public_IP_2. Otherwise he will be subject to all the same limitations and security as other users.

You didn't specify what kind of special traffic this user will be having, if any (like inbound connections). Any further rules depend on that.
Gabriel OrozcoSolution ArchitectCommented:
Blaz is right

to enable the external to internal, the rules would be
-A PREROUTING -t nat -i $ext_if -d public_IP_2  -j DNAT --to internal_special_user_IP
-A FORWARD -i $ext_if  -d internal_special_user_IP -j ACCEPT

and just a point: all POSTROUTING rules need "-t nat" added after POSTROUTING to work

However, to make the exposed computer more secure, I would only expose the ports I need instead of the whole computer, like in

-A PREROUTING -t nat -i $ext_if -d public_IP_2  -p tcp --dport 80 -j DNAT --to internal_special_user_IP:80
-A PREROUTING -t nat -i $ext_if -d public_IP_2  -p tcp --dport 22 -j DNAT --to internal_special_user_IP:22
-A FORWARD -i $ext_if  -d internal_special_user_IP -j ACCEPT

hope this helps
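The SNAT/DNAT one-to-one NAT that Blaz and Gabriel describe above, written out as a complete, ordered rule set (an added example, not code from either poster). Interface names, addresses and the exposed port list are assumed/constructed; the function emits the iptables commands as text so the set can be reviewed before it is piped into sh.

```shell
#!/bin/sh
# Added example: one-to-one NAT for a single LAN host. All values below are
# assumptions (RFC 5737 / RFC 1918 addresses); adjust to your own setup.
EXT_IF="eth0"                # assumed: interface toward the ISP
INT_IF="eth1"                # assumed: interface toward the LAN
PUBLIC_IP_1="203.0.113.10"   # constructed: address shared by all users (SNAT)
PUBLIC_IP_2="203.0.113.11"   # constructed: second public IP, dedicated to one user
SPECIAL_USER="192.168.1.50"  # constructed: that user's LAN address
EXPOSED_PORTS="80 22"        # only these TCP ports are reachable from outside

# Emit every command instead of running it: "one_to_one_nat_rules ... | sh"
# applies the set. Arguments: ext_if int_if shared_public user_public user_lan ports
one_to_one_nat_rules() {
  ext_if=$1; int_if=$2; pub_shared=$3; pub_user=$4; user=$5; ports=$6
  # The dedicated public IP must exist on the external interface (Gabriel's point).
  echo "ip addr add ${pub_user}/32 dev ${ext_if}"
  # Outbound: the special user leaves as pub_user, everyone else as pub_shared.
  # Both rules live in the nat table, and the user-specific one must come first.
  echo "iptables -t nat -A POSTROUTING -s ${user} -o ${ext_if} -j SNAT --to-source ${pub_user}"
  echo "iptables -t nat -A POSTROUTING -o ${ext_if} -j SNAT --to-source ${pub_shared}"
  # Filtering still happens in FORWARD, so the user stays subject to the box's tools.
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A FORWARD -i ${int_if} -o ${ext_if} -s ${user} -j ACCEPT"
  # Inbound: DNAT only the listed ports to the user, never the whole host.
  for p in $ports; do
    echo "iptables -t nat -A PREROUTING -i ${ext_if} -d ${pub_user} -p tcp --dport ${p} -j DNAT --to-destination ${user}:${p}"
    echo "iptables -A FORWARD -i ${ext_if} -o ${int_if} -d ${user} -p tcp --dport ${p} -m conntrack --ctstate NEW -j ACCEPT"
  done
  # Everything else from the Internet toward the user is dropped explicitly.
  echo "iptables -A FORWARD -i ${ext_if} -o ${int_if} -d ${user} -j DROP"
}

# Print the rule set for the assumed values (nothing is applied here).
one_to_one_nat_rules "$EXT_IF" "$INT_IF" "$PUBLIC_IP_1" "$PUBLIC_IP_2" "$SPECIAL_USER" "$EXPOSED_PORTS"
```

Apply it with `one_to_one_nat_rules ... | sh` once the output looks right; the order of the two POSTROUTING lines is what keeps the user's traffic from being caught by the shared SNAT rule.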
you are fast guys :)

two ways:
either "real routing" or "one-to-one" NAT

mentioned above

>I think there are other ways still to do what you want,

I might throw the proxy ARP hat into the ring...

>but I would stick with one-to-one NAT and put the user's computer into the DMZ so your LAN is still fully protected.

Agreed, unless there are specific compelling contradictory reasons.

>>but I would stick with one-to-one NAT and put the user's computer into the DMZ so your LAN is still fully protected.
>Agreed, unless there are specific compelling contradictory reasons.

And a good reason NOT to do the DMZ would be if this user should have any access to your LAN, like file and printer sharing, access to internal servers, etc.
Gabriel OrozcoSolution ArchitectCommented:
even in such a case, you can open the DMZ *only* for that computer, and *only* for the services it needs to access

this is still more secure than sitting the computer on the LAN side, since if the computer gets compromised, it still does not have full access to the LAN, but only to selected protocols that are (or should be) monitored
Another way to solve this is to use Linux's bridging features:

This has the advantage over NAT that the machine is configured with its public IP address and therefore applications running on that machine know what it is, something that not all programs can sort out when they go through a NAT.
Do the following, assuming your real IP addresses are on eth0 and your clients are behind eth1

/sbin/arp -Ds REAL_IP eth1 pub
/sbin/ip route add REAL_IP via PRIVATE_IP dev eth0

Where REAL_IP is the IP you want to give to your client that currently has PRIVATE_IP.

Set the REAL_IP with its subnet mask on your client's PC.
Obviously make sure you are not using this IP on your Linux router.

See if this works for you.
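The routed (proxy ARP) alternative from the post above, as an added example that is not the poster's own commands: instead of the `arp -Ds ... pub` entry it uses the kernel's per-interface `proxy_arp` sysctl plus a host route, and keeps the host's traffic in the FORWARD chain so the firewall tools still apply. Interface names and the address are assumed; the function emits commands as text.

```shell
#!/bin/sh
# Added example: give one LAN host a public address by routing, not NAT.
# The router answers ARP for REAL_IP on the ISP segment and for the ISP
# gateway on the LAN segment, so no address translation is needed.
# Assumed values: eth0 faces the ISP, eth1 the LAN, 203.0.113.12 is constructed.
EXT_IF="eth0"
INT_IF="eth1"
REAL_IP="203.0.113.12"

# Arguments: ext_if int_if real_ip. Output is meant for "proxy_arp_rules ... | sh".
proxy_arp_rules() {
  ext_if=$1; int_if=$2; real_ip=$3
  echo "sysctl -w net.ipv4.ip_forward=1"
  # ext_if: reply to the ISP's ARP requests for real_ip with our own MAC.
  echo "sysctl -w net.ipv4.conf.${ext_if}.proxy_arp=1"
  # int_if: reply to the client's ARP for the ISP gateway, which it uses as default gw.
  echo "sysctl -w net.ipv4.conf.${int_if}.proxy_arp=1"
  # Host route: packets for real_ip are delivered directly on the LAN interface.
  echo "ip route add ${real_ip}/32 dev ${int_if}"
  # The host still crosses FORWARD, so it is filtered like any NATed user:
  # replies are allowed, new inbound connections are not (add port rules as needed).
  echo "iptables -A FORWARD -i ${int_if} -o ${ext_if} -s ${real_ip} -j ACCEPT"
  echo "iptables -A FORWARD -i ${ext_if} -o ${int_if} -d ${real_ip} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A FORWARD -i ${ext_if} -o ${int_if} -d ${real_ip} -j DROP"
}

proxy_arp_rules "$EXT_IF" "$INT_IF" "$REAL_IP"
```

The client is configured with REAL_IP, the ISP's netmask and the ISP's gateway address; because the router proxies ARP on both sides, the client never sees a private address.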