IPTABLES for real IP NATing

Posted on 2006-05-24
Last Modified: 2007-11-27
I have a Linux box running IPTABLES to do MASQUERADE between the Internet and the LAN. My ISP provided me with 5 real IPs. I'm using one of these real IPs to share with my network users (the Linux box has many tools like a firewall, P2P service blocking, bandwidth monitoring (NTOP and iftop), etc.).

For some reasons, one of my users requires a real IP. How do I give him this IP while at the same time his traffic still passes through the Linux box and is subject to the Linux box tools listed above?

Question by:Sidra_net
    LVL 87

    Expert Comment

    What exactly do you mean with "real IP"? Is it just a static IP inside your private network, or is it a public IP? You could use shorewall to set up your iptables; it is easier to get going than setting up pure iptables, and there are some good examples, including, if I remember properly, a similar setup to yours. Shorewall isn't another firewall, it is just a frontend to make it easier to set up iptables.

    Author Comment

    Dear rindi,

    I mean by "real IP" as public IP.

    Shorewall is a great utility for IPTABLES, but I'd rather stick with pure IPTABLES rules to define my own script.

    LVL 19

    Accepted Solution

    You can do this in a few ways.

    First, the easiest and most used:
    a one-to-one NAT.
    add the public IP address to the external interface of your firewall
    add a rule to iptables to redirect all traffic from the Internet to that IP to the internal, standard IP address of the user
    add another rule to activate forwarding from the Internet interface to that internal IP address
    the normal forward from inside to outside will do the rest.

    This has the BIG disadvantage of exposing your internal network (LAN) to the Internet via the exposed machine. If that computer will not be fully protected, I would not recommend this.

    Another way to do this that can help is to add another LAN card to your Linux firewall and create a "Demilitarized Zone (a.k.a. DMZ)" and connect the exposed machine to that LAN card. This has many security advantages, but will limit your user's interaction with internal (LAN) users, since technically his/her computer is outside in the wild, but traffic still traverses the firewall.

    The other way is to create a bridge firewall and allow the user to have an external IP. This needs your Linux firewall to be configured as a normal routed firewall and also as a bridge. This is pretty difficult.

    Another way to do this is to add another firewall acting as a bridge, before your own Linux firewall. It will still filter traffic, and you can connect that user to the internal part of such a firewall.

    I think there are other ways still to do what you want, but I would stick with one-to-one NAT and put the user's computer into the DMZ so your LAN is still fully protected.

    Shorewall does this also... but you need only two iptables rules in your current firewall to permit DMZ traffic ;)
    LVL 16

    Assisted Solution

    I believe that one-to-one NAT does not necessarily expose the machine. Although differently NATed the traffic to/from the internal machine can be (and should be) treated (firewalled) as any other traffic. The machine does not need to be in DMZ.

    So currently in nat table you have a rule like:


    If you have a static public IP it is recommended to do SNAT instead of MASQUERADE:

    -A POSTROUTING -o $ext_if -j SNAT --to-source public_IP_1

    And to assign a certain machine its own public IP you add another rule before:

    -A POSTROUTING -s internal_special_user_IP  -o $ext_if -j SNAT --to-source public_IP_2
    -A POSTROUTING -o $ext_if -j SNAT --to-source public_IP_1

    As Redimido already suggested you also have to add public_IP_2 to the external interface.

    This rule alone will cause any outgoing traffic (and reverse traffic) from internal_special_user to use public_IP_2. Otherwise he will be subject to all the same limitations and security as other users.

    You didn't specify what kind of special traffic this user will be having, if any (like inbound connections). Any further rules depend on that.
    LVL 19

    Expert Comment

    Blaz is right

    to enable the external to internal, the rules would be
    -A PREROUTING -t nat -i $ext_if -d public_IP_2  -j DNAT --to internal_special_user_IP
    -A FORWARD -i $ext_if  -d internal_special_user_IP -j ACCEPT

    and just a point: all POSTROUTING rules need "-t nat" added after the POSTROUTING to work

    However, to make the exposed computer more secure, I would only expose the ports I need instead of the whole computer, like in

    # HTTP
    -A PREROUTING -t nat -i $ext_if -d public_IP_2  -p tcp --dport 80 -j DNAT --to internal_special_user_IP:80
    # SSH
    -A PREROUTING -t nat -i $ext_if -d public_IP_2  -p tcp --dport 22 -j DNAT --to internal_special_user_IP:22
    -A FORWARD -i $ext_if  -d internal_special_user_IP -j ACCEPT

    hope this helps
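The SNAT/DNAT layout from Blaz's and Redimido's posts, written out as one added script (not from this thread). It assumes placeholder names and addresses (eth0, 203.0.113.1, 203.0.113.2, 192.168.1.50, ports 80 and 22) and a FORWARD chain whose policy is already DROP; run it with no argument to print the rules, or with `apply` as root to execute them.

```shell
#!/bin/sh
# Added example, not from the thread: give one LAN host its own public IP with
# SNAT/DNAT while it stays behind the same FORWARD filtering as everyone else.
# All addresses and interface names are assumed placeholders (RFC 5737 ranges).
EXT_IF="${EXT_IF:-eth0}"
PUBLIC_IP_1="${PUBLIC_IP_1:-203.0.113.1}"   # shared address for the whole LAN
PUBLIC_IP_2="${PUBLIC_IP_2:-203.0.113.2}"   # dedicated address for one user
USER_IP="${USER_IP:-192.168.1.50}"          # that user's private address
ALLOWED_PORTS="${ALLOWED_PORTS:-80 22}"     # the only inbound TCP ports exposed

# Run a command, or just print it when DRY_RUN is set (for review and testing).
run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

setup_rules() {
    # The second public address must actually live on the external interface.
    run ip addr add "$PUBLIC_IP_2/32" dev "$EXT_IF"
    # Every POSTROUTING/PREROUTING rule needs "-t nat": the default table is filter.
    # Order matters: the host-specific SNAT must precede the catch-all SNAT.
    run iptables -t nat -A POSTROUTING -s "$USER_IP" -o "$EXT_IF" -j SNAT --to-source "$PUBLIC_IP_2"
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -j SNAT --to-source "$PUBLIC_IP_1"
    # Inbound: DNAT only the ports the user needs, not the whole address.
    for p in $ALLOWED_PORTS; do
        run iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$PUBLIC_IP_2" -p tcp --dport "$p" \
            -j DNAT --to-destination "$USER_IP:$p"
    done
    # FORWARD: replies always pass; new connections from the Internet reach the
    # user's host only on the DNATed ports (assumes FORWARD policy is DROP).
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for p in $ALLOWED_PORTS; do
        run iptables -A FORWARD -i "$EXT_IF" -d "$USER_IP" -p tcp --dport "$p" \
            -m state --state NEW -j ACCEPT
    done
    # LAN to Internet, the special user included, still passes through the box.
    run iptables -A FORWARD ! -i "$EXT_IF" -o "$EXT_IF" -j ACCEPT
}

# Count the FORWARD rules that admit unsolicited Internet traffic to the user's host.
count_exposed_ports() {
    ( DRY_RUN=1; setup_rules ) | grep -c -- "-A FORWARD -i $EXT_IF -d $USER_IP"
}

case "${1:-print}" in
    apply) DRY_RUN=;  setup_rules ;;   # needs root; really applies the rules
    *)     DRY_RUN=1; setup_rules ;;   # default: only print what would run
esac
```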
    LVL 2

    Expert Comment

    you are fast guys :)

    two ways:
    either "real routing" or "one to one" nat

    mentioned above

    LVL 16

    Expert Comment

    >I think there are other ways still to do what you want,

    I might throw the proxy arp hat into the ring...

    >but I would stick with one-to-one NAT and put the user's computer into the DMZ so your LAN is still fully protected.

    Agreed, unless there are specific compelling contradictory reasons.

    LVL 16

    Expert Comment

    >>but I would stick with one-to-one NAT and put the user's computer into the DMZ so your LAN is still fully protected.
    >Agreed, unless there are specific compelling contradictory reasons.

    And a good reason NOT to do the DMZ would be if this user should have any access to your LAN - like file and printer sharing, access to internal servers etc.
    LVL 19

    Expert Comment

    even in such a case, you can open the DMZ *only* for that computer, and *only* for the service it needs to access

    this is still more secure than sitting the computer on the LAN side, since if the computer gets compromised, it still does not have full access to the LAN, but only to selected protocols that are (or should be) monitored
    LVL 1

    Expert Comment

    Another way to solve this is to use Linux's Bridging features:

    This has the advantage compared to NAT that the machine is configured with its public IP address and therefore applications running on that machine know what it is, something that not all programs can sort out when they go through a NAT.
    LVL 3

    Expert Comment

    Do the following, assuming your Real IP addresses lie on eth0 and your clients are behind eth1

    /sbin/arp -Ds REAL_IP eth1 pub
    /sbin/ip route add REAL_IP via PRIVATE_IP dev eth0

    Where REAL_IP is the IP you want to give to your client that currently has PRIVATE_IP.

    Set the REAL_IP with its subnet mask on your client's PC.
    Obviously make sure you are not using this IP on your Linux router.

    See if this works for you.
