dr34m3rs
asked on
Linux NAT the easy way
Experts,
I'd like to use a linux box as a network address translator, but for external IP addresses, and preferably without the use of IPTables
I like to use APF, but it (Advanced Policy Firewall) doesn't seem to have the functionality I'm interested in.
I'm only interested in one thing, passing all data intended for ip:port -> alternate_ip:port and back again
So:
4.4.4.4 -> connects to my linux box on 5.5.5.5:400 -> is network address translated and all packets intended for 5.5.5.5:400 are sent to -> 6.6.6.6:500 <> then from 6.6.6.6:500 -> the response is sent to 5.5.5.5:400 -> back to 4.4.4.4:[on incoming port]
So exactly like a NAT on a local router, only internet based.
I'm familiar with nginx, pound, apache methods, but they are much more complicated than what I want.
I want simple. Because simple works on any IP and any port with any service.
I'm a Perl guy, so if there is a Perl method I'd be interested too.
Thanks for any help!
ASKER
Would I be able to use custom IPTables rules with APF? Since APF configures IPTables? Or would my custom rules be overwritten when APF is restarted?
ASKER CERTIFIED SOLUTION
ASKER
Cool, thanks for your help and advice in this matter. Really appreciate it.
I'm considering all aspects of this and will do a little research on my own.
I use APF because it's very easy to setup and I've not had time to learn the iptables syntax. I don't generally do anything fancy with my firewall rules. APF rocks because you can setup allow / deny lists and it works beautifully with custom scripts and a program called "brute force defender" which basically just scans logs and blocks brute force attacks to ports using APF.
I use APF for closing everything but the ports needed by services I use.
I did a quick scan of google before going out for the night and found some references to custom iptables - so we'll see how that goes.
Hi,
The "easy" way could be using a GUI to configure iptables... check this: http://www.fwbuilder.org/
-regards-
ASKER
hvillanu: Thanks for the idea, but no gui on my linux boxes. Could do webmin or something I suppose.
And an idea I had was: if APF does reset the custom iptables, I could just write a custom start script that adds them at boot and upon manual restarts...
SOLUTION
ASKER
Alright, I had some time and googled:
APF uses a preroute.rules file and you can do things like
$IPT -t nat -I PREROUTING -p tcp --dport 3625 -j REDIRECT --to-port 25
$IPT -t nat -I PREROUTING -p tcp --dport 3636 -j REDIRECT --to-port 8443
Although the above example is port related and not ip:port combo, I'm confident I'll be able to find my answer. If I run into issues I'll ask another question here in the correct area.
Thanks for all the help Paper and Villa
ASKER
Thanks again!
ASKER
Followup:
Fooling around with this I was able to determine the following:
This works on CentOS 6 64-bit linux running Advanced Policy Firewall (APF)
1) Turn on IP forwarding
# echo 1 >/proc/sys/net/ipv4/ip_forward
2) Place the following rule into your /etc/apf/preroute.rules file:
$IPT -t nat -A PREROUTING -p tcp --dport PORTNUMBER -i eth0 -j DNAT --to-destination X.X.X.X:PORT
# PORTNUMBER = the port number on your eth0 interface (incoming)
# eth0 = the interface you'd like to use
# x.x.x.x:port (your ip:port) example = 10.0.0.10:81 (can be intranet or internet it seems)
3) Place the following rule into your /etc/apf/postroute.rules file:
$IPT -t nat -A POSTROUTING -j MASQUERADE
4) Restart APF and look for any errors near the top of the output, around "loading preroute.rules"
# apf --restart
Hope this helps someone out as much as it has helped me!
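The asker's four steps above, and the ip:port -> alternate_ip:port forward from the original question, as a reusable POSIX sh script. This is an added example, not code from the thread or from APF: the function names (valid_port, valid_ipv4, build_nat_rules, apply_nat_rules), the DRY_RUN variable and the /sbin/iptables default are assumptions, and the sample values (eth0, 400, 6.6.6.6:500) are the ones used in the question. It differs from the followup in two ways a defender will want: the POSTROUTING MASQUERADE is limited to the forwarded flow instead of masquerading everything the box forwards, and explicit FORWARD accept rules are included so the forward does not depend on whatever FORWARD policy APF sets.

```shell
#!/bin/sh
# Added example (not from the thread): build and optionally apply the iptables
# rules for one TCP ip:port -> ip:port forward. $IPT is the same variable APF's
# preroute.rules/postroute.rules use; the default path is an assumption.
IPT=${IPT:-/sbin/iptables}

# valid_port PORT: digits only, 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_ipv4 ADDR: exactly four dotted octets, each 0..255
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1            # split into octets (only the function's own $@ is changed)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_nat_rules IFACE LISTEN_PORT TARGET_IP TARGET_PORT
# Prints the four iptables commands, one per line, without running anything.
build_nat_rules() {
    iface=$1 lport=$2 tip=$3 tport=$4
    valid_port "$lport" && valid_port "$tport" && valid_ipv4 "$tip" || return 1
    # 1. rewrite the destination of packets arriving on IFACE:LISTEN_PORT (the asker's step 2)
    printf '%s\n' "$IPT -t nat -A PREROUTING -i $iface -p tcp --dport $lport -j DNAT --to-destination $tip:$tport"
    # 2. let exactly this flow, and its replies, through the FORWARD chain
    printf '%s\n' "$IPT -A FORWARD -i $iface -p tcp -d $tip --dport $tport -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "$IPT -A FORWARD -o $iface -p tcp -s $tip --sport $tport -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 3. source-NAT only this flow so the target answers via this box (the asker's step 3,
    #    scoped instead of a blanket "-A POSTROUTING -j MASQUERADE")
    printf '%s\n' "$IPT -t nat -A POSTROUTING -p tcp -d $tip --dport $tport -j MASQUERADE"
}

# apply_nat_rules IFACE LISTEN_PORT TARGET_IP TARGET_PORT
# Runs the rules with $IPT (needs root); DRY_RUN=1 only prints them.
# Also warns when the asker's step 1 (ip_forward) has not been done.
apply_nat_rules() {
    rules=$(build_nat_rules "$@") || { echo "apply_nat_rules: invalid argument(s)" >&2; return 1; }
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ] \
        || echo "warning: net.ipv4.ip_forward is not 1; forwarded packets will be dropped" >&2
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$rules"
        return 0
    fi
    printf '%s\n' "$rules" | while IFS= read -r cmd; do
        $cmd || exit 1      # arguments contain no whitespace, so plain word splitting is safe
    done
}

# Example call, assumed values from the question (prints only, so it is safe to run as-is):
# DRY_RUN=1 apply_nat_rules eth0 400 6.6.6.6 500
```

To make the rules survive an APF restart, put the PREROUTING and FORWARD lines in /etc/apf/preroute.rules and the POSTROUTING line in /etc/apf/postroute.rules, exactly as the asker's followup describes, and set net.ipv4.ip_forward = 1 in /etc/sysctl.conf so step 1 survives a reboot. Scoping the MASQUERADE matters beyond tidiness: an unrestricted POSTROUTING MASQUERADE rewrites the source of every packet the box forwards, so any other traffic that FORWARD lets through leaves with the box's address, and the target at 6.6.6.6 only ever sees 5.5.5.5 in its logs rather than the real client; if the target needs the client address, use an application-level proxy instead of NAT.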
This is easily achieved with iptables, but I know you said you prefer not to use it. Any specific reason for that? I can't think of anything to do this that would give you less headaches than a few iptables rules.
iptables IS the easy way, and many experts here can help with that.