Solved

Linux NAT the easy way

Posted on 2011-09-13
475 Views
Last Modified: 2012-05-12
Experts,

I'd like to use a Linux box as a network address translator, but for external IP addresses, and preferably without the use of IPTables.

I like to use APF, but it (Advanced Policy Firewall) doesn't seem to have the functionality I'm interested in.

I'm only interested in one thing: passing all data intended for ip:port -> alternate_ip:port and back again.

So:

4.4.4.4 -> connects to my linux box on 5.5.5.5:400 -> is network address translated and all packets intended for 5.5.5.5:400 are sent to -> 6.6.6.6:500 <> then from 6.6.6.6:500 -> the response is sent to 5.5.5.5:400 -> back to 4.4.4.4:[on incoming port]

So exactly like a NAT on a local router, only internet based.

I'm familiar with nginx, pound, apache methods, but they are much more complicated than what I want.

I want simple. Because simple works on any IP and any port with any service.

I'm a Perl guy, so if there is a Perl method I'd be interested too.

Thanks for any help!
Question by:dr34m3rs
10 Comments
 
LVL 21

Expert Comment

by:Papertrip
ID: 36533130
NAT does not forward ports, that is what PAT is for.

This is easily achieved with iptables, but I know you said you prefer not to use it.  Any specific reason for that?  I can't think of anything to do this that would give you less headaches than a few iptables rules.

iptables IS the easy way, and many experts here can help with that.
 
LVL 1

Author Comment

by:dr34m3rs
ID: 36533151
Would I be able to use custom IPTables rules with APF? Since APF configures IPTables? Or would my custom rules be overwritten when APF is restarted?
 
LVL 21

Accepted Solution

by:
Papertrip earned 1600 total points
ID: 36533225
Hmm, that's quite possible, I wouldn't be the least bit surprised if it did. APF probably wants complete control to avoid manual errors and maybe flushes the table and rewrites it via cron. That's just a guess though, I've never used APF.

Are you just using APF for "simple" things like blocking all incoming ports except maybe 80 and 443?

If so, and you switched to managing iptables directly, once you set up a single rule to say allow TCP/80, you can just copy the entire rule and change the port to say 443. Basically what I'm saying is, if you need just basic firewalling then the rules are easy and there are TONS of links out there, along with lots of experts here ;)
 
LVL 1

Author Comment

by:dr34m3rs
ID: 36533372
Cool, thanks for your help and advice in this matter. Really appreciate it.

I'm considering all aspects of this and will do a little research on my own.

I use APF because it's very easy to set up and I've not had time to learn the iptables syntax. I don't generally do anything fancy with my firewall rules. APF rocks because you can set up allow / deny lists and it works beautifully with custom scripts and a program called "brute force defender" which basically just scans logs and blocks brute force attacks to ports using APF.

I use APF for closing everything but the ports needed by services I use.

I did a quick scan of Google before going out for the night and found some references to custom iptables - so we'll see how that goes.

 
LVL 5

Expert Comment

by:hvillanu
ID: 36533413
Hi,
The "easy" way could be using a GUI to configure iptables... check this: http://www.fwbuilder.org/
-regards-
 
LVL 1

Author Comment

by:dr34m3rs
ID: 36533923
hvillanu: Thanks for the idea, but no GUI on my Linux boxes. Could do Webmin or something, I suppose.

And an idea I had was: if APF does reset the custom iptables, I could just write a custom start script that adds them at boot and upon manual restarts...
 
LVL 5

Assisted Solution

by:hvillanu
hvillanu earned 400 total points
ID: 36533966
Hi,

Well, you can "construct/build/test" the script on Linux with KDE, Gnome, or whatever you like, then export it to a script, and finally run it on production with iptables-restore or a shell to import it.
Webmin is OK too, but I prefer fwbuilder.
-regards-
 
LVL 1

Author Comment

by:dr34m3rs
ID: 36537662
Alright, I had some time and googled:

APF uses a preroute.rules file and you can do things like

$IPT -t nat -I PREROUTING -p tcp --dport 3625 -j REDIRECT --to-port 25
$IPT -t nat -I PREROUTING -p tcp --dport 3636 -j REDIRECT --to-port 8443

Although the above example is port-related and not an ip:port combo, I'm confident I'll be able to find my answer. If I run into issues I'll ask another question here in the correct area.

Thanks for all the help Paper and Villa
 
LVL 1

Author Closing Comment

by:dr34m3rs
ID: 36537673
Thanks again!
 
LVL 1

Author Comment

by:dr34m3rs
ID: 36539322
Followup:

Fooling around with this I was able to determine the following:

This works on CentOS 6 64-bit Linux running Advanced Policy Firewall (APF).

1) Turn on IP forwarding
# echo 1 >/proc/sys/net/ipv4/ip_forward

2) Place the following rule into your /etc/apf/preroute.rules file:

$IPT -t nat -A PREROUTING -p tcp --dport PORTNUMBER -i eth0 -j DNAT --to-destination X.X.X.X:PORT

# PORTNUMBER = the port number on your eth0 interface (incoming)
# eth0 = the interface you'd like to use
# x.x.x.x:port (your ip:port) example = 10.0.0.10:81 (can be intranet or internet it seems)

3) Place the following rule into your /etc/apf/postroute.rules file:

$IPT -t nat -A POSTROUTING -j MASQUERADE


4) Restart APF and look for any errors near the top of the output near
"loading preroute.rules"

# apf --restart



Hope this helps someone out as much as it has helped me!
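The four steps in the follow-up above, gathered into one script as an added example (this is not code from the thread, from APF or from the iptables project). It validates the port and address arguments, prints the rules for review, and applies them only when asked, which is also the "custom start script" idea from earlier in the thread. Assumptions not stated on the page: iptables is at /sbin/iptables unless IPT is set in the environment, the public interface is passed as an argument, and the FORWARD chain may carry a DROP policy, so explicit ACCEPT rules are added for the forwarded flow. The POSTROUTING rule is narrowed to the forwarded destination instead of the blanket MASQUERADE shown in step 3, since a blanket rule rewrites the source of every forwarded packet and hides the original client address from every destination, not just this one.

```shell
#!/bin/sh
# Added example, not code from the thread, APF or iptables itself: generate and
# optionally apply the rules that forward TCP IFACE:LISTEN_PORT to DEST_IP:DEST_PORT.
# Assumptions (not stated on the page): iptables lives at /sbin/iptables unless
# IPT is set in the environment, and the FORWARD chain may have a DROP policy,
# so explicit ACCEPT rules are added for the forwarded flow.

IPT="${IPT:-/sbin/iptables}"

# valid_port PORT: succeed only if PORT is an integer from 1 to 65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_ipv4 ADDR: succeed only if ADDR is a dotted quad with octets 0 to 255.
valid_ipv4() {
    oldifs=$IFS
    IFS=.
    set -f                 # no globbing while splitting on dots
    set -- $1
    set +f
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_rules IFACE LISTEN_PORT DEST_IP DEST_PORT
# Print the rules one per line without running them, so they can be reviewed
# (or pasted into APF's preroute.rules / postroute.rules, where $IPT is defined).
build_rules() {
    iface=$1; lport=$2; dip=$3; dport=$4
    valid_port "$lport" && valid_port "$dport" && valid_ipv4 "$dip" || return 1
    # PREROUTING: rewrite the destination of connections arriving on IFACE:LISTEN_PORT.
    echo "$IPT -t nat -A PREROUTING -i $iface -p tcp --dport $lport -j DNAT --to-destination $dip:$dport"
    # FORWARD: permit the rewritten flow and its replies; other forwarding stays blocked.
    echo "$IPT -A FORWARD -i $iface -p tcp -d $dip --dport $dport -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPT -A FORWARD -o $iface -p tcp -s $dip --sport $dport -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # POSTROUTING: source-rewrite only this flow, not every forwarded packet.
    echo "$IPT -t nat -A POSTROUTING -p tcp -d $dip --dport $dport -j MASQUERADE"
}

# apply_rules IFACE LISTEN_PORT DEST_IP DEST_PORT: enable forwarding, then run the rules.
apply_rules() {
    rules=$(build_rules "$@") || { echo "usage: IFACE LISTEN_PORT DEST_IP DEST_PORT" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1 >/dev/null || return 1
    printf '%s\n' "$rules" | while IFS= read -r cmd; do
        $cmd || exit 1    # stop at the first rule iptables rejects
    done
}

# Usage: sh portfwd.sh [--apply] IFACE LISTEN_PORT DEST_IP DEST_PORT
# Without --apply the rules are only printed.
case "${1:-}" in
    --apply) shift; apply_rules "$@" ;;
    ?*)      build_rules "$@" ;;
esac
```

Run it once without --apply (for the thread's example, `sh portfwd.sh eth0 400 10.0.0.10 81`) to read the four rules before anything touches the live tables; with --apply it needs root. If APF rewrites the nat table on restart, the DNAT line belongs in preroute.rules and the MASQUERADE line in postroute.rules, exactly as the follow-up describes, and the two FORWARD lines go wherever APF loads filter rules. After applying, `iptables -t nat -L PREROUTING -n -v` shows the DNAT rule with its packet counter, which is the quickest check that traffic is actually hitting it.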
