* Transitioning from one DNAT gateway to another
From: Joe Haynes @ 2003-02-21 0:42 UTC (permalink / raw)
To: netfilter; +Cc: jhaynes
Hello to the list.
I apologize if this subject has been covered
elsewhere, but I have yet to locate instructions
on how to do this (redirections to appropriate
sites would be much appreciated).
Our network is currently attached to the internet via
a wavelan link (with a dedicated IP). We are transitioning
over to a T-1 line that has a new IP address.
What we would like to do is run a gateway off each single
external address and redirect specific ports to a single
internal server (we want to run both while we wait for
DNS updates).
Currently, we redirect port 80 on our external IP to an internal
webserver (also on port 80) using this line:
$IPT -t nat -A PREROUTING -i $INTERNET_DEV -d $INTERNET_IP -p tcp --dport 80 -j DNAT --to 192.168.1.5
We'd like to do the same thing off the new gateway that's
linked to the T-1 line.
The problem I've run into is the responses that have come
through the new gateway end up getting sent back out
the old gateway.
Is there a way to redirect packets to the internal server using
PREROUTE and then change the source addresses using POSTROUTE so
the responses from the internal server come back through
the correct gateway?
Thank you,
Joe Haynes
Helena Montana
* Re: Transitioning from one DNAT gateway to another
From: Joe Haynes @ 2003-02-21 5:08 UTC (permalink / raw)
To: netfilter
I think I answered my own question. I was able to SNAT
on connections that were directed toward an internal
server using this command:
iptables -t nat -A POSTROUTING -o $DMZ_DEV -j SNAT --to $DMZ_IP
So, when a packet for port 80 comes into the firewall,
it is redirected toward a server in the DMZ. Then, SNAT
is used so the responses back from the web server come back
out through the current gateway instead of the gateway
used by the DMZ server.
I apologize for finding out on my own what should have been
obvious from the start.
-jph
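The per-gateway rule set Joe describes, written out as an added example (it is not Joe's script). It assumes each gateway is a separate Linux box with one external interface (eth0 here, carrying 203.0.113.20) and one DMZ interface (eth1, where the gateway itself is 192.168.1.1), that the web server is 192.168.1.5, and that the server's default route still points at the old gateway; all of these are constructed placeholders. The SNAT rule is narrowed to the DNATted flows rather than everything the gateway sends into the DMZ. With DRY_RUN=1 (the default) the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not Joe's script: DNAT plus SNAT on the *new* gateway box.
# Assumptions (constructed, not from the thread): eth0 is the external
# interface carrying 203.0.113.20, eth1 is the DMZ interface where the
# gateway itself is 192.168.1.1, and the web server is 192.168.1.5.
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# dnat_to_dmz <ext_if> <ext_ip> <port> <dmz_ip>
# Requests arriving on this gateway's external link for its public address
# are rewritten to the DMZ server (Joe's original PREROUTING rule).
dnat_to_dmz() {
    run iptables -t nat -A PREROUTING -i "$1" -d "$2" -p tcp --dport "$3" \
        -j DNAT --to-destination "$4"
}

# snat_toward_dmz <dmz_if> <fw_dmz_ip> <dmz_ip> <port>
# Joe's fix: rewrite the source of the DNATted flows to this gateway's own
# DMZ address, so the server answers this gateway instead of following its
# default route to the old one. conntrack reverses both the SNAT and the
# DNAT on the reply, which then leaves on the link the request came in on.
# Narrowed to the DNATted destination and port rather than all traffic on -o.
snat_toward_dmz() {
    run iptables -t nat -A POSTROUTING -o "$1" -d "$3" -p tcp --dport "$4" \
        -j SNAT --to-source "$2"
}

build_ruleset() {
    dnat_to_dmz eth0 203.0.113.20 80 192.168.1.5
    snat_toward_dmz eth1 192.168.1.1 192.168.1.5 80
}

build_ruleset
```

The price of this approach is that the web server sees every client as 192.168.1.1, so its access logs lose the real client addresses for the duration of the transition; if those logs matter for incident review, record the original client address on the gateway itself, or use the policy-routing approach from Joel's reply, which needs no SNAT.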
* Re: Transitioning from one DNAT gateway to another
From: Joel Newkirk @ 2003-02-21 6:58 UTC (permalink / raw)
To: netfilter; +Cc: jhaynes
On Thursday 20 February 2003 07:42 pm, Joe Haynes wrote:
> Hello to the list.
>
> I apologize if this subject has been covered
> elsewhere, but I have yet to locate instructions
> on how to do this (redirections to appropriate
> sites would be much appreciated).
>
> Our network is currently attached to the internet via
> a wavelan link (with a dedicated IP). We are transitioning
> over to a T-1 line that has a new IP address.
>
> What we would like to do is run a gateway off each single
> external address and redirect specific ports to a single
> internal server (we want to run both while we wait for
> DNS updates).
>
> Currently, we redirect port 80 on our external IP to an internal
> webserver (also on port 80) using this line:
> $IPT -t nat -A PREROUTING -i $INTERNET_DEV -d $INTERNET_IP -p tcp --dport 80 -j DNAT --to 192.168.1.5
>
> We'd like to do the same thing off the new gateway that's
> linked to the T-1 line.
>
> The problem I've run into is the responses that have come
> through the new gateway end up getting sent back out
> the old gateway.
>
> Is there a way to redirect packets to the internal server using
> PREROUTE and then change the source addresses using POSTROUTE so
> the responses from the internal server come back through
> the correct gateway?
You should do this in routing. Read up at
http://lartc.org/howto/lartc.rpdb.multiple-links.html#AEN266 which is
the specific part of the Linux Advanced Routing and Traffic Control
howto that deals with "Split Access", where you have incoming requests
on two different links that have to be answered back out the same link.
Essentially you set up two default routes each in its own table, and set
routing rules that route traffic with a particular source IP to use the
appropriate routing table. Traffic inbound gets DNATted to the server,
and when it returns gets unDNATted to present source IP matching the
original destination IP of the request, then routing takes over and
sends it out the appropriate link.
j
> Thank you,
>
> Joe Haynes
> Helena Montana
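A single-gateway version of the split-access setup Joel points to, as an added example (it is neither Joel's nor the LARTC howto's code): one Linux gateway holds both external links and the DMZ behind it. Interface names, addresses, table numbers and marks are constructed assumptions. It goes beyond Joel's description in one respect: for forwarded packets the reverse of a DNAT is applied in POSTROUTING, after the routing decision, so a rule keyed on the source address does not see the public address on the reply. The script therefore also tags each connection with the link it arrived on (CONNMARK) and keys a second rule on that mark. No SNAT is involved, so the web server keeps seeing real client addresses in its logs.

```shell
#!/bin/sh
# Added example (not from the thread or the LARTC howto): one gateway with
# two external links, DNAT to a DMZ server, replies routed back out the
# link they came in on. Every name, address, table number and mark below is
# a constructed assumption.
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# link_tables <table> <ext_if> <ext_net> <ext_ip> <next_hop> <mark>
link_tables() {
    tbl=$1; dev=$2; net=$3; addr=$4; gw=$5; mark=$6
    # Per-link routing table: the link's own prefix plus its default route.
    run ip route add "$net" dev "$dev" src "$addr" table "$tbl"
    run ip route add default via "$gw" dev "$dev" table "$tbl"
    # Locally originated traffic sourced from this link's address uses it.
    run ip rule add from "$addr" table "$tbl"
    # Forwarded replies are matched by connection mark, not source address:
    # the reply's source is still the DMZ server's address when routing runs,
    # because un-DNAT happens in POSTROUTING.
    run ip rule add fwmark "$mark" table "$tbl"
    # Remember, per connection, which link a new connection arrived on.
    run iptables -t mangle -A PREROUTING -i "$dev" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$mark"
    # DNAT as in Joe's original rule; no SNAT, so the server sees real clients.
    run iptables -t nat -A PREROUTING -i "$dev" -d "$addr" -p tcp --dport 80 \
        -j DNAT --to-destination 192.168.1.5
}

build_ruleset() {
    link_tables 100 eth0 198.51.100.0/24 198.51.100.10 198.51.100.1 1  # old wavelan link
    link_tables 200 eth1 203.0.113.0/24 203.0.113.20 203.0.113.1 2     # new T-1 link
    # Copy the saved connection mark onto every later packet of the
    # connection, so the server's replies carry their link's mark at routing.
    run iptables -t mangle -A PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED \
        -j CONNMARK --restore-mark
    run ip route flush cache
}

build_ruleset
```

Each per-link table only carries that link's prefix and a default route; if marked connections must also reach hosts on the LAN or DMZ prefixes, copy those connected routes into both tables as well. Run with DRY_RUN=1 first and compare the printed commands against the intended policy before executing the script as root.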
* Re: Transitioning from one DNAT gateway to another
From: Joel Newkirk @ 2003-02-21 7:01 UTC (permalink / raw)
To: jhaynes, netfilter
Sorry, I missed that the gateways were yours, I was thinking that you
were referring to the gateways at the provider and that you had a
single-point connection locally to both.
j
On Friday 21 February 2003 12:08 am, Joe Haynes wrote:
> I think I answered my own question. I was able to SNAT
> on connections that were directed toward an internal
> server using this command:
>
> iptables -t nat -A POSTROUTING -o $DMZ_DEV -j SNAT --to $DMZ_IP
>
> So, when a packet for port 80 comes into the firewall,
> it is redirected toward a server in the DMZ. Then, SNAT
> is used so the responses back from the web server come back
> out through the current gateway instead of the gateway
> used by the DMZ server.
>
> I apologize for finding out on my own what should have been
> obvious from the start.
>
> -jph