* NAT & FORWARDING
@ 2004-01-29 14:23 Srinivasa Hebbar
2004-01-30 0:28 ` John A. Sullivan III
2004-01-30 15:40 ` Henrik Nordstrom
0 siblings, 2 replies; 8+ messages in thread
From: Srinivasa Hebbar @ 2004-01-29 14:23 UTC (permalink / raw)
To: netfilter-devel
Hello,
I believe that the NAT PREROUTING and POSTROUTING will
always take place for all the incoming/outgoing packets
irrespective of whether the packet is destined to the node or not.
I have a situation that if the dest. IP address of the packet is
for the local node, then apply NAT rule, otherwise it should simply
forward the packet according to the routing table.
How can I achieve the above?
Any help is very much appreciated.
Regards,
S. Hebbar.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: NAT & FORWARDING
2004-01-29 14:23 NAT & FORWARDING Srinivasa Hebbar
@ 2004-01-30 0:28 ` John A. Sullivan III
2004-01-30 4:50 ` Srinivasa Hebbar
2004-01-30 15:40 ` Henrik Nordstrom
1 sibling, 1 reply; 8+ messages in thread
From: John A. Sullivan III @ 2004-01-30 0:28 UTC (permalink / raw)
To: Srinivasa Hebbar; +Cc: netfilter-devel
On Thu, 2004-01-29 at 09:23, Srinivasa Hebbar wrote:
> Hello,
>
> I believe that the NAT PREROUTING and POSTROUTING will
> always take place for all the incoming/outgoing packets
> irrespective of whether the packet is destined to the node or not.
>
> I have a situation that if the dest. IP address of the packet is
> for the local node, then apply NAT rule, otherwise it should simply
> forward the packet according to the routing table.
>
> How can I achieve the above?
>
> Any help is very much appreciated.
>
> Regards,
> S. Hebbar.
Could you give a little more information, please. That would help us
understand why you would want to NAT a packet destined for the local
node itself and why one would not simply NAT only if the destination
address matched the local node. Thanks - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
* Re: NAT & FORWARDING
2004-01-30 0:28 ` John A. Sullivan III
@ 2004-01-30 4:50 ` Srinivasa Hebbar
2004-01-30 5:35 ` John A. Sullivan III
2004-01-31 9:30 ` Henrik Nordstrom
0 siblings, 2 replies; 8+ messages in thread
From: Srinivasa Hebbar @ 2004-01-30 4:50 UTC (permalink / raw)
To: John A. Sullivan III; +Cc: netfilter-devel
Dear John,
Your solution works fine for me.
Actually, I want to know how I can build a NAT rule
which will have "and" condition.
My box has at least 50 interfaces and I want to do NAT on
all interfaces except "eth0" and "xpeth0"
So I want something like,
iptables -t nat -A PREROUTING -i ! (eth0 && xpeth0) -p tcp --dport 3021 -j ACCEPT
But, the iptables doesn't take the above syntax.
Could you give me some hint how to solve the above problem.
One solution is to add the rule for all other 48 interfaces
to accept the connection on port 3021. I can't use wildcards because each
interface name is different.
Regards,
S. Hebbar.
> On Thu, 2004-01-29 at 09:23, Srinivasa Hebbar wrote:
> > Hello,
> >
> > I believe that the NAT PREROUTING and POSTROUTING will
> > always take place for all the incoming/outgoing packets
> > irrespective of whether the packet is destined to the node or not.
> >
> > I have a situation that if the dest. IP address of the packet is
> > for the local node, then apply NAT rule, otherwise it should simply
> > forward the packet according to the routing table.
> >
> > How can I achieve the above?
> >
> > Any help is very much appreciated.
> >
> > Regards,
> > S. Hebbar.
>
> Could you give a little more information, please. That would help us
> understand why you would want to NAT a packet destined for the local
> node itself and why one would not simply NAT only if the destination
> address matched the local node. Thanks - John
* Re: NAT & FORWARDING
2004-01-30 4:50 ` Srinivasa Hebbar
@ 2004-01-30 5:35 ` John A. Sullivan III
2004-01-31 9:30 ` Henrik Nordstrom
1 sibling, 0 replies; 8+ messages in thread
From: John A. Sullivan III @ 2004-01-30 5:35 UTC (permalink / raw)
To: Srinivasa Hebbar; +Cc: netfilter-devel
Strange, I just took a quick look at the iptables man page and didn't
see it but I thought there was a RETURN target. You may want to look
into that. As I recall, you would just create a rule that if the packet
matched -i eth0 -j RETURN and it would not continue traversing the
current chain. You would also add the same type rule for -i xpeth0.
On Thu, 2004-01-29 at 23:50, Srinivasa Hebbar wrote:
> Dear John,
>
> Your solution works fine for me.
> Actually, I want to know how I can build a NAT rule
> which will have "and" condition.
>
> My box has at least 50 interfaces and I want to do NAT on
> all interfaces except "eth0" and "xpeth0"
>
> So I want something like,
>
> iptables -t nat -A PREROUTING -i ! (eth0 && xpeth0) -p tcp --dport 3021 -j ACCEPT
>
> But, the iptables doesn't take the above syntax.
>
> Could you give me some hint how to solve the above problem.
> One solution is to add the rule for all other 48 interfaces
> to accept the connection on port 3021. I can't use wildcards because each
> interface name is different.
>
> Regards,
> S. Hebbar.
>
>
> > On Thu, 2004-01-29 at 09:23, Srinivasa Hebbar wrote:
> > > Hello,
> > >
> > > I believe that the NAT PREROUTING and POSTROUTING will
> > > always take place for all the incoming/outgoing packets
> > > irrespective of whether the packet is destined to the node or not.
> > >
> > > I have a situation that if the dest. IP address of the packet is
> > > for the local node, then apply NAT rule, otherwise it should simply
> > > forward the packet according to the routing table.
> > >
> > > How can I achieve the above?
> > >
> > > Any help is very much appreciated.
> > >
> > > Regards,
> > > S. Hebbar.
> >
> > Could you give a little more information, please. That would help us
> > understand why you would want to NAT a packet destined for the local
> > node itself and why one would not simply NAT only if the destination
> > address matched the local node. Thanks - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
* Re: NAT & FORWARDING
2004-01-29 14:23 NAT & FORWARDING Srinivasa Hebbar
2004-01-30 0:28 ` John A. Sullivan III
@ 2004-01-30 15:40 ` Henrik Nordstrom
2004-01-30 15:52 ` Patrick McHardy
1 sibling, 1 reply; 8+ messages in thread
From: Henrik Nordstrom @ 2004-01-30 15:40 UTC (permalink / raw)
To: Srinivasa Hebbar; +Cc: netfilter-devel
On Thu, 29 Jan 2004, Srinivasa Hebbar wrote:
> I have a situation that if the dest. IP address of the packet is
> for the local node, then apply NAT rule, otherwise it should simply
> forward the packet according to the routing table.
>
> How can I achieve the above?
You need to know which addresses are local. Other than this, it is just a
matter of doing it. DNAT is done in PREROUTING and can change the destination freely.
If you want to be able to NAT sessions initiated by the local node then
you need to enable NAT of local sessions in the kernel build.
Regards
Henrik
* Re: NAT & FORWARDING
2004-01-30 15:40 ` Henrik Nordstrom
@ 2004-01-30 15:52 ` Patrick McHardy
0 siblings, 0 replies; 8+ messages in thread
From: Patrick McHardy @ 2004-01-30 15:52 UTC (permalink / raw)
To: Henrik Nordstrom; +Cc: Srinivasa Hebbar, netfilter-devel
Henrik Nordstrom wrote:
> On Thu, 29 Jan 2004, Srinivasa Hebbar wrote:
>
>
>>I have a situation that if the dest. IP address of the packet is
>>for the local node, then apply NAT rule, otherwise it should simply
>>forward the packet according to the routing table.
>>
>>How can I achieve the above?
>
>
> You need to know which addresses are local. Other than this, it is just a
> matter of doing it. DNAT is done in PREROUTING and can change the destination freely.
The addrtype match was written out of a similar need, it matches
what routing thinks of an address. It can be found in
patch-o-matic/extra.
Best regards,
Patrick
>
> If you want to be able to NAT sessions initiated by the local node then
> you need to enable NAT of local sessions in the kernel build.
>
> Regards
> Henrik
>
* Re: NAT & FORWARDING
2004-01-30 4:50 ` Srinivasa Hebbar
2004-01-30 5:35 ` John A. Sullivan III
@ 2004-01-31 9:30 ` Henrik Nordstrom
1 sibling, 0 replies; 8+ messages in thread
From: Henrik Nordstrom @ 2004-01-31 9:30 UTC (permalink / raw)
To: Srinivasa Hebbar; +Cc: John A. Sullivan III, netfilter-devel
On Fri, 30 Jan 2004, Srinivasa Hebbar wrote:
> Your solution works fine for me.
> Actually, I want to know how I can build a NAT rule
> which will have "and" condition.
>
> My box has atleast 50 interfaces and I want to do NAT on
> all interfaces except "eth0" and "xpeth0"
AND is a little tricky for the built-in matches, but what you can do is to
use a custom chain and RETURN.
iptables -t nat -N NAT3021
iptables -t nat -A NAT3021 -i eth0 -j RETURN
iptables -t nat -A NAT3021 -i xpeth0 -j RETURN
iptables -t nat -A NAT3021 -j DNAT ....
iptables -t nat -A PREROUTING -p tcp --dport 3021 -j NAT3021
Regards
Henrik
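The following script is an added example, not code posted in the thread. It puts the two answers above together: the PREROUTING rule only matches packets whose destination the routing table considers LOCAL (the addrtype match Patrick McHardy mentions, which has since moved from patch-o-matic into mainline iptables), so forwarded traffic never enters the NAT chain, and the custom chain uses RETURN to skip the excluded interfaces exactly as Henrik Nordstrom shows. It also includes a check that the RETURN rules really sit ahead of the DNAT, since a RETURN appended after the DNAT never fires. The chain name NAT<port>, the DNAT target 10.0.0.5:3021 and the interface names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): build an iptables nat table that
# DNATs TCP port PORT only for locally addressed packets and only when the
# packet did not arrive on one of the excluded interfaces.
# Assumed for illustration: chain NAT<port>, target 10.0.0.5:3021,
# interfaces eth0 and xpeth0.

# gen_nat_rules PORT TARGET IFACE...
# Print an iptables-restore fragment for the nat table.
gen_nat_rules() {
    port=$1; target=$2; shift 2
    chain="NAT${port}"
    printf '%s\n' '*nat' ":${chain} - [0:0]"
    # Exclusions first: a RETURN placed after the DNAT is never reached.
    for ifc in "$@"; do
        printf '%s\n' "-A ${chain} -i ${ifc} -j RETURN"
    done
    printf '%s\n' "-A ${chain} -j DNAT --to-destination ${target}"
    # addrtype LOCAL = "what routing thinks of the address"; forwarded
    # packets do not match and are routed untouched.
    printf '%s\n' "-A PREROUTING -m addrtype --dst-type LOCAL -p tcp --dport ${port} -j ${chain}"
    printf '%s\n' 'COMMIT'
}

# check_exclusions CHAIN IFACE...   (ruleset in iptables-save format on stdin)
# Succeed only if every IFACE has a RETURN in CHAIN before the chain's DNAT
# rule. Feed it `iptables-save -t nat` after loading to confirm the
# exclusions are effective on the live box.
check_exclusions() {
    chain=$1; shift
    ruleset=$(cat)
    for ifc in "$@"; do
        printf '%s\n' "$ruleset" | awk -v chain="$chain" -v ifc="$ifc" '
            $1 == "-A" && $2 == chain && /-j DNAT/ { seen_dnat = 1 }
            $1 == "-A" && $2 == chain && $3 == "-i" && $4 == ifc &&
                /-j RETURN/ && !seen_dnat { ok = 1 }
            END { exit ok ? 0 : 1 }' || return 1
    done
    return 0
}

# Stand-alone run: print the ruleset, then verify the ordering.
demo=$(gen_nat_rules 3021 10.0.0.5:3021 eth0 xpeth0)
printf '%s\n' "$demo"
printf '%s\n' "$demo" | check_exclusions NAT3021 eth0 xpeth0 \
    && echo "# every excluded interface RETURNs before the DNAT"
```

To load it, pipe the output into `iptables-restore --noflush` (add `--test` first to syntax-check without touching the kernel). The same RETURN pattern works for any other exclusion criterion, for instance a port that must stay on the box, and because addrtype asks the routing table, addresses added to the host later are covered without editing the rules. One caveat outside the thread's scope: if the DNAT target is not behind this host, its replies must still route back through it (for example via SNAT in POSTROUTING), or the translated connection never completes.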
* NAT & forwarding
@ 2005-03-15 6:35 Alexander Newald
0 siblings, 0 replies; 8+ messages in thread
From: Alexander Newald @ 2005-03-15 6:35 UTC (permalink / raw)
To: netfilter
Hello,
I have some problems with the following:
I have one box (123.123.123.123) from which I would like to forward all
traffic coming to this box to another (12.12.12.12). This should be
transparent for the clients. So if I do a http or ftp request to
123.123.123.123 the answer (webpage, ftp login) comes from 12.12.12.12.
I'd like to have this, but not for ssh (so I can login to 123.123.123.123).
I thought that I should do
iptables -t nat -I PREROUTING -d 123.123.123.123 -s 0/0 -j DNAT --to 12.12.12.12
on 123.123.123.123
But it doesn't work. Do I need to setup something on 12.12.12.12?
Thanks,
Alexander Newald
Thread overview: 8+ messages
2004-01-29 14:23 NAT & FORWARDING Srinivasa Hebbar
2004-01-30 0:28 ` John A. Sullivan III
2004-01-30 4:50 ` Srinivasa Hebbar
2004-01-30 5:35 ` John A. Sullivan III
2004-01-31 9:30 ` Henrik Nordstrom
2004-01-30 15:40 ` Henrik Nordstrom
2004-01-30 15:52 ` Patrick McHardy
-- strict thread matches above, loose matches on Subject: below --
2005-03-15 6:35 NAT & forwarding Alexander Newald