From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
To: netfilter@lists.netfilter.org
Subject: Re: DNAT and local hosts
Date: Tue, 08 May 2007 10:34:30 +0200
Message-ID: <46403616.60103@plouf.fr.eu.org>
In-Reply-To: <C3FA62B1A90D7440B9B6C7C31895994F03663A32@zadbn02100.vodacom.corp>
Hello,
Pieter De Wit wrote:
>
> C1 --.
>       |
>       |-FW--- internet
>       |
> C2 --'
>
> Ok - for this email, I will give C1 192.168.0.10 and C2 192.168.0.11.
> The Firewall (FW) has two ethernet connections, eth0 and eth1. eth1 is
> connected to an ADSL modem in bridged mode, which creates ppp0. Let's say
> for this email, ppp0 gets 1.2.3.4.
>
> Now, all connections are routed out via FW:ppp0 and are NAT'ed. There is
> a rule that allows connections to ppp0 on port 1234 and DNATs them to
> C1. When C2 makes a connection to 1.2.3.4:1234 it fails with "Connection
> refused" since there is no "server" listening on the firewall's
> ppp0, port 1234.
>
> How can I solve this? I need FW to DNAT "local/C2" connections back to
> C1.
Here is the FGA (Frequently Given Answer) to your FAQ (Frequently Asked
Question).
1) NAT the incoming connections on the LAN interface based on the
destination address and port. If ppp0 gets a different address at each
PPP session, this rule must be created at the beginning (and deleted at
the end) of the PPP session, for instance using the /etc/ppp/ip-up and
/etc/ppp/ip-down scripts:
iptables -t nat -A PREROUTING -i eth0 -d 1.2.3.4 -p tcp --dport 1234 \
-j DNAT --to-destination 192.168.0.10
2) Allow forwarded traffic from LAN to LAN, if blocked by default:
iptables -A FORWARD -i eth0 -o eth0 -j ACCEPT
3) NAT or MASQUERADE the source address of the redirected connections,
so the replies from C1 are routed back to the firewall and can be
properly un-DNATed before they reach C2:
iptables -t nat -A POSTROUTING -o eth0 -d 192.168.0.10 \
-p tcp --dport 1234 -j SNAT --to-source <eth0_address>
or:
iptables -t nat -A POSTROUTING -o eth0 -d 192.168.0.10 \
-p tcp --dport 1234 -j MASQUERADE
Note that if C2 runs Linux too, an alternative is to create a single
DNAT rule on it in order to divert locally generated traffic sent to
1.2.3.4:1234:
iptables -t nat -A OUTPUT -d 1.2.3.4 -p tcp --dport 1234 \
-j DNAT --to-destination 192.168.0.10
Note: there is no INPUT chain in the 'nat' table because it is
traversed after the routing decision, so it is too late to change the
destination.
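The three steps above, packaged as the ip-up/ip-down hook the answer suggests. This is an added example and not code from the post: it installs the rules with -A when pppd brings ppp0 up and removes them with -D when it goes down, taking the session's address from pppd's fourth script argument (pppd calls ip-up and ip-down with interface, tty, speed, local IP, remote IP and ipparam). The LAN address 192.168.0.1 used for the SNAT step and the IPTABLES override for dry runs are assumptions made for this example; the server, port and interface values are the ones from the thread.

```shell
#!/bin/sh
# Hairpin DNAT for LAN clients reaching a published service by its public
# address. Added example, not the original post's script. Intended to be
# sourced from /etc/ppp/ip-up and /etc/ppp/ip-down (pppd passes:
# $1 interface, $2 tty, $3 speed, $4 local IP, $5 remote IP, $6 ipparam).

# Constructed values for this example; only LAN_ADDR is not from the thread.
LAN_IF="${LAN_IF:-eth0}"              # interface facing C1 and C2
LAN_ADDR="${LAN_ADDR:-192.168.0.1}"   # assumed firewall address on eth0
SERVER="${SERVER:-192.168.0.10}"      # C1, the real server
PORT="${PORT:-1234}"                  # published TCP port
# Set IPTABLES=iptables_dry to print the rules instead of applying them.
IPTABLES="${IPTABLES:-iptables}"

# Dry-run stand-in for iptables: prints the command line it would run.
iptables_dry() { echo "iptables $*"; }

# hairpin_rules ACTION PPP_ADDR
#   ACTION is -A (called from ip-up) or -D (called from ip-down).
#   PPP_ADDR is the address ppp0 received for this session.
#   Returns iptables' exit status; stops at the first failing rule.
hairpin_rules() {
    action="$1"
    ppp_addr="$2"
    case "$action" in
        -A|-D) ;;
        *) echo "hairpin_rules: action must be -A or -D" >&2; return 2 ;;
    esac
    [ -n "$ppp_addr" ] || { echo "hairpin_rules: missing PPP address" >&2; return 2; }

    # 1) Rewrite the destination of LAN packets addressed to the public
    #    address so they reach C1 instead of the firewall itself.
    "$IPTABLES" -t nat "$action" PREROUTING -i "$LAN_IF" -d "$ppp_addr" \
        -p tcp --dport "$PORT" -j DNAT --to-destination "$SERVER" || return $?

    # 2) Permit LAN-to-LAN forwarding (needed only if FORWARD drops by default).
    "$IPTABLES" "$action" FORWARD -i "$LAN_IF" -o "$LAN_IF" -j ACCEPT || return $?

    # 3) Rewrite the source so C1's replies come back through the firewall
    #    and are un-DNATed before C2 sees them, instead of going direct.
    "$IPTABLES" -t nat "$action" POSTROUTING -o "$LAN_IF" -d "$SERVER" \
        -p tcp --dport "$PORT" -j SNAT --to-source "$LAN_ADDR" || return $?
}

# Entry point when invoked by pppd as ip-up or ip-down.
case "$0" in
    */ip-up)   hairpin_rules -A "$4" ;;
    */ip-down) hairpin_rules -D "$4" ;;
esac
```

Because the session address is read from $4 at run time, the PREROUTING rule always matches whatever address ppp0 was assigned, and running the same function with -D on ip-down removes exactly the rules that were added, so nothing stale matches the next session's address.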