DNAT and local hosts

DNAT and local hosts

[Pieter De Wit]

Hello Guys,
 
I have the following setup:
 
C1 --.
     |
     |-FW--- internet
     |
C2 --'

Ok - for this email, I will give C1 192.168.0.10 and C2 192.168.0.11.
The Firewall (FW) has two ethernet connections, eth0 and eth1. eth1 is
used to an adsl modem in bridged mode, which creates ppp0. Lets say for
this email, ppp0 get 1.2.3.4.

Now, all connections are routed out via FW:ppp0 and at NAT'ed. There is
a rule that allows connections to ppp0 on port 1234 and DNAT's them to
C1. When C2 makes a connection to 1.2.3.4:1234 it fails with "Connection
refused" since there is no "server" listening on the firewall's
ppp0,port 1234.

How can I solve this ? I need FW to DNAT "local/C2" connections back to
C1.

Thanks,

Pieter
“This e-mail is sent on the Terms and Conditions that can be accessed by Clicking on this link http://www.vodacom.co.za/legal/email.jsp "

Re: DNAT and local hosts

[Jan Engelhardt]

On May 7 2007 17:54, Pieter De Wit wrote:
>
>Now, all connections are routed out via FW:ppp0 and at NAT'ed. There is
>a rule that allows connections to ppp0 on port 1234 and DNAT's them to
>C1. When C2 makes a connection to 1.2.3.4:1234 it fails with "Connection
>refused" since there is no "server" listening on the firewall's
>ppp0,port 1234.

*BEEP* *BUZZ* *ERROR*. You have a direct connection between C1 and C2.


Jan
-- 

RE: DNAT and local hosts

[Pieter De Wit]

*BEEP* *BUZZ* I know - but it's for a closed source app that I need to do this - and it takes the address from the server, the protocol doesn't carry it it :)


-----Original Message-----
From: Jan Engelhardt [mailto:jengelh@linux01.gwdg.de]
Sent: Mon 2007/05/07 18:01
To: Pieter De Wit
Cc: netfilter@lists.netfilter.org
Subject: Re: DNAT and local hosts
 

On May 7 2007 17:54, Pieter De Wit wrote:
>
>Now, all connections are routed out via FW:ppp0 and at NAT'ed. There is
>a rule that allows connections to ppp0 on port 1234 and DNAT's them to
>C1. When C2 makes a connection to 1.2.3.4:1234 it fails with "Connection
>refused" since there is no "server" listening on the firewall's
>ppp0,port 1234.

*BEEP* *BUZZ* *ERROR*. You have a direct connection between C1 and C2.


Jan
-- 

“This e-mail is sent on the Terms and Conditions that can be accessed by Clicking on this link http://www.vodacom.co.za/legal/email.jsp "

Re: DNAT and local hosts

[Ray Leach]

[-- Attachment #1: Type: text/plain, Size: 1325 bytes --]

Pieter De Wit wrote:
> *BEEP* *BUZZ* I know - but it's for a closed source app that I need to do this - and it takes the address from the server, the protocol doesn't carry it it :)
> 
> 
> -----Original Message-----
> From: Jan Engelhardt [mailto:jengelh@linux01.gwdg.de]
> Sent: Mon 2007/05/07 18:01
> To: Pieter De Wit
> Cc: netfilter@lists.netfilter.org
> Subject: Re: DNAT and local hosts
>  
> 
> On May 7 2007 17:54, Pieter De Wit wrote:
>> Now, all connections are routed out via FW:ppp0 and at NAT'ed. There is
>> a rule that allows connections to ppp0 on port 1234 and DNAT's them to
>> C1. When C2 makes a connection to 1.2.3.4:1234 it fails with "Connection
>> refused" since there is no "server" listening on the firewall's
>> ppp0,port 1234.
> 
> *BEEP* *BUZZ* *ERROR*. You have a direct connection between C1 and C2.
> 
> 
> Jan

There is no routing between C1 and C2, so your firewall never sees the 
traffic between the 2.

Put C1 and C2 on two seperate physical networks and connect them through 
firewall to get routing to happen, then you can use iptables to do 
NATing between them.

Else put two interfaces into your firewall, give each interface an ip 
address in the same subnet, configure bridging between the two, put C1 
on the end of one interface and C2 on the other if, then look into ebtables.

RE: DNAT and local hosts

[Pieter De Wit]

Thought so - the other way is to run portfwd and use it to forward the
port "back to C1" - it would have helped if they had an input chain on
-t nat :)

Thanks any ways 

-----Original Message-----
From: Ray Leach [mailto:spoons@rchq.co.za] 
Sent: 2007/05/08 08:05
To: Pieter De Wit
Cc: Jan Engelhardt; netfilter@lists.netfilter.org
Subject: Re: DNAT and local hosts

Pieter De Wit wrote:
> *BEEP* *BUZZ* I know - but it's for a closed source app that I need to

> do this - and it takes the address from the server, the protocol 
> doesn't carry it it :)
> 
> 
> -----Original Message-----
> From: Jan Engelhardt [mailto:jengelh@linux01.gwdg.de]
> Sent: Mon 2007/05/07 18:01
> To: Pieter De Wit
> Cc: netfilter@lists.netfilter.org
> Subject: Re: DNAT and local hosts
>  
> 
> On May 7 2007 17:54, Pieter De Wit wrote:
>> Now, all connections are routed out via FW:ppp0 and at NAT'ed. There 
>> is a rule that allows connections to ppp0 on port 1234 and DNAT's 
>> them to C1. When C2 makes a connection to 1.2.3.4:1234 it fails with 
>> "Connection refused" since there is no "server" listening on the 
>> firewall's ppp0,port 1234.
> 
> *BEEP* *BUZZ* *ERROR*. You have a direct connection between C1 and C2.
> 
> 
> Jan

There is no routing between C1 and C2, so your firewall never sees the
traffic between the 2.

Put C1 and C2 on two seperate physical networks and connect them through
firewall to get routing to happen, then you can use iptables to do
NATing between them.

Else put two interfaces into your firewall, give each interface an ip
address in the same subnet, configure bridging between the two, put C1
on the end of one interface and C2 on the other if, then look into
ebtables.
“This e-mail is sent on the Terms and Conditions that can be accessed by Clicking on this link http://www.vodacom.co.za/legal/email.jsp "

Re: DNAT and local hosts

[Ray Leach]

[-- Attachment #1: Type: text/plain, Size: 2082 bytes --]

Pieter De Wit wrote:
> Thought so - the other way is to run portfwd and use it to forward the
> port "back to C1" - it would have helped if they had an input chain on
> -t nat :)
> 
> Thanks any ways 
> 
> -----Original Message-----
> From: Ray Leach [mailto:spoons@rchq.co.za] 
> Sent: 2007/05/08 08:05
> To: Pieter De Wit
> Cc: Jan Engelhardt; netfilter@lists.netfilter.org
> Subject: Re: DNAT and local hosts
> 
> Pieter De Wit wrote:
>> *BEEP* *BUZZ* I know - but it's for a closed source app that I need to
> 
>> do this - and it takes the address from the server, the protocol 
>> doesn't carry it it :)
>>
>>
>> -----Original Message-----
>> From: Jan Engelhardt [mailto:jengelh@linux01.gwdg.de]
>> Sent: Mon 2007/05/07 18:01
>> To: Pieter De Wit
>> Cc: netfilter@lists.netfilter.org
>> Subject: Re: DNAT and local hosts
>>  
>>
>> On May 7 2007 17:54, Pieter De Wit wrote:
>>> Now, all connections are routed out via FW:ppp0 and at NAT'ed. There 
>>> is a rule that allows connections to ppp0 on port 1234 and DNAT's 
>>> them to C1. When C2 makes a connection to 1.2.3.4:1234 it fails with 
>>> "Connection refused" since there is no "server" listening on the 
>>> firewall's ppp0,port 1234.
>> *BEEP* *BUZZ* *ERROR*. You have a direct connection between C1 and C2.
>>
>>
>> Jan
> 
> There is no routing between C1 and C2, so your firewall never sees the
> traffic between the 2.
> 
> Put C1 and C2 on two seperate physical networks and connect them through
> firewall to get routing to happen, then you can use iptables to do
> NATing between them.
> 
> Else put two interfaces into your firewall, give each interface an ip
> address in the same subnet, configure bridging between the two, put C1
> on the end of one interface and C2 on the other if, then look into
> ebtables.
> “This e-mail is sent on the Terms and Conditions that can be accessed by Clicking on this link http://www.vodacom.co.za/legal/email.jsp "
> 
> 
> 

INPUT on -t nat wouldn't help you here since the destination is not the 
firewall ...

RE: DNAT and local hosts

[Pieter De Wit]

It is...the destination is the ppp0 interface... 

*snip*

INPUT on -t nat wouldn't help you here since the destination is not the
firewall ...
“This e-mail is sent on the Terms and Conditions that can be accessed by Clicking on this link http://www.vodacom.co.za/legal/email.jsp "

RE: DNAT and local hosts

[Jan Engelhardt]

On May 8 2007 08:38, Pieter De Wit wrote:
>
>It is...the destination is the ppp0 interface... 

But *only* for the first packet.

>*snip*
>
>INPUT on -t nat wouldn't help you here since the destination is not the
>firewall ...
>This e-mail is sent on the Terms and Conditions that can be accessed by Clicking on this link http://www.vodacom.co.za/legal/email.jsp "

Jan
-- 

Re: DNAT and local hosts

[Jan Engelhardt]

On May 8 2007 08:05, Ray Leach wrote:
>> On May 7 2007 17:54, Pieter De Wit wrote:
>> > Now, all connections are routed out via FW:ppp0 and at NAT'ed. There
>> > is
>> > a rule that allows connections to ppp0 on port 1234 and DNAT's them to
>> > C1. When C2 makes a connection to 1.2.3.4:1234 it fails with
>> > "Connection
>> > refused" since there is no "server" listening on the firewall's
>> > ppp0,port 1234.
>> 
>> *BEEP* *BUZZ* *ERROR*. You have a direct connection between C1 and C2.
>
> There is no routing between C1 and C2, so your firewall never sees the traffic
> between the 2.
>
> Put C1 and C2 on two seperate physical networks and connect them through
> firewall to get routing to happen, then you can use iptables to do NATing
> between them.
>
> Else put two interfaces into your firewall, give each interface an ip address
> in the same subnet, configure bridging between the two, put C1 on the end of
> one interface and C2 on the other if, then look into ebtables.

Else always route to the gateway. As in...

@client:
* uncofigure the main interface
* redo it with `ip a a 192.168.2.100/32 peer 192.168.2.1`
(the server keeps using 192.168.2.1/24)

(assuming 192.168.1.100 <-> 192.168.1.1/192.168.2.1 <-> 192.168.2.100)


Jan
-- 

Re: DNAT and local hosts

[Pascal Hambourg]

Hello,

Pieter De Wit a écrit :
>  
> C1 --.
>      |
>      |-FW--- internet
>      |
> C2 --'
> 
> Ok - for this email, I will give C1 192.168.0.10 and C2 192.168.0.11.
> The Firewall (FW) has two ethernet connections, eth0 and eth1. eth1 is
> used to an adsl modem in bridged mode, which creates ppp0. Lets say for
> this email, ppp0 get 1.2.3.4.
> 
> Now, all connections are routed out via FW:ppp0 and at NAT'ed. There is
> a rule that allows connections to ppp0 on port 1234 and DNAT's them to
> C1. When C2 makes a connection to 1.2.3.4:1234 it fails with "Connection
> refused" since there is no "server" listening on the firewall's
> ppp0,port 1234.
> 
> How can I solve this ? I need FW to DNAT "local/C2" connections back to
> C1.

Here is the FGA (Frequently Given Answer) to your FAQ (Frequently Asked 
Question).

1) NAT the incoming connections on the LAN interface based on the 
destination address and port. If ppp0 gets a different address at each 
PPP session, this rule must be created at the beginning (and deleted at 
the end) of the PPP session, for instance using the /etc/ppp/ip-up and 
/etc/ppp/ip-down scripts :

iptables -t nat PREROUTING -i eth0 -d 1.2.3.4 -p tcp --dport 1234 \
   -j DNAT --to-destination 192.168.0.10

2) Allow forwarded traffic from LAN to LAN, if blocked by default :

iptables -A FORWARD -i eth0 -o eth0 -j ACCEPT

3) NAT or MASQUERADE the source address of the redirected connections, 
so the replies from C1 are routed back to the firewall and can be 
properly un-DNATed before they reach C2 :

iptables -t nat POSTROUTING -o eth0 -d 192.168.0.10 \
   -p tcp --dport 1234 -j SNAT --to-source <eth0_address>

or :

iptables -t nat POSTROUTING -o eth0 -d 192.168.0.10 \
   -p tcp --dport 1234 -j MASQUERADE

Note that if C2 runs Linux too, an alternative is to create a single 
DNAT rule on it in order to divert locally generated traffic sent to 
1.2.3.4:1234 :

iptables -t nat OUTPUT -d 1.2.3.4 -p tcp --dport 1234 \
   -j DNAT --to-destination 192.168.0.10

Note : there is no INPUT chain in the 'nat' table because it is 
traversed after the routing decision, so it is too late to change the 
destination.

Re: DNAT and local hosts

[Pascal Hambourg]

Pascal Hambourg a écrit :
> 
> 3) NAT or MASQUERADE the source address of the redirected connections, 
> so the replies from C1 are routed back to the firewall and can be 
> properly un-DNATed before they reach C2 :
> 
> iptables -t nat POSTROUTING -o eth0 -d 192.168.0.10 \
>   -p tcp --dport 1234 -j SNAT --to-source <eth0_address>

Oops, I forgot "-s 192.168.0.0/24" in order to avoid hiding 
unnecessarily the source address of external connections to C2.

> or :
> 
> iptables -t nat POSTROUTING -o eth0 -d 192.168.0.10 \
>   -p tcp --dport 1234 -j MASQUERADE

Same here.

DNAT and local hosts

[Pieter De Wit]

Hello Guys,
 
I have the following setup:
 
C1 --.
     |
     |-FW--- internet
     |
C2 --'

Ok - for this email, I will give C1 192.168.0.10 and C2 192.168.0.11.
The Firewall (FW) has two ethernet connections, eth0 and eth1. eth1 is
used to an adsl modem in bridged mode, which creates ppp0. Lets say for
this email, ppp0 get 1.2.3.4.

Now, all connections are routed out via FW:ppp0 and at NAT'ed. There is
a rule that allows connections to ppp0 on port 1234 and DNAT's them to
C1. When C2 makes a connection to 1.2.3.4:1234 it fails with "Connection
refused" since there is no "server" listening on the firewall's
ppp0,port 1234.

How can I solve this ? I need FW to DNAT "local/C2" connections back to
C1.

Thanks,

Pieter
“This e-mail is sent on the Terms and Conditions that can be accessed by Clicking on this link http://www.vodacom.co.za/legal/email.jsp "

DNAT and local hosts

[Pieter De Wit]

Hello Guys,
 
I have the following setup:
 
C1 --.
     |
     |-FW--- internet
     |
C2 --'

Ok - for this email, I will give C1 192.168.0.10 and C2 192.168.0.11.
The Firewall (FW) has two ethernet connections, eth0 and eth1. eth1 is
used to an adsl modem in bridged mode, which creates ppp0. Lets say for
this email, ppp0 get 1.2.3.4.

Now, all connections are routed out via FW:ppp0 and at NAT'ed. There is
a rule that allows connections to ppp0 on port 1234 and DNAT's them to
C1. When C2 makes a connection to 1.2.3.4:1234 it fails with "Connection
refused" since there is no "server" listening on the firewall's
ppp0,port 1234.

How can I solve this ? I need FW to DNAT "local/C2" connections back to
C1.

Thanks,

Pieter
“This e-mail is sent on the Terms and Conditions that can be accessed by Clicking on this link http://www.vodacom.co.za/legal/email.jsp "