* [LARTC] port forwarding to different servers with nat
From: Ben @ 2003-09-04 17:05 UTC (permalink / raw)
To: lartc
Hey guys, here's a basic problem I cannot seem to figure out. I've got a
box doing NAT for some servers and masquarading for a bunch of other
desktops. The way I have it working, I need to the give my NAT box one
IP number for the masquarding, and then one additional IP number for each
server it NATs for. That's a waste; I'd like to give the NAT box one IP
for all servers, and then forward to the correct server based on port.
(Yes, that implies none of the servers can run services on the same port,
and I'm fine with that.)
It seems like this should be a pretty common scenario, but I haven't been
able to get it working and I haven't seen any examples online. I'm sure
*somebody* has it working.... would that person please share the wealth?
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
* Re: [LARTC] port forwarding to different servers with nat
From: Lawrence MacIntyre @ 2003-09-04 17:16 UTC (permalink / raw)
To: lartc
So for example, you want one machine (call it fred) to have a web server
on port 80, and another (call it wilma) to have a web server on port
8080?
Simply forward port 80 to fred:80 and port 8080 to wilma:80.
Alternately, you can run wilma's webserver on port 8080 and forward port
8080 to wilma:8080.
On Thu, 2003-09-04 at 13:05, Ben wrote:
> Hey guys, here's a basic problem I cannot seem to figure out. I've got a
> box doing NAT for some servers and masquerading for a bunch of other
> desktops. The way I have it working, I need to give my NAT box one
> IP number for the masquerading, and then one additional IP number for each
> server it NATs for. That's a waste; I'd like to give the NAT box one IP
> for all servers, and then forward to the correct server based on port.
> (Yes, that implies none of the servers can run services on the same port,
> and I'm fine with that.)
>
> It seems like this should be a pretty common scenario, but I haven't been
> able to get it working and I haven't seen any examples online. I'm sure
> *somebody* has it working.... would that person please share the wealth?
* Re: [LARTC] port forwarding to different servers with nat
From: Ben @ 2003-09-04 17:28 UTC (permalink / raw)
To: lartc
Okay. So let's say it's fred and wilma, sharing the external dns name
"external". So I would forward to fred and wilma like so:
iptables -t nat -A PREROUTING -d external -p tcp --dport 80 -j DNAT --to fred
iptables -t nat -A PREROUTING -d external -p tcp --dport 8080 -j DNAT --to wilma
That makes sense to me. But how do the return packets get rewritten?
iptables -t nat -A POSTROUTING -s wilma -j SNAT --to external
iptables -t nat -A POSTROUTING -s fred -j SNAT --to external
...seems wrong. Or does it work just fine? (I can't test it right now,
unfortunately....)
On Thu, 4 Sep 2003, Lawrence MacIntyre wrote:
> So for example, you want one machine (call it fred) to have a web server
> on port 80, and another (call it wilma) to have a web server on port
> 8080?
>
> Simply forward port 80 to fred:80 and port 8080 to wilma:80.
> Alternately, you can run wilma's webserver on port 8080 and forward port
> 8080 to wilma:8080.
>
> On Thu, 2003-09-04 at 13:05, Ben wrote:
> > Hey guys, here's a basic problem I cannot seem to figure out. I've got a
> > box doing NAT for some servers and masquerading for a bunch of other
> > desktops. The way I have it working, I need to give my NAT box one
> > IP number for the masquerading, and then one additional IP number for each
> > server it NATs for. That's a waste; I'd like to give the NAT box one IP
> > for all servers, and then forward to the correct server based on port.
> > (Yes, that implies none of the servers can run services on the same port,
> > and I'm fine with that.)
> >
> > It seems like this should be a pretty common scenario, but I haven't been
> > able to get it working and I haven't seen any examples online. I'm sure
> > *somebody* has it working.... would that person please share the wealth?
* Re: [LARTC] port forwarding to different servers with nat
From: trepo @ 2003-09-04 22:35 UTC (permalink / raw)
To: lartc
If you are in control of the clients accessing the servers, then
Lawrence MacIntyre <lpz@ornl.gov> is right... otherwise not. The
clients --unless configured otherwise-- will always look for the requested
services on the standard ports (i.e. http on port 80), so if you have
multiple servers running the same service, you are out of luck. The router
doing DNAT has no way of telling which server it has to forward to, as all
requests come in with the same destination IP and the same port.
The case with different services is easier to solve: you set up your
iptables rulesets to forward the service ports to the appropriate machine.
iptables -t nat -A PREROUTING -p tcp --dport {service-port} -j DNAT --to {server-ip:port}
You may replace 'tcp' with 'udp', depending on the protocol used (see the
iptables manpage).
> But how do the return packets get rewritten?
>
> iptables -t nat -A POSTROUTING -s wilma -j SNAT --to external
> iptables -t nat -A POSTROUTING -s fred -j SNAT --to external
>
> ...seems wrong. Or does it work just fine? (I can't test it right now,
> unfortuantely....)
No, that's right. The return packets are sent to the requester's address,
which has never got rewritten along the way... (not at your box, at least
:) )
Please correct me if I'm wrong.
----------------------------------------------------------------
trepo@azet.sk
* Re: [LARTC] port forwarding to different servers with nat
From: Dancer Vesperman @ 2003-09-05 6:58 UTC (permalink / raw)
To: lartc
On Fri, 2003-09-05 at 03:28, Ben wrote:
> Okay. So let's say it's fred and wilma, sharing the external dns name
> "external". So I would forward to fred and wilma like so:
>
> iptables -t nat -A PREROUTING -d external -p tcp --dport 80 -j DNAT --to fred
> iptables -t nat -A PREROUTING -d external -p tcp --dport 8080 -j DNAT --to wilma
>
> That makes sense to me. But how do the return packets get rewritten?
It just works, so long as the packets are traversing the same path to
get back to the originating peer.
A <-> B <-> C
B DNATs packets to C. As long as the returning packets from C pass back
through B to A, it all works. If routes exist such that C can
communicate with A without passing through B, then it all falls down.
> On Thu, 4 Sep 2003, Lawrence MacIntyre wrote:
>
> > So for example, you want one machine (call it fred) to have a web server
> > on port 80, and another (call it wilma) to have a web server on port
> > 8080?
> >
> > Simply forward port 80 to fred:80 and port 8080 to wilma:80.
> > Alternately, you can run wilma's webserver on port 8080 and forward port
> > 8080 to wilma:8080.
> >
> > On Thu, 2003-09-04 at 13:05, Ben wrote:
> > > Hey guys, here's a basic problem I cannot seem to figure out. I've got a
> > > box doing NAT for some servers and masquerading for a bunch of other
> > > desktops. The way I have it working, I need to give my NAT box one
> > > IP number for the masquerading, and then one additional IP number for each
> > > server it NATs for. That's a waste; I'd like to give the NAT box one IP
> > > for all servers, and then forward to the correct server based on port.
> > > (Yes, that implies none of the servers can run services on the same port,
> > > and I'm fine with that.)
> > >
> > > It seems like this should be a pretty common scenario, but I haven't been
> > > able to get it working and I haven't seen any examples online. I'm sure
> > > *somebody* has it working.... would that person please share the wealth?
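Added illustration, not code from the thread: a small Python model of the question Ben raises at 17:28 (how do the return packets get rewritten?) and the answer Dancer gives above. The NAT box records each DNATed flow in a conntrack-style table and uses that entry to put its own public address back on the reply, so no SNAT rule is needed; setting reply_via_box=False models the case where C can reach A without passing through B. All addresses are made-up placeholders.

```python
from dataclasses import dataclass

# Constructed placeholder addresses, not from the thread.
EXTERNAL = "203.0.113.10"                    # the NAT box's one public address
FRED, WILMA = "192.168.1.10", "192.168.1.20" # the two web servers behind it

# Ben's two PREROUTING rules as a dport -> (server, port) map.
DNAT_RULES = {80: (FRED, 80), 8080: (WILMA, 80)}

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class NatBox:
    """Box B: DNATs on the way in, reverses the mapping on the way out."""
    def __init__(self, rules):
        self.rules = rules
        self.conntrack = {}  # (client, cport, server, sport) -> original dport

    def inbound(self, pkt):
        """PREROUTING: rewrite dst per the rule for dport, record the flow."""
        if pkt.dst != EXTERNAL or pkt.dport not in self.rules:
            return pkt  # not a forwarded port: leave it alone
        server, sport = self.rules[pkt.dport]
        self.conntrack[(pkt.src, pkt.sport, server, sport)] = pkt.dport
        return Packet(pkt.src, pkt.sport, server, sport)

    def outbound(self, pkt):
        """Reply path: conntrack restores the public address; no SNAT rule needed."""
        orig_dport = self.conntrack.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if orig_dport is None:
            return pkt
        return Packet(EXTERNAL, orig_dport, pkt.dst, pkt.dport)

def client_accepts(sent, reply):
    """A client only matches a reply that comes from the src/port it sent to."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == \
           (sent.dst, sent.dport, sent.src, sent.sport)

def round_trip(box, request, reply_via_box=True):
    """A -> B -> C and back; reply_via_box=False models C reaching A directly."""
    at_server = box.inbound(request)
    reply = Packet(at_server.dst, at_server.dport, at_server.src, at_server.sport)
    if reply_via_box:
        reply = box.outbound(reply)
    return at_server, reply, client_accepts(request, reply)
```

In the bypass case the reply arrives at the client with wilma's address as its source, which matches no connection the client opened, which is the failure Dancer describes.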
* Re: [LARTC] port forwarding to different servers with nat
From: Lawrence MacIntyre @ 2003-09-05 13:50 UTC (permalink / raw)
To: lartc
Trepo:
If you will read my post again, you will note that one webserver is
reachable via the normal port 80, and the other by the less-normal port
8080. Some services work well this way, http and ssh are good
examples.
On Thu, 2003-09-04 at 18:35, trepo wrote:
> If you are in control of the clients accessing the servers, then
> Lawrence MacIntyre <lpz@ornl.gov> is right... otherwise not. The
> clients --unless configured otherwise-- will always look for the requested
> services on the standard ports (i.e. http on port 80), so if you have
> multiple servers running the same service, you are out of luck. The router
> doing DNAT has no way of telling which server it has to forward to, as all
> requests come in with the same destination IP and the same port.
>
> The case with different services is easier to solve: you set up your
> iptables rulesets to forward the service ports to the appropriate machine.
>
> iptables -t nat -A PREROUTING -p tcp --dport {service-port} -j DNAT --to {server-ip:port}
>
> You may replace 'tcp' with 'udp', depending on the protocol used (see the
> iptables manpage).
>
> > But how do the return packets get rewritten?
> >
> > iptables -t nat -A POSTROUTING -s wilma -j SNAT --to external
> > iptables -t nat -A POSTROUTING -s fred -j SNAT --to external
> >
> > ...seems wrong. Or does it work just fine? (I can't test it right now,
> > unfortunately....)
>
> No, that's right. The return packets are sent to the requester's address,
> which has never got rewritten along the way... (not at your box, at least
> :) )
>
> Please correct me if I'm wrong.
> ----------------------------------------------------------------
> trepo@azet.sk