From: Andrew Beverley <andy@andybev.com>
To: mabra@manfbraun.de
Cc: netfilter@vger.kernel.org
Subject: Re: IPTABLES:Let external address appear as an internal address
Date: Fri, 31 Aug 2012 18:36:19 +0100
Message-ID: <1346434579.2200.4.camel@andylaptop>
In-Reply-To: <!&!AAAAAAAAAAAYAAAAAAAAAOosgHnoPqdNlUO2DUrQ/DfCgAAAEAAAACcGGLxSfBNPu0OwD65yae8BAAAAAA==@manfbraun.de>
On Fri, 2012-08-31 at 13:11 +0200, mabra@manfbraun.de wrote:
> [using debian squeeze, iptables, monit monitoring program].
> [eth1: internet==$EXTIF, eth0: local==$INTIF]
> [192.168.6.254 is the LAN port of the firewall at eth0]
>
> The problem is this: The monit daemon is configured to accept
> packets on the internal address only and I think, this is right.
> Usually nearly nothing internal should accept packets from outside.
> The daemon cannot be bound to a specific interface, but just by
> ip address and mask. Internally, everything works fine [http requests
> from inside 192.168.26.0/24 are working]. To allow redirecting packets
> from outside to this daemon, I wrote these two filters, where the
> incoming external traffic should use port 9995:
>
> $IPTABLES -t nat -A PREROUTING -p tcp -d $EXTADDR --dport 9995 \
> -j DNAT --to-destination 192.168.6.254:2812
>
> $IPTABLES -t nat -A POSTROUTING -p tcp -d 192.168.6.254 --dport 2812 \
> -j SNAT --to-source 192.168.6.254:3000
>
> The daemon gets accessed, but denies the request, because the
> source address it sees is not from the LAN, but the external client ip address.
> So my SNAT does not seem to work.
I may have misunderstood, in which case a diagram would be useful, but
is the monit daemon on the same machine as the iptables rules? If so,
SNAT will have no effect, as it only works on the POSTROUTING table (as
packets leave the machine). It will therefore have no effect on packets
to be processed on the local machine.
Off the top of my head, I'm not sure of the solution you could use. You
might want to look at the IFB interface to see if that can be used in
any way.
Andy
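The chain order Andy is describing, as an added toy model in Python (not code from the thread, from monit, or from netfilter; it runs offline and models only the nat table's built-in chains and the routing decision). The addresses are constructed from documentation ranges, the monit access check is modelled as an "allow 192.168.6.0/24" rule, and the nat INPUT chain used in the second rule set is an assumption about newer kernels: it was added around Linux 2.6.34 for SNAT of locally delivered packets, so it is not available on squeeze's stock 2.6.32 kernel. The third rule set shows the contrast where the DNAT target is another LAN host, so the packet is forwarded and does reach POSTROUTING.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed addresses (documentation ranges), not from the thread.
EXTADDR = "203.0.113.10"        # firewall's Internet-facing address ($EXTADDR)
CLIENT = "198.51.100.7"         # external client
FW_LAN = "192.168.6.254"        # firewall's LAN address, where monit listens
LAN_HOST = "192.168.6.10"       # a separate LAN host, for the forwarded contrast
LAN_NET = ip_network("192.168.6.0/24")
LOCAL_ADDRS = {EXTADDR, FW_LAN}  # addresses owned by the firewall itself


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    chain: str                  # nat chain: PREROUTING, INPUT or POSTROUTING
    match: Dict[str, object]    # packet field -> required value
    target: str                 # "DNAT" or "SNAT"
    to_addr: str
    to_port: Optional[int] = None


def _matches(rule: Rule, pkt: Packet) -> bool:
    return all(getattr(pkt, k) == v for k, v in rule.match.items())


def _run_chain(chain: str, rules: List[Rule], pkt: Packet, trace: List[str]) -> Packet:
    trace.append(chain)
    for r in rules:
        if r.chain == chain and _matches(r, pkt):
            if r.target == "DNAT":
                pkt = replace(pkt, dst=r.to_addr, dport=r.to_port or pkt.dport)
            else:
                pkt = replace(pkt, src=r.to_addr, sport=r.to_port or pkt.sport)
            trace.append(f"{chain}:{r.target}")
            break  # a nat chain stops at the first matching rule
    return pkt


def traverse(pkt: Packet, rules: List[Rule]) -> Tuple[Packet, List[str]]:
    """Walk an inbound packet through the nat chains in kernel order.

    nat PREROUTING runs before the routing decision, and the decision is
    made on the (possibly DNATed) destination.  A locally delivered packet
    goes to nat INPUT (kernels from about 2.6.34) and then to the socket;
    it never traverses POSTROUTING.  A forwarded packet does.
    """
    trace: List[str] = []
    pkt = _run_chain("PREROUTING", rules, pkt, trace)
    if pkt.dst in LOCAL_ADDRS:
        pkt = _run_chain("INPUT", rules, pkt, trace)
    else:
        pkt = _run_chain("POSTROUTING", rules, pkt, trace)
    return pkt, trace


def daemon_accepts(pkt: Packet) -> bool:
    """Model of monit's address-based allow rule, applied to the source it sees."""
    return ip_address(pkt.src) in LAN_NET


# The two rules from the post, as posted (SNAT placed in POSTROUTING).
POSTED_RULES = [
    Rule("PREROUTING", {"dst": EXTADDR, "dport": 9995}, "DNAT", FW_LAN, 2812),
    Rule("POSTROUTING", {"dst": FW_LAN, "dport": 2812}, "SNAT", FW_LAN, 3000),
]

# Same DNAT, SNAT moved to the nat INPUT chain (assumed newer kernel).
NAT_INPUT_RULES = [
    Rule("PREROUTING", {"dst": EXTADDR, "dport": 9995}, "DNAT", FW_LAN, 2812),
    Rule("INPUT", {"dst": FW_LAN, "dport": 2812}, "SNAT", FW_LAN, 3000),
]

# Forwarded contrast: DNAT to a separate LAN host, SNAT in POSTROUTING.
FORWARDED_RULES = [
    Rule("PREROUTING", {"dst": EXTADDR, "dport": 9995}, "DNAT", LAN_HOST, 2812),
    Rule("POSTROUTING", {"dst": LAN_HOST, "dport": 2812}, "SNAT", FW_LAN),
]


def scenario(rules: List[Rule]) -> Dict[str, object]:
    """Send one constructed external connection attempt through a rule set."""
    inbound = Packet(CLIENT, 51234, EXTADDR, 9995)
    final, trace = traverse(inbound, rules)
    return {"src_seen": final.src, "dst": final.dst, "dport": final.dport,
            "chains": trace, "accepted": daemon_accepts(final)}


if __name__ == "__main__":
    for name, rules in (("posted", POSTED_RULES), ("nat INPUT", NAT_INPUT_RULES),
                        ("forwarded", FORWARDED_RULES)):
        print(f"{name:10} {scenario(rules)}")
```

With the posted rules the trace is PREROUTING, PREROUTING:DNAT, INPUT: the routing decision sends the DNATed packet to the local socket, POSTROUTING is never visited and the daemon sees the real client address, which is exactly the failure in the post. Moving the SNAT into nat INPUT (where the kernel has that chain) changes what the daemon sees, but note what that buys: every Internet client then appears to monit as the firewall itself, so monit's address-based allow rule no longer restricts anything and its logs lose the real client address. The restriction has to live where the real source is still visible, for example a filter-table rule on port 9995 that limits which external sources may connect.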
Thread overview: 6+ messages
2012-08-31 11:11 IPTABLES:Let external address appear as an internal address mabra
2012-08-31 17:36 ` Andrew Beverley [this message]
2012-08-31 23:05 ` mabra
2012-09-01 15:14 ` Andrew Beverley
2012-09-02 11:48 ` mabra
2012-09-02 13:25 ` Andrew Beverley