Routing traffic between 2 iptables machines

Routing traffic between 2 iptables machines

[Sajesh Singh]

Iptables gurus,
               I have been trying to implement a solution using 2 iptables boxes as routers for traffic between two hosts on two different networks. I have four different machine that I would like to have traffic routed between:

Machine 1 - Client A  - IP : A.A.A.A
Machine 2 -  iptables Machine A  - IP: B.B.B.B (One interface only)
Machine 3 - iptables Macine B - IP: C.C.C.C (One interface only)
Machine 4 - Client B - IP: D.D.D.D

What I would like to accomplish is to have traffic from Client A route traffic through iptables Machine A which then sends the traffic to iptables Machine B when then forwards the traffic to Client B and the reverse as well. I would also like for the IP address of Client A to be visible to Client B.

I have tried various scenarios with PREROUTING (DNAT) and FORWARDING rules with  no success. The connection either seems to hang to or I get error stating no route to host. Also forwarding is enabled on each of the iptables machine. Below are the rules that I have tried to use:

Firewall rules from Machine 2 - Iptables Machine A
# Generated by iptables-save v1.4.12 on Fri Jun  1 12:26:55 2012
*nat
:PREROUTING ACCEPT [142418:19715843]
:INPUT ACCEPT [21:8744]
:OUTPUT ACCEPT [8437:405020]
:POSTROUTING ACCEPT [8439:405588]
-A PREROUTING -d D.D.D.D/32 -j DNAT --to-destination C.C.C.C
COMMIT
# Completed on Fri Jun  1 12:26:55 2012
# Generated by iptables-save v1.4.12 on Fri Jun  1 12:26:55 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [43:4084]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A FORWARD -d C.C.C.C/32 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Jun  1 12:26:55 2012


Firewall rules from Machine 3 - Iptables Machine B 
# Generated by iptables-save v1.4.12 on Fri Jun  1 12:27:51 2012
*nat
:PREROUTING ACCEPT [53576:4590151]
:INPUT ACCEPT [11:4620]
:OUTPUT ACCEPT [64:4512]
:POSTROUTING ACCEPT [65:5012]
-A PREROUTING -d A.A.A.A/32 -j DNAT --to-destination B.B.B.B 
COMMIT
# Completed on Fri Jun  1 12:27:51 2012
# Generated by iptables-save v1.4.12 on Fri Jun  1 12:27:51 2012
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [48:4544]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A FORWARD -d B.B.B.B/32 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Jun  1 12:27:51 2012 

Any help is appreciated.

Regards,

Sajesh 

Re: Routing traffic between 2 iptables machines

[Neal Murphy]

On Friday 01 June 2012 14:37:46 Sajesh Singh wrote:
> Iptables gurus,
>                I have been trying to implement a solution using 2 iptables
> boxes as routers for traffic between two hosts on two different networks.
> I have four different machine that I would like to have traffic routed
> between:
> 
> Machine 1 - Client A  - IP : A.A.A.A
> Machine 2 -  iptables Machine A  - IP: B.B.B.B (One interface only)
> Machine 3 - iptables Macine B - IP: C.C.C.C (One interface only)
> Machine 4 - Client B - IP: D.D.D.D
> 
> What I would like to accomplish is to have traffic from Client A route
> traffic through iptables Machine A which then sends the traffic to
> iptables Machine B when then forwards the traffic to Client B and the
> reverse as well. I would also like for the IP address of Client A to be
> visible to Client B.
> 
> I have tried various scenarios with PREROUTING (DNAT) and FORWARDING rules
> with  no success. The connection either seems to hang to or I get error
> stating no route to host. Also forwarding is enabled on each of the
> iptables machine. Below are the rules that I have tried to use:
> 
> Firewall rules from Machine 2 - Iptables Machine A
> # Generated by iptables-save v1.4.12 on Fri Jun  1 12:26:55 2012
> *nat
> 
> :PREROUTING ACCEPT [142418:19715843]
> :INPUT ACCEPT [21:8744]
> :OUTPUT ACCEPT [8437:405020]
> :POSTROUTING ACCEPT [8439:405588]
> 
> -A PREROUTING -d D.D.D.D/32 -j DNAT --to-destination C.C.C.C
> COMMIT
> # Completed on Fri Jun  1 12:26:55 2012
> # Generated by iptables-save v1.4.12 on Fri Jun  1 12:26:55 2012
> *filter
> 
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [43:4084]
> :RH-Firewall-1-INPUT - [0:0]
> 
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A FORWARD -d C.C.C.C/32 -j ACCEPT
> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j
> ACCEPT -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> # Completed on Fri Jun  1 12:26:55 2012
> 
> 
> Firewall rules from Machine 3 - Iptables Machine B
> # Generated by iptables-save v1.4.12 on Fri Jun  1 12:27:51 2012
> *nat
> 
> :PREROUTING ACCEPT [53576:4590151]
> :INPUT ACCEPT [11:4620]
> :OUTPUT ACCEPT [64:4512]
> :POSTROUTING ACCEPT [65:5012]
> 
> -A PREROUTING -d A.A.A.A/32 -j DNAT --to-destination B.B.B.B
> COMMIT
> # Completed on Fri Jun  1 12:27:51 2012
> # Generated by iptables-save v1.4.12 on Fri Jun  1 12:27:51 2012
> *filter
> 
> :INPUT DROP [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [48:4544]
> :RH-Firewall-1-INPUT - [0:0]
> 
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A FORWARD -d B.B.B.B/32 -j ACCEPT
> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j
> ACCEPT -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> # Completed on Fri Jun  1 12:27:51 2012

This isn't *really* a netfilter problem. Unless it's an 'academic' exercise.

If you must NAT, I believe you have to SNAT as well as DNAT. This will be very 
similar to what you would have to do if A.A.A.A and D.D.D.D are in the same 
address space (same LAN addresses).

The theory is that packets from A.A.A.A to D.D.D.D have to be changed to 
appear as though they come from B.B.B.B and are destined for C.C.C.C. In the 
reverse direction, packets to B.B.B.B have to be changed to appear as though 
they come from D.D.D.D and are addressed to A.A.A.A. Similar changes must be 
made for the other end. 

On host B.B.B.B for outgoing packets from A.A.A.A, you have to
  - SNAT A.A.A.A to B.B.B.B
  - DNAT D.D.D.D to C.C.C.C
and for incoming packets to A.A.A.A, you have to
  - SNAT C.C.C.C to D.D.D.D
  - DNAT B.B.B.B to A.A.A.A
and you have to forward ports of desired NEW packets to A.A.A.A.

On host C.C.C.C for outgoing packets from D.D.D.D, you have to
  - SNAT D.D.D.D to C.C.C.C
  - DNAT A.A.A.A to B.B.B.B
and for incoming packets to D.D.D.D, you have to
  - SNAT B.B.B.B to A.A.A.A
  - DNAT C.C.C.C to D.D.D.D
and you have to forward ports of desired NEW packets to D.D.D.D. This should 
allow communication between A.A.A.A and D.D.D.D.

I don't know how conntracking and other netfilter magic comes into play; some 
of this may be handled automatically for you.

Be aware this scheme won't properly handle packets for other nodes behind 
B.B.B.B and C.C.C.C unless B.B.B.B and C.C.C.C are IP addresses dedicated to 
communication between A.A.A.A and D.D.D.D. That is, if B.B.B.B is a secondary 
address to the primary address of, say, E.E.E.E, and C.C.C.C is a secondary 
address to the primary address of, say, F.F.F.F, then your NAT rules must 
apply only to A.A.A.A/D.D.D.D and D.D.D.D/A.A.A.A traffic on both ends; all 
other traffic must use the primary E.E.E.E and F.F.F.F addresses.

If you merely want A.A.A.A to be able to communicate with D.D.D.D and cannot 
acquire extra IP addresses, it would be far easier to do if you set up an 
IPSEC or OPENVPN tunnel (if encryption is needed) or a plain GRE or other 
tunnel (if encryption is not needed) between A.A.A.A and D.D.D.D (or between 
B.B.B.B and C.C.C.C if you use policy routing and/or netfilter rules to 
restrict traffic entering the tunnels to that between A.A.A.A and D.D.D.D).

Lucian Gheorghe's "Linux Firewall and QoS" (ISBN 1-904811-65-S, Packt 
Publishing) has a very good primer on this sort of thing. If you search, you 
can find a downloadable PDF. I found one, then bought a printed copy; I still 
think it's a very good reference even though it may be somewhat dated and is 
worth every penny I spent.

RE: Routing traffic between 2 iptables machines

[Sajesh Singh]

>>This isn't *really* a netfilter problem. Unless it's an 'academic' exercise.

Wouldn't say that it is a purely academic exercise as I try to ensure that traffic traverses the 2 machines running iptables to ensure that application that was developed using the netfilter queuing mechanism works as expected.

-Sajesh-