* Redirect back to internal network
@ 2008-11-07 17:06 Henrique Netfilter
2008-11-07 19:02 ` Grant Taylor
2008-11-07 21:12 ` Grant Taylor
0 siblings, 2 replies; 5+ messages in thread
From: Henrique Netfilter @ 2008-11-07 17:06 UTC (permalink / raw)
To: netfilter
Good afternoon,
I'm trying to redirect connections to an external address back to an
internal address, like this:
A = Any internal machine (192.168.X.X)
B = Internal Server (192.168.X.4)
C = Firewall Internal Address (192.168.X.1)
D = Firewall External Address (10.X.X.1)
E = Router Internal Address (10.X.X.10)
F = Router Internet Address (YYY.YY.Y.YY)
A =================> | |
| |
| C D |
----------------------------------- | E F |
B <================= | |
| |
I want, when machine A asks for port 80 on F, the firewall (iptables)
C/D to redirect it back to B (access must not be done using a proxy).
Here's what I've tried:
-A PREROUTING -s 192.168.X.X -d YYY.YY.Y.YY -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.X.4
Checked tcpdump, and here's what I've got:
IP 192.168.X.X.1365 > 192.168.X.4.80
IP 10.X.X.1.4972 > 192.168.X.4.80
IP 192.168.X.4.80 > 10.X.X.1.4972
Apparently it did work. But once my web server answers, the answer is
not sent back to the machines in my internal network.
Can anyone shed some light on it?
Thank you
Henrique
* Re: Redirect back to internal network
2008-11-07 17:06 Redirect back to internal network Henrique Netfilter
@ 2008-11-07 19:02 ` Grant Taylor
2008-11-07 20:02 ` Henrique Netfilter
2008-11-07 21:12 ` Grant Taylor
1 sibling, 1 reply; 5+ messages in thread
From: Grant Taylor @ 2008-11-07 19:02 UTC (permalink / raw)
To: Mail List - Netfilter
On 11/07/08 11:06, Henrique Netfilter wrote:
> I'm trying to redirect connections to an external address back to an
> internal address, like this:
(Without having read the rest of your message...)
Look for the reply I just made to Simon's message with the subject
"Altering firewall rules to enable NAT Reflection". I think that will
help you.
Grant. . . .
* Re: Redirect back to internal network
2008-11-07 19:02 ` Grant Taylor
@ 2008-11-07 20:02 ` Henrique Netfilter
2008-11-07 20:51 ` Grant Taylor
0 siblings, 1 reply; 5+ messages in thread
From: Henrique Netfilter @ 2008-11-07 20:02 UTC (permalink / raw)
To: Grant Taylor; +Cc: Mail List - Netfilter
Thanks Grant.
It actually worked, but only when I also added my PREROUTING DNAT rule.
So the final solution is like this:
iptables -t nat -I PREROUTING -i <internal_network_interface> -d <Internet_Address> -j DNAT --to <Internal_Server_Address>
iptables -t nat -I POSTROUTING -o <internal_network_interface> -s <LAN_address> -d <Internal_Server_Address> -j SNAT --to <internal_network_IP>
Thanks once again.
2008/11/7 Grant Taylor <gtaylor@riverviewtech.net>:
> On 11/07/08 11:06, Henrique Netfilter wrote:
>>
>> I'm trying to redirect connections to an external address back to an
>> internal address, like this:
>
> (Without having read the rest of your message...)
>
> Look for the reply I just made to Simon's message with the subject "Altering
> firewall rules to enable NAT Reflection". I think that will help you.
>
>
>
> Grant. . . .
* Re: Redirect back to internal network
2008-11-07 20:02 ` Henrique Netfilter
@ 2008-11-07 20:51 ` Grant Taylor
0 siblings, 0 replies; 5+ messages in thread
From: Grant Taylor @ 2008-11-07 20:51 UTC (permalink / raw)
To: Mail List - Netfilter
On 11/07/08 14:02, Henrique Netfilter wrote:
> It actually worked, but only when I also added my PREROUTING DNAT
> rule. So the final solution is like this:
*nod*
You have to have both the PREROUTING rule to DNAT the traffic to the new
destination /and/ the POSTROUTING rule to cause the destination to send
the reply traffic back through your router.
> iptables -t nat -I PREROUTING -i <internal_network_interface> -d <Internet_Address> -j DNAT --to <Internal_Server_Address>
>
> iptables -t nat -I POSTROUTING -o <internal_network_interface> -s <LAN_address> -d <Internal_Server_Address> -j SNAT --to <internal_network_IP>
>
> Thanks once again.
You are welcome.
I'm glad that it worked the way that you needed it to. :)
Grant. . . .
* Re: Redirect back to internal network
2008-11-07 17:06 Redirect back to internal network Henrique Netfilter
2008-11-07 19:02 ` Grant Taylor
@ 2008-11-07 21:12 ` Grant Taylor
1 sibling, 0 replies; 5+ messages in thread
From: Grant Taylor @ 2008-11-07 21:12 UTC (permalink / raw)
To: Mail List - Netfilter
On 11/07/08 11:06, Henrique Netfilter wrote:
> Apparently it did work. But once my web server answers, the answer is
> not sent back to the machines in my internal network.
>
> Anyone that can give me some light into it?
Now that things are working, I'll explain why it was not working before.
lan.C is the internal IP of the LAN client.
lan.R is the internal IP of the router.
www.R is the external IP of the router.
www.S is the external IP of the server.
lan.S is the internal IP of the server.
The client sends the request packet with a source IP of 'lan.C' and a
destination IP of 'www.S'.
The router receives the packet with a source IP of 'lan.C' and a
destination IP of 'www.S'. The router knows that any traffic going to
'www.S' (port 80) is to be redirected to the internal server 'lan.S'.
So the router NATs the destination address and sends a new packet with a
source IP of 'lan.C' and a destination IP of 'lan.S'.
The server receives the packet with a source IP of 'lan.C' and a
destination IP of 'lan.S'. The server will process the request and
reply with a new packet. The server sends a new packet back to the
client with a source address of 'lan.S' and a destination IP of 'lan.C'.
The client receives a reply packet with a source IP of 'lan.S' and a
destination IP of 'lan.C'. This reply packet does not match any packet
that the client knows about, so it disregards it (it may also tell the
server to reset the connection).
This is the simple premise of what I refer to as the "TCP Triangle".
You can see from the above and the rules in my other email that the
router will have to SNAT / MASQUERADE any traffic /from the lan/ that is
being redirected to the server. This way the server will reply back to
the router which will then reply back to the client.
A short packet flow will look like this:
lan.C -> www.S # Client sends the request
lan.C -> lan.S # Router DNAT's the request
lan.R -> lan.S # Router SNAT's the request
lan.R -> lan.S # Server receives the request
lan.S -> lan.R # Server sends the reply
lan.S -> lan.C # Router (un)DNAT's the reply
www.S -> lan.C # Router (un)SNAT's the reply
www.S -> lan.C # Client receives the reply
Grant. . . .
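The complete rule set for the setup the thread arrives at, as an added example (not code from Henrique's "final solution" message or from Grant's reply): it is the same PREROUTING DNAT plus POSTROUTING SNAT pair, narrowed to TCP port 80 and to connections that were actually DNATed, with the FORWARD rules the hairpinned flow also needs so that the packet walk Grant lays out above (lan.C -> www.S, DNAT, SNAT, reply back through lan.R) survives a FORWARD policy of DROP. The interface and address values (eth1, 192.168.1.0/24, 192.168.1.1, 192.168.1.4, 203.0.113.10) are assumptions standing in for the thread's X/Y placeholders.

```shell
#!/bin/sh
# Hairpin ("reflection") NAT for the topology in this thread: LAN clients
# that connect to the public address F reach the internal server B, and
# the firewall C/D keeps both legs of the "TCP triangle" on one conntrack
# entry. Added example, not code posted in the thread.
#
# Every value below is an assumption in place of the thread's placeholders;
# override them in the environment. IPT defaults to "echo iptables" so the
# script only prints the rules; run with IPT=iptables (as root) to apply them.

LAN_IF="${LAN_IF:-eth1}"                  # internal interface of the firewall
LAN_NET="${LAN_NET:-192.168.1.0/24}"      # A: the LAN (192.168.X.X in the thread)
FW_LAN_IP="${FW_LAN_IP:-192.168.1.1}"     # C: firewall internal address
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"    # F: public address (documentation range)
SERVER_IP="${SERVER_IP:-192.168.1.4}"     # B: internal server
SERVER_PORT="${SERVER_PORT:-80}"
IPT="${IPT:-echo iptables}"

hairpin_nat_rules() {
    # 1. PREROUTING/DNAT: a LAN client talking to F:80 is steered to B.
    #    Matching -i, -s, -p and --dport keeps this narrower than the rule
    #    posted in the thread, which reflects every protocol and port aimed
    #    at the public address onto the server.
    $IPT -t nat -I PREROUTING -i "$LAN_IF" -s "$LAN_NET" -d "$PUBLIC_IP" \
        -p tcp --dport "$SERVER_PORT" -j DNAT --to-destination "$SERVER_IP"

    # 2. POSTROUTING/SNAT: the same flow leaves on the LAN interface with
    #    the firewall's LAN address as source, so B replies to C instead of
    #    straight to the client. The reply then hits the conntrack entry and
    #    is un-SNATed and un-DNATed back to "F:80 -> client". The DNAT
    #    ctstate is a virtual state that only matches translated connections,
    #    so ordinary LAN traffic to B is left alone. -I puts the rule ahead
    #    of any broad MASQUERADE rule already in POSTROUTING.
    $IPT -t nat -I POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$SERVER_IP" \
        -p tcp --dport "$SERVER_PORT" -m conntrack --ctstate DNAT \
        -j SNAT --to-source "$FW_LAN_IP"

    # 3. FORWARD: the reflected flow enters and leaves on the same interface.
    #    Accept the first packet explicitly; a FORWARD policy of DROP would
    #    otherwise kill the connection even though both nat rules matched.
    $IPT -I FORWARD -i "$LAN_IF" -o "$LAN_IF" -d "$SERVER_IP" \
        -p tcp --dport "$SERVER_PORT" -m conntrack --ctstate NEW -j ACCEPT
    # Replies ride the tracked connection; keep this if FORWARD does not
    # already have a generic ESTABLISHED,RELATED rule.
    $IPT -I FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Print (or, with IPT=iptables, install) the four rules.
hairpin_nat_rules
```

The firewall must already be forwarding (net.ipv4.ip_forward=1), which it is if it is the LAN's default gateway. With conntrack-tools installed, `conntrack -L --dst-nat` shows the resulting entry with the original tuple (client -> F:80) on one side and the reply tuple (B:80 -> C) on the other; if only the DNAT rule is present the entry still appears, but a tcpdump on the LAN interface shows B answering the client directly from its own address, which is exactly the reply the client discards in the walk-through above.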