Linux Netfilter discussions
From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
To: Mail List - Netfilter <netfilter@vger.kernel.org>
Subject: Re: Altering firewall rules to enable NAT Reflection
Date: Sat, 08 Nov 2008 12:21:13 +0100	[thread overview]
Message-ID: <49157629.2020104@plouf.fr.eu.org> (raw)
In-Reply-To: <49149060.70100@riverviewtech.net>

Hello,

Grant Taylor wrote:
> 
> What you want to do is have a very similar rule to DNAT any outbound 
> traffic (coming in the internal interface to go out the external 
> interface) that is destined to the IP and / or port of the service 
> DNATed over to the internal IP / port as well.  I.e.
> 
>    iptables -t nat -A PREROUTING -i eth1 -d $PUBLIC_IP -p tcp --dport 443 -j DNAT --to-destination $PRIVATE_IP

And make sure that traffic forwarded from eth1 to eth1 is ACCEPTed in 
the filter/FORWARD chain.

> Now to prevent what I call a "TCP Triangle" you will need to SNAT the 
> internal traffic that is being redirected back to the $PRIVATE_IP so 
> that replies pass back through the router and back to the original 
> client rather than the $PRIVATE_IP replying directly to the original 
> client.  (See 'Julian's TCP Triangle' page 
> "http://jengelh.medozas.de/images/dnat-mistake.png" for a diagram.)
> 
>    iptables -t nat -A POSTROUTING -o eth1 -s $PRIVATE_LAN/$NM -d $PRIVATE_IP -j MASQUERADE
> 
> Note:  You can use either the MASQUERADE or SNAT target depending on 
> your preferences or whatever is compiled into your kernel.  I chose 
> MASQUERADE so I did not have to take your router's internal IP into 
> account in the rule(s) above.

Note both SNAT and MASQUERADE hide the real source address from the 
server, which may be annoying for logging or access control purposes. 
Source NAT is not required to avoid the "routing triangle" if the server 
itself can route the return traffic to the NAT router. This can be 
achieved with advanced routing on Linux. Alternatively, the router may 
use the NETMAP target instead of SNAT or MASQUERADE to do a 1-to-1 
mapping of the source address range into another range, so the original 
source address can be retrieved.
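The complete hairpin (NAT reflection) rule set the two replies describe, assembled here as an added example rather than code posted by either author: Grant's DNAT and MASQUERADE rules, the eth1-to-eth1 FORWARD accept, and the NETMAP variant as the alternative to MASQUERADE. The interface names, the addresses and the 10.99.1.0/24 mapping range are constructed placeholders, and the NETMAP variant assumes the server has a route for that range pointing at the router.

```shell
#!/bin/sh
# Hairpin NAT for LAN clients that connect to the public address of a
# service DNATed to an internal host. All values below are constructed.
EXT_IF=eth0                 # Internet-facing interface (assumed name)
INT_IF=eth1                 # LAN interface, as in the thread
PUBLIC_IP=203.0.113.10      # constructed public address of the router
PRIVATE_IP=192.168.1.10     # internal server
PRIVATE_LAN=192.168.1.0/24  # internal client range
NETMAP_LAN=10.99.1.0/24     # unused range the LAN is mapped 1:1 into (NETMAP mode)

# Every rule passes through ipt so the script can be dry-run: DRY_RUN=1
# (the default) prints the iptables commands instead of applying them.
ipt() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

# $1 selects how replies are forced back through the router:
# "masquerade" (hides the client address) or "netmap" (1:1 mapping, so the
# server still sees one distinct address per client for logging / ACLs).
hairpin_rules() {
    mode=${1:-netmap}
    # 1. Redirect LAN clients hitting the public IP to the internal server.
    ipt -t nat -A PREROUTING -i "$INT_IF" -s "$PRIVATE_LAN" -d "$PUBLIC_IP" \
        -p tcp --dport 443 -j DNAT --to-destination "$PRIVATE_IP"
    # 2. The hairpinned flow enters and leaves on the LAN interface, so the
    #    filter/FORWARD chain must accept eth1 -> eth1 traffic explicitly.
    ipt -A FORWARD -i "$INT_IF" -o "$INT_IF" -d "$PRIVATE_IP" -p tcp --dport 443 -j ACCEPT
    ipt -A FORWARD -i "$INT_IF" -o "$INT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 3. Source NAT only the hairpinned flows (-d restricts it to the server),
    #    so the server replies to the router instead of directly to the client.
    case "$mode" in
    masquerade)
        ipt -t nat -A POSTROUTING -o "$INT_IF" -s "$PRIVATE_LAN" -d "$PRIVATE_IP" -j MASQUERADE ;;
    netmap)
        # 192.168.1.x becomes 10.99.1.x; conntrack reverses it on the way back.
        ipt -t nat -A POSTROUTING -o "$INT_IF" -s "$PRIVATE_LAN" -d "$PRIVATE_IP" \
            -j NETMAP --to "$NETMAP_LAN" ;;
    *)
        echo "unknown mode: $mode (use masquerade or netmap)" >&2; return 1 ;;
    esac
}

hairpin_rules "${1:-netmap}"
```

Run it as `DRY_RUN=0 sh hairpin.sh masquerade` (or `netmap`) as root to apply the rules; without `DRY_RUN=0` it only prints them for review.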
