* I can't make forwarding
@ 2010-02-16 11:19 Patrick Chemla
2010-02-16 14:05 ` Patrick Chemla
2010-02-16 15:38 ` Mart Frauenlob
0 siblings, 2 replies; 5+ messages in thread
From: Patrick Chemla @ 2010-02-16 11:19 UTC (permalink / raw)
To: netfilter
Hi,
I have problems to setup a NAT router using iptables.
My NAT Router is running Fedora 11.
I have 2 interfaces, eth0 10.0.0.1 is internal, eth1 172.25.2.2 is external.
I have 10 external public addresses coming to the interface eth1 that I
want to forward to 10 internal computers on eth0.
When I try to ping or access an external web server from the NAT server
itself, it works very fine. I see on the remote server the external
address of the NAT router itself.
When I try to ping or wget an external web server from an internal
10.0.0.151 computer, using TCPDUMP both on the foreign server interface
and on the eth1 of the NAT router, I see that packets reach the
external server with the right IP 192.114.84.144, I see that the
external server send back something, but I can't get it back on the eth1
tcpdump.
Here is my iptables:
============
iptables -n -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
1664 208K ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * *
0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo *
0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * *
0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
Chain FORWARD (policy ACCEPT 3499 packets, 213K bytes)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT all -- eth0 eth1
10.0.0.151 192.114.84.144 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT all -- eth1 eth0
192.114.84.144 10.0.0.151 state NEW,RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
466 71467 ACCEPT all -- * *
0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * *
0.0.0.0/0 0.0.0.0/0
Here is my NAT table:
=============
iptables -n -t nat -L -v
Chain PREROUTING (policy ACCEPT 915 packets, 129K bytes)
pkts bytes target prot opt in out source
destination
0 0 DNAT tcp -- eth1 *
192.114.84.144 0.0.0.0/0 to:10.0.0.151
Chain POSTROUTING (policy ACCEPT 75 packets, 6372 bytes)
pkts bytes target prot opt in out source
destination
16 960 SNAT all -- * eth1
10.0.0.151 0.0.0.0/0 to:192.114.84.144
Chain OUTPUT (policy ACCEPT 36 packets, 3998 bytes)
pkts bytes target prot opt in out source
destination
I think I ACCEPT and FORWARD all, I have both SNAT and DNAT, but I
missed something.
Help will be welcome.
Patrick
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: I can't make forwarding
2010-02-16 11:19 I can't make forwarding Patrick Chemla
@ 2010-02-16 14:05 ` Patrick Chemla
2010-02-16 15:38 ` Mart Frauenlob
1 sibling, 0 replies; 5+ messages in thread
From: Patrick Chemla @ 2010-02-16 14:05 UTC (permalink / raw)
To: netfilter
Hi,
I tried more and doing this I can access to internet from a computer in
the local network:
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
But the computer is viewed with the NAT router external local IP.
I need to have internal computers viewed with a different IP external
address.
Patrick
Le 16/02/2010 13:19, Patrick Chemla a écrit :
> Hi,
>
> I have problems to setup a NAT router using iptables.
>
> My NAT Router is running Fedora 11.
>
> I have 2 interfaces, eth0 10.0.0.1 is internal, eth1 172.25.2.2 is
> external.
>
> I have 10 external public addresses coming to the interface eth1 that
> I want to forward to 10 internal computers on eth0.
>
> When I try to ping or access an external web server from the NAT
> server itself, it works very fine. I see on the remote server the
> external address of the NAT router itself.
> When I try to ping or wget an external web server from an internal
> 10.0.0.151 computer, using TCPDUMP both on the foreign server
> interface and on the eth1 of the NAT router, I see that packets reach
> the external server with the right IP 192.114.84.144, I see that the
> external server send back something, but I can't get it back on the
> eth1 tcpdump.
>
> Here is my iptables:
> ============
> iptables -n -L -v
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source
> destination
> 1664 208K ACCEPT all -- * *
> 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
> 0 0 ACCEPT icmp -- * *
> 0.0.0.0/0 0.0.0.0/0
> 0 0 ACCEPT all -- lo *
> 0.0.0.0/0 0.0.0.0/0
> 0 0 ACCEPT tcp -- * *
> 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
>
> Chain FORWARD (policy ACCEPT 3499 packets, 213K bytes)
> pkts bytes target prot opt in out
> source destination
> 0 0 ACCEPT all -- eth0 eth1
> 10.0.0.151 192.114.84.144 state NEW,RELATED,ESTABLISHED
> 0 0 ACCEPT all -- eth1 eth0
> 192.114.84.144 10.0.0.151 state NEW,RELATED,ESTABLISHED
>
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source
> destination
> 466 71467 ACCEPT all -- * *
> 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
> 0 0 ACCEPT icmp -- * *
> 0.0.0.0/0 0.0.0.0/0
>
> Here is my NAT table:
> =============
> iptables -n -t nat -L -v
> Chain PREROUTING (policy ACCEPT 915 packets, 129K bytes)
> pkts bytes target prot opt in out source
> destination
> 0 0 DNAT tcp -- eth1 *
> 192.114.84.144 0.0.0.0/0 to:10.0.0.151
>
> Chain POSTROUTING (policy ACCEPT 75 packets, 6372 bytes)
> pkts bytes target prot opt in out source
> destination
> 16 960 SNAT all -- * eth1
> 10.0.0.151 0.0.0.0/0 to:192.114.84.144
>
> Chain OUTPUT (policy ACCEPT 36 packets, 3998 bytes)
> pkts bytes target prot opt in out source
> destination
>
>
> I think I ACCEPT and FORWARD all, I have both SNAT and DNAT, but I
> missed something.
>
> Help will be welcome.
>
> Patrick
>
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: I can't make forwarding
2010-02-16 11:19 I can't make forwarding Patrick Chemla
2010-02-16 14:05 ` Patrick Chemla
@ 2010-02-16 15:38 ` Mart Frauenlob
2010-03-03 8:36 ` Multiple IPs to 2 interfaces problem with default route Patrick Chemla
1 sibling, 1 reply; 5+ messages in thread
From: Mart Frauenlob @ 2010-02-16 15:38 UTC (permalink / raw)
Cc: netfilter, patrick.chemla
On 16.02.2010 12:34, netfilter-owner@vger.kernel.org wrote:
> Hi,
>
> I have problems to setup a NAT router using iptables.
>
> My NAT Router is running Fedora 11.
>
> I have 2 interfaces, eth0 10.0.0.1 is internal, eth1 172.25.2.2 is
> external.
>
> I have 10 external public addresses coming to the interface eth1 that I
> want to forward to 10 internal computers on eth0.
>
> When I try to ping or access an external web server from the NAT server
> itself, it works very fine. I see on the remote server the external
> address of the NAT router itself.
> When I try to ping or wget an external web server from an internal
> 10.0.0.151 computer, using TCPDUMP both on the foreign server interface
> and on the eth1 of the NAT router, I see that packets reach the
> external server with the right IP 192.114.84.144, I see that the
> external server send back something, but I can't get it back on the eth1
> tcpdump.
>
> Here is my iptables:
> ============
> iptables -n -L -v
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source
> destination
> 1664 208K ACCEPT all -- * * 0.0.0.0/0
> 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
> 0 0 ACCEPT icmp -- * *
> 0.0.0.0/0 0.0.0.0/0
> 0 0 ACCEPT all -- lo *
> 0.0.0.0/0 0.0.0.0/0
> 0 0 ACCEPT tcp -- * *
> 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
>
> Chain FORWARD (policy ACCEPT 3499 packets, 213K bytes)
> pkts bytes target prot opt in out source
> destination
> 0 0 ACCEPT all -- eth0 eth1
> 10.0.0.151 192.114.84.144 state NEW,RELATED,ESTABLISHED
> 0 0 ACCEPT all -- eth1 eth0
> 192.114.84.144 10.0.0.151 state NEW,RELATED,ESTABLISHED
>
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source
> destination
> 466 71467 ACCEPT all -- * * 0.0.0.0/0
> 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
> 0 0 ACCEPT icmp -- * *
> 0.0.0.0/0 0.0.0.0/0
Why have all the ACCEPT rules, if the policy of all chains is ACCEPT?
Use at least a DROP policy in INPUT and FORWARD chain.
EXT_IF=eth1
INT_IF=eth0
INT_IP01=10.0.0.151
iptables -A FORWARD -o $INT_IF -d $INT_IP01 -m state ... -p ... -j ACCEPT
iptables -A FORWARD -i $INT_IF -s $INT_IP ... -j ACCEPT
>
> Here is my NAT table:
> =============
> iptables -n -t nat -L -v
> Chain PREROUTING (policy ACCEPT 915 packets, 129K bytes)
> pkts bytes target prot opt in out source
> destination
> 0 0 DNAT tcp -- eth1 *
> 192.114.84.144 0.0.0.0/0 to:10.0.0.151
>
> Chain POSTROUTING (policy ACCEPT 75 packets, 6372 bytes)
> pkts bytes target prot opt in out source
> destination
> 16 960 SNAT all -- * eth1
> 10.0.0.151 0.0.0.0/0 to:192.114.84.144
>
> Chain OUTPUT (policy ACCEPT 36 packets, 3998 bytes)
> pkts bytes target prot opt in out source
> destination
>
>
> I think I ACCEPT and FORWARD all, I have both SNAT and DNAT, but I
> missed something.
>
> Help will be welcome.
>
> Patrick
ok, lets work this out:
goal 1: I want a request coming from the internet - towards a specific
ip of the external interface of the gateway, to be redirected to a
certain ip inside my internal network.
EXT_IF=eth1
EXT_IP01=192.114.84.144
INT_IP01=10.0.0.151
iptables -t nat -A PREROUTING -i $EXT_IF -d $EXT_IP01 -j DNAT
--to-destination $INT_IP01
This will map external request to the internal server, traffic coming
back will re-translated by itself.
Repeat for every external/internal IP pair...
goal 2: All traffic originating from a certain internal ip - should
leave the external interface with a certain ip.
iptables -t nat -A POSTROUTING -o $EXT_IF -s $INT_IP01 -j SNAT
--to-source $EXT_IP01
Repeat for every internal/external IP pair...
Writing all those stuff in the nat table, one might prefer assigning the
external IPs to the servers and route the traffic through.
Best regards
Mart
^ permalink raw reply [flat|nested] 5+ messages in thread
* Multiple IPs to 2 interfaces problem with default route
2010-02-16 15:38 ` Mart Frauenlob
@ 2010-03-03 8:36 ` Patrick Chemla
2010-03-04 2:19 ` Sven-Haegar Koch
0 siblings, 1 reply; 5+ messages in thread
From: Patrick Chemla @ 2010-03-03 8:36 UTC (permalink / raw)
To: netfilter
Hi,
I have set up a Fedora 11 NAT server to NAT outgoing traffic to 2
interfaces to 2 ISPs.
My internal interface is eth0, the 2 external interfaces are eth1 for
ISP1 and eth2 for ISP2, each one with a pool of IP addresses.
I wrote a script who create for each internal server the corresponding
NAT fonction :
interface= outgoing interface for the wanted ISP
public_ip= public IP address affected to this server on the ISP network
server_ip= internal server local ip address
/sbin/iptables -t nat -A PREROUTING -p tcp -i $interface -s
$public_ip/32 -j DNAT --to-destination $server_ip
/sbin/iptables -t nat -A POSTROUTING -s $server_ip/32 -j SNAT -o
$interface --to-source $public_ip
It works very fine with one interface, but when I try to activate the
second interface, I think I get a problem with the default route.
When I started the interfaces, eth1 got a public IP and a default
gateway. This default gateway is the default gateway for all the server.
eth2 has his own public IP, own gateway.
I tried to remove the default gateway, thinking the route will be
according to the NAT setup, but no more packet can get out of the server.
But I need to split packets to interfaces eth1 and eth2 according to the
public IP of the internal server, not according to a default route
always pointing to eth1.
How can I set up these routes?
Patrick
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Multiple IPs to 2 interfaces problem with default route
2010-03-03 8:36 ` Multiple IPs to 2 interfaces problem with default route Patrick Chemla
@ 2010-03-04 2:19 ` Sven-Haegar Koch
0 siblings, 0 replies; 5+ messages in thread
From: Sven-Haegar Koch @ 2010-03-04 2:19 UTC (permalink / raw)
To: Patrick Chemla; +Cc: netfilter
On Wed, 3 Mar 2010, Patrick Chemla wrote:
> I have set up a Fedora 11 NAT server to NAT outgoing traffic to 2 interfaces
> to 2 ISPs.
> It works very fine with one interface, but when I try to activate the second
> interface, I think I get a problem with the default route.
>
> When I started the interfaces, eth1 got a public IP and a default gateway.
> This default gateway is the default gateway for all the server. eth2 has his
> own public IP, own gateway.
>
> I tried to remove the default gateway, thinking the route will be according to
> the NAT setup, but no more packet can get out of the server.
>
> But I need to split packets to interfaces eth1 and eth2 according to the
> public IP of the internal server, not according to a default route always
> pointing to eth1.
>
> How can I set up these routes?
Look for "source based routing" or "policy routing" - this hasn't got
much to do with NAT or netfilter.
Something like
http://lartc.org/howto/lartc.rpdb.html
may help you.
c'ya
sven-haegar
--
Three may keep a secret, if two of them are dead.
- Ben F.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2010-03-04 2:19 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-02-16 11:19 I can't make forwarding Patrick Chemla
2010-02-16 14:05 ` Patrick Chemla
2010-02-16 15:38 ` Mart Frauenlob
2010-03-03 8:36 ` Multiple IPs to 2 interfaces problem with default route Patrick Chemla
2010-03-04 2:19 ` Sven-Haegar Koch
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).