Re: DNAT and local hosts

Hello,

Pieter De Wit wrote:
C1 --.
     |
     |-FW--- internet
     |
C2 --'

Ok - for this email, I will give C1 192.168.0.10 and C2 192.168.0.11.
The Firewall (FW) has two ethernet connections, eth0 and eth1. eth1 is
connected to an ADSL modem in bridged mode, which creates ppp0. Let's say for
this email, ppp0 gets 1.2.3.4.

Now, all connections are routed out via FW:ppp0 and are NAT'ed. There is
a rule that allows connections to ppp0 on port 1234 and DNAT's them to
C1. When C2 makes a connection to 1.2.3.4:1234 it fails with "Connection
refused" since there is no "server" listening on the firewall's
ppp0, port 1234.

How can I solve this? I need FW to DNAT "local/C2" connections back to
C1.

Here is the FGA (Frequently Given Answer) to your FAQ (Frequently Asked Question).

1) NAT the incoming connections on the LAN interface based on the destination address and port. If ppp0 gets a different address at each PPP session, this rule must be created at the beginning (and deleted at the end) of the PPP session, for instance using the /etc/ppp/ip-up and /etc/ppp/ip-down scripts:

iptables -t nat -A PREROUTING -i eth0 -d 1.2.3.4 -p tcp --dport 1234 \
  -j DNAT --to-destination 192.168.0.10

2) Allow forwarded traffic from LAN to LAN, if blocked by default:

iptables -A FORWARD -i eth0 -o eth0 -j ACCEPT

3) NAT or MASQUERADE the source address of the redirected connections, so the replies from C1 are routed back to the firewall and can be properly un-DNATed before they reach C2:

iptables -t nat -A POSTROUTING -o eth0 -d 192.168.0.10 \
  -p tcp --dport 1234 -j SNAT --to-source <eth0_address>

or:

iptables -t nat -A POSTROUTING -o eth0 -d 192.168.0.10 \
  -p tcp --dport 1234 -j MASQUERADE

Note that if C2 runs Linux too, an alternative is to create a single DNAT rule on it in order to divert locally generated traffic sent to 1.2.3.4:1234:

iptables -t nat -A OUTPUT -d 1.2.3.4 -p tcp --dport 1234 \
  -j DNAT --to-destination 192.168.0.10

Note: there is no INPUT chain in the 'nat' table because it is traversed after the routing decision, so it is too late to change the destination.
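Putting the three steps of the answer above into one script, as an added example that is not part of the original thread: a hypothetical hook meant to live under /etc/ppp/ip-up.d and /etc/ppp/ip-down.d (pppd passes the interface name as $1 and the local, i.e. public, address as $4 to both), which adds the hairpin rules when the PPP link comes up and deletes them when it goes down, using the addresses from the thread. The LAN_IF, LAN_NET, SERVER, PORT and DRY_RUN names, and the run() helper, are this example's own; with DRY_RUN set the script prints the iptables commands instead of executing them.

```shell
#!/bin/sh
# Hypothetical hairpin-NAT hook for pppd (example code, not from the thread).
# pppd invokes ip-up/ip-down hooks as: SCRIPT IFNAME TTY SPEED LOCAL_IP REMOTE_IP IPPARAM
# so $4 is the address ppp0 just received (1.2.3.4 in the thread).

LAN_IF="${LAN_IF:-eth0}"                 # interface facing C1 and C2 (assumption)
LAN_NET="${LAN_NET:-192.168.0.0/24}"     # LAN prefix (assumption)
SERVER="${SERVER:-192.168.0.10}"         # C1, the real service host
PORT="${PORT:-1234}"                     # forwarded TCP port
DRY_RUN="${DRY_RUN:-}"                   # non-empty: print commands, do not apply

# run CMD ARGS...: execute, or print the command line when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# hairpin_rules ACTION WAN_IP
#   ACTION is -A (install) or -D (remove); WAN_IP is the current ppp0 address.
#   Returns 1 without touching the firewall if WAN_IP is empty, so a hook
#   called with missing arguments never installs a rule matching no address.
hairpin_rules() {
    action="$1"; wan_ip="$2"
    [ -n "$wan_ip" ] || { echo "hairpin_rules: no WAN address given" >&2; return 1; }

    # 1) LAN clients that connect to the public address:port are redirected to C1,
    #    exactly as the existing rule on ppp0 does for internet clients.
    run iptables -t nat "$action" PREROUTING -i "$LAN_IF" -d "$wan_ip" \
        -p tcp --dport "$PORT" -j DNAT --to-destination "$SERVER"

    # 2) The redirected flow enters and leaves on the same interface; allow
    #    only that flow rather than all LAN-to-LAN forwarding.
    run iptables "$action" FORWARD -i "$LAN_IF" -o "$LAN_IF" -d "$SERVER" \
        -p tcp --dport "$PORT" -j ACCEPT

    # 3) Rewrite the source so C1 answers to the firewall, which un-DNATs the
    #    reply before it reaches C2. Restricted with -s to LAN-originated
    #    connections: internet clients forwarded to C1 keep their real source
    #    address and stay visible in C1's logs.
    run iptables -t nat "$action" POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$SERVER" \
        -p tcp --dport "$PORT" -j MASQUERADE
}

# Dispatch on where pppd found us: /etc/ppp/ip-up[.d/...] or /etc/ppp/ip-down[.d/...].
case "$0" in
    */ip-up*)   hairpin_rules -A "${4:-}" ;;
    */ip-down*) hairpin_rules -D "${4:-}" ;;
esac
```

Install the same file under both /etc/ppp/ip-up.d/ and /etc/ppp/ip-down.d/ (or call it from ip-up and ip-down); `DRY_RUN=1 sh hairpin.sh` from a shell prints nothing because the dispatch only fires under the pppd paths, so test with `DRY_RUN=1 . ./hairpin.sh; hairpin_rules -A 1.2.3.4`. Because of step 3, C1 sees C2's connections as coming from the firewall's eth0 address rather than from 192.168.0.11; if C1 needs the real client address, the OUTPUT-chain DNAT on C2 from the answer above avoids the hairpin entirely.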


