On Friday 01 June 2012 14:37:46 Sajesh Singh wrote: > Iptables gurus, > I have been trying to implement a solution using 2 iptables > boxes as routers for traffic between two hosts on two different networks. > I have four different machine that I would like to have traffic routed > between: > > Machine 1 - Client A - IP : A.A.A.A > Machine 2 - iptables Machine A - IP: B.B.B.B (One interface only) > Machine 3 - iptables Macine B - IP: C.C.C.C (One interface only) > Machine 4 - Client B - IP: D.D.D.D > > What I would like to accomplish is to have traffic from Client A route > traffic through iptables Machine A which then sends the traffic to > iptables Machine B when then forwards the traffic to Client B and the > reverse as well. I would also like for the IP address of Client A to be > visible to Client B. > > I have tried various scenarios with PREROUTING (DNAT) and FORWARDING rules > with no success. The connection either seems to hang to or I get error > stating no route to host. Also forwarding is enabled on each of the > iptables machine. Below are the rules that I have tried to use: > > Firewall rules from Machine 2 - Iptables Machine A > # Generated by iptables-save v1.4.12 on Fri Jun 1 12:26:55 2012 > *nat > > :PREROUTING ACCEPT [142418:19715843] > :INPUT ACCEPT [21:8744] > :OUTPUT ACCEPT [8437:405020] > :POSTROUTING ACCEPT [8439:405588] > > -A PREROUTING -d D.D.D.D/32 -j DNAT --to-destination C.C.C.C > COMMIT > # Completed on Fri Jun 1 12:26:55 2012 > # Generated by iptables-save v1.4.12 on Fri Jun 1 12:26:55 2012 > *filter > > :INPUT DROP [0:0] > :FORWARD DROP [0:0] > :OUTPUT ACCEPT [43:4084] > :RH-Firewall-1-INPUT - [0:0] > > -A INPUT -j RH-Firewall-1-INPUT > -A FORWARD -j RH-Firewall-1-INPUT > -A FORWARD -d C.C.C.C/32 -j ACCEPT > -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT > -A RH-Firewall-1-INPUT -i lo -j ACCEPT > -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT > -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT > -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j > ACCEPT -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited > COMMIT > # Completed on Fri Jun 1 12:26:55 2012 > > > Firewall rules from Machine 3 - Iptables Machine B > # Generated by iptables-save v1.4.12 on Fri Jun 1 12:27:51 2012 > *nat > > :PREROUTING ACCEPT [53576:4590151] > :INPUT ACCEPT [11:4620] > :OUTPUT ACCEPT [64:4512] > :POSTROUTING ACCEPT [65:5012] > > -A PREROUTING -d A.A.A.A/32 -j DNAT --to-destination B.B.B.B > COMMIT > # Completed on Fri Jun 1 12:27:51 2012 > # Generated by iptables-save v1.4.12 on Fri Jun 1 12:27:51 2012 > *filter > > :INPUT DROP [0:0] > :FORWARD ACCEPT [0:0] > :OUTPUT ACCEPT [48:4544] > :RH-Firewall-1-INPUT - [0:0] > > -A INPUT -j RH-Firewall-1-INPUT > -A FORWARD -j RH-Firewall-1-INPUT > -A FORWARD -d B.B.B.B/32 -j ACCEPT > -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT > -A RH-Firewall-1-INPUT -i lo -j ACCEPT > -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT > -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT > -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j > ACCEPT -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited > COMMIT > # Completed on Fri Jun 1 12:27:51 2012 This isn't *really* a netfilter problem. Unless it's an 'academic' exercise. If you must NAT, I believe you have to SNAT as well as DNAT. This will be very similar to what you would have to do if A.A.A.A and D.D.D.D are in the same address space (same LAN addresses). The theory is that packets from A.A.A.A to D.D.D.D have to be changed to appear as though they come from B.B.B.B and are destined for C.C.C.C. In the reverse direction, packets to B.B.B.B have to be changed to appear as though they come from D.D.D.D and are addressed to A.A.A.A. Similar changes must be made for the other end. On host B.B.B.B for outgoing packets from A.A.A.A, you have to - SNAT A.A.A.A to B.B.B.B - DNAT D.D.D.D to C.C.C.C and for incoming packets to A.A.A.A, you have to - SNAT C.C.C.C to D.D.D.D - DNAT B.B.B.B to A.A.A.A and you have to forward ports of desired NEW packets to A.A.A.A. On host C.C.C.C for outgoing packets from D.D.D.D, you have to - SNAT D.D.D.D to C.C.C.C - DNAT A.A.A.A to B.B.B.B and for incoming packets to D.D.D.D, you have to - SNAT B.B.B.B to A.A.A.A - DNAT C.C.C.C to D.D.D.D and you have to forward ports of desired NEW packets to D.D.D.D. This should allow communication between A.A.A.A and D.D.D.D. I don't know how conntracking and other netfilter magic comes into play; some of this may be handled automatically for you. Be aware this scheme won't properly handle packets for other nodes behind B.B.B.B and C.C.C.C unless B.B.B.B and C.C.C.C are IP addresses dedicated to communication between A.A.A.A and D.D.D.D. That is, if B.B.B.B is a secondary address to the primary address of, say, E.E.E.E, and C.C.C.C is a secondary address to the primary address of, say, F.F.F.F, then your NAT rules must apply only to A.A.A.A/D.D.D.D and D.D.D.D/A.A.A.A traffic on both ends; all other traffic must use the primary E.E.E.E and F.F.F.F addresses. If you merely want A.A.A.A to be able to communicate with D.D.D.D and cannot acquire extra IP addresses, it would be far easier to do if you set up an IPSEC or OPENVPN tunnel (if encryption is needed) or a plain GRE or other tunnel (if encryption is not needed) between A.A.A.A and D.D.D.D (or between B.B.B.B and C.C.C.C if you use policy routing and/or netfilter rules to restrict traffic entering the tunnels to that between A.A.A.A and D.D.D.D). Lucian Gheorghe's "Linux Firewall and QoS" (ISBN 1-904811-65-S, Packt Publishing) has a very good primer on this sort of thing. If you search, you can find a downloadable PDF. I found one, then bought a printed copy; I still think it's a very good reference even though it may be somewhat dated and is worth every penny I spent. -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
