
[tlug] iptables and port-forwarding concerns



Hi again,

OK, here's another excuse for Josh to have a good laugh while someone points
out what an idiot I am :)

First a bit of background info.

The IP range I've assigned to my LAN is 192.168.0.0/23. The local IP address
of the box facing the 'net is 192.168.1.1, it's doing IP masquerading for
the other boxen in the LAN, its 'net-facing interface is ppp0 and the
LAN-facing interface is eth0. Its name is 'spider'.

The box on the LAN which needs ports facing the 'net is the laptop with
local IP address 192.168.0.3 and it's called 'fly'. It's running KPhone
(VoIP SIP phone to screw France Telecom out of as much cash as possible
while talking with a client in Paris over the 'net for free-as-in-beer) and
needs to be reachable from the outside on TCP (or UDP, I forget which but it
doesn't matter for now, let's assume TCP) ports 10000 through 10100.

The following assumptions are what I've already tried - unsuccessfully - so
I must be missing something somewhere, and I hope I'll be set straight.

There are no rules at all in the nat table except:

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

 ...which, with a few other things elsewhere, gets the IP masquerading
working.

Spider needs to be told that anything coming in through ppp0 on tcp ports
10000 through 10100 needs to be relayed directly to the corresponding ports
on fly, so I'd have to insert this rule in spider's nat table:

iptables -t nat -I POSTROUTING 1 -i ppp0 -p tcp --dports 10000:10100 \
  -j DNAT --to-destination 192.168.0.3

Also, spider needs to know that anything coming from tcp ports 10000-10100
on fly and going outside needs to go out from the same ports on spider:

iptables -t nat -I PREROUTING 1 -i eth0 -p tcp -s 192.168.0.3 \
  -d ! 192.168.0.0/23 --dports 10000:10100 \
  -j SNAT --from-destination my.pub.lic.ip


Four questions:

1) Does this look right so far?

2) How is this going to interact with IP masquerading and should the
   "-j DNAT" rule appear before the "-j MASQUERADE" rule or after?

3) spider runs its own software, including Apache, an MTA, BIND and a few
   other odds and ends. What happens if one of these applications tries to
   open a connection with a remote host from a TCP port in the range
   forwarded to fly, are packets coming back going to be directed to fly or
   is the IP routing in the Linux kernel (2.4.25) smarter than that?

4) Given that I have a static public IP address, is IP masquerading the
   right solution for distributing the Internet connection to the LAN or
   should I be looking at full NAT instead in the first place?

Thanks in advance.

-- 
G. Stewart   --   gstewart@example.com -- gstewart@example.com
Registered Linux user #284683 (Slackware 9.0, Linux 2.6.5)
--------------------------------------------------------------
In most countries selling harmful things like drugs is punishable.
Then how come people can sell Microsoft software and go unpunished?
        -- Hasse Skrifvars
