Mailing List Archive



Re: [tlug] iptables and port-forwarding concerns



Quoth Godwin Stewart (Thu 2004-04-22 12:19:00AM +0200):

> OK, here's another excuse for Josh to have a good laugh while someone points
> out what an idiot I am :)

Heh. I have never seriously thought you an idiot. I just get my jollies by
poking fun at you when you give me a huge opening! ;)

> The IP range I've assigned to my LAN is 192.168.0.0/23. The local IP address
> of the box facing the 'net is 192.168.1.1, it's doing IP masquerading for
> the other boxen in the LAN, its 'net-facing interface is ppp0 and the
> LAN-facing interface is eth0. Its name is 'spider'.

OK, 23 of the 32 bits in your address are denoting the network portion (yes
kids, that is how CIDR notation works), so you have the IP addresses
192.168.0.0 - 192.168.1.1 in your subnet, right? Just making sure *I* am
not making a stupid mistake! :)

> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

Right, don't MASQUERADE, first of all. Try this instead:

iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to-source <IP>

where <IP> is ppp0's static IP. (Sorry, I forgot the '-t nat' in my
previous post.)

> Spider needs to be told that anything coming in through ppp0 on tcp ports
> 10000 through 10100 needs to be relayed directly to the corresponding ports
> on fly, so I'd have to insert this rule in spider's nat table:
> 
> iptables -t nat -I POSTROUTING 1 -i ppp0 -p tcp --dports 10000:10100 \ 
>   -j DNAT --to-destination 192.168.0.3
>
> Also, spider needs to know that anything coming from tcp ports 10000-10100
> on fly and going outside needs to go out from the same ports on spider:
> 
> iptables -t nat -I PREROUTING 1 -i eth0 -p tcp -s 192.168.0.3 \
>   -d ! 192.168.0.0/23 --dports 10000:10100 \
>   -j SNAT --from-destination my.pub.lic.ip

You have things backwards. DNAT *must* be done pre-routing, with --from:

iptables -t nat -I PREROUTING 1 -i eth0 -p tcp -s 192.168.0.3 \
  -d ! 192.168.0.0/23 -j DNAT --from 192.168.0.3:10000-10100

...and SNAT is post-routing, with --to:

iptables -t nat -I POSTROUTING 1 -o ppp0 -p tcp -s 192.168.0.3 \
  -j SNAT --to my.pub.lic.ip:10000-10100

This is not complete, but hopefully it corrects your misconceptions
enough to get you started. This will help:

http://www.stearns.org/iptables/NAT-HOWTO.txt

> Four questions:
> 
> 1) Does this look right so far?

See above. :)

> 2) How is this going to interact with IP masquerading and should the
>    "-j DNAT" rule appear before the "-j MASQUERADE" rule or after?

Get rid of masquerading altogether and do SNAT.

> 3) spider runs its own software, including Apache, an MTA, BIND and a few
>    other odds and ends. What happens if one of these applications tries to
>    open a connection with a remote host from a TCP port in the range
>    forwarded to fly, are packets coming back going to be directed to fly or
>    is the IP routing in the Linux kernel (2.4.25) smarter than that?

Bugger if I know. :)

> 4) Given that I have a static public IP address, is IP masquerading the
>    right solution for distributing the Internet connection to the LAN or
>    should I be looking at full NAT instead in the first place?

Quoth the iptables(8) man page:

MASQUERADE
    This target is only valid in the nat table, in the POSTROUTING chain.
    It should only be used with dynamically assigned IP (dialup) connections:
    if you have a static IP address, you should use the SNAT target.

-- 
Josh Glover

GPG keyID 0xDE8A3103 (C3E4 FA9E 1E07 BBDB 6D8B  07AB 2BF1 67A1 DE8A 3103)
gpg --keyserver pgp.mit.edu --recv-keys DE8A3103

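The NAT setup the thread is circling around, written out as an added example that is not part of Josh's or Godwin's posts: SNAT in place of MASQUERADE for the static address, DNAT for TCP 10000-10100 in PREROUTING, and the matching SNAT in POSTROUTING. The public address 203.0.113.10 is a placeholder for my.pub.lic.ip, and the FORWARD rules are an assumption on my part, since the thread only discusses the nat table.

```shell
#!/bin/sh
# Added example, not from the thread: nat-table rules for spider (ppp0 to the
# Internet, eth0 to the LAN), using SNAT instead of MASQUERADE because the
# public address is static. PUB_IP is a placeholder from the RFC 5737
# documentation range; replace it with spider's real ppp0 address.
# Default is a dry run that prints the commands; run as root with
# IPT=iptables to apply them.
IPT="${IPT:-echo}"
WAN_IF=ppp0                       # spider's Internet-facing interface
LAN_IF=eth0                       # spider's LAN-facing interface
LAN_NET=192.168.0.0/23            # LAN range given in the thread
PUB_IP="${PUB_IP:-203.0.113.10}"  # placeholder for my.pub.lic.ip
FLY=192.168.0.3                   # host that receives the forwarded ports
PORTS=10000:10100                 # tcp range syntax is low:high (--dport, not --dports)

nat_rules() {
    # Flush the nat table first so re-running the script does not stack rules.
    $IPT -t nat -F

    # DNAT belongs in PREROUTING: inbound TCP 10000-10100 arriving on ppp0 is
    # rewritten to fly before the routing decision. Giving only an address in
    # --to-destination keeps the original destination port. Replies to
    # connections spider itself opened are matched by conntrack before the nat
    # table is consulted, so they are not diverted to fly (question 3).
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$PORTS" \
        -j DNAT --to-destination "$FLY"

    # SNAT belongs in POSTROUTING. The fly-specific rule is appended first so
    # it is evaluated first: new connections fly opens from ports 10000-10100
    # are mapped into that range on the public address (the kernel picks a
    # free port inside the range; it does not promise the identical number).
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -p tcp -s "$FLY" --sport "$PORTS" \
        -j SNAT --to-source "$PUB_IP:10000-10100"

    # Everything else leaving via ppp0 from the LAN gets the plain static SNAT
    # that iptables(8) recommends over MASQUERADE for a fixed address.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$PUB_IP"
}

filter_rules() {
    # DNAT only rewrites addresses: the FORWARD chain must still accept the
    # translated packets, or a default-DROP policy silently discards them.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$FLY" --dport "$PORTS" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

nat_rules
filter_rules
```

Run it once as written to review the generated commands, then with `IPT=iptables` as root to install them.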