[olug] iptables behind router

Daniel Linder dan at linder.org
Thu Sep 16 15:41:09 UTC 2004



William,

I think this might be a solution to your problem with wanting to have a
linux box do some of the port forwarding to a secondary machine on the
internal network.  Basically, we're going to use DNAT and SNAT together
without having to mess with the DHCP and/or default gateways of your other
workstations.

1: Set up the "DNAT" so the packets coming in get redirected to the proper
system.
Packet flow: Internet -> router -> DMZ'd Linux Server -> Second Linux Server
On the DMZ'd Linux server, we will only need a single IP address/port (I
think).  Enter the following iptables entry:

# --dport only works together with a protocol match; -p tcp assumed here (use -p udp for a UDP service)
iptables -t nat -A PREROUTING -p tcp --dport $PortToForward -j DNAT \
  --to-destination $RealServer

($PortToForward = the port coming from the Internet to send to "Second
Linux Server", and $RealServer is the internal IP address of the Second
Linux Server)

This will take a packet and re-write its header so that the destination
address is $RealServer -- this also leaves the source IP address alone.

2: Set up the "SNAT" so the packets look like they came from the "DMZ'd
Linux Server" initially so the "Second Linux Server" will send the packet
back to undo the DNAT/SNAT changes.

# same protocol match as the DNAT rule; -d $RealServer keeps the SNAT from touching other traffic to that port
iptables -t nat -A POSTROUTING -p tcp -d $RealServer --dport $PortToForward -j SNAT \
  --to-source $NATLinuxServer

($NATLinuxServer = the DMZ'd Linux server's internal IP address, and
$PortToForward is the same as above.)

Here is an example.  Assume the following:
Flow: Internet -> router -> DMZ'd Linux Server -> Second Linux Server
DMZ'd Linux Server: $NATLinuxServer="192.168.0.20"
Second Linux Server: $RealServer="192.168.0.30"
Port to forward: $PortToForward="5555"

# NAT the destination of the original packet...
iptables -t nat -A PREROUTING -p tcp --dport $PortToForward -j DNAT \
  --to-destination $RealServer

# NAT the source of the original packet...
iptables -t nat -A POSTROUTING -p tcp -d $RealServer --dport $PortToForward -j SNAT \
  --to-source $NATLinuxServer


# I think you'll have to turn on ip_forwarding for this to work
echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

Packets that come in from the Internet on port 5555 will go through the
"router" first and be directed to the "DMZ'd Linux Server".  The linux
server will see a source IP/port of the Internet machine, and the
destination IP/port will be 192.168.0.20/5555.

When the PREROUTING table on the "DMZ'd Linux Server" sees the packet
enter, it checks that the destination port is 5555, then it will change
the destination address (DNAT) to the other server (192.168.0.30).

The "FORWARD" table takes over here, and then hands the packet over to the
"POSTROUTING" table for final processing.

When the POSTROUTING table sees that it is a destination port of 5555, it
will change the apparent source (SNAT) to the IP address of itself.  It
then puts the packet back on the wire (lan/network/switch/hub/etc).

At this point the packet has a source of 192.168.0.20, and a destination
of 192.168.0.30.  The .30 server picks up the packet, lets the process on
port 5555 do its magic, and then sends the reply back to the 192.168.0.20
server.

The 192.168.0.20 server sees the packet coming back, and changes back the
source and destination IP addresses to what they were when it came in.

The router then sees a reply packet with a source of 192.168.0.20 and a
destination of the original Internet IP address.  It then sends the packet
out to the original requesting system...

The benefit with this setup is that you don't need to have multiple IP
address segments or multiple DMZ systems to get this level of port
forwarding to work.  For those of us on a limited budget, it saves on
purchasing a new switch/hub/nic, etc.  Saving money is always a nice
thing!

The downfall with this is that the service on the second linux server is
dependent on the DMZ'd linux server routing packets to it properly.  If
this were a business doing this, you'd want to make sure there was enough
redundancy in the DMZ'd system to keep their risks very low.

Dan

Note 1: The task of remembering the original source/destination IP
addresses is all handled by the iptables within the kernel.  Just think
of this as a bit of Linux magic -- I won't try to go into how that is
accomplished. :)
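As an added illustration (not from the original post) of the bookkeeping Note 1 leaves to the kernel, here is a toy Python model of the DNAT/SNAT pair with a connection-tracking table, using the addresses and port from the example above. The Packet and NatBox names are assumptions of this sketch; real netfilter keeps one bidirectional conntrack entry per flow, and this only models the idea.

```python
from dataclasses import dataclass

NAT_SERVER = "192.168.0.20"   # $NATLinuxServer, the DMZ'd Linux server
REAL_SERVER = "192.168.0.30"  # $RealServer, the second Linux server
PORT = 5555                   # $PortToForward


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatBox:
    """Toy model (assumed names) of the DMZ'd server: PREROUTING DNAT,
    POSTROUTING SNAT, and a conntrack table keyed by the expected reply."""

    def __init__(self):
        # (src, sport, dst, dport) of the reply we expect -> original packet
        self.conntrack = {}

    def forward_in(self, pkt):
        """Packet from the router. Returns what the real server receives,
        or None when the NAT rules do not match (INPUT handles it instead)."""
        if pkt.dport != PORT or pkt.dst != NAT_SERVER:
            return None
        # PREROUTING DNAT rewrites only the destination address;
        # POSTROUTING SNAT rewrites only the source address. Ports stay.
        out = Packet(NAT_SERVER, pkt.sport, REAL_SERVER, pkt.dport)
        # conntrack remembers the original so the reply can be un-NATed
        self.conntrack[(out.dst, out.dport, out.src, out.sport)] = pkt
        return out

    def reply_out(self, reply):
        """Reply from the real server. Returns the packet the router sees,
        or None when no state exists (unsolicited traffic is not translated)."""
        orig = self.conntrack.get((reply.src, reply.sport, reply.dst, reply.dport))
        if orig is None:
            return None
        # Undo SNAT (dst back to the Internet host) and DNAT (src back to us).
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)


def round_trip(client_ip, client_port):
    """One request/reply through the box: (seen by real server, seen by router)."""
    box = NatBox()
    seen_by_real = box.forward_in(Packet(client_ip, client_port, NAT_SERVER, PORT))
    reply = Packet(seen_by_real.dst, seen_by_real.dport, seen_by_real.src, seen_by_real.sport)
    return seen_by_real, box.reply_out(reply)
```

The constructed client address 203.0.113.7 in the checks below is documentation range, not a real host.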

