* DNAT from an IP address that does not exist to another that exists
@ 2003-07-30  3:09 Carlo Florendo
  2003-08-01 15:13 ` Chris Wilson
  0 siblings, 1 reply; 8+ messages in thread
From: Carlo Florendo @ 2003-07-30  3:09 UTC (permalink / raw)
  To: netfilter

Hello iptables gurus,

How do I set up iptables so that connections to a certain non-existent IP address are DNATed to another IP address within the
network?

Here's an explanation of the problem.  Sorry for the verbosity.  It's my first time posting to this list. :-)

I have several machines on my network and one gateway machine.
I've set up the gateway to do IP masquerading and everything's fine (i.e. any machine from the local network can access the internet
flawlessly).

The gateway runs services such as ssh and http.  Other machines on the local network run their respective services as well.

I want to achieve a setup such that connections to a certain non-existent IP address are DNATed to another IP address within the
network.

The gateway address is 192.168.30.1
The non-existent address which I want to DNAT to another machine within the network is 192.168.40.40
The existent IP address where I want 192.168.40.40 to be forwarded to, is 192.168.30.11



Here are 2 cases:

case 1).  The non-existent IP address is DNATed to the gateway (i.e. the accepting machine itself).

When I do this, everything works fine.  (i.e. I get to access 192.168.40.40 as if it really existed although what I'm really
accessing is the gateway machine 192.168.30.1).

Here is how the configuration worked:

iptables -t nat -A PREROUTING -d 192.168.40.40 -j DNAT --to 192.168.30.1

case 2).  The non-existent IP address is DNAT to another machine within the network (not the gateway).

Here's what I think is the solution but it does not work.

iptables -t nat -A PREROUTING -d 192.168.40.40 -j DNAT --to 192.168.30.11

I wanted to force our users to access 192.168.40.40 since it is *NOT* in the same network.  Thus, all connections to it pass through
the gateway.

The solution does not work.  Are there any pointers on how to make this possible?

A link to the network diagram is here:  http://210.23.193.154/zxff/qsz.html

Thanks a lot!

Best Regards,

Carlo
------
Carlo Florendo
Astra Philippines Inc.
URL: http://www.hq.astra.ph/resources

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: DNAT from an IP address that does not exist to another that exists
  2003-07-30  3:09 DNAT from an IP address that does not exist to another that exists Carlo Florendo
@ 2003-08-01 15:13 ` Chris Wilson
  0 siblings, 0 replies; 8+ messages in thread
From: Chris Wilson @ 2003-08-01 15:13 UTC (permalink / raw)
  To: Carlo Florendo; +Cc: netfilter

Hi Carlo,

> The gateway address is 192.168.30.1
> The non-existent address which I want to DNAT to another machine 
> within the network is 192.168.40.40
> The existent IP address where I want 192.168.40.40 to be forwarded to, 
> is 192.168.30.11

This is a case of what I call "bermuda triangle" routing, and is
definitely a FAQ. The problem is that the replies to your connection go
_directly_ back from 192.168.30.11 to 192.168.30.x, without going through
the firewall, and as a result they don't get un-masqueraded, and
192.168.30.x ignores them, since it's expecting to see packets from
192.168.40.40 instead of 192.168.30.11.

The only solution that I know is to masquerade the DNAT'ed packets, so 
that they will always go back through the firewall. For example, in your 
case:

  iptables -t nat -I POSTROUTING -s 192.168.30.0/24 -d 192.168.30.11 \
	-j MASQUERADE

Cheers, Chris.
-- 
   ___ __     _
 / __// / ,__(_)_  | Chris Wilson -- UNIX Firewall Lead Developer |
/ (_ / ,\/ _/ /_ \ | NetServers.co.uk http://www.netservers.co.uk |
\ _//_/_/_//_/___/ | 21 Signet Court, Cambridge, UK. 01223 576516 |

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: DNAT from an IP address that does not exist to another that exists
  2003-08-07  6:55 ` Carlo Florendo
@ 2003-08-07 12:03   ` Whit Blauvelt
  0 siblings, 0 replies; 8+ messages in thread
From: Whit Blauvelt @ 2003-08-07 12:03 UTC (permalink / raw)
  To: Carlo Florendo; +Cc: netfilter

On Thu, Aug 07, 2003 at 02:55:28PM +0800, Carlo Florendo wrote:

> So this means that:
> 
> iptables -t nat -I POSTROUTING -s 192.168.30.0/24 -d 192.168.30.11 -j MASQUERADE  (your solution)
> 
> and 
> 
> iptables -I POSTROUTING -t nat -s 192.168.30.0/24 -o $INTDEV -d 192.168.30.11 -j SNAT --to 192.168.30.1 (c/o George Vieira)
> 
> are equivalent (given that 192.168.30.1 is the gateway).

They get you to the same place. But it's said that SNAT is more resource
efficient.

Whit


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: DNAT from an IP address that does not exist to another that exists
       [not found] <004e01c35caf$86bd4910$200aa8c0@thorin>
@ 2003-08-07  6:55 ` Carlo Florendo
  2003-08-07 12:03   ` Whit Blauvelt
  0 siblings, 1 reply; 8+ messages in thread
From: Carlo Florendo @ 2003-08-07  6:55 UTC (permalink / raw)
  To: netfilter

Hello Chris,

> > The gateway address is 192.168.30.1
> > The non-existent address which I want to DNAT to another machine 
> > within the network is 192.168.40.40
> > The existent IP address where I want 192.168.40.40 to be forwarded to, 
> > is 192.168.30.11
> 
> This is a case of what I call "bermuda triangle" routing, and is
> definitely a FAQ. The problem is that the replies to your connection go
> _directly_ back from 192.168.30.11 to 192.168.30.x, without going through
> the firewall, and as a result they don't get un-masqueraded, and
> 192.168.30.x ignores them, since it's expecting to see packets from
> 192.168.40.40 instead of 192.168.30.11.
> 
> The only solution that I know is to masquerade the DNAT'ed packets, so 
> that they will always go back through the firewall. For example, in your 
> case:
> 
>   iptables -t nat -I POSTROUTING -s 192.168.30.0/24 -d 192.168.30.11 \
>  -j MASQUERADE
> 
> Cheers, Chris.

Thanks a lot!  This is great!  This one worked too, as well as the earlier post.

So this means that:

iptables -t nat -I POSTROUTING -s 192.168.30.0/24 -d 192.168.30.11 -j MASQUERADE  (your solution)

and 

iptables -I POSTROUTING -t nat -s 192.168.30.0/24 -o $INTDEV -d 192.168.30.11 -j SNAT --to 192.168.30.1 (c/o George Vieira)

are equivalent (given that 192.168.30.1 is the gateway).

Now I realize what *to masquerade* means.

Thanks a lot!

Best Regards,

Carlo
------
Carlo Florendo
Astra Philippines Inc.
URL: http://www.hq.astra.ph/resources

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: DNAT from an IP address that does not exist to another that exists
  2003-07-30  3:48 George Vieira
@ 2003-07-30  4:06 ` Carlo Florendo
  0 siblings, 0 replies; 8+ messages in thread
From: Carlo Florendo @ 2003-07-30  4:06 UTC (permalink / raw)
  To: George Vieira, netfilter

Hello George,

Thanks a lot for this!!!!!  That was fast!!!!   I tried your first post and was about to send a follow-up when you immediately sent
the modified syntax.

Everything works well now.

Thanks so much!  :-)

Best Regards,

Carlo
------
Carlo Florendo
Astra Philippines Inc.
URL: http://www.hq.astra.ph

^ permalink raw reply	[flat|nested] 8+ messages in thread

* RE: DNAT from an IP address that does not exist to another that exists
@ 2003-07-30  3:48 George Vieira
  2003-07-30  4:06 ` Carlo Florendo
  0 siblings, 1 reply; 8+ messages in thread
From: George Vieira @ 2003-07-30  3:48 UTC (permalink / raw)
  To: George Vieira, Carlo Florendo, netfilter

sorry, foot in mouth... syntax was wrong..

iptables -I PREROUTING  -t nat -s 192.168.30.0/24 -i $INTDEV -d 192.168.40.40 -j DNAT --to 192.168.30.11
iptables -I POSTROUTING -t nat -s 192.168.30.0/24 -o $INTDEV -d 192.168.30.11 -j SNAT --to 192.168.30.1

I think that's better...


Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au

Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au

Phone   : +61 2 9955 2644
HelpDesk: +61 2 9955 2698
^ permalink raw reply	[flat|nested] 8+ messages in thread

* RE: DNAT from an IP address that does not exist to another that exists
@ 2003-07-30  3:40 George Vieira
  0 siblings, 0 replies; 8+ messages in thread
From: George Vieira @ 2003-07-30  3:40 UTC (permalink / raw)
  To: Carlo Florendo, netfilter

You must 

iptables -I PREROUTING  -t nat -s 192.168.30.0/24 -i $INTDEV -d 192.168.40.40 -j DNAT --to 192.168.40.40
iptables -I POSTROUTING -t nat -s 192.168.30.0/24 -d 192.168.40.40 -j SNAT --to 192.168.30.1

so basically you're masquerading the internal users like you would if the server was outside: you replace the source IP with the masq server, so the 192.168.40.40 (192.168.30.11) machine knows it MUST send it back via the gateway and NOT DIRECT to the 192.168.30.X user...

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au

Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au

Phone   : +61 2 9955 2644
HelpDesk: +61 2 9955 2698
^ permalink raw reply	[flat|nested] 8+ messages in thread
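
The asymmetric path that Chris (2003-08-01) and George (above) describe can be traced in a small model. This is an added Python example, not code from the thread: the hosts and the one-entry NAT table are a constructed simplification of the gateway's connection tracking, the LAN client 192.168.30.5 is assumed, and the other addresses are the thread's own.

```python
# Constructed model of the "bermuda triangle" DNAT problem from this thread; not
# code from the thread. 192.168.30.5 is an assumed LAN client, the rest are the
# thread's addresses; the NAT table is a simplification of conntrack.
from dataclasses import dataclass

GATEWAY = "192.168.30.1"   # masquerading gateway
CLIENT = "192.168.30.5"    # assumed LAN user
SERVER = "192.168.30.11"   # real host behind the virtual address
VIRTUAL = "192.168.40.40"  # non-existent address users connect to
LAN = "192.168.30."

@dataclass
class Packet:
    src: str
    dst: str

def via_gateway(pkt):
    """A LAN host hands a packet to the gateway only when the destination is
    the gateway itself or off-link; other 192.168.30.x hosts are reached directly."""
    return pkt.dst == GATEWAY or not pkt.dst.startswith(LAN)

def gateway_forward(pkt, conntrack, snat):
    """PREROUTING DNAT of VIRTUAL to SERVER plus optional POSTROUTING SNAT/MASQUERADE.
    The reply tuple is recorded so the translation can be reversed later."""
    if pkt.dst != VIRTUAL:
        return pkt
    out = Packet(GATEWAY if snat else pkt.src, SERVER)
    conntrack[(out.dst, out.src)] = pkt
    return out

def gateway_reverse(pkt, conntrack):
    """Undo the translation for a reply whose request the gateway saw."""
    orig = conntrack.get((pkt.src, pkt.dst))
    return Packet(orig.dst, orig.src) if orig else pkt

def session(snat):
    """Return (reply source as seen by CLIENT, whether CLIENT accepts it)."""
    conntrack = {}
    request = Packet(CLIENT, VIRTUAL)
    forwarded = gateway_forward(request, conntrack, snat) if via_gateway(request) else request
    reply = Packet(forwarded.dst, forwarded.src)  # SERVER answers the source it saw
    if via_gateway(reply):
        reply = gateway_reverse(reply, conntrack)
    # The client only matches a reply that appears to come from 192.168.40.40.
    return reply.src, reply.src == VIRTUAL
```

`session(False)` is the DNAT-only rule from the original question: the reply comes straight from 192.168.30.11 and the client discards it. `session(True)` is the same flow with Chris's MASQUERADE or George's SNAT rule added, so the reply is forced back through the gateway and is reverse-translated to 192.168.40.40.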

* DNAT from an IP address that does not exist to another that exists
@ 2003-07-30  3:13 Carlo Florendo
  0 siblings, 0 replies; 8+ messages in thread
From: Carlo Florendo @ 2003-07-30  3:13 UTC (permalink / raw)
  To: netfilter
^ permalink raw reply	[flat|nested] 8+ messages in thread
