[Firewall] NAT forward issue

Lonnie Abelbeck lists at lonnie.abelbeck.com
Tue May 21 18:29:00 CEST 2013


Emmanuel,

Note that:

NAT_FORWARD_TCP="80>10.0.0.10"

forwards ALL external (public) IP's to your internal host 10.0.0.10.

If for example Public_IP_1 is 1.1.1.1, then

NAT_FORWARD_TCP="1.1.1.1#80>10.0.0.10"

will only forward Public_IP_1 to LAN_IP_1

I think your solution is to: (with example IP's)

NAT_FORWARD_TCP="1.1.1.1#80>10.0.0.10 1.1.1.2#80>10.0.0.11 1.1.1.3#80>10.0.0.12"

Lonnie



On May 21, 2013, at 11:05 AM, Emmanuel Revah wrote:

> Hi,
> 
> 
> I have a hard to explain situation, in short I have a server that hosts virtual machines, it has arno-iptables-firewall. I just upgraded from the distro's version of it to the latest one, 2.0.1d. The host has a few forwarding rules to run services on VMs that only have LAN IPs. There are also VMs with public IPs.
> 
> The problem is when a VM with a public IP wants to reach an external server using any port that has been configured on the host to be forwarded to the LAN. There's no issues for all other ports.
> 
> 
> For a hopefully clearer picture with the example using port 80:
> 
> 
> Host server [Public_IP_1 + LAN_IP_1]
> NAT_FORWARD_TCP  80>10.0.0.10
> 
> 
> 
> Guest server 1 [Public_IP_2 + LAN_IP_2]
> - This machine can reach Public_IP_1 80 (it is redirected to 10.0.0.10) - connection hangs a bit
> - This machine can reach 10.0.0.10 80
> - This machine can NOT reach Some_Other_Public_IP_1 80, instead this is redirected to 10.0.0.10 by the host <- this is the problem
> - In most cases traffic appears to come from Public_IP_2 (except for LAN connection)
> 
> 
> 
> Guest server 2 [LAN_IP_3]
> - This machine can reach Public_IP_1 80 (it is redirected to 10.0.0.10)
> - This machine can reach 10.0.0.10 80
> - This machine can reach Some_Other_Public_IP_1 80
> - In all cases traffic appears to come from Public_IP_1 (except for LAN connection)
> 
> 
> I have "Guest server 3" which only has a public IP and has the same issues as Guest 1 (except that it's not on the LAN).
> 
> 
> 
> If anyone knows what I may be doing wrong or any other clues it would be greatly appreciated.
> 
> 
> 
> 
> 
> -- 
> Emmanuel Revah
> http://manurevah.com
> 
> _______________________________________________
> Firewall mailing list
> Firewall at rocky.eld.leidenuniv.nl
> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl
> 
> 
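An added example (not code from arno-iptables-firewall or from either poster) that makes Lonnie's point concrete: it parses NAT_FORWARD_TCP entries in the "[EXT_IP#]PORT>INT_IP[:INT_PORT]" shape used above, prints the nat PREROUTING rule each entry amounts to, and simulates which packets each rule set would DNAT. An entry with no EXT_IP yields a rule with no "-d" match, so any packet to that port that traverses the host's nat PREROUTING chain is rewritten, including a guest's connection to some other public host; adding "EXT_IP#" restricts the rewrite to the host's own address. The exact rule shape arno emits (the "-i eth0" match, the EXT_IF name) and the address 93.184.216.34 standing in for Some_Other_Public_IP_1 are assumptions; the 1.1.1.x and 10.0.0.x addresses are the thread's own.

```shell
#!/bin/sh
# Added example, not arno-iptables-firewall's own code. Illustrates the difference
# between "PORT>INT_IP" and "EXT_IP#PORT>INT_IP" entries in NAT_FORWARD_TCP.
# ASSUMPTION: the generated rule shape below approximates arno's; EXT_IF is a stand-in.

EXT_IF="${EXT_IF:-eth0}"

# parse_entry ENTRY -> prints "ext_ip port int_ip int_port" ("-" when no ext_ip given)
parse_entry() {
    entry="$1"
    case "$entry" in
        *'#'*) ext_ip="${entry%%#*}"; rest="${entry#*#}" ;;
        *)     ext_ip="-";            rest="$entry" ;;
    esac
    case "$rest" in
        *'>'*) ;;
        *) echo "parse_entry: missing '>' in '$entry'" >&2; return 1 ;;
    esac
    port="${rest%%>*}"
    target="${rest#*>}"
    case "$target" in
        *:*) int_ip="${target%%:*}"; int_port="${target#*:}" ;;
        *)   int_ip="$target";       int_port="$port" ;;      # same port on the inside
    esac
    echo "$ext_ip $port $int_ip $int_port"
}

# nat_forward_rules "ENTRY ENTRY ..." -> prints one iptables command per entry.
# Without an EXT_IP there is no "-d" match: the rule catches every packet to that
# port passing through this host's PREROUTING chain, whatever its original destination.
nat_forward_rules() {
    entries="$1"
    for entry in $entries; do
        set -- $(parse_entry "$entry")
        [ $# -eq 4 ] || continue
        ext_ip=$1; port=$2; int_ip=$3; int_port=$4
        dst_match=""
        [ "$ext_ip" = "-" ] || dst_match=" -d $ext_ip"
        echo "iptables -t nat -A PREROUTING -i $EXT_IF${dst_match} -p tcp --dport $port -j DNAT --to-destination $int_ip:$int_port"
    done
}

# dnat_target "ENTRY ENTRY ..." DST_IP DST_PORT -> prints "int_ip:int_port" or "none".
# First matching entry wins, as DNAT is a terminating target in iptables.
dnat_target() {
    entries="$1"; pkt_dst="$2"; pkt_port="$3"
    for entry in $entries; do
        set -- $(parse_entry "$entry")
        [ $# -eq 4 ] || continue
        ext_ip=$1; port=$2; int_ip=$3; int_port=$4
        [ "$port" = "$pkt_port" ] || continue
        [ "$ext_ip" = "-" ] || [ "$ext_ip" = "$pkt_dst" ] || continue
        echo "$int_ip:$int_port"
        return 0
    done
    echo "none"
}

# Emmanuel's original entry versus Lonnie's per-address entries (addresses from the thread).
BARE='80>10.0.0.10'
PER_IP='1.1.1.1#80>10.0.0.10 1.1.1.2#80>10.0.0.11 1.1.1.3#80>10.0.0.12'

echo "== rules for NAT_FORWARD_TCP=\"$BARE\""
nat_forward_rules "$BARE"
echo "== rules for NAT_FORWARD_TCP=\"$PER_IP\""
nat_forward_rules "$PER_IP"

# A guest with its own public IP opening port 80 on Some_Other_Public_IP_1
# (93.184.216.34 is a constructed stand-in), with the packet traversing the host's nat table:
echo "bare entry:   guest -> 93.184.216.34:80 is DNATed to $(dnat_target "$BARE" 93.184.216.34 80)"
echo "per-IP entry: guest -> 93.184.216.34:80 is DNATed to $(dnat_target "$PER_IP" 93.184.216.34 80)"
echo "per-IP entry: client -> 1.1.1.2:80 is DNATed to $(dnat_target "$PER_IP" 1.1.1.2 80)"
```

Run it with sh and compare the two "== rules" blocks: only the per-IP form carries a "-d" match. On the real host, "iptables -t nat -L PREROUTING -n -v" is the check that the installed DNAT rules show a destination other than 0.0.0.0/0.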
