[Firewall] NAT forward issue

Emmanuel Revah stsil at manurevah.com
Tue May 21 19:00:30 CEST 2013


Lonnie,


I think you are correct. \o/


However, perhaps there's a bug in the comments of firewall.conf. Indeed, 
I tried with "~" previously, but it seems that I should have tried with 
the "#" as your example shows. (maybe I didn't understand the conf file 
comments).


From firewall.conf:
# TCP/UDP form:
#       "{SRCIP1,SRCIP2,...~}PORT1,PORT2-PORT3,...>DESTIP1{~port} \
#        {SRCIP3,...~}PORT3,...>DESTIP2{~port}"
#
# IP form:
#       "{SRCIP1,SRCIP2,...~}PROTO1,PROTO2,...>DESTIP1 \
#        {SRCIP3~}PROTO3,PROTO4,...>DESTIP2"
#
# TCP/UDP port forward examples:
# Simple (forward port 80 to internal host 192.168.0.10):
#       NAT_FORWARD_xxx="80>192.168.0.10 20,21>192.168.0.10"
# Advanced (forward port 20 & 21 to 192.168.0.10 and
#           forward from 1.2.3.4 port 81 to 192.168.0.11 port 80:
#       NAT_FORWARD_xxx="1.2.3.4~81>192.168.0.11~80"



Thanks again.






On 2013/05/21 18:29, Lonnie Abelbeck wrote:
> Emmanuel,
> 
> Note that:
> 
> NAT_FORWARD_TCP ="80>10.0.0.10"
> 
> forwards ALL external (public) IP's to your internal host 10.0.0.10.
> 
> If for example Public_IP_1 is 1.1.1.1, then
> 
> NAT_FORWARD_TCP ="1.1.1.1#80>10.0.0.10"
> 
> will only forward Public_IP_1 to LAN_IP_1
> 
> I think your solution is to: (with example IP's)
> 
> NAT_FORWARD_TCP ="1.1.1.1#80>10.0.0.10 1.1.1.2#80>10.0.0.11
> 1.1.1.3#80>10.0.0.12"
> 
> Lonnie
> 
> 
> 
> On May 21, 2013, at 11:05 AM, Emmanuel Revah wrote:
> 
>> Hi,
>> 
>> 
>> I have a hard to explain situation, in short I have a server that 
>> hosts virtual machines, it has arno-iptables-firewall. I just upgraded 
>> from the distro's version of it to the latest one, 2.0.1d. The host 
>> has a few forwarding rules to run services on VMs that only have LAN 
>> IPs. There are also VMs with public IPs.
>> 
>> The problem is when a VM with a public IP wants to reach an external 
>> server using any port that has been configured on the host to be 
>> forwarded to the LAN. There's no issues for all other ports.
>> 
>> 
>> For a hopefully clearer picture with the example using port 80:
>> 
>> 
>> Host server [Public_IP_1 + LAN_IP_1]
>> NAT_FORWARD_TCP  80>10.0.0.10
>> 
>> 
>> 
>> Guest server 1 [Public_IP_2 + LAN_IP_2]
>> - This machine can reach Public_IP_1 80 (it is redirected to 
>> 10.0.0.10) - connection hangs a bit
>> - This machine can reach 10.0.0.10 80
>> - This machine can NOT reach Some_Other_Public_IP_1 80, instead this 
>> is redirected to 10.0.0.10 by the host <- this is the problem
>> - In most cases traffic appears to come from Public_IP_2 (except for 
>> LAN connection)
>> 
>> 
>> 
>> Guest server 2 [LAN_IP_3]
>> - This machine can reach Public_IP_1 80 (it is redirected to 
>> 10.0.0.10)
>> - This machine can reach 10.0.0.10 80
>> - This machine can reach Some_Other_Public_IP_1 80
>> - In all cases traffic appears to come from Public_IP_1 (except for 
>> LAN connection)
>> 
>> 
>> I have "Guest server 3" which only has a public IP and has the same 
>> issues as Guest 1 (except that it's not on the LAN).
>> 
>> 
>> 
>> If anyone knows what I'm doing wrong or any other clues it would be 
>> greatly appreciated.
>> 
>> 
>> 
>> 
>> 
>> --
>> Emmanuel Revah
>> http://manurevah.com
>> 
>> _______________________________________________
>> Firewall mailing list
>> Firewall at rocky.eld.leidenuniv.nl
>> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
>> Arno's (Linux IPTABLES Firewall) Homepage:
>> http://rocky.eld.leidenuniv.nl
>> 
>> 
> 

-- 
Emmanuel Revah
http://manurevah.com
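As an added illustration of the NAT_FORWARD syntax quoted above from firewall.conf and of the wildcard-versus-qualified distinction Lonnie explains (constructed example code, not arno-iptables-firewall's own parser): it reads NAT_FORWARD entries, accepting both the documented "~" and the "#" that worked in practice, and reports where a packet with a given original destination would be redirected. It assumes, as Lonnie states, that an entry with no leading IP list applies to every external IP.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed parser for the NAT_FORWARD_xxx syntax quoted from firewall.conf in this
# thread (not arno-iptables-firewall's own code). Assumptions: "~" (as documented) and
# "#" (as in Lonnie's working example) are both accepted as the IP/port separator, and
# an entry with no leading IP list matches every external IP, as Lonnie describes.

@dataclass
class ForwardRule:
    public_ips: List[str]          # external IPs the rule applies to; [] = all of them
    ports: List[Tuple[int, int]]   # inclusive (low, high) port ranges
    dest_ip: str                   # internal host receiving the traffic
    dest_port: Optional[int]       # None = keep the original destination port

def parse_ports(spec: str) -> List[Tuple[int, int]]:
    """'80' -> [(80, 80)]; '20,21' -> [(20, 20), (21, 21)]; '20-21' -> [(20, 21)]."""
    ranges = []
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges

def parse_nat_forward(value: str) -> List[ForwardRule]:
    """Parse the space-separated entries of a NAT_FORWARD_TCP/UDP value."""
    rules = []
    for entry in value.split():
        lhs, _, dest = entry.partition(">")
        m = re.fullmatch(r"(?:(?P<ips>[^~#]+)[~#])?(?P<ports>[\d,-]+)", lhs)
        d = re.fullmatch(r"(?P<ip>[^~#]+)(?:[~#](?P<port>\d+))?", dest)
        if not (m and d):
            raise ValueError(f"cannot parse NAT_FORWARD entry: {entry!r}")
        ips = m.group("ips").split(",") if m.group("ips") else []
        port = int(d.group("port")) if d.group("port") else None
        rules.append(ForwardRule(ips, parse_ports(m.group("ports")), d.group("ip"), port))
    return rules

def dnat_target(rules: List[ForwardRule], dst_ip: str, dport: int) -> Optional[Tuple[str, int]]:
    """Where a packet with this original destination would be DNATed, or None if left
    alone. A wildcard rule also rewrites traffic that merely passes through the host,
    which is the behaviour the original post describes for the public-IP guests."""
    for r in rules:
        if r.public_ips and dst_ip not in r.public_ips:
            continue
        if any(lo <= dport <= hi for lo, hi in r.ports):
            return (r.dest_ip, dport if r.dest_port is None else r.dest_port)
    return None
```

Feeding it "80>10.0.0.10" shows a guest's connection to any outside host on port 80 being rewritten to 10.0.0.10, while the per-IP form only rewrites traffic addressed to the listed public IPs.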
