[Firewall] NAT forward issue

Lonnie Abelbeck lists at lonnie.abelbeck.com
Tue May 21 19:42:36 CEST 2013


Emmanuel,

The '#' trails the optional 'destination' IPv4 address.

The '~' trails the optional 'source' IPv4 address.

For example:

NAT_FORWARD_TCP="1.1.1.1#2.2.2.2~8080>10.10.10.10~80"

Forwards a packet sent to 1.1.1.1 (one of many, presumably) on your external interface, sent from 2.2.2.2 using port 8080; it is then NAT'ed to your internal host 10.10.10.10 on port 80.

Lonnie


On May 21, 2013, at 12:00 PM, Emmanuel Revah wrote:

> Lonnie,
> 
> 
> I think you are correct. \o/
> 
> 
> However, perhaps there's a bug in the comments of firewall.conf. Indeed, I tried with "~" previously, but it seems that I should have tried with the "#" as your example shows. (maybe I didn't understand the conf file comments).
> 
> 
> From firewall.conf:
> # TCP/UDP form:
> #       "{SRCIP1,SRCIP2,...~}PORT1,PORT2-PORT3,...>DESTIP1{~port} \
> #        {SRCIP3,...~}PORT3,...>DESTIP2{~port}"
> #
> # IP form:
> #       "{SRCIP1,SRCIP2,...~}PROTO1,PROTO2,...>DESTIP1 \
> #        {SRCIP3~}PROTO3,PROTO4,...>DESTIP2"
> #
> # TCP/UDP port forward examples:
> # Simple (forward port 80 to internal host 192.168.0.10):
> #       NAT_FORWARD_xxx="80>192.168.0.10 20,21>192.168.0.10"
> # Advanced (forward port 20 & 21 to 192.168.0.10 and
> #           forward from 1.2.3.4 port 81 to 192.168.0.11 port 80:
> #       NAT_FORWARD_xxx="1.2.3.4~81>192.168.0.11~80"
> 
> 
> 
> Thanks again.
> 
> 
> 
> 
> 
> 
> On 2013/05/21 18:29, Lonnie Abelbeck wrote:
>> Emmanuel,
>> Note that:
>> NAT_FORWARD_TCP="80>10.0.0.10"
>> forwards ALL external (public) IP's to your internal host 10.0.0.10.
>> If for example Public_IP_1 is 1.1.1.1, then
>> NAT_FORWARD_TCP="1.1.1.1#80>10.0.0.10"
>> will only forward Public_IP_1 to LAN_IP_1
>> I think your solution is to: (with example IP's)
>> NAT_FORWARD_TCP="1.1.1.1#80>10.0.0.10 1.1.1.2#80>10.0.0.11
>> 1.1.1.3#80>10.0.0.12"
>> Lonnie
>> On May 21, 2013, at 11:05 AM, Emmanuel Revah wrote:
>>> Hi,
>>> I have a hard to explain situation, in short I have a server that hosts virtual machines, it has arno-iptables-firewall. I just upgraded from the distro's version of it to the latest one, 2.0.1d. The host has a few forwarding rules to run services on VMs that only have LAN IPs. There are also VMs with public IPs.
>>> The problem is when a VM with a public IP wants to reach an external server using any port that has been configured on the host to be forwarded to the LAN. There's no issues for all other ports.
>>> For a hopefully clearer picture with the example using port 80:
>>> Host server [Public_IP_1 + LAN_IP_1]
>>> NAT_FORWARD_TCP  80>10.0.0.10
>>> Guest server 1 [Public_IP_2 + LAN_IP_2]
>>> - This machine can reach Public_IP_1 80 (it is redirected to 10.0.0.10) - connection hangs a bit
>>> - This machine can reach 10.0.0.10 80
>>> - This machine can NOT reach Some_Other_Public_IP_1 80, instead this is redirected to 10.0.0.10 by the host <- this is the problem
>>> - In most cases traffic appears to come from Public_IP_2 (except for LAN connection)
>>> Guest server 2 [LAN_IP_3]
>>> - This machine can reach Public_IP_1 80 (it is redirected to 10.0.0.10)
>>> - This machine can reach 10.0.0.10 80
>>> - This machine can reach Some_Other_Public_IP_1 80
>>> - In all cases traffic appears to come from Public_IP_1 (except for LAN connection)
>>> I have "Guest server 3" which only has a public IP and has the same issues as Guest 1 (except that it's not on the LAN).
>>> If anyone knows what I'm doing wrong or has any other clues, it would be greatly appreciated.
>>> --
>>> Emmanuel Revah
>>> http://manurevah.com
>>> _______________________________________________
>>> Firewall mailing list
>>> Firewall at rocky.eld.leidenuniv.nl
>>> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
>>> Arno's (Linux IPTABLES Firewall) Homepage:
>>> http://rocky.eld.leidenuniv.nl
> 
> -- 
> Emmanuel Revah
> http://manurevah.com
> 
> 
> 
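As an added illustration (not code from the list or from arno-iptables-firewall itself), the following Python parses the NAT_FORWARD_TCP rule grammar exactly as laid out in this thread and flags the rules that lack a '#' destination qualifier, which apply to every public IP the host routes and so produce the redirection Emmanuel observed. Function and field names are my own; the grammar is taken from the messages above.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Rule grammar as laid out in this thread (rules are whitespace-separated):
#   [EXTDSTIP#][SRCIP1,SRCIP2,...~]PORT1,PORT2-PORT3,...>DESTIP[~port]
# '#' trails the optional external destination IP, '~' trails the optional
# source IP list, and '>' separates the match side from the NAT target.

@dataclass
class ForwardRule:
    ports: List[str]                  # ports or ranges matched on the external side
    dest_ip: str                      # internal host the packet is NAT'ed to
    dest_port: Optional[str] = None   # optional target port after '~'
    ext_dst_ip: Optional[str] = None  # public IP before '#'; None means all public IPs
    src_ips: List[str] = field(default_factory=list)  # source IPs before '~'

def _check_port(p: str) -> None:
    # Accept a single port or a PORT-PORT range, both within 1..65535.
    lo, _, hi = p.partition("-")
    for part in (lo, hi) if hi else (lo,):
        if not part.isdigit() or not 1 <= int(part) <= 65535:
            raise ValueError(f"bad port {p!r}")

def parse_rule(rule: str) -> ForwardRule:
    left, sep, right = rule.partition(">")
    if not sep or not left or not right:
        raise ValueError(f"rule {rule!r} needs MATCH>TARGET")
    ext_dst_ip = None
    if "#" in left:                        # destination qualifier comes first
        ext_dst_ip, left = left.split("#", 1)
    src_ips: List[str] = []
    if "~" in left:                        # then the source qualifier
        srcs, left = left.split("~", 1)
        src_ips = srcs.split(",")
    ports = left.split(",")
    for p in ports:
        _check_port(p)
    dest_ip, _, dest_port = right.partition("~")
    return ForwardRule(ports, dest_ip, dest_port or None, ext_dst_ip, src_ips)

def parse_nat_forward(value: str) -> List[ForwardRule]:
    """Parse a complete NAT_FORWARD_TCP / NAT_FORWARD_UDP value."""
    return [parse_rule(r) for r in value.split()]

def rules_matching_all_public_ips(value: str) -> List[str]:
    """Rules without a '#' qualifier match that port on every public IP the
    host routes, so a guest with its own public IP reaching any server on
    that port gets redirected too (the problem described in this thread)."""
    return [r for r in value.split() if parse_rule(r).ext_dst_ip is None]
```

On a host that routes public IPs for its guests, an empty result from rules_matching_all_public_ips is the condition to aim for.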