[Firewall] NAT forward issue

Emmanuel Revah stsil at manurevah.com
Tue May 21 20:23:13 CEST 2013


Thanks for clarifying that, obviously this stuff blows my mind.
: ]



On 2013/05/21 19:42, Lonnie Abelbeck wrote:
> Emmanuel,
> 
> The '#' trails the optional 'destination' IPv4 address.
> 
> The '~' trails the optional 'source' IPv4 address.
> 
> For example:
> 
> NAT_FORWARD_TCP="1.1.1.1#2.2.2.2~8080>10.10.10.10~80"
> 
> Forwards a packet sent to 1.1.1.1 (of many presumably) on your
> external interface, sent from 2.2.2.2 using port 8080, then is NAT'ed
> to your internal host 10.10.10.10 on port 80.
> 
> Lonnie
> 
> 
> On May 21, 2013, at 12:00 PM, Emmanuel Revah wrote:
> 
>> Lonnie,
>> 
>> 
>> I think you are correct. \o/
>> 
>> 
>> However, perhaps there's a bug in the comments of firewall.conf. 
>> Indeed, I tried with "~" previously, but it seems that I should have 
>> tried with the "#" as your example shows. (maybe I didn't understand 
>> the conf file comments).
>> 
>> 
>> From firewall.conf:
>> # TCP/UDP form:
>> #       "{SRCIP1,SRCIP2,...~}PORT1,PORT2-PORT3,...>DESTIP1{~port} \
>> #        {SRCIP3,...~}PORT3,...>DESTIP2{~port}"
>> #
>> # IP form:
>> #       "{SRCIP1,SRCIP2,...~}PROTO1,PROTO2,...>DESTIP1 \
>> #        {SRCIP3~}PROTO3,PROTO4,...>DESTIP2"
>> #
>> # TCP/UDP port forward examples:
>> # Simple (forward port 80 to internal host 192.168.0.10):
>> #       NAT_FORWARD_xxx="80>192.168.0.10 20,21>192.168.0.10"
>> # Advanced (forward port 20 & 21 to 192.168.0.10 and
>> #           forward from 1.2.3.4 port 81 to 192.168.0.11 port 80:
>> #       NAT_FORWARD_xxx="1.2.3.4~81>192.168.0.11~80"
>> 
>> 
>> 
>> Thanks again.
>> 
>> 
>> 
>> 
>> 
>> 
>> On 2013/05/21 18:29, Lonnie Abelbeck wrote:
>>> Emmanuel,
>>> Note that:
>>> NAT_FORWARD_TCP="80>10.0.0.10"
>>> forwards ALL external (public) IP's to your internal host 10.0.0.10.
>>> If for example Public_IP_1 is 1.1.1.1, then
>>> NAT_FORWARD_TCP="1.1.1.1#80>10.0.0.10"
>>> will only forward Public_IP_1 to LAN_IP_1
>>> I think your solution is to: (with example IP's)
>>> NAT_FORWARD_TCP="1.1.1.1#80>10.0.0.10 1.1.1.2#80>10.0.0.11 1.1.1.3#80>10.0.0.12"
>>> Lonnie
>>> On May 21, 2013, at 11:05 AM, Emmanuel Revah wrote:
>>>> Hi,
>>>> I have a hard to explain situation, in short I have a server that 
>>>> hosts virtual machines, it has arno-iptables-firewall. I just 
>>>> upgraded from the distro's version of it to the latest one, 2.0.1d. 
>>>> The host has a few forwarding rules to run services on VMs that only 
>>>> have LAN IPs. There are also VMs with public IPs.
>>>> The problem is when a VM with a public IP wants to reach an external 
>>>> server using any port that has been configured on the host to be 
>>>> forwarded to the LAN. There's no issues for all other ports.
>>>> For a hopefully clearer picture with the example using port 80:
>>>> Host server [Public_IP_1 + LAN_IP_1]
>>>> NAT_FORWARD_TCP  80>10.0.0.10
>>>> Guest server 1 [Public_IP_2 + LAN_IP_2]
>>>> - This machine can reach Public_IP_1 80 (it is redirected to 
>>>> 10.0.0.10) - connection hangs a bit
>>>> - This machine can reach 10.0.0.10 80
>>>> - This machine can NOT reach Some_Other_Public_IP_1 80, instead this 
>>>> is redirected to 10.0.0.10 by the host <- this is the problem
>>>> - In most cases traffic appears to come from Public_IP_2 (except for 
>>>> LAN connection)
>>>> Guest server 2 [LAN_IP_3]
>>>> - This machine can reach Public_IP_1 80 (it is redirected to 
>>>> 10.0.0.10)
>>>> - This machine can reach 10.0.0.10 80
>>>> - This machine can reach Some_Other_Public_IP_1 80
>>>> - In all cases traffic appears to come from Public_IP_1 (except for 
>>>> LAN connection)
>>>> I have "Guest server 3" which only has a public IP and has the same 
>>>> issues as Guest 1 (except that it's not on the LAN).
>>>> If anyone knows what I'm doing wrong or has any other clues it would 
>>>> be greatly appreciated.
>>>> --
>>>> Emmanuel Revah
>>>> http://manurevah.com
>>>> _______________________________________________
>>>> Firewall mailing list
>>>> Firewall at rocky.eld.leidenuniv.nl
>>>> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
>>>> Arno's (Linux IPTABLES Firewall) Homepage:
>>>> http://rocky.eld.leidenuniv.nl
>> 
>> --
>> Emmanuel Revah
>> http://manurevah.com
>> 
>> 
>> 
> 

-- 
Emmanuel Revah
http://manurevah.com
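The spec syntax worked out in this thread, as an added example that is not part of the original posts and not code from arno-iptables-firewall: a small POSIX sh renderer and matcher for `[DSTIP#][SRCIP,...~]PORTS>DESTIP[~port]`. It prints the iptables DNAT rules such a spec implies (it does not run them) and answers the question from the original post, "which internal host would this packet be DNAT'ed to?", for a packet from a public-IP guest to an unrelated public host. The iptables command lines are my rendering of the semantics described above, not the project's generated rules; `EXT_IF` is an assumed interface name, and all addresses in the demo are constructed (198.51.100.7 stands in for "Some_Other_Public_IP_1").

```sh
#!/bin/sh
# Added example, not code from arno-iptables-firewall or from the thread:
# a renderer and matcher for the NAT_FORWARD_TCP/UDP spec syntax
#   [DSTIP#][SRCIP,...~]PORT,PORT-PORT,...>DESTIP[~port]
# The iptables command lines below are my rendering of the semantics the
# thread describes, not the project's generated rules; EXT_IF is an assumed
# interface name. All addresses used in the demo are constructed.

EXT_IF=${EXT_IF:-eth0}

# parse_spec SPEC -> sets DST SRC PORTS TARGET TPORT (empty when absent)
parse_spec() {
  lhs=${1%%">"*}; rhs=${1#*">"}
  DST=""; SRC=""; TPORT=""
  case $lhs in *"#"*) DST=${lhs%%"#"*}; lhs=${lhs#*"#"};; esac   # '#' trails the destination IP
  case $lhs in *"~"*) SRC=${lhs%%"~"*}; lhs=${lhs#*"~"};; esac   # '~' trails the source IP list
  PORTS=$lhs
  case $rhs in *"~"*) TARGET=${rhs%%"~"*}; TPORT=${rhs#*"~"};; *) TARGET=$rhs;; esac
}

# port_in_list PORT "80,20-21,8000-8080" -> 0 if PORT is listed (ranges use '-')
port_in_list() {
  for p in $(printf '%s' "$2" | tr ',' ' '); do
    case $p in
      *-*) lo=${p%-*}; hi=${p#*-}
           if [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ]; then return 0; fi ;;
      *)   if [ "$1" -eq "$p" ]; then return 0; fi ;;
    esac
  done
  return 1
}

# ip_in_list IP "1.2.3.4,5.6.7.8" -> 0 on exact match (no CIDR handling here)
ip_in_list() {
  for a in $(printf '%s' "$2" | tr ',' ' '); do
    if [ "$1" = "$a" ]; then return 0; fi
  done
  return 1
}

# render_rules PROTO "SPEC SPEC ..." -> prints one iptables DNAT rule per
# (spec, source) pair. Without a DSTIP# prefix the rule carries no '-d',
# so it matches the listed ports on EVERY destination address seen on EXT_IF.
render_rules() {
  proto=$1
  for spec in $2; do
    parse_spec "$spec"
    ports=$(printf '%s' "$PORTS" | tr '-' ':')      # multiport writes ranges as lo:hi
    for s in $(printf '%s' "${SRC:-any}" | tr ',' ' '); do
      rule="iptables -t nat -A PREROUTING -i $EXT_IF -p $proto"
      if [ -n "$DST" ]; then rule="$rule -d $DST"; fi
      if [ "$s" != any ]; then rule="$rule -s $s"; fi
      rule="$rule -m multiport --dports $ports -j DNAT --to-destination $TARGET${TPORT:+:$TPORT}"
      echo "$rule"
    done
  done
}

# dnat_target "SPEC SPEC ..." DSTIP DPORT [SRCIP] -> prints TARGET:PORT for the
# first spec that would DNAT such a packet, or "none".
dnat_target() {
  specs=$1; dip=$2; dport=$3; sip=${4:-0.0.0.0}
  for spec in $specs; do
    parse_spec "$spec"
    if [ -n "$DST" ] && [ "$DST" != "$dip" ]; then continue; fi
    if [ -n "$SRC" ] && ! ip_in_list "$sip" "$SRC"; then continue; fi
    if port_in_list "$dport" "$PORTS"; then
      echo "$TARGET:${TPORT:-$dport}"
      return 0
    fi
  done
  echo none
  return 0
}

# Demo: the forms from the thread, then a packet from a public-IP guest to an
# unrelated public host (198.51.100.7 stands in for "Some_Other_Public_IP_1").
render_rules tcp "80>10.0.0.10"
render_rules tcp "1.1.1.1#80>10.0.0.10 1.1.1.2#80>10.0.0.11"
render_rules tcp "1.1.1.1#2.2.2.2~8080>10.10.10.10~80"
dnat_target "80>10.0.0.10" 198.51.100.7 80           # 10.0.0.10:80  (transit traffic hijacked)
dnat_target "1.1.1.1#80>10.0.0.10" 198.51.100.7 80   # none
```

On a live host the same check is `iptables -t nat -S PREROUTING | grep DNAT`: a DNAT rule that carries `--dport 80` (or `--dports`) but no `-d` is the unrestricted form, and it will rewrite any port-80 packet that enters on the external interface, including traffic that is merely transiting the host from a guest with its own public address.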