Re: DNAT and MASQUERADE

On Mon, Jan 12, 2015 at 8:50 PM, E.S. Rosenberg <esr+linux...@g.jct.ac.il> wrote:
> Alternatively you could also have local DNS / local hosts entries that point
> computerN at computer_1 when they are looking up whatever hostname is
> resolving to ext_ip.

Nice idea, but I'm not using DNS for that. Also it will cause all access to
ext_ip to go to computer1 (I may want to forward some ports to computer1 and
some to other computers).

> If they are on the same LAN all normal (sane) security policy will cause the
> drop of their packets when they are trying to reach ext_ip from inside the
> network that has ext_ip, and you need to bend over backwards to get them
> accepted..
>
> 2015-01-08 23:02 GMT+02:00 shimi <linux...@shimi.net>:
>> [...]
>> But if you create a static route on computerN towards the external IP via
>> computer1 like I suggested, then these connections will not get to linux
>> firewall at all, rather than get to computer1 (I'm assuming they're on the
>> same L2 and share IP addresses in the same IP subnet) - so rules on
>> computer1 will apply, wouldn't they? What am I missing?
>>
>> -- Shimi

___
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: DNAT and MASQUERADE

On Thu, Jan 8, 2015 at 11:02 PM, shimi <linux...@shimi.net> wrote:
> On Thu, Jan 8, 2015 at 10:43 AM, Erez D <erez0...@gmail.com> wrote:
>> [...]
>> computerN default route is the linux firewall.
>> Without any rules on linux firewall, it will forward packets from computer1
>> destined to ext_ip to NAT1, and they will not reach computer1 at all, so
>> rules on computer1 are useless.
>> Doing a DNAT on linux firewall will direct the packets to computer1;
>> however computer1 will know computerN and will reply directly without going
>> through linux firewall, and computer1 will not match the packets to the
>> original connection.
>
> But if you create a static route on computerN towards the external IP via
> computer1 like I suggested, then these connections will not get to linux
> firewall at all, rather than get to computer1 (I'm assuming they're on the
> same L2 and share IP addresses in the same IP subnet) - so rules on
> computer1 will apply, wouldn't they? What am I missing?

1. This means that I need to put static routes on computerN, which is
   computer2 .. computer99, some of which are Linux, some Windows, some
   Android, some iPhone, etc... The same thing can be achieved by adding a
   static route on linux firewall to do the same.
2. computer1 will receive packets destined to ext_ip, so they will be ignored.

> -- Shimi
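The firewall-side "DNAT and MASQ" rule set that the original question asks for, as an added example that is not from the thread and not any poster's code. It is the hairpin-NAT (NAT loopback) variant: the linux firewall rewrites LAN traffic for ext_ip:<port> to computer1 (so no client needs a static route) and then masquerades only those connections, so computer1 answers the firewall instead of the client directly and receives packets addressed to its own address rather than to ext_ip. Interface names, the subnet, the addresses and the port are assumptions chosen for illustration (the thread gives none of them); adjust them to the real site.

```sh
#!/bin/sh
# Hairpin NAT (NAT loopback) for the "linux firewall" in the thread: LAN hosts
# computer2..computer99 reach ext_ip:<port> and end up on computer1, with the
# replies forced back through the firewall so the client's TCP stack sees them
# as coming from ext_ip. Added example; not from the thread. All interface
# names, addresses and the port are ASSUMPTIONS chosen for illustration.
LAN_IF="${LAN_IF:-eth1}"               # assumption: firewall NIC facing computer1..99
WAN_IF="${WAN_IF:-eth0}"               # assumption: firewall NIC facing NAT1
LAN_NET="${LAN_NET:-192.168.10.0/24}"  # assumption: internal subnet
EXT_IP="${EXT_IP:-203.0.113.5}"        # assumption: public address held by NAT1
SVC_PORT="${SVC_PORT:-8080}"           # assumption: the forwarded port
SERVER="${SERVER:-192.168.10.50}"      # assumption: computer1's eth0 address

# Print the rule set, one complete iptables command per line, without running it.
hairpin_rules() {
    # 1. The existing port-forward for connections arriving from NAT1.
    printf '%s\n' "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $SVC_PORT -j DNAT --to-destination $SERVER:$SVC_PORT"
    # 2. Hairpin DNAT: LAN clients addressing ext_ip:port get rewritten to computer1.
    #    Matching -d and --dport exactly keeps this per port, so other ports on
    #    ext_ip can still be forwarded to other computers.
    printf '%s\n' "iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -d $EXT_IP -p tcp --dport $SVC_PORT -j DNAT --to-destination $SERVER:$SVC_PORT"
    # 3. Hairpin MASQUERADE, restricted to connections this box DNAT'd (ctstate DNAT)
    #    that go back out the LAN interface to computer1. computer1 then replies
    #    to the firewall, not straight to computerN, and conntrack reverses both
    #    translations. Ordinary LAN->computer1 traffic is not rewritten, so
    #    computer1 still sees real client addresses for it.
    printf '%s\n' "iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $SERVER -p tcp --dport $SVC_PORT -m conntrack --ctstate DNAT -j MASQUERADE"
    # 4. A default-DROP FORWARD chain would otherwise eat the hairpinned flow;
    #    note that -i and -o are the same interface here.
    printf '%s\n' "iptables -A FORWARD -i $LAN_IF -o $LAN_IF -d $SERVER -p tcp --dport $SVC_PORT -m conntrack --ctstate NEW -j ACCEPT"
    printf '%s\n' "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Check the generated set before applying it: the masquerade must be limited to
# DNAT'd connections (an unrestricted one would hide every LAN client from
# computer1's logs and ACLs), and the LAN-side DNAT must be bound to the LAN
# interface so nothing arriving from NAT1 can match it. Returns 0 if OK.
check_rules() {
    rules="$(hairpin_rules)"
    printf '%s\n' "$rules" | grep -- "-j MASQUERADE" | grep -q -- "--ctstate DNAT" || return 1
    printf '%s\n' "$rules" | grep -- "-d $EXT_IP" | grep -q -- "-i $LAN_IF" || return 1
    printf '%s\n' "$rules" | grep -q -- "-j DNAT --to-destination $SERVER:$SVC_PORT" || return 1
    return 0
}

# Apply only on request; needs root on the firewall. Default is to print.
if [ "${APPLY:-no}" = "yes" ]; then
    check_rules || { echo "refusing to apply: rule set failed sanity check" >&2; exit 1; }
    hairpin_rules | while IFS= read -r rule; do sh -c "$rule" || exit 1; done
else
    hairpin_rules
fi
```

Run it without arguments to review the rules, then with `APPLY=yes` on the firewall to install them. The caveat a practitioner should keep in mind: for the hairpinned connections computer1 sees the firewall's LAN address as the client, so any allow-list or log on computer1 keyed on client IP will see the firewall instead of computerN; the `--ctstate DNAT` and `-d $SERVER` matches keep that effect confined to this one port and leave direct LAN-to-computer1 traffic untouched. Nothing here requires assigning ext_ip to computer1, so computer1 keeps its own path to the real ext_ip via eth1.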
Re: DNAT and MASQUERADE

Alternatively you could also have local DNS / local hosts entries that point
computerN at computer_1 when they are looking up whatever hostname is
resolving to ext_ip.

If they are on the same LAN all normal (sane) security policy will cause the
drop of their packets when they are trying to reach ext_ip from inside the
network that has ext_ip, and you need to bend over backwards to get them
accepted..

2015-01-08 23:02 GMT+02:00 shimi <linux...@shimi.net>:
> [...]
> But if you create a static route on computerN towards the external IP via
> computer1 like I suggested, then these connections will not get to linux
> firewall at all, rather than get to computer1 (I'm assuming they're on the
> same L2 and share IP addresses in the same IP subnet) - so rules on
> computer1 will apply, wouldn't they? What am I missing?
>
> -- Shimi
Re: DNAT and MASQUERADE

On Wed, Jan 7, 2015 at 11:41 AM, shimi <linux...@shimi.net> wrote:
> On Wed, Jan 7, 2015 at 11:35 AM, shimi <linux...@shimi.net> wrote:
>> On Wed, Jan 7, 2015 at 10:16 AM, Erez D <erez0...@gmail.com> wrote:
>>> [...]
>> [...]
>
> And on a second read, I think I got you wrong and the purpose was to access
> computer1 port <port> (hopefully listening on 0.0.0.0) from computersN by
> using the external IP from the inside?

Yes.

> If so, did:

computerN default route is the linux firewall.
Without any rules on linux firewall, it will forward packets from computer1
destined to ext_ip to NAT1, and they will not reach computer1 at all, so
rules on computer1 are useless.
Doing a DNAT on linux firewall will direct the packets to computer1; however
computer1 will know computerN and will reply directly without going through
linux firewall, and computer1 will not match the packets to the original
connection.

> iptables -t nat -I PREROUTING -i <interface of computersN subnet> -s <subnet of computers>/<netmask> -p tcp --dport <port> -j REDIRECT --to-port <port>
>
> not work?
>
> -- Shimi
Re: DNAT and MASQUERADE

On Thu, Jan 8, 2015 at 10:43 AM, Erez D <erez0...@gmail.com> wrote:
> [...]
> computerN default route is the linux firewall.
> Without any rules on linux firewall, it will forward packets from computer1
> destined to ext_ip to NAT1, and they will not reach computer1 at all, so
> rules on computer1 are useless.
> Doing a DNAT on linux firewall will direct the packets to computer1; however
> computer1 will know computerN and will reply directly without going through
> linux firewall, and computer1 will not match the packets to the original
> connection.

But if you create a static route on computerN towards the external IP via
computer1 like I suggested, then these connections will not get to linux
firewall at all, rather than get to computer1 (I'm assuming they're on the
same L2 and share IP addresses in the same IP subnet) - so rules on computer1
will apply, wouldn't they? What am I missing?

-- Shimi
Re: DNAT and MASQUERADE

On Wed, Jan 7, 2015 at 11:35 AM, shimi <linux...@shimi.net> wrote:
> On Wed, Jan 7, 2015 at 10:16 AM, Erez D <erez0...@gmail.com> wrote:
>> [...]
>
> If computer1 can access ext_ip:<port>, all you need is to allow ip_forward
> (/etc/sysctl.conf for permanent, and echo 1 > /proc/sys/net/ipv4/ip_forward)
> on computer1, and have all other computers have a static route to ext_ip via
> computer1. Then, in computer1,
>
> iptables -t nat -I POSTROUTING -o <interface going towards ext_ip> [ -i <interface subnet of computers come from> ] -s <subnet of computers>/<netmask> -p tcp --dport <port> -j MASQUERADE
>
> should do... (of course, assuming the iptables FORWARD chain is not dropping
> those packets; otherwise you'd need an ACCEPT rule there, too...)
>
> HTH,
> -- Shimi

And on a second read, I think I got you wrong and the purpose was to access
computer1 port <port> (hopefully listening on 0.0.0.0) from computersN by
using the external IP from the inside? If so, did:

iptables -t nat -I PREROUTING -i <interface of computersN subnet> -s <subnet of computers>/<netmask> -p tcp --dport <port> -j REDIRECT --to-port <port>

not work?

-- Shimi
Re: DNAT and MASQUERADE

On Wed, Jan 7, 2015 at 10:16 AM, Erez D <erez0...@gmail.com> wrote:
> Hello. I have an iptables question.
> I have the following:
>
>   ext_ip -> NAT1 -> linux firewall -> network -> computer1:eth0 .. computer99
>
> I have no control over NAT1.
> computer1 also can reach the internet via eth1.
> linux firewall redirects incoming port from ext_ip to computer1.
> However I need computer2 .. computer99 to connect to ext_ip:<port> and also
> reach computer1.
> So first I did a NAT rule in linux firewall to redirect all packets from
> internal to ext_ip:<port> to computer1, and did an 'ifconfig eth0:1 $ext_ip
> up' on computer1. This works. However it causes computer1 not to be able to
> access the real ext_ip via eth1, which is connected to the internet as well.
> So I thought of both doing DNAT and MASQ, which will do the same but will not
> require assigning ext_ip to computer1. However I do not know how to do that.

If computer1 can access ext_ip:<port>, all you need is to allow ip_forward
(/etc/sysctl.conf for permanent, and echo 1 > /proc/sys/net/ipv4/ip_forward)
on computer1, and have all other computers have a static route to ext_ip via
computer1. Then, in computer1,

iptables -t nat -I POSTROUTING -o <interface going towards ext_ip> [ -i <interface subnet of computers come from> ] -s <subnet of computers>/<netmask> -p tcp --dport <port> -j MASQUERADE

should do... (of course, assuming the iptables FORWARD chain is not dropping
those packets; otherwise you'd need an ACCEPT rule there, too...)

HTH,
-- Shimi