
BLU Discuss list archive



[Discuss] [SPAM] Re: iptables, one-to-one NAT



Tom Metro wrote:
> To sum up, the physical structure is like:
> 
> { Internet } -- [ DSL Modem ] -- [WAN  router  LAN] -- { LAN }
> 
> While the virtual structure (due to PPPoE) is like:
>
> { Internet } -------PPPoE------- [WAN              ]
>                                  [      router     ]
>                 [ DSL Modem ] -- [eth0          LAN] -- { LAN }
>
> I tried:
> # iptables -t nat -I PREROUTING -i br0 -d 192.168.0.21 -j DNAT --to-destination 192.168.1.1
> # iptables -t nat -I POSTROUTING -s 192.168.1.1 -j SNAT --to-source 192.168.0.21
> 
> The first rule is supposed to take packets arriving on the LAN interface
> (br0) destined for the IP alias (192.168.0.21, "public IP") and rewrite
> them to go to the target device (192.168.1.1, DSL modem).
> 
> The second rule takes packets that were sent by the modem, and just
> before they leave the router, rewrite them so they appear to have come
> from the IP alias.
> 
> When I try connecting to the modem's web interface from the LAN, the
> browser just times out waiting for a reply. The packet/byte counts
> reported seem to indicate that the packets to the modem are being sent,
> but the replies are not passed back to the LAN.

If anyone cares, I determined what was going wrong. In a typical NAT
case the DNAT/SNAT pair works. In that case the DNAT rule handles the
inbound packet being port forwarded. It rewrites the destination IP to
point to some server on your LAN. That machine sees the packet being
sourced by some public IP, and due to its gateway routing rule, it knows
to send the reply back to the router, which passes it on to the WAN.

In this case the DSL modem had no knowledge of a gateway (it's factory
configured with a static IP), and thus when it saw the LAN IP as the
source address, it had no idea where to send the reply.

The fix is to rewrite the source address on packets exiting the router
heading to the modem, so the modem thinks they are coming directly from
the router. An additional SNAT rule accomplishes this:

# iptables -t nat -I POSTROUTING -d 192.168.1.1 -j SNAT --to-source 192.168.1.2

(192.168.1.2 is the router's IP on its interface attached to the modem.)


I was disappointed to see there wasn't a better mechanism for tracing a
packet as it flows through iptables. The logging mechanism it provides
requires that you add a logging rule at every step where you think the
packet might go. I gather the TRACE target should do what I want, but
the version of iptables on the router didn't support it.

 -Tom

-- 
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
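The complete rule set that the thread arrives at (the original DNAT/SNAT pair plus the extra SNAT toward the gateway-less modem), collected into one script as an added example; this is not Tom's script, only his three rules assembled with the addresses and interface names from the message. It uses -A rather than -I, which is fine here because the two POSTROUTING rules match disjoint traffic (-d modem versus -s modem). The script only prints the rules unless invoked with "apply", so it can be inspected without root. The counter and TRACE helpers are assumptions about how one would check the result: the nat table's packet counters are the diagnostic the message relies on, and the TRACE target (raw table, needs a kernel and iptables that support it, plus the matching nf_log/LOG backend loaded) is the tracing mechanism the message mentions wanting.

```shell
#!/bin/sh
# Added example: one-to-one NAT toward a DSL modem that has no default
# gateway, built from the three rules in the thread. Addresses and the
# br0 interface name are the thread's; the helper functions are assumed.
LAN_IF="br0"                   # LAN-side bridge the clients sit on
ALIAS_IP="192.168.0.21"        # LAN-side alias standing in for the modem
MODEM_IP="192.168.1.1"         # modem's factory-configured address
ROUTER_MODEM_IP="192.168.1.2"  # router's address on the modem-facing link
IPT="${IPT:-iptables}"         # override to e.g. "echo" for a dry run

# Emit the three nat-table rules, one per line, so they can be reviewed
# or piped to a shell. Conntrack reverse-translates replies to the DNATed
# connection by itself; the SNAT on -s MODEM_IP only covers connections
# the modem itself initiates, which is how the original second rule reads.
nat_rules() {
    cat <<EOF
$IPT -t nat -A PREROUTING -i $LAN_IF -d $ALIAS_IP -j DNAT --to-destination $MODEM_IP
$IPT -t nat -A POSTROUTING -d $MODEM_IP -j SNAT --to-source $ROUTER_MODEM_IP
$IPT -t nat -A POSTROUTING -s $MODEM_IP -j SNAT --to-source $ALIAS_IP
EOF
}

# Install the rules (requires root and a real iptables).
apply_rules() {
    nat_rules | sh
}

# The check used in the thread: per-rule packet/byte counters. If the
# PREROUTING DNAT counter climbs but the reply never reaches the LAN,
# the return path (modem -> router) is the part to suspect.
show_counters() {
    $IPT -t nat -vnL PREROUTING
    $IPT -t nat -vnL POSTROUTING
}

# Optional: follow one packet through every chain via the TRACE target.
# Assumed usage; only works where the kernel/iptables build supports
# TRACE and a log backend (nf_log_ipv4 or the older ipt_LOG) is loaded.
trace_alias() {
    $IPT -t raw -A PREROUTING -d "$ALIAS_IP" -j TRACE
    echo "TRACE output appears in the kernel log (dmesg / syslog)"
}

case "${1:-}" in
    apply)   apply_rules ;;
    status)  show_counters ;;
    trace)   trace_alias ;;
    *)       nat_rules ;;   # default: just print the rules
esac
```

Run it with no argument to see the exact commands it would issue, then `sh script.sh apply` on the router; `sh script.sh status` shows the counters that the thread used to localise the problem to the return path.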




BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.
