- 02-12-2008 #1
[SOLVED] 2 way masquerading
I have a server and a PC. I want them to talk to the NAT but not know of each others existence. This is a bit like masquerading but both ways instead of only one end not knowing about the other. By using masquerading I've managed to stop the server knowing about the end user. What I need to do now is set up the NAT to translate a fake IP address into the actual IP for the server. Similar to host names in the hosts file does. Below is a description of what I'm trying to do. If it's not too clear just say.
Code:
 _______           _______           _______
|       |-------->|       |-------->|       |
|  PC   |         |  NAT  |         |  SV   |
|_______|<--------|_______|<--------|_______|
eth0: 192.168.1.2 eth0: 123.456.1.1 eth0: 123.456.1.2
                  eth1: 192.168.1.1
PC sends a request to SV:
PC sends request to 123.456.* (E.G. 123.456.789.1)
Goes out of eth0 on PC and received by eth1 on NAT
Nat translates packet's source address from 192.168.1.2 (PC eth0) to 123.456.1.1 (NAT eth0)
Nat translates packet's destination address from 123.456.789.1 (SV address according to PC) to 123.456.1.2 (Actual SV address)
PC sends packet to 123.456.1.2 (SV address)
Goes out of eth1 on NAT and received by eth0 on SV
SV responds to PC:
SV sends response to 123.456.1.1 (NAT eth0)
Goes out of eth0 on SV and received by eth0 on NAT
Nat translates packet's source address from 123.456.1.2 (SV address) to 192.168.1.1 (NAT eth1)
Nat translates packet's destination address from 123.456.1.1 (NAT eth0) to 192.168.1.2 (PC eth0)
NAT sends packet to 192.168.1.2 (PC eth0)
Linux User #453176
- 02-12-2008 #2
First, I do not think that you want to do this, but
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 123.456.1.1
iptables -t nat -A POSTROUTING -o eth1 -s 123.456.1.0/24 -j SNAT --to-source 192.168.1.1
OR
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -s 123.456.1.0/24 -j MASQUERADE
Notice that you get problems with ports, because the source addresses for all traffic to the other subnet are the same and NAT works with <src><srcport><dst><dstport> tuples.
ALSO, the BIG problem: you do not know about any servers on either network, so you have to make port forwards to make services work, so I don't recommend you to do this...
If there is only one server in the 123.456.1.0 network, just make a DNAT and SNAT:
iptables -t nat -A PREROUTING -p tcp --dport <theportyouneed on the server> -i eth1 -j DNAT --to-destination 123.456.1.2
iptables -t nat -A PREROUTING -p udp --dport <theportyouneed on the server> -i eth1 -j DNAT --to-destination 123.456.1.2
iptables -t nat -A POSTROUTING -p tcp --dport <theportyouneed on the server> -o eth0 -j SNAT --to-source 123.456.1.1
iptables -t nat -A POSTROUTING -p udp --dport <theportyouneed on the server> -o eth0 -j SNAT --to-source 123.456.1.1
iptables -t nat -A POSTROUTING -o eth1 -s 123.456.1.0/24 -j MASQUERADE
I have not tested this, but it should work, though I would not recommend this.
Anyway, just tell us what you want to achieve and I might have a better recommendation for you.
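To illustrate pikah's point about the <src><srcport><dst><dstport> tuple, here is a toy model (added here; not code from the thread, from iptables or from conntrack) of the translation table a NAT box keeps for the setup above. The addresses are the thread's constructed examples, and the port-allocation policy is a simplification of what conntrack does.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatBox:
    """Toy model of the thread's setup: DNAT of a fake IP to the real server
    plus SNAT to one NAT address, with a conntrack-style table keyed on the
    <src><srcport><dst><dstport> tuple so replies can be mapped back."""

    def __init__(self, dnat_map, snat_ip, first_free_port=1024):
        self.dnat_map = dnat_map      # fake server IP -> real server IP
        self.snat_ip = snat_ip        # address the clients are hidden behind
        self.next_port = first_free_port
        self.forward = {}             # original tuple -> translated packet
        self.reverse = {}             # reply tuple (as seen on eth0) -> original packet

    def outbound(self, pkt):
        """Client -> server direction (PREROUTING DNAT, then POSTROUTING SNAT)."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.forward:                       # existing connection
            return self.forward[key]
        real = self.dnat_map.get(pkt.dst, pkt.dst)
        nat_port = pkt.sport
        # Keep the client's source port unless another client already owns that
        # reply tuple; then pick a fresh port so replies stay distinguishable.
        while (real, pkt.dport, self.snat_ip, nat_port) in self.reverse:
            nat_port, self.next_port = self.next_port, self.next_port + 1
        out = Packet(self.snat_ip, nat_port, real, pkt.dport)
        self.forward[key] = out
        self.reverse[(real, pkt.dport, self.snat_ip, nat_port)] = pkt
        return out

    def inbound(self, reply):
        """Server -> client direction: undo both translations using the table.
        Returns None (packet dropped) when no connection matches the tuple."""
        orig = self.reverse.get((reply.src, reply.sport, reply.dst, reply.dport))
        if orig is None:
            return None
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)
```

Two clients that both use source port 40000 toward the same fake server end up with different ports on the NAT's eth0, and a reply whose tuple is not in the table is dropped rather than forwarded.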
- 02-12-2008 #3
Hi pikah and welcome to the Forums

What I'm trying to achieve is to have several end users and several servers. End users are on one side of the NAT and servers are on the other. End users are connected to the NAT's eth1 device and the servers are connected to its eth0 device.
Both sides should believe they're talking to the NAT and nothing is being forwarded beyond it.
The end users should be able to send a request to a made-up IP address (e.g. 192.168.1.5). The NAT should pick up the request on its eth1 device, then translate the IP into the IP address of the server that has been allocated that 192.168.1.* address (e.g. 123.456.1.2, so 192.168.1.5 -> 123.456.1.2). It will also change the source address to that of the NAT's eth0.
When the server responds to the NAT the response should be forwarded to the end user with the source translated to the NAT's eth1 address.
What I have been trying is the following:
iptables --table nat --append PREROUTING --destination 192.168.1.5 --jump DNAT --to-destination 123.456.1.2
...but the NAT isn't picking up requests to 192.168.1.5 as this isn't the IP of the NAT.
Linux User #453176
- 02-12-2008 #4
This is not the way routing works...
If your "made up" destination address is on the same subnet as the source machine (SM), the SM will just do an arp to find the MAC tied to the "made up" IP. If no one responds, then the SM will return "destination unreachable."
Routing requires that your "made up" address be on another subnet. But that "made up" address doesn't have to be one of the IPs assigned to the "other" NAT. IPTables can do the translation.
What needs to be set is that the "made up" IPs need to be on a different subnet, and the IPTables machine should either be the default gateway, or a static route needs to be set on each client.
(In your setup, the IPTables machine would have to bring up every "made up" IP via eth1:1, eth1:2, eth1:3, etc. in order to answer ARPs for those IPs - which you *could* do depending on your motivation.)
- 02-12-2008 #5
Thanks for your reply HROAdmin26
From this I have created the following rules to edit the source/destination addresses coming from the end user:
iptables --table nat --append PREROUTING --destination 192.16.1.1 --jump DNAT --to-destination 123.456.1.2
iptables --table nat --append POSTROUTING --source 192.168.1.2 --jump SNAT --to-source 123.456.1.1
Where:
+ 192.16.1.1 is the made up address
+ 123.456.1.2 is the server's actual IP address
+ 192.168.1.2 is the end user's IP address
+ 123.456.1.1 is the NAT's eth0 IP address
Linux User #453176
- 02-12-2008 #6
Great - let us know how it works.
I am thinking that instead of setting an explicit SNAT rule for every IP (in both directions), you may be able to use a MASQUERADE rule (one for each direction). You would still need a PREROUTING rule for each destination IP. You may also want to add state-match rules for RELATED and ESTABLISHED in the FORWARD chain.
- 02-13-2008 #7
Okay, I have managed to get it working now. There is a file called ips containing the fake IPs and their allocated server address as follows:
192.16.1.1 123.456.1.3
192.16.1.2 123.456.1.4
192.16.1.3 123.456.1.5
192.16.1.4 123.456.1.6
192.16.1.5 123.456.1.7
And the bash script to set up iptables:
Code:
#!/bin/bash
# loop through the fake IP -> server IP pairs in the "ips" file
while read fake real; do
    # forward fake IPs to servers (PREROUTING runs before the routing decision)
    iptables --table nat --append PREROUTING --destination "$fake" --jump DNAT --to-destination "$real"
    # block direct access to servers: the nat table does not allow DROP, so filter in FORWARD;
    # connections that were DNATed from a fake IP pass, anything sent straight to the real IP is dropped
    iptables --append FORWARD --destination "$real" --match conntrack --ctstate DNAT --jump ACCEPT
    iptables --append FORWARD --destination "$real" --jump DROP
done < ips
# change source address of packets going from the end users to the servers
iptables --table nat --append POSTROUTING --source 192.168.1.0/24 --jump SNAT --to-source 123.456.1.1
Thanks for all your help
Linux User #453176