[SOLVED] 2 way masquerading

#1 Kieren (Linux Engineer)

    I have a server and a PC. I want them to talk to the NAT but not know of each other's existence. This is a bit like masquerading but both ways, instead of only one end not knowing about the other. By using masquerading I've managed to stop the server knowing about the end user. What I need to do now is set up the NAT to translate a fake IP address into the actual IP for the server, similar to what host names in the hosts file do. Below is a description of what I'm trying to do. If it's not too clear just say.

    Code:
     _______                 _______                 _______
    |       |-------------->|       |-------------->|       |
    |  PC   |               |  NAT  |               |  SV   |
    |_______|<--------------|_______|<--------------|_______|
    eth0: 192.168.1.2       eth0: 123.456.1.1       eth0: 123.456.1.2
                            eth1: 192.168.1.1
    PC sends a request to SV:

    PC sends request to 123.456.* (E.G. 123.456.789.1)
    Goes out of eth0 on PC and received by eth1 on NAT
    Nat translates packet's source address from 192.168.1.2 (PC eth0) to 123.456.1.1 (NAT eth0)
    Nat translates packet's destination address from 123.456.789.1 (SV address according to PC) to 123.456.1.2 (Actual SV address)
    PC sends packet to 123.456.1.2 (SV address)
    Goes out of eth1 on NAT and received by eth0 on SV

    SV responds to PC:

    SV sends response to 123.456.1.1 (NAT eth0)
    Goes out of eth0 on SV and received by eth0 on NAT
    Nat translates packet's source address from 123.456.1.2 (SV address) to 192.168.1.1 (NAT eth1)
    Nat translates packet's destination address from 123.456.1.1 (NAT eth0) to 192.168.1.2 (PC eth0)
    NAT sends packet to 192.168.1.2 (PC eth0)

#2 pikah (Just Joined!)
    First, I do not think that you want to do this, but

    iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 123.456.1.1
    iptables -t nat -A POSTROUTING -o eth1 -s 123.456.1.0/24 -j SNAT --to-source 192.168.1.1
    OR
    iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
    iptables -t nat -A POSTROUTING -o eth1 -s 123.456.1.0/24 -j MASQUERADE

    Notice that you get problems with ports because the source addresses for all traffic to the other subnet are the same and NAT works with <src><srcport><dst><dstport> tuples.
    ALSO, the BIG problem: you do not know about any servers on both networks, so you have to make port forwards to make services work, so I don't recommend you to do this.


    If there is only one server in 123.456.1.0 network just make a DNAT and SNAT ....

    iptables -t nat -A PREROUTING -p tcp --dport <theportyouneed on the server> -i eth1 -j DNAT --to-destination 123.456.1.2
    iptables -t nat -A POSTROUTING -p tcp --dport <theportyouneed on the server> -o eth0 -j SNAT --to-source 123.456.1.1
    iptables -t nat -A POSTROUTING -o eth1 -s 123.456.1.0/24 -j MASQUERADE
    # repeat the first two rules with -p udp if the service also uses UDP; iptables does not accept "tcp/udp" as a single protocol


    I have not tested this, but it should work.. though I would not recommend this..

    Anyway.. Just tell us what you want to achieve and I might have a better recommendation for you....

#3 Kieren (Linux Engineer)
    Hi pikah and welcome to the Forums

    What I'm trying to achieve is to have several end users and several servers. End users are on one side of the NAT and servers are on the other. End users are connected to the NAT's eth1 device and the servers are connected to its eth0 device.

    Both sides should believe they're talking to the NAT and nothing is being forwarded beyond it.

    The end users should be able to send a request to a made up IP address (E.G. 192.168.1.5). The NAT should pick up the request on its eth1 device, then translate the IP into the IP address of a server that has been allocated that 192.168.1.* address (E.G. 123.456.1.2, so 192.168.1.5->123.456.1.2). It will also change the source address to that of the NAT's eth0.

    When the server responds to the NAT the response should be forwarded to the end user with the source translated to the NAT's eth1 address.

    What I have been trying is the following:

    iptables --table nat --append PREROUTING --destination 192.168.1.5 --jump DNAT --to-destination 123.456.1.2

    ...but the NAT isn't picking up requests to 192.168.1.5 as this isn't the IP of the NAT

#4 HROAdmin26 (Linux Guru)
    This is not the way routing works...

    If your "made up" destination address is on the same subnet as the source machine (SM), the SM will just do an arp to find the MAC tied to the "made up" IP. If no one responds, then the SM will return "destination unreachable."

    Routing requires that your "made up" address be on another subnet. But that "made up" address doesn't have to be the IP's assigned to the "other" NAT. IPTables can do the translation.

    What needs to be set is that the "made up" IP's need to be a different subnet and the IPTables machine should either be the default gateway, or a static route needs to be set on each client.

    (In your setup, the IPTables machines would have to bring up every "made up" IP via eth1:1, eth1:2, eth1:3, etc. in order to provide arp's for those IP's - which you *could* do depending on your motivation.)
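
The subnet test HROAdmin26 describes, written out as an added example (it is not part of the thread and not anyone's posted code): from the client's address and prefix it decides whether a given "made up" address would be ARPed for locally (and go unanswered) or handed to the gateway, and prints the one command that makes the address reach the NAT box in each case, either a static route on the client or an alias on the NAT box so it answers the ARP. Pure shell arithmetic, no network access. Assumed layout, taken from the thread: client 192.168.1.2/24, the NAT's client-side address 192.168.1.1 on eth1; the function names are mine.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Decides whether a client will ARP for a
# "made up" address on its own segment (same subnet: no router is consulted and
# the request dies) or send it to its gateway, and prints the command that makes
# the address reachable either way. Assumed layout from the thread: client
# 192.168.1.2/24, NAT's client-side address 192.168.1.1 on eth1.

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
    local a b c d
    IFS=. read -r a b c d <<<"$1"
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# prefix2mask N -> integer netmask for a /N prefix
prefix2mask() {
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# same_subnet CLIENT_IP PREFIX TARGET_IP -> "local" if the client would ARP for
# TARGET_IP directly, "routed" if it would send the packet to its gateway
same_subnet() {
    local mask
    mask=$(prefix2mask "$2")
    if [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$3") & mask )) ]; then
        echo local
    else
        echo routed
    fi
}

# plan_fake_ip CLIENT_IP PREFIX FAKE_IP GATEWAY NAT_IF -> the command that makes
# FAKE_IP reach the NAT box: a static route on the client when the fake address
# lies on another subnet, or an alias on the NAT box (so it answers the client's
# ARP request) when the fake address was chosen inside the client's own subnet
plan_fake_ip() {
    case "$(same_subnet "$1" "$2" "$3")" in
        routed) echo "on the client: ip route add $3/32 via $4" ;;
        local)  echo "on the NAT box: ip addr add $3/32 dev $5" ;;
    esac
}

# the two candidate fake addresses that came up in the thread
plan_fake_ip 192.168.1.2 24 192.168.1.5 192.168.1.1 eth1
plan_fake_ip 192.168.1.2 24 192.16.1.1  192.168.1.1 eth1
```

In practice you would not add one /32 route per fake host: put all fake addresses in one block that is not used on either side (192.16.1.0/24 in the later posts) and route that block once, or make the NAT box the clients' default gateway, in which case no client-side route is needed at all.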

#5 Kieren (Linux Engineer)
    Thanks for your reply HROAdmin26

    From this I have created the following rules to edit the source/destination addresses coming from the end user:

    iptables --table nat --append PREROUTING --destination 192.16.1.1 --jump DNAT --to-destination 123.456.1.2
    iptables --table nat --append POSTROUTING --source 192.168.1.2 --jump SNAT --to-source 123.456.1.1

    Where:
    + 192.16.1.1 is the made up address
    + 123.456.1.2 is the server's actual IP address
    + 192.168.1.2 is the end user's IP address
    + 123.456.1.1 is the NAT's eth0 IP address

#6 HROAdmin26 (Linux Guru)
    Great - let us know how it works.

    I am thinking instead of setting an explicit rule for SNAT for every IP (in both directions), you may be able to use a MASQUERADE rule (one for each direction). You would still need a PREROUTING rule for each destination IP. You may also want to add state matches with RELATED and ESTABLISHED rules in the FORWARD chain.

#7 Kieren (Linux Engineer)
    Okay, I have managed to get it working now. There is a file called ips containing the fake IPs and their allocated server address as follows:

    192.16.1.1 123.456.1.3
    192.16.1.2 123.456.1.4
    192.16.1.3 123.456.1.5
    192.16.1.4 123.456.1.6
    192.16.1.5 123.456.1.7

    And the bash script to set up iptables:

    Code:
    #!/usr/bin/env bash
    # loop through the fake->real pairs in ips (one "fake real" pair per line)
    while read -r fake real; do
        # block direct access to the real server address
        # (done in the nat table here; the filter table's FORWARD chain is the usual place)
        iptables --table nat --append PREROUTING --destination "$real" --jump DROP

        # forward fake IPs to servers
        iptables --table nat --append PREROUTING --destination "$fake" --jump DNAT --to-destination "$real"
    done < ips

    # change source address of packets forwarded from the client side
    iptables --table nat --append POSTROUTING --source 192.168.1.0/24 --jump SNAT --to-source 123.456.1.1
    Thanks for all your help
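
A complete rule generator for the layout the thread converges on, added here as an example; it is not Kieren's script or anyone else's posted code. It reads the same "fake real" mapping file, emits the iptables commands as text (so they can be reviewed or tested without root) and only executes them when run with "apply". Two things differ from the script above: forwarding is switched on explicitly, and the nat-table DROP is replaced by a default-deny FORWARD chain with one accept per mapping keyed on the original, pre-DNAT destination (the conntrack match's --ctorigdst), which is what stops a client that addresses a real server IP directly, since the FORWARD chain only ever sees the post-DNAT address. Assumptions: bash, iptables with the conntrack match, eth1 facing the 192.168.1.0/24 clients and eth0 the servers, and 123.456.1.1 as the NAT's server-side address exactly as in the thread (123.456.x.x is not a valid IPv4 address, the octets exceed 255; it is kept only to match the thread). The mapping data at the bottom is constructed.

```shell
#!/usr/bin/env bash
# Added example, not the thread's own script. Builds the rule set for the NAT
# layout in this thread from a "fake real" mapping file (the format of the ips
# file above). Rules are printed as text; "apply" enables forwarding and runs
# them. Assumed: eth1 faces the 192.168.1.0/24 clients, eth0 the servers, and
# 123.456.1.1 is the NAT's server-side address as in the thread (not a valid
# IPv4 address; kept only to match the thread's examples).
set -euo pipefail

CLIENT_IF=eth1
SERVER_IF=eth0
CLIENT_NET=192.168.1.0/24
NAT_SERVER_IP=123.456.1.1

# gen_rules MAPFILE -> one iptables command per line
gen_rules() {
    local mapfile=$1 fake real
    # clean slate: empty nat chains, and a FORWARD chain that denies everything
    # not listed below, which is what blocks direct access to the real servers
    echo "iptables -t nat -F PREROUTING"
    echo "iptables -t nat -F POSTROUTING"
    echo "iptables -F FORWARD"
    echo "iptables -P FORWARD DROP"
    # replies (and related traffic) of flows that were already translated
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    while read -r fake real; do
        case $fake in ''|'#'*) continue ;; esac    # skip blank and comment lines
        [ -n "$real" ] || { echo "gen_rules: malformed line '$fake'" >&2; return 1; }
        # clients address the fake IP; rewrite it to the real server
        echo "iptables -t nat -A PREROUTING -i $CLIENT_IF -d $fake -j DNAT --to-destination $real"
        # FORWARD sees the post-DNAT destination, so key the accept on the
        # original destination: only flows that arrived via the fake address
        # are forwarded, never ones a client sent to $real directly
        echo "iptables -A FORWARD -i $CLIENT_IF -o $SERVER_IF -s $CLIENT_NET -d $real -m conntrack --ctstate NEW --ctorigdst $fake -j ACCEPT"
    done < "$mapfile"
    # everything leaving toward the servers carries the NAT's own address
    echo "iptables -t nat -A POSTROUTING -o $SERVER_IF -s $CLIENT_NET -j SNAT --to-source $NAT_SERVER_IP"
}

# apply_rules MAPFILE: enable forwarding, then execute the generated commands
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1
    gen_rules "$1" | sh -e
}

# constructed mapping in the thread's format, used when no file is given
SAMPLE_MAP=$(mktemp)
cat >"$SAMPLE_MAP" <<'EOF'
# fake        real
192.16.1.1    123.456.1.3
192.16.1.2    123.456.1.4
EOF

case "${1:-print}" in
    apply) apply_rules "${2:-$SAMPLE_MAP}" ;;
    *)     gen_rules "${2:-$SAMPLE_MAP}" ;;
esac
rm -f "$SAMPLE_MAP"
```

Run it with no arguments to inspect the rules it would install, or "apply ips" on the NAT box to install them from the real mapping file. The servers still see every client as 123.456.1.1, so pikah's port caveat applies: all client flows to one server share a single source address and are distinguished by source port only, which limits the number of concurrent connections per server and makes per-client access control on the server side impossible.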
