- 01-10-2012 #1 (Just Joined! Join Date: Jan 2012, Posts: 2)
How to configure Full Cone NAT with iptables?
Hi Experts;
I want to find the right iptables commands combination to address the following need:
- NEs are NATed through the Linux box (using iptables) towards the WAN cloud, where the NTP servers are situated.
- In order to achieve redundancy, the NTP servers are in a load-balancing cluster with one virtual IP address (172.30.4.245).
- The problem is that when the NEs request NTP updates using 172.30.4.245, the NTP response is received from one of the actual IP addresses (.200, .230, .240).
Example:
iptables is not allowing this flow, which is normal since the requested and responding addresses are not the same (172.30.4.245 vs 172.30.4.230):
Request : UDP 10.68.2.11:23445 ---> 172.30.4.245:123 (this is before NAT; of course after NAT the source is 10.23.14.72)
Response: UDP 172.30.4.230:123 ---> 10.23.14.72:23445 (response to the WAN address)
I'm wondering if there is any way to let iptables establish the UDP flow based only on the (s-port/d-port) regardless of the IP addresses, and execute the NAT back to the LAN based on that.
UDP/NTP is just an example; almost all the needed services are set up in the same way (load balancing in a cluster).
[image: fullconenat.jpg]
Appreciate your help !
Thanks & Regards
lvl1s7a
- 01-16-2012 #2
The question becomes: are you using a stateful tracking firewall or not?
- 01-17-2012 #3 (Just Joined! Join Date: Jan 2012, Posts: 2)
- 01-21-2012 #4
I am going to assume you are starting the connection from within your network.
Code:
iptables -A FORWARD -p udp -m udp --dport 123 -j ACCEPT
This will allow any system to connect to any system on port 123. I would suggest against using source ports if you cannot lock them down on the system. For example, in your case 23445 is being used by the requesting system. This is a random port, and if you cannot lock your system down to always use this port, then you are going to have issues.
The only way I can think to do this with STATEFUL Packet Inspection is to allow those other IPs to start a connection to your system through the firewall, which would mean placing a rule in your firewall for each of the IP addresses that would return a response to your port 123 requests.
That or have the administrator set up his systems so they all look like they are coming from the same source.
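The rule set that the answer above describes, written out as an added example (not code from this thread): one SNAT rule for the outbound request to the cluster VIP, the usual conntrack rule for replies that do match the tracked flow, and then one DNAT plus one FORWARD rule per real cluster member, because a reply from .200/.230/.240 does not match the connection that was tracked towards .245. It takes the answer's advice literally and assumes a fixed client source port (CLIENT_PORT, here 123 rather than the random 23445 from the question), a single LAN client 10.68.2.11, and eth0 as the WAN interface; those values are assumptions, not from the thread. The script only prints the commands, so it can be reviewed before being piped to sh as root.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed values: WAN interface eth0,
# WAN address 10.23.14.72 (from the question), one LAN client 10.68.2.11,
# and a fixed client source port (the answer warns that a random port such
# as 23445 cannot be matched with static rules).
WAN_IF="${WAN_IF:-eth0}"
WAN_IP="${WAN_IP:-10.23.14.72}"
LAN_CLIENT="${LAN_CLIENT:-10.68.2.11}"
CLIENT_PORT="${CLIENT_PORT:-123}"
VIP="172.30.4.245"                                     # cluster virtual address
REAL_SERVERS="172.30.4.200 172.30.4.230 172.30.4.240"  # members that actually answer

# Print (do not run) the iptables commands; pipe to sh as root to apply them.
ntp_rules() {
  # Outbound: client -> VIP, source-NATed to the WAN address; conntrack
  # records the flow and will un-NAT replies that come back FROM the VIP.
  echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_CLIENT -p udp --dport 123 -j SNAT --to-source $WAN_IP"
  echo "iptables -A FORWARD -s $LAN_CLIENT -d $VIP -p udp -m udp --dport 123 -j ACCEPT"
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # Replies from a real member have a different source IP, so they are NEW
  # to conntrack: each member needs its own un-NAT (DNAT) and FORWARD rule.
  for srv in $REAL_SERVERS; do
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -s $srv -d $WAN_IP -p udp --sport 123 --dport $CLIENT_PORT -j DNAT --to-destination $LAN_CLIENT:$CLIENT_PORT"
    echo "iptables -A FORWARD -i $WAN_IF -s $srv -d $LAN_CLIENT -p udp -m udp --sport 123 --dport $CLIENT_PORT -j ACCEPT"
  done
}

# Number of rule lines emitted: 3 fixed rules plus 2 per real server.
rule_count() { ntp_rules | wc -l | tr -d ' '; }

ntp_rules
```

Because the DNAT rules key on the fixed client port, this only maps replies back to one LAN host per port; with several NEs behind the box, each would need its own port and rule pair, which is exactly the limitation the answer's warning about random source ports points at. Apply with `sh script.sh | sudo sh` after review.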