  1. #1
    Just Joined!
    Join Date
    Jan 2012
    Posts
    2

    How to configure Full Cone NAT with iptables?


    Hi Experts;

    I want to find the right iptables commands combination to address the following need:

    - NEs are NATed through the linux box (using iptables) towards the WAN cloud, where the NTP servers are situated.
    - In order to achieve redundancy, the NTP Servers are in a load balancing cluster with one virtual IP address (172.30.4.245).
    - The problem is that when the NEs request NTP updates using 172.30.4.245, the NTP response is received from one of the actual IP addresses (.200, .230, .240).

    Example:

    iptables is not allowing this flow, which is normal since the requested and responding addresses are not the same (172.30.4.245 vs 172.30.4.230):

    Request : UDP 10.68.2.11:23445 ---> 172.30.4.245:123 (this is Before NAT, of course after NAT the source is 10.23.14.72)
    Response: UDP 172.30.4.230:123 ---> 10.23.14.72:23445 (Response to the WAN address)

    I'm wondering if there is any way to let iptables establish the UDP flow only based on the (s-port/d-port) regardless of the IP addresses, and execute the NAT back to the LAN based on that.

    UDP/NTP is just an example; almost all the needed services are set up in the same way (load balancing in a cluster).

    (attached image: fullconenat.jpg)

    Appreciate your help!

    Thanks & Regards
    lvl1s7a

  2. #2
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,672
    The question becomes: are you using a stateful tracking firewall or not?

    Regards
    Robert

    Linux
    The adventure of a lifetime.

    Linux User #296285
    Get Counted

  3. #3
    Just Joined!
    Join Date
    Jan 2012
    Posts
    2
    Quote Originally Posted by Lazydog:
    The question becomes: are you using a stateful tracking firewall or not?
    Hi Robert;

    Thanks for your reply;

    It's a stateful tracking FW, but please elaborate more on what the way forward would be in both cases (stateful & stateless); this might be useful for me.

    Thanks & Regards
    lvl1s7a

  4. #4
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,672
    I am going to assume you are starting the connection from within your network.

    Code:
    iptables -A FORWARD -p udp -m udp --dport 123 -j ACCEPT

    This will allow any system to connect to any system on port 123. I would suggest against using source ports if you cannot lock them down on the system. For example, in your case 23445 is being used by the requesting system. This is a random port, and if you cannot lock your system down to always use this port then you are going to have issues.

    The only way I can think to do this with STATEFUL Packet Inspection is to allow those other IPs to start a connection to your system through the firewall, which would mean placing a rule in your firewall for each of the IP addresses that would return a response to your port 123 requests.

    That, or have the administrator set up his systems so they all look like they are coming from the same source.

    Regards
    Robert

    Linux
    The adventure of a lifetime.

    Linux User #296285
    Get Counted
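
The following script is an added example, not code posted by Lazydog or lvl1s7a. It generates (prints, rather than applies) the rule set that post #4 describes for the situation in post #1: a stateful NATing box whose LAN NEs query the NTP cluster VIP and get replies from the members' real addresses. The interface names and the LAN subnet are assumptions; the VIP, member addresses and the post-NAT source address are the ones given in the thread.

```shell
#!/bin/sh
# Constructed example: emit the iptables rules for a NATing Linux box whose
# LAN hosts query NTP at a cluster VIP but receive replies from the cluster
# members' real addresses. Nothing here is executed against the kernel;
# review the output, then apply it on the firewall.

LAN_IF="eth0"                  # assumed LAN-facing interface
WAN_IF="eth1"                  # assumed WAN-facing interface
LAN_NET="10.68.2.0/24"         # assumed LAN subnet (the thread shows 10.68.2.11)
NAT_ADDR="10.23.14.72"         # post-NAT source address from the thread
NTP_VIP="172.30.4.245"         # cluster virtual IP queried by the NEs
NTP_REAL="172.30.4.200 172.30.4.230 172.30.4.240"   # real member addresses

# Print the complete rule set, one iptables command per line.
gen_ntp_rules() {
    # Stateful baseline: replies whose addresses match the conntrack entry
    # are accepted without any per-service rule.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    # The rule from post #4 (typos corrected): any inside host may open a
    # UDP/123 flow outbound. Only the destination port is matched; the
    # client's source port (23445 in the thread) is random and not relied on.
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p udp -m udp --dport 123 -j ACCEPT"

    # Source NAT the LAN behind the box's WAN address.
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $NAT_ADDR"

    # A reply from 172.30.4.230 does not belong to the conntrack entry that
    # was created for $NTP_VIP, so the kernel treats it as a NEW flow. Post #4's
    # workaround: one explicit inbound accept per real member address.
    for ip in $NTP_REAL; do
        echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -s $ip -p udp -m udp --sport 123 -j ACCEPT"
    done
}

# Helper used for checking the output: number of per-member accept rules.
count_member_rules() {
    gen_ntp_rules | grep -c -- "--sport 123"
}

gen_ntp_rules
```

Caveat worth keeping in mind when reading the generated rules: the per-member FORWARD accepts only let the reply through the filter. Because the reply is addressed to the NAT address and matches no conntrack entry, there is nothing for the kernel to reverse-translate it with, and with random client source ports no static DNAT can decide which LAN host it belongs to. That is why the thread's other suggestion, having the cluster answer from the VIP it was queried on, is the robust fix; the per-IP rules mainly document which external addresses are expected to initiate traffic toward the box.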
