Results 1 to 4 of 4
Hi Experts; I want to find the right iptables commands combination to address the following need: - NEs are NATed thru the linux box (using iptables) towards the WAN cloud, ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
- 01-10-2012 #1
- Join Date
- Jan 2012
How to configure Full Cone NAT with iptables ?
I want to find the right iptables commands combination to address the following need:
- NEs are NATed thru the linux box (using iptables) towards the WAN cloud, where the NTP servers are situated.
- In order to achieve redundancy, the NTP Servers are in a load balancing cluster with one virtual IP address (172.30.4.245)
- The problem is that when the NEs request for NTP updates using the 172.30.4.245, the NTP response is received from one of the actual IP addresses (.200, .230 .240).
The iptables is not allowing this flow, which is normal since the requested vs responding address are not the same (172.30.4.245 vs 172.30.4.230) :
Request : UDP 10.68.2.11:23445 ---> 172.30.4.245:123 (this is Before NAT, of course after NAT the source is 10.23.14.72)
Response: UDP 172.30.4.230:123 ---> 10.23.14.72:23445 (Response to the WAN address)
I'm wondering if there is any way to let iptables establish the UDP flow only based on the (s-port/d-port) regardless of the IP addresses, and execute the NAT back to the LAN based on that.
UDP/NTP is just an example, almost all the needed services are setup in the same way (load balancing in Cluster).
Appreciate your help !
Thanks & Regards
- 01-16-2012 #2
The question becomes are you using a Stateful tracking firewall or not?
- 01-17-2012 #3
- Join Date
- Jan 2012
- 01-21-2012 #4
I am going to assume you are starting the connection from within your network
iptables -A FORWARD -p udp -m upd -dport 123 -j ACCEPT
This will allow any system to connect to any system on port 123. I would suggest against using source ports if you cannot lock them down on the system. for example in your case 23445 is being used by the requesting system. This is a random port and if you cannot lock your system down to alway use this port then you are going to have issues.
The only way I can think to do this with STATEFUL Packet Inspection is to allow those other IPs to start a connecting to your system through the firewall which would mean placing a rule in your firewall for each of the ip addresses that would return a response to your port 123 requests..
That or have the administer setup his systems so they all look like they are coming from the same source.