08-03-2011 #1
Trouble using iptables for IP masquerading
Hi,
I'm using CentOS on a box with two NICs as a firewall server, everything goes through that box. The webserver is fine, as I am running nginx as a reverse proxy on the box itself, however my application server (which MUST run on Windows) is a different story.
Although I'm not entirely sure if it's possible, I've been assured that it's possible to forward IP traffic from the firewall machine to the application server (running on Windows) WHILE preserving the source IP address.
I've been reading iptables documentation extensively, but I'm still not sure if it's actually possible. Here's how I've been told to do this:
Please note that eth0 is the public interface (and default gateway), and eth1 is the private interface.
Code:
-A PREROUTING -p tcp -i eth0 -m tcp --destination $PUBLIC_IP --dport $SERVER_PORT -j DNAT --to-destination $INTERNAL_IP:$SERVER_PORT
-A POSTROUTING -p tcp -o eth1 -m tcp --dport $SERVER_PORT -j MASQUERADE
The problem, however, is the source IP address becomes the firewall box (10.1.1.2) - which leads me to wonder if: a. it's simply not possible to forward the source IP address, b. I am going about this the wrong way, or c. it's correct and Windows is being a nuisance (and I realise this is a linux forum, sorry!).
Any help is much appreciated, thanks.
08-03-2011 #2
I take it your network looks something like this:
<Internet>--<Linux FW>--<Windows>
In this case what you need is for traffic coming into the FW to be redirected to the Windows box with
Code:
-A PREROUTING -i eth0 -p tcp -m tcp --dport <port> -j DNAT --to-destination <server ip>
-A POSTROUTING -p tcp -o etho -j MASQUERADE
This should direct all traffic for port X to your Windows server and anything leaving your network to be set to your internet address.
Just ensure the routing table on the Windows box uses the Linux box as its default gateway.
There is no reason to use both IP addresses and port in your rules, since you have a simple network setup, as it only leads to confusion in the beginning.
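As an added example, not posted in this thread: a script that writes this answer's rule set out in full (DNAT on the public side, MASQUERADE only for traffic leaving on eth0) beside the original set from the question that masqueraded on eth1, with a check that flags the rule that rewrites the client address. The public address 203.0.113.10 and port 8080 are constructed placeholders, and the script assumes the Windows box's default gateway is the Linux box, as the answer requires.

```shell
#!/bin/sh
# Added example (not from the thread): forward $SERVER_PORT to the Windows box
# while keeping the original client source address on the forwarded packets.
PUBLIC_IF=eth0
PRIVATE_IF=eth1
PUBLIC_IP=203.0.113.10   # constructed placeholder (TEST-NET-3), not the poster's 62.X.X.164
INTERNAL_IP=10.1.1.2     # Windows box, as given in the thread
SERVER_PORT=8080         # constructed placeholder

# The set from the question: MASQUERADE on the private interface rewrites the
# source of every forwarded packet to the firewall's own 10.1.1.x address.
rules_with_snat() {
  cat <<EOF
-t nat -A PREROUTING -i $PUBLIC_IF -p tcp -d $PUBLIC_IP --dport $SERVER_PORT -j DNAT --to-destination $INTERNAL_IP:$SERVER_PORT
-t nat -A POSTROUTING -o $PRIVATE_IF -p tcp --dport $SERVER_PORT -j MASQUERADE
EOF
}

# Corrected set: DNAT only, plus explicit FORWARD filtering. Source addresses
# are untouched, so the Windows box must send replies back via the Linux box.
# MASQUERADE stays only for private hosts opening connections to the Internet.
rules_preserving_source() {
  cat <<EOF
-t nat -A PREROUTING -i $PUBLIC_IF -p tcp -d $PUBLIC_IP --dport $SERVER_PORT -j DNAT --to-destination $INTERNAL_IP:$SERVER_PORT
-A FORWARD -i $PUBLIC_IF -o $PRIVATE_IF -p tcp -d $INTERNAL_IP --dport $SERVER_PORT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $PRIVATE_IF -o $PUBLIC_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j DROP
-t nat -A POSTROUTING -o $PUBLIC_IF -s 10.1.1.0/24 -j MASQUERADE
EOF
}

# Returns 0 when the named rule set does no source NAT on the private
# interface, i.e. the Windows box will see real client addresses.
preserves_source() {
  ! "$1" | grep -qE -- "-o $PRIVATE_IF .*-j (MASQUERADE|SNAT)"
}

# Load the corrected set (needs root and net.ipv4.ip_forward=1).
apply_rules() {
  rules_preserving_source | while read -r line; do
    iptables $line   # unquoted on purpose: each line is one argument list
  done
}
```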
08-03-2011 #3
Thanks for your reply.

Quote:
-A POSTROUTING -p tcp -o etho -j MASQUERADE
After fixing that to "eth0", I couldn't connect to the application server, so I changed it back to eth1 but still had the same source IP issue.

Quote:
Just ensure the routing table on the windows box uses the linux box as it's default gateway.
How can I be sure of this?

Running "route print" shows this:
Code:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway         Interface  Metric
          0.0.0.0          0.0.0.0         10.1.1.3          10.1.1.2     266
          0.0.0.0          0.0.0.0   PUBLIC_GATEWAY  UNUSED_PUBLIC_IP     266
         10.1.1.0    255.255.255.0          On-link          10.1.1.2     266
         10.1.1.2  255.255.255.255          On-link          10.1.1.2     266
Could the other NIC on that (Windows) box, also with its own upstream, be conflicting? I only use its own public IP address for remote administration of the Windows box; everything else goes through the firewall.
It's a little backwards, but 10.1.1.2 is the Windows box and 10.1.1.3 is the Linux box.
The network layout looks like this:
[Internet - used by the public]
v
[Linux firewall/router]
v (crossover cable)
[Windows application server] < [Internet - "private" access]
If that makes any sense.
Thanks for your help thus far, appreciate it!
08-04-2011 #4
Can you give me an idea of how your network is laid out? I am trying to figure out why the postrouting isn't working.
08-04-2011 #5
Right, well, I have purchased 2 dedicated servers through Leaseweb that are in the same rack.
They both have their own uplinks, one on the Linux box and one on the Windows box, though I only really need to go through Linux.
Additionally, both servers are connected to each other via crossover cable - eth1 on the Linux box.
IP addresses are as follows:
10.1.1.3 - Linux box (is a bit backwards considering it's used first!)
10.1.1.2 - Windows box
IP forwarding etc. is enabled on both boxes (just in case). On the Windows box the LAN adapter's config is as follows:
(it has a WAN adapter too, but it's only used for remote administration - maybe it's conflicting with the LAN adapter?)
Code:
IP: 10.1.1.2
Subnet: 255.255.255.0
Default gateway: 10.1.1.3 (should it be?)
(no DNS servers set)
On the Linux box, eth0 (public interface) looks like:
Code:
DEVICE=eth0
BOOTPROTO=none
HWADDR=78:e3:b5:fd:c2:01
IPADDR=62.X.X.164
NETMASK=255.255.255.192
ONBOOT=yes
TYPE=Ethernet
GATEWAY=62.X.X.190
eth1, the private interface (crossover cable between the two machines), looks like this:
Code:
DEVICE=eth1
HWADDR=78:E3:B5:FD:C2:02
ONBOOT=yes
HOTPLUG=no
BOOTPROTO=static
NETWORK=10.1.1.0
IPADDR=10.1.1.3
NETMASK=255.255.255.0
BROADCAST=10.1.1.255
TYPE=Ethernet
So... basically, everything I'm concerned about goes through the Linux box first and is routed over the crossover cable to the Windows box. The source IP addresses remain that of the Linux box instead of the actual source, though.
Thanks again for your help, hopefully this explains it.
EDIT:
Just to be clear, it's routing fine - the application server is receiving the requests and passing them back. However, Windows sees the source IP address of these requests as the Linux box's IP (10.1.1.3). I need this to be their actual source IP address.
Last edited by Cybulski; 08-05-2011 at 05:13 AM.
08-05-2011 #6
OK, you have to be changing this somewhere and I need to see your complete firewall rules to see where the problem is.