  1. #1
    Just Joined!
    Join Date
    Aug 2011
    Posts
    4

    Trouble using iptables for IP masquerading


    Hi,

    I'm using CentOS on a box with two NICs as a firewall server, everything goes through that box. The webserver is fine, as I am running nginx as a reverse proxy on the box itself, however my application server (which MUST run on Windows) is a different story.

    Although I'm not entirely sure if it's possible, I've been assured that it's possible to forward IP traffic from the firewall machine to the application server (running on Windows) WHILE preserving the source IP address.

    I've been reading iptables documentation extensively, but I'm still not sure if it's actually possible. Here's how I've been told to do this:

    Code:
    -A PREROUTING -p tcp -i eth0 -m tcp --destination $PUBLIC_IP --dport $SERVER_PORT -j DNAT --to-destination $INTERNAL_IP:$SERVER_PORT
    -A POSTROUTING -p tcp -o eth1 -m tcp --dport $SERVER_PORT -j MASQUERADE
    Please note that eth0 is the public interface (and default gateway), and eth1 is the private interface.

    The problem, however, is the source IP address becomes the firewall box (10.1.1.2) - which leads me to wonder if: a. it's simply not possible to forward the source IP address, b. I am going about this the wrong way, or c. it's correct and Windows is being a nuisance (and I realise this is a linux forum, sorry!).

    Any help is much appreciated, thanks.

  2. #2
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    I take it your network looks something like this:

    <Internet>--<Linux FW>--<Windows>

    In this case what you need is for traffic coming into the FW to be redirected to the window box with
    Code:
    -A PREROUTING -i eth0 -p tcp -m tcp --dport <port> -j DNAT --to-destination <server ip>
    -A POSTROUTING -p tcp -o etho -j MASQUERADE
    This should direct all traffic for port X to your windows server and anything leaving your network to be set to your internet address.

    Just ensure the routing table on the windows box uses the linux box as its default gateway.

    There is no reason to use both ip addresses and port in your rules, since you have a simple network setup, as it only leads to confusion in the beginning.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  3. #3
    Just Joined!
    Join Date
    Aug 2011
    Posts
    4
    Thanks for your reply.

    -A POSTROUTING -p tcp -o etho -j MASQUERADE
    After fixing that to "eth0", I couldn't connect to the application server, so I changed it back to eth1 but still had the same source IP issue.

    Just ensure the routing table on the windows box uses the linux box as its default gateway.
    How can I be sure of this?

    Running "route print" shows this:
    Code:
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0         10.1.1.3         10.1.1.2    266
              0.0.0.0          0.0.0.0    PUBLIC_GATEWAY    UNUSED_PUBLIC_IP    266
             10.1.1.0    255.255.255.0         On-link          10.1.1.2    266
             10.1.1.2  255.255.255.255         On-link          10.1.1.2    266
    Could the other NIC on that (Windows) box, also with its own upstream, be conflicting? I only use its own public IP address for remote administration of the Windows box; everything else goes through the firewall.

    It's a little backwards, but 10.1.1.2 is the Windows box and 10.1.1.3 is the linux box.

    The network layout looks like this:

    [Internet - used by the public]
    v
    [Linux firewall/router]
    v (crossover cable)
    [Windows application server] < [Internet - "private" access]

    If that makes any sense.

    Thanks for your help thus far, appreciate it!

  4. #4
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Can you give me an idea of how your network is laid out? I am trying to figure out why the postrouting isn't working.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  5. #5
    Just Joined!
    Join Date
    Aug 2011
    Posts
    4
    Quote Originally Posted by Lazydog View Post
    Can you give me an idea of how your network is laid out? I am trying to figure out why the postrouting isn't working.
    Right, well, I have purchased 2 dedicated servers through Leaseweb that are in the same rack.

    They both have their own uplinks, one on the Linux box and one on the Windows box, though I only really need to go through Linux.

    Additionally, both servers are connected to each other via crossover cable - eth1 on the Linux box.

    IP addresses are as follows:
    10.1.1.3 - Linux box (is a bit backwards considering it's used first!)
    10.1.1.2 - Windows box

    IP forwarding etc. is enabled on both boxes (just in case). On the Windows box the LAN adapter's config is as follows:

    Code:
    IP: 10.1.1.2
    Subnet: 255.255.255.0
    Default gateway: 10.1.1.3 (should it be?)
    (no DNS servers set)
    (it has a WAN adapter too, but it's only used for remote administration - maybe it's conflicting with the LAN adapter?)

    On the Linux box, eth0 (public interface) looks like:

    Code:
    DEVICE=eth0
    BOOTPROTO=none
    HWADDR=78:e3:b5:fd:c2:01
    IPADDR=62.X.X.164
    NETMASK=255.255.255.192
    ONBOOT=yes
    TYPE=Ethernet
    GATEWAY=62.X.X.190
    eth1, the private interface (crossover cable between the two machines) looks like this:

    Code:
    DEVICE=eth1
    HWADDR=78:E3:B5:FD:C2:02
    ONBOOT=yes
    HOTPLUG=no
    BOOTPROTO=static
    NETWORK=10.1.1.0
    IPADDR=10.1.1.3
    NETMASK=255.255.255.0
    BROADCAST=10.1.1.255
    TYPE=Ethernet
    So... basically, everything I'm concerned about goes through the Linux box first and is routed over the crossover cable to the Windows box. The source IP addresses remain that of the Linux box, instead of the actual source though.

    Thanks again for your help, hopefully this explains it.

    EDIT:
    Just to be clear, it's routing fine - the application server is receiving the requests and passing them back. However, Windows sees the source IP address of these requests as the Linux box's IP (10.1.1.3). I need this to be their actual source IP address.
    Last edited by Cybulski; 08-05-2011 at 05:13 AM.

  6. #6
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    OK, you have to be changing this somewhere and I need to see your complete firewall rules to see where the problem is.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  7. #7
    Just Joined!
    Join Date
    Aug 2011
    Posts
    4
    Quote Originally Posted by Lazydog View Post
    OK, you have to be changing this somewhere and I need to see your complete firewall rules to see where the problem is.
    Not to worry, the issue has been resolved. The original rules worked fine, it was two things - the default policy (added the FORWARD rule it needed) and the virtual NICs I neglected to mention.

    Issue is resolved now, thanks for your help!
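
A ruleset for the setup discussed in this thread, as an added example that is not from any poster: DNAT on eth0 with MASQUERADE confined to the public interface (so the Windows box sees the real client address), plus the FORWARD rules the final post says were needed. The public address, the port and the masq_on_if/apply_fw_rules helpers are assumptions; 10.1.1.3, 10.1.1.2, eth0 and eth1 are the thread's own values.

```shell
#!/bin/sh
# Added example (not from the thread): port-forward to the internal host while keeping
# the client's real source address. Public IP and port are constructed placeholders;
# 10.1.1.3 / 10.1.1.2 and eth0 / eth1 are the thread's own values.
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # constructed placeholder (RFC 5737 range)
SERVER_PORT="${SERVER_PORT:-8080}"       # constructed placeholder for the app port
INTERNAL_IP="${INTERNAL_IP:-10.1.1.2}"   # Windows application server, crossover link
WAN_IF="${WAN_IF:-eth0}"                 # public interface and default route
LAN_IF="${LAN_IF:-eth1}"                 # private interface to the Windows box

# Emit the whole ruleset in iptables-restore format (lines starting with # are ignored).
fw_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Rewrite only the destination; the client's source address is untouched.
-A PREROUTING -i $WAN_IF -p tcp -d $PUBLIC_IP --dport $SERVER_PORT -j DNAT --to-destination $INTERNAL_IP:$SERVER_PORT
# Masquerade only traffic leaving on the public side. A MASQUERADE on $LAN_IF
# rewrites the source to the firewall's own 10.1.1.3, the symptom seen in the thread.
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
# With a DROP policy, DNATed packets are discarded unless FORWARD allows them explicitly.
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $INTERNAL_IP --dport $SERVER_PORT -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
COMMIT
EOF
}

# Number of MASQUERADE rules bound to interface $1; a non-zero count on the LAN side
# means the Windows box will log the firewall's address instead of the client's.
masq_on_if() {
    fw_rules | grep -c -- "-o $1 -j MASQUERADE" || true
}

# Load the ruleset (run as root). Replies only return through this box if the Windows
# side uses 10.1.1.3 as its default gateway, as noted in the thread.
apply_fw_rules() {
    sysctl -w net.ipv4.ip_forward=1
    fw_rules | iptables-restore
}
```

Run `fw_rules` to inspect the generated ruleset and `masq_on_if eth1` as a pre-flight check (it should print 0) before calling `apply_fw_rules`.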
