One-to-One NAT using Linux IPTables Not Working
I am trying to implement a 1 to 1 NAT on a Linux Box. The setup is pretty basic, it has two interfaces, eth0 is the outside interface, eth1 is the inside. Behind eth1 resides the isolated 192.168.100.0/24 network while eth0 connects to the rest of the network on 192.168.0.0/24 (this network is irrelevant). What I want to do is allow the isolated network to communicate through the linux box using an external IP address of a different network, 192.168.50.0/24. So basically the linux box nats 192.168.100.10 from the inside network to 192.168.50.10 routed out of the linux box. I’ve set up routes to point traffic destined for 192.168.50.0/24 to the Linux box’s eth0 interface on all external devices. At this point, traffic destined for 192.168.50.0/24 arrives at eth0 of the Linux box, but it never seems to translate over as I never see any traffic for either 192.168.50.10 or 192.168.100.10 on the internal eth1 interface. Below is my basic NAT config. My question is, do I need to do something else? I didn’t bother adding routes on the Linux box for the 192.168.50.0/24 network since the box never routes packets with that address due to this NAT config.
Outbound rule
-A POSTROUTING -o eth0 -s 192.168.100.10 -j SNAT --to-source 192.168.50.10
Inbound rule
-A PREROUTING -i eth0 -d 192.168.50.10 -j DNAT --to-destination 192.168.100.10
Temp rules to allow all traffic
-A INPUT -j ACCEPT
-A FORWARD -j ACCEPT
Notice all other traffic is allowed through iptables as well by default, so it shouldn’t be a blocking issue.
Iptables NAT one-to-one
I use a Linux server, Fedora 4.14.33-51.37.amzn1.x86_64. I want to use NAT 1-to-1. For example, is it the same problem? My scheme is: my server has two network interfaces.
eth0: mtu 9001 qdisc mq state UP group default qlen 1000
    link/ether 0a:8a:59:b9:2d:b8 brd ff:ff:ff:ff:ff:ff
    inet 172.10.1.72/25 brd 172.10.1.127 scope global eth0
       valid_lft forever preferred_lft forever
    inet 172.10.1.32/25 brd 172.10.1.127 scope global secondary eth0
       valid_lft forever preferred_lft forever
    inet 172.10.1.39/25 brd 172.10.1.127 scope global secondary eth0
       valid_lft forever preferred_lft forever
    inet 172.10.1.101/25 brd 172.10.1.127 scope global secondary eth0
eth1: inet 172.10.1.246/28 brd 172.10.1.255 scope global eth1
(eth0)172.10.1.101 - (server1)192.168.1.10
(eth0)172.10.1.32  - (server2)192.168.1.11
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.10.1.1      0.0.0.0         UG    0      0        0 eth0
0.0.0.0         172.10.1.241    0.0.0.0         UG    10001  0        0 eth1
10.0.0.0        172.10.1.1      255.0.0.0       UG    0      0        0 eth0
169.254.169.254 0.0.0.0         255.255.255.255 UH    0      0        0 eth0
172.10.1.0      0.0.0.0         255.255.255.128 U     0      0        0 eth0
172.10.1.240    0.0.0.0         255.255.255.240 U     0      0        0 eth1
192.168.1.0     172.10.1.241    255.255.255.240 UG    0      0        0 eth1
iptables -nvL
Chain INPUT (policy ACCEPT 1726 packets, 115K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1827  121K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  664 55128 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4

Chain OUTPUT (policy ACCEPT 2123 packets, 668K bytes)
 pkts bytes target     prot opt in     out     source               destination
 2123  668K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4

iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 36 packets, 2476 bytes)
 pkts bytes target     prot opt in     out     source               destination
    8   528 DNAT       all  --  eth0   *       0.0.0.0/0            172.10.1.101         to:192.168.1.10

Chain INPUT (policy ACCEPT 36 packets, 2476 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 195 packets, 14344 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 202 packets, 14788 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      eth0    192.168.1.10         0.0.0.0/0            to:172.10.1.101
telnet: connect to address 172.10.1.101: Connection timed out
But when I try to connect to another IP on my eth0 interface, I see this in the log:
Jun 18 15:04:39 ip-172-10-1-72 kernel: [ 1245.059113] IN= OUT=eth0 SRC=172.10.1.39 DST=10.68.72.90 LEN=40 TOS=0x10 PREC=0x00 TTL=255 DF PROTO=TCP SPT=4016 DPT=47952 WINDOW=0 RES=0x00 ACK RST URGP=0
10.68.72.90 is my server before NAT. After adding the rules in iptables I am not able to ping my IP 172.10.1.101.
Can I create a 1:1 NAT with iptables?
I am running a Debian 10 server which has multiple network interfaces. Can I create rules that will route all network traffic coming in to one IP address on one of the interfaces from the outside (i.e. from other devices on the network) to another IP address not on the same machine but elsewhere on the network? Similarly to WAN-to-LAN routing. I know how to do it on e.g. pfSense but I am quite lost with iptables. Non-iptables solutions are also welcome.
Do you want to only forward traffic coming from outside of the box to that interface, or also traffic coming from other interfaces on the same box and/or traffic generated by programs locally?
Only forward traffic coming from outside the box. Edited my question for clarification, will try your suggested answer!
Please do not use NAT as a substitute for routing. If the networks are addressed differently, then simply route the packets between the networks. Changing the addresses on the packets causes more trouble, and NAT is resource intensive, slowing packet forwarding.
1 Answer
Quick examples for forwarding traffic coming from outside and from interfaces within the same machine, from the original address to another address, for IP versions 4 and 6 (possibly excluding IPsec traffic with an endpoint on the original address, and connections already existing at the point of execution). This also does NOT redirect traffic generated by locally executing programs; for that you need the OUTPUT chain.
# Activate forwarding
# Note: these forward settings are not reboot persistent
sysctl -w net.ipv6.conf.all.forwarding=1
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -d original.add.re.ss -j DNAT --to-destination ipv4.add.re.ss
iptables -t nat -A POSTROUTING -j MASQUERADE
ip6tables -t nat -A PREROUTING -d [original.add.re.ss] -j DNAT --to-destination [2001::]
ip6tables -t nat -A POSTROUTING -j MASQUERADE
If you want to limit the forwarding to only packets from outside, you have to modify the rules: either add a -i interface naming the interface where they come in, or match everything that did not originate from a local address with -m addrtype ! --src-type LOCAL. You could further exclude broadcast and multicast traffic by using -m addrtype --dst-type UNICAST --src-type UNICAST. You should also check that the default policy for the FORWARD chain is ACCEPT, or add specific rules in that chain.
Dumping the existing filter and nat tables can be done with iptables -S -t filter and iptables -S -t nat. The filter table is where you configure the FORWARD rules if there is a DROP policy. The -A before PREROUTING/POSTROUTING means Append. If you need to insert the rule, because there is a DROP at the end, you have to use -I and put a number behind the chain name.
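The following is an added example, not code from any of the posts above: it generates a complete iptables-restore ruleset for the 1:1 NAT described in the first question (eth0 outside, eth1 inside, 192.168.100.10 mapped to 192.168.50.10, all taken as constructed values) and adds the FORWARD restriction the answer recommends, so that only the translated pair and its conntrack reply traffic is forwarded rather than everything. A second function checks that the DNAT and SNAT rules describe the same pair, the mistake that most often turns an intended 1:1 mapping into a one-way one.

```shell
#!/bin/sh
# Added example (not from the posts above). Generate an iptables-restore ruleset
# for a 1:1 NAT. Usage (as root, after sysctl -w net.ipv4.ip_forward=1, without
# which the DNATed packets are never forwarded to the inside interface):
#   nat_ruleset eth0 eth1 192.168.100.10 192.168.50.10 | iptables-restore
nat_ruleset() {
    out_if=$1; in_if=$2; inside=$3; outside=$4
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# inbound: packets arriving on $out_if for the public address go to the inside host
-A PREROUTING -i $out_if -d $outside -j DNAT --to-destination $inside
# outbound: new connections and replies from the inside host leave as the public address
-A POSTROUTING -o $out_if -s $inside -j SNAT --to-source $outside
COMMIT
*filter
:FORWARD DROP [0:0]
# only forward what belongs to the translated pair; reply direction via conntrack
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $out_if -o $in_if -d $inside -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $in_if -o $out_if -s $inside -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Check a generated ruleset for a symmetric mapping: the DNAT target must be the
# SNAT source, and the SNAT target must be the DNAT match. Returns non-zero if not.
check_symmetry() {
    dnat_pair=$(printf '%s\n' "$1" | sed -n 's/.*-d \([^ ]*\) -j DNAT --to-destination \([^ ]*\).*/\1 \2/p')
    snat_pair=$(printf '%s\n' "$1" | sed -n 's/.*-s \([^ ]*\) -j SNAT --to-source \([^ ]*\).*/\1 \2/p')
    # $1=outside (DNAT match) $2=inside (DNAT target) $3=inside (SNAT match) $4=outside (SNAT target)
    set -- $dnat_pair $snat_pair
    [ "$1" = "$4" ] && [ "$2" = "$3" ]
}
```

Run `iptables-restore --test < ruleset` first to have the kernel parse the rules without loading them, then `iptables -S -t nat` and `iptables -S -t filter` to confirm what is active.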