NAT Loopback
Network configuration:
(1.1.1.1) Router (10.0.0.254) - (10.0.0.1) Host 1
                              - (10.0.0.2) Host 2
I have created 2 hosts with 2 private IPs in a NAT setup. NAT loopback is done so that internal hosts can access the public IP directly. Moreover, a port forward is done from 1.1.1.1:80 to 10.0.0.1:80.
Whenever Host 2 accesses 1.1.1.1:80, Host 1 sees the incoming packet coming from 10.0.0.2.
This is working, but is it possible to let it pass through the external interface on the router so that Host 1 sees the incoming packet coming from 1.1.1.1 instead?
IPTables setup:
# Port forward: anything arriving on br0 for port 80, and anything addressed to 1.1.1.1:80, goes to Host 1
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j DNAT --to 10.0.0.1:80
iptables -t nat -A PREROUTING -d 1.1.1.1 -p tcp --dport 80 -j DNAT --to 10.0.0.1:80
# Outbound NAT for the LAN
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o br0 -j MASQUERADE
# Hairpin: rewrite the source of LAN clients hitting the forwarded port (MASQUERADE picks the router's LAN address here)
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 10.0.0.1 -p tcp --dport 80 -j MASQUERADE
Thanks.
Comments
Well, you've got them on the same subnet so they're going to try to hit locally, first. You could set them on different subnets and set the routing tables accordingly.
This might do what you want, but I haven't tested it. The first line pushes all HTTP traffic to 10.0.0.1 like you did above, but not for the router's internal interface. The second rule redirects all .1 requests to go through the router, so it /should/ use that interface, but it'll probably come from the shared interface rather than externally. You'll need to tell the router what to do with the traffic as well.
Can't use -j MASQUERADE here, use -j SNAT --to 1.1.1.1 instead.
That's strange, with your MASQUERADE rule it should have seen the connection coming from 10.0.0.254, no?
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.12.77:80
iptables -t nat -A POSTROUTING -p tcp -d 192.168.12.77 --dport 80 -j SNAT --to-source 192.168.12.87
@Letzien Thanks for the input; this results in the incoming packet coming from 10.0.0.254 due to the second rule.
Thanks @psb777! That works. Are there any side effects of using this? I know that all internal traffic from 10.0.0.2 will now show as the external IP.
@FoxelVox Thanks. Although I didn't try your code, it should work and give results similar to those below.
Updated IPTables:
You shouldn't be using 1.1.1.1, this is part of an Internet-routable subnet.
Hi Clouvider, thanks for commenting! It is just an example IP, I am hiding my external IP here using 1.1.1.1
On a side note, I always think that Clouvider is the provider that I should try one day but I don't need any powerful dedicated servers in UK yet
Makes sense :-). I only picked up on it as we see issues with some connectivity customers who use 1.1.1.0/24 in their networks internally and then complain to us about issues reaching Cloudflare DNS...
Suggestion: there are blocks reserved for the purpose of documentation, https://tools.ietf.org/html/rfc5737 - I'm not picky, just trying to be helpful :-).
Looking forward to it! Whenever you have a need, reach out, I’ll cut you a deal!
That's an interesting RFC, didn't know about it until now
Thanks in advance for the deal! I need to build some projects first before I need them unless it is a great deal for VPS which I can add to my idling collection. Roughly 70% of the VPS that I bought in LET are still idling lol
Psychz LAX also uses 1.1.1.1 for a Cisco IP.
That depends on whether you have other rules, but generally speaking, there shouldn't be any side effects.
iptables -t nat -A POSTROUTING -s 10.0.0.2 -d 10.0.0.1 -j SNAT --to 1.1.1.1
Even with that rule on your router, when the host 10.0.0.2 connects to 10.0.0.1 directly, the traffic won't pass through your router at all, and thus won't be NAT'd. Given your current ruleset, it will only take effect when 10.0.0.2 tries to access 1.1.1.1 port 80.
That's the only important IPTables rule. Thanks for the great and detailed explanation!
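The hairpin (NAT loopback) ruleset the thread converges on, written up as an added example that is not from the original posts. It follows Clouvider's suggestion and uses the RFC 5737 documentation prefix (203.0.113.1 as the "public" address) rather than 1.1.1.1; the interface name br0, the 10.0.0.0/24 LAN, the web host 10.0.0.1 and port 80 are assumptions taken from the question. By default the functions only print the iptables commands; set APPLY=1 on a router to actually run them.

```shell
#!/bin/sh
# Added example (not from the original thread). Addresses and interface
# names below are assumptions for illustration; override via environment.
PUBLIC_IP=${PUBLIC_IP:-203.0.113.1}   # RFC 5737 documentation address, stands in for the real WAN IP
WAN_IF=${WAN_IF:-br0}
LAN_NET=${LAN_NET:-10.0.0.0/24}
WEB_HOST=${WEB_HOST:-10.0.0.1}
PORT=${PORT:-80}

# Print the rule instead of applying it unless APPLY=1 is set.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

hairpin_nat_rules() {
    # 1. Port forward. Matching on the destination address rather than on
    #    "-i $WAN_IF" means an external client's packet and a LAN client's
    #    packet to PUBLIC_IP are both DNATed to the web host.
    ipt -t nat -A PREROUTING -d "$PUBLIC_IP" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$WEB_HOST:$PORT"

    # 2. Hairpin SNAT, for LAN clients only. POSTROUTING sees the already
    #    DNATed destination, so "-d $WEB_HOST" matches here. Without this
    #    rule the web host would answer 10.0.0.2 directly on the LAN; the
    #    reply would bypass the router, never be un-DNATed, and the client
    #    (which sent to PUBLIC_IP) would reject it. MASQUERADE would pick
    #    the router's LAN address (10.0.0.254), so SNAT --to-source is used
    #    to make the web host see PUBLIC_IP as the source.
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -d "$WEB_HOST" -p tcp --dport "$PORT" \
        -j SNAT --to-source "$PUBLIC_IP"

    # 3. Ordinary outbound NAT for LAN traffic leaving via the WAN side.
    #    Hairpin traffic leaves on the LAN interface, so it never matches this.
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# Number of rules the ruleset emits (handy for a quick sanity check).
rule_count() {
    hairpin_nat_rules | wc -l | tr -d ' '
}

hairpin_nat_rules
```

Note that, as psb777 points out above, rule 2 only fires for connections that actually traverse the router: 10.0.0.2 talking to 10.0.0.1 directly never touches the NAT table. On a live router you can confirm the rewrite with `iptables -t nat -L -n -v` (rule packet counters) and by checking that the web host's access log shows the public address for hairpinned requests.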