NAT Loopback

FAT32 Administrator, Deal Compiler Extraordinaire

Network configuration:

(1.1.1.1) Router (10.0.0.254) - (10.0.0.1) Host 1
                              - (10.0.0.2) Host 2

I have created 2 hosts with 2 private IPs in a NAT setup. NAT Loopback is done such that internal hosts can access the public IP directly. Moreover, a port forward is done from 1.1.1.1:80 to 10.0.0.1:80.

Whenever Host 2 accesses 1.1.1.1:80, Host 1 will see the incoming packet from 10.0.0.2.

This is working, but is it possible to let it pass through the external interface on the router such that Host 1 will see the incoming packet coming from 1.1.1.1 instead?

IPTables setup:

iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j DNAT --to 10.0.0.1:80
iptables -t nat -A PREROUTING -d 1.1.1.1 -p tcp --dport 80 -j DNAT --to 10.0.0.1:80
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o br0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 10.0.0.1 -p tcp --dport 80 -j MASQUERADE

Thanks.

Comments

  • Well, you've got them on the same subnet so they're going to try to hit locally, first. You could set them on different subnets and set the routing tables accordingly.

  • Letzien Member
    edited January 2019

    This might do what you want, but I haven't tested it. The first line pushes all HTTP traffic to 10.0.0.1 like you did above, but not for the router's internal interface. The second rule redirects all .1 requests to go through the router, so it /should/ use that interface, but it'll probably come from the shared interface rather than externally. You'll need to tell the router what to do with the traffic as well.

    iptables -t nat -A PREROUTING -i br0 ! -s 10.0.0.254/32 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.1:80
    iptables -t nat -A POSTROUTING -o br0 -s 10.0.0.0/24 -d 10.0.0.1/32 -j SNAT --to-source 10.0.0.254
    
  • FAT32 said:

    iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 10.0.0.1 -p tcp --dport 80 -j MASQUERADE
    

    Can't use -j MASQUERADE here, use -j SNAT --to 1.1.1.1 instead.

  • No 5king Id3a

  • FAT32 said: Whenever Host 2 accesses 1.1.1.1:80, Host 1 will see the incoming packet from 10.0.0.2.

    That's strange, with your MASQUERADE rule it should have seen the connection coming from 10.0.0.254, no?

  • echo 1 > /proc/sys/net/ipv4/ip_forward

    iptables -F
    iptables -t nat -F
    iptables -X

    iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.12.77:80
    iptables -t nat -A POSTROUTING -p tcp -d 192.168.12.77 --dport 80 -j SNAT --to-source 192.168.12.87

  • FAT32 Administrator, Deal Compiler Extraordinaire

    @Letzien Thanks for the input, this results in the incoming packet from 10.0.0.254 due to the second rule.

    Thanks @psb777! That works. Are there any side effects of using this? I know that all internal traffic from 10.0.0.2 will show as the external IP now.

    @FoxelVox Thanks. Although I didn't try your code, it should work and give results similar to the ones below.

    Updated IPTables:

    iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j DNAT --to 10.0.0.1:80
    iptables -t nat -A PREROUTING -d 1.1.1.1 -p tcp --dport 80 -j DNAT --to 10.0.0.1:80
    iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o br0 -j MASQUERADE
    iptables -t nat -A POSTROUTING -s 10.0.0.2 -d 10.0.0.1 -j SNAT --to 1.1.1.1
    
  • Clouvider Member, Patron Provider
    edited January 2019

    You shouldn't be using 1.1.1.1; this is part of an Internet-routable subnet.

  • FAT32 Administrator, Deal Compiler Extraordinaire

    @Clouvider said:
    You shouldn't be using 1.1.1.1; this is part of an Internet-routable subnet.

    Hi Clouvider, thanks for commenting! It is just an example IP, I am hiding my external IP here using 1.1.1.1

    On a side note, I always think that Clouvider is the provider that I should try one day, but I don't need any powerful dedicated servers in the UK yet.

  • Clouvider Member, Patron Provider
    edited January 2019

    @FAT32 said:

    @Clouvider said:
    You shouldn't be using 1.1.1.1; this is part of an Internet-routable subnet.

    Hi Clouvider, thanks for commenting! It is just an example IP, I am hiding my external IP here using 1.1.1.1

    Makes sense :-). I only picked up on it as we see issues with some connectivity Customers who use 1.1.1.0/24 in their networks internally and then complain to us about issues reaching Cloudflare DNS...

    Suggestion, there are blocks reserved for the purpose of documentation, https://tools.ietf.org/html/rfc5737 - I’m not picky, just trying to be helpful :-).

    On a side note, I always think that Clouvider is the provider that I should try one day, but I don't need any powerful dedicated servers in the UK yet.

    Looking forward to it! Whenever you have a need, reach out, I’ll cut you a deal!

  • FAT32 Administrator, Deal Compiler Extraordinaire

    @Clouvider said:
    Suggestion, there are blocks reserved for the purpose of documentation, https://tools.ietf.org/html/rfc5737 - I’m not picky, just trying to be helpful :-).

    Looking forward to it! Whenever you have a need, reach out, I’ll cut you a deal!

    That's an interesting RFC, didn't know about it until now :)

    Thanks in advance for the deal! I need to build some projects first before I need them, unless it is a great deal for a VPS which I can add to my idling collection. Roughly 70% of the VPSes that I bought on LET are still idling lol

  • kerus1024 Member
    edited January 2019

    @Clouvider said:
    You shouldn't be using 1.1.1.1; this is part of an Internet-routable subnet.

    Psychz LAX also uses 1.1.1.1 for a Cisco IP.

  • FAT32 said: Are there any side effects of using this? I know that all internal traffic from 10.0.0.2 will show as the external IP now.

    That depends on whether you have other rules, but generally speaking, there shouldn't be any side effects.

    iptables -t nat -A POSTROUTING -s 10.0.0.2 -d 10.0.0.1 -j SNAT --to 1.1.1.1

    Even with that rule on your router, when the host 10.0.0.2 connects 10.0.0.1 directly, the traffic won't pass through your router at all, and thus won't be NAT'd. Given your current ruleset, it will only take effect when 10.0.0.2 tries to access 1.1.1.1 port 80.

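The ruleset the thread converges on, written up as a script. This is an added example and not code from any post above: it takes the public address from the RFC 5737 documentation range Clouvider points to, generalises the SNAT from the hard-coded 10.0.0.2 to any LAN client by matching the conntrack DNAT state (so only hairpinned connections are rewritten, exactly the behaviour psb777 describes), and loads the nat table atomically with iptables-restore. The interface names (eth0 for WAN, br0 for LAN), the address 203.0.113.10 and the FORWARD rules are assumptions; adjust them to the real router.

```shell
#!/bin/sh
# Hairpin NAT (NAT loopback) port forward, generated for iptables-restore.
# Added example, not taken from the thread. Interface names, the web server
# address and the public address are assumptions; the public address is from
# the RFC 5737 documentation range (203.0.113.0/24), so unlike 1.1.1.1 it can
# never collide with a real host.
set -eu

WAN_IF="${WAN_IF:-eth0}"                 # assumed external interface
LAN_IF="${LAN_IF:-br0}"                  # assumed internal bridge
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # stands in for the router's real public address
LAN_NET="${LAN_NET:-10.0.0.0/24}"
WEB_SERVER="${WEB_SERVER:-10.0.0.1}"     # Host 1 in the thread
PORT="${PORT:-80}"

# Emit the complete nat table in iptables-restore syntax ('#' lines are ignored by it).
hairpin_nat_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Internet -> web server.
-A PREROUTING -i $WAN_IF -p tcp --dport $PORT -j DNAT --to-destination $WEB_SERVER:$PORT
# LAN client -> public address (the hairpin): same DNAT, keyed on the destination.
-A PREROUTING -i $LAN_IF -d $PUBLIC_IP -p tcp --dport $PORT -j DNAT --to-destination $WEB_SERVER:$PORT
# Ordinary outbound masquerading for the LAN.
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
# Hairpinned flows only: rewrite the source so the server answers the router,
# which un-NATs the reply for the LAN client. The conntrack DNAT state matches
# only connections whose destination was rewritten above, so no other LAN
# traffic is touched, and the rule still works if the server is later moved
# to a second subnet behind the router.
-A POSTROUTING -s $LAN_NET -d $WEB_SERVER -p tcp --dport $PORT -o $LAN_IF -m conntrack --ctstate DNAT -j SNAT --to-source $PUBLIC_IP
COMMIT
EOF
}

# Number of rules iptables-restore will load; a quick sanity check before applying.
rule_count() {
  hairpin_nat_rules | grep -c '^-A '
}

# Replace the nat table atomically and make sure FORWARD lets the flows through.
# iptables-restore without --noflush rewrites only the tables named in its
# input, so the filter table is left as it is.
apply_rules() {
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  hairpin_nat_rules | iptables-restore
  # Idempotent FORWARD rules: -C checks for an existing copy before adding one
  # (assumes the FORWARD policy may be DROP).
  iptables -C FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null ||
    iptables -I FORWARD 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  iptables -C FORWARD -d "$WEB_SERVER" -p tcp --dport "$PORT" -m conntrack --ctstate DNAT -j ACCEPT 2>/dev/null ||
    iptables -A FORWARD -d "$WEB_SERVER" -p tcp --dport "$PORT" -m conntrack --ctstate DNAT -j ACCEPT
}

# Usage: ./hairpin.sh show   (print the generated table)
#        ./hairpin.sh apply  (load it; needs root)
case "${1:-show}" in
  apply) apply_rules ;;
  show)  hairpin_nat_rules ;;
  *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it with `show` to inspect the generated table and with `apply` as root to load it. One consequence worth keeping in mind: because the hairpinned source becomes the public address, the web server's logs show 203.0.113.10 for every internal client, so any per-source rate limiting or banning on the server treats the whole LAN as a single client.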
  • FAT32 Administrator, Deal Compiler Extraordinaire

    @psb777 said:
    That depends on whether you have other rules, but generally speaking, there shouldn't be any side effects.

    iptables -t nat -A POSTROUTING -s 10.0.0.2 -d 10.0.0.1 -j SNAT --to 1.1.1.1

    Even with that rule on your router, when the host 10.0.0.2 connects 10.0.0.1 directly, the traffic won't pass through your router at all, and thus won't be NAT'd. Given your current ruleset, it will only take effect when 10.0.0.2 tries to access 1.1.1.1 port 80.

    That's the only important IPTables rule. Thanks for the great and detailed explanation! :)
