[TriLUG] IPTables - disable NAT for a specific source/destination

Ron Kelley via TriLUG trilug at trilug.org
Wed Jun 6 19:30:13 EDT 2018 

Thanks Aaron.  Very much appreciated!



> On Jun 6, 2018, at 6:30 PM, Aaron Joyner <aaron at joyner.ws> wrote:
> 
> I suggest a quick read of the iptables man page, or some examples online, would be helpful to you.  The critical part to absorb is that -A POSTROUTING means "Append to the POSTROUTING chain", which puts the rule at the end of the existing chain.  My suggested command leveraged -I POSTROUTING 1, which is a capital i for insert, into the POSTROUTING chain, at position 1.  Thus, regardless of where you put it in your shell script, when that command is run it will insert it at the "top" of the POSTROUTING chain.
> 
> If you list the nat table on your gateway by running iptables -L -t nat (and your email expresses the entirety of the iptables configuration) you will see that the POSTROUTING chain only had one entry.  So long as the -j RETURN entry is above that one entry, you're in good shape.
> 
> Aaron S. Joyner
> 
> 
> On Wed, Jun 6, 2018 at 11:15 AM, Ron Kelley <rkelleyrtp at gmail.com> wrote:
> Thanks Aaron.  By chance, did the PDF diagram make it through the email alias?  I got a message stating the email awaits moderator approval.
> 
> As for the return path, you are correct.  We will add a static route on the 172.16 host to ensure it knows how to get back to the 192.168 VM.
> 
> Here are the iptable commands we are currently using. 
> 
> -------------------------
> /sbin/iptables -F  -t nat
> /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> /sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> /sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
> /sbin/iptables -A INPUT -p tcp --dport ssh -j ACCEPT
> /sbin/iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
> /sbin/iptables -I INPUT -i eth1 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
> 
> /sbin/iptables -t nat -A PREROUTING -s 172.16.100.10 -p tcp --dport 2211 -j DNAT --to-destination 192.168.100.11:22
> /sbin/iptables -t nat -A PREROUTING -s 172.16.100.10 -p tcp --dport 2212 -j DNAT --to-destination 192.168.100.12:22
> /sbin/iptables -t nat -A PREROUTING -s 172.16.100.10 -p tcp --dport 2213 -j DNAT --to-destination 192.168.100.13:22
> /sbin/iptables -t nat -A PREROUTING -s 172.16.100.10 -p tcp --dport 2214 -j DNAT --to-destination 192.168.100.14:22
> /sbin/iptables -t nat -A PREROUTING -s 172.16.100.10 -p tcp --dport 2215 -j DNAT --to-destination 192.168.100.15:22
> 
> /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8811 -j DNAT --to-destination 192.168.100.11:80
> /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8812 -j DNAT --to-destination 192.168.100.12:80
> /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8813 -j DNAT --to-destination 192.168.100.13:80
> /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8814 -j DNAT --to-destination 192.168.100.14:80
> /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8815 -j DNAT --to-destination 192.168.100.15:80
> 
> -------------------------
> 
> As you can see, we have two sets of DNAT rules: one for ssh (top DNAT rules) and one for web traffic (bottom DNAT rules).  The goal is to insert a command that provides a connection from 192.168.100.13 to 172.16.100.13 w/out NAT.
> 
> From your example below, it seems I might need this command:
> ------------
> /sbin/iptables -I POSTROUTING 1 -s 192.168.100.13 -d 172.16.100.13 -j RETURN
> ------------
> 
> If correct, where should we put this rule?  Above/below the PREROUTING rules or somewhere else?
> 
> Hope this makes it more clear.
> 
> Thanks for the assistance!
> 
> 
> -Ron
> 
> 
> 
> > On Jun 6, 2018, at 11:05 AM, Aaron Joyner via TriLUG <trilug at trilug.org> wrote:
> > 
> > There's a simple answer to your question, but read on, because there is
> > another problem you are likely to stumble on.  Packages traverse an
> > iptables chain until they hit a terminating action, typically one of
> > ACCEPT, DROP, or RETURN.  You can use this behavior to stop processing of
> > the NAT table's POSTROUTING chain before it encounters the target which
> > would apply the MASQUERADE behavior, only for that host.  Site-unseen, you
> > can probably put insert a rule in position 1 to achieve that effect:
> > 
> > $ SRCIP = 192.168.100.42 # The IP in 192.168.100.0/24 that should not be
> > translated
> > $ iptables -I POSTROUTING 1 -s $SRCIP -j RETURN
> > 
> > Assuming you want $SRCIP to also be able to reach the internet through this
> > NAT gatweay, you likely also want to add "-d 172.16.100.0/24" to that
> > command, so that it doesn't NAT only when talking to hosts in that subnet.
> > 
> > This will get your packet from $SRCIP to the hosts in the 172.16.100.0/24
> > subnet... but it's unlikely they know how to route back to $SRCIP.  You'll
> > also need a route on hosts in the 172.16.100.0/24 subnet to direct their
> > traffic to 192.168.100.0/24 (including response packets) to the gateway
> > IP.  Assuming the gateway's IP is 172.16.100.1, that would look like this:
> > 
> > $ ip route add 192.168.100.0/24 via 172.16.100.1
> > 
> > Aaron S. Joyner
> > 
> > On Wed, Jun 6, 2018 at 9:14 AM, Brian Henning via TriLUG <trilug at trilug.org>
> > wrote:
> > 
> >> I think there may be some confusion of terms going on here.
> >> 
> >> A "firewall" decides what packets to allow through or not.
> >> A "router" handles modifying envelope data to get packets along to the
> >> next hop.
> >> 
> >> NAT is a routing function.  iptables does both firewalling and routing.
> >> 
> >> Perhaps Huan is guessing your intent correctly (a DMZ), but that's not
> >> what I'm getting from your description.
> >> 
> >> Can you describe the intent some more, perhaps give an example situation
> >> where NAT is not what you want?
> >> 
> >> Cheers,
> >> -Brian
> >> 
> >> 
> >> -----Original Message-----
> >> From: TriLUG [mailto:trilug-bounces+bhenning=pineresearch.com at trilug.org]
> >> On Behalf Of Ron Kelley via TriLUG
> >> Sent: Wednesday, June 06, 2018 8:24 AM
> >> To: Triangle Linux Users Group General Discussion <trilug at trilug.org>
> >> Subject: [TriLUG] IPTables - disable NAT for a specific source/destination
> >> 
> >> Greetings all,
> >> 
> >> I have a test bed running using IPTables on a RHEL 7 server (a “firewall”
> >> machine).  This machine provides NAT services for an inside network to an
> >> outside network.  For my test, the outside network has the IP space of
> >> 172.16.100/0/24, and the inside network has the IP space of
> >> 192.168.100.0/24.  The firewall has two IP Addresses:  172.16.100.10
> >> (outside) and 192.168.100.1 (inside).
> >> 
> >> As you might expect, all VMs on the inside network go through the
> >> firewall, and their source IP gets NAT’d to the 172.16.100.10 IP.  All
> >> working well.
> >> 
> >> However, I have a unique requirement for one of the inside VMs to go
> >> through the firewall w/out a NAT address.  Essentially, this particular
> >> machine needs a “no nat” statement in the IPTables rules.  In this case,
> >> the firewall is simply a router.
> >> 
> >> I have searched google for any sort of “no nat” example but can’t find
> >> it.  Does anyone have a sample they can share?
> >> 
> >> 
> >> Thanks,
> >> 
> >> -Ron
> >> --
> >> This message was sent to: Brian <bhenning at pineresearch.com> To
> >> unsubscribe, send a blank message to trilug-leave at trilug.org from that
> >> address.
> >> TriLUG mailing list : https://www.trilug.org/mailman/listinfo/trilug
> >> Unsubscribe or edit options on the web  : https://www.trilug.org/
> >> mailman/options/trilug/bhenning%40pineresearch.com
> >> Welcome to TriLUG: https://trilug.org/welcome
> >> --
> >> This message was sent to: Aaron S. Joyner <aaron at joyner.ws>
> >> To unsubscribe, send a blank message to trilug-leave at trilug.org from that
> >> address.
> >> TriLUG mailing list : https://www.trilug.org/mailman/listinfo/trilug
> >> Unsubscribe or edit options on the web  : https://www.trilug.org/
> >> mailman/options/trilug/aaron%40joyner.ws
> >> Welcome to TriLUG: https://trilug.org/welcome
> >> 
> > -- 
> > This message was sent to: Ron Kelley <rkelleyrtp at gmail.com>
> > To unsubscribe, send a blank message to trilug-leave at trilug.org from that address.
> > TriLUG mailing list : https://www.trilug.org/mailman/listinfo/trilug
> > Unsubscribe or edit options on the web        : https://www.trilug.org/mailman/options/trilug/rkelleyrtp%40gmail.com
> > Welcome to TriLUG: https://trilug.org/welcome
> 
>

More information about the TriLUG mailing list