Scientific Linux Forum.org -> How to Configure Full cone NAT using iptables ?

This forum is proudly powered by Scientific Linux 6

SL website Download SL Help Search Members

Welcome Guest ( Log In | Register )

Resend Validation Email

Scientific Linux Forum.org -> Support -> Networking and wireless

How to Configure Full cone NAT using iptables ?, use iptables to configure a full NAT

Track This Topic | Email This Topic | Print This Topic

lvl1s7a	Posted: Jan 10 2012, 12:33 PM
SLF Newbie Group: Members Posts: 1 Member No.: 1186 Joined: 10-January 12	Hi Experts; I want to find the right iptables commands combination to address the following need: - NEs are NATed thru the linux box (using iptables) towards the WAN cloud, where the NTP servers are situated. - In order to achieve redundancy, the NTP Servers are in a load balancing cluster with one virtual IP address (172.30.4.245) - The problem is that when the NEs request for NTP updates using the 172.30.4.245, the NTP response is received from one of the actual IP addresses (.200, .230 .240). Example: The iptables is not allowing this flow, which is a normal behaviour since the requested vs responding address are not the same (172.30.4.245 vs 172.30.4.230) : Request : UDP 10.68.2.11:23445 ---> 172.30.4.245:123 (this is Before NAT, of course after NAT the source is 10.23.14.72) Response: UDP 172.30.4.230:123 ---> 10.23.14.72:23445 (Response to the WAN address) I'm wondering if there is any way to let iptables establish the UDP flow only based on the (s-port/d-port) regardless of the IP addresses, and execute the NAT back to the LAN based on that. UDP/NTP is just an example, almost all the needed services are setup in the same way (load balancing in Cluster). Appreciate your help ! Thanks & Regards lvl1s7a
	^

helikaon

Posted: Jan 11 2012, 04:20 PM

SLF Moderator

Group: Moderators
Posts: 514
Member No.: 4
Joined: 8-April 11

Hi there,
1. nice nick

2. nice picture and description of problem
3. not sure about your rules already on place, but, if i would suppose scenario, when your linux router has 2 NIC interfaces:
:eth0 == outside world (WAN)
:eth1 == inside world of LAN env.
:eht1 has as gateway setup the eth0 IP
:and also that the packet forwarding is enabled in /etc/sysctl.conf
:and also that eth1 is setup as gateway on the LAN clients (desktops, other servers, whatever)

very roughly and very discutable a few lines:

CODE

# accept 123 port communication
iptables -t filter -A INPUT -i eth0 -p udp --dport 123 -j ACCEPT
iptables -t filter -A OUTPUT -o eth0 -p udp --sport 123 -j ACCEPT

# accept all from lan to eth1
iptables -t filter -A INPUT -p ALL -i eth1 -s 10.68.2.0/24 -j ACCEPT

# get all forwareded between interffaces
iptables -t filter -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -i eth1 -o eth0 -j ACCEPT

# to translate inside IPs to outside IP
iptables -t nat -A POSTROUTING -o eth0 -s10.68.2.0/24 -j SNAT --to 10.23.14.72

cheers,

--------------------

What is SL? - Forum Rules - Repository configuration - Howto post images - Howto post long text and config files - TUV docs

0 User(s) are reading this topic (0 Guests and 0 Anonymous Users)

0 Members:

« Next Oldest | Networking and wireless | Next Newest »

Powered by Invision Power Board (Jcink.com Free Forum Hosting) © 2012 IPS, Inc.
Page creation time: 0.5927 · Mobile | Lo-Fi