Scientific Linux Forum.org

How to Configure Full cone NAT using iptables?, use iptables to configure a full NAT
lvl1s7a
 Posted: Jan 10 2012, 12:33 PM


SLF Newbie


Group: Members
Posts: 1
Member No.: 1186
Joined: 10-January 12

Hi Experts;

I want to find the right iptables commands combination to address the following need:

- NEs are NATed through the linux box (using iptables) towards the WAN cloud, where the NTP servers are situated.
- In order to achieve redundancy, the NTP Servers are in a load balancing cluster with one virtual IP address (172.30.4.245).
- The problem is that when the NEs request NTP updates using 172.30.4.245, the NTP response is received from one of the actual IP addresses (.200, .230, .240).

Example:

iptables is not allowing this flow, which is normal behaviour since the requested vs. responding addresses are not the same (172.30.4.245 vs. 172.30.4.230):

Request:  UDP 10.68.2.11:23445 ---> 172.30.4.245:123 (this is before NAT; of course, after NAT the source is 10.23.14.72)
Response: UDP 172.30.4.230:123 ---> 10.23.14.72:23445 (response to the WAN address)

I'm wondering if there is any way to let iptables establish the UDP flow only based on the (s-port/d-port) regardless of the IP addresses, and execute the NAT back to the LAN based on that.

UDP/NTP is just an example; almost all the needed services are set up in the same way (load balancing in a cluster).

user posted image

Appreciate your help !

Thanks & Regards
lvl1s7a
helikaon
 Posted: Jan 11 2012, 04:20 PM


SLF Moderator

Group: Moderators
Posts: 628
Member No.: 4
Joined: 8-April 11

Hi there,
1. nice nick :-)
2. nice picture and description of the problem
3. not sure about your rules already in place, but if I were to suppose a scenario where your linux router has 2 NIC interfaces:
:eth0 == outside world (WAN)
:eth1 == inside world of the LAN env.
:eth1 has the eth0 IP set up as gateway
:and also that packet forwarding is enabled in /etc/sysctl.conf
:and also that eth1 is set up as the gateway on the LAN clients (desktops, other servers, whatever)

very roughly and very debatable, a few lines:


CODE

# accept port 123 (NTP) communication on the WAN interface
iptables -t filter -A INPUT -i eth0 -p udp --dport 123 -j ACCEPT
iptables -t filter -A OUTPUT -o eth0 -p udp --sport 123 -j ACCEPT

# accept all from the LAN on eth1
iptables -t filter -A INPUT -p ALL -i eth1 -s 10.68.2.0/24 -j ACCEPT

# get everything forwarded between the interfaces
# (WAN -> LAN only for replies conntrack already knows about)
iptables -t filter -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -i eth1 -o eth0 -j ACCEPT

# translate inside IPs to the outside IP
iptables -t nat -A POSTROUTING -o eth0 -s 10.68.2.0/24 -j SNAT --to 10.23.14.72



cheers,
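As an added example (not code from the thread or from either poster), the following Python script models the two NAT behaviours the thread is about. The conntrack-style model matches a reply only if it reverses the exact flow the request opened, which is what the FORWARD rule with --state ESTABLISHED,RELATED in the reply relies on; under it the NTP answer from 172.30.4.230 does not match the flow opened towards 172.30.4.245 and is dropped. The full-cone model keys the mapping only on the mapped port, so the answer is translated back to the NE, but so is a packet from any other host. The 172.30.4.0/24 cluster range used to restrict senders and the stray address 198.51.100.9 are assumptions made for the example; the other addresses are the ones from the thread.

```python
"""Toy model of UDP NAT bookkeeping for the NTP scenario in this thread.

Constructed example, not code from the thread. It contrasts two policies:
  * ConntrackNAT: a reply is only translated back if it reverses the full
    flow tuple (remote IP + port, mapped IP + port) of the original request,
    which is what the FORWARD rule with --state ESTABLISHED,RELATED enforces.
  * FullConeNAT: any remote host may send to the mapped port, optionally
    restricted to an allowed sender range.
Addresses come from the thread; the 172.30.4.0/24 cluster range and the
stray host 198.51.100.9 are assumptions made for the example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, Optional, Tuple

WAN_IP = "10.23.14.72"                  # SNAT address used in the thread
CLUSTER = ip_network("172.30.4.0/24")   # assumed: subnet holding the NTP cluster members


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class ConntrackNAT:
    """Stateful NAT: a reply must mirror the exact 5-tuple of the outbound flow."""

    def __init__(self) -> None:
        # (mapped_ip, mapped_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.table: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}

    def outbound(self, p: Packet) -> Packet:
        # SNAT that keeps the source port, as iptables does when it is free
        self.table[(WAN_IP, p.sport, p.dst, p.dport)] = (p.src, p.sport)
        return Packet(WAN_IP, p.sport, p.dst, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        hit = self.table.get((p.dst, p.dport, p.src, p.sport))
        if hit is None:
            return None  # no matching flow: not ESTABLISHED/RELATED, so not forwarded
        lan_ip, lan_port = hit
        return Packet(p.src, p.sport, lan_ip, lan_port)


class FullConeNAT:
    """Endpoint-independent NAT: the mapped port accepts traffic from any remote host."""

    def __init__(self, allowed: Optional[IPv4Network] = None) -> None:
        self.allowed = allowed  # optional sender restriction (not part of pure full-cone)
        # (mapped_ip, mapped_port) -> (lan_ip, lan_port)
        self.table: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def outbound(self, p: Packet) -> Packet:
        self.table[(WAN_IP, p.sport)] = (p.src, p.sport)
        return Packet(WAN_IP, p.sport, p.dst, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        if self.allowed is not None and ip_address(p.src) not in self.allowed:
            return None  # sender outside the permitted range
        hit = self.table.get((p.dst, p.dport))
        if hit is None:
            return None
        lan_ip, lan_port = hit
        return Packet(p.src, p.sport, lan_ip, lan_port)


def ntp_reply_via(nat) -> Optional[Packet]:
    """The flow from the thread: request to the VIP, reply from a real member."""
    nat.outbound(Packet("10.68.2.11", 23445, "172.30.4.245", 123))
    return nat.inbound(Packet("172.30.4.230", 123, WAN_IP, 23445))


def stray_packet_via(nat) -> Optional[Packet]:
    """An unrelated host (assumed address) sends to the mapped port."""
    nat.outbound(Packet("10.68.2.11", 23445, "172.30.4.245", 123))
    return nat.inbound(Packet("198.51.100.9", 123, WAN_IP, 23445))


if __name__ == "__main__":
    print("conntrack, NTP reply :", ntp_reply_via(ConntrackNAT()))
    print("full cone, NTP reply :", ntp_reply_via(FullConeNAT()))
    print("full cone, stray     :", stray_packet_via(FullConeNAT()))
    print("restricted, stray    :", stray_packet_via(FullConeNAT(allowed=CLUSTER)))
```

Running it shows the conntrack model returning None for the NTP reply while the full-cone model translates it back to 10.68.2.11:23445. The restricted variant shows the trade-off a defender cares about: a mapping that accepts any sender exposes the NE's port to every host on the WAN, so limiting accepted senders to the cluster's subnet keeps the load-balanced replies working without that exposure.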