Ubuntu – NAT rules betweek 2 network interfaces (with iptables)

iptablesnat;Ubuntu

this is the current network that I have:

UBUNTU:
  eth0:
    ip: 212.83.10.10
    bcast: 212.83.10.10
    netmask 255.255.255.255
    gateway 62.x.x.x
  eth1:
    ip: 192.168.1.1
    bcast: 192.168.1.255
    netmask: 255.255.255.0
    gateway ?

CENTOS:
  eth0:
    ip: 192.168.1.2
    bcast: 192.168.1.255
    netmask 255.255.255.0
    gateway 192.168.1.1

I basically want this:

Make specific NAT rules from the internet to specific internal servers depending on the port:

Connections incoming to port 80 must be redirected to 192.168.1.2:80

Connections incoming to port 3306 must be redirected to 192.168.1.3:3306

and so on…

I also need one NAT rule to allow the servers in the subnet 192.168.1.x to browse the internet. I need to route the requests on eth0 to eth1 to be able to exit to internet.

Can I do this on the UBUNTU machine with iptables?

Thanks!

Best Answer

For the fist requirement you will need to use DNAT or destination natting it's used like this,

iptables -t nat -A PREROUTING -p tcp --dport TARGETPORT -j DNAT --to TARGET-IP:TARGETPORT

Example:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.1.2:80

For Internet browsing you will need Source Natting:

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source GATEWAY-IP

Or you can use masquarding instead of Source Natting like this:

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE

Also don't forget to open the needed ports on the servers.

Related Solutions

Ubuntu – Use specific interface for outbound connections (Ubuntu 9.04)

You should only have one default gateway. If you remove the gateway line from eth1, it'll all just work (after networking is restarted).

Firewall – Multiple interface NAT routing

These rules probably don't do what you want. The first rule permits any new connection from eth1 and eth2, the second permits everything from eth0 and eth1. This appears to permit everything from any interface basically making your firewall pointless.

iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth2 -j ACCEPT

You may mean this instead.

iptables -A INPUT -m state --state NEW -i eth1 -j ACCEPT

Anyway, instead of adding things to rc.local I would probably update your /etc/network/interfaces to look like this. I am making some guesses about what you have for masks, so be sure to check and update. You probably should be adding all of the link routes to the fiber table.

auto eth0
iface eth0 inet static
  address 192.168.1.2
  netmask 255.255.255.0
  network 192.168.1.0
  broadcast 192.168.1.255
  gateway 192.168.1.1
  up ip route add table fiber scope link proto kernel dev eth0 192.168.1.0/24

auto eth1
iface eth1 inet static
  address 10.254.239.1
  netmask 255.255.255.0
  network 10.254.239.0
  broadcast 10.254.239.255
  up ip route add table fiber scope link proto kernel dev eth1 10.254.239.0/24

auto eth2
iface eth2 inet static
  address 20.20.20.22
  netmask 255.255.255.252
  network 20.20.20.20
  broadcast 20.20.20.23
  up ip route add table fiber scope link proto kernel dev eth2 20.20.20.20/30
  up ip route add default via 20.20.20.21 table fiber
  up ip rule add fwmark 2 table fiber

Best Answer

Related Solutions

Ubuntu – Use specific interface for outbound connections (Ubuntu 9.04)

Firewall – Multiple interface NAT routing

Related Topic