2

I would like to redirect all traffic (specifically TCP & UDP) from multiple WAN interfaces (ppp0, ppp1, ppp2) to a single IP from eth0.
When it comes to interface to IP, I can use the PREROUTING and POSTROUTING and change the destination and source IP accordingly.
But in that case (with multiple interfaces), how can I tell which IP to use as source-IP in POSTROUTING?

So IPs of ppp0-ppp3 are changing, and eth0 remains "192.168.1.5".
I would like to forward traffic to IP: "192.168.1.10".

For example (for TCP only), I would direct incoming connections to eth0 using: 

iptables -t nat -A PREROUTING -p tcp --dport 5000 -j DNAT --to-destination 192.168.1.10:5000
iptables -t nat -A POSTROUTING -p tcp -d 192.168.1.10 --dport 5000 -j SNAT --to-source 192.168.1.5`

But with multiple interfaces (IPs) I don't know how to set the POSTROUTING rule to the source remains the same?
So question is - am I supposed to use iptables techniques to "save" that IP and than use it as source, or there's another way for doing that?
I found a link that looks like what I need, but I can't figure out how to implement it: http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/multiple-ips.html.

Bottom line, I need "DMZ" from multiple interfaces to a single IP.

RoeeK
  • 151
  • 2
  • 8

1 Answers1

1

Link at the bottom of your question is aimed at people who have multiple exit IPs. Since you are trying to push packages through eth0 (192.168.1.5) - you don't have IP aliases and you don't have multiple exit IPs but a single IP.

So, lets say ppp0 has ip range: 10.100.100.0/24, initial packet connecting to your host will look something like:

 | SRC IP        | DST IP       |
 | 10.100.100.10 | 10.100.100.1 |

Your first rule is correct:

-t nat -A PREROUTING -p tcp --dport 5000 -j DNAT --to-destination 192.168.1.10:5000

So, whenever a machine behind ppp0-ppp3 tries to contact your host (192.168.1.5) on port 5000, packets will get re-routed to 192.168.1.10. Packet will look like:

 | SRC IP        | DST IP       |
 | 10.100.100.10 | 192.168.1.10 |

Now, you're routing packets through your host, so you have to enable IP forwarding:

sysctl -w net.ipv4.ip_forward=1

But, when destination (192.168.1.10) gets packet, it will see source 10.100.100.10 and it will return packet to his own default gateway. What you can do is set up static routes on 192.168.1.10 that will tell that host that packages originating from 10.100.100.0/24 are routed via 192.168.1.5, something like:

ip route add 10.100.100.0/24 via 192.168.1.5

This way, you wouldn't need to add any POSTROUTING rules, because destination (192.168.1.10) would automatically know where to return packets.

But, if that solution isn't viable for whatever reason (or you personally don't like it), next thing what I would suggest is to use MASQUERADE on eth0:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

DNAT solution will also probably work. Just make sure your FORWARD chain is set to ACCEPT and not filter packages on their way through your host.

Jakov Sosic
  • 5,267
  • 4
  • 24
  • 35
  • while trying to make sure i understand, the common initiative connection will be from client in ppp0 network (e.g. 10.100.100.10) connecting to my server's ppp0 IP (e.g. 10.100.100.1). so the packet will look like: "SRC IP - 10.100.100.10, DSP IP - 10.100.100.1". same thing will be on 2 other ppp interfaces on other networks – RoeeK Dec 11 '14 at 14:40
  • Ah I didn't know that, although that doesn't change much. Where do you observe problems? Returning traffic is not hitting machines behind ppp0-3 ? – Jakov Sosic Dec 11 '14 at 16:19
  • Well, at some point I need to change the source and dest IPs back to the same host IP and ppp interface IP (don't I?), or can I just route all networks to go via 192.168.1.5 which maybe simplifies this whole routing somehow – RoeeK Dec 11 '14 at 17:07
  • Just to make sure, if I want to forward "all traffic" can I just remove the "-p tcp --dport" part, and the port at end of the first rule? – RoeeK Dec 14 '14 at 09:45