0

i am trying to learn NAT with iptables but i ran into some confusions.

i am having two virtual machines with ips 18.43 lets say B and 18.42 C running webservers on port 80. i need to NAT every traffic coming on B:80 to C:80 (Do not want to use any other techinique other than NAT)

rule on B with ip-forward on and Default Policy of every chain is to ACCEPT

iptables -t nat -A PREROUTING -p tcp -d 10.10.18.43 --dport 80 -j  DNAT --to 10.10.18.42:80

When i make request from A(my machine 11.46) to B:80 i can see the following on tcpdump of Machine B

12:24:43.488944 IP 10.10.11.46.43149 > 10.10.18.43.http: Flags [S], seq 3856561847, win 14600, options [mss 1460,sackOK,TS val 2554127 ecr 0,nop,wscale 5], length 0
12:24:43.488986 IP 10.10.11.46.43149 > 10.10.18.42.http: Flags [S], seq 3856561847, win 14600, options [mss 1460,sackOK,TS val 2554127 ecr 0,nop,wscale 5], length 0
12:24:44.488106 IP 10.10.11.46.43149 > 10.10.18.43.http: Flags [S], seq 3856561847, win 14600, options [mss 1460,sackOK,TS val 2554377 ecr 0,nop,wscale 5], length 0
12:24:44.488138 IP 10.10.11.46.43149 > 10.10.18.42.http: Flags [S], seq 3856561847, win 14600, options [mss 1460,sackOK,TS val 2554377 ecr 0,nop,wscale 5], length 0
12:24:46.492250 IP 10.10.11.46.43149 > 10.10.18.43.http: Flags [S], seq 3856561847, win 14600, options [mss 1460,sackOK,TS val 2554878 ecr 0,nop,wscale 5], length 0
12:24:46.492283 IP 10.10.11.46.43149 > 10.10.18.42.http: Flags [S], seq 3856561847, win 14600, options [mss 1460,sackOK,TS val 2554878 ecr 0,nop,wscale 5], length 0

Also on the Machine C i am getting following on tcpdump

 12:24:43.497050 IP 10.10.11.46.43149 > 10.10.18.42.http: Flags [S], seq 3856561847, win 14600, options [mss 1460,sackOK,TS val 2554127 ecr 0,nop,wscale 5], length 0
 12:24:43.497116 IP 10.10.18.42.http > 10.10.11.46.43149: Flags [S.], seq 450030769, ack 3856561848, win 14480, options [mss 1460,sackOK,TS val 2097931 ecr 2554127,nop,wscale 7], length 0
 12:24:44.496174 IP 10.10.11.46.43149 > 10.10.18.42.http: Flags [S], seq 3856561847, win 14600, options [mss 1460,sackOK,TS val 2554377 ecr 0,nop,wscale 5], length 0
 12:24:44.496227 IP 10.10.18.42.http > 10.10.11.46.43149: Flags [S.], seq 450030769, ack 3856561848, win 14480, options [mss 1460,sackOK,TS val 2098181 ecr 2554127,nop,wscale 7], length 0
 12:24:44.970715 IP 10.10.18.42.http > 10.10.11.46.43149: Flags [S.], seq 450030769, ack 3856561848, win 14480, options [mss 1460,sackOK,TS val 2098300 ecr 2554127,nop,wscale 7], length 0.
 12:24:46.500288 IP 10.10.11.46.43149 > 10.10.18.42.http: Flags [S], seq 3856561847, win 14600, options [mss 1460,sackOK,TS val 2554878 ecr 0,nop,wscale 5], length 0
 12:24:46.500336 IP 10.10.18.42.http > 10.10.11.46.43149: Flags [S.], seq 450030769, ack 3856561848, win 14480, options [mss 1460,sackOK,TS val 2098682 ecr 2554127,nop,wscale 7], length 0
 12:24:46.970717 IP 10.10.18.42.http > 10.10.11.46.43149: Flags [S.], seq 450030769, ack 3856561848, win 14480, options [mss 1460,sackOK,TS val 2098800 ecr 2554127,nop,wscale 7], length 0

But i am not getting any Reply back to Machine A.,If my interpretation is correct on machine C packets are coming as source ip 11.46(A) and 18.42(C) is replying to A but why are the packets not reaching A.Do i need more rules on B to make this work.

Update

added SNAT

SNAT       tcp  --  anywhere             anywhere             to:10.10.18.43:80

Tcpdump on machine B:

   15:13:38.816289 IP 10.10.11.46.44423 > 10.10.18.43.http: Flags [P.], seq 2436344770:2436345215, ack 4133534960, win 892, options [nop,nop,TS val 5087771 ecr 4627759], length 445
15:13:38.816332 IP 10.10.18.43.http > 10.10.18.42.http: Flags [P.], seq 2436344770:2436345215, ack 4133534960, win 892, options [nop,nop,TS val 5087771 ecr 4627759], length 445
15:13:38.817173 IP 10.10.18.42.http > 10.10.18.43.http: Flags [P.], seq 1:159, ack 445, win 231, options [nop,nop,TS val 4631763 ecr 5087771], length 158
15:13:38.817206 IP 10.10.18.43.http > 10.10.11.46.44423: Flags [P.], seq 1:159, ack 445, win 231, options [nop,nop,TS val 4631763 ecr 5087771], length 158
15:13:38.818819 IP 10.10.11.46.44423 > 10.10.18.43.http: Flags [.], ack 159, win 926, options [nop,nop,TS val 5087772 ecr 4631763], length 0
15:13:38.818830 IP 10.10.18.43.http > 10.10.18.42.http: Flags [.], ack 159, win 926, options [nop,nop,TS val 5087772 ecr 4631763], length 0

tcpdump on machine C:

15:13:38.824622 IP 10.10.18.43.http > 10.10.18.42.http: Flags [P.], seq 2436344770:2436345215, ack 4133534960, win 892, options [nop,nop,TS val 5087771 ecr 4627759], length 445
15:13:38.824880 IP 10.10.18.42.http > 10.10.18.43.http: Flags [P.], seq 1:159, ack 445, win 231, options [nop,nop,TS val 4631763 ecr 5087771], length 158
15:13:38.826811 IP 10.10.18.43.http > 10.10.18.42.http: Flags [.], ack 159, win 926, options [nop,nop,TS val 5087772 ecr 4631763], length 0
MadHatter
  • 81,580
Kevin Parker
  • 777

2 Answers2

0

iptables -t nat -A PREROUTING -p tcp -d 10.10.18.43 --dport 80 -j DNAT --to 10.10.18.42:80

As khaled specified machine A was confused with reply from C and Rejected all the packets from C.

SNAT ing source ip fixed this

iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to 10.10.18.43

Community
  • 1
Kevin Parker
  • 777
-1

You did not tell us exactly how these machines are connected and whether they are attached to a single subnet or not. However, I can assume at least that machines B and C are in the same subnet and machine A is in different one.

Your setup will not work this way. You will not receive any response back to your machine A because the server C is replying back directly to machine A and not through NATing box (server B in this case).

Machine A will get confused as it is sending to machine B and receiving response back from machine C.

In order to make it work, you need to do the NATing on the gateway of machines B and C.

Khaled
  • 37,789