This page is intended to help people who have a DNAT on their router and need a connection from one 192.168.x address to another 192.168.x address (made via the public name/address) to be redirected correctly, the so-called "hairpin" or NAT-loopback case. We are only talking about ONE interface, the internal one. For the topic discussed, the "external" interface might even be the same as the internal one, i.e. using the same 192.168 IP.
THE SETUP: A router with local IP 192.168.1.1 and internet IP x.y.z.p. Several clients on the 192.168.1.0/24 network (hosts .100 and up). A fully qualified DNS name (fqdn) pointing to x.y.z.p, and at least one "DNATed" server with a real IP of 192.168.1.10, i.e. the router has a PREROUTING rule that rewrites the destination of traffic for x.y.z.p to 192.168.1.10.
THE PROBLEM: Host 192.168.1.100 resolves the fqdn to x.y.z.p, sends its SYN to the router, and the connection never completes. It looks like a bug, but it is really a consequence of the reply path: the server's answer goes straight back to the client over the LAN without passing through the router, so it is never un-NATed (see THE FAQ). The rest of this document explains this and offers several workable solutions.
THE SOLUTIONS:
1. Use a separate DNS view to point the 192.168.1.x clients at the server's real 192.168.1.10 address (split-horizon DNS). This is (IMHO) the BEST solution, but it also used to be the HARDEST (until dnsmasq came along).
1a. Use 'hosts' files on all the clients. Add 192.168.1.10 against every fqdn the server answers to, in /etc/hosts on Unix hosts or in the hosts file under \System32\drivers\etc on Windows (not lmhosts, which only covers NetBIOS names), on each internal client and on the server itself. Simple, but every change has to be repeated on every machine.
1b. Use dnsmasq on the router, along with or as your DHCP server. Works nicely. Configure it to answer DNS requests only from internal machines, never on the internet-facing interface. Edit /etc/hosts (or a separate hosts file that dnsmasq also reads) on the router to give 192.168.1.10 for all of the fqdn's of the server. Then either make a REDIRECT rule so that DNS queries arriving on the internal interface (eth1, as in the rules of solution 2 below) are answered by dnsmasq, eg
    iptables -t nat -I PREROUTING -i eth1 -p udp --dport 53 -j REDIRECT
(repeat it with -p tcp, since resolvers fall back to TCP for large answers), or hand out the router as primary DNS server via DHCP, or manually change everybody's DNS settings to point at the router. (This is where DHCP with static assignments comes in very handy.) This leaves just one place to enter fqdn addresses.
1c. Run another DNS server for just your internal clients. Because the record you want to change lives in the same zone as all the public records, you can't override a single record: the internal server must carry a complete copy of the zone, so you will have to duplicate all the DNS records and keep them in sync. Another problem you will run into is that the clients can't have a backup DNS server unless you set up more than one internal DNS server (a public secondary in the client's resolver list would hand back x.y.z.p again). To combat this and other problems* I always run a DNS server/cache on every host. For this dnsmasq is small, so it won't hurt your clients much, and is easy to set up.
*gethostbyaddr() (the reverse lookup of the peer's IP, which the page calls GetHostByIp) is a blocking function call used by most servers (telnet, ssh, smtp, pop3, imap, http, etc.) that will BLOCK for the full resolver timeout, up to about a minute with the old default settings (timeout times retries for each listed nameserver), if your nameserver(s) are down. THIS IS NOT A BUG, IT'S A GOOD DESIGN. The end result is names instead of IPs in the logs, and it is needed for hosts.deny (TCP wrappers) and the like.
2. Use an SNAT to 192.168.1.1 for traffic from 192.168.1.0/24 to the DNATed server, eg on the router
    iptables -t nat -A POSTROUTING -o eth1 -d 192.168.1.10 -s 192.168.1.0/24 -j SNAT --to-source 192.168.1.1
    iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.10 -j SNAT --to-source x.y.z.p
The first rule is the one that fixes the hairpin: the server sees the connection as coming from 192.168.1.1, so every reply is forced back through the router, which un-SNATs and un-DNATs it from its conntrack entry. The second is the ordinary outbound SNAT for the server's own traffic to the internet (eth0 being the external interface) and is shown for completeness. Two caveats: the router's DNAT rule must also match packets arriving on the internal interface (don't restrict it with -i eth0), and the server sees 192.168.1.1 instead of the real client address in its logs and access controls, while the clients see x.y.z.p.
3. Place the servers and the clients on different subnets, so that the server has no direct route to the clients and its replies have to pass through the router.
3a. Change the server's IP to a different subnet and add a virtual IP (alias) on the router in that subnet to be the server's gateway. This sends ALL traffic between the server and the clients through the router, so it isn't practical if the server has a large amount of local traffic from other services. If you want to pass that traffic directly, add a host route and static ARP entry for the server on each client.
3b. Add a virtual IP to the server (192.168.2.10 on eth0:1) and a matching virtual IP on the router (192.168.2.1 on eth1:1) to act as its gateway. Change the router's DNAT to the second server address and add iproute2 definitions on the server to force replies sent from 192.168.2.10 back via the router, eg
    echo "300 router" >> /etc/iproute2/rt_tables     (or wherever the tables file lives)
    ip route add 192.168.2.0/24 dev eth0 src 192.168.2.10 table router
    ip route add default via 192.168.2.1 table router
    ip route add 192.168.2.0/24 dev eth0 src 192.168.2.10
    ip rule add from 192.168.2.10 table router
(ip takes the real device name, eth0, not the eth0:1 alias label). The rule makes sure replies from 192.168.2.10 to 192.168.1.0/24 go back to the router rather than being delivered directly on the LAN, and the router reverses the DNAT from its conntrack entry so the client sees x.y.z.p. An outgoing SNAT on the router,
    iptables -t nat -A POSTROUTING -o eth1 -s 192.168.2.10 -j SNAT --to-source x.y.z.p
is not needed for those replies; it only makes connections that the server itself opens to the clients appear to come from x.y.z.p.
3c. Use a second set of NICs for the servers and the clients, i.e. separate physical segments. This is good for HA/mission-critical servers as they don't have to compete with the clients for the router's incoming bandwidth (which cannot be shaped on the receiving side). You must still use routing rules as in 3b to pass the replies back out the interface the request came in on, rather than letting the server deliver them directly.
4. Give the server a route to 192.168.1.1/32 only, instead of 192.168.1.0/24, so that every packet, even to its neighbours, goes via the router. This is more difficult than 2 and doesn't gain a whole lot: the server loses direct local connectivity and broadcasts. Its one advantage over 2 is that the server still sees the real client addresses, because the router only reverses the DNAT.
5. Add a proxy to the network. Use mod_proxy or mod_rewrite etc., or the ACLs of a caching proxy, to pull content from 192.168.1.10 and serve it from the proxy. If it is installed on the router, however, it is a huge CPU and disk drain, and a security risk too, since the router now runs an application-level service exposed to the clients.
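For solution 1b, here is a complete dnsmasq configuration for the router that does what the paragraph describes. It is an added example, not a file from the original page: the host names www.example.com and mail.example.com, the hosts-file path /etc/dnsmasq.hosts, the MAC address and the DHCP range are placeholders, and eth1/eth0 are the internal/external interfaces as in the iptables rules of solution 2. Upstream resolvers come from /etc/resolv.conf as usual.

```conf
# /etc/dnsmasq.conf on the router (example configuration, not from the page)

# Serve DNS and DHCP on the internal interface only, never on the internet side.
interface=eth1
except-interface=eth0
bind-interfaces

# Don't forward bare names or reverse lookups for private ranges upstream.
domain-needed
bogus-priv

# Internal view of the DNATed server. dnsmasq already serves the router's
# /etc/hosts; a separate file keeps the overrides in one place, e.g. a line
#   192.168.1.10  www.example.com mail.example.com
addn-hosts=/etc/dnsmasq.hosts

# Alternatively override a name and all of its subdomains directly.
address=/www.example.com/192.168.1.10

# DHCP: hand out the router as the only DNS server, so no client bypasses the
# internal view, and pin the server's address statically (placeholder MAC).
dhcp-range=192.168.1.100,192.168.1.200,12h
dhcp-option=option:dns-server,192.168.1.1
dhcp-host=00:11:22:33:44:55,192.168.1.10,server
```

Check it from a client with `dig www.example.com @192.168.1.1`: it should return 192.168.1.10, while the same query against a public resolver still returns x.y.z.p.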
THE DON'T WORK: 1. Never use a stateless destination rewrite (plain packet mangling without conntrack) for the hairpin case on the 192.168.1.x interface. The rewritten packets do reach the server, but its replies go straight to the client, never get un-NATed, and so appear to come from the wrong host (192.168.1.10 instead of x.y.z.p) and are dropped by the client.
THE FAQ: Q: Why doesn't it just work without all of this?
A: The DNAT lets the SYN through, but the router never sees the SYN+ACK. That packet is sent directly from 192.168.1.10 to 192.168.1.100 over the LAN, because both hosts are in the same subnet, so it never passes through 192.168.1.1. As far as the router's conntrack is concerned the connection was never answered, so its entry sits in SYN_SENT until it times out. As far as the client is concerned, it is waiting for a reply from x.y.z.p that never arrives, and it answers the unexpected SYN+ACK from 192.168.1.10 with a RST because that packet matches no socket. The client keeps retransmitting its SYN until it gives up.
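The exchange described in the FAQ, and what solution 2 (hairpin SNAT) and solutions 3/4 (replies forced through the router) change about it, as an added simulation that is not code from the original page. It models the three hosts from THE SETUP with a minimal conntrack table standing in for netfilter; 203.0.113.5 (a TEST-NET-3 address) is a constructed stand-in for x.y.z.p, and the ports 40000 and 80 are likewise constructed.

```python
"""Why a DNAT on a single /24 fails, and what the SNAT/route fixes change.

Added example, not code from the original page. Hosts: client 192.168.1.100,
router 192.168.1.1 whose public side x.y.z.p is stood in for by 203.0.113.5
(constructed for this example), DNATed server 192.168.1.10.
"""
from dataclasses import dataclass, replace

PUBLIC = "203.0.113.5"      # placeholder for x.y.z.p
ROUTER = "192.168.1.1"
CLIENT = "192.168.1.100"
SERVER = "192.168.1.10"
LAN_PREFIX = "192.168.1."


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str


def on_link(ip: str) -> bool:
    """A host in 192.168.1.0/24 ARPs for these addresses and delivers directly."""
    return ip.startswith(LAN_PREFIX)


class Router:
    """192.168.1.1 / x.y.z.p with a conntrack table.

    PREROUTING: DNAT dst x.y.z.p -> 192.168.1.10 on every interface.
    POSTROUTING (hairpin_snat only): SNAT src 192.168.1.0/24 -> 192.168.1.1
    for packets whose translated destination is the server (solution 2).
    """

    def __init__(self, hairpin_snat: bool) -> None:
        self.hairpin_snat = hairpin_snat
        # original (src, sport, dst, dport) -> translated (src, dst)
        self.conntrack = {}

    def forward(self, pkt: Packet) -> Packet:
        # Reply direction: a packet that is the reverse of a translated tuple
        # gets both NATs undone from the conntrack entry, as netfilter does.
        for (osrc, osport, odst, odport), (tsrc, tdst) in self.conntrack.items():
            if (pkt.src, pkt.sport, pkt.dst, pkt.dport) == (tdst, odport, tsrc, osport):
                return replace(pkt, src=odst, dst=osrc)
        # Original direction: PREROUTING DNAT, then POSTROUTING SNAT.
        tdst = SERVER if pkt.dst == PUBLIC else pkt.dst
        hairpin = self.hairpin_snat and on_link(pkt.src) and tdst == SERVER
        tsrc = ROUTER if hairpin else pkt.src
        self.conntrack[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = (tsrc, tdst)
        return replace(pkt, src=tsrc, dst=tdst)


def simulate(hairpin_snat: bool, server_replies_via_router: bool) -> dict:
    """One SYN / SYN+ACK exchange from the client to x.y.z.p:80.

    hairpin_snat              -> solution 2 (SNAT to 192.168.1.1 on the router).
    server_replies_via_router -> solutions 3/4: the server has no on-link route
                                 to the clients, so every reply crosses the router.
    Returns the peer address the server saw, where the client's SYN+ACK came
    from, and whether the client's socket accepted it.
    """
    router = Router(hairpin_snat)
    sport, dport = 40000, 80

    # x.y.z.p is not on-link, so the client hands the SYN to its default gateway.
    syn = Packet(CLIENT, PUBLIC, sport, dport, "SYN")
    syn_at_server = router.forward(syn)
    server_saw = syn_at_server.src

    # The server replies to whatever address the SYN came from.
    synack = Packet(SERVER, server_saw, dport, syn_at_server.sport, "SYN+ACK")
    direct = on_link(synack.dst) and synack.dst != ROUTER and not server_replies_via_router
    # Direct delivery over ARP means the router never sees this packet.
    synack_at_client = synack if direct else router.forward(synack)

    # The client's socket waits for x.y.z.p:80 -> 192.168.1.100:40000; anything
    # else matches no socket and is answered with a RST.
    expected = (PUBLIC, dport, CLIENT, sport)
    got = (synack_at_client.src, synack_at_client.sport,
           synack_at_client.dst, synack_at_client.dport)
    return {
        "server_saw": server_saw,
        "client_got_from": synack_at_client.src,
        "client_accepted": got == expected,
    }


if __name__ == "__main__":
    for label, args in (("DNAT only (THE PROBLEM)", (False, False)),
                        ("DNAT + hairpin SNAT (solution 2)", (True, False)),
                        ("DNAT + replies routed via router (3/4)", (False, True))):
        print(f"{label}: {simulate(*args)}")
```

Running it, the first case shows the SYN+ACK arriving from 192.168.1.10 and being refused, while the other two are accepted. Note the trade-off the page's solutions make: only solution 2 costs the server the real client address (server_saw becomes 192.168.1.1), whereas routing the replies through the router keeps it and only reverses the DNAT.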
