I now played around with iptables (the whole day) to make my rules work, but there is one issue: all traffic that I redirect goes through my server and back through my server. We are talking about a high, HIGH amount of bandwidth.
I want to forward port 2222 on an Ubuntu 12.04 server to remote host 1.2.3.4 port 22, using iptables.
After reading many web pages on port-forwarding, I issue
$ sysctl net.ipv4.conf.eth0.forwarding
net.ipv4.conf.eth0.forwarding = 1
$ sudo iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 2222 -j DNAT --to-destination 1.2.3.4:22
Which forwards traffic as I desired. But ssh does not work.
There are lots of questions on here about iptables DNAT/SNAT setups but I haven't found one that solves my current problem.
I have services bound to the IP address of eth0 (e.g. 192.168.0.20) and I also have an IP address on eth0:0 (192.168.0.40) which is shared with another server. Only one server is active, so this alias interface comes and goes depending on which server is active.
I am trying to translate outgoing UDP packets with a source port of X to a source port of Y.
I have done this using the following iptables rule:
iptables -t nat -A POSTROUTING -s 10.0.0.1 -p udp --sport X -j SNAT --to-source 10.0.0.1:Y
The counters for this rule increase when packets with a source port of X are generated, but completely vanish after that.
I am using a Strongswan VPN server on a Debian Squeeze machine. The incoming VPN clients get an IP of the 192.168.99.0/24 subnet.
As I am using this VPN mainly to have encryption when using non-encrypted WLANs I am doing a source NAT into the internet using iptables.
I use ddwrt to redirect traffic to my squid/dansguardian box. It does this transparently using the iptables script below.
#!/bin/sh
PROXY_IP=192.168.1.2
PROXY_PORT=8080
LAN_IP=`nvram get lan_ipaddr`
LAN_NET=$LAN_IP/`nvram get lan_netmask`
iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp --dport 80 -j ACCEPT
Hi,
I'm trying to set up connection sharing in Fedora 15 to a Windows machine. I have the following setup:
Modem to Router
Router to Linux machine "Wifi"
Eth0 set to share the connection.
I get Internet on the Windows machine no problem. The issue is that when hosting a game server on the Windows machine, no one can connect to my server by my external IP.
I've been reading info
I have 2 servers and I need to forward to an internal port.
To explain I use the server with 2 interfaces (internal/external) as server A and the internal server as server B.
In server A I use
iptables -A PREROUTING -t nat -i $extif -p tcp --dport $extif_port -j DNAT --to-destination $dst_ip:$dst_port
iptables -A FORWARD -t filter -d $dst_ip -j ACCEPT
iptables -A POSTROUTING -t nat -p tcp -s $ds
I want to set up a VPN server for personal use, so I followed the blog article [1], and it works like a charm.
The only thing I am wondering is whether the iptables rule is secure, e.g.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
And I have only one public interface, eth0. Is there any risk in using the rule above?
From other places, I see other alternatives for iptables rules, e.g.
1.
sudo ipta