Tuesday, September 13, 2011

Setting up SNAT and DNAT with iptables on a single-NIC server

Objective: on a single-NIC server, configure SNAT and DNAT so that both the source IP and the destination IP are rewritten. When SSH-ing into the IP at port 222, the traffic will be NATed as
Environment: CentOS 5.4 server with single NIC, eth0:, eth0:0, eth0:1

1. Enable IP forwarding. This is the most important step: without it everything fails, even on a single-NIC server, as long as SNAT and DNAT are in use.
echo 1 > /proc/sys/net/ipv4/ip_forward

2. /etc/sysconfig/iptables
-A PREROUTING -s -d -p tcp -j DNAT --dport 222 --to-destination
-A POSTROUTING -s -d -p tcp --dport 22 -j SNAT --to-source

:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s -d --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

3. Other uses of iptables NAT
If you want Tomcat to serve port 80, it cannot bind that privileged port without running as root. Instead, let iptables accept connections on port 80 and redirect them to Tomcat listening on an unprivileged port such as 8080:

iptables -t nat -A PREROUTING -d -p tcp -j DNAT --dport 80 --to-destination
iptables -t nat -A PREROUTING -d -p tcp --dport 80 -j REDIRECT --to-ports 8080
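The chain order that steps 1 to 3 rely on, as an added example that is not part of the original post: a Python model in which nat PREROUTING (DNAT/REDIRECT) runs before the routing decision, a non-local destination then needs ip_forward=1 plus an accepting FORWARD rule, and nat POSTROUTING (SNAT) runs last. All addresses are constructed placeholders rather than the post's hosts, and the FORWARD policy is reduced to the post's tcp/22 accept.

```python
# Added example, not from the original post: a small model of the order in
# which netfilter applies the rules from steps 1-3. Every address below is a
# constructed placeholder (RFC 5737 ranges), not one of the post's hosts.
LOCAL_IPS = {"192.0.2.10", "192.0.2.11", "192.0.2.12"}  # eth0, eth0:0, eth0:1

# nat table: (match fields, target, target argument). First match wins.
NAT_PREROUTING = [
    # step 2: ssh to eth0:0 port 222 is DNATed to the backend's port 22
    ({"dst": "192.0.2.11", "proto": "tcp", "dport": 222}, "DNAT", ("198.51.100.5", 22)),
    # step 3: port 80 on eth0 is redirected to the unprivileged local port 8080
    ({"dst": "192.0.2.10", "proto": "tcp", "dport": 80}, "REDIRECT", 8080),
]
NAT_POSTROUTING = [
    # step 2: forwarded ssh traffic leaves with eth0:1 as its source
    ({"dst": "198.51.100.5", "proto": "tcp", "dport": 22}, "SNAT", "192.0.2.12"),
]
# filter FORWARD chain (the post jumps it to RH-Firewall-1-INPUT): only NEW
# tcp/22 is accepted there; everything else hits the final REJECT.
FORWARD_ACCEPT = [{"proto": "tcp", "dport": 22}]


def matches(rule, pkt):
    return all(pkt.get(field) == value for field, value in rule.items())


def nat_path(pkt, ip_forward=1):
    """Return (verdict, packet as it leaves the box) for one inbound packet."""
    pkt = dict(pkt)
    # 1. nat PREROUTING runs before the routing decision, so the DNATed
    #    destination is what decides between INPUT and FORWARD.
    for match, target, arg in NAT_PREROUTING:
        if matches(match, pkt):
            if target == "DNAT":
                pkt["dst"], pkt["dport"] = arg
            else:  # REDIRECT keeps a local destination; only the port changes
                pkt["dport"] = arg
            break
    # 2. routing decision: local destination -> INPUT, otherwise FORWARD
    if pkt["dst"] in LOCAL_IPS:
        return "INPUT", pkt
    # step 1 of the post: without ip_forward the kernel never forwards at all
    if not ip_forward:
        return "DROPPED: ip_forward=0", pkt
    if not any(matches(rule, pkt) for rule in FORWARD_ACCEPT):
        return "REJECTED by FORWARD", pkt
    # 3. nat POSTROUTING runs last, after the FORWARD verdict
    for match, target, arg in NAT_POSTROUTING:
        if matches(match, pkt):
            pkt["src"] = arg
            break
    return "FORWARD", pkt
```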

4. Notes:

a. Only after PREROUTING is a packet tested against the FORWARD rules.
b. iptables packet check sequence: