iptables : Redirect packets to another ip without nat
To have multiple public IPs on my home connection, I rent a VPS with a few IPs. I've set up an OpenVPN server, all the servers at my home which need a public IP have a VPN connection, and I'm doing DNAT/SNAT on the VPS to redirect the traffic destined to a specific public IP to my home server through OpenVPN.
-A PREROUTING -d xxx.xxx.xxx.xxx/32 -j DNAT --to-destination 172.17.0.6
-A POSTROUTING -s 172.17.0.6/32 -j SNAT --to-source xxx.xxx.xxx.xxx
It has worked like that for more than one year for a mail server/web/etc., it's pretty cool.
I just have one issue: the incoming packet on my server is NATed with the VPN server's IP, so I can't use access lists based on the IP, nor RBLs on the mail server.
Is there a way to tell iptables to redirect the traffic without doing the NAT?
On my client, the default gateway is my VPN server, so the packet will come back over the VPN in any case.
Thanks
networking iptables vpn
asked Mar 6 at 19:11
makz
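For reference, the two rules from the post as part of a complete, reviewable VPS ruleset. This is an added example, not the questioner's own configuration: it assumes eth0 is the Internet-facing interface and tun0 the OpenVPN interface (the post names neither), uses RFC 5737 documentation addresses in place of xxx.xxx.xxx.xxx, and adds a second, made-up mapping (203.0.113.11 to 172.17.0.7) to show the generator handles more than one rented IP. Nothing in it rewrites the source of inbound connections, so the home server keeps seeing the real client address.

```shell
#!/bin/sh
# Added example (not from the original post): build the VPS-side iptables
# ruleset that forwards rented public IPs to OpenVPN clients, emitted in
# iptables-restore format so it can be reviewed before it is loaded.
# Assumptions: Internet-facing interface eth0, OpenVPN interface tun0
# (the post names neither); the addresses below are constructed, with
# RFC 5737 documentation addresses standing in for the real xxx.xxx.xxx.xxx
# and a second client (172.17.0.7) made up for the example.

WAN_IF=eth0
VPN_IF=tun0
# One "public_ip tunnel_ip" pair per line.
MAPPINGS='
203.0.113.10 172.17.0.6
203.0.113.11 172.17.0.7
'

# nat table: DNAT inbound traffic for each public IP to its tunnel IP, and
# SNAT traffic the home server originates so it leaves with its public IP.
# The SNAT is scoped to the WAN interface so packets the home server sends
# to other VPN clients over tun0 keep their tunnel source address.
# Nothing here touches the source of inbound connections.
gen_nat_rules() {
    printf '%s\n' '*nat' \
        ':PREROUTING ACCEPT [0:0]' ':INPUT ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    printf '%s\n' "$MAPPINGS" | while read -r pub tun; do
        [ -n "$pub" ] || continue
        printf '%s\n' "-A PREROUTING -d $pub/32 -j DNAT --to-destination $tun"
        printf '%s\n' "-A POSTROUTING -o $WAN_IF -s $tun/32 -j SNAT --to-source $pub"
    done
    printf '%s\n' 'COMMIT'
}

# filter table: the post shows no FORWARD rules, so the VPS must be relying
# on an ACCEPT policy. This drops by default and forwards only the DNATed
# connections and the home server's own outbound connections.
gen_filter_rules() {
    printf '%s\n' '*filter' ':FORWARD DROP [0:0]'
    printf '%s\n' "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "$MAPPINGS" | while read -r pub tun; do
        [ -n "$pub" ] || continue
        # FORWARD sees the packet after the PREROUTING DNAT, so match the tunnel IP.
        printf '%s\n' "-A FORWARD -i $WAN_IF -o $VPN_IF -d $tun/32 -m conntrack --ctstate NEW -j ACCEPT"
        printf '%s\n' "-A FORWARD -i $VPN_IF -o $WAN_IF -s $tun/32 -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

gen_ruleset() {
    gen_nat_rules
    gen_filter_rules
}

# Load it (needs root). iptables-restore replaces the nat and filter tables
# wholesale, so parse-check with --test first and merge any existing rules.
apply_ruleset() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null &&
    gen_ruleset | iptables-restore --test &&
    gen_ruleset | iptables-restore
}

# Print the generated ruleset for review.
gen_ruleset
```

The rules are emitted rather than applied so they can be diffed against the live `iptables-save` output; `apply_ruleset` needs root and replaces the whole nat and filter tables.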
These rules don't change the source IP of packets going to XXX.XXX.XXX.XXX/32. Some other rule is messing you up. Please post the output of iptables -t nat -vL from your VPN server/home server (only if you do any NAT there). Did you add any rules with ip route / ip rule?
UXELDUXEL
Mar 6 at 19:43
1 Answer
accepted
If you want to change the destination but not the source, just get rid of the "SNAT" rule.
Sorry, did not read the question carefully enough.
> let's say, my server y.y.y.y is pinging x.x.x.x, it comes in on my VPN server and I DNAT destination x.x.x.x to 172.17.0.6, and on my home server I get packets with source 172.17.0.1
DNAT only changes the destination of a connection, not the source. If you are seeing a source of 172.17.0.1 then you must have another SNAT or MASQUERADE rule that is not listed in your question that is affecting the packet. You need to remove that rule or limit its scope so it doesn't affect the connections coming in to your home server.
If you want further help please post a complete list of iptables rules for your server, not just the ones you think are relevant.
> it goes back over my VPN and gets SNATed to go back to y.y.y.y
No, it gets reverse translated using the state tracking established when the first packet of the (pseudo-)connection was processed. iptables nat tables are only processed for the first packet of a connection.
edited Mar 6 at 19:34
answered Mar 6 at 19:16
plugwash
Not really. Let's say my server y.y.y.y is pinging x.x.x.x: it comes in on my VPN server and I DNAT destination x.x.x.x to 172.17.0.6, and on my home server I get packets with source 172.17.0.1, and it goes back over my VPN and gets SNATed to go back to y.y.y.y. What I want to do is ping from y.y.y.y to x.x.x.x: it goes to my VPN server, it's forwarded to 172.17.0.6 but not NATed, so on my home server I get packets from y.y.y.y and not 172.17.0.1. In fact I'm trying to get rid of the DNAT.
makz
Mar 6 at 19:23
Ohhh right, I forgot to mention the -t nat -A POSTROUTING -j MASQUERADE. Removing this rule is the answer. Thanks!
makz
Mar 6 at 19:40
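Turning the answer's diagnosis into a check. DNAT in PREROUTING never touches the source address, so when the home server sees 172.17.0.1 instead of y.y.y.y, some SNAT or MASQUERADE rule in nat POSTROUTING is matching the forwarded packets on their way out of the tunnel, exactly the unscoped -j MASQUERADE that turned up in the comments. The script below is an added example, not from the answer or the post: it parses an iptables-save nat dump, lists each POSTROUTING rule that can rewrite the source of a packet forwarded into the tunnel, and shows a scoped replacement. It assumes the OpenVPN interface is tun0 and the tunnel subnet is 172.17.0.0/16 (the post only shows 172.17.0.6 and 172.17.0.1); the dump is constructed, with 203.0.113.10 standing in for the real public IP.

```shell
#!/bin/sh
# Added example (not from the original post or answer): find the POSTROUTING
# rule that rewrites the source of connections forwarded to the home server.
# DNAT only changes the destination; if the home server sees the VPN server's
# tunnel address as source, an SNAT/MASQUERADE rule in nat POSTROUTING is
# matching the forwarded packets. Feed it the output of: iptables-save -t nat
# Assumptions: OpenVPN interface tun0 and tunnel subnet 172.17.0.0/16 (the
# post shows only 172.17.0.6 and 172.17.0.1); the dump below is constructed,
# with 203.0.113.10 standing in for the real public IP.

# Usage: audit_postrouting VPN_IF VPN_NET < nat-dump
# Prints every SNAT/MASQUERADE rule in POSTROUTING that can match a packet
# whose source is outside VPN_NET, leaving VPN_IF towards a VPN_NET address,
# i.e. the DNATed traffic whose source must stay untouched.
audit_postrouting() {
    awk -v vif="$1" -v vnet="$2" '
    function ip2int(ip,    o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # 1 if prefix a lies entirely inside prefix b (plain awk, no bit operators)
    function within(a, b,    pa, pb, la, lb, d) {
        split(a, pa, "/"); split(b, pb, "/")
        la = (pa[2] == "" ? 32 : pa[2] + 0)
        lb = (pb[2] == "" ? 32 : pb[2] + 0)
        if (la < lb) return 0
        d = 2 ^ (32 - lb)
        return int(ip2int(pa[1]) / d) == int(ip2int(pb[1]) / d)
    }
    function overlaps(a, b) { return within(a, b) || within(b, a) }
    /^-A POSTROUTING / {
        target = oif = src = dst = ""; oneg = sneg = dneg = neg = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "!") { neg = 1; continue }
            if ($i == "-o") { oif = $(i + 1); oneg = neg; i++ }
            else if ($i == "-s") { src = $(i + 1); sneg = neg; i++ }
            else if ($i == "-d") { dst = $(i + 1); dneg = neg; i++ }
            else if ($i == "-j") { target = $(i + 1); i++ }
            neg = 0
        }
        if (target != "MASQUERADE" && target != "SNAT") next
        hit = 1
        # -o: the forwarded packet leaves on vif (wildcards such as tun+ are not handled)
        if (oif != "" && (oif == vif) == oneg) hit = 0
        # -s: the source is some Internet host, never an address inside vnet
        if (src != "" && !sneg && within(src, vnet)) hit = 0
        # -d: the destination is a tunnel address inside vnet
        if (dst != "" && !dneg && !overlaps(dst, vnet)) hit = 0
        if (dst != "" && dneg && within(vnet, dst)) hit = 0
        if (hit) print
    }'
}

# Suggested repair for a flagged rule that has no -d match of its own: exclude
# the tunnel subnet as destination so only traffic bound for the Internet is
# masqueraded. Restricting with -o WAN_IF is the other common fix.
scope_rule() {
    sed "s|^-A POSTROUTING |-A POSTROUTING ! -d $1 |"
}

# Constructed dump: the post's two rules plus a few POSTROUTING variants.
SAMPLE_NAT_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10/32 -j DNAT --to-destination 172.17.0.6
-A POSTROUTING -s 172.17.0.6/32 -j SNAT --to-source 203.0.113.10
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -o tun0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 -o eth0 -j MASQUERADE
-A POSTROUTING ! -d 172.17.0.0/16 -j MASQUERADE
COMMIT'

echo "Rules that rewrite the source of traffic forwarded into 172.17.0.0/16:"
printf '%s\n' "$SAMPLE_NAT_DUMP" | audit_postrouting tun0 172.17.0.0/16
echo "Scoped replacement for the unscoped rule:"
printf '%s\n' '-A POSTROUTING -j MASQUERADE' | scope_rule 172.17.0.0/16
# On the VPS itself: iptables-save -t nat | audit_postrouting tun0 172.17.0.0/16
```

Only the two rules with no source or destination restriction are reported; the post's own SNAT rule is not, which matches the answer's point that it cannot be the culprit. Rule order still matters once the MASQUERADE is scoped: nat POSTROUTING is first-match and, as the answer says, consulted only for the first packet of a connection, so keep the per-host SNAT --to-source rule above the catch-all MASQUERADE or the home server's outbound connections will leave with the VPS's primary address instead of the rented one. The check inspects only -o, -s and -d and ignores interface wildcards such as tun+.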