I am drawing a blank on what search terms to use here (with all the
usual 'seems really basic'... 'maybe I am missing the obvious'...), so I
thought I would ask.
I have a couple of devices behind a router doing NAT (internal IP range
is 10.0.0.*, the router's internal IP is 10.0.0.1 on eth0). Let's pretend
that all my devices are trying to reach linux.ucla.edu, I own and run
linux.ucla.edu, and I have an OpenVPN setup between linux.ucla.edu and
my router. So the setup is:
devices <-- 10.0.0.* --> NAT <-- the Internet --> linux.ucla.edu
(131.179.104.17)
I want to divert all connections from the devices to linux.ucla.edu
port 80 to 10.0.0.1 and serve up content from 10.0.0.1. It is fine if
connections going to all other ports also go to 10.0.0.1... but only
for linux.ucla.edu.
It was easy to set up DNS on the NAT box so that if the devices try to
visit linux.ucla.edu they get the router's (the NAT box's) address, 10.0.0.1.
BUT... what if the devices ask for 131.179.104.17? Can I do some sort
of firewall rule or setup some route so that the same thing happens?
I mentioned that I have a VPN set up between the NAT and linux.ucla.edu
because I cannot just bring up a virtual interface on the NAT with
ifconfig eth0:1 131.179.104.17 up
... this causes the NAT to not be able to work over the VPN and not even
be able to talk to linux.ucla.edu.
Ideas? Suggestions?
After writing all that up, maybe I want a transparent proxy? I would
prefer it if the solution were just a couple of lines of script for a
firewall rule or some route setting... but I guess doing something
like squid is possible too.
Thank you!
M.
*What* will be doing the static and/or dynamic NAT/PAT-ing may not be a
Linux box, but, perhaps, a more common broadband router (WRT54G, etc.).
Considering why some do NAT, I'm not sure I would want static NAT without
putting such machines in a DMZ.
That should keep your search going.
> --
> You received this message because you are subscribed to the UCLA LUG "Linux" group.
> To post to this group, send email to li...@linux.ucla.edu
> To unsubscribe from this group, send email to
> linux+un...@linux.ucla.edu
> For more options, visit this group at
> http://groups.google.com/a/linux.ucla.edu/group/linux?hl=en
>
So I just tried setting up the port forward (from my example) of
131.179.104.17:80 to 10.0.0.1:80 and it worked! Now when my devices
browse to 131.179.104.17 they are talking to my NAT box.
Thanks!
M.
--
Martin L. Lukac, Ph.D.
Co-Founder | CTO
Nexleaf Analytics
http://nexleaf.org
Visiting Scientist
Computer Science
UCLA Center for Embedded Networked Sensing
http://www.linuxtopia.org/Linux_Firewall_iptables/x4508.html
Depending on how you want to actually serve the content, you may also
want a (transparent) proxy, or just a web server.
--Mike Mammarella
On Sat, Feb 26, 2011 at 9:24 PM, P B Postovoit <phi...@ucla.edu> wrote:
http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#s5
The command they give:
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
> --to-port 3128
redirects everything on port 80 to squid. You could use something similar
to redirect a specific IP address (rather than the default of all
addresses). You'll only be redirected to localhost, so you'd have to
run something (squid is the example given in that howto, but if it's just a
single HTTP server, then you could have something that forwards localhost
port 3128 to the remote host's port 80, perhaps something involving netcat).
A different approach, which might be more useful if you're trying to
redirect more than port 80, might be to try the -j DNAT target, with
--to-destination 10.1.2.3 (where 10.1.2.3 is your fake linux.ucla.edu
host). I've not tried that and my reply is vague because of that.
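As an added example for this thread (not the rules either poster actually ran), here is the -j DNAT variant from the reply above, written as a small script for a Linux router with netfilter. It uses the addresses and the eth0 interface name from the original post, and it assumes a web server is already listening on 10.0.0.1:80. The `-i eth0` and `-d 131.179.104.17` matches confine the rewrite to LAN devices talking to that one address, which is what the eth0:1 alias could not do; and because PREROUTING only sees packets that arrive on an interface, the router's own VPN and SSH sessions to 131.179.104.17 are untouched. Set `IPT=echo` to see the rules without applying them.

```shell
#!/bin/sh
# Divert LAN traffic addressed to the public IP of linux.ucla.edu to the
# router itself (10.0.0.1) with an iptables DNAT rule in the nat table.
# Added example for this thread, not the posters' own configuration.
# Assumptions: Linux router with netfilter, LAN devices on eth0, the
# addresses from the thread, and an HTTP server already on 10.0.0.1:80.

LAN_IF="${LAN_IF:-eth0}"                 # interface the 10.0.0.* devices sit on
REAL_IP="${REAL_IP:-131.179.104.17}"     # public address of linux.ucla.edu
LOCAL_IP="${LOCAL_IP:-10.0.0.1}"         # router's LAN address, serves the content
IPT="${IPT:-iptables}"                   # set IPT=echo for a dry run

# Rewrite one TCP port. Only packets *entering* on the LAN interface and
# addressed to REAL_IP match. Packets the router originates itself never
# traverse PREROUTING, so the router's VPN/SSH sessions to the real host
# keep working (unlike the eth0:1 alias, which hijacked the router's own
# routing to 131.179.104.17).
divert_port() {   # divert_port <tcp port>
    "$IPT" -t nat -A PREROUTING -i "$LAN_IF" -d "$REAL_IP" \
        -p tcp --dport "$1" -j DNAT --to-destination "$LOCAL_IP:$1"
}

# Rewrite every port and protocol to the router, which the original post
# said was acceptable. Caveat: this only transparently serves plain HTTP.
# HTTPS clients will still reach the router, but will reject its
# certificate, because DNAT cannot impersonate the real host's identity.
divert_all_ports() {
    "$IPT" -t nat -A PREROUTING -i "$LAN_IF" -d "$REAL_IP" \
        -j DNAT --to-destination "$LOCAL_IP"
}

# Remove a port rule again: identical match, -D instead of -A.
undivert_port() {   # undivert_port <tcp port>
    "$IPT" -t nat -D PREROUTING -i "$LAN_IF" -d "$REAL_IP" \
        -p tcp --dport "$1" -j DNAT --to-destination "$LOCAL_IP:$1"
}

# Check it: the pkts counter on the DNAT line should climb each time a
# LAN device browses to http://131.179.104.17/ .
show_counters() {
    "$IPT" -t nat -L PREROUTING -n -v --line-numbers
}

# Command-line front end; does nothing when no argument is given, so the
# functions can also be sourced from another script.
main() {
    case "$1" in
        80)   divert_port 80 ;;
        all)  divert_all_ports ;;
        off)  undivert_port 80 ;;
        show) show_counters ;;
        *)    echo "usage: $0 {80|all|off|show}" >&2; return 2 ;;
    esac
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run as root on the router: `sh divert.sh 80` to add the port-80 rule, `sh divert.sh show` to watch the counters, `sh divert.sh off` to remove it. Since the target is the router itself, `-j REDIRECT --to-ports 80` in place of the DNAT target gives the same result for the single-port case; DNAT is used here because it also covers the "all ports" variant and would let the fake linux.ucla.edu live on another LAN host by changing LOCAL_IP.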