<p>Let us define:<br>
{source address} - packet sender (some remote address)<br>
{interface address} - packet receiver (firewall external address)<br>
{local address} - packet end point receiver local network address<br>
{local gateway} - firewall local address<br>
{proto block} - IP protocols limitation (i.e. -p tcp -m tcp --dport xxxx)</p>

<p>1. If you want the client to see the IP address of the packet source, do this:</p>

<pre><code># rewrite the destination to the LAN host, then let the forwarded packet through
iptables -t nat -A PREROUTING -s {source address} -d {interface address} {proto block} -j DNAT --to-destination {local address}
iptables -A FORWARD -d {local address} -j ACCEPT
</code></pre>

<p>Do not forget to run:</p>

<pre><code>echo "1" &gt; /proc/sys/net/ipv4/ip_forward
</code></pre>

<p>It will enable packet forwarding.<br>
In this case, your end point will see the original IP address; however, it will try to respond to its default gateway. If this address is not in the local network range, add:</p>

<pre><code># on the end point: send packets for {source address} via the firewall
route add {source address} gw {local gateway}
</code></pre>

<p>This will tell your endpoint to send packets for {source address} via {local gateway} (or reply back).</p>

<p>2. You do not want the endpoint to see the original IP address and do not want to modify routing tables; then add:</p>

<pre><code>iptables -t nat -A POSTROUTING -s {source address} -j MASQUERADE
</code></pre>

<p>In this case, the LAN client will see only the {local gateway} address.</p>

<p>In any case, do not forget to masquerade all packets that are going from your local network to remote addresses by:</p>

<pre><code># everything not destined for the local 192.168.0.0/16 range leaves with the firewall's address
iptables -t nat -A POSTROUTING ! -d 192.168.0.0/16 -j MASQUERADE
</code></pre>

<ol start="3">
<li>You want to keep the source address and destination address for further processing. In this case, your {local gateway} will be just a part of packet routing and {local address} has to be just a next hop - use policy routing for that.</li>
</ol>

<p>First, add your own routing table with a tag lower than 252 to <code>/etc/iproute2/rt_tables</code>.</p>

<p>Then you can add a rule for {source address} directly to the rule set, or mark packets from {source address} - both methods will look up your custom routing table for those packets:</p>

<pre><code>ip rule add from {source address} table custom_table
</code></pre>

<p>or</p>

<pre><code># mark the packets in the mangle table, then route by that mark
iptables -t mangle -A PREROUTING -s {source address} -j MARK --set-mark 1
ip rule add fwmark 1 table custom_table
</code></pre>

<p>And then make {local address} the next-hop gateway for these packets:</p>

<pre><code>ip route add default via {local address} table custom_table
</code></pre>

<p>Of course, the <code>POSTROUTING</code> chain will be applied just before the packet exits, and you can shape your source address if needed.</p>
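The rt_tables step of case 3, as an added example that is not part of the original answer: it registers the custom table with a free id below 252 (leaving the file's reserved ids alone) and prints the ip rule/ip route commands for review before they are applied. The RT_TABLES override and the function names are assumptions of this example, not anything the answer defines.

```shell
#!/bin/sh
# Added example, not from the original answer. RT_TABLES is an assumed knob
# (defaults to the real file) so the functions can be tried on a copy first.
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"

# ensure_rt_table NAME: print NAME's numeric id. If NAME is not in $RT_TABLES
# yet, append it with the highest unused id below 252, so the reserved ids
# 0, 253, 254 and 255 are never reused. Calling it twice is harmless.
ensure_rt_table() {
    name="$1"
    # "id name" pairs with comments and blank lines stripped
    table=$(sed 's/#.*//' "$RT_TABLES" | awk 'NF == 2 { print $1, $2 }')
    existing=$(printf '%s\n' "$table" | awk -v n="$name" '$2 == n { print $1; exit }')
    if [ -n "$existing" ]; then
        printf '%s\n' "$existing"
        return 0
    fi
    id=251
    while [ "$id" -gt 0 ]; do
        if ! printf '%s\n' "$table" | awk '{ print $1 }' | grep -qx "$id"; then
            printf '%s\t%s\n' "$id" "$name" >> "$RT_TABLES"
            printf '%s\n' "$id"
            return 0
        fi
        id=$((id - 1))
    done
    echo "ensure_rt_table: no free table id below 252" >&2
    return 1
}

# policy_route_cmds SOURCE NEXTHOP TABLE: print the two commands from step 3
# that send packets from SOURCE through TABLE with NEXTHOP as default gateway.
policy_route_cmds() {
    printf '%s\n' \
        "ip rule add from $1 table $3" \
        "ip route add default via $2 table $3"
}

# Stand-alone use (as root, since rt_tables is written):
#   sh this_script.sh {source address} {local address} custom_table
# Review the printed commands, then pipe them into "sh" to apply them.
if [ "$#" -eq 3 ]; then
    ensure_rt_table "$3" > /dev/null
    policy_route_cmds "$1" "$2" "$3"
fi
```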