How would you set up iptables to generically send packets of some port, say tcp port 80, to the correct machines (which are not all in the same subnet)?

For example:
iptables -t nat -A PREROUTING -s 0.0.0.0/0 -p tcp -d $NATIP -j DNAT --to-destination $machineIP
iptables -t nat -A POSTROUTING -s $machineIP -p tcp -d 0.0.0.0/0 -j SNAT --to-source $NATIP

The above would send packets correctly to and from a single machine, but how would you do this for n machines, as I don't believe a generic destination such as 192.168.1.0/25 would work.

Do you somehow tag the packets so that when they come back you can send them to the correct IP?
Is this done with some other command?

kevin

1 Answer

Some considerations first. If you have 0.0.0.0/0 as source or destination, you don't have to specify it on your rule.

Now considering your question, if you have one NATIP for each machine, it's just a question of making one pair of rules for each machine. If you want to use the same NATIP for multiple machines you need something to differentiate, if not the port, then the source IP. Otherwise iptables, per se, can't choose where to send the packet. (will get back to this matter)

To make the output NAT you can make one rule for each machine, or create a chain and set there all the IPs and subnets you wish to translate.

iptables -t nat -N addrTranslate
# SNAT is only accepted in the POSTROUTING chain of the nat table, so the jumps go there (not OUTPUT)
iptables -t nat -A POSTROUTING -s x.x.x.x -j addrTranslate
iptables -t nat -A POSTROUTING -s y.y.y.y/24 -j addrTranslate
# every source matched above leaves with the same translated address
iptables -t nat -A addrTranslate -j SNAT --to-source z.z.z.z

One alternative for NAT of multiple machines behind one single IP address is to set up a proxy with apache.

fboaventura
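The following script is an added example, not part of the question or the answer above. It builds the "one pair of rules per machine" layout the answer describes from a small mapping table, and shows the port-based differentiation the answer mentions for the case where several internal machines share one NAT address. All addresses, the table and the chain name are constructed for the example; nothing here is taken from a real deployment. The script prints the iptables commands instead of running them, so the generated rule set can be reviewed before it is loaded on a firewall.

```shell
#!/bin/sh
# Added example: generate one DNAT/SNAT rule pair per (public IP, port, internal machine)
# mapping. Constructed values throughout; no rule is applied, the commands are only printed.

# Constructed mapping table: public_ip  tcp_port  internal_ip
# 203.0.113.10 is shared by two machines, told apart by the destination port,
# which is the "if not the port, then the source IP" case from the answer.
MAP='
203.0.113.10 80 192.168.1.10
203.0.113.10 8080 10.0.5.20
203.0.113.11 80 172.16.7.5
'

# Print the inbound DNAT rule and the matching outbound SNAT rule for one mapping.
# Return traffic of a DNATed connection needs no extra rule: conntrack reverses the
# translation on the replies, so the SNAT line only covers connections the internal
# machine opens itself (the "tag" the question asks about is the conntrack entry).
emit_pair() {
    natip=$1
    port=$2
    machine=$3
    printf 'iptables -t nat -A PREROUTING -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$natip" "$port" "$machine" "$port"
    printf 'iptables -t nat -A POSTROUTING -p tcp -s %s --sport %s -j SNAT --to-source %s\n' \
        "$machine" "$port" "$natip"
}

# Walk the table and emit the rule pairs; blank lines in the table are skipped.
gen_rules() {
    printf '%s\n' "$MAP" | while read -r natip port machine; do
        [ -z "$natip" ] && continue
        emit_pair "$natip" "$port" "$machine"
    done
}

# Number of generated rules (two per mapping), handy as a sanity check before loading.
count_rules() {
    gen_rules | wc -l | tr -d ' '
}

# Rules that reference a given public address, to check what a single NAT IP exposes.
rules_for_natip() {
    gen_rules | grep -c -- "$1"
}

gen_rules
```

Run it as `sh genrules.sh` to see the six commands; `count_rules` and `rules_for_natip 203.0.113.10` are there for checking the result. Because the DNAT rule matches on `--dport` and the SNAT rule on `--sport`, two machines can sit behind the same public address without iptables having to guess which one a packet belongs to.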