Iptables port mapping from two PCs to one

We have 3 PCs, two of it are connected to internet (both of it have 2 NIC)

PC1:

eth0 - 1.0.0.1 (external IP)
eth1 - 172.16.0.1 (internal IP)

PC2:

eth0 - 1.0.0.2 (external IP)
eth1 - 172.16.0.2 (internal IP)

PC3:

eth0 - 172.16.0.3 (internal IP)

Now we want to forward port 80 from PC1 and PC2 to PC3.

But there is the problem: iptables port forwarding works well from PC1 or PC2, but only in case if PC3 have PC1 or PC2 as gateway.

IPtables rules (for PC1):

iptables -t nat -A PREROUTING  -p tcp -d 1.0.0.1 --dport 80 -j DNAT --to-destination 172.16.0.3:80
iptables -A FORWARD -p tcp -d 172.16.0.3 --dport 80 -j ACCEPT

So, question is: can we have port mapping from both PC1 and PC2 regardless of gateway settings on PC3?

Thank you in advance.

Anton

Posted 2012-07-01T08:43:48.273

Reputation: 33

What does "map port 80 from PC1 and PC2 to PC3" mean? – David Schwartz – 2012-07-01T11:02:14.580

I mean port 80 forward inside local network – Anton – 2012-07-01T11:11:57.647

I still don't get it. Are you saying that when people connect to 172.16.0.1:80 or 172.16.0.2:80, you want to actually connect them to 172.16.0.3? – David Schwartz – 2012-07-01T11:22:19.957

PC1 and PC2 are both connected to internet and have external IP (1.0.0.1 and 1.0.0.2), otherside both PC1 and PC2 are connected to local network (172.16.0.1 and 172.16.0.2). Also inside local network there is PC3 (172.16.0.3) - web server. So I want to all incoming HTTP requests to any of external IPs (PC1 1.0.0.1 or PC2 1.0.0.2) were redirected to PC3 (172.16.0.3) – Anton – 2012-07-01T11:25:09.320

How are you doing iptables port forwarding exactly? If you're doing it correctly, the source IP address as seen by PC3 should be an address assigned to PC1 or PC2, so the gateway shouldn't matter. – David Schwartz – 2012-07-01T11:29:51.787

Added rules into question description – Anton – 2012-07-01T11:33:24.743

Answers

You've only rewritten the destination.

You need to change the source address to be from PC1 or PC2, so the reply packets can also be NATted. And you need to change the destination address so that the packet will go to PC3. Rewriting both the source and the destination is called "dual NAT".

You need to do the DNAT in the PREROUTING chain and the SNAT in the POSTROUTING chain. Like this (for PC1):

iptables -t nat -A PREROUTING -p tcp -m tcp -d 1.0.0.1 --dport 80 -j DNAT \
  --to-destination 172.16.0.3:80
iptables -t nat -A POSTROUTING -p tcp -m tcp -d 172.16.0.3 --dport 80 \
   -j SNAT --to-source 172.16.0.1

David Schwartz

Posted 2012-07-01T08:43:48.273

Reputation: 58 310

David, it is just what I need. I have tried to make similar rule, but can't do it myself. Thanks! – Anton – 2012-07-01T11:55:02.367

David, one more question: now in apache i see only 172.16.0.x IP instead of real client's IP. Without SNAT using default gateway I see real IP... What should I configure to see real IP? – Anton – 2012-07-01T13:50:43.860

You can't. You have to change the source address to be the NAT device's source address, so you can't provide the "real" source address to the server. If you need that, you can't use NAT and have to use something like a reverse proxy instead. – David Schwartz – 2012-07-01T14:20:07.863

Give PC3 another IP address and use DNAT rules in PC1 and PC2 to the different IP addresses of PC3.

On PC3 use "ip rule" to route by source IP address, as shown by: http://lartc.org/howto/lartc.rpdb.multiple-links.html

Timothy Baldwin

Posted 2012-07-01T08:43:48.273

Reputation: 141