# Mapping of IPs

## Proteus

Hi!

When I don't want to do NAT but instead want to map all traffic coming from i.e. 192.168.0.10 to some public ip i.e. 217.55.55.12 and vice versa how can I do that?

I cannot find a rule for that. Is it possible?

----------

## Sven Vermeulen

What do you mean with "map"? You mean IP-spoofing?

http://www.linuxgazette.com/issue63/sharma.html

----------

## slartibartfasz

*Proteus wrote:*

> I cannot find a rule for that. Is it possible?

...if you want to use iptables, I think NAT is the way to do it...

----------

## Matje

```
IPTABLES -A FORWARD tcp -i eth0 -j REDIRECT --to eth1
IPTABLES -A FORWARD tcp -i eth1 -j REDIRECT --to eth0
```

something like this?

----------

## Proteus

NAT is not for me because the clients are Win PCs and they must be able to run any game online. Sometimes NAT causes problems with that.

What I want to do is to tell iptables that it should route traffic coming from i.e. 192.168.1.10 to a public ip like i.e. 194.50.50.10 and so on. We have 30 public ips that should be routed this way.

Therefore, I think, my router must be able to respond to any traffic that is directed to any of the public ips. That is my problem.

@Matje: I don't exactly understand what your rules would do. Looks like a never ending loop to me??

----------

## Sven Vermeulen

I've never had any troubles with gaming (my brother games a lot) and, to share internet, I use the following rules:

```
# Masquerade everything leaving the external interface (eth1) behind its address
/sbin/iptables -A POSTROUTING -t nat -o eth1 -j MASQUERADE
# LAN (eth0) -> Internet (eth1): allow traffic from the LAN to non-LAN destinations
/sbin/iptables -A FORWARD -i eth0 -o eth1 -s 192.168.0.0/24 ! -d 192.168.0.0/24 -j ACCEPT
# Internet (eth1) -> LAN (eth0): allow traffic from non-LAN sources to LAN addresses
/sbin/iptables -A FORWARD -o eth0 -i eth1 -d 192.168.0.0/24 ! -s 192.168.0.0/24 -j ACCEPT
```

Yes, that's NAT. What games do you have troubles with? Perhaps googling would help.

----------

## Proteus

I already do NAT. It works. But it does cause problems with games when multiple users play on the LAN. Just believe me.

Also, we just want to use the public IPs we got.

----------

## mrhodes

Hello,

I had similar problems with Empire Earth. I could join anyone from my WinXP client, however I couldn't host games because of being behind a real IP... I solved that problem by finding out what port EE uses and just forward all incoming packages to those ports to my WinXP machine.... Hosting worked great after that.

Mike

----------

## Proteus

Yes, you can do port forwarding. But then you can only have one specific machine acting as a server. That solution does not work for me. I must be able to use any client as server with any game (even those not yet released) and it must not require any configuration of the router.

I just know there must be a solution - this is Linux after all. Must find it...

----------

## kashani

You need NAT at some point, otherwise the far end of the connection will see the internal IPs and most likely a provider in the middle will filter the NAT IP space in the middle. At least they should.

Let's say you have 4 machines internally:

192.168.0.11/24

192.168.0.12/24

192.168.0.13/24

192.168.0.14/24

They all use the Linux box as the gateway which is 192.168.0.1/24

Now your firewall has an external IP of 217.55.55.2/24. You'll want to match additional IPs to each internal machine:

217.55.55.11 --> 192.168.0.11 and so on. 

```
# Outbound: rewrite the source of 192.168.0.11 to its public address
iptables -A POSTROUTING -t nat -s 192.168.0.11 -o eth0 -j SNAT --to-source 217.55.55.11
# Inbound: rewrite the public destination 217.55.55.11 to the internal host
iptables -A PREROUTING -t nat -i eth0 -d 217.55.55.11 -j DNAT --to-destination 192.168.0.11
```

The above might even work though I seriously doubt it, but it should give a better idea on what the config should look like. Also googling for "static nat iptables linux one-to-one SNAT NAT" might narrow it down.

kashani

----------

## Proteus

Thanks a lot! You understood what I want to do.

----------

## kashani

Ran across this in another thread. You'll want to bind all the IPs to your Linux box. Your /etc/conf.d/net might look like this:

```
iface_eth0="217.55.55.1 broadcast 217.55.55.255 netmask 255.255.255.0"
# For adding aliases to an interface
#
alias_eth0="217.55.55.11 217.55.55.12 etc"
```

kashani

----------

## Rroet

Yes, virtual IP addresses on a NIC are possible, but keep in mind that this will only work if you have MULTIPLE EXTERNAL IP addresses. If you don't have them, your whole idea will not work.

An external IP address can only be mapped 1 on 1. With that I of course mean every external socket.

So redirecting 1 external IP address to 2 internal machines will not work unless you divide some sockets across those machines.

----------

## Proteus

Yes, that's exactly what I want to do. Map 1 internal for each 1 external address. We got 30 clients and about 32 external IPs - that should suffice.

----------

## splooge

Here's what I use:

```
# 123.456.789.1 is a placeholder, not a valid address; substitute your public IP
iptables -t nat -A POSTROUTING -s 10.1.1.1 -j SNAT --to-source 123.456.789.1
iptables -t nat -A PREROUTING -d 123.456.789.1 -j DNAT --to-destination 10.1.1.1
```

Of course that's very insecure =)

----------

## Proteus

Excuse me but why is that insecure?

Or do you mean because of the absence of any other filtering rules inbetween? I assume that those exist but are not listed because we just talked about the mapping here.

Or is there anything that prohibits filtering with this setup? I'd be surprised to hear that but you never know...

----------

## Rroet

No, it can't be filtered if I remember correctly.

Check this scheme and know what you have to do:

![iptables table traversal](http://iptables-tutorial.frozentux.net/images/tables_traverse.jpg)

I partially participated in this project. Mostly on reading the stuff and commenting on little errors, but this is a good study for anyone who wants to know all about iptables:

Iptables-Tutorial

----------

## Proteus

Well, I think that there can be filtering rules implemented.

Do the filtering in the forward chain because everything that's forwarded must go through it.

I don't see why that should not work.

----------

## splooge

You could for example filter based on port or source ip such as:

```
iptables -P INPUT DROP
iptables -t nat -A PREROUTING -d 123.456.789.0 -s 234.567.890.1 -p tcp --dport 80 -j DNAT --to 10.1.1.1
```

That would only allow port 80 connections from 234.567.890.1 to 123.456.789.0 and then the rest of the traffic would hit the input drop rule.

Right?

Or like Proteus said you could do it here also:

```
iptables -P FORWARD DROP
iptables -A FORWARD -s 234.567.890.1 -d 123.456.789.0 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
```

Right?

----------
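The one-to-one mapping kashani sketched above, combined with the FORWARD-chain filtering that splooge and Proteus describe, as an added example that is not from any poster in this thread: the interface names, the four address pairs and the allowed port are assumptions. The filter FORWARD chain is traversed after PREROUTING DNAT, so inbound rules there match on the internal address.

```shell
#!/bin/sh
# Added example (not from the thread): static one-to-one NAT for several
# LAN hosts plus stateful filtering in the FORWARD chain.
# Interface names, address pairs and the allowed port are assumptions.
# Default is a dry run that prints the rules; run with IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
EXT_IF=eth0        # interface holding the public /24 (and its aliases)
INT_IF=eth1        # LAN interface
# Constructed mapping, one "public internal" pair per line.
MAP="217.55.55.11 192.168.0.11
217.55.55.12 192.168.0.12
217.55.55.13 192.168.0.13
217.55.55.14 192.168.0.14"

# SNAT/DNAT pair for one host: $1 = public IP, $2 = internal IP.
map_host() {
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$2" -j SNAT --to-source "$1"
    $IPT -t nat -A PREROUTING  -i "$EXT_IF" -d "$1" -j DNAT --to-destination "$2"
}

# Allow new inbound TCP connections to one host: $1 = internal IP, $2 = ports.
# FORWARD runs after PREROUTING DNAT, so the match is on the internal address.
allow_inbound() {
    for port in $2; do
        $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$1" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
}

build() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Anything the LAN opens outward is allowed; replies return via the state rule.
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s 192.168.0.0/24 -j ACCEPT
    echo "$MAP" | while read -r pub int; do
        map_host "$pub" "$int"
    done
    # Only the host that will host games needs inbound ports (assumed port 27015).
    allow_inbound 192.168.0.11 "27015"
}

build
```

Every other public address still answers (ARP for the aliases, translation by the DNAT rule) but unsolicited inbound connections to it are dropped by the FORWARD policy.

----------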

## Rroet

again, THAT CANNOT BE DONE!

like he said:

he wants to connect internal IPs [192.168.x.x / 10.x.x.x] to external IP addresses... so it's nice to forward incoming stuff to 192.168.x.x and try to NAT it outgoing again, but iptables can't comprehend this complex thing you're trying to make of it. iptables cannot connection track forwarded packets which aren't prerouted before and correctly NAT them back to the external IP that was trying to talk to this machine.

There is a little basic filtering you can do to filter out bad / malformed packages, but that's about it.

RTFM and see what can and cannot be done.

----------

## Proteus

Ok, I did not mean to be offensive.

I do believe that you know what you are talking about.

What I never knew was that this is a complex thing to achieve with iptables, I always thought of it being extremely simple.

And btw, I really tried RTFM even before posting the first message in here but I can still not find the part where it states that forwarded traffic cannot be filtered. But I will be glad if you give me a hint or hit my dumb head on a stone until I can see it myself.

----------

## Rroet

dunno, must have missed a couple of hours of sleep somewhere this week. Normally I tend to behave on forums...

What do you want to have filtered out, because some basic filtering .... I might wanna try break my head over it, see if it indeed can / can't be done.. afaik it couldn't be done according to the manual. Seeing the entire structure you can also see it can't be done, but I remember there are ways to fool the system.

----------

## Proteus

But the structure that is shown in this thread is my problem.

There is a "forward filter" section in it and I thought that there is the point where forwarded (i.e. SNAT/DNAT/MASQUERADE) traffic can be filtered.

Or is that something completely different?

----------

