Destination NAT

kbocek
Posts: 242
Joined: 2005/05/30 15:40:15
Location: Benicia CA, USA

Destination NAT

Post by kbocek » 2017/09/29 18:26:29

How do you set up Destination NAT for inbound forwarded ports?

I have an email server behind a firewalld router. Port forwarding works fine but the IP address of the sending host is lost. I'm looking but not finding how to do destination NAT for inbound traffic.

Thanks

Edit:

This: http://www.mjhall.org/centos7-firewalld-nat-router/

Seems to say something like this:

Code:

firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o eth1 -j MASQUERADE

firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eth2 -o eth1 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eth1 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT

JeffMings
Posts: 19
Joined: 2014/01/05 02:23:14

Re: Destination NAT

Post by JeffMings » 2017/10/04 23:37:09

I'm trying to resolve the same issue, for the most part, in my post:
viewtopic.php?f=50&t=64484

CentOS 7 doesn't keep the IP of an external host across a routed or forwarded connection, and I'm hoping to fix that.

kbocek
Posts: 242
Joined: 2005/05/30 15:40:15
Location: Benicia CA, USA

Re: Destination NAT

Post by kbocek » 2017/10/05 14:17:43

Isn't that the function of masquerade? I just want to do it in an inbound direction.

JeffMings
Posts: 19
Joined: 2014/01/05 02:23:14

Re: Destination NAT

Post by JeffMings » 2017/10/06 09:14:49

Most consumer/small office routers do the usual SNAT where the packets from the hosts inside/behind the router are sent out to the public internet with the address of the router. However, packets coming back, sent by external hosts, almost always return to the inside hosts with the external addresses intact. This was true of masquerading with iptables under CentOS 6, as well.
For example, 192.168.1.22 sends a ping/ICMP to 8.8.8.8 on the public internet via the router at 192.168.1.1, which has an internet IP of 7.7.7.7. The host at 8.8.8.8 receives a packet that has the external address of the router, 7.7.7.7, and sends an echo back. The router sends the echo packet to 192.168.1.22 with the address of 8.8.8.8 as the sender.
Under CentOS 7, the internal host will see the echo packet's sender as the router, at 192.168.1.1, and not as the external host at 8.8.8.8. This causes various problems. It's why you are not seeing the IP address of the sending host.

I'd really like to know how to change CentOS 7's masquerading behavior to be like that of CentOS 6.
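The mechanism the first post's direct rules and the post above describe, as an added example that is not part of this thread: a deliberately simplified Python model of the iptables nat chains firewalld programs, with DNAT in PREROUTING and MASQUERADE in POSTROUTING. It shows that the mail server sees the router's inside address only when MASQUERADE is applied on the inside interface, and keeps the real client address when MASQUERADE is limited to the outside interface, as the -o eth1 rule in the first post does. Assumed: eth1 is the outside interface, eth2 the inside one, and the mail server is 192.168.1.22.

```python
from dataclasses import dataclass, replace

# Addresses from the thread; the mail server address is an assumption.
ROUTER_EXT = "7.7.7.7"      # router's public address (eth1 side)
ROUTER_INT = "192.168.1.1"  # router's inside address (eth2 side)
MAIL_SERVER = "192.168.1.22"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_if: str
    out_if: str = ""

def prerouting(pkt, dnat_rules):
    # nat PREROUTING: DNAT matched on -i and --dport (the inbound port forward)
    for in_if, dport, to_addr in dnat_rules:
        if pkt.in_if == in_if and pkt.dport == dport:
            return replace(pkt, dst=to_addr)
    return pkt

def route(pkt):
    # Minimal routing table: 192.168.1.0/24 is behind eth2, the rest via eth1.
    out_if = "eth2" if pkt.dst.startswith("192.168.1.") else "eth1"
    return replace(pkt, out_if=out_if)

def postrouting(pkt, masq_ifaces):
    # nat POSTROUTING: MASQUERADE matches on -o and rewrites src to that interface's address
    if pkt.out_if in masq_ifaces:
        return replace(pkt, src=ROUTER_EXT if pkt.out_if == "eth1" else ROUTER_INT)
    return pkt

def forward(pkt, dnat_rules, masq_ifaces):
    """Run one packet through the router's nat chains in kernel order."""
    return postrouting(route(prerouting(pkt, dnat_rules)), masq_ifaces)

DNAT_SMTP = [("eth1", 25, MAIL_SERVER)]  # the inbound port forward
# Constructed sample: an outside MTA at 8.8.8.8 connecting to port 25.
INBOUND_SMTP = Packet(src="8.8.8.8", dst=ROUTER_EXT, dport=25, in_if="eth1")

def as_seen_by_mail_server(masq_ifaces):
    """Return (src, dst) of the forwarded SMTP packet for a given MASQUERADE scope."""
    pkt = forward(INBOUND_SMTP, DNAT_SMTP, masq_ifaces)
    return pkt.src, pkt.dst

if __name__ == "__main__":
    print("MASQUERADE on every interface:", as_seen_by_mail_server({"eth1", "eth2"}))
    print("MASQUERADE on eth1 only      :", as_seen_by_mail_server({"eth1"}))
```

In firewall-cmd terms this corresponds to keeping MASQUERADE on the outside interface only and adding the DNAT for the forwarded port in nat PREROUTING (or the zone's --add-forward-port option with toaddr), so the mail server's logs and sender checks see the real client address.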

kbocek
Posts: 242
Joined: 2005/05/30 15:40:15
Location: Benicia CA, USA

Re: Destination NAT

Post by kbocek » 2017/10/06 15:06:20

I have an email server sitting behind a firewall. The traffic forwarded by the router has the IP address of the router when it arrives at the email server. I would like to keep the source IP on the inbound traffic intact.

kbocek
Posts: 242
Joined: 2005/05/30 15:40:15
Location: Benicia CA, USA

Re: Destination NAT

Post by kbocek » 2017/10/11 15:53:35

Sounds like what I'm asking for is not possible.

Postfix docs:

http://www.postfix.org/STANDARD_CONFIGU ... l#firewall

Has some complex instructions. If I read it right, you set up forwarding on the firewall host and let Postfix handle everything.
