Like many small companies we are typical in our use ofRFC1918. addressing.Specifically the 192.168.0.0/16range. Because we needed someuntrusted network aclearcase/" target="_blank" >ccess, as a security precaution I made thedubious decision to use overlapping address ranges that deliberatelyclashed with our own corporate network use to make it especiallyhard for someone to hack our main network if the untrusted networkwere compromised.
Unfortunately those untrusted networks have become increasingly more andmore important and developers at our company needed use them. Thisbecame a problem because access was limited to a few physical locations.Now you know the reasons why I went through all this rigamarole, here'show I accomplished it.
This mini-howto is for 2.4 kernels and ip netfilter. All the examples weretested on a 2.4.18 kernel.
ASCII Art 1: The situation
Network 1
192.168.150.0 (Corporate)
--------------/-------------------------
Network 2
192.168.150.0 (Untrusted Network)First Attempt: Single NAT
On my first try I simply used a third intermediate network which was routedto network 1 and connected the NAT box in-between.
ASCII Art 2: Attempt 1
Network 1
192.168.150.0 (Corp)
|
Router
|
Network 2
192.168.180.0 (Intermediate)
|
NAT BOX |
eth0 192.168.180.180
eth1 192.168.150.180
|
Network 3 |
192.168.150.0 (Untrusted Network)Using a combination of Destination NAT mappings and a Source NAT remapping,this was a partial success. I could access all the stuff on Network 3from any network that WASN'T network 1. Why ? Localhost routing policyon the NAT box.
The local routing policy on a normal linux system is usually:
- Directly Connected Interfaces
- Static Routes
- Default Routes
In that order. So since I was directly connected to 192.168.150.0 therewas no way for the NAT box to talk to Network 1 since it was technicallyalready directly connected to it, or at least it's doppleganger.I'm sure there's some way to overcome this usingAlexey's ip util but I did not look into this further.
Second Attempt: Double NAT
Double NAT is one of those unholy things that makes network administratorscringe. Their bones crackle and sinews twist as they think of the nastythings that a) NAT does and b) Double NAT does doubly. It's a hack, butwhen you have a situation where you have two subnets that are the sameaddressing that wish to communicate, it's a useful hack because it allowsyou to de-couple them into separate address space.
ASCII Art 3: Attempt 2
Network 1
192.168.150.0 (Corp)
|
Network 2 |
192.168.180.0 (Intermediate)
|
NAT BOX 1 |
eth0 192.168.180.180
eth1 10.15.15.1
|
NAT BOX 2 |
eth0 10.15.15.2
eth1 192.168.150.252
|
Newtwork 3 |
192.168.150.0 (Untrusted Network)Yeah, like I said it's pretty satanic. So first step, host preparation.
Rusty's Really Quick Guide To Packet Filtering Copied:
I will assume you've used Rusty's really quick guide to packet filteringand you already have 2 systems prepared for NAT. Check the Packet FilteringFAQ for more details.
'iptables -vL' will probably look something like this:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2434 219K block all -- any any anywhere anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
11657 5137K block all -- any any anywhere anywhere
Chain OUTPUT (policy ACCEPT 2514 packets, 217214 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP icmp -- any any anywhere anywhere state INVALID
Chain block (2 references)
pkts bytes target prot opt in out source destination
13579 5319K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
512 37065 ACCEPT all -- !eth1 any anywhere anywhere state NEW
0 0 DROP all -- any any anywhere anywheretranslated it will look something like this:
iptables -N block
iptables -A INPUT -j block
iptables -A FORWARD -j block
iptables -A OUTPUT -p icmp -m state --state INVALID -j DROP
iptables -A block -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A block -i ! eth1 -m state --state NEW -j ACCEPT
iptables -A block -j DROPDon't forget to turn IP forwarding on, otherwise this probably won't work.On a redhat 7.[2|3] system after entering this you can simply type:
iptables-save > /etc/sysconfig/iptablesThis will create your iptables config file which will load automagicallyat every boot up.
Assign alias IP addresses to the eth0 interfaces of NAT BOX 1 and 2
The key to making this work is to remap the IP addresses you are interestedin accessing to a different subnet. For our example, let's say we interestedin communicating with address range 192.168.150.10 through 12 on Network 3.
On NAT BOX 1, create 3 new alias interfaces on eth0, e.g.
ifconfig eth0:0 192.168.180.181 netmask 255.255.255.0
ifconfig eth0:1 192.168.180.182 netmask 255.255.255.0
ifconfig eth0:2 192.168.180.183 netmask 255.255.255.0On NAT BOX 2, create 3 new alias interfaces on eth0, e.g.
ifconfig eth0:0 10.15.15.181 netmask 255.255.255.0
ifconfig eth0:1 10.15.15.182 netmask 255.255.255.0
ifconfig eth0:2 10.15.15.183 netmask 255.255.255.06.2 Create Static NAT Mappings on NAT BOX 1
On NAT BOX 1, create 3 new mappings on eth0:
iptables -t nat -A PREROUTING -d 192.168.180.181 -i eth0 \
-j DNAT --to-destination 10.15.15.181
iptables -t nat -A PREROUTING -d 192.168.181.182 -i eth0 \
-j DNAT --to-destination 10.15.15.182
iptables -t nat -A PREROUTING -d 192.168.181.183 -i eth0 \
-j DNAT --to-destination 10.15.15.183and 1 SOURCE NAT map:
iptables -A POSTROUTING -s 192.168.150.0/255.255.255.0 \
-d 10.15.15.0/255.255.255.0 -j SNAT -o eth1 \
--to-source 10.15.15.1This takes care of NAT BOX 1, and allows you to talk to NAT BOX 2.
You can test it at this point and make sure that NAT box 1 is set up.Typically ssh'ing to one of the alias addresses will allow you to loginto NAT box 2 and make sure you haven't done anything silly. If thisworks then you are good to go.
6.3 Create Static NAT Mappings on NAT BOX 2
On NAT BOX 2, create 3 new mappings on eth0:
iptables -t nat -A PREROUTING -d 10.15.15.181 -i eth0 \
-j DNAT --to-destination 192.168.150.10
iptables -t nat -A PREROUTING -d 10.15.15.182 -i eth0 \
-j DNAT --to-destination 192.168.150.11
iptables -t nat -A PREROUTING -d 10.15.15.183 -i eth0 \
-j DNAT --to-destination 192.168.150.12and 1 SOURCE NAT map to our target destinations:
iptables -A POSTROUTING -s 10.15.15.0/24 \
-d 192.168.150.0/24 -j SNAT -o eth1 \
--to-source 192.168.150.252You should now be done. Now it is possible to access 192.168.150.150 through152 on network 3 via the addresses 192.168.180.181-183 on network 2 fromnetwork 1. I told you it was evil.