14

I use the auto generated rules that come from OpenWRT as an example of NAT reflection (NAT loopback).

So let's pretend there's a network 192.168.1.0/24 with two hosts (+ router): 192.168.1.100 and 192.168.1.200. The router has two interfaces LAN (br-lan) and WAN (eth0). The LAN interface has an IP 192.168.1.1 and the WAN interface has an IP 82.120.11.22 (public). There's a www server on 192.168.1.200. We want to connect from 192.168.1.100 to the web server using the public IP address.

If you wanted to redirect WAN->LAN so people from the internet can visit the web server, you would add the following rules to iptables:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.200:80

I know what the rules mean. But there are also two other rules, which are responsible for NAT reflection. One of them isn't as clear to me as the ones above. So the first rule looks like this:

iptables -t nat -A PREROUTING -i br-lan -s 192.168.1.0/24 -d 82.120.11.22/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.200

And this means that all the traffic from the 192.168.1.0/24 network that is destined to the public IP to the port 80 should be sent to the local web server, which means that I type the public IP in firefox and I should get the page returned by the server, right? All the other forwarding magic in the filter table was already done, but I still can't connect to the web server using the public IP. The packet hit the rule, but nothing happens.

We need another nat rule in order to make the whole mechanism work:

iptables -t nat -A POSTROUTING -o br-lan -s 192.168.1.0/24 -d 192.168.1.200/32 -p tcp -m tcp --dport 80 -j SNAT --to-source 192.168.1.1

I don't know why the rule is needed. Can anyone explain what exactly the rule does?

3
  • Are you running any transparent proxy for HTTP? squid? Commented May 9, 2016 at 17:05
  • 1
    No I'm just testing NAT reflection. The web server is just uhttpd. Commented May 9, 2016 at 17:13
  • 1
    I do not usually use it. I prefer to use DNS with views. Commented May 9, 2016 at 17:34

2 Answers

27

For a NAT to work properly both the packets from client to server and the packets from server to client must pass through the NAT.

Note that the NAT table in iptables is only used for the first packet of a connection. Later packets related to the connection are processed using the internal mapping tables established when the first packet was translated.

iptables -t nat -A PREROUTING -i br-lan -s 192.168.1.0/24 -d 82.120.11.22/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.200

With just this rule in place the following happens.

  • The client creates the initial packet (tcp syn) and addresses it to the public IP. The client expects to get a response to this packet with the source ip/port and destination ip/port swapped.
  • Since the client has no specific entries in its routing table it sends it to its default gateway. The default gateway is the NAT box.
  • The NAT box receives the initial packet, modifies the destination IP, establishes a mapping table entry, looks up the new destination in its routing table and sends the packets to the server. The source address remains unchanged.
  • The Server receives the initial packet and crafts a response (syn-ack). In the response the source IP/port is swapped with the destination IP/port. Since the source IP of the incoming packet was unchanged the destination IP of the reply is the IP of the client.
  • The Server looks up the IP in its routing table and sends the packet back to the client.
  • The client rejects the packet because the source address doesn't match what it expects.

iptables -t nat -A POSTROUTING -o br-lan -s 192.168.1.0/24 -d 192.168.1.200/32 -p tcp -m tcp --dport 80 -j SNAT --to-source 192.168.1.1

Once we add this rule the sequence of events changes.

  • The client creates the initial packet (tcp syn) and addresses it to the public IP. The client expects to get a response to this packet with the source ip/port and destination ip/port swapped.
  • Since the client has no specific entries in its routing tables it sends it to its default gateway. The default gateway is the NAT box.
  • The NAT box receives the initial packet, following the entries in the NAT table it modifies the destination IP, source IP and possibly source port (source port is only modified if needed to disambiguate), establishes a mapping table entry, looks up the new destination in its routing table and sends the packets to the server.
  • The Server receives the initial packet and crafts a response (syn-ack). In the response the source IP/port is swapped with the destination IP/port. Since the source IP of the incoming packet was modified by the NAT box the destination IP of the packet is the IP of the NAT box.
  • The Server looks up the IP in its routing table and sends the packet back to the NAT box.
  • The NAT box looks up the packet's details (source IP, source port, destination IP, destination port) in its NAT mapping tables and performs a reverse translation. This changes the source IP to the public IP, the source port to 80, the destination IP to the client's IP and the destination port back to whatever source port the client used.
  • The NAT box looks up the new destination IP in its routing table and sends the packet back to the client.
  • The client accepts the packet.
  • Communication continues with the NAT translating packets back and forth.
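As an added illustration (not part of the original answer), the following Python model walks through the two sequences above with a minimal connection-tracking table: with DNAT alone the server's reply goes straight to the client on the LAN and is rejected, with the SNAT rule it comes back to the router and is untranslated. The client source port 45000 and the "does the reply reach the NAT box" check are constructed assumptions of this model.

```python
# Added example: a toy model of the NAT box's conntrack table for the
# hairpin case described on this page. Not OpenWRT's or netfilter's code.
from dataclasses import dataclass, replace

PUBLIC_IP, LAN_IP = "82.120.11.22", "192.168.1.1"       # router WAN / LAN IPs
CLIENT, SERVER = "192.168.1.100", "192.168.1.200"       # hosts on br-lan


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


def swap(p):
    """Reply tuple: source and destination IP/port swapped."""
    return Pkt(p.dst, p.dport, p.src, p.sport)


def nat_forward(syn, snat):
    """NAT box handling the first packet (client SYN) of a connection.
    Returns the packet sent to the server and the conntrack entry it records."""
    out = syn
    # PREROUTING DNAT: LAN -> public IP:80 is redirected to the web server.
    if syn.dst == PUBLIC_IP and syn.dport == 80:
        out = replace(out, dst=SERVER)
    # POSTROUTING SNAT (second rule only): source becomes the router's LAN IP.
    # Port is kept; netfilter only changes it if needed to disambiguate.
    if snat and out.dst == SERVER and out.dport == 80:
        out = replace(out, src=LAN_IP)
    return out, {"original": syn, "translated": out}


def deliver_reply(reply, entry):
    """Model of the reply path. Server and client share a subnet, so a reply
    addressed to the client's IP is delivered directly and the NAT box never
    sees it (assumption of this model); only replies addressed to the router
    reach conntrack and get the reverse translation."""
    if reply.dst not in (LAN_IP, PUBLIC_IP):
        return reply
    if reply == swap(entry["translated"]):      # matches the mapping entry
        return swap(entry["original"])          # undo DNAT (+ SNAT)
    return reply


def simulate(snat):
    """Run one SYN/SYN-ACK exchange; returns (client_accepts, reply seen by client)."""
    syn = Pkt(CLIENT, 45000, PUBLIC_IP, 80)     # constructed client source port
    to_server, ct = nat_forward(syn, snat)
    reply = deliver_reply(swap(to_server), ct)  # server replies by swapping
    return reply == swap(syn), reply            # client expects exact swap of its SYN
```

`simulate(False)` yields a reply sourced from 192.168.1.200 that the client drops; `simulate(True)` yields a reply sourced from 82.120.11.22:80, which it accepts.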

0

It sounds like it enforces that the reverse traffic also flows through openwrt, by rewriting the source address that the webserver will see.

If the webserver replied directly to the client, the source address for those packets would still be that of the webserver. But the client is trying to talk to the openwrt IP. Therefore the reply packets would be discarded.

You don't need this enforcement in the first case, because the route from the webserver to the clients across the internet already goes through the openwrt box.
