How to configure Full Cone NAT using iptables ?

For discussions about security.
lvl1s7a
Posts: 1
Joined: Tue 10 Jan 2012, 12:42

#1 Post by lvl1s7a

Hi Experts,

I want to find the right iptables command combination to address the following need:

- NEs are NATed through the Linux box (using iptables) towards the WAN cloud, where the NTP servers are situated.
- In order to achieve redundancy, the NTP servers are in a load-balancing cluster with one virtual IP address (172.30.4.245).
- The problem is that when the NEs request NTP updates using 172.30.4.245, the NTP response is received from one of the actual IP addresses (.200, .230, .240).

Example:

iptables is not allowing this flow, which is normal behaviour since the requested and responding addresses are not the same (172.30.4.245 vs 172.30.4.230):

Request : UDP 10.68.2.11:23445 ---> 172.30.4.245:123 (this is before NAT; after NAT the source is of course 10.23.14.72)
Response: UDP 172.30.4.230:123 ---> 10.23.14.72:23445 (response to the WAN address)

I'm wondering if there is any way to let iptables establish the UDP flow based only on the (s-port/d-port), regardless of the IP addresses, and execute the NAT back to the LAN based on that.

UDP/NTP is just an example; almost all the needed services are set up in the same way (load balancing in a cluster).

Appreciate your help!

Thanks & Regards
lvl1s7a
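Added example, not from the original post: a small Python model that replays the flow above against two kinds of reverse mapping, the reply-tuple lookup that stock netfilter conntrack performs (which is why the reply from 172.30.4.230 is dropped) and a full-cone lookup keyed on the WAN port alone. `Packet`, `Nat` and `ntp_exchange` are hypothetical names; the addresses and ports are the post's.

```python
from dataclasses import dataclass

# Addresses and ports from the post; the NAT model itself is constructed.
WAN_IP = "10.23.14.72"                      # NAT box's WAN-side address
NE_IP, NE_PORT = "10.68.2.11", 23445        # LAN network element
NTP_VIP, NTP_PORT = "172.30.4.245", 123     # cluster virtual IP
NTP_MEMBER = "172.30.4.230"                 # real member that answers

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class Nat:
    """Hypothetical masquerading box.  full_cone=False mimics stock netfilter
    conntrack (reverse mapping keyed on the full reply tuple, so only the
    peer the request went to can answer); full_cone=True keys the mapping
    on the external (WAN_IP, port) alone, so any WAN host can reach it."""

    def __init__(self, full_cone: bool):
        self.full_cone = full_cone
        self.mappings = {}  # lookup key -> (lan_ip, lan_port)

    def outbound(self, pkt: Packet) -> Packet:
        # Source port is preserved, as in the post (23445 stays 23445).
        if self.full_cone:
            key = (WAN_IP, pkt.sport)
        else:
            key = (pkt.dst, pkt.dport, WAN_IP, pkt.sport)
        self.mappings[key] = (pkt.src, pkt.sport)
        return Packet(WAN_IP, pkt.sport, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet):
        """Translate a WAN packet back to the LAN, or return None if dropped."""
        if self.full_cone:
            key = (pkt.dst, pkt.dport)
        else:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        target = self.mappings.get(key)
        if target is None:
            return None  # no conntrack match: packet is NEW, no DNAT, dropped
        return Packet(pkt.src, pkt.sport, *target)

def ntp_exchange(full_cone: bool):
    """Replay the post's flow: request to the VIP, reply from a real member."""
    nat = Nat(full_cone)
    nat.outbound(Packet(NE_IP, NE_PORT, NTP_VIP, NTP_PORT))
    return nat.inbound(Packet(NTP_MEMBER, NTP_PORT, WAN_IP, NE_PORT))
```

Stock iptables rules cannot be combined into the second behaviour, because conntrack always keys on the reply tuple; it takes a full-cone NAT kernel target, and the trade-off is that the mapped WAN port then accepts packets from any host, so limit it to the services that need it.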
