November 23, 2024, 08:09:24 AM

News : LinuxSolved.com Linux Help Community Forum..


Author Topic: How to configure full cone NAT with iptables ?  (Read 12087 times)

Offline lvl1s7a

  • New Member
  • Posts: 1
How to configure full cone NAT with iptables ?
« on: January 10, 2012, 10:39:24 AM »
Hi Experts;

I want to find the right iptables commands combination to address the following need:

- NEs are NATed thru the linux box (using iptables) towards the WAN cloud, where the NTP servers are situated.
- In order to achieve redundancy, the NTP Servers are in a load balancing cluster with one virtual IP address (172.30.4.245)
- The problem is that when the NEs request for NTP updates using the 172.30.4.245, the NTP response is received from one of the actual IP addresses (.200, .230 .240).

Example:

The iptables is not allowing this flow, which is a normal behaviour since the requested vs responding address are not the same (172.30.4.245 vs 172.30.4.230) :

Request : UDP 10.68.2.11:23445 ---> 172.30.4.245:123 (this is Before NAT, of course after NAT the source is 10.23.14.72)
Response: UDP 172.30.4.230:123 ---> 10.23.14.72:23445 (Response to the WAN address)

I'm wondering if there is any way to let iptables establish the UDP flow only based on the (s-port/d-port) regardless of the IP addresses, and execute the NAT back to the LAN based on that.

UDP/NTP is just an example, almost all the needed services are setup in the same way (load balancing in Cluster).







Appreciate your help !

Thanks & Regards
lvl1s7a
« Last Edit: January 10, 2012, 10:42:02 AM by lvl1s7a »