Score:0

iptables: How best to DNAT/SNAT with a dynamic (DHCP) address


I am looking into building something like a "VPN satellite device". Basically a Linux box that can be used in any typical home network. It should obtain a DHCP lease, connect to a VPN server, and then forward/DNAT/SNAT certain ports to an address within the VPN. So, basically, it provides certain services that are hosted within the VPN, as if they were hosted on the satellite device.

First question: Does this technique have a name already? Is this a well known pattern (or anti-pattern) I can read about somewhere?

Going into the details, there is a specific problem: as it seems, I need to specify the local IP when setting up DNAT/SNAT. At least, that is the cleanest way, I assume.

I came up with some interfaces and IP addresses as an example; the device has:

  • eth0 with an address obtained through DHCP. Let's assume it's 192.168.1.13, but I need code/rules that are agnostic of that address.
  • wg0 (the vpn interface) with IP 10.0.0.17. This is an address I know for sure. I can use it in code/rules. On that network, there is a server with IP 10.0.0.1.

Let's assume the server on 10.0.0.1 has an HTTP service running on port 80. I want to set up my satellite box to provide this service on port 80 to whatever home network it is plugged into.

For this, I could have rules like:

iptables -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.1.13 --dport 80 -j DNAT --to-destination 10.0.0.1
iptables -t nat -A POSTROUTING -o wg0 -d 10.0.0.1 -p tcp --dport 80 -j SNAT --to 10.0.0.17

But, obviously, this uses the DHCP-obtained address 192.168.1.13, which I do not know in advance. Which is basically the heart of my question.

How do I solve this in the cleanest way? In the end, I want to forward about three ports in this way. I basically see two options:

a) create a script that re-sets the iptables rules and is executed after the DHCP client has obtained an address

b) define such rules in a way that they do not require the locally obtained IP address.

a) is feasible, but looks a bit quirky to me. For b), I am not sure if it's really possible and does not generate side effects, like DNAT/SNAT-ing too many packets.

xrisk
Not sure if I understand correctly, but why do you need a `-d` filter on the `PREROUTING` rule? The fact that you specify the incoming interface should be sufficient. All traffic on that interface is going to be addressed to the DHCP given IP address anyway.
xrisk
Also, your `POSTROUTING` rule isn’t going to work. You need to SNAT it to your DHCP address, which isn’t possible of course — so you need to use `-j MASQUERADE`, which is probably what you’re looking for.
philipp
I think you do understand correctly :) It just doesn't feel correct to DNAT everything incoming on an interface. I am not an expert here. Are there packets I would DNAT which I shouldn't? That's why I am asking...
philipp
I don't need MASQUERADE, though, as far as I know. I have seen this working with DNAT and SNAT, but with a known local IP. Also, the `POSTROUTING` rule does not contain `192.168.1.` addresses, so it should be fine anyway.
xrisk
The outgoing packets on `wg0` will have source `10.0.0.1` and destination IP `10.0.0.17`. If you don’t DNAT them, they will never reach the correct destination.
A.B
I agree with @xrisk's first comment: -d is just not needed. I don't agree with xrisk's other comments: SNAT-ing to the other fixed system's IP is completely fine (it could even be SNAT-ed to something completely different such as 172.17.17.17, or kept as is (like a client's original 192.168.1.42), but then the remote WG peer would have to allow it in the WG configuration and have a route to it (through WG)).
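One way to write option b) from the question, following A.B's point that `-d` is not needed, as an added example that is not part of any post in this thread: the interface names, 10.0.0.17, 10.0.0.1 and port 80 come from the question; the extra ports, the helper names and the use of the iptables `addrtype` and `conntrack` matches are my own assumptions. The PREROUTING rule never names the LAN address; `-i eth0` plus `-m addrtype --dst-type LOCAL` restricts the DNAT to packets that arrived on eth0 and are addressed to one of the box's own addresses, whatever DHCP handed out, so nothing transiting to other hosts gets rewritten.

```shell
#!/bin/sh
# Added example, not from the thread: address-agnostic DNAT/SNAT for the
# "VPN satellite" box (option b).  Helper names, the port list and the
# addrtype/conntrack matches are assumptions of this example.

LAN_IF="${LAN_IF:-eth0}"            # DHCP side, address unknown in advance
VPN_IF="${VPN_IF:-wg0}"             # WireGuard side, fixed address
VPN_LOCAL="${VPN_LOCAL:-10.0.0.17}" # our address inside the VPN
VPN_SERVER="${VPN_SERVER:-10.0.0.1}" # service host inside the VPN
PORTS="${PORTS:-80 443 8080}"       # constructed list ("about three ports")

# nat table: one DNAT + one SNAT rule per port.  No LAN address appears:
# "-i eth0 -m addrtype --dst-type LOCAL" means "arrived on eth0 and is
# addressed to this host", so traffic to other hosts is left alone.
# SNAT to the fixed wg0 address, exactly as in the question.
build_nat_rules() {
    for p in $PORTS; do
        printf 'iptables -t nat -A PREROUTING -i %s -m addrtype --dst-type LOCAL -p tcp --dport %s -j DNAT --to-destination %s\n' \
            "$LAN_IF" "$p" "$VPN_SERVER"
        printf 'iptables -t nat -A POSTROUTING -o %s -d %s -p tcp --dport %s -j SNAT --to-source %s\n' \
            "$VPN_IF" "$VPN_SERVER" "$p" "$VPN_LOCAL"
    done
}

# filter table: FORWARD sees the packet after DNAT, so match the VPN server
# and the forwarded ports only; replies are limited to existing connections.
# Required when the FORWARD policy is DROP, which it should be on this box.
build_forward_rules() {
    for p in $PORTS; do
        printf 'iptables -A FORWARD -i %s -o %s -d %s -p tcp --dport %s -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\n' \
            "$LAN_IF" "$VPN_IF" "$VPN_SERVER" "$p"
    done
    printf 'iptables -A FORWARD -i %s -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
        "$VPN_IF" "$LAN_IF"
}

# Returns 0 when no rule mentions a 192.168.x.x address, i.e. the set can be
# installed once at boot instead of from a DHCP client hook (option a).
rules_are_address_agnostic() {
    ! { build_nat_rules; build_forward_rules; } | grep -q '192\.168\.'
}

# Install: enable forwarding, then feed the whole set to one "sh -e" so a
# rule that fails to load aborts the rest.  Needs root: "sh script.sh apply".
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1
    { build_nat_rules; build_forward_rules; } | sh -e
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     build_nat_rules; build_forward_rules ;;  # dry run: only print
esac
```

Run without arguments it prints the rule set for review; with `apply` it installs it. Because nothing in the set depends on the DHCP lease, the script can be run once from the boot sequence, and the dhclient hook of option a) is not needed.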