Assign different local IP for each TCP Session using iptables

I have a service at a client that accepts only one connection per IP address. Due to this security directive, I followed the article https://access.redhat.com/knowledge/solutions/21614, but with no success.

I used an IP range like this:
iptables -t nat -A POSTROUTING -d 32.8.0.0/16 -j SNAT --to-source 10.8.81.49-10.8.81.62

If I make two or more connections from the same source (client) station, all the connections are mapped to the same SNAT address by iptables. I need to map each TCP session to a different address, to allow N connections from the same source station. Does anyone know if it is possible to do this using iptables?

Responses

It's an interesting question, Ricardo! Looks like you might have the community stumped for the time being. I'll see if I can find someone to help you out.

Hello Ricardo - I have some additional questions:

Is the client using the same IP for multiple connection attempts to your NAT'd server?

What application/protocol/port are you using?

Is there any sort of network-based router or F5 in between the client and server?

I'll admit that I don't fully understand how to technically solve your task - but I am surprised that you would not have needed to enable ip_forwarding (which is not in that how-to you forwarded).

OK, your question is not entirely clear. Are you asking "how do I use iptables to limit the number of connections coming in from any given client" or "how do I use iptables to make six outbound connections from client 'A' appear to come from client A1, A2, A3, A4, A5 and A6"? The former is trivial; the latter is a bit more difficult and is likely to have consequences that you really don't want (i.e., a lot of client-server interactions involve more than one port; trying to limit connections can easily break normal comms between the client and server). You'd probably need a fairly complex conntrack rule to handle what you're looking to do.

Hello,

What I understood from the question is:

The 32.8.0.0/16 range is assigned to the client, which accepts only one connection per IP. Am I right?

Now, using this iptables rule "iptables -t nat -A POSTROUTING -d 32.8.0.0/16 -j SNAT --to-source 10.8.81.49-10.8.81.62", you want approximately 14 connections (49 - 62) to be established at the same time from the same source using this random range. Right?

Can you share which kernel you are using?

This is what I found in the man page. It may be helpful:

man iptables:

SNAT
    This target is only valid in the nat table, in the POSTROUTING chain. It specifies that the source address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one type of option:

    --to-source ipaddr[-ipaddr][:port[-port]]
        which can specify a single new source IP address, an inclusive range of IP addresses, and optionally, a port range (which is only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, then source ports below 512 will be mapped to other ports below 512: those between 512 and 1023 inclusive will be mapped to ports below 1024, and other ports will be mapped to 1024 or above. Where possible, no port alteration will

******************************

    In Kernels up to 2.6.10, you can add several --to-source options. For those kernels, if you specify more than one source address, either via an address range or multiple --to-source options, a simple round-robin (one after another in cycle) takes place between these addresses. Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges anymore.

******************************

Thanks,

Rupesh Patel

Hi Ricardo

Let's say you have multiple IP addresses ready for SNAT on the source machine. On the source machine itself, if you could implement iptables, you would intercept them in nat/OUTPUT, check if the connection was ESTABLISHED already and pass it through; else, if the connection is NEW, pass it through a series of chains where connection limits are checked for each possible SNAT address. If the connection limits say that the packet can be sent through, the packet is marked to be picked up later by a chain of the intended SNAT address in nat/POSTROUTING. If the end of the connection-limit checking chains is reached, then the packet is marked for removal and can be REJECTed in filter/OUTPUT. Should you need to deploy this on a router, the OUTPUT chains would need substitution.

For a quick and dirty sample iptables-save output of the described process, have a look at http://pastebin.com/aHZ5KAdt . 192.168.11.101 is the destination server here, and 192.168.11.102, .242 and .252 are IPs on the source. I only minimally tested this against an Apache access_log, so it may have some caveats or other issues. But it looks like iptables can do the job! And generation of such rules with accuracy should certainly be done via a script.

Let me know if you need more help on this. Comments/improvements welcome from all.
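An added example, not Dhruv's pastebin ruleset and not code from anyone in this thread: a POSIX shell script that generates an iptables-restore ruleset spreading new outbound TCP sessions across several SNAT addresses, one address per session. Instead of Dhruv's mark-and-connlimit chains it selects the address with the `statistic` match in `nth` mode: the nat table is consulted only for the first packet of a connection, so a chain of `--mode nth` rules hands each new session to the next address in turn. That rebuilds the round-robin which, as the man page excerpt above says, kernels from 2.6.11 on no longer do for a `--to-source` range (on those kernels the address within a range is chosen by hashing the connection's original source and destination addresses, which is why every session from one client to one server lands on the same SNAT address). A second function emits the server-side "one connection per client IP" rule for the case Thomas called trivial. The destination network and address range are the ones from the question; the chain name SNAT_RR and server port 8080 are assumptions. Nothing is applied to the running kernel: the script only prints.

```shell
#!/bin/sh
# Added example, not from the thread: generate iptables-restore text that
# assigns each NEW outbound TCP session to the next address of a SNAT pool.
# Selection uses xt_statistic's nth mode; the nat table is consulted only
# for the first packet of a connection, so each rule fires once per session.
# Assumed values: chain name SNAT_RR, server port 8080. The destination
# network and the address range below are the ones from the question.

DEST_NET="32.8.0.0/16"
SNAT_RANGE="10.8.81.49-10.8.81.62"

# expand_range "a.b.c.X-a.b.c.Y": print one address per line (single /24 only).
expand_range() {
    first="${1%-*}"; last="${1#*-}"
    prefix="${first%.*}"
    [ "${last%.*}" = "$prefix" ] || { echo "range must stay within one /24" >&2; return 1; }
    i="${first##*.}"
    while [ "$i" -le "${last##*.}" ]; do
        echo "$prefix.$i"
        i=$((i + 1))
    done
}

# gen_snat_rules DEST_NET ADDR [ADDR ...]: print a nat table for iptables-restore.
# With n addresses, rule k takes every (n-k+1)-th session that reaches it and
# lets the rest fall through, so all n addresses are used evenly, one per new
# session; the last address is unconditional and catches what remains.
gen_snat_rules() {
    dest="$1"; shift
    remaining=$#
    [ "$remaining" -ge 1 ] || { echo "need at least one SNAT address" >&2; return 1; }
    echo "*nat"
    echo ":SNAT_RR - [0:0]"
    echo "-A POSTROUTING -d $dest -p tcp -j SNAT_RR"
    for addr in "$@"; do
        if [ "$remaining" -gt 1 ]; then
            echo "-A SNAT_RR -m statistic --mode nth --every $remaining --packet 0 -j SNAT --to-source $addr"
        else
            echo "-A SNAT_RR -j SNAT --to-source $addr"
        fi
        remaining=$((remaining - 1))
    done
    echo "COMMIT"
}

# gen_connlimit_rule PORT: the server-side "one connection per client IP" rule
# for the filter table; a second SYN from an address that already holds a
# connection is answered with a reset.
gen_connlimit_rule() {
    echo "-A INPUT -p tcp --dport $1 --syn -m connlimit --connlimit-above 1 --connlimit-mask 32 -j REJECT --reject-with tcp-reset"
}

# Print the client-side ruleset for the question's addresses; nothing is applied.
# Server side (filter table) would be: gen_connlimit_rule 8080
gen_snat_rules "$DEST_NET" $(expand_range "$SNAT_RANGE")
```

Run as `sh snat-rr.sh | iptables-restore --noflush` on the source host (root required; `--noflush` keeps the other rules you already have). Because the nat table decides once per session, the scheme only guarantees distinct addresses while no more sessions are open at the same time than there are addresses in the pool: with 14 addresses, the 15th concurrent session cycles back to an address still in use and the one-connection-per-IP service will refuse it. Nothing here needs ip_forward, since the SNAT happens on the host that originates the connections; it would be needed only if, as Dhruv notes, the rules were moved to a router in between.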

That's a really interesting solution, Dhruv. Thanks!

Hello guys,

Let me explain a little bit more about my problem:

Like Thomas Jones said: "how do I use iptables to make six outbound connections from client 'A' appear to come from client A1, A2, A3, A4, A5 and A6" - this is exactly the problem I have.

I'm using kernel = 2.6.32-279.19.1.el6.x86_64 and iptables = 1.4.7-5.1.el6_2

I will try the solution of our friend Dhruv tonight (because I cannot test it during working hours) and post the results here.

Thanks for all the help.