Debian
Oleg Aksenov, 2017-11-08 20:09:35

Why isn't the user's external IP address visible?

Good evening. I have run into a problem with routing through iptables. There is a server running Debian 9 (Xen Dom0); port 1010 is forwarded from it via iptables to a VM (DomU), on which a game server is running, and users connect to it through this port. As a result they show up with strange IP addresses, or rather they connect from strange ones:
192.168.1.1:43570
192.168.1.1:32478
And their external addresses are not visible. I don't understand what the problem is; can you tell me?
Below is the setup and how it is built.
The chain works like this: the external interface eth0 has IP address 88.90.73.149, and traffic is forwarded through iptables
to xenbr0 (a bridge), which is the gateway with address 192.168.1.1 for all VMs.

iptables -A INPUT -p udp --dport 1010 -j ACCEPT
iptables -A INPUT -p tcp --dport 1010 -j ACCEPT

iptables -t nat -I PREROUTING -p udp -d 88.90.73.149 --dport 1010 -j DNAT --to-destination 192.168.1.10:1010
iptables -t nat -I PREROUTING -p tcp -d 88.90.73.149 --dport 1010 -j DNAT --to-destination 192.168.1.10:1010

iptables -t nat -A POSTROUTING -j MASQUERADE

Thanks in advance for your replies.


2 answer(s)
Wexter, 2017-11-08
@Takun

Here is your reason: all your traffic is masqueraded, i.e. in any packet passing through this server the IP is replaced with the server's IP.

iptables -t nat -A POSTROUTING -j MASQUERADE

krosh, 2017-11-08
@krosh

This is normal, because NAT (Network Address Translation) is at work: it replaces one address in the packet headers with another, which is how you get port forwarding and hide the internal network from an external observer.
You will see the correct remote addresses in the case of a routed network, i.e. when there is no NAT, just traffic forwarding from one interface to another. Or set up a proxy server. There is also the option of a VPN server, but then each client will need to install a VPN client and everyone will be in the same virtual subnet; you will still see private ("grey") addresses on the destination server, although you can correlate public and private addresses on the VPN server. There are probably no other ways.
The INPUT rules have no effect; you can remove them. It is also recommended to change MASQUERADE to SNAT if the external address is static.
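As an added example (not code from the question or from either answer), a POSIX shell script that flags the unrestricted POSTROUTING rule in an iptables-save dump and prints a corrected ruleset in which source NAT applies only to traffic leaving through eth0. It takes eth0, xenbr0, 88.90.73.149, 192.168.1.10 and port 1010 from the question and assumes 192.168.1.0/24 as the VM network.

```shell
#!/bin/sh
# Added example (not from the question or the answers): flag the unrestricted
# MASQUERADE that hides client addresses from the DomU and print a fixed ruleset.
# eth0, xenbr0, 88.90.73.149, 192.168.1.10, port 1010: from the question; LAN_NET: assumed.
WAN_IF=eth0
WAN_IP=88.90.73.149
BR_IF=xenbr0
VM_IP=192.168.1.10
LAN_NET=192.168.1.0/24
PORT=1010
# Return 0 if a rule (iptables-save format) does source NAT without being limited
# to packets leaving through the WAN interface. Such a rule also rewrites the
# source of the DNAT'd inbound packets, so the game server sees 192.168.1.1.
nat_rule_is_unrestricted() {
  case "$1" in
    *POSTROUTING*MASQUERADE*|*POSTROUTING*SNAT*)
      case "$1" in
        *"-o $WAN_IF"*) return 1 ;;
        *) return 0 ;;
      esac ;;
    *) return 1 ;;
  esac
}
# Count such rules in iptables-save output read from stdin
# (on the real host: iptables-save -t nat | count_unrestricted_nat).
count_unrestricted_nat() {
  n=0
  while IFS= read -r line; do
    if nat_rule_is_unrestricted "$line"; then n=$((n + 1)); fi
  done
  echo "$n"
}
# Fixed rules: DNAT as before, source NAT only for LAN traffic leaving via eth0
# (SNAT to the fixed address, as the second answer suggests), and FORWARD
# accepts in place of the INPUT rules, which never match forwarded packets.
print_fixed_rules() {
  cat <<EOF
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp -d $WAN_IP --dport $PORT -j DNAT --to-destination $VM_IP:$PORT
iptables -t nat -A PREROUTING -i $WAN_IF -p udp -d $WAN_IP --dport $PORT -j DNAT --to-destination $VM_IP:$PORT
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP
iptables -A FORWARD -i $WAN_IF -o $BR_IF -p tcp -d $VM_IP --dport $PORT -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $BR_IF -p udp -d $VM_IP --dport $PORT -j ACCEPT
EOF
}
# Constructed sample of the questioner's nat table, then the audit and the fix.
SAMPLE_NAT='-A PREROUTING -p tcp -d 88.90.73.149 --dport 1010 -j DNAT --to-destination 192.168.1.10:1010
-A POSTROUTING -j MASQUERADE'
echo "unrestricted source-NAT rules: $(printf '%s\n' "$SAMPLE_NAT" | count_unrestricted_nat)"
print_fixed_rules
```

If the FORWARD chain policy is DROP, an ESTABLISHED,RELATED accept rule is also needed for the return traffic.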
