
Static NAT w/ iptables problem

Posted on 2004-08-14
Last Modified: 2012-08-14
Hello,

I'm trying to set up a firewall to do static NAT between two networks:

   internal network
    192.168.1.0/24

   server 192.168.1.3
       |
     LAN_IF 192.168.1.7
    Firewall
     EXT_IF 10.80.137.1, 10.80.137.10
       |
      DMZ
    10.80.137.0/24

'server' should be reachable from the DMZ by talking to 10.80.137.1. That
address has no other purpose.
Default policies are currently ACCEPT. All the tables have been cleared before
I installed the rules posted below.
Testing is done by connecting a dedicated computer to each interface and trying
to reach the one on the internal net from the DMZ. The firewall can reach each
computer and each computer can reach the firewall (ping).

My rules so far don't work. I can not reach 'server' by talking to 10.80.137.1
on the external IF of the Firewall. Any idea why?

I hope that the fact that both networks are private networks does not create a
problem here.

------------------------------------------------
ifconfig eth1 add 10.80.137.1 netmask 255.255.255.0

echo "Clearing current rules ..."
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# LAN: 192.168.1.0/24
LAN_IF=eth0
# EXT: 10.80.137.0/24
EXT_IF=eth1

# 'server':
EXT_DS=10.80.137.1
DS=192.168.1.195

IPTABLES=/sbin/iptables

# (Connections originating from the DMZ)
$IPTABLES -t nat -A PREROUTING -d $EXT_DS -i $EXT_IF -j DNAT --to-destination $DS
$IPTABLES -A FORWARD -p all -i $EXT_IF -o $LAN_IF -d $DS -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -t filter -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT

# (Connections originating from internal)
$IPTABLES -t nat -A POSTROUTING -s $EXT_DS -o $EXT_IF -j SNAT --to-source $DS
$IPTABLES -A FORWARD -t filter -i $LAN_IF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

------------------------------------------------

Thanks in advance
  Markus

---------------------------------------------------------------------------------
| Dipl. Inform. Markus Trümper             |                                    |
|                                          | Daewoo Automobile Deutschland GmbH |
| email:   m.truemper@daewoo-automobile.de | Lindenstraße 110                   |
| www:     http://www.daewoo-automobile.de | 28755 Bremen                       |
| Telefon: +49 (0)421 668-4138             | Germany                            |
| Fax:     +49 (0)421 668-4192             |                                    |
---------------------------------------------------------------------------------
Question by:Caligostro
13 Comments
 
LVL 6

Expert Comment

by:de2Zotjes
ID: 11801693
Silly question, but did you enable ip-forwarding?

to get current state:
cat /proc/sys/net/ipv4/ip_forward

to set forwarding on:
echo 1 > /proc/sys/net/ipv4/ip_forward
 
LVL 2

Expert Comment

by:rmharwood
ID: 11801721
Your "diagram" shows your server on 192.168.1.3 but your script has it as 192.168.1.195

Which is the correct one?

Plus, the first rule under "Connections originating from internal", shouldn't you be source-NAT'ing from $DS to $EXT_DS ?

Or maybe I'm completely misunderstanding :)
 
LVL 9

Assisted Solution

by:e-tsik
e-tsik earned 250 total points
ID: 11802981
Hi :-)

1.
First, I assume that you have enabled ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

2.
If all your polices are accept, then all those filter lines do not do anything.

3.
DNAT is required, but without the -i $EXT_IF
$IPTABLES -t nat -A PREROUTING -d $EXT_DS -j DNAT --to-destination $DS

I would also remove the secondary IP address and add a static route on the router (and the testing computer)
route add 10.80.137.1 10.80.137.10
(or on linux)
route add 10.80.137.1 gw 10.80.137.10

4.
SNAT will never work, unless you want to define a static route on all your local system(s):
route add 192.168.1.195

Hope it helps...
 
LVL 5

Accepted Solution

by:brabard
brabard earned 250 total points
ID: 11803333
>>I'm trying to set up a firewall to do static NAT between two networks:

If you want two neighbouring private networks only to talk to each other, you don't need any NAT. NAT is for internetworking purposes. You only need routes between server and client. Regardless of other routes, assuming your server is 192.168.1.3 and your client is 10.80.137.3, you have to:
1. route add -net 192.168.1.0/24 gw 10.80.137.10 ##on the client
2. route add -net 10.80.137.0/24 gw 192.168.1.7 ##on the server
3. remove iptables -t nat from the firewall.

In the second case, if you really need the server to be shown as 10.80.137.1 to the clients from the 10.80.137.0 network, you have to change iptables on the firewall as follows:
iptables -F
iptables -t nat -F
iptables -t mangle -F

#For requests to server :
iptables -t nat -A PREROUTING -i eth1 -d 10.80.137.1 -j DNAT --to 192.168.1.3
iptables -A FORWARD  -i eth1 -d 192.168.1.3 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -d 192.168.1.3 -j DROP

#For server's replies :
iptables -t nat -A POSTROUTING -s 192.168.1.3 -d 10.80.137.0/24 -j SNAT --to 10.80.137.1
iptables -A FORWARD  -s 192.168.1.3 -d 10.80.137.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD  -s 192.168.1.3 -d 10.80.137.0/24 -j DROP

This will work if you don't have services in active mode. But you can add --state NEW in the second-to-last line.
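A complete one-to-one (static) NAT rule set in the shape the accepted answer describes, written as an added example rather than taken from the thread. It keeps the thread's interface names and addresses and assumes the diagram's server address (192.168.1.3) is the right one; `iptables` and `ip` are assumed to be available when the rules are actually applied (APPLY=1). Unlike the original script it sets a DROP policy on FORWARD, so the filter rules actually decide something, and it emits the rules as text first so they can be read or compared before they touch the kernel.

```shell
#!/bin/sh
# Added example, not the original poster's script: static 1:1 NAT of an
# internal host onto a DMZ-side address with iptables.

LAN_IF=eth0              # 192.168.1.0/24 (from the thread)
EXT_IF=eth1              # 10.80.137.0/24 (from the thread)
EXT_DS=10.80.137.1       # address the DMZ talks to (from the thread)
DS=192.168.1.3           # the real server; assumption: the diagram value, not .195

# forwarding_enabled [FILE]: true when ip_forward reads 1. FILE is overridable
# so the check can be exercised without touching /proc.
forwarding_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# One rule per line. DNAT rewrites DMZ->EXT_DS to the server; SNAT makes
# connections the server itself opens toward the DMZ appear as EXT_DS.
# Replies to DNATed connections are un-NATed by conntrack automatically, so
# the SNAT rule only ever matters for server-originated connections.
# Drop NEW from the LAN-side FORWARD rule if the server must only answer.
static_nat_rules() {
    cat <<EOF
-t nat -A PREROUTING -i $EXT_IF -d $EXT_DS -j DNAT --to-destination $DS
-t nat -A POSTROUTING -o $EXT_IF -s $DS -j SNAT --to-source $EXT_DS
-A FORWARD -i $EXT_IF -o $LAN_IF -d $DS -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $EXT_IF -s $DS -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
EOF
}

apply_rules() {
    ipt=${IPTABLES:-/sbin/iptables}
    # The DMZ side must resolve EXT_DS to this box's MAC: either hold the
    # address on EXT_IF (what the poster did) or publish it with proxy ARP.
    ip addr add "$EXT_DS/24" dev "$EXT_IF" 2>/dev/null || true
    forwarding_enabled || echo 1 > /proc/sys/net/ipv4/ip_forward
    $ipt -P FORWARD DROP        # default deny; only the rules below open paths
    $ipt -F FORWARD
    $ipt -t nat -F
    static_nat_rules | while IFS= read -r rule; do
        # word splitting of $rule is intended: each line is one argument list
        $ipt $rule
    done
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_rules
else
    static_nat_rules        # dry run: print the rule set
fi
```

Run it without arguments to see the four rules; run `APPLY=1 sh static-nat.sh` as root to load them. Because FORWARD defaults to DROP, a path that is not opened by a rule shows up as a rising policy counter in `iptables -L FORWARD -v -n`, which is the first thing to look at when a test from the DMZ fails.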
 

Author Comment

by:Caligostro
ID: 11811149
Sorry, the problem persists. Thanks for all suggestions so far, I tried them all. But the problem persists. And yes, IP-forwarding was enabled. Still, thanks for the reminder.

For clarification, because there was some befuddlement as to why I wanted to SNAT between
two private networks:
We are part of a larger company (got purchased not too long ago). They want to access some of our servers. They provided a line and the 10.80.137.0/24 subnet with the request to map the first server they want to access to 10.80.137.1. My own internal network is 192.168.1.0/24,
so SNAT seemed to be the obvious solution. As a special quirk, the gateway machine to their network has a completely different address (public, I think) in its own little (/29) network, which is where the address of eth1 really is going to be.

If the nat works i still need to configure some routing but I think I can
do that on my own.

Again, after some modifications that didn't work, my current rule set and routes:
-------------------------------------
Netfilter/IPTABLES filter status:
-------------------------------------
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            192.168.1.195       state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        
-------------------------------------
Netfilter/IPTABLES nat status:
-------------------------------------
Chain PREROUTING (policy DROP 19 packets, 2708 bytes)
 pkts bytes target     prot opt in     out     source               destination        
    3   144 DNAT       all  --  eth1   *       0.0.0.0/0            10.80.137.1         to:192.168.1.195

Chain POSTROUTING (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 SNAT       all  --  *      eth1    192.168.1.195        0.0.0.0/0           to:10.80.137.1

Chain OUTPUT (policy ACCEPT 2 packets, 168 bytes)
 pkts bytes target     prot opt in     out     source               destination        
-------------------------------------

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.28.48    *               255.255.255.248 U     0      0        0 eth1
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
10.80.137.0     *               255.255.255.0   U     0      0        0 eth1

I now use
  ip addr add 10.80.137.1/24 brd 10.80.137.255 dev eth1 label eth1:0
to add IPs to the interface.
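The counters in the dump above already say where the packets stop: the nat PREROUTING DNAT rule matched 3 packets, while nothing in FORWARD (rules or policy) was ever hit. The following added script, not part of the thread, reads `iptables -v -n` output and turns those counters into a verdict. The dump embedded in it is constructed from the numbers the poster shows; on a real box the `IPT_DUMP` variable replaces it with live output. Interface and address names are the thread's.

```shell
#!/bin/sh
# Added example: locate the stage at which DMZ-to-server packets vanish by
# reading the per-rule and per-policy packet counters of 'iptables -v -n'.

EXT_IF=eth1
EXT_DS=10.80.137.1

# Constructed from the counters shown in the thread. Live use:
#   IPT_DUMP="$(iptables -t nat -L PREROUTING -v -n; iptables -L FORWARD -v -n)" sh nat-diag.sh
SAMPLE_DUMP='Chain PREROUTING (policy DROP 19 packets, 2708 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   144 DNAT       all  --  eth1   *       0.0.0.0/0            10.80.137.1         to:192.168.1.195

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            192.168.1.195       state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED'

# target_pkts CHAIN TARGET: sum of the pkts column of every rule in CHAIN
# whose target is TARGET (rule lines start with a number; headers do not).
target_pkts() {
    printf '%s\n' "${IPT_DUMP:-$SAMPLE_DUMP}" | awk -v chain="$1" -v tgt="$2" '
        $1 == "Chain" { inchain = ($2 == chain); next }
        inchain && $1 ~ /^[0-9]+$/ && $3 == tgt { total += $1 }
        END { print total + 0 }'
}

# policy_pkts CHAIN: packets that fell through to the chain policy.
policy_pkts() {
    printf '%s\n' "${IPT_DUMP:-$SAMPLE_DUMP}" | awk -v chain="$1" '
        $1 == "Chain" && $2 == chain && match($0, /policy [A-Z]+ [0-9]+/) {
            split(substr($0, RSTART, RLENGTH), p, " "); print p[3]; found = 1; exit }
        END { if (!found) print 0 }'
}

# Compare the stages a DMZ->server packet must pass in order:
# nat PREROUTING (DNAT) -> routing decision -> filter FORWARD (rule or policy).
diagnose() {
    dnat=$(target_pkts PREROUTING DNAT)
    fwd_ok=$(target_pkts FORWARD ACCEPT)
    fwd_drop=$(policy_pkts FORWARD)
    if [ "$dnat" -eq 0 ]; then
        echo "no packet was DNATed: traffic for $EXT_DS never arrives on $EXT_IF (ARP/route on the DMZ side)"
    elif [ "$fwd_ok" -eq 0 ] && [ "$fwd_drop" -eq 0 ]; then
        echo "DNAT matched $dnat packets but FORWARD saw none: lost at the routing step (ip_forward=0, no route to the DNAT target, or rp_filter); check 'ip route get' for the target and tcpdump on the LAN side"
    elif [ "$fwd_ok" -eq 0 ]; then
        echo "packets reach FORWARD but only the DROP policy counts them: no ACCEPT rule matches (check -i/-o and the post-DNAT -d)"
    else
        echo "packets are forwarded ($fwd_ok); look at the replies: server's route back and POSTROUTING/SNAT"
    fi
}

diagnose
```

The useful property is the ordering: a counter that is non-zero at one stage and zero at the next brackets the failure, so the check that follows (routing, ARP, rule matching) is chosen by evidence rather than by changing rules at random.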
 
LVL 6

Expert Comment

by:de2Zotjes
ID: 11814151
Ok, for some more silly remarks. Shouldn't you be using proxy-arp instead of assigning the nat address to your interface? I don't really have any rock solid reasoning for this, but I vaguely remember reading something to that effect...

So try the following:

remove all the extra addresses you put in.
echo "1" > /proc/sys/net/ipv4/conf/eth1/proxy_arp
arp -i eth1 -Ds 10.80.137.1 eth1 pub

 
LVL 9

Assisted Solution

by:e-tsik
e-tsik earned 250 total points
ID: 11814548
iptables -F
iptables -t nat -F
iptables -t mangle -F

#For requests to server :
iptables -t nat -A PREROUTING -i eth1 -d 10.80.137.1 -j DNAT --to 192.168.1.3
iptables -A FORWARD  -i eth1 -d 192.168.1.3 -m state --state NEW,INVALID,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -d 192.168.1.3 -m state --state NEW,INVALID,RELATED -j DROP

#For server's replies :
iptables -t nat -A POSTROUTING -s 192.168.1.3 -d 10.80.137.0/24 -j SNAT --to 10.80.137.1
iptables -A FORWARD  -s 192.168.1.3 -d 10.80.137.0/24 -m state --state NEW,INVALID,RELATED -j ACCEPT
iptables -A FORWARD  -s 192.168.1.3 -d 10.80.137.0/24 -m state --state NEW,INVALID,RELATED -j DROP
 
LVL 5

Assisted Solution

by:brabard
brabard earned 250 total points
ID: 11817964
e-tsik, I believe the previous post is a typing mistake... :)
Caligostro, you said you tried all suggestions, but I can't see a big difference between the last and the first firewall.
Note that the core of mine is to use IP addresses instead of physical interfaces in the PREROUTING and POSTROUTING chains.
 
LVL 9

Expert Comment

by:e-tsik
ID: 11819227
No it wasn't!

I added the states to the drop lines and changed them to NEW,INVALID,RELATED.
Can you try them again?
 
LVL 5

Expert Comment

by:brabard
ID: 11822025
No packet can reach the DROP target, because it will be matched by the ACCEPT target before.
I wonder how two different targets with one and the same match will work???
 
LVL 9

Expert Comment

by:e-tsik
ID: 11827458
Hi

Brabard, you have a relatively easy issue, and it seems you're even half way through solving it, the problem lies with the way you explain your situation.

If you would post your results of 'ifconfig' and 'route -n', then I think it would better explain the situation (to me).
*I promise* that you'll have it running if you post it :-)
 

Author Comment

by:Caligostro
ID: 11882731
The main problem turned out to be one of the NICs. Really interesting, it still responded to pings and was able to send them, but not much else ... Still, being a beginner with iptables I found your advice very valuable and helpful. Thanks to all of you for your trouble :-)
 
LVL 9

Expert Comment

by:e-tsik
ID: 11889235
Thanks!

For the benefit of the users who google to here, could you post your final working config?
