Static NAT w/ iptables problem

Hello,

I'm trying to set up a firewall to do static NAT between two networks:

   internal network
    192.168.1.0/24

   server 192.168.1.3
       |
     LAN_IF 192.168.1.7
    Firewall
     EXT_IF 10.80.137.1, 10.80.137.10
       |
      DMZ
    10.80.137.0/24

'server' should be reachable from the DMZ by talking to 10.80.137.1. That
address has no other purpose.
Default policies are currently ACCEPT. All the tables have been cleared before
I installed the rules posted below.
Testing is done by connecting a dedicated computer to each interface and trying
to reach the one on the internal net from the DMZ. The firewall can reach each
computer and each computer can reach the firewall (ping).

My rules so far don't work. I cannot reach 'server' by talking to 10.80.137.1
on the external IF of the Firewall. Any idea why?

I hope that the fact that both networks are private networks does not create a
problem here.

------------------------------------------------
ifconfig eth1 add 10.80.137.1 netmask 255.255.255.0

echo "Clearing current rules ..."
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# LAN: 192.168.1.0/24
LAN_IF=eth0
# EXT: 10.80.137.0/24
EXT_IF=eth1

# 'server':
EXT_DS=10.80.137.1
DS=192.168.1.195

IPTABLES=/sbin/iptables

# (Connections originating from the DMZ)
$IPTABLES -t nat -A PREROUTING -d $EXT_DS -i $EXT_IF -j DNAT --to-destination $DS
$IPTABLES -A FORWARD -p all -i $EXT_IF -o $LAN_IF -d $DS -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -t filter -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT

# (Connections originating from internal)
$IPTABLES -t nat -A POSTROUTING -s $EXT_DS -o $EXT_IF -j SNAT --to-source $DS
$IPTABLES -A FORWARD -t filter -i $LAN_IF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

------------------------------------------------

Thanks in advance
  Markus

---------------------------------------------------------------------------------
| Dipl. Inform. Markus Trümper             |                                    |
|                                          | Daewoo Automobile Deutschland GmbH |
| email:   m.truemper@daewoo-automobile.de | Lindenstraße 110                   |
| www:     http://www.daewoo-automobile.de | 28755 Bremen                       |
| Telefon: +49 (0)421 668-4138             | Germany                            |
| Fax:     +49 (0)421 668-4192             |                                    |
---------------------------------------------------------------------------------
Asked by: Caligostro

brabard commented:
>>I'm trying to set up a firewall to do static NAT between two networks:

If you want two neighbouring private networks only to talk to each other, you don't need any NAT. NAT is for internetworking purposes. You need only routes between server and client. No matter the other routes, assuming your server is 192.168.1.3 and your client is 10.80.137.3, you have to:
1. route add -net 192.168.1.0/24 gw 10.80.137.10 ##on the client
2. route add -net 10.80.137.0/24 gw 192.168.1.7 ##on the server
3. remove iptables -t nat from the firewall.

In the second case, if you really need the server to be shown as 10.80.137.1 for the clients from the 10.80.137.0 network, you have to change iptables on the firewall as follows:
iptables -F
iptables -t nat -F
iptables -t mangle -F

#For requests to server :
iptables -t nat -A PREROUTING -i eth1 -d 10.80.137.1 -j DNAT --to 192.168.1.3
iptables -A FORWARD  -i eth1 -d 192.168.1.3 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -d 192.168.1.3 -j DROP

#For server's replies :
iptables -t nat -A POSTROUTING -s 192.168.1.3 -d 10.80.137.0/24 -j SNAT --to 10.80.137.1
iptables -A FORWARD  -s 192.168.1.3 -d 10.80.137.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD  -s 192.168.1.3 -d 10.80.137.0/24 -j DROP

This will work if you don't have services in active mode. But you can add --state NEW in the pre-last line.

de2Zotjes commented:
Silly question, but did you enable ip-forwarding?

to get current state:
cat /proc/sys/net/ipv4/ip_forward

to set forwarding on:
echo 1 > /proc/sys/net/ipv4/ip_forward
rmharwood commented:
Your "diagram" shows your server on 192.168.1.3 but your script has it as 192.168.1.195

Which is the correct one?

Plus, the first rule under "Connections originating from internal", shouldn't you be source-NAT'ing from $DS to $EXT_DS ?

Or maybe I'm completely misunderstanding :)
e-tsik commented:
Hi :-)

1.
First, I assume that you have enabled ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

2.
If all your policies are ACCEPT, then all those filter lines do not do anything.

3.
DNAT is required, but without the -i $EXT_IF
$IPTABLES -t nat -A PREROUTING -d $EXT_DS -j DNAT --to-destination $DS

I would also remove the secondary IP address and a static route on the router (and the testing computer)
route add 10.80.137.1 10.80.137.10
(or on linux)
route add 10.80.137.1 gw 10.80.137.10

4.
SNAT will never work, unless you want to define a static route on all your local system(s):
route add 192.168.1.195

Hope it helps...
Caligostro (author) commented:
Sorry, the problem persists. Thanks for all suggestions so far, I tried them all. But the problem persists. And yes, IP forwarding was enabled. Still, thanks for the reminder.

For clarification, because there was some befuddlement as to why I wanted to SNAT between
two private networks:
We are part of a larger company (got purchased not too long ago). They want to access some of our servers. They provided a line and the 10.80.137.0/24 subnet with the request to map the first server they want to access to 10.80.137.1. My own internal network is 192.168.1.0/24,
so SNAT seemed to be the obvious solution. As a special quirk, the gateway machine to their network has a completely different address (public, I think) in its own little (/29) network, which is where the address of eth1 really is going to be.

If the NAT works I still need to configure some routing, but I think I can
do that on my own.

Again, after some modifications that didn't work, my current rule set and routes:
-------------------------------------
Netfilter/IPTABLES filter status:
-------------------------------------
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            192.168.1.195       state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        
-------------------------------------
Netfilter/IPTABLES nat status:
-------------------------------------
Chain PREROUTING (policy DROP 19 packets, 2708 bytes)
 pkts bytes target     prot opt in     out     source               destination        
    3   144 DNAT       all  --  eth1   *       0.0.0.0/0            10.80.137.1         to:192.168.1.195

Chain POSTROUTING (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 SNAT       all  --  *      eth1    192.168.1.195        0.0.0.0/0           to:10.80.137.1

Chain OUTPUT (policy ACCEPT 2 packets, 168 bytes)
 pkts bytes target     prot opt in     out     source               destination        
-------------------------------------

Ziel            Router          Genmask         Flags Metric Ref    Use Iface
172.16.28.48    *               255.255.255.248 U     0      0        0 eth1
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
10.80.137.0     *               255.255.255.0   U     0      0        0 eth1

I now use
  ip addr add 10.80.137.1/24 brd 10.80.137.255 dev eth1 label eth1:0
to add IPs to the interface.
de2Zotjes commented:
Ok, for some more silly remarks. Shouldn't you be using proxy-arp instead of assigning the nat address to your interface? I don't really have any rock solid reasoning for this, but I vaguely remember reading something to that effect...

So try the following:

remove all the extra addresses you put in.
echo "1" > /proc/sys/net/ipv4/conf/eth1/proxy_arp
arp -i eth1 -Ds 10.80.137.1 eth1 pub
e-tsik commented:
iptables -F
iptables -t nat -F
iptables -t mangle -F

#For requests to server :
iptables -t nat -A PREROUTING -i eth1 -d 10.80.137.1 -j DNAT --to 192.168.1.3
iptables -A FORWARD  -i eth1 -d 192.168.1.3 -m state --state NEW,INVALID,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -d 192.168.1.3 -m state --state NEW,INVALID,RELATED -j DROP

#For server's replies :
iptables -t nat -A POSTROUTING -s 192.168.1.3 -d 10.80.137.0/24 -j SNAT --to 10.80.137.1
iptables -A FORWARD  -s 192.168.1.3 -d 10.80.137.0/24 -m state --state NEW,INVALID,RELATED -j ACCEPT
iptables -A FORWARD  -s 192.168.1.3 -d 10.80.137.0/24 -m state --state NEW,INVALID,RELATED -j DROP
brabard commented:
e-tsik, I believe the previous post is a typing mistake ... :)
Caligostro, you said you tried all suggestions, but I can't see a big difference between the last and the first firewall.
Note that the core of mine is to use IP addresses instead of the physical interface in the PREROUTING and POSTROUTING chains.

e-tsik commented:
No it wasn't!

I added the states to the drop lines and changed them to NEW,INVALID,RELATED.
Can you try them again?
brabard commented:
No packet can reach the DROP target, because it will be matched by the ACCEPT target before.
I wonder how two different targets with one and the same matches will work???
e-tsik commented:
Hi

Brabard, you have a relatively easy issue, and it seems you're even halfway through solving it; the problem lies with the way you explain your situation.

If you would post your results of 'ifconfig' and 'route -n', then I think it would better explain the situation (to me).
*I promise* that you'll have it running if you post it :-)
Caligostro (author) commented:
The main problem turned out to be one of the NICs. Really interesting, it still responded to pings and was able to send them, but not much else ... Still, being a beginner with iptables I found your advice very valuable and helpful. Thanks to all of you for your trouble :-)
e-tsik commented:
Thanks!

For the benefit of the users who google to here, could you post your final working config?
0
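The working ruleset e-tsik asks for was never posted. As an added example that is not from any poster in this thread, here is a static 1:1 NAT script for the layout in the question (assumed: eth0/192.168.1.7 on the LAN, eth1/10.80.137.10 on the DMZ, server 192.168.1.3 published as 10.80.137.1), with the SNAT direction rmharwood questioned written the right way round and forwarding default-deny; the `run` wrapper, `DRY_RUN=1` and the `apply`/`dry-run` arguments are conventions of this script only.

```shell
#!/bin/sh
# Static 1:1 NAT for one LAN host (added example, not the poster's script).
# Assumed layout: LAN on eth0 (firewall 192.168.1.7), DMZ on eth1 (firewall
# 10.80.137.10), server 192.168.1.3 published to the DMZ as 10.80.137.1.
LAN_IF=eth0
EXT_IF=eth1
DS=192.168.1.3        # real address of 'server'
EXT_DS=10.80.137.1    # address the DMZ side talks to

# DRY_RUN=1 prints each command instead of executing it (no root needed).
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

static_nat_rules() {
    # Forwarding between the interfaces must be on, or nothing is routed at all.
    run sysctl -w net.ipv4.ip_forward=1
    # The firewall must answer ARP for the published address on the DMZ segment;
    # holding it as a secondary address on the DMZ interface is the simplest way.
    run ip addr add "$EXT_DS/24" dev "$EXT_IF" label "$EXT_IF:0"

    # Default-deny forwarding; only the rules below open paths.
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    run iptables -t nat -F

    # Inbound: rewrite the destination before routing. Match on the address,
    # not only the interface, so the rule keeps working if the uplink changes.
    run iptables -t nat -A PREROUTING -d "$EXT_DS" -j DNAT --to-destination "$DS"
    # Replies to DNAT'd connections are un-translated by conntrack on their own;
    # no SNAT rule is needed for them.
    run iptables -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -d "$DS" \
        -m conntrack --ctstate NEW -j ACCEPT

    # Outbound: only connections the server itself opens toward the DMZ need
    # SNAT, and the direction is real address -> published address.
    run iptables -t nat -A POSTROUTING -s "$DS" -o "$EXT_IF" -j SNAT --to-source "$EXT_DS"
    run iptables -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -s "$DS" \
        -m conntrack --ctstate NEW -j ACCEPT

    # Both directions: let return traffic of already accepted connections through.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

case "${1:-}" in
    apply)   static_nat_rules ;;
    dry-run) DRY_RUN=1 static_nat_rules ;;
esac
```

Check the result with `iptables -t nat -L -n -v` and `iptables -L FORWARD -n -v`: a DMZ client's connection should raise the DNAT counter and the FORWARD NEW counter, while the SNAT counter stays at zero until the server opens a connection itself.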