Caligostro

asked on

Static NAT w/ iptables problem

Hello,

I'm trying to set up a firewall to do static NAT between two networks:

   internal network
    192.168.1.0/24

   server 192.168.1.3
       |
     LAN_IF 192.168.1.7
    Firewall
     EXT_IF 10.80.137.1, 10.80.137.10
       |
      DMZ
    10.80.137.0/24

'server' should be reachable from the DMZ by talking to 10.80.137.1. That
address has no other purpose.
Default policies are currently ACCEPT. All the tables have been cleared before
I installed the rules posted below.
Testing is done by connecting a dedicated computer to each interface and trying
to reach the one on the internal net from the DMZ. The firewall can reach each
computer and each computer can reach the firewall (ping).

My rules so far don't work. I can not reach 'server' by talking to 10.80.137.1
on the external IF of the Firewall. Any idea why?

I hope that the two networks both being private networks does not create a problem
here.

------------------------------------------------
ifconfig eth1 add 10.80.137.1 netmask 255.255.255.0

echo "Clearing current rules ..."
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# LAN: 192.168.1.0/24
LAN_IF=eth0
# EXT: 10.80.137.0/24
EXT_IF=eth1

# 'server':
EXT_DS=10.80.137.1
DS=192.168.1.195

IPTABLES=/sbin/iptables

# (Connections originating from the DMZ)
$IPTABLES -t nat -A PREROUTING -d $EXT_DS -i $EXT_IF -j DNAT --to-destination $DS
$IPTABLES -A FORWARD -p all -i $EXT_IF -o $LAN_IF -d $DS -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -t filter -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT

# (Connections originating from internal)
$IPTABLES -t nat -A POSTROUTING -s $EXT_DS -o $EXT_IF -j SNAT --to-source $DS
$IPTABLES -A FORWARD -t filter -i $LAN_IF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

------------------------------------------------

Thanks in advance
  Markus

---------------------------------------------------------------------------------
| Dipl. Inform. Markus Trümper             |                                    |
|                                          | Daewoo Automobile Deutschland GmbH |
| email:   m.truemper@daewoo-automobile.de | Lindenstraße 110                   |
| www:     http://www.daewoo-automobile.de | 28755 Bremen                       |
| Telefon: +49 (0)421 668-4138             | Germany                            |
| Fax:     +49 (0)421 668-4192             |                                    |
---------------------------------------------------------------------------------
de2Zotjes

Silly question, but did you enable ip-forwarding?

to get current state:
cat /proc/sys/net/ipv4/ip_forward

to set forwarding on:
echo 1 > /proc/sys/net/ipv4/ip_forward
rmharwood

Your "diagram" shows your server on 192.168.1.3 but your script has it as 192.168.1.195

Which is the correct one?

Plus, the first rule under "Connections originating from internal", shouldn't you be source-NAT'ing from $DS to $EXT_DS ?

Or maybe I'm completely misunderstanding :)
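A corrected rule set along the lines rmharwood describes, added here as an example and not taken from the thread: the SNAT rule matches the server's real address and writes the DMZ alias (the original had the two swapped), forwarding is switched on, the alias is added with `ip addr`, the nat chains keep an ACCEPT policy, and new connections from the DMZ are limited to a short TCP port list instead of the `-p all` DNAT plus `-p all` FORWARD accept of the original, which would expose every service on the server to the DMZ. Interface names and addresses follow the post; the port list (22, 80, 443) and the dry-run switch (`IPTABLES=echo`, `IP=echo`) are assumptions made here so the generated rules can be reviewed without root.

```shell
#!/bin/sh
# Added example (not the poster's script): one-to-one static NAT between the
# DMZ-facing alias 10.80.137.1 and the internal server. Addresses and interface
# names follow the thread; ALLOWED_TCP and the echo dry-run are assumptions.

IPTABLES=${IPTABLES:-/sbin/iptables}
IP=${IP:-/sbin/ip}
LAN_IF=${LAN_IF:-eth0}                 # 192.168.1.0/24 side
EXT_IF=${EXT_IF:-eth1}                 # 10.80.137.0/24 (DMZ) side
EXT_DS=${EXT_DS:-10.80.137.1}          # address the DMZ uses for the server
DS=${DS:-192.168.1.195}                # real address of the server
ALLOWED_TCP=${ALLOWED_TCP:-22 80 443}  # assumption: only these services are exposed

enable_forwarding() {
  # Nothing crosses the box until this is set.
  echo 1 > /proc/sys/net/ipv4/ip_forward
}

add_alias() {
  # The NAT address has to be answered for (ARP) on the DMZ segment; an alias does that.
  $IP addr add "$EXT_DS/24" brd + dev "$EXT_IF" label "${EXT_IF}:0"
}

flush_rules() {
  for t in filter nat mangle; do
    $IPTABLES -t "$t" -F
    $IPTABLES -t "$t" -X
  done
  # nat chains only rewrite addresses; keep their policies ACCEPT and filter in FORWARD
  for c in PREROUTING POSTROUTING OUTPUT; do
    $IPTABLES -t nat -P "$c" ACCEPT
  done
  $IPTABLES -P FORWARD DROP
}

static_nat_rules() {
  # DMZ -> server: rewrite the destination before the routing decision
  $IPTABLES -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_DS" -j DNAT --to-destination "$DS"
  # server -> DMZ: rewrite the source after routing; matches DS, writes EXT_DS
  $IPTABLES -t nat -A POSTROUTING -o "$EXT_IF" -s "$DS" -j SNAT --to-source "$EXT_DS"

  # replies of accepted connections in either direction; drop what conntrack cannot place
  $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A FORWARD -m state --state INVALID -j DROP
  # new connections from the DMZ: only to the server and only the listed TCP ports
  for port in $ALLOWED_TCP; do
    $IPTABLES -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -p tcp -d "$DS" --dport "$port" \
      -m state --state NEW -j ACCEPT
  done
  # new connections the server itself opens towards the DMZ
  $IPTABLES -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -s "$DS" -m state --state NEW -j ACCEPT
}

case "${1:-}" in
  apply) enable_forwarding; add_alias; flush_rules; static_nat_rules ;;
  show)  IPTABLES=echo; IP=echo; add_alias; flush_rules; static_nat_rules ;;
esac
```

`sh nat.sh show` prints the commands it would run; `sh nat.sh apply` installs them as root. Both nat rules are needed even if only the DMZ ever initiates: conntrack un-rewrites the replies of a DNATed connection on its own, but the POSTROUTING SNAT is what lets the server open its own connections into the DMZ while appearing as 10.80.137.1.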
SOLUTION
e-tsik

ASKER CERTIFIED SOLUTION

ASKER

Sorry, the problem persists. Thanks for all suggestions so far, I tried them all. But the problem persists. And yes, IP-forwarding was enabled. Still, thanks for the reminder.

For clarification, because there was some befuddlement as to why I wanted to SNAT between
two private networks:
We are part of a larger company (got purchased not too long ago). They want to access some of our servers. They provided a line and the 10.80.137.0/24 subnet with the request to map the first server they want to access to 10.80.137.1. My own internal network is 192.168.1.0/24,
so SNAT seemed to be the obvious solution. As a special quirk, the gateway machine to their network has a completely different address (public, I think) in its own little (/29) network, which is where the address of eth1 really is going to be.

If the NAT works I still need to configure some routing, but I think I can
do that on my own.

Again, after some modifications that didn't work, my current rule set and routes:
-------------------------------------
Netfilter/IPTABLES filter status:
-------------------------------------
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            192.168.1.195       state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        
-------------------------------------
Netfilter/IPTABLES nat status:
-------------------------------------
Chain PREROUTING (policy DROP 19 packets, 2708 bytes)
 pkts bytes target     prot opt in     out     source               destination        
    3   144 DNAT       all  --  eth1   *       0.0.0.0/0            10.80.137.1         to:192.168.1.195

Chain POSTROUTING (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 SNAT       all  --  *      eth1    192.168.1.195        0.0.0.0/0           to:10.80.137.1

Chain OUTPUT (policy ACCEPT 2 packets, 168 bytes)
 pkts bytes target     prot opt in     out     source               destination        
-------------------------------------

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.28.48    *               255.255.255.248 U     0      0        0 eth1
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
10.80.137.0     *               255.255.255.0   U     0      0        0 eth1

I now use
  ip addr add 10.80.137.1/24 brd 10.80.137.255 dev eth1 label eth1:0
to add IPs to the interface.
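The counters in the dump above already narrow the problem down: three packets hit the DNAT rule, yet no FORWARD rule and not even the FORWARD chain's DROP policy counted anything, so the rewritten packets never reached the forwarding path at all, and 19 packets were dropped by the DROP policy of the nat PREROUTING chain (the nat table is only meant to rewrite; its policies are normally left ACCEPT). The script below, added here as an example and not part of the thread, reads `iptables -L -v -n` style output and makes that comparison automatically. The two dumps are the ones posted above, embedded as constructed input; the parsing and the verdict wording are this script's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): compare iptables -v counters to find
# where packets stop. Dumps below are the ones posted in the thread, embedded
# as sample input; replace them with live output to use the script.

EXT_IF=${EXT_IF:-eth1}

FILTER_DUMP='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            192.168.1.195       state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'

NAT_DUMP='Chain PREROUTING (policy DROP 19 packets, 2708 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   144 DNAT       all  --  eth1   *       0.0.0.0/0            10.80.137.1         to:192.168.1.195

Chain POSTROUTING (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      eth1    192.168.1.195        0.0.0.0/0           to:10.80.137.1

Chain OUTPUT (policy ACCEPT 2 packets, 168 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# rule_hits CHAIN [TARGET]: sum of the packet counters of the rules in CHAIN
# (only rules with the given target if one is named), dump on stdin
rule_hits() {
  awk -v want="$1" -v target="${2:-}" '
    $1 == "Chain" { cur = $2; next }
    cur == want && $1 ~ /^[0-9]+$/ && (target == "" || $3 == target) { sum += $1 }
    END { print sum + 0 }'
}

# chain_policy CHAIN: prints "POLICY COUNT" of a built-in chain, dump on stdin
chain_policy() {
  awk -v want="$1" '$1 == "Chain" && $2 == want { print $4, $5 + 0 }'
}

# diagnose FILTER_DUMP NAT_DUMP: prints findings; returns 1 when DNAT rewrote
# packets that the FORWARD chain never saw (a routing/forwarding/NIC problem,
# not a filter-rule problem)
diagnose() {
  dnat=$(printf '%s\n' "$2" | rule_hits PREROUTING DNAT)
  fwd=$(printf '%s\n' "$1" | rule_hits FORWARD)
  fwd_pol=$(printf '%s\n' "$1" | chain_policy FORWARD)
  nat_pol=$(printf '%s\n' "$2" | chain_policy PREROUTING)

  echo "nat PREROUTING: DNAT rewrote $dnat packet(s); policy ${nat_pol%% *} hit ${nat_pol#* } time(s)"
  echo "filter FORWARD: rules matched $fwd packet(s); policy ${fwd_pol%% *} hit ${fwd_pol#* } time(s)"
  if [ "${nat_pol%% *}" = DROP ] && [ "${nat_pol#* }" -gt 0 ]; then
    echo "finding: the nat table is dropping packets; keep nat policies ACCEPT and filter in FORWARD"
  fi
  if [ "$dnat" -gt 0 ] && [ "$fwd" -eq 0 ] && [ "${fwd_pol#* }" -eq 0 ]; then
    echo "verdict: rewritten packets never entered FORWARD; check ip_forward, the routes and the $EXT_IF NIC before the filter rules"
    return 1
  fi
  echo "verdict: packets reach FORWARD; the filter rules decide"
  return 0
}

# Run against the posted dumps; for a live box use
#   diagnose "$(iptables -L -v -n)" "$(iptables -t nat -L -v -n)"
diagnose "$FILTER_DUMP" "$NAT_DUMP" || :
```

Reading counters this way is the first thing to do before touching rules: a DNAT hit with an untouched FORWARD policy counter means the packet left netfilter between PREROUTING and FORWARD, which is where routing, rp_filter and the hardware live, and in this thread the NIC turned out to be the culprit.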
Ok, for some more silly remarks. Shouldn't you be using proxy-arp instead of assigning the nat address to your interface? I don't really have any rock solid reasoning for this, but I vaguely remember reading something to that effect...

So try the following:

remove all the extra addresses you put in.
echo "1" > /proc/sys/net/ipv4/conf/eth1/proxy_arp
arp -i eth1 -Ds 10.80.137.1 eth1 pub

 
SOLUTION

SOLUTION
No it wasn't!

I added the states to the drop lines and changed them to NEW,INVALID,RELATED.
Can you try them again?
Not one packet can reach the DROP target, because it will be matched by the ACCEPT target before.
I wonder how two different targets with one and the same matches will work???
Hi

Brabard, you have a relatively easy issue, and it seems you're even half way through solving it, the problem lies with the way you explain your situation.

If you would post your results of 'ifconfig' and 'route -n', then I think it would better explain the situation (to me).
*I promise* that you'll have it running if you post it :-)
The main problem turned out to be one of the NICs. Really interesting, it still responded to pings and was able to send them, but not much else ... Still, being a beginner with iptables I found your advice very valuable and helpful. Thanks to all of you for your trouble :-)
Thanks!

For the benefit of the users who google to here, could you post your final working config?