[Firewall] Help setting up NAT

Lonnie Abelbeck lists at lonnie.abelbeck.com
Fri Aug 24 23:42:06 CEST 2012


Nathan,

> Does that also make it so that outbound traffic initiated by 192.168.1.13 looks like it is from 55.55.55.98?  Or do I need to do something else for that?

Of course replies to inbound requests would use 55.55.55.98, but new connections initiated by 192.168.1.13 would appear via the default route's via address. (ip route)

I can't think of an AIF variable or plugin that would do this simply.  If you really need that feature, try editing "/etc/arno-iptables-firewall/custom-rules" with something like this: (Note: untested)

-- /etc/arno-iptables-firewall/custom-rules --
net="192.168.1.13/32"        # internal host whose outbound traffic should be SNAT'ed
static_ip="55.55.55.98"      # public address it should appear to come from
unset IFS                    # AIF may have set IFS=','; restore default word splitting
for interface in $EXT_IF; do
  for dport in 80; do        # destination ports to rewrite; add more here if needed
    echo "[CUSTOM RULE] SNAT $net to $static_ip for TCP $dport"
    # ip4tables and NAT_POSTROUTING_CHAIN are AIF's wrapper and nat-table chain
    ip4tables -t nat -A NAT_POSTROUTING_CHAIN -o $interface -s $net ! -d $net -p tcp --dport $dport -j SNAT --to-source $static_ip
  done
done
--
Together with:
--
NAT_FORWARD_TCP="55.55.55.98#0/0~80>192.168.1.13"
--

PLEASE if anyone has a better solution, please correct me. :-)


> Also do I need to list all of my external addresses in my EXT_IF variable? Or assign them all to the external interface?

Your EXT_IF="eth0" (external interface) is all you need.  You may need to add alias addresses for each on eth0 (:1, :2, etc) outside of the firewall.

Lonnie


On Aug 24, 2012, at 3:20 PM, Nathan Ekstrom wrote:

> Thanks Lonnie,
> 
> That helps.  Does that also make it so that outbound traffic initiated by 192.168.1.13 looks like it is from 55.55.55.98?  Or do I need to do something else for that?
> 
> On Fri, Aug 24, 2012 at 11:06 AM, Lonnie Abelbeck <lists at lonnie.abelbeck.com> wrote:
> Hi Nathan,
> 
> The variables NAT_FORWARD_TCP, NAT_FORWARD_UDP and NAT_FORWARD_IP are what you want.  A couple examples should get you going.
> 
> NAT Forward packets to 55.55.55.98 from 0/0 (anyhost) into the internal 192.168.1.13 host for TCP port 80 (HTTP)
> --
> NAT_FORWARD_TCP="55.55.55.98#0/0~80>192.168.1.13~80"
> -- or --
> NAT_FORWARD_TCP="55.55.55.98#0/0~80>192.168.1.13"
> --
> 
> NAT Forward packets to 55.55.55.100 from 0/0 (anyhost) into the internal 192.168.1.14 host for TCP ports 80 and 443 (HTTP & HTTPS)
> --
> NAT_FORWARD_TCP="55.55.55.100#0/0~80,443>192.168.1.14"
> --
> 
> Lonnie
> 
> 
> 
> On Aug 24, 2012, at 11:16 AM, Nathan Ekstrom wrote:
> 
> > I have a 16 address subnet of static IP addresses from my ISP.  I would like to use some of them and have certain machines on an internal network look like they have a public IP address.  Attached is a diagram of my network.
> >
> > All internal network interfaces have addresses in the 192.168.1 subnet. The static IP addresses that I can use are in a range similar to 55.55.55.98-110, while my Linux router/firewall running the arno firewall scripts is given an address like 56.56.56.52 for its external IP address from my ISP.  I've done a tcpdump of the firewall's external adapter and know that it is getting packets for addresses in my public subnet; I'm just having issues figuring out all the NAT rules.
> >
> > I would appreciate any help, links to tutorials, suggested books, pretty much anything at this point as everything I've found and tried has failed.
> >
> > Thanks
> >
> >
> > <Network_Layout.jpg>
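To make the two halves of Lonnie's reply concrete, here is an added stand-alone script (not from the thread or from the arno-iptables-firewall project) that expands a NAT_FORWARD_TCP entry of the form shown above into the plain iptables DNAT rule it stands for, and pairs it with the outbound SNAT rule for the same host. It assumes the "EXT_IP#SOURCE~PORTS>INT_IP[~INT_PORT]" syntax exactly as in the examples, eth0 as the external interface, and only prints the commands rather than applying them; unlike Lonnie's port-80-only custom rule it SNATs all traffic the internal host originates.

```shell
#!/bin/sh
# Constructed assumption: the external interface is eth0, as in Lonnie's reply.
EXT_IF="eth0"

# nat_forward_rules ENTRY
# Prints the iptables commands equivalent to one NAT_FORWARD_TCP entry plus the
# matching SNAT rule, so the inbound and outbound halves can be reviewed together.
nat_forward_rules() {
  entry="$1"
  ext_ip="${entry%%#*}"      # public address before '#'
  rest="${entry#*#}"
  src="${rest%%~*}"          # permitted source before '~' (0/0 = any host)
  rest="${rest#*~}"
  ports="${rest%%>*}"        # comma-separated external TCP ports before '>'
  dest="${rest#*>}"          # internal host, optionally followed by ~port
  case "$dest" in
    *~*) int_ip="${dest%%~*}"; int_port="${dest#*~}" ;;
    *)   int_ip="$dest";       int_port="" ;;
  esac

  # Split the port list on ',' without disturbing IFS for the rest of the script.
  oldifs="$IFS"; IFS=','
  set -- $ports
  IFS="$oldifs"

  # Inbound half: one DNAT rule per external port. Without "~port" the original
  # destination port is preserved, which is why "~80>192.168.1.13" works.
  for dport in "$@"; do
    if [ -n "$int_port" ]; then to="$int_ip:$int_port"; else to="$int_ip"; fi
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -s $src -d $ext_ip -p tcp --dport $dport -j DNAT --to-destination $to"
  done

  # Outbound half: connections the internal host opens itself leave with the
  # same public address instead of the router's default external address.
  echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $int_ip/32 ! -d $int_ip/32 -j SNAT --to-source $ext_ip"
}

# Example run on the two entries from the thread.
nat_forward_rules '55.55.55.98#0/0~80>192.168.1.13~80'
nat_forward_rules '55.55.55.100#0/0~80,443>192.168.1.14'
```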


