[Firewall] Help setting up NAT

Nathan Ekstrom nathan+arno at whiteboxdev.com
Tue Aug 28 02:10:07 CEST 2012


Thanks for your help Lonnie.  Your tips finally put me on the right track to
what I wanted which turned out to be just the two lines below

# SNAT: new connections from 192.168.1.13 leave eth0 as 55.55.55.98
ip4tables -t nat -A POSTROUTING -s 192.168.1.13/32 -o eth0 -j SNAT --to 55.55.55.98
# DNAT: anything arriving on eth0 for 55.55.55.98 is sent to 192.168.1.13
ip4tables -t nat -A PREROUTING -d 55.55.55.98 -i eth0 -j DNAT --to 192.168.1.13

Obviously I probably want to limit what ports are allowed through rather
than all of them but this is the start I needed.


On Fri, Aug 24, 2012 at 3:42 PM, Lonnie Abelbeck
<lists at lonnie.abelbeck.com> wrote:

> Nathan,
>
> > Does that also make it so that outbound traffic initiated by
> 192.168.1.13 look like it is from 55.55.55.98?  Or do I need to do
> something else for that?
>
> Of course replies to inbound requests would use 55.55.55.98, but new
> connections initiated by 192.168.1.13 would appear via the default route's
> via address. (ip route)
>
> I can't think of an AIF variable or plugin that would do this simply.  If
> you really need that feature editing
> "/etc/arno-iptables-firewall/custom-rules" with something like: (Note:
> untested)
>
> -- /etc/arno-iptables-firewall/custom-rules --
> net="192.168.1.13/32"
> static_ip="55.55.55.98"
> unset IFS
> for interface in $EXT_IF; do
>   for dport in 80; do
>     echo "[CUSTOM RULE] SNAT $net to $static_ip for TCP $dport"
>     ip4tables -t nat -A NAT_POSTROUTING_CHAIN -o $interface -s $net ! -d $net -p tcp --dport $dport -j SNAT --to-source $static_ip
>   done
> done
> --
> Together with:
> --
> NAT_FORWARD_TCP="55.55.55.98#0/0~80>192.168.1.13"
> --
>
> PLEASE if anyone has a better solution, please correct me. :-)
>
>
> > Also do I need to list all of my external addresses in my EXT_IF
> variable? Or assign them all to the external interface?
>
> Your EXT_IF="eth0" (external interface) is all you need.  You may need to
> add alias addresses for each on eth0 (:1, :2, etc) outside of the firewall.
>
> Lonnie
>
>
> On Aug 24, 2012, at 3:20 PM, Nathan Ekstrom wrote:
>
> > Thanks Lonnie,
> >
> > That helps.  Does that also make it so that outbound traffic initiated
> by 192.168.1.13 looks like it is from 55.55.55.98?  Or do I need to do
> something else for that?
> >
> > On Fri, Aug 24, 2012 at 11:06 AM, Lonnie Abelbeck <
> lists at lonnie.abelbeck.com> wrote:
> > Hi Nathan,
> >
> > The variables NAT_FORWARD_TCP, NAT_FORWARD_UDP and NAT_FORWARD_IP are
> what you want.  A couple examples should get you going.
> >
> > NAT Forward packets to 55.55.55.98 from 0/0 (anyhost) into the internal
> 192.168.1.13 host for TCP port 80 (HTTP)
> > --
> > NAT_FORWARD_TCP="55.55.55.98#0/0~80>192.168.1.13~80"
> > -- or --
> > NAT_FORWARD_TCP="55.55.55.98#0/0~80>192.168.1.13"
> > --
> >
> > NAT Forward packets to 55.55.55.100 from 0/0 (anyhost) into the internal
> 192.168.1.14 host for TCP ports 80 and 443 (HTTP & HTTPS)
> > --
> > NAT_FORWARD_TCP="55.55.55.100#0/0~80,443>192.168.1.14"
> > --
> >
> > Lonnie
> >
> >
> >
> > On Aug 24, 2012, at 11:16 AM, Nathan Ekstrom wrote:
> >
> > > I have a 16 address subnet of static ip addresses from my ISP.  I
> would like to use some of them and have certain machines on an internal
> network look like they have a public ip address.  Attached is a diagram of
> my network.
> > >
> > > All internal network interfaces have addresses in the 192.168.1
> subnet. The static ip addresses that I can use are in a range similar to
> 55.55.55.98-110 while my linux router/firewall running the arno firewall
> scripts is given an address like 56.56.56.52 for its external ip address
> from my ISP.  I've done a tcpdump of the firewall's external adapter and
> know that it is getting packets for addresses in my public subnet I'm just
> having issues figuring out all the NAT rules.
> > >
> > > I would appreciate any help, links to tutorials, suggested books,
> pretty much anything at this point as everything I've found and tried has
> failed.
> > >
> > > Thanks
> > >
> > >
> > > <Network_Layout.jpg>
>
> _______________________________________________
> Firewall mailing list
> Firewall at rocky.eld.leidenuniv.nl
> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl
>
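A worked version of the two rules Nathan ended up with, narrowed to specific TCP ports as he says he would want, and with the FORWARD accept that a DNAT needs to be reachable. This is an added example written for this page; it is not code from the thread or from Arno's firewall scripts, and it uses plain iptables rather than the AIF ip4tables wrapper and NAT_POSTROUTING_CHAIN that Lonnie's custom-rules fragment uses. It assumes eth0 as the external interface and reuses the thread's addresses; the function names are hypothetical. The commands are printed, not run, unless APPLY=1 is set and you are root.

```shell
#!/bin/sh
# Added example for this page, not code from the thread or from Arno's
# firewall scripts. Builds 1:1 NAT for one internal host mapped to one
# public alias address, with inbound DNAT limited to a TCP port list.
# Assumptions: external interface eth0 (hypothetical), addresses as in the
# thread. Rules are printed rather than applied unless APPLY=1 is set.

EXT_IF="eth0"

# Usage: nat_rules PUBLIC_IP INTERNAL_IP "PORT [PORT ...]"
# Prints one iptables command per line, in the order they should be added:
#  - a PREROUTING DNAT plus a matching FORWARD accept for each listed port,
#    so only those ports reach the internal host from outside
#  - a POSTROUTING SNAT so new connections from the host leave as PUBLIC_IP
# Rejects a non-numeric port instead of emitting a broken rule.
nat_rules() {
    pub="$1"
    int="$2"
    ports="$3"
    for p in $ports; do
        case "$p" in
            ''|*[!0-9]*) echo "nat_rules: bad port '$p'" >&2; return 1 ;;
        esac
        echo "iptables -t nat -A PREROUTING -i $EXT_IF -d $pub/32 -p tcp --dport $p -j DNAT --to-destination $int"
        echo "iptables -A FORWARD -i $EXT_IF -d $int/32 -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $int/32 -j SNAT --to-source $pub"
}

# Usage: rule_count PUBLIC_IP INTERNAL_IP "PORTS"
# Number of commands nat_rules would emit (2 per port + 1 SNAT).
rule_count() {
    nat_rules "$@" | wc -l | tr -d ' '
}

# Usage: apply_rules PUBLIC_IP INTERNAL_IP "PORTS"
# Dry-run by default; with APPLY=1 each command is executed.
apply_rules() {
    nat_rules "$@" | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = "1" ]; then
            $cmd
        else
            echo "$cmd"
        fi
    done
}

# Demo on the thread's addresses: HTTP and HTTPS only.
apply_rules 55.55.55.98 192.168.1.13 "80 443"
```

The SNAT rule applies to every new outbound connection from the host, as in Nathan's version, while inbound exposure is limited to the ports listed; replies in either direction are handled by conntrack and need no extra rule. In an AIF installation the same rules belong in /etc/arno-iptables-firewall/custom-rules using the ip4tables wrapper and the AIF chains, with NAT_FORWARD_TCP covering the inbound side as Lonnie described.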