Topic: 1-to-1 NAT and SME7

[jfarschman]

Hello,

  I've been working on adding a second IP to my SME7pre1 server.  Thankfully, I found the 1-to-1 NAT contrib by Abe, Chris Watkins and Mark Drone.  It works great on SME6, but maybe it's a kernel difference or maybe it's an ignorant mistake...  SME7 is giving me trouble.

The background: Wiki has a nice howto show below and at the bottom is snippet from my /etc/rc.d/init.d/masq file.  I'm trying to get FTP working, but I'm failing.  I've tried to connect with other ports, but I also fail.

iptraf shows that the connection is made if I ping, or ftp or http, but it's like ther response is either corrupted or non-existent because the next step never really happens.  For instance... Windows command line ftp simpley shows "Connection closed by remote host."

Thanks in advance for any suggestions... even where to look for help on this one.

HOW-TO
http://no.longer.valid/phpwiki/index.php/How%20to%20have%202%20public%20ip%27s%20on%20external%20NIC%20and%20route%20it%20to%20a%20piece%20of%20hardware%20on%20your%20local%20network

NOTE: I've changed the IP Addresses.

Code: [Select]


#Make new chains
    /sbin/iptables --table nat --new-chain CustomNATin
    /sbin/iptables --table nat --new-chain CustomNATout

# Apply chains to the pre and post routing chains
    /sbin/iptables --table nat --append PREROUTING -p all -j CustomNATin
    /sbin/iptables --table nat --append POSTROUTING -p all -j CustomNATout

# Apply all rules for incoming packets to be NATted
    /sbin/iptables -t nat --append CustomNATin -d 64.76.10.219 -p all -j DNAT --to 192.168.50.19

# Apply all rules for outgoing packets to be NATted
    /sbin/iptables -t nat --append CustomNATout -s 192.168.50.19 -j SNAT --to 64.76.10.219

 /sbin/iptables -A FORWARD -j ACCEPT

ip address add 64.76.10.219 dev eth1



[CharlieBrady]

 I've been working on adding a second IP to my SME7pre1 server.

First of all, why? That'll help people to provide full answers.

Thankfully, I found the 1-to-1 NAT contrib by Abe, Chris Watkins and Mark Drone.

I guess you know this, but that is trying to solve a different issue.

 I'm trying to get FTP working, but I'm failing.

FTP is a tougher protocol than most to get through firewalls, because it uses two TCP connections, and the second can be either inbound or outbound, depending on the connecting client.

Can you avoid using FTP? FTP is best avoided.

[jfarschman]

Sorry... I did not really explain.

This SME7pre1 is acting as the gateway for a small school district.

We need to have access to the SME Server via FTP, but we also need a government agency to have ftp access to a server on the inside.  So I think we need two IP Addresses.  The 1-to-1 Nat should forward everything to this inside machine.

Can I avoid FTP?  Only if the school can give up on federal money.  I wouldn't be doing this but it's a Government requirement.

[calisun]

I have a same situation, here is what I did to work it.
I have one IP
In SME gateway, I did port forward:
Source Port: 31     Destination Host IP Address:192.168.1.200    Destination Port:21
on the inside I have a Mac server on which I have it running FTP in passive mode and I set up passive port to: 20000
And also on my SME gateway I have forwarded port: 20000 to my Mac server.

So now if anybody wants to FTP my SME server they use port 21, and if they want to FTP my Mac server, they use port: 31

The problem in your situation might be that I am not sure if you are able to setup SME server to run in passive mode and if you are able to specify passive port.

Good luck

[jfarschman]

Calisun,

  I'm going to see if I can figure the correct setting for the 1-1 NAT, but if that doesn't work I think I'll need to do something fundamentally diferent with the FTP server.

  Working with alternate ports may not be possible.  But we will see.  Thanks for the help.

[calisun]

If the government needs to use port 21 to the internal server, you can try to  disable FTP on your gateway server and forward port 21 to the internal server.
And the people that need to FTP gateway server, they can use sftp which uses port 22.
But you still might have problem if you are not able to configure SME server to run in passive mode and if you can't set passive port.
That is why I have MAC Xserver, very flexible and very easy to configure.

[calisun]

Actually when you think about it Mac OsX is UNIX and Linux is UNIX, so if you can make that change in Mac, you should be able to make it also in Linux. It might not be as easy as Mac, it might require you to do a lot Googling and a lot of reading, but if there is a will, there is a way.

Good Luck