Topic: 1 to 1 NAT on SME 7

[Pajmon]

Hi

I am trying to do 1 to 1 NAT on SME 7.2. I use modified contrib from version 6 (i only take the iptables rules from that - rest i do myself). Have anyone tried do so?
I can't use port forwardin because i have more than one machine inside my LAN that would be threw the nat outside on the same port (for example 3389).
Here is what i done: (eth1 is my outside and eth0 is my lan)

/sbin/iptables --table nat --new-chain CustomNATin
/sbin/iptables --table nat --new-chain CustomNATout

/sbin/iptables --table nat --append PREROUTING -p all -j CustomNATin
/sbin/iptables --table nat --append POSTROUTING -p all -j CustomNATout

/sbin/iptables --table nat -A CustomNATin -d 212.x.x.10 -p tcp -m multiport --dport 3389,443 -j DNAT --to 192.168.10.10
/sbin/iptables --table nat -A CustomNATout -s 192.168.10.10 -j SNAT --to 212.x.x.10
/sbin/ip address add 212.x.x.10 dev eth1

/sbin/iptables --table nat -A CustomNATin -d 212.x.x.11 -p tcp -m multiport --dport 3389,443 -j DNAT --to 192.168.10.11
/sbin/iptables --table nat -A CustomNATout -s 192.168.10.11 -j SNAT --to 212.x.x.11
/sbin/ip address add 212.x.x.11 dev eth1

What i am doing wrong? There is something what shuld i do? When i add port forwarding on 3389 to 192.168.10.10 it works but i cant add this port to second machine!
Thanks for the reply and i really would be glad if someone look at this.
Pajmon

[mmccarn]

I have no help for you on 1-to-1 NAT, but I can say that I run multiple internal Remote Desktop hosts using simple port forwarding -

1) setup 5 hosts, 192.168.1.50 - .54, all running remote desktop
2) setup 5 port forwards:
  3350 -> 192.168.1.50:3389
  3351 -> 192.168.1.51.3389
  ...
  3354 -> 192.168.1.54:3389
3) Remote users can now access these hosts using Microsoft's remote desktop client by adding ":335x" to the end of the host name (public_ip:3350, for example).

Most services can be forwarded in this manner.

Have you added the extra IP addresses to your SME?  I think that in order to forward from 212...10 and 212...11 to internal hosts you will need to add both IPs to your SME's WAN interface.

[Pajmon]

Thanks for that but not exactly what i am looking for. But that help with some machines that i want to 1to1 nat with remote desktop.
But i have another one that should have stricty the same port for example 443 and another with different services running.

Thanks for your time and for help.

Best regards
Pajmon

[jfarschman]

Pajmon,

  I have some notes on doing this for 7.x.  I found it a bit tricky to setup so I made these notes in case I have to revisit this.  A word of warning... I haven't tested these notes... just wrote them after I built my first 7.x add-on interface.

If you need to add a second IP (alias) to your server:


Create the Network Configuration File Template

mkdir -p /etc/e-smith/templates-custom/etc/sysconfig/network-scripts
# this can also be used to create a 802.1q VLAN interface by using
# ifcfg-eth0.1 (.2, .3, etc.) and modifying the following fragment
# appropriately – use vconfig (man vconfig) as necessary
cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/esmith/
templates/etc/sysconfig/network-scripts/ifcfg-eth0\:0
cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/e-smith/templatescustom/
etc/sysconfig/network-scripts/ifcfg-eth0\:0

Edit the custom template for your network.

vi /etc/e-smith/templates-custom/etc/sysconfig/network-scripts/ifcfg-eth0\:0

It will look something like:

# Add a second (alias) IP address to eth0 (eth0:0)
TYPE=Ethernet
# use DEVICE=eth0.1 (.2, .3, etc.) for VLAN
DEVICE=eth0:0
USERCTL=no
ONBOOT=yes
PEERDNS=no
IPV6INIT=no
BOOTPROTO=none
# uncomment the following for VLAN
# VLAN=yes
# modify the following for your situation
IPADDR=192.168.1.2
NETMASK=255.255.255.0
NETWORK=192.168.1.0
BROADCAST=192.168.1.255

Expand the Template to Create the New Configuration File and Check the Result

/sbin/e-smith/expand-template /etc/sysconfig/network-scripts/ifcfg-eth0:0
cat /etc/sysconfig/network-scripts/ifcfg-eth0:0

Restart Networking and Check the New Interface

service network restart
ifconfig

Inform SME Server of the New Network
If necessary, use the Server Manager to enable the new network or subnetwork. (Local Networks) This would not be necessary if you simply gave the NIC another IP from the already-configured local network for some reason......

   Apparently my notes trailed off here.  I must have lots interest.  I hope this helps.

[Pajmon]

Hi,

Sorry for long answer.
THX for your reply but that isn't that what i am looking for i think.
Its add second alias IP to my external card but nothing else. I want to redirect traffic that is going to my secend external IP to machine on my LAN. (for example remote desktop) but i don't want to change my port. So port forwarding it's not for me.
This iptables rules works only when i add to my local networks hole network from my external IP but when i do that communication with that network stopped (except this host that i have 1 to 1 nat done).
For exapmle i have this configuration: (i change the real IP addresses)
LAN IP: 10.10.10.1
WAN IP: 172.16.16.1
I want to acchive to nat local adres 10.10.10.10 to be seen on Internet as 172.16.16.10 (1 to 1 NAT).
When i add iptables rule from my first post its nothing....i can see that my external card have this another address, i can ping him but its not redirecting my traffic to host on my LAN. But when i add to local networks on server manager network 172.16.16.0 /24 my 1 to 1 nat works but everything else not working. Users cant contact to serwers on my 172.16.16.0/24 network exept that host 172.16.16.10.
I think that i describe all. If someone do this 1 to 1 NAT or know the answer pls help.

Best regards

[CharlieBrady]

I am trying to do 1 to 1 NAT on SME 7.2. I use modified contrib from version 6 ...

Your post is off-topic for this forum. You should have posted to the Contribs forum.

[CharlieBrady]

I have some notes on doing this for 7.x.

Please post your notes in the Bug Tracker, against the relevant New Feature Request (or create a new one if you can't find a matching one).

[byte]

Moving this topic to the SME 7.x contribs forum, it is more appropriate there. Thanks!

[arne]

Pajmon ->

I think there is a some kind of misunderstanding in this tread. (..and if not, I am the one that does the misunderstanding.)

As I read your original question the only thing you actually ask for is an ordinary port forwarding (??!!).

This is a standard function on the server-manager panel, so no modification should be required.

Se text "security" and then - "port forwarding".

I had to think a little bit - what is 1 to 1 NAT, 1 to 1 network address tranlation, and thinking it over, I belive this should be only a ordinary port forwarding. (An the "translation" is performed as the packets arrive at the external port and get their destination address revritten or tranlated to the actual local address.)

Right .. or is it something else ?

[frederikbay]

Hi

I had this working on an older SME 6 a while ago.

1 to 1 NAT is an Extra External IP on the WAN of your SME server where all ports (just the ones you define in iptables) are forwarded to an internal IP.

Say you want a win2003 server to host some webpages, but you can't forward port 80, because you use that on your SME - then 1 to 1 Nat is usefull, because the sme simply forwards the request to the internal winserver.

SME WAN is 10.0.0.1 and 10.0.0.2

where 10.0.0.2 is forwarded to an internal IP say 192.168.1.2

Hope this explains it a little bit.

Have been thinking about trying to make a contrib for this with a panel in server-manager, but the server-manager bit is way out into the future - haven't gotten around to learning Perl yet, and haven't tried  to make it work on SME 7 yet.

[raem]

frederikbay

Have been thinking about trying to make a contrib for this with a panel in server-manager, but the server-manager bit is way out into the future - haven't gotten around to learning Perl yet, and haven't tried  to make it work on SME 7 yet.

Well, more fundamentally important is creating the code, ideally with db commands to configure it.
We don't really need a server manager panel to make a few db settings.
The server manager panel is really straightforward anyway once the code is developed.

Please do any development work in the devinfo mail list and/or in a suitable bug report you open, as you will get assistance from very clever developers there.

[CharlieBrady]

I had to think a little bit - what is 1 to 1 NAT, 1 to 1 network address tranlation, and thinking it over, I belive this should be only a ordinary port forwarding.

I'm quite surprised that you would say that. A little time with google will reveal to you that 1 to 1 NAT and port forwarding are quite different.

[Pajmon]

Ok thx for all replies.
I can see that no one have done it on SME 7.X. You have right i can't use port forwarding (I now that functionality) i must use 1 to 1 NAT.
I use version 5.6 and that's work... i want to install new version 7.3 but i make tests and that's not working so i stay on older version for a while
Thanks to all and for patience -> especially for moderators (thx guys).

[arne]

Yes, I was wrong, and I did not read the initial script slow enough, so I did not see that it was a mapping between two external ip's and two internal ip's that should be able to connect to the same ports.

Exsample:

212.x.x.11:80 <-> 192.168.10.11:80

212.x.x.10:80 <-> 192.168.10.10:80

(Right ??)

I think this problem can be solved in the one way or the other.

Might have some ideas.. (If interested to make some tests.)

[Pajmon]

Yes you have right
If you have any ideas i am interested to do some tests.
I think that some iptables rule or rules are blocking this nat. In iptables log i see that my request are blocking by some rule.

Best regards
Pajmon