Koozali.org: home of the SME Server

1 to 1 NAT on SME 7

Pajmon
1 to 1 NAT on SME 7
« on: August 31, 2007, 10:43:59 AM »
Hi

I am trying to do 1 to 1 NAT on SME 7.2. I use a modified contrib from version 6 (I only take the iptables rules from that; the rest I do myself). Has anyone tried to do so?
I can't use port forwarding because I have more than one machine inside my LAN that would be NATed outside on the same port (for example 3389).
Here is what I did: (eth1 is my outside and eth0 is my LAN)

# eth1 = outside, eth0 = LAN.  The two custom chains are appended to the end
# of nat/PREROUTING and nat/POSTROUTING, so they are reached only after the
# rules SME itself puts in those chains.
/sbin/iptables --table nat --new-chain CustomNATin
/sbin/iptables --table nat --new-chain CustomNATout

/sbin/iptables --table nat --append PREROUTING -p all -j CustomNATin
/sbin/iptables --table nat --append POSTROUTING -p all -j CustomNATout

# host 1: 212.x.x.10 <-> 192.168.10.10, inbound TCP 3389 and 443, outbound SNAT
/sbin/iptables --table nat -A CustomNATin -d 212.x.x.10 -p tcp -m multiport --dport 3389,443 -j DNAT --to 192.168.10.10
/sbin/iptables --table nat -A CustomNATout -s 192.168.10.10 -j SNAT --to 212.x.x.10
/sbin/ip address add 212.x.x.10 dev eth1

# host 2: 212.x.x.11 <-> 192.168.10.11, same ports
/sbin/iptables --table nat -A CustomNATin -d 212.x.x.11 -p tcp -m multiport --dport 3389,443 -j DNAT --to 192.168.10.11
/sbin/iptables --table nat -A CustomNATout -s 192.168.10.11 -j SNAT --to 212.x.x.11
/sbin/ip address add 212.x.x.11 dev eth1

What am I doing wrong? Is there something else I should do? When I add port forwarding on 3389 to 192.168.10.10 it works, but I can't add this port to the second machine!
Thanks for the reply, and I really would be glad if someone looked at this.
Pajmon

mmccarn
Re: 1 to 1 NAT on SME 7
« Reply #1 on: August 31, 2007, 02:09:17 PM »
I have no help for you on 1-to-1 NAT, but I can say that I run multiple internal Remote Desktop hosts using simple port forwarding -

1) set up 5 hosts, 192.168.1.50 - .54, all running remote desktop
2) set up 5 port forwards:
  3350 -> 192.168.1.50:3389
  3351 -> 192.168.1.51:3389
  ...
  3354 -> 192.168.1.54:3389
3) Remote users can now access these hosts using Microsoft's remote desktop client by adding ":335x" to the end of the host name (public_ip:3350, for example).

Most services can be forwarded in this manner.

Have you added the extra IP addresses to your SME?  I think that in order to forward from 212...10 and 212...11 to internal hosts you will need to add both IPs to your SME's WAN interface.

Pajmon
Re: 1 to 1 NAT on SME 7
« Reply #2 on: September 04, 2007, 02:20:09 PM »
Thanks for that, but it's not exactly what I am looking for. It does help with some of the machines that I want to 1-to-1 NAT with Remote Desktop.
But I have another one that should have strictly the same port, for example 443, and another with different services running.

Thanks for your time and for help.

Best regards
Pajmon

jfarschman
Re: 1 to 1 NAT on SME 7
« Reply #3 on: September 04, 2007, 05:34:21 PM »
Pajmon,

  I have some notes on doing this for 7.x.  I found it a bit tricky to set up, so I made these notes in case I have to revisit this.  A word of warning... I haven't tested these notes; I just wrote them after I built my first 7.x add-on interface.

If you need to add a second IP (alias) to your server:


Create the Network Configuration File Template

mkdir -p /etc/e-smith/templates-custom/etc/sysconfig/network-scripts
# this can also be used to create a 802.1q VLAN interface by using
# ifcfg-eth0.1 (.2, .3, etc.) and modifying the following fragment
# appropriately – use vconfig (man vconfig) as necessary
cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/e-smith/templates/etc/sysconfig/network-scripts/ifcfg-eth0\:0
cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/e-smith/templates-custom/etc/sysconfig/network-scripts/ifcfg-eth0\:0

Edit the custom template for your network.

vi /etc/e-smith/templates-custom/etc/sysconfig/network-scripts/ifcfg-eth0\:0

It will look something like:

# Add a second (alias) IP address to eth0 (eth0:0)
TYPE=Ethernet
# use DEVICE=eth0.1 (.2, .3, etc.) for VLAN
DEVICE=eth0:0
USERCTL=no
ONBOOT=yes
PEERDNS=no
IPV6INIT=no
BOOTPROTO=none
# uncomment the following for VLAN
# VLAN=yes
# modify the following for your situation
IPADDR=192.168.1.2
NETMASK=255.255.255.0
NETWORK=192.168.1.0
BROADCAST=192.168.1.255

Expand the Template to Create the New Configuration File and Check the Result

/sbin/e-smith/expand-template /etc/sysconfig/network-scripts/ifcfg-eth0:0
cat /etc/sysconfig/network-scripts/ifcfg-eth0:0

Restart Networking and Check the New Interface

service network restart
ifconfig

Inform SME Server of the New Network
If necessary, use the Server Manager to enable the new network or subnetwork. (Local Networks) This would not be necessary if you simply gave the NIC another IP from the already-configured local network for some reason......

 :sad:  Apparently my notes trailed off here.  I must have lost interest.  I hope this helps.
Jay Farschman
ICQ - 60448985
jay@hitechsavvy.com

Pajmon
Re: 1 to 1 NAT on SME 7
« Reply #4 on: February 13, 2008, 04:25:24 PM »
Hi,

Sorry for the late answer.
Thanks for your reply, but I think that isn't what I am looking for.
It adds a second alias IP to my external card but nothing else. I want to redirect traffic that is going to my second external IP to a machine on my LAN (for example Remote Desktop), but I don't want to change my port. So port forwarding is not for me.
These iptables rules work only when I add the whole network of my external IP to my local networks, but when I do that, communication with that network stops (except for the host that I have 1-to-1 NATed).
For example, I have this configuration (I changed the real IP addresses):
LAN IP: 10.10.10.1
WAN IP: 172.16.16.1
I want to NAT the local address 10.10.10.10 so that it is seen on the Internet as 172.16.16.10 (1-to-1 NAT).
When I add the iptables rules from my first post, nothing happens... I can see that my external card has this other address, I can ping it, but it's not redirecting my traffic to the host on my LAN. But when I add the network 172.16.16.0/24 to local networks in the server manager, my 1-to-1 NAT works but everything else stops working. Users can't contact servers on my 172.16.16.0/24 network except that host 172.16.16.10.
I think that I have described everything. If someone has done this 1-to-1 NAT or knows the answer, please help.

Best regards


CharlieBrady
Re: 1 to 1 NAT on SME 7
« Reply #5 on: February 13, 2008, 04:27:27 PM »
I am trying to do 1 to 1 NAT on SME 7.2. I use modified contrib from version 6 ...

Your post is off-topic for this forum. You should have posted to the Contribs forum.

CharlieBrady
Re: 1 to 1 NAT on SME 7
« Reply #6 on: February 13, 2008, 04:48:42 PM »
I have some notes on doing this for 7.x.

Please post your notes in the Bug Tracker, against the relevant New Feature Request (or create a new one if you can't find a matching one).

byte
Re: 1 to 1 NAT on SME 7
« Reply #7 on: February 13, 2008, 07:11:26 PM »
Moving this topic to the SME 7.x contribs forum, it is more appropriate there. Thanks!
--[byte]--

Have you filled in a Bug Report over @ http://bugs.contribs.org ? Please don't wait to be told this way you help us to help you/others - Thanks!

arne
Re: 1 to 1 NAT on SME 7
« Reply #8 on: February 14, 2008, 01:33:43 AM »
Pajmon ->

I think there is some kind of misunderstanding in this thread. (..and if not, I am the one that is misunderstanding.)

As I read your original question, the only thing you actually ask for is an ordinary port forwarding (??!!).

This is a standard function on the server-manager panel, so no modification should be required.

See the text "security" and then "port forwarding".

I had to think a little bit - what is 1 to 1 NAT, 1 to 1 network address translation, and thinking it over, I believe this should be only an ordinary port forwarding. (And the "translation" is performed as the packets arrive at the external port and get their destination address rewritten or translated to the actual local address.)

Right .. or is it something else ?
......

frederikbay
Re: 1 to 1 NAT on SME 7
« Reply #9 on: February 14, 2008, 10:36:24 PM »
Hi

I had this working on an older SME 6 a while ago.

1 to 1 NAT is an extra external IP on the WAN of your SME server where all ports (or just the ones you define in iptables) are forwarded to an internal IP.

Say you want a win2003 server to host some webpages, but you can't forward port 80, because you use that on your SME - then 1 to 1 NAT is useful, because the SME simply forwards the request to the internal Windows server.

SME WAN is 10.0.0.1 and 10.0.0.2

where 10.0.0.2 is forwarded to an internal IP say 192.168.1.2

Hope this explains it a little bit.

Have been thinking about trying to make a contrib for this with a panel in server-manager, but the server-manager bit is way out in the future - I haven't gotten around to learning Perl yet, and haven't tried to make it work on SME 7 yet.

raem
Re: 1 to 1 NAT on SME 7
« Reply #10 on: February 15, 2008, 12:14:51 AM »
frederikbay

Quote
Have been thinking about trying to make a contrib for this with a panel in server-manager, but the server-manager bit is way out in the future - I haven't gotten around to learning Perl yet, and haven't tried to make it work on SME 7 yet.

Well, more fundamentally important is creating the code, ideally with db commands to configure it.
We don't really need a server manager panel to make a few db settings.
The server manager panel is really straightforward anyway once the code is developed.

Please do any development work in the devinfo mail list and/or in a suitable bug report you open, as you will get assistance from very clever developers there.
...

CharlieBrady
Re: 1 to 1 NAT on SME 7
« Reply #11 on: February 15, 2008, 02:34:14 AM »
I had to think a little bit - what is 1 to 1 NAT, 1 to 1 network address tranlation, and thinking it over, I belive this should be only a ordinary port forwarding.

I'm quite surprised that you would say that. A little time with google will reveal to you that 1 to 1 NAT and port forwarding are quite different.

Pajmon
Re: 1 to 1 NAT on SME 7
« Reply #12 on: February 15, 2008, 11:13:52 AM »
Ok thx for all replies.
I can see that no one has done it on SME 7.x. You are right, I can't use port forwarding (I know that functionality); I must use 1-to-1 NAT.
I use version 5.6 and that works... I want to install the new version 7.3, but I made tests and it's not working, so I'll stay on the older version for a while :)
Thanks to all and for patience -> especially for moderators (thx guys).

arne
Re: 1 to 1 NAT on SME 7
« Reply #13 on: February 15, 2008, 05:12:06 PM »
Yes, I was wrong, and I did not read the initial script slowly enough, so I did not see that it was a mapping between two external IPs and two internal IPs that should be able to connect on the same ports.

Example:

212.x.x.11:80 <-> 192.168.10.11:80

212.x.x.10:80 <-> 192.168.10.10:80

(Right ??)

I think this problem can be solved in the one way or the other.

Might have some ideas.. (If interested to make some tests.)

......

Pajmon
Re: 1 to 1 NAT on SME 7
« Reply #14 on: February 18, 2008, 01:47:09 PM »
Yes, you are right :)
If you have any ideas, I am interested in doing some tests.
I think that some iptables rule or rules are blocking this NAT. In the iptables log I see that my requests are blocked by some rule.

Best regards
Pajmon

jfarschman
Re: 1 to 1 NAT on SME 7
« Reply #15 on: February 18, 2008, 06:25:35 PM »
pajmon,

  Okay... I did have this successfully working on version 7.1, and I did use my notes (shown above) to build a new custom template, and I know it worked just fine.  Sadly, my notes trailed off... incomplete, but we did have this running at a public school before they purchased a router to handle the NAT.

  So here is my offer.  If I can spare some time I'll give you a hand with this and we can write up the notes.  As I recall, my methodology was to look at the notes from people doing this on version 5.x and 6.x.  That listed out the obstacles pretty clearly.  Things should be simple from there.

Charlie... sorry for the delay.  I was on vacation last week, but if pajmon and I build this I'll document it.
Jay Farschman
ICQ - 60448985
jay@hitechsavvy.com

arne
Re: 1 to 1 NAT on SME 7
« Reply #16 on: February 18, 2008, 06:47:41 PM »
Question:

The solution in the first post seems to do two things:

1. It establishes an alternative IP that is mapped onto one internal server for traffic that is started from the outside.

2. It also applies the same alternative IP as the source address for traffic started up from the server and out to the internet. (At least I think it will work like this, without any testing to confirm it.)

Is this last function required, or will it be enough if the internal server is available via the alternative IP for traffic initiated from the internet? (If so I think this could be simplified a bit.)


(Simplified setup:
External client -> will send request to alternative external IP.
External server -> will see the ordinary IP as source IP for received packets.)
« Last Edit: February 18, 2008, 06:51:12 PM by arne »
......

jfarschman
Re: 1 to 1 NAT on SME 7
« Reply #17 on: February 18, 2008, 07:40:09 PM »
Arne,

  That's right.
Jay Farschman
ICQ - 60448985
jay@hitechsavvy.com

Normando
Re: 1 to 1 NAT on SME 7
« Reply #18 on: February 19, 2008, 12:16:42 AM »
I have some notes on doing this for 7.x.  I found it a bit tricky to setup so I made these notes in case I have to revisit this.  A word of warning... I haven't tested these notes... just wrote them after I built my first 7.x add-on interface.
jfarschman, can you write a how-to on the wiki?

arne
Re: 1 to 1 NAT on SME 7
« Reply #19 on: February 19, 2008, 01:24:03 AM »
Possibly something like this? (Untested.)


#!/bin/bash


# First apply some IP addresses
ifconfig eth0:0 212.10.10.10 broadcast 212.10.10.255  netmask 255.255.255.0
ifconfig eth0:1 212.10.10.11 broadcast 212.10.10.255  netmask 255.255.255.0

# Then insert some PREROUTING rules at the top of the PREROUTING rule stack
iptables -t nat -I PREROUTING -i eth1 -d 212.10.10.10  -p tcp --dport 443 -j DNAT --to 192.168.10.10
iptables -t nat -I PREROUTING -i eth1 -d 212.10.10.10  -p tcp --dport 3389 -j DNAT --to 192.168.10.10
iptables -t nat -I PREROUTING -i eth1 -d 212.10.10.11  -p tcp --dport 443 -j DNAT --to 192.168.10.11
iptables -t nat -I PREROUTING -i eth1 -d 212.10.10.11  -p tcp --dport 3389 -j DNAT --to 192.168.10.11

# Depending on the configuration of the SME server it could be necessary to open some small pinholes.
# The next four lines might or might not be necessary.
# The filter FORWARD chain runs after nat/PREROUTING has already rewritten the
# destination, so these rules must match the internal (translated) address,
# not the external alias.
iptables -I FORWARD -i eth1 -d 192.168.10.10 -p tcp --dport 443 -j ACCEPT
iptables -I FORWARD -i eth1 -d 192.168.10.10 -p tcp --dport 3389 -j ACCEPT
iptables -I FORWARD -i eth1 -d 192.168.10.11 -p tcp --dport 443 -j ACCEPT
iptables -I FORWARD -i eth1 -d 192.168.10.11 -p tcp --dport 3389 -j ACCEPT

#End


Possibly it could be made more compact using the multiport syntax. I think it is best to do it "basic" from the start. If this works, it should then be possible to look into the other problem (if needed), the source address for connections set up from the inside.

By the way - if the script is run, it's enough to reboot the gateway server and all changes will be gone.
(If edited into /etc/rc.d/rc.local it will be applied at each start up.)

....But the method of jfarschman is more "sme alike" and "sme correct".
« Last Edit: February 19, 2008, 01:32:58 AM by arne »
......

Pajmon
Re: 1 to 1 NAT on SME 7
« Reply #20 on: February 19, 2008, 09:38:43 PM »
Hi,

Arne, I will test it tomorrow or on Thursday. Thanks for your time and for help.

Your lines are very similar to mine:
This is yours:
# First apply some IP addresses
ifconfig eth0:0 212.10.10.10 broadcast 212.10.10.255  netmask 255.255.255.0
ifconfig eth0:1 212.10.10.11 broadcast 212.10.10.255  netmask 255.255.255.0

# Then insert some PREROUTING rules at the top of the PREROUTING rule stack
iptables -t nat -I PREROUTING -i eth1 -d 212.10.10.10  -p tcp --dport 443 -j DNAT --to 192.168.10.10
iptables -t nat -I PREROUTING -i eth1 -d 212.10.10.10  -p tcp --dport 3389 -j DNAT --to 192.168.10.10
iptables -t nat -I PREROUTING -i eth1 -d 212.10.10.11  -p tcp --dport 443 -j DNAT --to 192.168.10.11
iptables -t nat -I PREROUTING -i eth1 -d 212.10.10.11  -p tcp --dport 3389 -j DNAT --to 192.168.10.11

And this is what I was doing:
/sbin/iptables --table nat --new-chain CustomNATin
/sbin/iptables --table nat --new-chain CustomNATout

/sbin/iptables --table nat --append PREROUTING -p all -j CustomNATin
/sbin/iptables --table nat --append POSTROUTING -p all -j CustomNATout

/sbin/iptables --table nat -A CustomNATin -d 212.x.x.10 -p tcp -m multiport --dport 3389,443 -j DNAT --to 192.168.10.10
/sbin/iptables --table nat -A CustomNATout -s 192.168.10.10 -j SNAT --to 212.x.x.10
/sbin/ip address add 212.x.x.10 dev eth1

I think this is the same, or maybe I am wrong? I have "ip address add" and you have "ifconfig eth0:0".
And one more thing: which NIC in your script is internal and which is external? You add an alias to eth0 (external???) and then you add a rule for eth1. Is that correct?

One more time thanks.
Pajmon

arne
Re: 1 to 1 NAT on SME 7
« Reply #21 on: February 19, 2008, 09:50:02 PM »
Almost the same, but still not completely.

You use the -A or append statement that will insert the rule at the bottom of the rule stack, while I use the -I or insert statement that will put it on the top of the "basic rule stacks".

Then you also declare two new rule stacks (in that "bottom position") while I insert the rules at the top of the PREROUTING and the FORWARD rule stacks.

I would guess the problem is mainly related to this "at the top" and "at the bottom" problem.

One also has to take into account that the rules will be applied in the reverse order when using -I.

These sentences will do almost the same.

In this sequence at the bottom:

iptables -A <rule1>
iptables -A <rule2>
iptables -A <rule3>

In the reverse order and at the top:

iptables -I <rule3>
iptables -I <rule2>
iptables -I <rule1>

Same sequence of rules in the first case, applied at the bottom with priority after all other rules. In the second case inserted at the top (and in reverse order) with priority before all other rules.

The same problem will also apply to the SNAT sentence. It should also be inserted at the top, with priority before the default SNAT sentence.
 
« Last Edit: February 19, 2008, 10:11:23 PM by arne »
......

Pajmon
Re: 1 to 1 NAT on SME 7
« Reply #22 on: February 19, 2008, 09:55:32 PM »
OK, maybe you are right.
I will check this and tell you what's new.
Thanks and good night.

Pajmon
Re: 1 to 1 NAT on SME 7
« Reply #23 on: July 03, 2009, 12:22:56 PM »
Hi guys... it took some time (different reasons) but I am back to the problem and found a solution with your help - especially arne's help (with small modifications).
Maybe someone will need this solution, so I decided to write it here.
So this is how it goes:
eth1 is my external interface
eth0 is my internal interface
EXTIP - that is the added external IP (added to the server, the address that will be NATed to the outside)
INTIP - that is the internal IP of some machine that hosts some service or application
==============
# add the extra public address as an alias on the external interface
ifconfig eth1:0 EXTIP broadcast EXTBROADCASTIP netmask NETMASKIP
# inbound: every TCP packet addressed to EXTIP gets its destination rewritten to INTIP (all ports)
/sbin/iptables -t nat -I PREROUTING -d EXTIP -p tcp -j DNAT --to INTIP
# outbound: TCP connections from INTIP leave with EXTIP as their source
/sbin/iptables -t nat -I POSTROUTING -s INTIP -p tcp -j SNAT --to EXTIP
# let the translated packets through the filter table (matches the internal address, since FORWARD runs after the DNAT)
/sbin/iptables -I FORWARD -d INTIP -p tcp -j ACCEPT
===============
That's all. That works for me; of course you can restrict the ports on the NATed address (for example to the Remote Desktop port, 3389). You should modify the last line similar to this:
/sbin/iptables -I FORWARD -d INTIP -p tcp --dport 3389 -j ACCEPT

Best regards
Pajmon
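The script below is an added example for this thread; it is not code from any post above, nor from the SME Server project. It pulls together Pajmon's final recipe (reply #23), arne's point in reply #21 that `-I` puts each rule at the top in reverse order, and, for contrast, the plain port-forwarding scheme from mmccarn's reply #1. It assumes, as the thread does, that eth1 is the external interface; the function names, the `EXTIP:INTIP:PORTS` argument format and the `DRY_RUN` switch are my own. Unlike the unrestricted recipe, it refuses a mapping without an explicit port list, binds every rule to the external interface, and inserts the rules in reverse so that the chains end up reading in the written order.

```shell
#!/bin/sh
# Added example (not from any post in this thread, nor from SME Server).
# Assumptions: eth1 is the external interface, as in the thread; the
# function names, the EXTIP:INTIP:PORTS mapping format and DRY_RUN are mine.
# Run as root on the gateway.  DRY_RUN=1 prints the commands instead:
#   DRY_RUN=1 sh onetoone.sh 198.51.100.10:192.168.10.10:443,3389 \
#                            198.51.100.11:192.168.10.11:443,3389

EXT_IF=${EXT_IF:-eth1}
DRY_RUN=${DRY_RUN:-0}

# run CMD...: execute the command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# valid_ipv4 A.B.C.D: succeed only for a dotted quad whose octets are 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(printf '%s\n' "$1" | tr . ' '); do [ "$o" -le 255 ] || return 1; done
}

# nat_rules EXTIP INTIP PORTS: print the 1:1 NAT rules for one host, one
# command per line, in the order the kernel should evaluate them.
# - Every rule is bound to the external interface, so traffic between local
#   networks is never rewritten.
# - The DNAT is limited to an explicit TCP port list: a bare
#   "-d EXTIP -p tcp -j DNAT" would expose every port the host listens on.
# - The FORWARD rule matches the internal address: by the time the filter
#   table runs, nat/PREROUTING has already rewritten the destination.
nat_rules() {
    extip=$1 intip=$2 ports=$3
    valid_ipv4 "$extip" && valid_ipv4 "$intip" \
        || { echo "bad address: $extip -> $intip" >&2; return 1; }
    printf '%s\n' "$ports" | grep -Eq '^[0-9]+(,[0-9]+)*$' \
        || { echo "need a comma-separated port list for $extip" >&2; return 1; }
    printf '%s\n' \
      "iptables -t nat -I PREROUTING 1 -i $EXT_IF -d $extip -p tcp -m multiport --dports $ports -j DNAT --to-destination $intip" \
      "iptables -t nat -I POSTROUTING 1 -o $EXT_IF -s $intip -j SNAT --to-source $extip" \
      "iptables -I FORWARD 1 -i $EXT_IF -d $intip -p tcp -m multiport --dports $ports -j ACCEPT"
}

# forward_rules EXTPORT INTIP INTPORT: plain port forwarding, for contrast.
# One public address, many hosts, each behind a different external port
# (3350 -> .50:3389, 3351 -> .51:3389, ...).  Use the 1:1 mapping above when
# two hosts must both answer on the *same* port.
forward_rules() {
    extport=$1 intip=$2 intport=$3
    valid_ipv4 "$intip" || { echo "bad address: $intip" >&2; return 1; }
    printf '%s\n' \
      "iptables -t nat -I PREROUTING 1 -i $EXT_IF -p tcp --dport $extport -j DNAT --to-destination $intip:$intport" \
      "iptables -I FORWARD 1 -i $EXT_IF -d $intip -p tcp --dport $intport -j ACCEPT"
}

# apply_nat EXTIP:INTIP:PORTS ...: add each alias address, then insert the
# rules.  "-I CHAIN 1" puts a rule ahead of everything SME generated, and the
# last one inserted ends up first, so the list is applied in reverse: the
# chains then read top-down in the order nat_rules printed them.
apply_nat() {
    all=""
    for m in "$@"; do
        extip=${m%%:*}; rest=${m#*:}; intip=${rest%%:*}; ports=${rest#*:}
        rules=$(nat_rules "$extip" "$intip" "$ports") || return 1
        run ip addr add "$extip/32" dev "$EXT_IF"
        all="$all$rules
"
    done
    printf '%s' "$all" | sed '1!G;h;$!d' | while IFS= read -r cmd; do
        if [ -n "$cmd" ]; then run $cmd; fi
    done
}

if [ "$#" -gt 0 ]; then apply_nat "$@"; fi
```

Return traffic is assumed to be accepted by the gateway's existing ESTABLISHED rule in FORWARD; if it is not, the reply packets will be dropped and the DNAT will look broken. After running it, check with `iptables -t nat -L PREROUTING -n --line-numbers` and `iptables -L FORWARD -n --line-numbers` that the inserted rules sit above the SME-generated ones. Like arne's script, everything here is lost at reboot and whenever SME regenerates its firewall, so for a permanent setup put the alias address in a custom template as jfarschman's notes describe and run the rules from /etc/rc.d/rc.local.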