Koozali.org: home of the SME Server

1 to 1 NAT on SME 7

Offline jfarschman

  • *
  • 406
  • +0/-0
Re: 1 to 1 NAT on SME 7
« Reply #15 on: February 18, 2008, 06:25:35 PM »
pajmon,

  Okay... I did have this successfully working on version 7.1 and I did use my notes (shown above) to build a new custom-template and I know it worked just fine.  Sadly, my notes trailed off...incomplete, but we did have this running at a public school before they purchased a router to handle the NAT.

  So here is my offer.  If I can spare some time I'll give you a hand with this and we can write up the notes.  As I recall my methodology was to look at the notes from people doing this on version 5.x and 6.x.  That listed out the obstacles pretty clearly.  Things should be simple from there.

Charlie... sorry for the delay.  I was on vacation last week, but if pajmon and I build this I'll document it.
Jay Farschman
ICQ - 60448985
jay@hitechsavvy.com

Offline arne

  • ****
  • 1,116
  • +0/-4
Re: 1 to 1 NAT on SME 7
« Reply #16 on: February 18, 2008, 06:47:41 PM »
Question:

The solution in the first post seems to do two things:

1. It establishes an alternative IP that is mapped to one internal server for traffic that is started from the outside.

2. It also applies the same alternative IP as the source address for traffic started from the server out to the internet. (At least I think it will work like this, without any testing to confirm it.)

Is this last function required, or will it be enough if the internal server is available via the alternative IP for traffic initiated from the internet? (If so I think this could simplify things a bit.)


(Simplified setup:
External client -> will send requests to the alternative external IP.
External server -> will see the ordinary IP as source IP for received packets.)
« Last Edit: February 18, 2008, 06:51:12 PM by arne »
......

Offline jfarschman

  • *
  • 406
  • +0/-0
Re: 1 to 1 NAT on SME 7
« Reply #17 on: February 18, 2008, 07:40:09 PM »
Arne,

  That's right.
Jay Farschman
ICQ - 60448985
jay@hitechsavvy.com

Offline Normando

  • *
  • 841
  • +2/-1
    • Unixlan
Re: 1 to 1 NAT on SME 7
« Reply #18 on: February 19, 2008, 12:16:42 AM »
I have some notes on doing this for 7.x.  I found it a bit tricky to set up so I made these notes in case I have to revisit this.  A word of warning... I haven't tested these notes... just wrote them after I built my first 7.x add-on interface.
jfarschman, can you write a how-to at the wiki?

Offline arne

  • ****
  • 1,116
  • +0/-4
Re: 1 to 1 NAT on SME 7
« Reply #19 on: February 19, 2008, 01:24:03 AM »
Possibly something like this? (Untested.)


#!/bin/bash


#First apply some IP addresses
ifconfig eth0:0 212.10.10.10 broadcast 212.10.10.255  netmask 255.255.255.0
ifconfig eth0:1 212.10.10.11 broadcast 212.10.10.255  netmask 255.255.255.0

#Then insert some prerouting rules at the top of the prerouting rule stack
iptables -t nat -I PREROUTING -i eth1 -d 212.10.10.10  -p tcp --dport 443 -j DNAT --to 192.168.10.10
iptables -t nat -I PREROUTING -i eth1 -d 212.10.10.10  -p tcp --dport 3389 -j DNAT --to 192.168.10.10
iptables -t nat -I PREROUTING -i eth1 -d 212.10.10.11  -p tcp --dport 443 -j DNAT --to 192.168.10.11
iptables -t nat -I PREROUTING -i eth1 -d 212.10.10.11  -p tcp --dport 3389 -j DNAT --to 192.168.10.11

#Depending on the configuration of the SME server it could be necessary to open some small pinholes.
#The next four lines might or might not be necessary.
#Note: FORWARD runs after the nat PREROUTING DNAT, so it sees the internal
#address as destination; matching on the public address here would never hit.
iptables -I FORWARD -i eth1 -d 192.168.10.10 -p tcp --dport 443 -j ACCEPT
iptables -I FORWARD -i eth1 -d 192.168.10.10 -p tcp --dport 3389 -j ACCEPT
iptables -I FORWARD -i eth1 -d 192.168.10.11 -p tcp --dport 443 -j ACCEPT
iptables -I FORWARD -i eth1 -d 192.168.10.11 -p tcp --dport 3389 -j ACCEPT

#End


Possibly it could be made more compact using the multiport syntax. I think it is best to do it "basic" from the start. If this works, it should then be possible to look into the other problem (if needed): the source address for connections set up from the inside.

By the way - if the script has been run, just reboot the gateway server and all changes will be gone.
(If edited into /etc/rc.d/rc.local, it will be applied at each start up.)

....But the method of jfarschman is more "SME alike" and "SME correct".
« Last Edit: February 19, 2008, 01:32:58 AM by arne »
......

Offline Pajmon

  • 9
  • +0/-0
Re: 1 to 1 NAT on SME 7
« Reply #20 on: February 19, 2008, 09:38:43 PM »
Hi,

Arne, I will test it tomorrow or on Thursday. Thanks for your time and for your help.

Your lines are very similar to mine:
This is yours:
#First apply some IP addresses
ifconfig eth0:0 212.10.10.10 broadcast 212.10.10.255  netmask 255.255.255.0
ifconfig eth0:1 212.10.10.11 broadcast 212.10.10.255  netmask 255.255.255.0

#Then insert some prerouting rules at the top of the prerouting rule stack
iptables -t nat -I PREROUTING -i eth1 -d 212.10.10.10  -p tcp --dport 443 -j DNAT --to 192.168.10.10
iptables -t nat -I PREROUTING -i eth1 -d 212.10.10.10  -p tcp --dport 3389 -j DNAT --to 192.168.10.10
iptables -t nat -I PREROUTING -i eth1 -d 212.10.10.11  -p tcp --dport 443 -j DNAT --to 192.168.10.11
iptables -t nat -I PREROUTING -i eth1 -d 212.10.10.11  -p tcp --dport 3389 -j DNAT --to 192.168.10.11

And this is what I was doing:
/sbin/iptables --table nat --new-chain CustomNATin
/sbin/iptables --table nat --new-chain CustomNATout

/sbin/iptables --table nat --append PREROUTING -p all -j CustomNATin
/sbin/iptables --table nat --append POSTROUTING -p all -j CustomNATout

/sbin/iptables --table nat -A CustomNATin -d 212.x.x.10 -p tcp -m multiport --dport 3389,443 -j DNAT --to 192.168.10.10
/sbin/iptables --table nat -A CustomNATout -s 192.168.10.10 -j SNAT --to 212.x.x.10
/sbin/ip address add 212.x.x.10 dev eth1

I think this is the same, maybe I am wrong? I have "ip address add" and you have "ifconfig eth0:0".
And one more: which NIC in your script is internal and which is external? You add an alias to eth0 (external???) and then you add a rule for eth1. Is it correct?

One more time thanks.
Pajmon

Offline arne

  • ****
  • 1,116
  • +0/-4
Re: 1 to 1 NAT on SME 7
« Reply #21 on: February 19, 2008, 09:50:02 PM »
Almost the same, but still not completely.

You use the -A or append statement that will insert the rule at the bottom of the rule stack, while I use the -I or insert statement that will put it at the top of the "basic rule stacks".

Then you also declare two new rule stacks (in that "bottom position") while I insert them at the top of the prerouting and the forward rule stack.

I would guess the problem is mainly related to this "at the top" and "at the bottom" problem.

One will also have to take into account that the rules will be applied in the reverse order when using -I.

These sentences will do almost the same.

In this sequence at the bottom:

iptables -A <rule1>
iptables -A <rule2>
iptables -A <rule3>

In the reverse order and at the top:

iptables -I <rule3>
iptables -I <rule2>
iptables -I <rule1>

Same sequence of rules in the first case applied at the bottom with priority after all other rules. In the second case inserted at the top (and in reverse order) with priority before all other rules.

The same problem will also exist for the -snat sentence. It should also be inserted at the top with priority before the default -snat sentence.
 
« Last Edit: February 19, 2008, 10:11:23 PM by arne »
......

Offline Pajmon

  • 9
  • +0/-0
Re: 1 to 1 NAT on SME 7
« Reply #22 on: February 19, 2008, 09:55:32 PM »
Ok, maybe you are right.
I will check this and tell what's new.
Thx and good night.

Offline Pajmon

  • 9
  • +0/-0
Re: 1 to 1 NAT on SME 7
« Reply #23 on: July 03, 2009, 12:22:56 PM »
Hi guys....it took some time (different reasons) but I came back to the problem and found a solution with your help - especially arne's help (with small modifications).
Maybe someone will need this solution so I decided to write it here.
So this is how it goes:
eth1 is my external interface
eth0 is my internal interface
EXTIP - that is the added external IP (added to the server that would be NATed outside)
INTIP - that is the internal IP of some machine that hosts some service or application
==============
ifconfig eth1:0 EXTIP broadcast EXTBROADCASTIP netmask NETMASKIP
/sbin/iptables -t nat -I PREROUTING -d EXTIP -p tcp -j DNAT --to INTIP
/sbin/iptables -t nat -I POSTROUTING -s INTIP -p tcp -j SNAT --to EXTIP
/sbin/iptables -I FORWARD -d INTIP -p tcp -j ACCEPT
===============
That's all. That works for me; of course you can restrict ports to the NATed address (for example Remote Desktop port: 3389). You should modify the last line similar to this:
/sbin/iptables -I FORWARD -d INTIP -p tcp --dport 3389 -j ACCEPT

Best regards
Pajmon
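The recipe above and arne's point about -I ordering, as an added example that is not code from the thread: a script that generates the port-restricted 1:1 NAT rules for one internal host, issues them last-to-first so -I leaves them in the intended order, and re-runs cleanly without duplicate rules. It assumes eth1 is the external interface as in Pajmon's setup, uses constructed placeholder addresses, and prints the rules by default; set IPTABLES=/sbin/iptables to apply them.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates the 1:1 NAT rules for one
# internal host behind one extra public IP on an SME 7 style gateway and issues
# them in the order arne describes. All addresses are constructed placeholders;
# eth1 is the external interface, as in Pajmon's setup.
EXT_IF="${EXT_IF:-eth1}"
EXTIP="${EXTIP:-203.0.113.10}"      # extra public IP (TEST-NET-3, constructed)
INTIP="${INTIP:-192.168.10.10}"     # internal host that owns the service
PORTS="${PORTS:-443,3389}"          # only these TCP ports are forwarded
# Dry run by default: rules are printed. Set IPTABLES=/sbin/iptables to apply.
IPTABLES="${IPTABLES:-echo iptables}"

# Rules in the order they should finally appear in their chains, one per line.
# FORWARD runs after nat PREROUTING, so it sees INTIP as destination, not EXTIP.
# Replies to connections INTIP opens itself must be let back in before the
# catch-all DROP, otherwise the host loses outbound connectivity.
nat_rules() {
    cat <<EOF
-t nat -I PREROUTING -i $EXT_IF -d $EXTIP -p tcp -m multiport --dports $PORTS -j DNAT --to-destination $INTIP
-t nat -I POSTROUTING -o $EXT_IF -s $INTIP -j SNAT --to-source $EXTIP
-I FORWARD -i $EXT_IF -d $INTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
-I FORWARD -i $EXT_IF -d $INTIP -p tcp -m multiport --dports $PORTS -j ACCEPT
-I FORWARD -i $EXT_IF -d $INTIP -j DROP
EOF
}

# Issue the rules last-to-first: -I puts each new rule at position 1, so the
# reversed feed leaves them in the listed order. Each rule is deleted (-D)
# before insertion so re-running the script does not stack duplicates.
apply_rules() {
    nat_rules | awk '{ r[NR] = $0 } END { for (i = NR; i > 0; i--) print r[i] }' |
    while IFS= read -r rule; do
        $IPTABLES $(printf '%s' "$rule" | sed 's/ -I / -D /') >/dev/null 2>&1 || true
        $IPTABLES $rule
    done
}

# Helpers for inspecting the order in which rules are issued.
first_issued_rule() { apply_rules | head -n 1; }
last_issued_rule() { apply_rules | tail -n 1; }

apply_rules
```

In the dry run the DROP line is printed first and the DNAT line last, which is the reverse of the order they end up in their chains.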