* 1:1 NAT
@ 2003-01-21 16:00 Mike
  2003-01-21 16:41 ` Maciej Soltysiak
                   ` (2 more replies)
  0 siblings, 3 replies; 10+ messages in thread
From: Mike @ 2003-01-21 16:00 UTC (permalink / raw)
  To: netfilter

Can anyone point me to some docs on setting up 1:1 NAT on netfilter?

What I am trying to do is like how it's done on Cisco PIX, i.e.
"static (inside,outside) 208.15.232.12 192.168.1.167 netmask 255.255.255.255
0 0"

That way I don't have to do IP alias on my ethernet card.

Thanks,

Mike




* Re: 1:1 NAT
  2003-01-21 16:00 1:1 NAT Mike
@ 2003-01-21 16:41 ` Maciej Soltysiak
  2003-01-22  5:21 ` Raymond Leach
  2003-01-27 18:38 ` 1:1 NAT/Not working Mike
  2 siblings, 0 replies; 10+ messages in thread
From: Maciej Soltysiak @ 2003-01-21 16:41 UTC (permalink / raw)
  To: Mike; +Cc: netfilter

> What I am trying to do is like how its done on cisco PIX i.e
> "static (inside,outside) 208.15.232.12 192.168.1.167 netmask 255.255.255.255
> 0 0"
iptables -A POSTROUTING -t nat -o EXT -s 192.168.1.167 -j SNAT \
	--to 208.15.232.12
iptables -A PREROUTING -t nat -i EXT -d 208.15.232.12 -j DNAT \
	--to 192.168.1.167

Where EXT is your external interface.

This does:
 - change source address of packets coming out of 192.168.1.167 to
208.15.232.12
 - change destination address of packets coming to 208.15.232.12 to
192.168.1.167

Then the packets get routed, and you have 1:1 NAT.

You can also change ports, e.g. make a world-available ftp server on port
21 on 208.15.232.12 that really is on port 17 on 192.168.1.167.
This way 192.168.1.167 can have 2 ftp servers, one public, one internal,
on different ports.

It is just an example, maybe you could use things like that.

Regards,
Maciej Soltysiak



* Re: 1:1 NAT
@ 2003-01-21 17:00 Walther
  0 siblings, 0 replies; 10+ messages in thread
From: Walther @ 2003-01-21 17:00 UTC (permalink / raw)
  To: Mike; +Cc: netfilter

hi,

from outside to inside:

iptables -t nat -A PREROUTING -d 208.15.232.12 -j DNAT --to 192.168.1.167

the other way around:

iptables -t nat -A POSTROUTING -s 192.168.1.167 -j SNAT --to 208.15.232.12

you should specify the input and output interface as well like this:

iptables -t nat -A PREROUTING -i <external-interface> -d 208.15.232.12 \
        -j DNAT --to 192.168.1.167

and 

iptables -t nat -A POSTROUTING -o <external-interface> -s 192.168.1.167 \
        -j SNAT --to 208.15.232.12

Best Regards,
MfG.

Stefan Walther
stefan_walther@gehag-dsk.de
dienst.: +4930/89786448
Funk: +49172/3943961
http://www.gehag-dsk.de

-------------------------------------------------------------- 
Linux/UNIX is like an Indian Tipi:
No Windows, no Gates and Apache inside.

Outgoing Mail is certified mistake-free. 
Examined by DOGMATIC infallibility system. 
Version 6.04




"Mike" <mikeeo@msn.com>
Sent by: netfilter-admin@lists.netfilter.org
21.01.2003 17:00

 
        To:     <netfilter@lists.netfilter.org>
        cc: 
        Subject:        1:1 NAT


Can anyone point me to some docs on setting up 1:1 NAT on netfilter?

What I am trying to do is like how its done on cisco PIX i.e
"static (inside,outside) 208.15.232.12 192.168.1.167 netmask 
255.255.255.255
0 0"

That way I don't have to do IP alias on my ethernet card.

Thanks,

Mike

* Re: 1:1 NAT
  2003-01-21 16:00 1:1 NAT Mike
  2003-01-21 16:41 ` Maciej Soltysiak
@ 2003-01-22  5:21 ` Raymond Leach
  2003-01-22  6:42   ` Martin Josefsson
  2003-01-27 18:38 ` 1:1 NAT/Not working Mike
  2 siblings, 1 reply; 10+ messages in thread
From: Raymond Leach @ 2003-01-22  5:21 UTC (permalink / raw)
  To: Netfilter Mailing List


There is a patch-o-matic patch called SAME which does 1:1 NAT.

iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/24 -j SAME
196.4.160.0/24

I forget the exact syntax ....

On Tue, 2003-01-21 at 18:00, Mike wrote:
> Can anyone point me to some docs on setting up 1:1 NAT on netfilter?
> 
> What I am trying to do is like how its done on cisco PIX i.e
> "static (inside,outside) 208.15.232.12 192.168.1.167 netmask 255.255.255.255
> 0 0"
> 
> That way I don't have to do IP alias on my ethernet card.
> 
> Thanks,
> 
> Mike
-- 
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(  Raymond Leach                       )
 ) Knowledge Factory                  (
(                                      )
 ) Tel: +27 11 445 8100               (
(  Fax: +27 11 445 8101                )
 )                                    (
(  http://www.knowledgefactory.co.za/  )
 ) http://www.saptg.co.za/            (
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   o                                o
    o                              o
        .--.                  .--.
       | o_o|                |o_o |
       | \_:|                |:_/ |
      / /   \\              //   \ \
     ( |     |)            (|     | )
     /`\_   _/'\          /'\_   _/`\
     \___)=(___/          \___)=(___/


* Re: 1:1 NAT
  2003-01-22  5:21 ` Raymond Leach
@ 2003-01-22  6:42   ` Martin Josefsson
  2003-01-22  6:50     ` Raymond Leach
  0 siblings, 1 reply; 10+ messages in thread
From: Martin Josefsson @ 2003-01-22  6:42 UTC (permalink / raw)
  To: raymondl; +Cc: Netfilter Mailing List

On Wed, 2003-01-22 at 06:21, Raymond Leach wrote:
> There is a patch-o-matic patch called SAME which does 1:1 NAT.
> 
> iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/24 -j SAME
> 196.4.160.0/24

No it doesn't.

you are thinking of NETMAP not SAME.

-- 
/Martin

Never argue with an idiot. They drag you down to their level, then beat you with experience.



* Re: 1:1 NAT
  2003-01-22  6:42   ` Martin Josefsson
@ 2003-01-22  6:50     ` Raymond Leach
  2003-01-22  7:02       ` Martin Josefsson
  0 siblings, 1 reply; 10+ messages in thread
From: Raymond Leach @ 2003-01-22  6:50 UTC (permalink / raw)
  To: Martin Josefsson; +Cc: Netfilter Mailing List


On Wed, 2003-01-22 at 08:42, Martin Josefsson wrote:
> On Wed, 2003-01-22 at 06:21, Raymond Leach wrote:
> > There is a patch-o-matic patch called SAME which does 1:1 NAT.
> > 
> > iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/24 -j SAME
> > 196.4.160.0/24
> 
> No it doesn't.
> 
> you are thinking of NETMAP not SAME.
OK. Sorry ... what does SAME do?
-- 
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(  Raymond Leach                       )
 ) Knowledge Factory                  (
(                                      )
 ) Tel: +27 11 445 8100               (
(  Fax: +27 11 445 8101                )
 )                                    (
(  http://www.knowledgefactory.co.za/  )
 ) http://www.saptg.co.za/            (
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   o                                o
    o                              o
        .--.                  .--.
       | o_o|                |o_o |
       | \_:|                |:_/ |
      / /   \\              //   \ \
     ( |     |)            (|     | )
     /`\_   _/'\          /'\_   _/`\
     \___)=(___/          \___)=(___/


* Re: 1:1 NAT
  2003-01-22  6:50     ` Raymond Leach
@ 2003-01-22  7:02       ` Martin Josefsson
  2003-01-22  7:03         ` Raymond Leach
  0 siblings, 1 reply; 10+ messages in thread
From: Martin Josefsson @ 2003-01-22  7:02 UTC (permalink / raw)
  To: raymondl; +Cc: Netfilter Mailing List

On Wed, 2003-01-22 at 07:50, Raymond Leach wrote:
> On Wed, 2003-01-22 at 08:42, Martin Josefsson wrote:
> > On Wed, 2003-01-22 at 06:21, Raymond Leach wrote:
> > > There is a patch-o-matic patch called SAME which does 1:1 NAT.
> > > 
> > > iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/24 -j SAME
> > > 196.4.160.0/24
> > 
> > No it doesn't.
> > 
> > you are thinking of NETMAP not SAME.
> OK. Sorry ... what does SAME do?

It makes sure a client always gets the same IP address after NAT. No
load balancing like SNAT.

-- 
/Martin

Never argue with an idiot. They drag you down to their level, then beat you with experience.



* Re: 1:1 NAT
  2003-01-22  7:02       ` Martin Josefsson
@ 2003-01-22  7:03         ` Raymond Leach
  0 siblings, 0 replies; 10+ messages in thread
From: Raymond Leach @ 2003-01-22  7:03 UTC (permalink / raw)
  To: Martin Josefsson; +Cc: Netfilter Mailing List


On Wed, 2003-01-22 at 09:02, Martin Josefsson wrote:
> On Wed, 2003-01-22 at 07:50, Raymond Leach wrote:
> > On Wed, 2003-01-22 at 08:42, Martin Josefsson wrote:
> > > On Wed, 2003-01-22 at 06:21, Raymond Leach wrote:
> > > > There is a patch-o-matic patch called SAME which does 1:1 NAT.
> > > > 
> > > > iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/24 -j SAME
> > > > 196.4.160.0/24
> > > 
> > > No it doesn't.
> > > 
> > > you are thinking of NETMAP not SAME.
> > OK. Sorry ... what does SAME do?
> 
> It makes sure a client always gets the same ipaddress after NAT. No
> loadbalancing like SNAT.
OK. Sorry again for the confusion.




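Martin's correction above, as an added example that is not part of the thread: NETMAP is the target that maps a whole network 1:1, and the script below pairs the two NETMAP rules with a pure-shell model of what the target does to an address (keep the host bits, swap the network bits), so the mapping can be checked without a kernel. The interface eth1 and the two /24s are taken from Raymond's rule above; the function names are mine. Nothing here runs as root unless you pipe the output of netmap_rules into sh.

```shell
#!/bin/sh
# Added example (not from the thread): NETMAP rules for a /24 <-> /24 mapping,
# and netmap_translate as a model of the target's arithmetic.

# ip4_to_int 192.168.0.5 -> 3232235525
ip4_to_int() {
    i_oldifs=$IFS; IFS=.; set -- $1; IFS=$i_oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix_mask 24 -> 4294967040 (0xFFFFFF00)
prefix_mask() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# netmap_translate ADDR FROM_NET/LEN TO_NET/LEN
# Prints the address NETMAP produces for ADDR: network bits from TO_NET, host
# bits from ADDR. Returns 1 when ADDR is outside FROM_NET, which is the case
# in which the rule simply would not match the packet.
netmap_translate() {
    n_addr=$(ip4_to_int "$1")
    n_from=$(ip4_to_int "${2%/*}")
    n_to=$(ip4_to_int "${3%/*}")
    n_mask=$(prefix_mask "${2#*/}")
    [ $(( n_addr & n_mask )) -eq $(( n_from & n_mask )) ] || return 1
    int_to_ip4 $(( (n_to & n_mask) | (n_addr & ~n_mask & 4294967295) ))
}

# netmap_rules EXT_IF PUBLIC_NET/LEN PRIVATE_NET/LEN
# Inbound: a public destination becomes the private host with the same host
# bits. Outbound: a private source becomes its public twin. NETMAP takes the
# mask from --to and fills the zero bits from the original address, so both
# prefixes are kept the same length to avoid mapping into the wrong range.
netmap_rules() {
    [ "${2#*/}" = "${3#*/}" ] || { echo "netmap_rules: prefix lengths differ" >&2; return 2; }
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -j NETMAP --to %s\n' "$1" "$2" "$3"
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j NETMAP --to %s\n' "$1" "$3" "$2"
}
# For contrast, the patch-o-matic SAME target Raymond was thinking of took a
# pool, "-j SAME --to 196.4.160.1-196.4.160.254", and only guaranteed that one
# inside host always got the same pool address. It is no longer in the kernel.

if [ "${1:-}" = demo ]; then
    netmap_rules eth1 196.4.160.0/24 192.168.0.0/24
    netmap_translate 192.168.0.5 192.168.0.0/24 196.4.160.0/24
fi
```

Run with `sh netmap.sh demo` to see the two rules and one translated address; netmap_translate is also handy for predicting what a remote peer will see as the source of a given inside host before the rules go live.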
* Re: 1:1 NAT/Not working
  2003-01-21 16:00 1:1 NAT Mike
  2003-01-21 16:41 ` Maciej Soltysiak
  2003-01-22  5:21 ` Raymond Leach
@ 2003-01-27 18:38 ` Mike
  2 siblings, 0 replies; 10+ messages in thread
From: Mike @ 2003-01-27 18:38 UTC (permalink / raw)
  To: netfilter

I tried the examples that were shown and I cannot contact the servers. Do I
need to alias the IPs on an ethernet card, i.e. eth0:1?

from outside to inside:

iptables -t nat -A PREROUTING -d 208.15.232.12 -j DNAT --to 192.168.1.167

the other way around:

iptables -t nat -A POSTROUTING -s 192.168.1.167 -j SNAT --to 208.15.131.12

----- Original Message -----
From: "Mike" <mikeeo@msn.com>
To: <netfilter@lists.netfilter.org>
Sent: Tuesday, January 21, 2003 11:00 AM
Subject: 1:1 NAT


> Can anyone point me to some docs on setting up 1:1 NAT on netfilter?
>
> What I am trying to do is like how its done on cisco PIX i.e
> "static (inside,outside) 208.15.232.12 192.168.1.167 netmask
255.255.255.255
> 0 0"
>
> That way I don't have to do IP alias on my ethernet card.
>
> Thanks,
>
> Mike
>
>
>




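A check worth running before asking the list, as an added example that is not part of the thread: the SNAT rule quoted in the message above sends traffic out as 208.15.131.12 while the DNAT rule answers for 208.15.232.12, and neither rule names an interface. The script below reads iptables-save style output for the nat table and reports exactly those two problems. The two rule sets embedded in it are constructed samples, not captured from a real box, and the function name is mine.

```shell
#!/bin/sh
# Added example (not from the thread): consistency check for 1:1 NAT rule pairs.

# Constructed sample: the pair quoted above, as iptables-save would print it.
BROKEN_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 208.15.232.12/32 -j DNAT --to-destination 192.168.1.167
-A POSTROUTING -s 192.168.1.167/32 -j SNAT --to-source 208.15.131.12
COMMIT'

# Constructed sample: the same mapping with matching addresses, bound to eth0.
FIXED_RULES='*nat
-A PREROUTING -i eth0 -d 208.15.232.12/32 -j DNAT --to-destination 192.168.1.167
-A POSTROUTING -o eth0 -s 192.168.1.167/32 -j SNAT --to-source 208.15.232.12
COMMIT'

# check_static_nat < rules
# Pairs every DNAT with the SNAT for the same inside host and prints one line
# per finding; exits 1 if any pair names two different public addresses.
# Accepts both the hand-typed "--to" and the iptables-save "--to-destination"
# / "--to-source" spellings, and ignores a trailing /32 or :port.
check_static_nat() {
    awk '
    function field_after(flag,   i) {
        for (i = 1; i < NF; i++) if ($i == flag) return $(i + 1)
        return ""
    }
    function strip(a) { sub(/\/32$/, "", a); sub(/:.*$/, "", a); return a }
    /^-A PREROUTING / && / -j DNAT / {
        pub = strip(field_after("-d"))
        inside = field_after("--to-destination")
        if (inside == "") inside = field_after("--to")
        inside = strip(inside)
        dnat[inside] = pub
        if (field_after("-i") == "")
            print "WARN: DNAT for " pub " has no -i, so it also matches packets arriving on the inside interface"
    }
    /^-A POSTROUTING / && / -j SNAT / {
        inside = strip(field_after("-s"))
        pub = field_after("--to-source")
        if (pub == "") pub = field_after("--to")
        pub = strip(pub)
        snat[inside] = pub
        if (field_after("-o") == "")
            print "WARN: SNAT for " inside " has no -o, so it also rewrites traffic leaving on the inside interface"
    }
    END {
        rc = 0
        for (h in dnat) {
            if (!(h in snat)) { print "MISSING: DNAT to " h " has no matching SNAT"; continue }
            if (snat[h] != dnat[h]) {
                print "MISMATCH: " h " is reached as " dnat[h] " but leaves as " snat[h]
                rc = 1
            } else print "OK: " h " <-> " dnat[h]
        }
        for (h in snat) if (!(h in dnat)) print "MISSING: SNAT from " h " has no matching DNAT"
        exit rc
    }'
}

if [ "${1:-}" = demo ]; then
    printf '%s\n' "$BROKEN_RULES" | check_static_nat || true
fi
```

On a live firewall the input is simply `iptables-save -t nat | check_static_nat`; a MISMATCH on the host you are testing is the first thing to rule out, because the inbound and outbound halves of the mapping are independent rules and nothing in the kernel ties them together.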
* 1:1 NAT
@ 2003-02-01 18:20 Federico Cruciani
  0 siblings, 0 replies; 10+ messages in thread
From: Federico Cruciani @ 2003-02-01 18:20 UTC (permalink / raw)
  To: netfilter

> What I am trying to do is like how its done on cisco PIX i.e
> "static (inside,outside) 208.15.232.12 192.168.1.167 netmask
255.255.255.255
> 0 0"		

Cisco PIX does proxy-arp automatically if the external IP address in the nat
statement is not assigned on its outside interface. So, to build something
similar, what you need is to activate proxy-arp on your iptables box and
publish on the external network the public IP addresses you want to NAT which
are not physically assigned on the iptables box.

Following your example, suppose that your iptables Linux box has an
<fw_outside_address> on the external interface, eth0, different from the one
you want to NAT, <public_address> (which is 208.15.232.12 in your example),
to a host in your internal network which has <internal_address>. eth1 is
the firewall's internal interface with address <fw_internal_address>.

First you need two iptables rules, one for inbound packets and one for
translating outbound packets:

 iptables -t nat -A PREROUTING -i eth0 -d <public_address> -j DNAT \
   --to-destination <internal_address>

 iptables -t nat -A POSTROUTING -o eth0 -s <internal_address> -j SNAT \
   --to-source <public_address>

This is not sufficient for Linux and iptables to make the <internal_address>
host work on the Internet as expected. We have to add commands to activate
proxy ARP and to tell your firewall where the packets for <public_address>
have to be sent.


So, in the second step we have to publish the <public_address> on the
external interface with the arp command:

 arp -Ds <public_address> eth0 pub

(If you like, I have a patched version of the Red Hat /etc/init.d/network
script which reads and sets static ARPs from a file, /etc/init.d/static-arp)


Finally, the most important step consists of adding a static route on the
iptables box for the <public_address> toward the inside interface where the
internal host lives:

 route add -host <public_address> dev eth1


This is the solution I have found working and that I'm using in a lot of
different network scenarios.
Hope this helps you.

Iok





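Federico's four steps as one script, together with Maciej's port-level variant from earlier in the thread, as an added example that is neither poster's own code. My assumptions: the outside interface is eth0 and the inside eth1, the iproute2 commands `ip neigh add proxy` and `ip route add` stand in for the legacy `arp -Ds ... pub` and `route add -host`, and the function names are mine. Every privileged command goes through run(), so DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the thread): static 1:1 NAT without an IP alias,
# following the DNAT / SNAT / published ARP / host route recipe above.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# valid_ip4 ADDR: a dotted quad with four octets in 0..255, nothing else.
valid_ip4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    v_oldifs=$IFS; IFS=.; set -- $1; IFS=$v_oldifs
    [ $# -eq 4 ] || return 1
    for v_octet in "$@"; do
        [ "$v_octet" -le 255 ] || return 1
    done
}

# static_nat EXT_IF INT_IF PUBLIC_ADDR INTERNAL_ADDR
static_nat() {
    s_ext=$1; s_int=$2; s_pub=$3; s_inside=$4
    valid_ip4 "$s_pub" && valid_ip4 "$s_inside" || { echo "static_nat: bad address" >&2; return 2; }

    # Steps 1 and 2: both rules bound to the outside interface, so the DNAT
    # never fires on packets arriving from the inside and the SNAT never
    # rewrites traffic that stays behind the firewall.
    run iptables -t nat -A PREROUTING -i "$s_ext" -d "$s_pub" -j DNAT --to-destination "$s_inside"
    run iptables -t nat -A POSTROUTING -o "$s_ext" -s "$s_inside" -j SNAT --to-source "$s_pub"

    # Step 3: answer ARP for the public address on the outside segment; it is
    # not configured on any local interface, so nothing else would.
    run ip neigh add proxy "$s_pub" dev "$s_ext"

    # Step 4: the host route toward the inside, as in the post. It matters when
    # the proxy_arp sysctl is used instead of a published entry, because the
    # kernel then only answers ARP for targets it routes out another interface.
    run ip route add "$s_pub/32" dev "$s_int"

    # Without forwarding the DNATed packet is dropped at the routing decision.
    run sysctl -w net.ipv4.ip_forward=1
}

# publish_port EXT_IF PUBLIC_ADDR PUBLIC_PORT INTERNAL_ADDR INTERNAL_PORT
# Maciej's variant: one public port on the public address lands on a different
# port of the inside host. Replies are reverse-translated by conntrack, so this
# direction needs no SNAT rule of its own.
publish_port() {
    run iptables -t nat -A PREROUTING -i "$1" -p tcp -d "$2" --dport "$3" \
        -j DNAT --to-destination "$4:$5"
}

# show_static_nat PUBLIC_ADDR: what the kernel currently holds for the address.
show_static_nat() {
    iptables -t nat -S | grep -F -- "$1"
    ip neigh show proxy | grep -F -- "$1"
    ip route get "$1"
}

if [ "${1:-}" = demo ]; then
    DRY_RUN=1
    static_nat eth0 eth1 208.15.232.12 192.168.1.167
    publish_port eth0 208.15.232.12 21 192.168.1.167 17
fi
```

`sh static-nat.sh demo` prints the six commands for the addresses in the thread; on the real firewall run the functions without DRY_RUN as root, then `show_static_nat 208.15.232.12` and a `tcpdump -ni eth0 arp` while pinging the public address from the outside segment to confirm the ARP replies are coming from the firewall.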