* Routing Public IPs over NAT Address Space
From: Aaron Clausen @ 2003-07-14 17:52 UTC
To: Netfilter Mailing List
Just like the subject says; is there any way to route a public IP/subnet over a NAT address space?
--
Aaron Clausen
* Re: Routing Public IPs over NAT Address Space
From: Shawn @ 2003-07-14 18:10 UTC
To: techlists; +Cc: Netfilter Mailing List
"Just like the subject says" is kind of terse, and a little fuzzy.
That depends on how you mean your question. I assume you want the big
"I" to be able to reach your public over one of your routers, through a
NAT so-to-speak?
           -------------------------------------------
  ---      | public int   |            | private int  |      some         Your
 | I |  -> | pubnet.0/224 | nat-ROUTER | rfc1918/224  |  ->  private  ->  public
  ---      -------------------------------------------      IP space     IP space
??? Why???
On Mon, 2003-07-14 at 12:52, Aaron Clausen wrote:
> Just like the subject says; is there any way to route a public IP/subnet over a NAT address space?
* RE: Routing Public IPs over NAT Address Space
From: Rowan Reid @ 2003-07-14 19:57 UTC
To: techlists, 'Netfilter Mailing List'
I'm gonna take a shot and guess you're doing some vpn routing. Well
either way the solution is the same .. Don't route the packets meant for
the public domain. Then just route them using a standard routing table
entry. I clipped the following rule from my rules. It basically states
NAT everything outgoing except 10.0.0.0/24 which in this case is my VPN.
After that routing is handled via the routing table.
IPTABLES -t nat -A POSTROUTING -o $EXTIF ! -d 10.0.0.0/24 -j SNAT --to $EXTIP
> Just like the subject says; is there any way to route a
> public IP/subnet over a NAT address space?
* Re: Routing Public IPs over NAT Address Space
From: Shawn @ 2003-07-14 20:23 UTC
To: techlists; +Cc: Netfilter Mailing List
Please describe precisely what you want to accomplish. An example:
I would like for hosts out on the public internet to be able to connect
to my nnn.nnn.nnn.0/24 through my router, whose internet facing
interface is responsible for routing said nnn.nnn.nnn.0/24, but where
nnn.nnn.nnn.0/24 lies across some 10.0.0.0/24 which is "directly
connected" to the other interface of said router.
There are folks out there that would like to help you, but if you can't
be bothered to take the time to describe your question with enough
specificity (and with correct terms), no one can help.
On Mon, 2003-07-14 at 12:52, Aaron Clausen wrote:
> Just like the subject says; is there any way to route a public IP/subnet over a NAT address space?
* RE: Routing Public IPs over NAT Address Space
From: Aldo S. Lagana @ 2003-07-14 20:35 UTC
To: 'Netfilter Mailing List'
Read the Tutorial - anyone who configures a firewall and doesn't know the
firewalling technology that he/she is implementing is asking for problems,
to say the least.
Google iptables tutorial and spend some time understanding it.
Soap box: 90% of the questions posed to this group are answered in the
tutorial. It would make this list much less chatty to hear a lot less
questions about people's 'unique' setups...
"You are as unique as everyone else...just remember that"
* RE: Routing Public IPs over NAT Address Space
From: Shawn @ 2003-07-14 20:49 UTC
To: Aldo S. Lagana; +Cc: 'Netfilter Mailing List'
1. I'm not the asker. Are you responding to my response?
2. Soap box: 90% of documentation fails to live up to its purpose. With
such an overwhelming topic, it can be difficult to get over the first
learning hump. Some folks are willing at least to try and help, even if
only to give pointers to documentation, and it's counterproductive to
rag on those people.
* Re: Routing Public IPs over NAT Address Space
From: A. Clausen @ 2003-07-14 22:10 UTC
To: 'Netfilter Mailing List'
Sorry about that. I'll be more specific.
I work for a small ISP, and we are selling residential and business wireless
service. Thus far, using iptables NAT, we've had no problems. It works
well and permits MSN Messenger and the like to work. For those people who
want a public IP, I simply do forwarding, and this works very well.
However, we've had some inquiries about a few businesses who want actual
subnets (for mail servers, web servers, or whatever). The problem with NAT
is that I can't guarantee there will be a helper for every protocol. What I
was wondering was whether I could allocate a subnet and get it across the
private (NAT) network to their router. I have my doubts as to whether this
is possible, but not being an expert I thought I'd ask.
My thoughts are that VPN may be the way to go.
--
Aaron Clausen
* Re: Routing Public IPs over NAT Address Space
From: Shawn @ 2003-07-14 22:38 UTC
To: 'Netfilter Mailing List'
To follow up on a private reply, it can be troublesome to have NAT
gateways in between the big "I" and customers anyway.
I think what you're saying is you want your linux router to forward
public subnets to private subnets over at some customer site. Problem
is, if they want to administer their own DNS, they have to figure out
how to correctly configure DNS views, so internal resolvers don't
resolve to external addresses, etc etc. BIG TROUBLE!!!
I suggest simply routing whatever public traffic, or, in addition to
that, implement an MPLS infrastructure if you/they care about privacy.
* RE: Routing Public IPs over NAT Address Space
From: Daniel Chemko @ 2003-07-15 0:23 UTC
To: A. Clausen, Netfilter Mailing List
> However, we've had some inquiries about a few businesses who want actual
> subnets (for mail servers, web servers, or whatever). The problem with NAT
> is that I can't guarantee there will be a helper for every protocol. What I
> was wondering was whether I could allocate a subnet and get it across the
> private (NAT) network to their router. I have my doubts as to whether this
> is possible, but not being an expert I thought I'd ask.
1. Add the ip address block to the internet interface, and make sure
that the internet routes to your firewall/gateway for those IP's in the
netblock given to your customer.
2. Add a route that allows the firewall to find your customer's network.
This can look something like:
route add -net <business_net> netmask <business_msk> gw <gw to business customer> dev <iface to business customer>
3. Add passthrough-non-nat rules to allow the traffic through to the
customer's machines with no NAT enabled. This could look like:
iptables -A FORWARD --source 0.0.0.0/0 --destination <business_net>/<business_msk> -j ACCEPT
iptables -A FORWARD --source <business_net>/<business_msk> --destination 0.0.0.0/0 -j ACCEPT
4. Their subnet has to have this firewall as their default router or the
system will break
5. This limited set of rules gives no protection for your customers. Any
filtering is turned off. If you would like that type of service, then
just change the -j ACCEPT to -j INETTOBUSINESSABC or something then
write a filter list in the INETTOBUSINESSABC chain. It is very easy to
keep track of everything this way.
6. Just make sure that the net/mask is just assigned to your customer.
Otherwise, the system could bleed into existing systems.
7. This system forces you to give the public IP addresses to your
customer. You may or may not like this. It is probably the easiest way
for you though. If you give them private IP's, you are pretty much
enslaved with the NAT/Helper mentality, which I can imagine would bring
much of the hurt you have considered.
PS: I don't think this is a normal iptables function. Yeah, some people
ask newbie questions, but since this IS the frontline iptables group, we
should be the ones taking this on the chin. If there was an ipt-newbs
mailing list then maybe you should put them in their place (that ml),
but since there ARE many people that ask redundant questions please just
live with it, or better, politely send a form letter response of common
howtos and FAQ's.
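The routed-subnet recipe from this message (steps 1 to 5), combined with Rowan Reid's SNAT exception, as an added example that is not code from the thread. All addresses, interface names and the chain name INET_TO_BIZ are constructed placeholders; the anti-spoofing rule is an addition the thread does not mention.

```shell
#!/bin/sh
# Routed (non-NAT) public subnet behind an iptables NAT gateway.
# Added example, not code from the thread. All values are constructed:
# 203.0.113.0/29 = customer's public block, 10.0.0.0/24 = the ISP's private
# wireless network, 10.0.0.50 = the customer's router on it, 198.51.100.1 =
# the gateway's public address. Run with --apply (as root) to execute; without
# it the commands are only printed.
EXTIF=${EXTIF:-eth0}            # internet-facing interface
INTIF=${INTIF:-eth1}            # interface towards the private network
EXTIP=${EXTIP:-198.51.100.1}
PRIV_NET=${PRIV_NET:-10.0.0.0/24}
BIZ_NET=${BIZ_NET:-203.0.113.0/29}
BIZ_GW=${BIZ_GW:-10.0.0.50}
CHAIN=${CHAIN:-INET_TO_BIZ}     # per-customer inbound filter chain
RUN=${RUN:-}                    # set to "echo" for a dry run

setup_routed_subnet() {
    $RUN sysctl -w net.ipv4.ip_forward=1
    # Steps 1-2: upstream must already route the block to this gateway; here
    # it is routed onward to the customer's router across the private network.
    $RUN ip route replace "$BIZ_NET" via "$BIZ_GW" dev "$INTIF"
    # Step 3 (and Rowan's SNAT exception): ACCEPT in the nat table means "no
    # translation for this connection", so the block keeps its real addresses.
    $RUN iptables -t nat -I POSTROUTING 1 -d "$BIZ_NET" -j ACCEPT
    $RUN iptables -t nat -I POSTROUTING 1 -o "$EXTIF" -s "$BIZ_NET" -j ACCEPT
    # Everyone else on the private network is still SNATed as before.
    $RUN iptables -t nat -A POSTROUTING -o "$EXTIF" -s "$PRIV_NET" -j SNAT --to-source "$EXTIP"
    # Addition not in the thread: the block must never arrive from the internet side.
    $RUN iptables -A FORWARD -i "$EXTIF" -s "$BIZ_NET" -j DROP
    # Step 5: a dedicated chain instead of a bare ACCEPT, so the customer's
    # inbound policy is in one place; here only mail and web are reachable.
    $RUN iptables -N "$CHAIN"
    $RUN iptables -A "$CHAIN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $RUN iptables -A "$CHAIN" -p tcp --dport 25 -j ACCEPT
    $RUN iptables -A "$CHAIN" -p tcp --dport 80 -j ACCEPT
    $RUN iptables -A "$CHAIN" -j DROP
    $RUN iptables -A FORWARD -i "$EXTIF" -o "$INTIF" -d "$BIZ_NET" -j "$CHAIN"
    $RUN iptables -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$BIZ_NET" -j ACCEPT
    # Step 4 is on the customer side: their router's default route must point
    # at this gateway's address on $INTIF.
}

if [ "${1:-}" = "--apply" ]; then setup_routed_subnet; else RUN=echo; setup_routed_subnet; fi
```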