Internal NAT Translation:

Internal NAT Translation:

[Bryan Martin]

Setup looks like this

            Internet
                 ^
Redhat 9 iptables nat/masq    (200.200.200.200 public address = eth1;
192.168.2.1 private address = eth0)
                 ^
windows web server (192.168.2.254) | windows clients.    (all 192.168.2.X)


Now the rh box is masquerading for the private boxes.  Only thing not
standard is that any inbound http connections to the public address
200.200.200.200 is being dnatted to 192.168.2.254 which is the address of
the windows server.  This is working as expected.  The problem arises when a
internal client tries to connect to the public website.

For instance client request www.mycompany.com and DNS says go here
200.200.200.200 which would be correct if I was sitting on the outside
looking in.  I need iptables to basically say if any http request comes from
the internal network addressed to my public address dnat the public
200.200.200.200 to the private address.  I have tried the following without
success.  Only other thing I know is to setup a internal DNS just so the
internal clients get the internal address.  That would however be an extreme
waste of resources.

-A PREROUTING -i eth1 -d 200.200.200.200 -p tcp --dport 80 -j
DNAT --to-destination 192.168.2.254

Can someone help?

Bryan

Re: Internal NAT Translation:

[John A. Sullivan III]

On Wed, 2004-06-30 at 21:45, Bryan Martin wrote:
> Setup looks like this
> 
>             Internet
>                  ^
> Redhat 9 iptables nat/masq    (200.200.200.200 public address = eth1;
> 192.168.2.1 private address = eth0)
>                  ^
> windows web server (192.168.2.254) | windows clients.    (all 192.168.2.X)
> 
> 
> Now the rh box is masquerading for the private boxes.  Only thing not
> standard is that any inbound http connections to the public address
> 200.200.200.200 is being dnatted to 192.168.2.254 which is the address of
> the windows server.  This is working as expected.  The problem arises when a
> internal client tries to connect to the public website.
> 
> For instance client request www.mycompany.com and DNS says go here
> 200.200.200.200 which would be correct if I was sitting on the outside
> looking in.  I need iptables to basically say if any http request comes from
> the internal network addressed to my public address dnat the public
> 200.200.200.200 to the private address.  I have tried the following without
> success.  Only other thing I know is to setup a internal DNS just so the
> internal clients get the internal address.  That would however be an extreme
> waste of resources.
> 
> -A PREROUTING -i eth1 -d 200.200.200.200 -p tcp --dport 80 -j
> DNAT --to-destination 192.168.2.254
> 
> Can someone help?
> 
> Bryan
I see a couple of potential problems here.  The simple solution is to
add SNAT rules, one that says all traffic coming from 192.168.2.254 and
going out eth1 is translated to 200.200.200.200 and the other which says
that any traffic from your internal network destined for 192.168.2.254
is translated to 200.200.200.200.  I would imagine that the PREROUTING
rule you created is working but when the web server gets the packets, it
sees the original source address, identifies the packets as belonging to
the local network and sends them directly back with it own internal
source address.  The reply packets will not be recognized since the
local workstations sent to packets to 200.200.200.200 and not
192.168.2.254.

However, I have some concerns about this architecture.  Are you allowing
public traffic into your web server and placing that web server directly
on the internal network? If so and if anyone every compromises it, they
may have free reign on your internal network.  If that server is exposed
to the Internet, I would very much recommend placing it on DMZ behind a
third NIC in your firewall.  I believe that will also take care of the
NAT problems.

Regarding split DNS, that is the approach I usually take.  Are you using
an internal DNS? If so, I assume it is not being used by the world to
locate the web server as that would create another major exposure.  You
could thus simply set it to distribute the private address of the web
server.

Hope this helps - John
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net 

Internal NAT Translation:

[Bryan Martin]

Setup looks like this

            Internet
                 ^
Redhat 9 iptables nat/masq    (200.200.200.200 public address = eth1;
192.168.2.1 private address = eth0)
                 ^
windows web server (192.168.2.254) | windows clients.    (all 192.168.2.X)


Now the rh box is masquerading for the private boxes.  Only thing not
standard is that any inbound http connections to the public address
200.200.200.200 is being dnatted to 192.168.2.254 which is the address of
the windows server.  This is working as expected.  The problem arises when a
internal client tries to connect to the public website.

For instance client request www.mycompany.com and DNS says go here
200.200.200.200 which would be correct if I was sitting on the outside
looking in.  I need iptables to basically say if any http request comes from
the internal network addressed to my public address dnat the public
200.200.200.200 to the private address.  I have tried the following without
success.  Only other thing I know is to setup a internal DNS just so the
internal clients get the internal address.  That would however be an extreme
waste of resources.

-A PREROUTING -i eth1 -d 200.200.200.200 -p tcp --dport 80 -j
DNAT --to-destination 192.168.2.254

Can someone help?

Bryan

Re: Internal NAT Translation:

[Antony Stone]

On Thursday 01 July 2004 2:43 am, Bryan Martin wrote:

> inbound http connections to the public address
> 200.200.200.200 is being dnatted to 192.168.2.254 which is the address of
> the windows server.  This is working as expected.  The problem arises when
> a internal client tries to connect to the public website.
>
> -A PREROUTING -i eth1 -d 200.200.200.200 -p tcp --dport 80 -j
> DNAT --to-destination 192.168.2.254

How many times are we going to see the *exact* *same* question coming up on 
this list???

It's in the docs, it's in the archives....

http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-10.html

Just think about it for a moment:

1. Internal client (say 192.168.2.42) sends a packet to 200.200.200.200
2. Firewall DNATs it to 192.168.2.254
3. Web server replies to client (192.168.2.42)
4. Client is on local subnet, so server just sends reply direct - doesn't have 
to route through the firewall
5. Client gets a response from 192.168.2.254, after sending the request to 
200.200.200.200
6. Does not compute - client unhappy.

Put your publicly-accessible windows web server on a DMZ network instead of 
alongside all your client machines (so that when IIS gets attacked you're not 
letting the web server (now 'owned' by someone else) have free rein to do 
whatever it likes with all the clients and other machines on your LAN), and 
the DNAT won't give you any problems.

Antony.

-- 
"It is easy to be blinded to the essential uselessness of them by the sense of 
achievement you get from getting them to work at all. In other words - and 
this is the rock solid principle on which the whole of the Corporation's 
Galaxy-wide success is founded - their fundamental design flaws are 
completely hidden by their superficial design flaws."

 - Douglas Noel Adams

                                                     Please reply to the list;
                                                           please don't CC me.

Re: Internal NAT Translation:

[ro0ot]

Here is my example below: -

###############################################################################
#
# Destination NAT on the same network
#
###############################################################################
 
$IPTABLES -A FORWARD -i eth1 -o eth1 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -d 192.168.2.254 -s 192.168.2.0/24 -p 
tcp --dport 22 -j SNAT --to 192.168.2.1
$IPTABLES  -t nat -I PREROUTING -d 200.200.200.200 -p tcp --dport 22 -j 
DNAT --to 192.168.2.254
 
Regards,
ro0ot


Bryan Martin wrote:

>Setup looks like this
>
>            Internet
>                 ^
>Redhat 9 iptables nat/masq    (200.200.200.200 public address = eth1;
>192.168.2.1 private address = eth0)
>                 ^
>windows web server (192.168.2.254) | windows clients.    (all 192.168.2.X)
>
>
>Now the rh box is masquerading for the private boxes.  Only thing not
>standard is that any inbound http connections to the public address
>200.200.200.200 is being dnatted to 192.168.2.254 which is the address of
>the windows server.  This is working as expected.  The problem arises when a
>internal client tries to connect to the public website.
>
>For instance client request www.mycompany.com and DNS says go here
>200.200.200.200 which would be correct if I was sitting on the outside
>looking in.  I need iptables to basically say if any http request comes from
>the internal network addressed to my public address dnat the public
>200.200.200.200 to the private address.  I have tried the following without
>success.  Only other thing I know is to setup a internal DNS just so the
>internal clients get the internal address.  That would however be an extreme
>waste of resources.
>
>-A PREROUTING -i eth1 -d 200.200.200.200 -p tcp --dport 80 -j
>DNAT --to-destination 192.168.2.254
>
>Can someone help?
>
>Bryan
>
>
>
>  
>