nat

nat

[Paul Fontenot]

Not sure what the ipfilter lingo is for what i want to do so I will
demonstrate with a Cisco PIX ACL.

access-list outside_access_in permit tcp any host 1.1.1.1 eq 3306

There would be a static for the 1.1.1.1 address:

static (inside,outside) 192.168.1.1 1.1.1.1

Where the MySQL server is running on host 192.168.1.1 and that ip is mapped
via a static translation to 1.1.1.1 on the PIX's outside interface.

Re: nat

[Daniel Chemko]

iptables -t nat -A PREROUTING -i <your inet iface> --destination 1.1.1.1 
-p tcp --dport 3306 -j DNAT --to 192.168.1.1
   If you have sane filtering rules (same as IOS access-list), you will 
also have to open up the FORWARD chain for inbound traffic:
iptables -A FORWARD -i <your inet iface> --destination 192.168.1.1 -p 
tcp --dport 3306 -j ACCEPT

reading the iptables man pages fills in most of the important stuff, and 
if that isn't enough, you could always read the documentation on 
netfilter.org for more info than you'll need.

Paul Fontenot wrote:

>Not sure what the ipfilter lingo is for what i want to do so I will
>demonstrate with a Cisco PIX ACL.
>
>access-list outside_access_in permit tcp any host 1.1.1.1 eq 3306
>
>There would be a static for the 1.1.1.1 address:
>
>static (inside,outside) 192.168.1.1 1.1.1.1
>
>Where the MySQL server is running on host 192.168.1.1 and that ip is mapped
>via a static translation to 1.1.1.1 on the PIX's outside interface.
>
>
>
>  
>

NAT

[Martin Schiøtz]

Hi

I'm going to setup a bridged NAT linux box for many users. I want one
outside IP address to serve for instance 10.0.0.0/22.

I want to be sure that each local IP address always has 1024 NAT
sessions available and that sessions is kept even if the timeout is
reached. If 1024 sessions is reached and a new session is being
established then it will take over the oldest (timed out) session.

Is this possible with iptables?

- Martin

Re: NAT

[Grant Taylor]

On 7/3/2007 1:52 AM, Martin Schiøtz wrote:
> I'm going to setup a bridged NAT linux box for many users. I want one 
> outside IP address to serve for instance 10.0.0.0/22.

Why do this with bridging?  If you have a 10.0.0.0/22 network like you 
say, it is private and thus not globally routable.  So, to reach the 
internet you will have to NAT to a globally routable IP.  Thus you have 
a private subnet and a public subnet which is an ideal environment for a 
layer 3 router.  Even if you are not going to a public IP but rather 
another private IP, the same scenario holds true.

Or are you for some wanting wanting to perform a layer 3 function on 
layer 2?  If so, can I ask why?

> I want to be sure that each local IP address always has 1024 NAT 
> sessions available and that sessions is kept even if the timeout is 
> reached. If 1024 sessions is reached and a new session is being 
> established then it will take over the oldest (timed out) session.

I'm not sure that you will be able to specify how many NAT sessions each 
system will have and / or how to control the expiration there of.  I do 
know that you will have (or did have to in previous kernels) to have a 
fair amount of RAM for the connection tracking table to not wrap on a 
network of that size.

> Is this possible with iptables?

The first part of what you want to do (layer 2 or layer 3) NATing, yes.

As far as controlling how many sessions are reserved / maintained even 
beyond timeouts, I don't know.  I'm betting not, especially to the latter.



Grant. . . .

Re: NAT

[Martin Schiøtz]

On 7/3/07, Grant Taylor <gtaylor@riverviewtech.net> wrote:
> On 7/3/2007 1:52 AM, Martin Schiøtz wrote:
> > I'm going to setup a bridged NAT linux box for many users. I want one
> > outside IP address to serve for instance 10.0.0.0/22.
>
> Why do this with bridging?  If you have a 10.0.0.0/22 network like you
> say, it is private and thus not globally routable.  So, to reach the
> internet you will have to NAT to a globally routable IP.  Thus you have
> a private subnet and a public subnet which is an ideal environment for a
> layer 3 router.  Even if you are not going to a public IP but rather
> another private IP, the same scenario holds true.
>
> Or are you for some wanting wanting to perform a layer 3 function on
> layer 2?  If so, can I ask why?

Ok, I think your right here.

>
> > I want to be sure that each local IP address always has 1024 NAT
> > sessions available and that sessions is kept even if the timeout is
> > reached. If 1024 sessions is reached and a new session is being
> > established then it will take over the oldest (timed out) session.
>
> I'm not sure that you will be able to specify how many NAT sessions each
> system will have and / or how to control the expiration there of.  I do
> know that you will have (or did have to in previous kernels) to have a
> fair amount of RAM for the connection tracking table to not wrap on a
> network of that size.
>
> > Is this possible with iptables?
>
> The first part of what you want to do (layer 2 or layer 3) NATing, yes.
>
> As far as controlling how many sessions are reserved / maintained even
> beyond timeouts, I don't know.  I'm betting not, especially to the latter.
>

I guess the question was more about controlling the number of NAT
sessions pr. lokal IP address?

- Marftin

Re: NAT

[Robert LeBlanc]

On 7/3/07 1:55 AM, "Martin Schiøtz" <malinux@gmail.com> wrote:

> On 7/3/07, Grant Taylor <gtaylor@riverviewtech.net> wrote:
>> On 7/3/2007 1:52 AM, Martin Schiøtz wrote:
>>> I'm going to setup a bridged NAT linux box for many users. I want one
>>> outside IP address to serve for instance 10.0.0.0/22.
>> 
>> Why do this with bridging?  If you have a 10.0.0.0/22 network like you
>> say, it is private and thus not globally routable.  So, to reach the
>> internet you will have to NAT to a globally routable IP.  Thus you have
>> a private subnet and a public subnet which is an ideal environment for a
>> layer 3 router.  Even if you are not going to a public IP but rather
>> another private IP, the same scenario holds true.
>> 
>> Or are you for some wanting wanting to perform a layer 3 function on
>> layer 2?  If so, can I ask why?
> 
> Ok, I think your right here.
> 
>> 
>>> I want to be sure that each local IP address always has 1024 NAT
>>> sessions available and that sessions is kept even if the timeout is
>>> reached. If 1024 sessions is reached and a new session is being
>>> established then it will take over the oldest (timed out) session.
>> 
>> I'm not sure that you will be able to specify how many NAT sessions each
>> system will have and / or how to control the expiration there of.  I do
>> know that you will have (or did have to in previous kernels) to have a
>> fair amount of RAM for the connection tracking table to not wrap on a
>> network of that size.
>> 
>>> Is this possible with iptables?
>> 
>> The first part of what you want to do (layer 2 or layer 3) NATing, yes.
>> 
>> As far as controlling how many sessions are reserved / maintained even
>> beyond timeouts, I don't know.  I'm betting not, especially to the latter.
>> 
> 
> I guess the question was more about controlling the number of NAT
> sessions pr. lokal IP address?

If you give iptables a range, it will try to do as little port mangeling as
possible, so I beilieve it will try to hold onto connections as long as
possible. We saw quite a performance when we moved our 100 users from one
Natted address to 64. I guess the mangeling made that much of a difference.
 
Robert LeBlanc
BioAg Computer Support
Brigham Young University
leblanc@byu.edu
(801)422-1882

Nat

[mafioso1823]

I am very new to iptables and i wanted to know how would i do a hide nat and
a static nat? Any help is very much appreciated.

Re: Nat

[Antony Stone]

On Sunday 06 June 2004 6:36 pm, mafioso1823@contourmediagroup.com wrote:

> I am very new to iptables and i wanted to know how would i do a hide nat
> and a static nat? Any help is very much appreciated.

http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html should explain 
things, and http://iptables-tutorial.frozentux.net/iptables-tutorial.html 
will give you more information on NAT, and netfilter in general.

Please feel free to come back and ask on the list if you have specific 
questions regarding a particular setup.

Regards,

Antony.

-- 
The truth is rarely pure, and never simple.

 - Oscar Wilde

                                                     Please reply to the list;
                                                           please don't CC me.

NAT

[tlussnig]

Hi,
i use iproute2 for statical nat.
My Problem is that connect from intern-extern and extern-intern work fine.
But if i try to connect my external ip from an internal box it does not work.

Intern:
1.1.1.10/24 (ssh-server)
Extern:
217.0.0.10 (ssh-server
Gateway:
1.1.1.1
217.0.0.1


1.1.1.10/24--------[1.1.1.1/217.0.0.1](217.0.0.10)-----------Internet

what i can't do it from 1.1.1.10: telnet 217.0.0.10.
Any hint? I can also use iptables to get this point working.

Cu Thomas Luflnig

Re: NAT

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 617 bytes --]

On Wed, Oct 01, 2003 at 04:11:50AM -0700, tlussnig@bewegungsmelder.de wrote:
> Hi,
> i use iproute2 for statical nat.

then you are totally wrong on this mailinglist, sorry.  Talk to
linux-net or netdev@oss.sgi.com.

> Cu Thomas Lußnig

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Nat

[Mattia Martinello]

Hi.

I wish to create a nat with masquerading to allow my LAN to access to 
Internet.
I have two LANs: 192.168.1.x and 192.168.2.x. The server wich will make 
the masquerading has both two LANs with two ethernet card.
How I can allow only one LAN to access Internet with ppp0 on the server?
I tried these lines, but it doesn't work:

iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -j DROP
iptables -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp0 -j 
MASQUERADE

What I can do?

Thank you very much
Bye
Mattia Martinello

Re: Nat

[Antony Stone]

On Sunday 08 September 2002 9:43 pm, Mattia Martinello wrote:

> Hi.
>
> I wish to create a nat with masquerading to allow my LAN to access to
> Internet.
> I have two LANs: 192.168.1.x and 192.168.2.x. The server wich will make
> the masquerading has both two LANs with two ethernet card.
> How I can allow only one LAN to access Internet with ppp0 on the server?
> I tried these lines, but it doesn't work:
>
> iptables -t nat -F POSTROUTING
> iptables -t nat -A POSTROUTING -j DROP

Never, never set a default policy other than ACCEPT on the nat or mangle 
tables !

> iptables -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp0 -j
> MASQUERADE

That should work fine.   A pity you can't use the -i option to specify the 
input interface in the POSTROUTING chain, but there you go....

> What I can do?

You could alternatively filter out packets from 192.168.2.0/24 going to ppp0, 
and then just MASQUERADE everything exiting ppp0 ?

Antony.

-- 

It is also possible that putting the birds in a laboratory setting
inadvertently renders them relatively incompetent.

 - Daniel C Dennett

RE: Nat

[R. Sterenborg]

> I tried these lines, but it doesn't work:
>
> iptables -t nat -F POSTROUTING
> iptables -t nat -A POSTROUTING -j DROP
> iptables -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0
> -o ppp0 -j
> MASQUERADE

Try :

iptables -P INPUT DROP
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT

iptables -P FORWARD DROP
iptables -A FORWARD -s 192.168.1.0/24 -o ppp0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE


Rob

Re: Nat

[Anders Fugmann]

Mattia Martinello wrote:
> 
> iptables -t nat -F POSTROUTING
> iptables -t nat -A POSTROUTING -j DROP
This drops every packet, leaving the box. This is not what you want.

> iptables -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp0 -j 
> MASQUERADE
> 

First masquerade the packets:
$ iptables -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp0 \
	-j MASQUERADE

Now only allow packets from the network that is to have internet access 
to pass through the firewall. All these packets go through the FORWARD 
chain in the FILTER tables. This is where you want to filter who should 
have internet access or not.

$ iptables -P FORWARD DROP
$ iptables -A FORWARD -s 192.168.1.0/255.255.255.0 -o ppp0 -j ACCEPT

Now allow only packets related to a connection from the lan to pass 
through the firewall from the internet.

$iptables -A FORWARD -i ppp0 -m state --state RELATED,ESTABLISHED \
	-j ACCEPT

And lastly close up the firewall, but allow the firewall itself to 
receive replys:

$iptables -P INPUT DROP
$iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

And allow clients from the lan's to ssh to the firewall.
$ iptables -A INPUT -i eth+ -p tcp --dport ssh -j ACCEPT

Thats it. If you want the two lans to be able to talk to eachother then add:

$ iptables -A FORWARD -i eth+ -o eth+ -j ACCPET

Hope it helps.
If not, then read and unserstand (thats the importent part) the howtos 
and tutorials for iptables.

Regards
Anders Fugmann

--
Author of FIAIF
FIAIF Is An Intelligent Firewall
http://fiaif.fugmann.dhs.org

nat

[saied tabandeh]

test