* IP Nat or forward
@ 2005-04-06 18:15 Vernon A. Fort
From: Vernon A. Fort @ 2005-04-06 18:15 UTC (permalink / raw)
To: netfilter
I need to NAT a VLAN or aliased interface to an internal address:
192.168.90.1 -> 192.168.1.1
Basically a virtual network/address mapping. The main reason is I need
an IPSEC tunnel (openswan) connecting from a vendor to an internal server,
but the IP address of our internal server is already used on their end.
So, when they connect to 192.168.90.1, it's redirected/forwarded/NAT'd to
the real internal address.
Can someone get me started?
Vernon
* Re: IP Nat or forward
From: Vernon A. Fort @ 2005-04-06 18:49 UTC (permalink / raw)
To: netfilter
Taylor, Grant wrote:
>Vernon, there are a few issues that pop into my head right away. First of
>all, are you wanting to NAT your IPSec connection? If so you will need to
>make sure that the IPSec implementation(s) that you use has a NAT Traversal
>capability. I believe that OpenS/WAN and FreeS/WAN both have this
>capability either directly in source or via a patch. Second, what is the
>(internal / private) IP (sub)net that the vendor will be coming from? I'm
>presuming that they will be coming from a 192.168.1.1 based on the fact
>that you say they already have that address in use? The reason I ask is I
>like to control which packets traverse my IPTables rules as much as
>possible, thus I match against source IP addresses too. For now I'll go
>along the assumption that you will have an IPSec tunnel to your router /
>firewall and not passing the tunnel traffic through to the internal system
>(terminating on the router vs the internal system). I'll also assume that
>the source IP address will be something along the lines of 192.168.1.234 for
>the sake of the discussion. For the sake of the discussion I'm going to use
>eth0 as your external interface and eth1 as your internal interface.
>
># Inbound traffic
>iptables -t nat -A PREROUTING -i eth0 -s 192.168.1.234 -d 192.168.90.1 \
>    -j DNAT --to-destination 192.168.1.1
>iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.234 -d 192.168.1.1 \
>    -j SNAT --to-source 192.168.90.234
># Outbound traffic
>iptables -t nat -A PREROUTING -i eth1 -s 192.168.1.1 -d 192.168.90.234 \
>    -j DNAT --to-destination 192.168.1.234
>iptables -t mangle -A POSTROUTING -s 192.168.1.1 -d 192.168.1.234 \
>    -j ROUTE --oif eth1
>iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.1 -d 192.168.1.234 \
>    -j SNAT --to-source 192.168.90.1
>
>I know that this will handle the inbound traffic correctly and I think it
>will handle the outbound traffic correctly. The trick here is that the
>outbound traffic will want to route back to the internal interface for the
>internal LAN subnet but hopefully via the ROUTE target that can be
>overridden. If that will not work you will need to do a similar inbound
>NATing on the other end of the tunnel.
>
>Netfilter IPTables ROUTE target
>http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-ROUTE
>
>Grant. . . .
>----- Original Message -----
>From: "Vernon A. Fort" <vfort@provident-solutions.com>
>To: <netfilter@lists.netfilter.org>
>Sent: Wednesday, April 06, 2005 1:15 PM
>Subject: IP Nat or forward
>
>>I need to NAT a VLAN or aliased interface to an internal address:
>>
>> 192.168.90.1 -> 192.168.1.1
>>
>>Basically a virtual network/address mapping. The main reason is I need
>>an IPSEC tunnel (openswan) connecting from a vendor to an internal server,
>>but the IP address of our internal server is already used on their end.
>>So, when they connect to 192.168.90.1, it's redirected/forwarded/NAT'd to
>>the real internal address.
>>
>>Can someone get me started?
>>
>>Vernon
Thanks! I want to make sure I understand the IPSEC and NAT. I'm
connecting a PUBLIC address to my FIREWALL but NOT including the gateway
address:
66.83.239.66 -> IPSEC -> 192.168.90.1 # a host to host / IP to IP VPN
THEN
NAT 192.168.90.1 to 192.168.1.1
Since the NAT takes place AFTER the IPSEC traffic, do I really need
NAT-T enabled?
Do I just alias the 192.168.90.1 address, or should I do a VLAN?
Vernon
* Re: IP Nat or forward
From: Taylor, Grant @ 2005-04-06 19:38 UTC (permalink / raw)
To: Vernon A. Fort, netfilter
Vernon, there are a few issues that pop into my head right away. First of
all, are you wanting to NAT your IPSec connection? If so you will need to
make sure that the IPSec implementation(s) that you use has a NAT Traversal
capability. I believe that OpenS/WAN and FreeS/WAN both have this
capability either directly in source or via a patch. Second, what is the
(internal / private) IP (sub)net that the vendor will be coming from? I'm
presuming that they will be coming from a 192.168.1.1 based on the fact
that you say they already have that address in use? The reason I ask is I
like to control which packets traverse my IPTables rules as much as
possible, thus I match against source IP addresses too. For now I'll go
along the assumption that you will have an IPSec tunnel to your router /
firewall and not passing the tunnel traffic through to the internal system
(terminating on the router vs the internal system). I'll also assume that
the source IP address will be something along the lines of 192.168.1.234 for
the sake of the discussion. For the sake of the discussion I'm going to use
eth0 as your external interface and eth1 as your internal interface.
# Inbound traffic
iptables -t nat -A PREROUTING -i eth0 -s 192.168.1.234 -d 192.168.90.1 \
    -j DNAT --to-destination 192.168.1.1
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.234 -d 192.168.1.1 \
    -j SNAT --to-source 192.168.90.234
# Outbound traffic
iptables -t nat -A PREROUTING -i eth1 -s 192.168.1.1 -d 192.168.90.234 \
    -j DNAT --to-destination 192.168.1.234
iptables -t mangle -A POSTROUTING -s 192.168.1.1 -d 192.168.1.234 \
    -j ROUTE --oif eth1
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.1 -d 192.168.1.234 \
    -j SNAT --to-source 192.168.90.1
I know that this will handle the inbound traffic correctly and I think it
will handle the outbound traffic correctly. The trick here is that the
outbound traffic will want to route back to the internal interface for the
internal LAN subnet but hopefully via the ROUTE target that can be
overridden. If that will not work you will need to do a similar inbound
NATing on the other end of the tunnel.
Netfilter IPTables ROUTE target
http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-ROUTE
Grant. . . .
----- Original Message -----
From: "Vernon A. Fort" <vfort@provident-solutions.com>
To: <netfilter@lists.netfilter.org>
Sent: Wednesday, April 06, 2005 1:15 PM
Subject: IP Nat or forward
> I need to NAT a VLAN or aliased interface to an internal address:
>
> 192.168.90.1 -> 192.168.1.1
>
> Basically a virtual network/address mapping. The main reason is I need
> an IPSEC tunnel (openswan) connecting from a vendor to an internal server,
> but the IP address of our internal server is already used on their end.
> So, when they connect to 192.168.90.1, it's redirected/forwarded/NAT'd to
> the real internal address.
>
> Can someone get me started?
>
> Vernon
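The DNAT/SNAT pairs above implement a 1:1 address mapping in each direction: the vendor's 192.168.1.234 is shown to the internal LAN as 192.168.90.234, and the real server 192.168.1.1 is shown to the vendor as 192.168.90.1. The model below is an added example, not code from the thread or from netfilter; it generalises the two per-host rules to the whole /24 (the way a NETMAP rule would) so the mapping can be checked for any vendor host, and the network and address constants are the ones used in the discussion. In real netfilter, conntrack reverses the inbound translation for reply packets on its own, so the explicit outbound rules matter for connections the internal server initiates; the model applies both rewrites explicitly to make the symmetry visible.

```python
"""1:1 mapping between an overlapping vendor LAN and an alias subnet.

Added example (not the thread's own code). Constants are the addresses
used in the discussion; the /24 generalisation is an assumption.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network

VENDOR_NET = IPv4Network("192.168.1.0/24")     # vendor's LAN (overlaps ours)
VENDOR_ALIAS = IPv4Network("192.168.90.0/24")  # how our LAN sees the vendor
INTERNAL_NET = IPv4Network("192.168.1.0/24")   # our LAN, same subnet
INTERNAL_SERVER = IPv4Address("192.168.1.1")   # real host
SERVER_ALIAS = IPv4Address("192.168.90.1")     # address the vendor connects to


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


def translation_needed() -> bool:
    """Without NAT the server's replies to 192.168.1.x would be routed to
    the local LAN instead of the tunnel, because the two subnets overlap."""
    return VENDOR_NET.overlaps(INTERNAL_NET)


def _map(addr: IPv4Address, src_net: IPv4Network, dst_net: IPv4Network) -> IPv4Address:
    """Keep the host bits, swap the network bits (NETMAP-style 1:1 mapping)."""
    host_bits = int(addr) & ~int(src_net.netmask)
    return IPv4Address(int(dst_net.network_address) | host_bits)


def inbound(pkt: Packet) -> Packet:
    """Tunnel -> internal LAN: PREROUTING DNAT, then POSTROUTING SNAT."""
    if pkt.dst != SERVER_ALIAS or pkt.src not in VENDOR_NET:
        return pkt  # not part of the mapping; left for normal routing/filtering
    pkt = replace(pkt, dst=INTERNAL_SERVER)                            # DNAT
    return replace(pkt, src=_map(pkt.src, VENDOR_NET, VENDOR_ALIAS))   # SNAT


def outbound(pkt: Packet) -> Packet:
    """Internal LAN -> tunnel: the exact reverse of inbound()."""
    if pkt.src != INTERNAL_SERVER or pkt.dst not in VENDOR_ALIAS:
        return pkt
    pkt = replace(pkt, dst=_map(pkt.dst, VENDOR_ALIAS, VENDOR_NET))    # DNAT
    return replace(pkt, src=SERVER_ALIAS)                              # SNAT


def round_trip(vendor_host: str) -> tuple[Packet, Packet]:
    """Vendor host -> 192.168.90.1; returns (as the server sees it, reply as the vendor sees it)."""
    request = inbound(Packet(IPv4Address(vendor_host), SERVER_ALIAS))
    reply = outbound(Packet(request.dst, request.src))
    return request, reply
```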
* Re: IP Nat or forward
From: Taylor, Grant @ 2005-04-06 20:34 UTC (permalink / raw)
To: Vernon A. Fort, netfilter
Ok, one of us is not understanding the other, and it is likely me. Normal
IPSec VPNs run on a network as such:
[Host A] --- LAN --- [Host B] .... (INET) .... [Host C] --- LAN --- [Host D]
Where the LAN between Host A and Host B is one IP subnet and the LAN between
Host C and Host D is another IP subnet, preferably different than the IP
subnet on the first LAN. The VPN in this scenario would be between Host B
and Host C. Let's suppose that the hosts have the following IP addresses:
Host A's LAN IP address is 172.16.1.1
Host B's LAN IP address is 172.16.1.254
Host B's INet IP address is 12.34.56.78
Host C's INet IP address is 87.65.43.21
Host C's LAN IP address is 172.31.255.254
Host D's LAN IP address is 172.31.255.1
In this case the IPSec VPN would be between Host B's INet address of
12.34.56.78 and Host C's INet address of 87.65.43.21. As far as what
traffic would and would not be NATed, you would NAT all traffic going out to
the INet from Host B's INet IP address of 12.34.56.78 except the IPSec VPN
traffic. More information on how to NAT all traffic but the IPSec VPN
traffic is available with your IPSec VPN software. Ask if you need more
help configuring your NATing on Host B and / or Host C. You (or your
counterpart on the other LAN) would NAT all traffic going out to the INet
from Host C's INet IP address of 87.65.43.21 except the IPSec VPN traffic.
Because you have the VPN passing traffic from one LAN to the other LAN you
don't normally need to NAT the traffic at all, except that in your case you
have the same IP subnet on both LANs, which will mess up normal routing and
thus you have to augment it via NATing. I hope this helps clear up some
things for you.
Grant. . . .
> Thanks! I want to make sure I understand the IPSEC and NAT. I'm
> connecting a PUBLIC address to my FIREWALL but NOT including the gateway
> address:
>
> 66.83.239.66 -> IPSEC -> 192.168.90.1 # a host to host / IP to IP VPN
> THEN
> NAT 192.168.90.1 to 192.168.1.1
>
> Since the NAT takes place AFTER the IPSEC traffic, do I really need
> NAT-T enabled?
>
> Do I just alias the 192.168.90.1 address, or should I do a VLAN?
>
> Vernon
* Re: IP Nat or forward
From: Vernon A. Fort @ 2005-04-07 13:18 UTC (permalink / raw)
To: netfilter
Taylor, Grant wrote:
>Ok, one of us is not understanding the other, and it is likely me. Normal
>IPSec VPNs run on a network as such:
>
>[Host A] --- LAN --- [Host B] .... (INET) .... [Host C] --- LAN --- [Host D]
>
>Where the LAN between Host A and Host B is one IP subnet and the LAN between
>Host C and Host D is another IP subnet, preferably different than the IP
>subnet on the first LAN. The VPN in this scenario would be between Host B
>and Host C. Let's suppose that the hosts have the following IP addresses:
>
>Host A's LAN IP address is 172.16.1.1
>Host B's LAN IP address is 172.16.1.254
>Host B's INet IP address is 12.34.56.78
>Host C's INet IP address is 87.65.43.21
>Host C's LAN IP address is 172.31.255.254
>Host D's LAN IP address is 172.31.255.1
>
>In this case the IPSec VPN would be between Host B's INet address of
>12.34.56.78 and Host C's INet address of 87.65.43.21. As far as what
>traffic would and would not be NATed, you would NAT all traffic going out to
>the INet from Host B's INet IP address of 12.34.56.78 except the IPSec VPN
>traffic. More information on how to NAT all traffic but the IPSec VPN
>traffic is available with your IPSec VPN software. Ask if you need more
>help configuring your NATing on Host B and / or Host C. You (or your
>counterpart on the other LAN) would NAT all traffic going out to the INet
>from Host C's INet IP address of 87.65.43.21 except the IPSec VPN traffic.
>Because you have the VPN passing traffic from one LAN to the other LAN you
>don't normally need to NAT the traffic at all, except that in your case you
>have the same IP subnet on both LANs, which will mess up normal routing and
>thus you have to augment it via NATing. I hope this helps clear up some
>things for you.
>
>Grant. . . .
>
>>Thanks! I want to make sure I understand the IPSEC and NAT. I'm
>>connecting a PUBLIC address to my FIREWALL but NOT including the gateway
>>address:
>>
>> 66.83.239.66 -> IPSEC -> 192.168.90.1 # a host to host / IP to IP VPN
>> THEN
>> NAT 192.168.90.1 to 192.168.1.1
>>
>>Since the NAT takes place AFTER the IPSEC traffic, do I really need
>>NAT-T enabled?
>>
>>Do I just alias the 192.168.90.1 address, or should I do a VLAN?
>>
>>Vernon
OK - I have a VPN working WITHOUT NAT. I did try the NAT per your
example and several others, as well as adding nat_traversal=yes in the
ipsec.conf. Both servers are stock Fedora Core 3. The iptables version
on both does NOT support the --oif option, so this may have been the
reason. I also cannot confirm whether the NAT-Traversal patch is in the kernel
- I did look. Here's the layout:
HOSTA (Vendor) 63.171.212.10 (172.16.1.0/24)
HOSTB (ME) 66.83.239.70 (192.168.90.0/24)
The real host this vendor needs access to is 192.168.1.1, but they
already have a VPN defined with this subnet. I set this up in a test
environment using an additional FC3 box as the real host. I was able to
set an aliased IP address within the 192.168.90 subnet and set a
POSTROUTING rule to perform SNAT, and it WORKED - I know this is NATing
outside of the VPN.
An additional thought - the site listed above has a Cisco 2811 router as
the main WAN router (not internet) and it 'APPEARS' to have NAT
capabilities. I guess the easiest way to get this running is to configure
the router to perform DNAT/SNAT if the source and destination match.
I can fumble around on the router and know the basic commands, but I'm no
expert. So, if anyone on the list knows the exact commands to NAT this
real host, your assistance would be greatly appreciated! Otherwise,
I'm off to study the Cisco ip nat command structure.
Vernon