* nat
@ 2002-06-14  8:29 saied tabandeh
  0 siblings, 0 replies; 16+ messages in thread
From: saied tabandeh @ 2002-06-14  8:29 UTC (permalink / raw)
  To: netfilter

test





* Nat
@ 2002-09-08 20:43 Mattia Martinello
  2002-09-08 21:00 ` Nat Antony Stone
                   ` (2 more replies)
  0 siblings, 3 replies; 16+ messages in thread
From: Mattia Martinello @ 2002-09-08 20:43 UTC (permalink / raw)
  To: netfilter

Hi.

I wish to create a NAT with masquerading to allow my LAN to access the 
Internet.
I have two LANs: 192.168.1.x and 192.168.2.x. The server which will do 
the masquerading is on both LANs, with two ethernet cards.
How can I allow only one LAN to access the Internet via ppp0 on the server?
I tried these lines, but it doesn't work:

iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -j DROP
iptables -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp0 -j MASQUERADE

What can I do?

Thank you very much
Bye
Mattia Martinello




* Re: Nat
  2002-09-08 20:43 Nat Mattia Martinello
@ 2002-09-08 21:00 ` Antony Stone
  2002-09-08 21:27 ` Nat R. Sterenborg
  2002-09-08 21:49 ` Nat Anders Fugmann
  2 siblings, 0 replies; 16+ messages in thread
From: Antony Stone @ 2002-09-08 21:00 UTC (permalink / raw)
  To: netfilter

On Sunday 08 September 2002 9:43 pm, Mattia Martinello wrote:

> Hi.
>
> I wish to create a NAT with masquerading to allow my LAN to access the
> Internet.
> I have two LANs: 192.168.1.x and 192.168.2.x. The server which will do
> the masquerading is on both LANs, with two ethernet cards.
> How can I allow only one LAN to access the Internet via ppp0 on the server?
> I tried these lines, but it doesn't work:
>
> iptables -t nat -F POSTROUTING
> iptables -t nat -A POSTROUTING -j DROP

Never, never set a default policy other than ACCEPT on the nat or mangle 
tables !

> iptables -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp0 -j MASQUERADE

That should work fine.   A pity you can't use the -i option to specify the 
input interface in the POSTROUTING chain, but there you go....

> What can I do?

You could alternatively filter out packets from 192.168.2.0/24 going to ppp0, 
and then just MASQUERADE everything exiting ppp0 ?

Antony.

-- 

It is also possible that putting the birds in a laboratory setting
inadvertently renders them relatively incompetent.

 - Daniel C Dennett



* RE: Nat
  2002-09-08 20:43 Nat Mattia Martinello
  2002-09-08 21:00 ` Nat Antony Stone
@ 2002-09-08 21:27 ` R. Sterenborg
  2002-09-08 21:49 ` Nat Anders Fugmann
  2 siblings, 0 replies; 16+ messages in thread
From: R. Sterenborg @ 2002-09-08 21:27 UTC (permalink / raw)
  To: netfilter

> I tried these lines, but it doesn't work:
>
> iptables -t nat -F POSTROUTING
> iptables -t nat -A POSTROUTING -j DROP
> iptables -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp0 -j MASQUERADE

Try :

iptables -P INPUT DROP
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT

iptables -P FORWARD DROP
iptables -A FORWARD -s 192.168.1.0/24 -o ppp0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE


Rob




* Re: Nat
  2002-09-08 20:43 Nat Mattia Martinello
  2002-09-08 21:00 ` Nat Antony Stone
  2002-09-08 21:27 ` Nat R. Sterenborg
@ 2002-09-08 21:49 ` Anders Fugmann
  2 siblings, 0 replies; 16+ messages in thread
From: Anders Fugmann @ 2002-09-08 21:49 UTC (permalink / raw)
  To: Mattia Martinello; +Cc: netfilter

Mattia Martinello wrote:
> 
> iptables -t nat -F POSTROUTING
> iptables -t nat -A POSTROUTING -j DROP
This drops every packet leaving the box. This is not what you want.

> iptables -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp0 -j MASQUERADE
> 

First masquerade the packets:
$ iptables -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp0 \
	-j MASQUERADE

Now only allow packets from the network that is to have Internet access 
to pass through the firewall. All these packets go through the FORWARD 
chain in the filter table. This is where you want to filter who should 
have Internet access or not.

$ iptables -P FORWARD DROP
$ iptables -A FORWARD -s 192.168.1.0/255.255.255.0 -o ppp0 -j ACCEPT

Now allow only packets related to a connection from the LAN to pass 
through the firewall from the Internet.

$ iptables -A FORWARD -i ppp0 -m state --state RELATED,ESTABLISHED \
	-j ACCEPT

And lastly close up the firewall, but allow the firewall itself to 
receive replies:

$ iptables -P INPUT DROP
$ iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

And allow clients from the LANs to ssh to the firewall.
$ iptables -A INPUT -i eth+ -p tcp --dport ssh -j ACCEPT

That's it. If you want the two LANs to be able to talk to each other then add:

$ iptables -A FORWARD -i eth+ -o eth+ -j ACCEPT

Hope it helps.
If not, then read and understand (that's the important part) the howtos 
and tutorials for iptables.

Regards
Anders Fugmann

--
Author of FIAIF
FIAIF Is An Intelligent Firewall
http://fiaif.fugmann.dhs.org
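The rule set Anders lays out above (and the point Antony and Rob make in the same thread: translation belongs in the nat table, access control in the filter table) as one reviewable script. This is an added example and is not code from the thread or from FIAIF. `LAN_NET`, `WAN_IF` and `LAN_IFS` are assumed names for the LAN that may go out, the dial-up interface and the glob for the internal ethernet cards, and the two `check_*` functions are review checks of our own, not iptables features.

```shell
#!/bin/sh
# Added example (not code from the thread or from FIAIF): the rule set Anders
# describes, as a script whose output can be reviewed before it is applied.
# Assumed names: LAN_NET is the LAN allowed out, WAN_IF the dial-up
# interface, LAN_IFS the glob matching the internal ethernet cards.
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WAN_IF="${WAN_IF:-ppp0}"
LAN_IFS="${LAN_IFS:-eth+}"

# Emit one iptables command per line. Nothing is applied here.
gen_rules() {
    # 1. The nat table only rewrites addresses; who may go out is not decided
    #    here, so it carries no DROP.
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"

    # 2. Access control for routed traffic lives in filter/FORWARD: default
    #    deny, the chosen LAN out, and only replies back in from the uplink.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -s $LAN_NET -o $WAN_IF -j ACCEPT"
    echo "iptables -A FORWARD -i $WAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # Let the two LANs talk to each other through the box.
    echo "iptables -A FORWARD -i $LAN_IFS -o $LAN_IFS -j ACCEPT"

    # 3. Traffic to the firewall itself: replies, plus ssh from the inside.
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -A INPUT -i $LAN_IFS -p tcp --dport ssh -j ACCEPT"
}

# Review check (ours, not an iptables feature): a DROP or REJECT target in a
# nat-table rule is the mistake from the original post. Reads rules on stdin.
check_no_drop_in_nat() {
    if grep -- '-t nat ' | grep -Eq -- '-j (DROP|REJECT)'; then
        echo "filtering target found in the nat table; move it to filter/FORWARD" >&2
        return 1
    fi
}

# Review check (ours): every network masqueraded in POSTROUTING must also be
# accepted in FORWARD, otherwise its first packet is translated and then dropped.
check_forward_matches_nat() {
    rules=$(cat)
    for net in $(echo "$rules" | sed -n 's/.*POSTROUTING -s \([^ ]*\) .*-j MASQUERADE.*/\1/p'); do
        echo "$rules" | grep -q -- "-A FORWARD -s $net " \
            || { echo "no FORWARD ACCEPT for $net" >&2; return 1; }
    done
}

case "${1:-}" in
    --apply)
        gen_rules | check_no_drop_in_nat || exit 1
        gen_rules | check_forward_matches_nat || exit 1
        gen_rules | sh -e ;;          # also needs net.ipv4.ip_forward=1
    *)  gen_rules ;;
esac
```

Run with no arguments it prints the rule list for review; `--apply` runs the two checks and then feeds the rules to `sh`. Two things the thread leaves implicit: `net.ipv4.ip_forward` must be 1 for the box to route at all, and the nat table is consulted only for the first packet of each connection, which is why a DROP placed there behaves so differently from a DROP in FORWARD.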






* NAT
@ 2003-10-01 11:11 tlussnig
  2003-10-03 10:22 ` NAT Harald Welte
  0 siblings, 1 reply; 16+ messages in thread
From: tlussnig @ 2003-10-01 11:11 UTC (permalink / raw)
  To: netfilter

Hi,
I use iproute2 for static NAT.
My problem is that connections from intern to extern and from extern to intern work fine.
But if I try to connect to my external IP from an internal box it does not work.

Intern:
1.1.1.10/24 (ssh-server)
Extern:
217.0.0.10 (ssh-server)
Gateway:
1.1.1.1
217.0.0.1


1.1.1.10/24--------[1.1.1.1/217.0.0.1](217.0.0.10)-----------Internet

What I can't do, from 1.1.1.10: telnet 217.0.0.10.
Any hint? I can also use iptables to get this working.

Cu Thomas Lußnig



* Re: NAT
  2003-10-01 11:11 NAT tlussnig
@ 2003-10-03 10:22 ` Harald Welte
  0 siblings, 0 replies; 16+ messages in thread
From: Harald Welte @ 2003-10-03 10:22 UTC (permalink / raw)
  To: tlussnig; +Cc: netfilter


On Wed, Oct 01, 2003 at 04:11:50AM -0700, tlussnig@bewegungsmelder.de wrote:
> Hi,
> i use iproute2 for statical nat.

then you are totally wrong on this mailinglist, sorry.  Talk to
linux-net or netdev@oss.sgi.com.

> Cu Thomas Lußnig

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie



* nat
@ 2003-11-26  5:31 Paul Fontenot
  2003-11-26  6:33 ` nat Daniel Chemko
  0 siblings, 1 reply; 16+ messages in thread
From: Paul Fontenot @ 2003-11-26  5:31 UTC (permalink / raw)
  To: netfilter

Not sure what the ipfilter lingo is for what I want to do, so I will
demonstrate with a Cisco PIX ACL.

access-list outside_access_in permit tcp any host 1.1.1.1 eq 3306

There would be a static for the 1.1.1.1 address:

static (inside,outside) 192.168.1.1 1.1.1.1

Where the MySQL server is running on host 192.168.1.1 and that ip is mapped
via a static translation to 1.1.1.1 on the PIX's outside interface.





* Re: nat
  2003-11-26  5:31 nat Paul Fontenot
@ 2003-11-26  6:33 ` Daniel Chemko
  0 siblings, 0 replies; 16+ messages in thread
From: Daniel Chemko @ 2003-11-26  6:33 UTC (permalink / raw)
  To: Paul Fontenot; +Cc: netfilter

iptables -t nat -A PREROUTING -i <your inet iface> --destination 1.1.1.1 -p tcp --dport 3306 -j DNAT --to 192.168.1.1

If you have sane filtering rules (same as IOS access-list), you will 
also have to open up the FORWARD chain for inbound traffic:

iptables -A FORWARD -i <your inet iface> --destination 192.168.1.1 -p tcp --dport 3306 -j ACCEPT

reading the iptables man pages fills in most of the important stuff, and 
if that isn't enough, you could always read the documentation on 
netfilter.org for more info than you'll need.

Paul Fontenot wrote:

>Not sure what the ipfilter lingo is for what i want to do so I will
>demonstrate with a Cisco PIX ACL.
>
>access-list outside_access_in permit tcp any host 1.1.1.1 eq 3306
>
>There would be a static for the 1.1.1.1 address:
>
>static (inside,outside) 192.168.1.1 1.1.1.1
>
>Where the MySQL server is running on host 192.168.1.1 and that ip is mapped
>via a static translation to 1.1.1.1 on the PIX's outside interface.




* Nat
@ 2004-06-06 17:36 mafioso1823
  2004-06-07  7:38 ` Nat Antony Stone
  0 siblings, 1 reply; 16+ messages in thread
From: mafioso1823 @ 2004-06-06 17:36 UTC (permalink / raw)
  To: netfilter

I am very new to iptables and I wanted to know how I would do a hide NAT and
a static NAT? Any help is very much appreciated.




* Re: Nat
  2004-06-06 17:36 Nat mafioso1823
@ 2004-06-07  7:38 ` Antony Stone
  0 siblings, 0 replies; 16+ messages in thread
From: Antony Stone @ 2004-06-07  7:38 UTC (permalink / raw)
  To: netfilter

On Sunday 06 June 2004 6:36 pm, mafioso1823@contourmediagroup.com wrote:

> I am very new to iptables and i wanted to know how would i do a hide nat
> and a static nat? Any help is very much appreciated.

http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html should explain 
things, and http://iptables-tutorial.frozentux.net/iptables-tutorial.html 
will give you more information on NAT, and netfilter in general.

Please feel free to come back and ask on the list if you have specific 
questions regarding a particular setup.

Regards,

Antony.

-- 
The truth is rarely pure, and never simple.

 - Oscar Wilde

                                                     Please reply to the list;
                                                           please don't CC me.




* NAT
@ 2007-07-03  6:52 Martin Schiøtz
  2007-07-03  7:27 ` NAT Grant Taylor
  0 siblings, 1 reply; 16+ messages in thread
From: Martin Schiøtz @ 2007-07-03  6:52 UTC (permalink / raw)
  To: netfilter

Hi

I'm going to setup a bridged NAT linux box for many users. I want one
outside IP address to serve for instance 10.0.0.0/22.

I want to be sure that each local IP address always has 1024 NAT
sessions available and that sessions are kept even if the timeout is
reached. If 1024 sessions are reached and a new session is being
established then it will take over the oldest (timed out) session.

Is this possible with iptables?

- Martin



* Re: NAT
  2007-07-03  6:52 NAT Martin Schiøtz
@ 2007-07-03  7:27 ` Grant Taylor
  2007-07-03  7:55   ` NAT Martin Schiøtz
  0 siblings, 1 reply; 16+ messages in thread
From: Grant Taylor @ 2007-07-03  7:27 UTC (permalink / raw)
  To: Mail List - Netfilter

On 7/3/2007 1:52 AM, Martin Schiøtz wrote:
> I'm going to setup a bridged NAT linux box for many users. I want one 
> outside IP address to serve for instance 10.0.0.0/22.

Why do this with bridging?  If you have a 10.0.0.0/22 network like you 
say, it is private and thus not globally routable.  So, to reach the 
internet you will have to NAT to a globally routable IP.  Thus you have 
a private subnet and a public subnet which is an ideal environment for a 
layer 3 router.  Even if you are not going to a public IP but rather 
another private IP, the same scenario holds true.

Or are you for some reason wanting to perform a layer 3 function on 
layer 2?  If so, can I ask why?

> I want to be sure that each local IP address always has 1024 NAT 
> sessions available and that sessions is kept even if the timeout is 
> reached. If 1024 sessions is reached and a new session is being 
> established then it will take over the oldest (timed out) session.

I'm not sure that you will be able to specify how many NAT sessions each 
system will have and / or how to control the expiration thereof.  I do 
know that you will have to (or at least in previous kernels had to) have a 
fair amount of RAM for the connection tracking table not to wrap on a 
network of that size.

> Is this possible with iptables?

The first part of what you want to do (layer 2 or layer 3) NATing, yes.

As far as controlling how many sessions are reserved / maintained even 
beyond timeouts, I don't know.  I'm betting not, especially to the latter.



Grant. . . .



* Re: NAT
  2007-07-03  7:27 ` NAT Grant Taylor
@ 2007-07-03  7:55   ` Martin Schiøtz
  2007-07-03 14:29     ` NAT Robert LeBlanc
  0 siblings, 1 reply; 16+ messages in thread
From: Martin Schiøtz @ 2007-07-03  7:55 UTC (permalink / raw)
  Cc: Mail List - Netfilter

On 7/3/07, Grant Taylor <gtaylor@riverviewtech.net> wrote:
> On 7/3/2007 1:52 AM, Martin Schiøtz wrote:
> > I'm going to setup a bridged NAT linux box for many users. I want one
> > outside IP address to serve for instance 10.0.0.0/22.
>
> Why do this with bridging?  If you have a 10.0.0.0/22 network like you
> say, it is private and thus not globally routable.  So, to reach the
> internet you will have to NAT to a globally routable IP.  Thus you have
> a private subnet and a public subnet which is an ideal environment for a
> layer 3 router.  Even if you are not going to a public IP but rather
> another private IP, the same scenario holds true.
>
> Or are you for some reason wanting to perform a layer 3 function on
> layer 2?  If so, can I ask why?

Ok, I think you're right here.

>
> > I want to be sure that each local IP address always has 1024 NAT
> > sessions available and that sessions is kept even if the timeout is
> > reached. If 1024 sessions is reached and a new session is being
> > established then it will take over the oldest (timed out) session.
>
> I'm not sure that you will be able to specify how many NAT sessions each
> system will have and / or how to control the expiration there of.  I do
> know that you will have (or did have to in previous kernels) to have a
> fair amount of RAM for the connection tracking table to not wrap on a
> network of that size.
>
> > Is this possible with iptables?
>
> The first part of what you want to do (layer 2 or layer 3) NATing, yes.
>
> As far as controlling how many sessions are reserved / maintained even
> beyond timeouts, I don't know.  I'm betting not, especially to the latter.
>

I guess the question was more about controlling the number of NAT
sessions per local IP address?

- Martin



* Re: NAT
  2007-07-03  7:55   ` NAT Martin Schiøtz
@ 2007-07-03 14:29     ` Robert LeBlanc
  2007-07-30 14:11       ` check a simple set of rules richard
  0 siblings, 1 reply; 16+ messages in thread
From: Robert LeBlanc @ 2007-07-03 14:29 UTC (permalink / raw)
  To: Martin Schiøtz; +Cc: Mail List - Netfilter




On 7/3/07 1:55 AM, "Martin Schiøtz" <malinux@gmail.com> wrote:

> On 7/3/07, Grant Taylor <gtaylor@riverviewtech.net> wrote:
>> On 7/3/2007 1:52 AM, Martin Schiøtz wrote:
>>> I'm going to setup a bridged NAT linux box for many users. I want one
>>> outside IP address to serve for instance 10.0.0.0/22.
>> 
>> Why do this with bridging?  If you have a 10.0.0.0/22 network like you
>> say, it is private and thus not globally routable.  So, to reach the
>> internet you will have to NAT to a globally routable IP.  Thus you have
>> a private subnet and a public subnet which is an ideal environment for a
>> layer 3 router.  Even if you are not going to a public IP but rather
>> another private IP, the same scenario holds true.
>> 
>> Or are you for some reason wanting to perform a layer 3 function on
>> layer 2?  If so, can I ask why?
> 
> Ok, I think you're right here.
> 
>> 
>>> I want to be sure that each local IP address always has 1024 NAT
>>> sessions available and that sessions is kept even if the timeout is
>>> reached. If 1024 sessions is reached and a new session is being
>>> established then it will take over the oldest (timed out) session.
>> 
>> I'm not sure that you will be able to specify how many NAT sessions each
>> system will have and / or how to control the expiration there of.  I do
>> know that you will have (or did have to in previous kernels) to have a
>> fair amount of RAM for the connection tracking table to not wrap on a
>> network of that size.
>> 
>>> Is this possible with iptables?
>> 
>> The first part of what you want to do (layer 2 or layer 3) NATing, yes.
>> 
>> As far as controlling how many sessions are reserved / maintained even
>> beyond timeouts, I don't know.  I'm betting not, especially to the latter.
>> 
> 
> I guess the question was more about controlling the number of NAT
> sessions per local IP address?

If you give iptables a range, it will try to do as little port mangling as
possible, so I believe it will try to hold onto connections as long as
possible. We saw quite a performance difference when we moved our 100 users from one
NATted address to 64. I guess the mangling made that much of a difference.
 
Robert LeBlanc
BioAg Computer Support
Brigham Young University
leblanc@byu.edu
(801)422-1882





* check a simple set of rules
  2007-07-03 14:29     ` NAT Robert LeBlanc
@ 2007-07-30 14:11       ` richard
  0 siblings, 0 replies; 16+ messages in thread
From: richard @ 2007-07-30 14:11 UTC (permalink / raw)
  To: Mail List - Netfilter

Hi,

I'm relatively new to putting together my own set of iptables rules as opposed 
to just using a tool that builds them for me. Hence, I'm not very 
confident in a set that I have manually constructed.
I was wondering whether anybody would be good enough to scan over the 
set below and point out any blunders/omissions?

My set up is such that I have a firewall with 2 network cards, one 
attached to the LAN and one external facing. I have a webserver that 
sits on a box behind the firewall. I also have a number of boxes on the 
LAN that I want to be able to ssh to remotely. I also want users on the 
LAN to be able to browse to the web server by using the external facing 
address.

Thanks in advance,

Rich

#!/bin/sh
#

###########################################################################
#
# 1. Configuration options.
#

#
# Internet Configuration.
#

INET_IP="*.*.*.*"
INET_IFACE="eth0"
INET_BROADCAST="*.*.*.*"

# Local Area Network configuration.
#


LAN_IP="192.168.1.118"
LAN_IP_RANGE="192.168.1.0/24"
LAN_IFACE="eth1"
LO_IFACE="lo"
LO_IP="127.0.0.1"


IPTABLES="/sbin/iptables"

#
# Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#

/sbin/depmod -a

#
# Required modules
#

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

#
# Non-Required modules
#

/sbin/modprobe ip_conntrack_ftp     # need this to allow outgoing ftp connections
/sbin/modprobe ip_nat_ftp           # need this to allow outgoing ftp connections



############################################################################
# 3. rules set up.
#

######
# Filter table
#

#
# Set policies
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# Create chain for bad tcp packets
#

$IPTABLES -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets

#
# Create content in userspecified chains
#

#
# bad_tcp_packets chain
#

$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# TCP rules
#


$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 2222 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 2223 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 2224 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 2225 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 443 -j allowed


#
# UDP ports
#


$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 123 -j ACCEPT   # allow ntp


#
# In Microsoft Networks you will be swamped by broadcasts. These lines
# will prevent them from showing up in the logs.
#

$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d $INET_BROADCAST --destination-port 135:139 -j DROP

#
# If we get DHCP requests from the Outside of our network, our logs will
# be swamped as well. This rule will block them from getting logged.
#

$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 --destination-port 67:68 -j DROP

#
# ICMP rules
#

#$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT   # don't allow people to ping us
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

###############################################
# INPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for special networks not part of the Internet
#

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT

#
# Special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
#

$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT

#
# Rules for incoming packets from the internet.
#

$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs
#

#$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP

#
# Log weird packets that don't match the above.
#

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "


#####
# FORWARD chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#####
# OUTPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "


###########################################################################
#
# 4. /proc set up.
#

#
# Required proc configuration
#

echo "1" > /proc/sys/net/ipv4/ip_forward


###########################################################################




###########################################################################
# 5. nat table

#
# PREROUTING chain
#
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.110:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 192.168.1.110:443
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2222 -j DNAT --to 192.168.1.110:22
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2223 -j DNAT --to 192.168.1.154:22
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2224 -j DNAT --to 192.168.1.153:22
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2225 -j DNAT --to 192.168.1.141:22

#
# POSTROUTING chain
#

#
# Enable simple IP Forwarding and Network Address Translation
#

# deal with connections to the web server on the external address that originate from the LAN
$IPTABLES -t nat -A POSTROUTING -p tcp -s 192.168.1.0/24 -d $INET_IP --dport 80 -j SNAT --to-source $LAN_IP
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
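Two things in the script above do not do what Rich asks for, and Daniel Chemko's reply earlier on this page names the first: with `-P FORWARD DROP`, a connection that PREROUTING has DNATed to 192.168.1.110 still has to be accepted in FORWARD, and no rule admits it (the `tcp_packets` chain is only reached from INPUT). The second is the hairpin case: the PREROUTING rules match only `-i eth0`, so a LAN client connecting to the external address is never redirected, and the POSTROUTING SNAT keyed on `-d $INET_IP` can never match a forwarded packet, because by the time POSTROUTING runs the destination has already been rewritten. The script below is an added example, not code from the thread, that publishes services with both gaps closed. `WAN_IF`, `WAN_IP`, `LAN_NET` and `FW_LAN_IP` are assumed names (203.0.113.10 is a documentation-range placeholder for the redacted `*.*.*.*`), and `check_forward` is a review check of our own, not an iptables feature.

```shell
#!/bin/sh
# Added example, not code from the thread: publish internal services with DNAT
# (Daniel Chemko's reply) so that they work both from the Internet and from
# the LAN via the external address (the hairpin case in Rich's script).
# Assumed names: WAN_IF/WAN_IP are the uplink interface and public address
# (203.0.113.10 is a documentation-range placeholder for the redacted one),
# LAN_NET the internal network, FW_LAN_IP the firewall's own LAN address.
WAN_IF="${WAN_IF:-eth0}"
WAN_IP="${WAN_IP:-203.0.113.10}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
FW_LAN_IP="${FW_LAN_IP:-192.168.1.118}"

# Rules shared by every published service. Nothing is applied here.
base_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # The LAN may initiate anything, hairpinned connections included.
    echo "iptables -A FORWARD -s $LAN_NET -j ACCEPT"
}

# Emit the rules for one service: $1 external port, $2 internal host,
# $3 internal port.
publish_service() {
    ext_port="$1"; int_host="$2"; int_port="$3"
    # PREROUTING runs before the routing decision for packets from every
    # interface. Keying on the public address rather than "-i $WAN_IF" means a
    # LAN client that connects to the public address is redirected as well.
    echo "iptables -t nat -A PREROUTING -d $WAN_IP -p tcp --dport $ext_port -j DNAT --to-destination $int_host:$int_port"
    # The nat table only rewrites; the new connection still has to be accepted
    # in FORWARD, whose policy is DROP.
    echo "iptables -A FORWARD -i $WAN_IF -d $int_host -p tcp --dport $int_port -m state --state NEW -j ACCEPT"
    # Hairpin: POSTROUTING sees the destination after DNAT, so match the
    # internal host, not the public address. SNAT to the firewall's LAN address
    # so the server answers the firewall, which un-DNATs the reply; answered
    # directly, the client would see a reply from an address it never contacted.
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -d $int_host -p tcp --dport $int_port -j SNAT --to-source $FW_LAN_IP"
}

gen_rules() {
    base_rules
    publish_service 80   192.168.1.110 80
    publish_service 443  192.168.1.110 443
    publish_service 2222 192.168.1.110 22
}

# Review check (ours, not an iptables feature): every DNAT target needs a
# FORWARD ACCEPT, or the published service silently dies in FORWARD. Reads a
# rule list on stdin, names each unmatched target, returns 1 if any.
check_forward() {
    rules=$(cat)
    bad=0
    for target in $(echo "$rules" | sed -n 's/.*-j DNAT --to-destination \([^ ]*\).*/\1/p'); do
        host=${target%%:*}; port=${target##*:}
        echo "$rules" | grep -q -- "-A FORWARD .*-d $host .*--dport $port .*-j ACCEPT" \
            || { echo "no FORWARD ACCEPT for $target" >&2; bad=1; }
    done
    return $bad
}

case "${1:-}" in
    --apply) gen_rules | check_forward && gen_rules | sh -e ;;
    *)       gen_rules ;;
esac
```

Without arguments the script prints the rules for review; `--apply` runs `check_forward` and, only if every DNAT target is matched by a FORWARD rule, feeds the list to `sh`. The hairpin SNAT deliberately matches on the internal host and port rather than on the public address, and is restricted to `-s $LAN_NET`, so Internet-originated connections keep their real source address in the web server's logs.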





