* Altering firewall rules to enable NAT Reflection
From: Simon @ 2008-11-06 23:25 UTC (permalink / raw)
To: netfilter
Hi There,
Sorry if IPCOP is a bad word here :) but I could do with some
assistance OR a better suggestion!
We currently have a Linksys ADSL modem with a fixed IP address on the
internet side and 192.168.1.0 on the internal side. We port forward
various ports to various IPs on the internal network, including port
443 to our MS Exchange server. This all runs nice as the Linksys does
"NAT Reflection" (is that the correct term?) so internal clients can
just connect to the external IP to get services from internal servers.
Now we have upgraded to VDSL (40Mbit, up from 5Mbit on ADSL) and the
router they have supplied does not do this. Well that's OK.. I can
set up the internal DNS so the external address points to internal IPs
- All well and good... until:
iPhones. According to Apple: the iPhone's push email setup does not
work if "your Exchange ActiveSync server has a different IP address
for intranet and Internet clients" (see
http://support.apple.com/kb/TS1868). And I can state that this is
correct.
So the first thing I thought, putting on my newbie hat, was to install
some sort of Linux-based firewall so we can alter the firewall rules
to achieve the same. IPCOP is what I have used in the past, but no one
on the IPCOP forum or list can seem to be able to (or want to) help me
with this issue (no disrespect intended).
Any assistance in getting it sorted OR a better suggestion would be
very appreciated (please don't tell me to get new phones!)
Thanks
Simon
* Re: Altering firewall rules to enable NAT Reflection
From: Grant Taylor @ 2008-11-07 19:00 UTC (permalink / raw)
To: Mail List - Netfilter
On 11/06/08 17:25, Simon wrote:
> Sorry if IPCOP is a bad word here :) but I could do with some
> assistance OR a better suggestion!
IMHO this list is a fine place to ask IPTables related questions. As
long as the questions boil down to IPTables questions, and not something
specific to the IPTables wrapper, I don't see a problem.
> We currently have a Linksys ADSL modem with a fixed IP address on the
> internet side and 192.168.1.0 on the internal side. We port forward
> various ports to various IPs on the internal network, including port
> 443 to our MS Exchange server. This all runs nice as the Linksys does
> "NAT Reflection" (is that the correct term?) so internal clients can
> just connect to the external IP to get services from internal
> servers.
I've not heard the phrase "NAT Reflection" per se, but if I understand
what you are wanting to do correctly, I don't see a problem with said
phrase. (See below for more details.)
> Now we have upgraded to VDSL (40Mbit, up from 5Mbit on ADSL) and the
> router they have supplied does not do this. Well that's OK.. I can
> set up the internal DNS so the external address points to internal IPs
> - All well and good... until:
>
> iPhones. According to Apple: the iPhone's push email setup does not
> work if "your Exchange ActiveSync server has a different IP address
> for intranet and Internet clients" (see
> http://support.apple.com/kb/TS1868). And I can state that this is
> correct.
Dough!
> So the first thing I thought, putting on my newbie hat, was to install
> some sort of Linux-based firewall so we can alter the firewall rules
> to achieve the same. IPCOP is what I have used in the past, but no
> one on the IPCOP forum or list can seem to be able to (or want to)
> help me with this issue (no disrespect intended).
I think I can help. I also think you might be running into a
restriction of IPCOP, which in my opinion is a "wrapper" to IPTables.
I've found that a lot of "wrappers" can't truly provide an easy way to
do what really can be done.
In short, what you want to do from an IPTables point of view is to cause
any internal client that initiates a connection to the external IP to
really and unknowingly be connecting to the internal IP. Sort of
/reflected/ off the firewall. (This is why I don't have a problem with
the phrase "NAT Reflection".)
You will have the obvious rules for any inbound traffic (coming in to
the external interface) that is destined to the IP and / or port of the
service DNATed over to the internal IP / port. I.e.
iptables -t nat -A PREROUTING -i eth0 -d $PUBLIC_IP -p tcp --dport 443 -j DNAT --to-destination $PRIVATE_IP
What you want to do is have a very similar rule to DNAT any outbound
traffic (coming in the internal interface to go out the external
interface) that is destined to the IP and / or port of the service
DNATed over to the internal IP / port as well. I.e.
iptables -t nat -A PREROUTING -i eth1 -d $PUBLIC_IP -p tcp --dport 443 -j DNAT --to-destination $PRIVATE_IP
Now to prevent what I call a "TCP Triangle" you will need to SNAT the
internal traffic that is being redirected back to the $PRIVATE_IP so
that replies pass back through the router and back to the original
client rather than the $PRIVATE_IP replying directly to the original
client. (See 'Julian's TCP Triangle' page
"http://jengelh.medozas.de/images/dnat-mistake.png" for a diagram.)
iptables -t nat -A POSTROUTING -o eth1 -s $PRIVATE_LAN/$NM -d $PRIVATE_IP -j MASQUERADE
Note: You can use either the MASQUERADE or SNAT target depending on
your preferences or whatever is compiled into your kernel. I chose
MASQUERADE so I did not have to take your router's internal IP into
account in the rule(s) above.
> Any assistance in getting it sorted OR a better suggestion would be
> very appeciated (please dont tell me to get new phones!)
Try the above and see if things work.
> Thanks
*nod*
Grant. . . .
* Re: Altering firewall rules to enable NAT Reflection
From: Pascal Hambourg @ 2008-11-08 11:21 UTC (permalink / raw)
To: Mail List - Netfilter
Hello,
Grant Taylor wrote:
>
> What you want to do is have a very similar rule to DNAT any outbound
> traffic (coming in the internal interface to go out the external
> interface) that is destined to the IP and / or port of the service
> DNATed over to the internal IP / port as well. I.e.
>
> iptables -t nat -A PREROUTING -i eth1 -d $PUBLIC_IP -p tcp --dport 443 -j DNAT --to-destination $PRIVATE_IP
And make sure that traffic forwarded from eth1 to eth1 is ACCEPTed in
the filter/FORWARD chain.
> Now to prevent what I call a "TCP Triangle" you will need to SNAT the
> internal traffic that is being redirected back to the $PRIVATE_IP so
> that replies pass back through the router and back to the original
> client rather than the $PRIVATE_IP replying directly to the original
> client. (See 'Julian's TCP Triangle' page
> "http://jengelh.medozas.de/images/dnat-mistake.png" for a diagram.)
>
> iptables -t nat -A POSTROUTING -o eth1 -s $PRIVATE_LAN/$NM -d $PRIVATE_IP -j MASQUERADE
>
> Note: You can use either the MASQUERADE or SNAT target depending on
> your preferences or whatever is compiled into your kernel. I chose
> MASQUERADE so I did not have to take your router's internal IP into
> account in the rule(s) above.
Note both SNAT and MASQUERADE hide the real source address from the
server, which may be annoying for logging or access control purposes.
Source NAT is not required to avoid the "routing triangle" if the server
itself can route the return traffic to the NAT router. This can be
achieved with advanced routing on Linux. Alternatively, the router may
use the NETMAP target instead of SNAT or MASQUERADE to do a 1-to-1
mapping of the source address range into another range, so the original
source address can be retrieved.
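The router-side rule set Grant describes, with Pascal's point about the filter/FORWARD chain folded in, as an added example script that is not from the thread. It assumes eth0 is the external interface and eth1 the LAN, uses constructed addresses, and narrows the SNAT to connections that were actually DNATed (`-m conntrack --ctstate DNAT`) so Internet clients keep their real source address; it prints the rules unless run with IPT=iptables.

```shell
#!/bin/sh
# Hairpin NAT ("NAT reflection") for one port-forwarded service.
# Added example, not the rules from the thread. Assumed layout: eth0 = external
# interface, eth1 = LAN; addresses below are constructed sample values.
# Dry run by default: the rules are printed. Run with IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
EXT_IF=eth0
INT_IF=eth1
PUBLIC_IP=203.0.113.10          # constructed public address (TEST-NET-3)
PRIVATE_LAN=192.168.1.0/24      # LAN behind the router

# hairpin_rules PROTO PUBLIC_PORT PRIVATE_IP [PRIVATE_PORT]
hairpin_rules() {
    proto=$1; pub_port=$2; priv_ip=$3; priv_port=${4:-$2}

    # 1. Ordinary inbound port forward from the Internet.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$PUBLIC_IP" -p "$proto" --dport "$pub_port" \
        -j DNAT --to-destination "$priv_ip:$priv_port"

    # 2. The reflection: LAN clients hitting the public address get the same DNAT.
    $IPT -t nat -A PREROUTING -i "$INT_IF" -d "$PUBLIC_IP" -p "$proto" --dport "$pub_port" \
        -j DNAT --to-destination "$priv_ip:$priv_port"

    # 3. Reflected packets enter and leave on the LAN interface; a FORWARD policy
    #    of DROP would silently eat them, so accept eth1 -> eth1 for this service.
    $IPT -A FORWARD -i "$INT_IF" -o "$INT_IF" -d "$priv_ip" -p "$proto" --dport "$priv_port" \
        -j ACCEPT

    # 4. Source-NAT only the reflected LAN flows (ctstate DNAT = this connection
    #    was DNATed) so the server answers through the router instead of directly
    #    to the client, which would see a reply from the wrong address and reset.
    #    Internet clients are untouched; only LAN clients are hidden from the server.
    $IPT -t nat -A POSTROUTING -o "$INT_IF" -s "$PRIVATE_LAN" -d "$priv_ip" \
        -m conntrack --ctstate DNAT -j MASQUERADE
}

# Reflect HTTPS for the Exchange server, plus a forward whose public and
# private ports differ (like the thread's 2222 -> 22 entry).
hairpin_rules tcp 443 192.168.1.250
hairpin_rules tcp 2222 192.168.1.241 22
```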
* Re: Altering firewall rules to enable NAT Reflection
From: Grant Taylor @ 2008-11-08 18:52 UTC (permalink / raw)
To: Mail List - Netfilter
On 11/8/2008 5:21 AM, Pascal Hambourg wrote:
> And make sure that traffic forwarded from eth1 to eth1 is ACCEPTed in
> the filter/FORWARD chain.
*nod*
> Note both SNAT and MASQUERADE hide the real source address from the
> server, which may be annoying for logging or access control purposes.
> Source NAT is not required to avoid the "routing triangle" if the server
> itself can route the return traffic to the NAT router. This can be
> achieved with advanced routing on Linux. Alternatively, the router may
> use the NETMAP target instead of SNAT or MASQUERADE to do a 1-to-1
> mapping of the source address range into another range, so the original
> source address can be retrieved.
Interesting points.
First, I'd make sure to note that I would SNAT / MASQUERADE / <what
ever> /only/ the traffic from the local LAN (same subnet) and not /all/
the traffic that is being DNATed. So... when the target server receives
traffic it can know that any traffic coming from the NATing device's IP
is from said NATing device or the local LAN (same
subnet). This does not completely negate the negative impact on
logging, but IMHO it does greatly reduce it.
I had not considered using advanced routing to cause the server to
direct "reply" traffic to the local LAN by way of the NATing device.
What / how would you go about doing this? (I ask because I have not
thought about it for more than 15 seconds.) I suppose you could choose
the alternate routing table based on a combination of the source port(s)
and the destination IP address of the reply packets. I.e. if the reply
is coming from a service that has been DNATed and is going back to the
local LAN then go ahead and send it by way of the NATing device.
Grant. . . .
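The server-side policy routing Grant asks about, as an added example that is not from the thread: on the Linux server itself, replies from the forwarded service that are addressed to the LAN are marked and routed via the NAT router, which then undoes its DNAT so the client sees the public address it connected to, with no SNAT on the router. It assumes a Linux server with eth0 on the LAN, the router at 192.168.1.1, constructed table and mark numbers, and prints the commands unless run with IP=ip IPT=iptables SYSCTL=sysctl.

```shell
#!/bin/sh
# Server-side alternative to SNAT on the router. Added example; runs on the
# server, not the router. Addresses, table and mark numbers are constructed.
# Dry run by default: commands are printed. Set IP=ip IPT=iptables SYSCTL=sysctl
# to apply them. The router still needs its DNAT rules and eth1 -> eth1 FORWARD accept.
IP="${IP:-echo ip}"
IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"
LAN=192.168.1.0/24
ROUTER=192.168.1.1          # NAT router's LAN address (assumed)
LAN_IF=eth0                 # server's LAN interface (assumed)
TABLE=100                   # alternate routing table
MARK=0x1                    # fwmark that selects the alternate table

# hairpin_reply_route PROTO SERVICE_PORT
hairpin_reply_route() {
    proto=$1; port=$2
    # Alternate table: LAN destinations are reached via the router, not directly.
    $IP route replace "$LAN" via "$ROUTER" dev "$LAN_IF" table "$TABLE"
    # Packets carrying the mark consult that table instead of the main one.
    $IP rule add fwmark "$MARK" lookup "$TABLE"
    # Mark locally generated replies from the service that are headed for the LAN.
    # The server cannot tell a reflected connection from a direct LAN connection
    # to its own address (same addresses on the wire), so direct LAN replies take
    # the extra hop through the router as well.
    $IPT -t mangle -A OUTPUT -p "$proto" --sport "$port" -d "$LAN" -j MARK --set-mark "$MARK"
    # The router will advertise the shorter direct path with ICMP redirects;
    # ignoring them on the server keeps the replies flowing through the router.
    $SYSCTL -w "net.ipv4.conf.$LAN_IF.accept_redirects=0"
}

# Route HTTPS replies for the Exchange server through the NAT router.
hairpin_reply_route tcp 443
```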
* Re: Altering firewall rules to enable NAT Reflection
From: Simon @ 2008-11-09 23:14 UTC (permalink / raw)
To: netfilter
On Sat, Nov 8, 2008 at 8:00 AM, Grant Taylor <gtaylor@riverviewtech.net> wrote:
> Try the above and see if things work.
Thanks for the replies to date!
I had a look through the firewall rules that are created by the web
interface and have this in the /etc/firewall/portfw/iptablesportfw
file:
iptables -t nat -F PORTFW
iptables -t nat -F POSTPORTFW
iptables -F PORTFWACCESS
iptables -t nat -A PORTFW -d 192.168.2.2 -j DNAT -p tcp --dport 80 --to-destination 192.168.1.241:80
iptables -t filter -A PORTFWACCESS -s 0/0 -d 192.168.1.241 -p tcp --dport 80 -j ALLOW
iptables -t nat -A PORTFW -d 192.168.2.2 -j DNAT -p tcp --dport 443 --to-destination 192.168.1.250:443
iptables -t filter -A PORTFWACCESS -s 0/0 -d 192.168.1.250 -p tcp --dport 443 -j ALLOW
iptables -t nat -A PORTFW -d 192.168.2.2 -j DNAT -p tcp --dport 2222 --to-destination 192.168.1.241:22
iptables -t filter -A PORTFWACCESS -s 0/0 -d 192.168.1.241 -p tcp --dport 22 -j ALLOW
iptables -t nat -A PORTFW -d 192.168.2.2 -j DNAT -p tcp --dport 2525 --to-destination 192.168.1.250:25
iptables -t filter -A PORTFWACCESS -s 210.xx.xx.xxx -d 192.168.1.250 -p tcp --dport 25 -j ALLOW
iptables -t nat -A PORTFW -d 192.168.2.2 -j DNAT -p tcp --dport 4125 --to-destination 192.168.1.250:4125
iptables -t filter -A PORTFWACCESS -s 0/0 -d 192.168.1.250 -p tcp --dport 4125 -j ALLOW
iptables -t nat -A PORTFW -d 192.168.2.2 -j DNAT -p tcp --dport 20 --to-destination 192.168.1.241:20
iptables -t filter -A PORTFWACCESS -s 0/0 -d 192.168.1.241 -p tcp --dport 20 -j ALLOW
iptables -t nat -A PORTFW -d 192.168.2.2 -j DNAT -p tcp --dport 21 --to-destination 192.168.1.241:21
iptables -t filter -A PORTFWACCESS -s 0/0 -d 192.168.1.241 -p tcp --dport 21 -j ALLOW
iptables -t nat -A PORTFW -d 192.168.2.2 -j DNAT -p udp --dport 4569 --to-destination 192.168.1.247:4569
iptables -t filter -A PORTFWACCESS -s 202.xx.xx.xxx -d 192.168.1.247 -p udp --dport 4569 -j ALLOW
Which is close, but not the same as your example above... have I got
the right section here?
Simon
* Re: Altering firewall rules to enable NAT Reflection
From: Grant Taylor @ 2008-11-10 1:26 UTC (permalink / raw)
To: Mail List - Netfilter
On 11/07/08 17:14, Simon wrote:
> Thanks for the replies to date!
You are welcome.
> I had a look through the firewall rules that are created by the web
> interface and have this in the /etc/firewall/portfw/iptablesportfw file:
<snip>
> Which is close, but not the same as your example above... have I got the
> right section here?
Without knowing anything about what "... the web interface ..." is I
can't say anything about where you are at.
However your rules look like they are doing the DNATing (presuming that
your "external" IP is 192.168.2.2) properly (presuming that
192.168.1.<something> is your internal IP). However you are not doing
any SNATing to hide the fact that your internal LAN clients are being
redirected back to the internal server when they try to reach the
external IP.
Grant. . . .
* Re: Altering firewall rules to enable NAT Reflection
From: Simon @ 2008-11-10 3:06 UTC (permalink / raw)
To: netfilter
On Mon, Nov 10, 2008 at 2:26 PM, Grant Taylor <gtaylor@riverviewtech.net> wrote:
> Without knowing anything about what "... the web interface ..." is I can't
> say anything about where you are at.
>
> However your rules look like they are doing the DNATing (presuming that your
> "external" IP is 192.168.2.2) properly (presuming that 192.168.1.<something>
> is your internal IP). However you are not doing any SNATing to hide the
> fact that your internal LAN clients are being redirected back to the
> internal server when they try to reach the external IP.
OK.. I've got it. I changed the external interface to PPPoE and also
changed from IPCOP to Endian firewall. In Endian, there is a nice
pretty GUI with an "Enable SNAT" checkbox.
Ohh ahh, it's working!
Thanks for your help anyways, I learnt some more!
Simon
* Re: Altering firewall rules to enable NAT Reflection
From: Grant Taylor @ 2008-11-10 4:39 UTC (permalink / raw)
To: Mail List - Netfilter
On 11/9/2008 9:06 PM, Simon wrote:
> OK.. I've got it. I changed the external interface to PPPoE and also
> changed from IPCOP to Endian firewall. In Endian, there is a nice
> pretty GUI with an "Enable SNAT" checkbox.
*nod*
> Ohh ahh, it's working!
Good!
> Thanks for your help anyways, I learnt some more!
You are welcome.
For the record and those who might be searching the archives in the
future, will you please do a quick overview of what you did to make this
work? Thanks.
Grant. . . .
* Re: Altering firewall rules to enable NAT Reflection
From: Simon @ 2008-11-13 1:30 UTC (permalink / raw)
To: Mail List - Netfilter
On Mon, Nov 10, 2008 at 5:39 PM, Grant Taylor <gtaylor@riverviewtech.net> wrote:
> For the record and those who might be searching the archives in the future,
> will you please do a quick overview of what you did to make this work?
> Thanks.
Sure! Changed from IPCOP to Endian firewall and enabled the SNAT
function on the port forward rule :)