* NAT WAN IP to internal range?
From: Andrew Stone @ 2011-12-19 3:20 UTC (permalink / raw)
To: netfilter
Hello,
I am having a bit of trouble following the documentation on assigning
a range of NATed IPs.
My router has several external IPs assigned to the WAN interface:
WANIF=`get_wanface`
ifconfig $WANIF:1 a.b.c.241 netmask 255.255.255.248 broadcast a.b.c.247
ifconfig $WANIF:2 a.b.c.242 netmask 255.255.255.248 broadcast a.b.c.247
ifconfig $WANIF:3 a.b.c.243 netmask 255.255.255.248 broadcast a.b.c.247
Then I have successfully configured a single internal machine natted
with the 241 address like so:
iptables -t nat -I PREROUTING -d a.b.c.241 -j DNAT --to-destination 192.168.1.69
iptables -t nat -I POSTROUTING -s 192.168.1.69 -j SNAT --to-source a.b.c.241
That works great, but I need the second IP (242) to be the external IP
for a _range_ of internal IPs
I have tried this however it does not appear to work:
iptables -t nat -A PREROUTING -d a.b.c.242 -j DNAT --to-destination 192.168.1.100-192.168.1.150
iptables -t nat -A POSTROUTING -s 192.168.1.100-192.168.1.150 -j SNAT --to-source 150.101.194.242
This article suggests (at least to me) that this is possible:
http://www.cyberciti.biz/tips/linux-iptables-how-to-specify-a-range-of-ip-addresses-or-ports.html
The ‘Nat how to docs’ seem to suggest that a range can be specified,
but I suspect my usage is wrong?
http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-6.html#ss6.2
How do I NAT a WAN IP to a range of internal IPs?
Thanks and kind regards,
Andrew Stone.
* Re: NAT WAN IP to internal range?
From: Andrew Beverley @ 2011-12-21 9:07 UTC (permalink / raw)
To: Andrew Stone; +Cc: netfilter
On Mon, 2011-12-19 at 14:20 +1100, Andrew Stone wrote:
> Hello,
>
> I am having a bit of trouble following the documentation on assigning
> a range of NATed IPs.
Sorry, meant to reply to this earlier but forgot. The previous netfilter
message just reminded me.
> My router has several external IPs assigned to the WAN interface:
>
> WANIF=`get_wanface`
> ifconfig $WANIF:1 a.b.c.241 netmask 255.255.255.248 broadcast a.b.c.247
> ifconfig $WANIF:2 a.b.c.242 netmask 255.255.255.248 broadcast a.b.c.247
> ifconfig $WANIF:3 a.b.c.243 netmask 255.255.255.248 broadcast a.b.c.247
Have you tried configuring the interface using iproute2 instead?
Something like:
ip address add a.b.c.241/29 dev $WANIF broadcast a.b.c.247
Andy
* Re: NAT WAN IP to internal range?
From: Andrew Stone @ 2011-12-29 9:42 UTC (permalink / raw)
To: Andrew Beverley; +Cc: netfilter
Hi Andy,
> Have you tried configuring the interface using iproute2 instead?
>
> Something like:
>
> ip address add a.b.c.241/29 dev $WANIF broadcast a.b.c.247
Thanks for your advice... but still no dice... ?
I now have:
ip address add a.b.c.240/29 dev ppp0 broadcast a.b.c.247
iptables -t nat -I PREROUTING -d a.b.c.241 -j DNAT --to-destination 192.168.1.69
iptables -t nat -I POSTROUTING -s 192.168.1.69 -j SNAT --to-source a.b.c.241
iptables -t nat -A PREROUTING -d a.b.c.242 -j DNAT --to-destination 192.168.1.100-192.168.1.150
iptables -t nat -A POSTROUTING -s 192.168.1.100-192.168.1.150 -j SNAT --to-source a.b.c.242
The .69 machine correctly has .241 ... however the machines located in
the range do not have .242 ?
Is this the correct way to specify a NAT range with iptables?
Cheers,
Andrew.
* Re: NAT WAN IP to internal range?
From: Vigneswaran R @ 2011-12-29 10:54 UTC (permalink / raw)
To: Andrew Stone; +Cc: netfilter
On Thursday 29 December 2011 03:12 PM, Andrew Stone wrote:
> I now have:
>
> ip address add a.b.c.240/29 dev ppp0 broadcast a.b.c.247
>
> iptables -t nat -I PREROUTING -d a.b.c.241 -j DNAT --to-destination 192.168.1.69
> iptables -t nat -I POSTROUTING -s 192.168.1.69 -j SNAT --to-source a.b.c.241
>
> iptables -t nat -A PREROUTING -d a.b.c.242 -j DNAT --to-destination 192.168.1.100-192.168.1.150
> iptables -t nat -A POSTROUTING -s 192.168.1.100-192.168.1.150 -j SNAT --to-source a.b.c.242
>
>
> The .69 machine correctly has .241 ... however the machines located in
> the range do not have .242 ?
>
> Is this the correct way to specify a NAT range with iptables?
From 'man iptables',
"""
In Kernels up to 2.6.10 you can add several --to-destination options.
For those kernels, if you specify more than one destination address,
either via an address range or multiple --to-destination options,
a simple round-robin (one after another in cycle) load balancing
takes place between these addresses. Later Kernels (>= 2.6.11-rc1)
don't have the ability to NAT to multiple ranges anymore.
"""
Regards,
Vignesh
* Re: NAT WAN IP to internal range?
From: Vigneswaran R @ 2011-12-29 11:07 UTC (permalink / raw)
To: Andrew Stone; +Cc: netfilter
On Thursday 29 December 2011 04:24 PM, Vigneswaran R wrote:
> On Thursday 29 December 2011 03:12 PM, Andrew Stone wrote:
>> I now have:
>>
>> ip address add a.b.c.240/29 dev ppp0 broadcast a.b.c.247
>>
>> iptables -t nat -I PREROUTING -d a.b.c.241 -j DNAT --to-destination 192.168.1.69
>> iptables -t nat -I POSTROUTING -s 192.168.1.69 -j SNAT --to-source a.b.c.241
>>
>> iptables -t nat -A PREROUTING -d a.b.c.242 -j DNAT --to-destination 192.168.1.100-192.168.1.150
>> iptables -t nat -A POSTROUTING -s 192.168.1.100-192.168.1.150 -j SNAT --to-source a.b.c.242
>>
>>
>> The .69 machine correctly has .241 ... however the machines located in
>> the range do not have .242 ?
>>
>> Is this the correct way to specify a NAT range with iptables?
>
> From 'man iptables',
>
> """
> In Kernels up to 2.6.10 you can add several --to-destination options.
> For those kernels, if you specify more than one destination address,
> either via an address range or multiple --to-destination options,
> a simple round-robin (one after another in cycle) load balancing
> takes place between these addresses. Later Kernels (>= 2.6.11-rc1)
> don't have the ability to NAT to multiple ranges anymore.
> """
And it seems, to specify a source address range, we need to use
address/mask or a comma (not '-') separated list of such combination.
Syntax:
-s, --source address[/mask][,...]
Regards,
Vignesh
* Re: NAT WAN IP to internal range?
From: Andrew Stone @ 2011-12-29 11:10 UTC (permalink / raw)
To: Vigneswaran R; +Cc: netfilter
>> """
>> In Kernels up to 2.6.10 you can add several --to-destination options.
>> For those kernels, if you specify more than one destination address,
>> either via an address range or multiple --to-destination options,
>> a simple round-robin (one after another in cycle) load balancing
>> takes place between these addresses. Later Kernels (>= 2.6.11-rc1)
>> don't have the ability to NAT to multiple ranges anymore.
>> """
Yeah I read that... It does not describe what I’m trying to
accomplish… hence the confusion on my part…
I’m trying to configure a one to many NAT. (One WAN address to a
range of internal addresses)
So… Looks like I’m trying an incorrect approach... how is one to
configure a one to many NAT? Is there a different approach I can take
to achieve this?
Any pointers appreciated.
Kind regards,
Andrew.
* Re: NAT WAN IP to internal range?
From: Vigneswaran R @ 2011-12-29 11:35 UTC (permalink / raw)
To: Andrew Stone; +Cc: netfilter
On Thursday 29 December 2011 04:40 PM, Andrew Stone wrote:
> Yeah I read that... It does not describe what I’m trying to
> accomplish… hence the confusion on my part…
> I’m trying to configure a one to many NAT. (One WAN address to a
> range of internal addresses)
What are you trying to achieve? Do you want to allow the internal
machines to access Internet? If so, SNAT is sufficient.
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o $WANIF -j SNAT --to-source a.b.c.241
Here I am assuming that 192.168.1.0/24 is your internal network and you
want to allow all the machines. If you want to allow only a few
machines, put a comma separated "address[/mask]" list.
Regards,
Vignesh
* Re: NAT WAN IP to internal range?
From: Andrew Stone @ 2011-12-29 13:38 UTC (permalink / raw)
To: Vigneswaran R; +Cc: netfilter
Thanks Vignesh!
> iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o $WANIF -j SNAT --to-source a.b.c.241
> Here I am assuming that 192.168.1.0/24 is your internal network and you want to allow all the machines. If you want to allow only a few machines, put a comma separated "address[/mask]" list.
Solved it for me... in the end I used:
iptables -t nat -I POSTROUTING -s 192.168.1.96/27 -o ppp0 -j SNAT --to-source a.b.c.241
and matched the range to my DHCP leases. (96 to 127)
Cheers,
Andrew
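An added example, not code from anyone in the thread: iptables' -s option takes address[/mask] (or a comma-separated list of them), never a dotted "a-b" host range, so the helper below turns a DHCP lease range into the minimal set of aligned prefixes and builds the many-to-one SNAT rule from it. It shows why 96..127 collapses to the single /27 used in the final fix while the originally attempted 100..150 would need a list. The interface name and the a.b.c.* addresses are placeholders carried over from the thread.

```python
import ipaddress
from typing import List


def summarize_range(first: str, last: str) -> List[str]:
    """Return the minimal list of CIDR blocks that exactly covers first..last.

    An arbitrary host range is only expressible to iptables as one or more
    prefix-aligned address/mask blocks; this computes that decomposition.
    """
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError("range start must not exceed range end")
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]


def snat_rule(first: str, last: str, wan_if: str, wan_ip: str) -> str:
    """Build the POSTROUTING SNAT rule for the range.

    The comma-separated -s list is the syntax Vignesh pointed to; iptables
    expands it into one rule per block. Restricting with -o keeps the
    rewrite to traffic actually leaving via the WAN interface.
    """
    blocks = summarize_range(first, last)
    return (f"iptables -t nat -A POSTROUTING -s {','.join(blocks)} "
            f"-o {wan_if} -j SNAT --to-source {wan_ip}")


if __name__ == "__main__":
    # Lease range from the thread: 96..127 is a single aligned /27.
    print(snat_rule("192.168.1.96", "192.168.1.127", "ppp0", "a.b.c.241"))
    # The first attempt, 100..150, is not aligned and needs seven blocks.
    print(snat_rule("192.168.1.100", "192.168.1.150", "ppp0", "a.b.c.242"))
```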