#1  
Old 11th January 2009, 19:03
Seth Seth is offline
Junior Member
 
Join Date: Jan 2009
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts
Default 1:1 NAT on Ubuntu Server

Asking here due to the excellent Howto: "Gateway, Iptables, Port Forwarding, DNS And DHCP Setup - Ubuntu 8.10"

I am moving from a freeBSD router/gateway computer to Ubuntu Server, and am stuck on 1:1 Nat'ing.

I have a class C subnet from my ISP, and connect using PPPoE. ( Class C? I get 8 IPs, one for routing, one on the other end for broadcast, so 6 usable )

In freeBSD the PPP daemon could do nat'ing, and was as easy as:

ppp.conf: ( public IPs changed to protect me )

...

nat enable yes
nat addr 192.168.1.2 x.x.x.170
nat addr 192.168.1.3 x.x.x.171
nat addr 192.168.1.4 x.x.x.172
nat addr 192.168.1.5 x.x.x.173
nat addr 192.168.1.6 x.x.x.174
nat same_ports yes
nat use_sockets yes

...

( 192.168.1.1 is the route/computer/gateway, at x.x.x.169 )

Would someone have some suggestions on how to configure iptables to provide this behavior? ( Or whatever else can do it )

( selected IPs get an external IP through NAT ( snat? ), all other IPs get normal NAT )

I find a distinct lack of google-able material on this subject, seems odd, I didn't think I was doing anything too exotic.

I installed ipmasq, and its getting me what I expect as a normal NAT for now.

Thanks,
Seth
Reply With Quote
Sponsored Links
  #2  
Old 12th January 2009, 06:16
Seth Seth is offline
Junior Member
 
Join Date: Jan 2009
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Played around a LOT with iptables, crash course and all that.

I have something that is working, curious if anyone can poke holes in it.

Here is what I add ( this is added after ipmasq starts ):
iptables -t nat -I PREROUTING -i ppp0 -j DNAT -d $EXT --to $INT
iptables -t nat -I POSTROUTING -j SNAT -s $INT --to $EXT
iptables -I FORWARD -d $INT -j ACCEPT

And that seems to give me the behavior I want, namely anything from the $INT IP gets to the external world as coming from the $EXT IP, and hits to the $EXT IP show up on the $INT IP address.

I tested both with ping from work, and shields up.

I understand its as if the $INT IP is right on the internet at the $EXT IP Address, and have the machine locked down ( I hope ) to allow that.

Will this mess anyting else up? I'm thinking I ought to constrain the second iptables command to -o ppp0, so machine to machine doesn't go weird. Also, why do I forward the INT, not the EXT? ( That's what worked ). Does that take place before ( PREROUTING ) the forward?

( I think I just lucked out, I just started messing with iptables in ways that looked right, and got to this ).

Any and all comments/criticisms welcome.

Seth
Reply With Quote
  #3  
Old 15th January 2009, 22:24
jeff_k jeff_k is offline
Junior Member
 
Join Date: Jan 2009
Location: San Diego, CA USA
Posts: 6
Thanks: 0
Thanked 0 Times in 0 Posts
Default

I am not familiar with 1:1 NAT, but you have a great lab there to get up to speed... which sounds like what you have done. The best iptables tutorial I know of is http://iptables-tutorial.frozentux.n...-tutorial.html, you might have already found it. No one can argue with a setup that works. It sounds like you already have tested it from the outside... I'd recommend using nmap for checking the inside, to see what the various nodes can see inside your network. You could use netcat (may be nc from the command line, depending on linux version/flavor) for trying some connections between the machines, to verify that they can see each other on the ports you expect to be open to one another. There are some good tutorials around on netcat, let me know if you need links.
Reply With Quote
  #4  
Old 16th January 2009, 02:39
archerjd archerjd is offline
Member
 
Join Date: Dec 2006
Posts: 66
Thanks: 6
Thanked 6 Times in 6 Posts
Default

Hi Seth,
I understand where you are coming from as I have personally had to configure a server that a similar configuration. I had a pppoe connection with the same setup and all addresses are static. This being the case I configured all my interfaces with static addresses. I had to map several ports from one public address to an internal web and DNS server. I bagan to use ipmasq for the firewall as it did everything automatically, but eventually ran into some issues.
ipmasq seemed a little inadequate for my configuration. I needed something that I could easily make modifications with. I haven't found any web interface or gui that was simple enough or had enough advanced options for ipmasq so I dumped the iptables config to a file and uninstalled ipmasq.

Code:
sudo -s
iptables-save >/root/iptables-rules
apt-get remove ipmasq
When ipmasq is shutdown the ipdables rules get reset.
So I reloaded the rules that I saved before.

Code:
iptables-restore < /root/iptables-rules
I have had some experience with webmin's linux firewall GUI so I installed webmin.

Code:
echo deb http://download.webmin.com/download/repository sarge contrib >>/etc/apt/sources.list
cd /root
wget http://www.webmin.com/jcameron-key.asc
apt-key add jcameron-key.asc
apt-get update
apt-get install webmin
After Installing webmin you can connect to it via this address:
https://localhost:10000/

Webmin generates a self-signed certificate so you will have to accept the cert. Webmin's linux firewall module is a very powerfull firewall editor but it can be confusing. Let me know if you need further assistance.

BTW, jeff_k's post with the link is a very exhaustive and informative document as I have referenced it my self on occasion.
Kudos to Oskar Andreasson for writing this.

I have found netfilter to be a very extensive and complete firewall and it even exceeds the capability of Cisco firewalls when iproute is installed.
It's amazing what you can do with policy routing and netfilter.

-Archer
__________________
The very powerful and the very stupid have one thing in common.
Instead of altering their views to fit the facts, they alter the facts
to fit their views ... which can be very uncomfortable if you happen to
be one of the facts that needs altering.

-- Doctor Who, "Face of Evil"
Reply With Quote
  #5  
Old 21st January 2009, 01:52
Seth Seth is offline
Junior Member
 
Join Date: Jan 2009
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Thank you both for your suggestions.

jeff_k, that is an excellent site, and helped me understand more what I was doing. I will check out the suggested applications.

Thanks a lot archerjd, I found your commands very useful. I found the /etc/ppp/ip-up.d/<scripts> setup, and put the iptables-reload into there, along with the additions for the 1:1 nat'ing, and its working fine.

Webadmin is pretty slick too .

Now I just need to figure out a dynamic response to the DNS spoofing or cache poisoning I'm seeing:
Jan 20 17:52:11 main named[4821]: client 66.230.160.1#38678: query (cache) './NS/IN' denied
Jan 20 17:52:11 main named[4821]: client 66.230.160.1#14730: query (cache) './NS/IN' denied
Jan 20 17:52:12 main named[4821]: client 66.230.128.15#25347: query (cache) './NS/IN' denied

( Followed a couple threads about it, manually stopped addresses, but it keeps changing... )

Seth
Reply With Quote
  #6  
Old 21st January 2009, 02:19
Seth Seth is offline
Junior Member
 
Join Date: Jan 2009
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts
 
Default

And from here:
http://www.linuxquestions.org/questi...-think-629574/

Found:
http://rob.pectol.com/dnsexploit.txt

Which is doing a nice job of dynamically denying the requests.

Now to figure out where to make it a permanent service ( for now ).

Seth
Reply With Quote
Reply

Bookmarks

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
What can be wrong martin_rudowicz Installation/Configuration 9 11th May 2008 19:42
cacti problem - graphs have huge gaps Chip Installation/Configuration 7 7th February 2008 23:24
The Perfect Setup - Ubuntu 6.10 Server Question n74jw HOWTO-Related Questions 5 27th January 2008 12:14
Problems with Postfix Mysql Courier PatrickAdrichem Installation/Configuration 3 13th April 2007 15:44
Logging on to an ubuntu server DMJ HOWTO-Related Questions 3 8th January 2006 00:24


All times are GMT +2. The time now is 13:57.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.