1:1 NAT on Ubuntu Server

Discussion in 'HOWTO-Related Questions' started by Seth, Jan 11, 2009.

  1. Seth

    Seth New Member

    Asking here due to the excellent Howto: "Gateway, Iptables, Port Forwarding, DNS And DHCP Setup - Ubuntu 8.10"

    I am moving from a freeBSD router/gateway computer to Ubuntu Server, and am stuck on 1:1 Nat'ing.

    I have a class C subnet from my ISP, and connect using PPPoE. ( Class C? I get 8 IPs, one for routing, one on the other end for broadcast, so 6 usable )

    In freeBSD the PPP daemon could do nat'ing, and was as easy as:

    ppp.conf: ( public IPs changed to protect me )

    ...

    nat enable yes
    nat addr 192.168.1.2 x.x.x.170
    nat addr 192.168.1.3 x.x.x.171
    nat addr 192.168.1.4 x.x.x.172
    nat addr 192.168.1.5 x.x.x.173
    nat addr 192.168.1.6 x.x.x.174
    nat same_ports yes
    nat use_sockets yes

    ...

    ( 192.168.1.1 is the route/computer/gateway, at x.x.x.169 )

    Would someone have some suggestions on how to configure iptables to provide this behavior? ( Or whatever else can do it )

    ( selected IPs get an external IP through NAT ( snat? ), all other IPs get normal NAT )

    I find a distinct lack of google-able material on this subject, seems odd, I didn't think I was doing anything too exotic.

    I installed ipmasq, and its getting me what I expect as a normal NAT for now.

    Thanks,
    Seth
     
  2. Seth

    Seth New Member

    Played around a LOT with iptables, crash course and all that.

    I have something that is working, curious if anyone can poke holes in it.

    Here is what I add ( this is added after ipmasq starts ):
    iptables -t nat -I PREROUTING -i ppp0 -j DNAT -d $EXT --to $INT
    iptables -t nat -I POSTROUTING -j SNAT -s $INT --to $EXT
    iptables -I FORWARD -d $INT -j ACCEPT

    And that seems to give me the behavior I want, namely anything from the $INT IP gets to the external world as coming from the $EXT IP, and hits to the $EXT IP show up on the $INT IP address.

    I tested both with ping from work, and shields up.

    I understand its as if the $INT IP is right on the internet at the $EXT IP Address, and have the machine locked down ( I hope :) ) to allow that.

    Will this mess anyting else up? I'm thinking I ought to constrain the second iptables command to -o ppp0, so machine to machine doesn't go weird. Also, why do I forward the INT, not the EXT? ( That's what worked ). Does that take place before ( PREROUTING ) the forward?

    ( I think I just lucked out, I just started messing with iptables in ways that looked right, and got to this :) ).

    Any and all comments/criticisms welcome.

    Seth
     
  3. jeff_k

    jeff_k New Member

    I am not familiar with 1:1 NAT, but you have a great lab there to get up to speed... which sounds like what you have done. The best iptables tutorial I know of is http://iptables-tutorial.frozentux.net/iptables-tutorial.html, you might have already found it. No one can argue with a setup that works. It sounds like you already have tested it from the outside... I'd recommend using nmap for checking the inside, to see what the various nodes can see inside your network. You could use netcat (may be nc from the command line, depending on linux version/flavor) for trying some connections between the machines, to verify that they can see each other on the ports you expect to be open to one another. There are some good tutorials around on netcat, let me know if you need links.
     
  4. archerjd

    archerjd ISPConfig Developer

    Hi Seth,
    I understand where you are coming from as I have personally had to configure a server that a similar configuration. I had a pppoe connection with the same setup and all addresses are static. This being the case I configured all my interfaces with static addresses. I had to map several ports from one public address to an internal web and DNS server. I bagan to use ipmasq for the firewall as it did everything automatically, but eventually ran into some issues.
    ipmasq seemed a little inadequate for my configuration. I needed something that I could easily make modifications with. I haven't found any web interface or gui that was simple enough or had enough advanced options for ipmasq so I dumped the iptables config to a file and uninstalled ipmasq.

    Code:
    sudo -s
    iptables-save >/root/iptables-rules
    apt-get remove ipmasq
    When ipmasq is shutdown the ipdables rules get reset.
    So I reloaded the rules that I saved before.

    Code:
    iptables-restore < /root/iptables-rules
    I have had some experience with webmin's linux firewall GUI so I installed webmin.

    Code:
    echo deb http://download.webmin.com/download/repository sarge contrib >>/etc/apt/sources.list
    cd /root
    wget http://www.webmin.com/jcameron-key.asc
    apt-key add jcameron-key.asc
    apt-get update
    apt-get install webmin
    After Installing webmin you can connect to it via this address:
    https://localhost:10000/

    Webmin generates a self-signed certificate so you will have to accept the cert. Webmin's linux firewall module is a very powerfull firewall editor but it can be confusing. Let me know if you need further assistance.

    BTW, jeff_k's post with the link is a very exhaustive and informative document as I have referenced it my self on occasion.
    Kudos to Oskar Andreasson for writing this.

    I have found netfilter to be a very extensive and complete firewall and it even exceeds the capability of Cisco firewalls when iproute is installed.
    It's amazing what you can do with policy routing and netfilter.

    -Archer
     
  5. Seth

    Seth New Member

    Thank you both for your suggestions.

    jeff_k, that is an excellent site, and helped me understand more what I was doing. I will check out the suggested applications.

    Thanks a lot archerjd, I found your commands very useful. I found the /etc/ppp/ip-up.d/<scripts> setup, and put the iptables-reload into there, along with the additions for the 1:1 nat'ing, and its working fine.

    Webadmin is pretty slick too :).

    Now I just need to figure out a dynamic response to the DNS spoofing or cache poisoning I'm seeing:
    Jan 20 17:52:11 main named[4821]: client 66.230.160.1#38678: query (cache) './NS/IN' denied
    Jan 20 17:52:11 main named[4821]: client 66.230.160.1#14730: query (cache) './NS/IN' denied
    Jan 20 17:52:12 main named[4821]: client 66.230.128.15#25347: query (cache) './NS/IN' denied

    ( Followed a couple threads about it, manually stopped addresses, but it keeps changing... )

    Seth
     
  6. Seth

    Seth New Member

Share This Page