Asking here due to the excellent Howto: "Gateway, Iptables, Port Forwarding, DNS And DHCP Setup - Ubuntu 8.10". I am moving from a FreeBSD router/gateway computer to Ubuntu Server, and am stuck on 1:1 NATing. I have a class C subnet from my ISP, and connect using PPPoE. ( Class C? I get 8 IPs, one for routing, one on the other end for broadcast, so 6 usable ) In FreeBSD the PPP daemon could do NATing, and it was as easy as:

ppp.conf: ( public IPs changed to protect me )
...
nat enable yes
nat addr 192.168.1.2 x.x.x.170
nat addr 192.168.1.3 x.x.x.171
nat addr 192.168.1.4 x.x.x.172
nat addr 192.168.1.5 x.x.x.173
nat addr 192.168.1.6 x.x.x.174
nat same_ports yes
nat use_sockets yes
...

( 192.168.1.1 is the router/computer/gateway, at x.x.x.169 )

Would someone have some suggestions on how to configure iptables to provide this behavior? ( Or whatever else can do it ) ( selected IPs get an external IP through NAT ( SNAT? ), all other IPs get normal NAT ) I find a distinct lack of google-able material on this subject; it seems odd, I didn't think I was doing anything too exotic. I installed ipmasq, and it's getting me what I expect as a normal NAT for now.

Thanks, Seth
Played around a LOT with iptables, crash course and all that. I have something that is working; curious if anyone can poke holes in it. Here is what I add ( this is added after ipmasq starts ):

iptables -t nat -I PREROUTING -i ppp0 -j DNAT -d $EXT --to $INT
iptables -t nat -I POSTROUTING -j SNAT -s $INT --to $EXT
iptables -I FORWARD -d $INT -j ACCEPT

And that seems to give me the behavior I want, namely anything from the $INT IP gets to the external world as coming from the $EXT IP, and hits to the $EXT IP show up on the $INT IP address. I tested both with ping from work, and Shields Up. I understand it's as if the $INT IP is right on the internet at the $EXT IP address, and have the machine locked down ( I hope ) to allow that. Will this mess anything else up? I'm thinking I ought to constrain the second iptables command to -o ppp0, so machine to machine doesn't go weird. Also, why do I forward the INT, not the EXT? ( That's what worked ). Does that take place before ( PREROUTING ) the forward? ( I think I just lucked out, I just started messing with iptables in ways that looked right, and got to this ). Any and all comments/criticisms welcome. Seth
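The three rules above, generalized to a table of mappings and restricted to the PPPoE interface as Seth suggests, as an added example that is not part of the thread. The public addresses are constructed placeholders from the 203.0.113.0/24 documentation range, and IPT defaults to a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example (not the poster's script): emit 1:1 NAT rules for a list of
# internal -> public mappings, restricted to the PPPoE link.
# Set IPT=iptables to apply for real; the default only prints the commands.
IPT="${IPT:-echo iptables}"
WAN="${WAN:-ppp0}"

# Constructed mapping table: internal address, public address (placeholders).
MAPPINGS="
192.168.1.2 203.0.113.170
192.168.1.3 203.0.113.171
192.168.1.4 203.0.113.172
"

# one_to_one INT EXT: the three rules for a single mapping.
# DNAT in PREROUTING rewrites the destination before the routing decision,
# so by the time a packet reaches FORWARD it is addressed to $INT; that is
# why the ACCEPT must match -d $INT rather than -d $EXT.
# -I (insert) is used so these land ahead of ipmasq's generic MASQUERADE rule.
one_to_one() {
    int="$1"; ext="$2"
    # Inbound: packets arriving on the WAN link for $EXT go to $INT.
    $IPT -t nat -I PREROUTING -i "$WAN" -d "$ext" -j DNAT --to-destination "$int"
    # Outbound: only packets leaving via the WAN link get the public source,
    # so LAN-to-LAN traffic keeps its private address.
    $IPT -t nat -I POSTROUTING -o "$WAN" -s "$int" -j SNAT --to-source "$ext"
    # Let the already-DNATed packets from the WAN link through the filter table.
    $IPT -I FORWARD -i "$WAN" -d "$int" -j ACCEPT
}

# apply_all: run one_to_one for every non-empty line of MAPPINGS.
apply_all() {
    echo "$MAPPINGS" | while read -r int ext; do
        if [ -n "$int" ]; then
            one_to_one "$int" "$ext"
        fi
    done
}

# rule_count: number of rules apply_all emits (three per mapping).
rule_count() {
    apply_all | wc -l | tr -d ' '
}

apply_all
```

Hook the script into /etc/ppp/ip-up.d/ so the rules are re-applied whenever the PPPoE session comes up.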
I am not familiar with 1:1 NAT, but you have a great lab there to get up to speed... which sounds like what you have done. The best iptables tutorial I know of is http://iptables-tutorial.frozentux.net/iptables-tutorial.html; you might have already found it. No one can argue with a setup that works. It sounds like you already have tested it from the outside... I'd recommend using nmap for checking the inside, to see what the various nodes can see inside your network. You could use netcat (may be nc from the command line, depending on Linux version/flavor) for trying some connections between the machines, to verify that they can see each other on the ports you expect to be open to one another. There are some good tutorials around on netcat; let me know if you need links.
Hi Seth, I understand where you are coming from as I have personally had to configure a server that had a similar configuration. I had a pppoe connection with the same setup and all addresses are static. This being the case I configured all my interfaces with static addresses. I had to map several ports from one public address to an internal web and DNS server. I began to use ipmasq for the firewall as it did everything automatically, but eventually ran into some issues. ipmasq seemed a little inadequate for my configuration. I needed something that I could easily make modifications with. I haven't found any web interface or GUI that was simple enough or had enough advanced options for ipmasq, so I dumped the iptables config to a file and uninstalled ipmasq.

Code:
sudo -s
iptables-save >/root/iptables-rules
apt-get remove ipmasq

When ipmasq is shut down the iptables rules get reset. So I reloaded the rules that I saved before.

Code:
iptables-restore < /root/iptables-rules

I have had some experience with webmin's linux firewall GUI so I installed webmin.

Code:
echo deb http://download.webmin.com/download/repository sarge contrib >>/etc/apt/sources.list
cd /root
wget http://www.webmin.com/jcameron-key.asc
apt-key add jcameron-key.asc
apt-get update
apt-get install webmin

After installing webmin you can connect to it via this address: https://localhost:10000/ Webmin generates a self-signed certificate so you will have to accept the cert. Webmin's linux firewall module is a very powerful firewall editor but it can be confusing. Let me know if you need further assistance. BTW, jeff_k's post with the link is a very exhaustive and informative document, as I have referenced it myself on occasion. Kudos to Oskar Andreasson for writing this. I have found netfilter to be a very extensive and complete firewall and it even exceeds the capability of Cisco firewalls when iproute is installed. It's amazing what you can do with policy routing and netfilter. -Archer
Thank you both for your suggestions. jeff_k, that is an excellent site, and helped me understand more what I was doing. I will check out the suggested applications. Thanks a lot archerjd, I found your commands very useful. I found the /etc/ppp/ip-up.d/<scripts> setup, and put the iptables-reload into there, along with the additions for the 1:1 NATing, and it's working fine. Webmin is pretty slick too. Now I just need to figure out a dynamic response to the DNS spoofing or cache poisoning I'm seeing:

Jan 20 17:52:11 main named[4821]: client 66.230.160.1#38678: query (cache) './NS/IN' denied
Jan 20 17:52:11 main named[4821]: client 66.230.160.1#14730: query (cache) './NS/IN' denied
Jan 20 17:52:12 main named[4821]: client 66.230.128.15#25347: query (cache) './NS/IN' denied

( Followed a couple of threads about it, manually stopped addresses, but it keeps changing... ) Seth
And from here: http://www.linuxquestions.org/questions/linux-security-4/dns-poisoning-attempts-i-think-629574/ I found: http://rob.pectol.com/dnsexploit.txt, which is doing a nice job of dynamically denying the requests. Now to figure out where to make it a permanent service ( for now ). Seth
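An added example, not the script linked above, that tallies the denied './NS/IN' messages quoted in Seth's earlier post per client address and turns the repeat offenders into drop rules. The log lines are constructed samples in the same named format, using documentation addresses, and IPT defaults to printing the commands rather than applying them.

```shell
#!/bin/sh
# Added example (not the pectol script): count named "query (cache) './NS/IN'
# denied" lines per client and emit drop rules for clients over a threshold.
IPT="${IPT:-echo iptables}"   # set IPT=iptables to apply the rules for real

# Constructed sample log in the format the poster quoted (RFC 5737 addresses).
sample_log() {
cat <<'EOF'
Jan 20 17:52:11 main named[4821]: client 198.51.100.7#38678: query (cache) './NS/IN' denied
Jan 20 17:52:11 main named[4821]: client 198.51.100.7#14730: query (cache) './NS/IN' denied
Jan 20 17:52:12 main named[4821]: client 203.0.113.15#25347: query (cache) './NS/IN' denied
Jan 20 17:52:13 main named[4821]: client 198.51.100.7#40001: query (cache) './NS/IN' denied
Jan 20 17:52:14 main named[4821]: client 192.0.2.9#5353: query: www.example.com IN A +
EOF
}

# denied_root_ns_by_client THRESHOLD < log
# Prints "count ip" for each client with at least THRESHOLD denied root-NS
# cache queries, most frequent first.  Other query log lines are ignored.
denied_root_ns_by_client() {
    threshold="${1:-1}"
    awk -v min="$threshold" '
        /query \(cache\) / && /\.\/NS\/IN/ && / denied$/ {
            # the field after "client" is "addr#port:"; keep the address part
            for (i = 1; i <= NF; i++) if ($i == "client") {
                split($(i + 1), parts, "#"); hits[parts[1]]++
            }
        }
        END { for (ip in hits) if (hits[ip] >= min) printf "%d %s\n", hits[ip], ip }
    ' | sort -rn
}

# drop_rules THRESHOLD < log
# Emits one INPUT rule per offender dropping further UDP/53 from that source.
# Source addresses in these floods are frequently spoofed, so review the list
# before applying it: a rule may block the spoofed third party, not the sender.
drop_rules() {
    denied_root_ns_by_client "$1" | while read -r count ip; do
        $IPT -I INPUT -p udp --dport 53 -s "$ip" -j DROP
    done
}

sample_log | drop_rules 2
```

In production, feed the live log instead of sample_log, e.g. `tail -n 500 /var/log/syslog | drop_rules 10`.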