SNAT DNAT ??

Protecting your Linux box
sevensins
Havaldaar
Posts: 117
Joined: Tue Apr 13, 2004 1:45 pm
Location: PAKISTAN
Contact:

SNAT DNAT ??

Postby sevensins » Thu Oct 13, 2005 6:16 pm

Salaam,
I am running an FC2 box with transparent squid and masq...

e.g
eth0 202.52.196.1/24 WAN
eth1 190.1.5.1/24 LAN

I have, let's say, a 254 IP pool of WAN addresses as above and would like to have a static mapping to a few LAN addresses...
e.g

190.1.5.10 --> 202.52.196.10
190.1.5.11 --> 202.52.196.11
190.1.5.12 --> 202.52.196.12


would this be the right configuration?
ifconfig eth0:0 202.52.196.10 netmask 255.255.255.0
ifconfig eth0:1 202.52.196.11 netmask 255.255.255.0
ifconfig eth0:2 202.52.196.12 netmask 255.255.255.0

iptables -t nat -A PREROUTING -d 202.52.196.10 -j DNAT --to-destination 190.1.5.10
iptables -t nat -A POSTROUTING -s 190.1.5.10 -j SNAT --to-destination 202.52.196.10

iptables -t nat -A PREROUTING -d 202.52.196.11 -j DNAT --to-destination 190.1.5.11
iptables -t nat -A POSTROUTING -s 190.1.5.11 -j SNAT --to-destination 202.52.196.11

iptables -t nat -A PREROUTING -d 202.52.196.12 -j DNAT --to-destination 190.1.5.12
iptables -t nat -A POSTROUTING -s 190.1.5.12 -j SNAT --to-destination 202.52.196.12

What I would like is that these 3 internal IPs 190.1.5.10-12 should always be NATed as their public IPs, and whenever there is a connection from outside (external) to the respective public IPs, it should be redirected to the respective internal IP..??

Regards,
Shehzad
Regards,

-----------------------------------------------------------------
A wise monkey never monkies w/ another monkey's monkey!

lambda
Major General
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Location: Lahore
Contact:

Re: SNAT DNAT ??

Postby lambda » Fri Oct 14, 2005 9:17 pm

sevensins wrote:would this be the right configuration?

your configuration looks okay. did you try it? does it work? you know you can use tcpdump to watch packets go out and return, right?

sevensins
Havaldaar
Posts: 117
Joined: Tue Apr 13, 2004 1:45 pm
Location: PAKISTAN
Contact:

Postby sevensins » Sat Oct 15, 2005 9:44 pm

AOA,
I did try this and after a little googling....and head banging......this is how I got it to work...


Don't know why ifconfig eth0:0 didn't work....?
Anyways...

ifconfig eth0:1 202.52.196.10 netmask 255.255.255.0
ifconfig eth0:2 202.52.196.11 netmask 255.255.255.0
ifconfig eth0:3 202.52.196.12 netmask 255.255.255.0

iptables -t nat -A PREROUTING -d 202.52.196.10 -j DNAT --to-destination 190.1.5.10
iptables -t nat -A POSTROUTING -s 190.1.5.10 -j SNAT --to 202.52.196.10

iptables -t nat -A PREROUTING -d 202.52.196.11 -j DNAT --to-destination 190.1.5.11
iptables -t nat -A POSTROUTING -s 190.1.5.11 -j SNAT --to 202.52.196.11

iptables -t nat -A PREROUTING -d 202.52.196.12 -j DNAT --to-destination 190.1.5.12
iptables -t nat -A POSTROUTING -s 190.1.5.12 -j SNAT --to 202.52.196.12

regards,
Shehzad
Regards,



-----------------------------------------------------------------

A wise monkey never monkies w/ another monkey's monkey!

LinuxFreaK
Site Admin
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
Location: Karachi
Contact:

Re:

Postby LinuxFreaK » Sun Oct 16, 2005 7:24 pm

Dear sevensins,
Salam,

Yes, eth0:0 in a script or in iptables does not work. This happened to me, so I changed my NIC to a dual NIC!!

Best Regards.
Farrukh Ahmed

syed
Subedar Major
Posts: 439
Joined: Thu Jul 28, 2005 3:51 pm

Help me

Postby syed » Tue Apr 25, 2006 4:51 pm

Mr. Shahzad AOA ,

Can u help me, because I am working on the same solution but not getting any results. My configuration is similar to yours, with a slight change, as shown below:
ifconfig eth0:1 202.52.196.10 netmask 255.255.255.0
ifconfig eth0:2 202.52.196.11 netmask 255.255.255.0
ifconfig eth0:3 202.52.196.12 netmask 255.255.255.0

iptables -t nat -A PREROUTING -d 202.52.196.10 -j DNAT --to-destination 190.1.5.10
iptables -t nat -A POSTROUTING -s 190.1.5.10 -j SNAT --to-source 202.52.196.10

iptables -t nat -A PREROUTING -d 202.52.196.11 -j DNAT --to-destination 190.1.5.11
iptables -t nat -A POSTROUTING -s 190.1.5.11 -j SNAT --to-source 202.52.196.11

iptables -t nat -A PREROUTING -d 202.52.196.12 -j DNAT --to-destination 190.1.5.12
iptables -t nat -A POSTROUTING -s 190.1.5.12 -j SNAT --to-source 202.52.196.12

I have also enabled forwarding on my Linux box, but my clients are not able to access the internet.

The slight difference is that u have used just "--to" but I have used "--to-source" in the SNAT section. So is this the reason for my failure? And u also mentioned a LAN card problem; what is that, in fact? If u guide me I will remain thankful to u.

Best Wishes

Syed Mohammad Raza

LinuxFreaK
Site Admin
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
Location: Karachi
Contact:

Re:

Postby LinuxFreaK » Wed Apr 26, 2006 12:54 pm

Dear syed,
Salam,

Try this rule it will solve your problem.

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Best Regards.
Farrukh Ahmed
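An added example, not code from any poster in this thread: a POSIX shell script that generates the static one-to-one NAT rules sevensins posted, followed by the catch-all MASQUERADE rule Farrukh suggests, from a LAN=public mapping table. It assumes the thread's topology (eth0 as the WAN interface in 202.52.196.0/24, 190.1.5.x as the LAN hosts) and, with the default IPTABLES="echo iptables", only prints the rules so they can be reviewed before being loaded as root. It goes beyond the thread in three ways: each rule is bound to the WAN interface, every public address is checked against the WAN prefix before anything is loaded (a single mistyped octet in a DNAT rule matches nothing and fails silently), and the per-host SNAT rules are appended before MASQUERADE, which matters because the nat chains are first-match.

```shell
#!/bin/sh
# Added example, not from the thread: build the nat-table rule set for
# static 1:1 NAT of a few LAN hosts plus a MASQUERADE catch-all.
# Assumed topology (the thread's): eth0 = WAN in 202.52.196.0/24.
# IPTABLES defaults to "echo iptables" so the script prints the rules;
# run with IPTABLES=iptables as root to load them for real.

WAN_IF="${WAN_IF:-eth0}"
WAN_PREFIX="${WAN_PREFIX:-202.52.196}"     # first three octets of the WAN /24
IPTABLES="${IPTABLES:-echo iptables}"

# One "lan=public" pair per line (constructed from the thread's mapping).
STATIC_MAP="190.1.5.10=202.52.196.10
190.1.5.11=202.52.196.11
190.1.5.12=202.52.196.12"

# Refuse a public address outside the WAN prefix: a DNAT rule for an
# address the box never receives traffic for can never match.
check_mapping() {
    case "$2" in
        "$WAN_PREFIX".*) return 0 ;;
        *) echo "bad mapping $1=$2: $2 is not in $WAN_PREFIX.0/24" >&2; return 1 ;;
    esac
}

# Validate every line before loading anything; "exit 1" leaves the
# pipeline's subshell, so the function returns 1 on the first bad line.
validate_map() {
    echo "$STATIC_MAP" | while IFS='=' read -r lan_ip pub_ip; do
        check_mapping "$lan_ip" "$pub_ip" || exit 1
    done
}

# The two rules for one host. Inbound: packets arriving on the WAN
# interface for the public address go to the LAN host. Outbound: packets
# from that host leaving on the WAN interface carry its own public address
# rather than eth0's primary one. Binding both rules to the WAN interface
# leaves LAN-to-LAN traffic that the box merely routes untouched.
static_nat_rules() {
    lan_ip="$1"; pub_ip="$2"
    $IPTABLES -t nat -A PREROUTING  -i "$WAN_IF" -d "$pub_ip" -j DNAT --to-destination "$lan_ip"
    $IPTABLES -t nat -A POSTROUTING -o "$WAN_IF" -s "$lan_ip" -j SNAT --to-source "$pub_ip"
}

# Whole nat-table rule set. The nat chains are first-match, so the
# per-host SNAT rules must come before the MASQUERADE catch-all; reversed,
# the three hosts would leave with eth0's primary address like everyone else.
build_nat_ruleset() {
    validate_map || return 1
    $IPTABLES -t nat -F PREROUTING
    $IPTABLES -t nat -F POSTROUTING
    echo "$STATIC_MAP" | while IFS='=' read -r lan_ip pub_ip; do
        static_nat_rules "$lan_ip" "$pub_ip"
    done
    # Everything else on the LAN shares the WAN interface's primary address.
    $IPTABLES -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

build_nat_ruleset
```

Two things the rules alone do not give you: the public addresses still have to be configured on eth0 (or routed to the box by the upstream router), otherwise the inbound packets never reach PREROUTING; and MASQUERADE is not limited to dynamically assigned addresses, it simply uses whatever primary address the outgoing interface has at that moment, which is why it works as the catch-all here.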

syed
Subedar Major
Posts: 439
Joined: Thu Jul 28, 2005 3:51 pm

ok

Postby syed » Wed Apr 26, 2006 5:42 pm

AOA 2 ALL

I think this rule is used if we get a dynamic IP (a DHCP server assigns the IP to our machine/firewall). Correct me if I am wrong!!!!!!


Best Wishes

Syed Mohammad Raza

kbukhari
Major General
Posts: 1222
Joined: Sat Dec 31, 2005 12:29 am
Location: Lahore
Contact:

Postby kbukhari » Fri Apr 28, 2006 11:53 am

ifconfig eth0:1 202.52.196.10 netmask 255.255.255.0
ifconfig eth0:2 202.52.196.11 netmask 255.255.255.0
ifconfig eth0:3 202.52.196.12 netmask 255.255.255.0


use
ip addr add dev eth0 202.52.196.10/24
ip addr add dev eth0 202.52.196.11/24
ip addr add dev eth0 202.52.196.12/24

It will add all IPs on eth0.
Don't use virtual interfaces; you can't use them in bash scripting.
--
Syed Kashif Ali Bukhari
+92-345-8444420
http://sysadminsline.com
http://kashifbukhari.com

LinuxFreaK
Site Admin
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
Location: Karachi
Contact:

Re: ok

Postby LinuxFreaK » Sat Apr 29, 2006 8:29 am

Dear syed,
Salam,

syed wrote:I think this rule is used if we get a dynamic IP (a DHCP server assigns the IP to our machine/firewall). Correct me if I am wrong!!!!!!


FYI, http://www.ussrback.com/docs/papers/pro ... g.html.txt

Best Regards.
Farrukh Ahmed

syed
Subedar Major
Posts: 439
Joined: Thu Jul 28, 2005 3:51 pm

OK

Postby syed » Tue May 09, 2006 12:44 pm

AOA ,
Mr. Bukhari ,

OK, if I use your suggested commands and the iptables rules I mentioned, then will it work for my purpose?????????????
If not, then what else do I need to modify?

Waiting for a prompt and kind response!!

"May All U be Under the Shelter Of Allah"


Syed Mohammad Raza

lambda
Major General
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Location: Lahore
Contact:

Re: OK

Postby lambda » Tue May 09, 2006 1:29 pm

syed wrote:OK if i use you suggested commands and ip tables rules i mentioned then will it work for my purpose?????????????

don't you have a linux system? if you do, why don't you experiment with the rules on it? why are you waiting for other people (who don't have access to your network setup) to test the rules for you?

syed
Subedar Major
Posts: 439
Joined: Thu Jul 28, 2005 3:51 pm

Cooooooooool

Postby syed » Wed May 10, 2006 3:09 pm

AOA 2 all

what is ur name i dont know , but cooooooooooooooool down!!!
In fact we have got a live network, so it is difficult to make a test. I have already made an attempt and arranged for testing but failed, and doing or arranging testing again is a big problem, so I need to make sure what exactly is needed. OK, people don't have access to my network, but they may have experienced the same situation that I am in.

So if u r hearted then I am really sorry for that!!!

"May All U be Under Shelter of Allah"

Syed Mohammad Raza

lambda
Major General
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Location: Lahore
Contact:

Re: Cooooooooool

Postby lambda » Wed May 10, 2006 3:30 pm

syed wrote:what is ur name i dont know , but cooooooooooooooool down!!!

my name is everywhere. next time, click on the "homepage" link.

you can always set up a few linux systems on xen and do your testing on that.

syed wrote:So if u r hearted then I am really sorry for that!!!

i was born with a heart.

syed
Subedar Major
Posts: 439
Joined: Thu Jul 28, 2005 3:51 pm

Ok

Postby syed » Wed May 10, 2006 3:55 pm

Nice !!!

Now u seem to have become cool, Mr. Farid. This is the way of a nice man; don't get shot up! Not a good sign for a nice man like u.

Wish u all the best !!!

Syed Mohammad Raza Shah

syed
Subedar Major
Posts: 439
Joined: Thu Jul 28, 2005 3:51 pm

ok

Postby syed » Mon May 15, 2006 2:28 pm

AOA


I have used these commands :

ip addr add dev eth0 202.52.196.10/24
ip addr add dev eth0 202.52.196.11/24
ip addr add dev eth0 202.52.196.12/24

When I use ifconfig to see all the interfaces, then just the loopback and the real NIC IP are shown; no additional interface is there in the list.

So how do I make sure they are added on my machine?

Best Wishes

Syed Mohammad Raza
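An added example, not code from any poster in this thread, for the question above: a POSIX shell script that parses the output of "ip -4 addr show dev eth0" to list the IPv4 addresses an interface really carries, and checks that every public address in a static NAT mapping is among them. The sample output embedded in it is constructed to look like the thread's eth0 after the three "ip addr add" commands; the interface name and addresses are the thread's. The point it demonstrates: addresses added with "ip addr add" and no label are secondary addresses, and net-tools ifconfig shows only the primary address of each interface (plus labelled aliases such as eth0:1), so they are absent from ifconfig's listing even though the kernel answers ARP for them and uses them for SNAT.

```shell
#!/bin/sh
# Added example, not from the thread: verify which IPv4 addresses an
# interface carries by parsing "ip -4 addr show dev <if>" output.
# The sample below is constructed; on a live box feed the real command's
# output into the same functions.

SAMPLE_IP_OUTPUT='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 202.52.196.1/24 brd 202.52.196.255 scope global eth0
    inet 202.52.196.10/24 scope global secondary eth0
    inet 202.52.196.11/24 scope global secondary eth0
    inet 202.52.196.12/24 scope global secondary eth0'

# Print every IPv4 address on the interface, one per line, prefix length stripped.
list_inet_addrs() {
    awk '$1 == "inet" { sub(/\/.*/, "", $2); print $2 }'
}

# Count the secondary (unlabelled, hence ifconfig-invisible) addresses.
count_secondary() {
    awk '$1 == "inet" && / secondary / { n++ } END { print n + 0 }'
}

# Exit 0 if the given address is configured on the interface, 1 otherwise.
addr_present() {
    awk -v want="$1" '$1 == "inet" { sub(/\/.*/, "", $2); if ($2 == want) found = 1 }
                      END { if (found) exit 0; exit 1 }'
}

# Given the public addresses of a static NAT mapping as arguments and
# "ip addr" output on stdin, print the ones the interface does not own.
# Inbound packets for an address the box does not own never arrive at
# PREROUTING, so a DNAT rule for such an address can never match.
missing_public_addrs() {
    addrs=$(list_inet_addrs)
    missing=""
    for pub in "$@"; do
        echo "$addrs" | grep -F -x -q -- "$pub" || missing="$missing $pub"
    done
    printf '%s\n' "${missing# }"
}

# Run against the constructed sample. On a live box:
#   ip -4 addr show dev eth0 | missing_public_addrs 202.52.196.10 202.52.196.11 202.52.196.12
printf '%s\n' "$SAMPLE_IP_OUTPUT" | list_inet_addrs
printf 'secondary addresses: %s\n' "$(printf '%s\n' "$SAMPLE_IP_OUTPUT" | count_secondary)"
```

If ifconfig visibility is wanted anyway, add each address with a label, e.g. "ip addr add 202.52.196.10/24 dev eth0 label eth0:1"; ifconfig then lists it as an alias interface. Either way, "ip addr show dev eth0" is the authoritative view.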

