SNAT DNAT ??

Postby sevensins » Thu Oct 13, 2005 6:16 pm

Salaam,
I am running an FC2 box with transparent squid and masq...

e.g
eth0 202.52.196.1/24 WAN
eth1 190.1.5.1/24 LAN

I have, let's say, a 254-IP pool of WAN addresses as above and would like to have a static mapping to a few LAN addresses...
e.g

190.1.5.10 --> 202.52.196.10
190.1.5.11 --> 202.52.196.11
190.1.5.12 --> 202.52.196.12


would this be the right configuration?
ifconfig eth0:0 202.52.196.10 netmask 255.255.255.0
ifconfig eth0:1 202.52.196.11 netmask 255.255.255.0
ifconfig eth0:2 202.52.196.12 netmask 255.255.255.0

iptables -t nat -A PREROUTING -d 202.52.196.10 -j DNAT --to-destination 190.1.5.10
iptables -t nat -A POSTROUTING -s 190.1.5.10 -j SNAT --to-source 202.52.196.10

iptables -t nat -A PREROUTING -d 202.52.196.11 -j DNAT --to-destination 190.1.5.11
iptables -t nat -A POSTROUTING -s 190.1.5.11 -j SNAT --to-source 202.52.196.11

iptables -t nat -A PREROUTING -d 202.52.196.12 -j DNAT --to-destination 190.1.5.12
iptables -t nat -A POSTROUTING -s 190.1.5.12 -j SNAT --to-source 202.52.196.12

What I would like is that these 3 internal IPs 190.1.5.10-12 should always be NATed to their public IPs, and whenever there is a connection from outside (external) to one of the public IPs, it should be redirected to the respective internal IP..??

Regards,
Shehzad

Re: SNAT DNAT ??

Postby lambda » Fri Oct 14, 2005 9:17 pm

sevensins wrote:would this be the right configuration?

your configuration looks okay. did you try it? does it work? you know you can use tcpdump to watch packets go out and return, right?

Postby sevensins » Sat Oct 15, 2005 9:44 pm

AOA,
I did try this and after a little googling... and head banging... this is how I got it to work...


Don't know why ifconfig eth0:0 didn't work.... ?
anyways...

ifconfig eth0:1 202.52.196.10 netmask 255.255.255.0
ifconfig eth0:2 202.52.196.11 netmask 255.255.255.0
ifconfig eth0:3 202.52.196.12 netmask 255.255.255.0

iptables -t nat -A PREROUTING -d 202.52.196.10 -j DNAT --to-destination 190.1.5.10
iptables -t nat -A POSTROUTING -s 190.1.5.10 -j SNAT --to 202.52.196.10

iptables -t nat -A PREROUTING -d 202.52.196.11 -j DNAT --to-destination 190.1.5.11
iptables -t nat -A POSTROUTING -s 190.1.5.11 -j SNAT --to 202.52.196.11

iptables -t nat -A PREROUTING -d 202.52.196.12 -j DNAT --to-destination 190.1.5.12
iptables -t nat -A POSTROUTING -s 190.1.5.12 -j SNAT --to 202.52.196.12

regards,
Shehzad

Re:

Postby LinuxFreaK » Sun Oct 16, 2005 7:24 pm

Dear sevensins,
Salam,

Yes, eth0:0 in a script or in iptables does not work. This happened to me, so I changed my NIC to a dual NIC!!

Best Regards.
Farrukh Ahmed

Help me

Postby syed » Tue Apr 25, 2006 4:51 pm

Mr. Shahzad AOA ,

Can you help me, because I am working on the same solution but not getting any results; my configuration is similar to yours with a slight change, as shown below:
ifconfig eth0:1 202.52.196.10 netmask 255.255.255.0
ifconfig eth0:2 202.52.196.11 netmask 255.255.255.0
ifconfig eth0:3 202.52.196.12 netmask 255.255.255.0

iptables -t nat -A PREROUTING -d 202.52.196.10 -j DNAT --to-destination 190.1.5.10
iptables -t nat -A POSTROUTING -s 190.1.5.10 -j SNAT --to-source 202.52.196.10

iptables -t nat -A PREROUTING -d 202.52.196.11 -j DNAT --to-destination 190.1.5.11
iptables -t nat -A POSTROUTING -s 190.1.5.11 -j SNAT --to-source 202.52.196.11

iptables -t nat -A PREROUTING -d 202.52.196.12 -j DNAT --to-destination 190.1.5.12
iptables -t nat -A POSTROUTING -s 190.1.5.12 -j SNAT --to-source 202.52.196.12

I have also enabled forwarding on my Linux box, but my clients are not able to access the internet.

The slight difference is that you have used just "--to" but I have used "--to-source" in the SNAT section. So is this the reason for my failure? And you also mentioned a LAN card problem; what is that, in fact? If you guide me I will remain thankful to you.

Best Wishes

Syed Mohammad Raza

Re:

Postby LinuxFreaK » Wed Apr 26, 2006 12:54 pm

Dear syed,
Salam,

Try this rule; it will solve your problem.

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Best Regards.
Farrukh Ahmed
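
The static mapping asked for at the top of the thread and the catch-all MASQUERADE rule suggested just above, put together as one generated and checked rule set. This is an added example, not code from the thread: the interface names and addresses are the ones posted; the MAPPING format, the -i/-o interface matches and the function names are this example's own assumptions. It prints the commands instead of running them, so the set can be reviewed (and run through check_rules) before it is loaded on a live box:

```shell
#!/bin/sh
# Added example (not from the thread): generate 1:1 NAT rules for a
# LAN -> public mapping and catch a DNAT/SNAT address mismatch before
# loading anything. Interface names and addresses are the thread's;
# the MAPPING format and the function names are assumptions.

WAN_IF=eth0
LAN_NET=190.1.5.0/24

# "lan public" pairs, one per line (constructed from the thread's example)
MAPPING='
190.1.5.10 202.52.196.10
190.1.5.11 202.52.196.11
190.1.5.12 202.52.196.12
'

# Commands for one pair: add the public address as a secondary address on
# the WAN interface (no alias interface needed), DNAT inbound, SNAT outbound.
# -i/-o keep the rules from matching traffic on the LAN side.
emit_pair() {
    lan=$1
    pub=$2
    echo "ip addr add $pub/24 dev $WAN_IF"
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $pub -j DNAT --to-destination $lan"
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $lan -j SNAT --to-source $pub"
}

# Whole rule set; the catch-all MASQUERADE for the rest of the LAN comes
# last so the specific SNAT rules match first.
gen_rules() {
    echo "$MAPPING" | while read -r lan pub; do
        if [ -n "$lan" ]; then
            emit_pair "$lan" "$pub"
        fi
    done
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE"
}

# Consistency check on a rule set read from stdin (long option names
# expected): the address DNATed to a LAN host must be the SNAT source
# for that host, and every SNAT host must have a DNAT. Exit status 1 and
# a message on stdout when they disagree.
check_rules() {
    awk '
        /-j DNAT/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "-d") pub = $(i + 1)
                if ($i == "--to-destination") lan = $(i + 1)
            }
            dnat[lan] = pub
        }
        /-j SNAT/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "-s") lan = $(i + 1)
                if ($i == "--to-source") pub = $(i + 1)
            }
            snat[lan] = pub
        }
        END {
            bad = 0
            for (l in dnat)
                if (!(l in snat) || snat[l] != dnat[l]) {
                    printf "mismatch for %s: DNAT from %s, SNAT to %s\n", l, dnat[l], snat[l]
                    bad = 1
                }
            for (l in snat)
                if (!(l in dnat)) {
                    printf "no DNAT for %s\n", l
                    bad = 1
                }
            exit bad
        }'
}

# Review, then load:  gen_rules | check_rules && gen_rules | sh
```

Two points the generated set makes explicit. First, rule order in POSTROUTING matters: the per-host SNAT rules are appended before the MASQUERADE rule, so 190.1.5.10-12 leave with their own public addresses and only the remaining LAN hosts are masqueraded behind the primary address of eth0. MASQUERADE was designed for interfaces whose address changes, but it works as a catch-all on a static address too, which is why it fixes "clients cannot reach the internet" without touching the 1:1 rules. Second, check_rules rejects a set whose PREROUTING -d address and POSTROUTING --to-source address differ for the same LAN host, the kind of mismatch that makes return traffic leave from a different public address than the one it arrived on.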

ok

Postby syed » Wed Apr 26, 2006 5:42 pm

AOA 2 ALL

I think this rule is used if we get a dynamic IP (a DHCP server assigns the IP to our machine/firewall); correct me if I am wrong!!!!!!


Best Wishes

Syed Mohammad Raza

Postby kbukhari » Fri Apr 28, 2006 11:53 am

ifconfig eth0:1 202.52.196.10 netmask 255.255.255.0
ifconfig eth0:2 202.52.196.11 netmask 255.255.255.0
ifconfig eth0:3 202.52.196.12 netmask 255.255.255.0


use
ip addr add dev eth0 202.52.196.10/24
ip addr add dev eth0 202.52.196.11/24
ip addr add dev eth0 202.52.196.12/24

It will add all the IPs on eth0.
Don't use virtual interfaces; you can't use them in bash scripting.

Re: ok

Postby LinuxFreaK » Sat Apr 29, 2006 8:29 am

Dear syed,
Salam,

syed wrote:I think this rule is used if we get dynamic ip (DHCP server assigns ip to our machine/firewall)correct me if i am wrong !!!!!!


FYI, http://www.ussrback.com/docs/papers/pro ... g.html.txt

Best Regards.
Farrukh Ahmed

OK

Postby syed » Tue May 09, 2006 12:44 pm

AOA ,
Mr. Bukhari ,

OK, if I use your suggested commands and the iptables rules I mentioned, then will it work for my purpose?????????????
If not, then what else do I need to modify?

Waiting for a prompt and kind response!!

"May All U be Under the Shelter Of Allah"


Syed Mohammad Raza

Re: OK

Postby lambda » Tue May 09, 2006 1:29 pm

syed wrote:OK if i use you suggested commands and ip tables rules i mentioned then will it work for my purpose?????????????

don't you have a linux system? if you do, why don't you experiment with the rules on it? why are you waiting for other people (who don't have access to your network setup) to test the rules for you?

Cooooooooool

Postby syed » Wed May 10, 2006 3:09 pm

AOA 2 all

What your name is I don't know, but cooooooooooooooool down!!!
In fact we have a live network, so it is difficult to make a test. I have already made an attempt and arranged for testing but failed, and doing or arranging testing again is a big problem, so I need to make sure what exactly is needed. OK, people don't have access to my network, but they may have experienced the same situation I am in.

So if u r hearted then I am really sorry for that!!!

"May All U be Under Shelter of Allah"

Syed Mohammad Raza

Re: Cooooooooool

Postby lambda » Wed May 10, 2006 3:30 pm

syed wrote:what is ur name i dont know , but cooooooooooooooool down!!!

my name is everywhere. next time, click on the "homepage" link.

you can always set up a few linux systems on xen and do your testing on that.

So if u r hearted then I am really sorry for that!!!

i was born with a heart.

Ok

Postby syed » Wed May 10, 2006 3:55 pm

Nice !!!

Now you seem to have become cool, Mr. Farid. This is the way of a nice man; don't get shot up! Not a good sign for a nice man like you.

Wish u all the best !!!

Syed Mohammad Raza Shah

ok

Postby syed » Mon May 15, 2006 2:28 pm

AOA


I have used these commands :

ip addr add dev eth0 202.52.196.10/24
ip addr add dev eth0 202.52.196.11/24
ip addr add dev eth0 202.52.196.12/24

When I use ifconfig to see all the interfaces, then just the loopback and the real NIC IP are shown; no additional interface is in the list.

So how do I make sure they are added on my machine?

Best Wishes

Syed Mohammad Raza
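
A way to answer the question in the post above without ifconfig, as an added example that is not part of the thread. Addresses added with ip addr add and no label are real secondary addresses on eth0 but do not show up in ifconfig, which only lists labelled aliases; ip -o -4 addr show lists them all. The sample output below is constructed to look like that command's output for the thread's addresses with one of the three public IPs left out; the function names are this example's own:

```shell
#!/bin/sh
# Added example (not from the thread): confirm that addresses added with
# "ip addr add" are present, using "ip -o -4 addr show" instead of ifconfig.
# SAMPLE is constructed output; the function names are assumptions.

# Constructed output of:  ip -o -4 addr show dev eth0
# (two of the three public addresses from the thread added, one forgotten)
SAMPLE='2: eth0    inet 202.52.196.1/24 brd 202.52.196.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 202.52.196.10/24 scope global secondary eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 202.52.196.11/24 scope global secondary eth0\       valid_lft forever preferred_lft forever'

# Print one IPv4 address per line from "ip -o -4 addr show" output on stdin
# (field 3 is "inet", field 4 is address/prefix).
list_addrs() {
    awk '$3 == "inet" { split($4, a, "/"); print a[1] }'
}

# Print each wanted address (arguments) that is absent from the output on
# stdin; exit status 1 if any is missing, so it works as a script check.
missing_addrs() {
    have=$(list_addrs)
    rc=0
    for want in "$@"; do
        if ! printf '%s\n' "$have" | grep -qxF "$want"; then
            echo "$want"
            rc=1
        fi
    done
    return $rc
}

# On a live box:
#   ip addr add 202.52.196.12/24 dev eth0 label eth0:3   # a label makes ifconfig list it too
#   ip -o -4 addr show dev eth0 | missing_addrs 202.52.196.10 202.52.196.11 202.52.196.12
```

The label form is the bridge between the two approaches discussed in the thread: the address is still added with the ip tool, so it scripts cleanly, but ifconfig and older scripts that look for eth0:N aliases see it as well. Whichever way the address was added, the WAN router only learns it through ARP for 202.52.196.x on eth0, so a missing address shows up as inbound connections to that public IP never reaching PREROUTING at all.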

