# Gentoo Firewalling and DNAT

## splooge

I've asked this question before in another thread, but I think I used some terms that may have shied people away from answering the question, or I didn't get the answer I was looking for, so I will try to put it in different terms.

Basically, I really need to know if this is just *feasible.*

I have a full T1 line to the internet.  It is currently unfirewalled.  We run multiple web servers, mail servers, and terminal servers.  We've got a block of 32 IP addresses (29 +1 for the gateway, +1 for the network, and +1 for the broadcast address)

Basically, I would like to plug the T1 line in straight from the ethernet port on the router directly to the ethernet port in my Gentoo box, and have Gentoo manage every single 'public' IP.  Say, my eth0 card would be assigned 123.456.789.2 through .30 (all 29 addresses).

The machines that once had public IP addresses will now have private addresses and will be put behind the firewall on (let's say) eth1.

I guess my question is this:  can iptables handle DNATing (Is this what I want?) multiple inbound public IP addresses to multiple internal private addresses?  For example:

123.456.789.2 --> Gentoo --> DNAT All ports to 10.1.1.2

123.456.789.3 --> Gentoo --> DNAT All ports to 10.1.1.3

123.456.789.4 --> Gentoo --> DNAT All ports to 10.1.1.4

And if so could someone give me an example of the correct iptables syntax that I would need to use? (or a close version, I can probably figure it out if I just see a couple lines for this)

(I'll crank down the ports later, and add source-based (?) firewalling which only allows packets in from certain hosts, but that's for another time)  We believe one of our ex employees (the old sysadmin) who went to work for the competition still has access to our pricing database, etc., and is doing who knows what with it.

----------

## m.mascherpa

yes.

iptables can handle this kind of situation.

a "raw" command would be:

```
iptables -t nat -A PREROUTING -p tcp -d <public address> -j DNAT --to <private address>
```

please note that this is a VERY SIMPLE behaviour and you might want to set up your network in a more secure way

take a look at iptables documentation, it should clarify everything about the command i just wrote.

as well, i suggest you have a look at some security and router configuration docs.

have fun!  :Smile: 
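The question above asks for the syntax for one public address mapped to one private address, and the answer gives the single DNAT rule. The script below is an added example, not from this thread or from any of its posters, that builds the complete rule set for a whole mapping table on a Linux/iptables gateway: the interface names, the mapping table and the 203.0.113.0/27 block (the RFC 5737 documentation range, standing in for the poster's real /27) are assumptions. It prints the commands by default and only applies them when run as root with `DRYRUN=0`.

```shell
#!/bin/sh
# Added example (not from the thread): one-to-one NAT for a block of public
# addresses, generated from a mapping table. Interface names, the table and
# the 203.0.113.0/27 block are assumptions.
set -u

EXT_IF=${EXT_IF:-eth0}   # carries the public /27 from the T1 router
INT_IF=${INT_IF:-eth1}   # carries the private 10.1.1.0/24
PUBLIC_PREFIX=27         # a 32-address block

# "public private" pairs; constructed sample data
MAPPINGS='203.0.113.2 10.1.1.2
203.0.113.3 10.1.1.3
203.0.113.4 10.1.1.4'

# run: execute the command, or only print it when DRYRUN=1, so the rule set
# can be reviewed before it touches a live gateway.
run() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The gateway must own every public address it DNATs, otherwise it never
# answers ARP for them and the router on the T1 has nowhere to send packets.
add_public_addresses() {
    echo "$MAPPINGS" | while read -r pub priv; do
        [ -n "$pub" ] || continue
        run ip addr add "$pub/$PUBLIC_PREFIX" dev "$EXT_IF"
    done
}

# Start from a closed forwarding policy: nothing crosses the gateway unless a
# rule below says so. Replies to accepted connections return via conntrack.
base_rules() {
    run iptables -F FORWARD
    run iptables -t nat -F
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# One DNAT (inbound), one SNAT (outbound) and one FORWARD accept per mapping.
# The FORWARD rule is deliberately "all ports" to match the poster's first
# step; narrowing it to the services each host really runs is the next step.
one_to_one_rules() {
    echo "$MAPPINGS" | while read -r pub priv; do
        [ -n "$pub" ] || continue
        run iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$pub" \
            -j DNAT --to-destination "$priv"
        run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$priv" \
            -j SNAT --to-source "$pub"
        run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$priv" \
            -m state --state NEW -j ACCEPT
    done
}

main() {
    run sysctl -w net.ipv4.ip_forward=1
    add_public_addresses
    base_rules
    one_to_one_rules
}

DRYRUN=${DRYRUN:-1}   # print by default; DRYRUN=0 applies the rules
main
```

The DNAT rule is tied to the external interface with `-i`, so it only rewrites packets arriving from the T1; the matching SNAT gives each internal host its own public source address on the way out, which is what keeps mail and web logs on the far end attributing traffic to the right server.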

----------

## ronmon

Your current setup is like walking around a leather bar with your pants around your ankles. Someone is likely to see it as an invitation and take you up on your offer.  :Smile: 

Really though, what you have described is SNAT, or Source NAT. I do a little of it on my home network for ntp, ssh, etc., but I cheat and use shorewall to configure my iptables. A quick google search turned up this tidbit on the subject. I'm sure there's plenty more. Google is your friend.

----------

## splooge

Yeah, I understand what the network looks like.  And yes, after I make sure it works with all the ports open I will start only keeping selective ports open.  Anyways, so, I have to use a combination of SNAT and DNAT to achieve this?  Is this what I'm hearing?  Source NAT to get out, Destination NAT to get in?

```
# this lets me in?
iptables -t nat -A PREROUTING -d 123.456.789.2 -j DNAT --to 10.1.1.2

# this lets me out?
iptables -t nat -A POSTROUTING -s 10.1.1.2 -j SNAT --to 123.456.789.2

# then rinse and repeat for every public IP I want mapped internally?
iptables -t nat -A PREROUTING -d 123.456.789.3 -j DNAT --to 10.1.1.3
iptables -t nat -A POSTROUTING -s 10.1.1.3 -j SNAT --to 123.456.789.3
```

Is that correct?

----------

## splooge

Ok I am having issues with this trying it on my home firewall:

Doing a portscan from my work machine to my firewall I get this (as expected):

```
(The 1534 ports scanned but not shown below are in state: filtered)
Port       State       Service
20/tcp     closed      ftp-data
21/tcp     closed      ftp
22/tcp     open        ssh
25/tcp     open        smtp
53/tcp     closed      domain
80/tcp     open        http
443/tcp    open        https
7002/tcp   closed      afs3-prserver
```

But then I add these lines to iptables for the SNAT and DNAT to point to my internal windows box:

```
iptables -t nat -A PREROUTING -d 67.120.26.98 -j DNAT --to 10.1.1.200
iptables -t nat -A POSTROUTING -s 10.1.1.200 -j SNAT --to 67.120.26.98
```

With those lines, I can browse the web from the internal machine (10.1.1.200), but when I portscan my public IP address, it doesn't seem to be DNAT(?)ing to the internal box:

```
(The 1534 ports scanned but not shown below are in state: filtered)
Port       State       Service
20/tcp     closed      ftp-data
21/tcp     closed      ftp
22/tcp     closed      ssh
25/tcp     closed      smtp
53/tcp     closed      domain
80/tcp     closed      http
443/tcp    closed      https
7002/tcp   closed      afs3-prserver
```

What I was expecting to show up were the open ports on 10.1.1.200:

```
(The 1595 ports scanned but not shown below are in state: closed)
Port       State       Service
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
445/tcp    open        microsoft-ds
1025/tcp   open        NFS-or-IIS
1033/tcp   open        netinfo
5000/tcp   open        UPnP
```

What have I done wrong?  =/  iptables -t nat -L shows:

```
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       all  --  anywhere             67.120.26.98       to:10.1.1.200

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  mud                  anywhere           to:67.120.26.98
```

I'm losing hair =(

----------

## tryn

*splooge wrote:*

> Ok I am having issues with this trying it on my home firewall:

Here are two places that might help you do what you want:

for dnat information

for snat information  :Very Happy: 

----------

## splooge

Thanks, I've read the fricking manual, and according to it I should have DNAT working.

Would someone like to tell me why this line:

```
iptables -t nat -A PREROUTING -d 67.120.26.98 -j DNAT --to 10.1.1.200
```

does not work?  I get no errors, I just get no redirection to the internal PC.  This line:

```
iptables -t nat -A POSTROUTING -s 10.1.1.200 -j SNAT --to 67.120.26.98
```

Works as it should.

My modules I have compiled into the kernel are as follows:

```
ipt_MARK                 696   0
ipt_mark                 440   0
iptable_mangle          2008   0
ipt_MASQUERADE          1560   0
ip_nat_ftp              3376   0  (unused)
ip_nat_irc              2640   0  (unused)
iptable_nat            16984   3  [ipt_MASQUERADE ip_nat_ftp ip_nat_irc]
ip_conntrack_ftp        4048   1
ip_conntrack_irc        2992   1
iptable_filter          1612   0
ipt_state                536   0
ip_conntrack           23136   4  [ipt_MASQUERADE ip_nat_ftp ip_nat_irc iptable_nat ip_conntrack_ftp ip_conntrack_irc ipt_state]
ip_tables              11288   9  [ipt_MARK ipt_mark iptable_mangle ipt_MASQUERADE iptable_nat iptable_filter ipt_state]
```

iptables -t nat -L reports:

```
root # iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       all  --  anywhere             67.120.26.98       to:10.1.1.200

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  mud                  anywhere           to:67.120.26.98
```

ifconfig:

```
eth0      Link encap:Ethernet  HWaddr 00:50:DA:B9:73:DA
          inet addr:10.1.1.1  Bcast:10.1.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
...
```

I can ping the internal host from the box:

```
mail root # ping 10.1.1.200
PING 10.1.1.200 (10.1.1.200): 56 octets data
64 octets from 10.1.1.200: icmp_seq=0 ttl=128 time=0.4 ms
64 octets from 10.1.1.200: icmp_seq=1 ttl=128 time=0.3 ms
64 octets from 10.1.1.200: icmp_seq=2 ttl=128 time=0.3 ms
64 octets from 10.1.1.200: icmp_seq=3 ttl=128 time=0.3 ms
```

I can ping externally from the box:

```
mail root # ping www.gentoo.org
PING www.gentoo.org (216.110.76.37): 56 octets data
64 octets from 216.110.76.37: icmp_seq=0 ttl=48 time=57.4 ms
64 octets from 216.110.76.37: icmp_seq=1 ttl=48 time=56.1 ms
64 octets from 216.110.76.37: icmp_seq=2 ttl=48 time=56.9 ms
64 octets from 216.110.76.37: icmp_seq=3 ttl=48 time=56.7 ms
```

IP forwarding is:

```
mail root # cat /proc/sys/net/ipv4/ip_forward
1
```

What is left to check?

----------

## jukka

what does

```
$ /sbin/route -n
```

say?

----------

## btg308

*Quote:*

> when I portscan my public IP address, it doesn't seem to be DNAT(?)ing to the internal box:

Have you tried from really outside the local network? Could be that you just need to make sure the firewall knows how to route stuff back in. This is what I have:

```
$IPTABLES -A POSTROUTING -t nat -d 192.168.0.2 -s 192.168.0.0/24 -p tcp -j SNAT --to 192.168.0.1
```

where 192.168.0.1 is the firewall and 192.168.0.2 the internal server I want to access from the inside. If this is the problem, the port-forwarding works from the outside, it's just accessing the public IP from inside the firewall that doesn't work.
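The "route stuff back in" rule above is the SNAT half of what is usually called hairpin NAT. The script below is an added example, not from this thread or its posters, that shows the whole set of rules a LAN client needs in order to reach an internal server through its public address, using btg308's addresses (gateway 192.168.0.1, server 192.168.0.2, LAN 192.168.0.0/24); the internal interface name and the 203.0.113.2 public address are assumptions. It prints the commands by default and applies them with `DRYRUN=0`.

```shell
#!/bin/sh
# Added example (not from the thread): hairpin NAT rules for one public/private
# pair. Interface name and the public address are assumptions.
set -u

INT_IF=${INT_IF:-eth1}
LAN=${LAN:-192.168.0.0/24}
GW_LAN_IP=${GW_LAN_IP:-192.168.0.1}

# run: execute, or only print when DRYRUN=1
run() { if [ "${DRYRUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# hairpin_rules PUB PRIV
# 1. The DNAT must also match packets arriving on the LAN side. A PREROUTING
#    rule restricted to the external interface with -i never sees them.
# 2. Without the SNAT, the server sees the client's real LAN address and
#    answers it directly; the client then gets a reply from the private
#    address it never spoke to and drops it. Rewriting the source to the
#    gateway's LAN address forces the reply back through the gateway, where
#    conntrack undoes the DNAT before it reaches the client.
# 3. The bounced packet still traverses FORWARD, so a DROP policy needs an
#    explicit accept for it.
hairpin_rules() {
    pub=$1 priv=$2
    run iptables -t nat -A PREROUTING -i "$INT_IF" -s "$LAN" -d "$pub" \
        -j DNAT --to-destination "$priv"
    run iptables -t nat -A POSTROUTING -o "$INT_IF" -s "$LAN" -d "$priv" \
        -j SNAT --to-source "$GW_LAN_IP"
    run iptables -A FORWARD -i "$INT_IF" -o "$INT_IF" -d "$priv" -j ACCEPT
}

DRYRUN=${DRYRUN:-1}   # print by default; DRYRUN=0 applies the rules
hairpin_rules 203.0.113.2 192.168.0.2
```

The cost of the SNAT is that the server's logs show every LAN client as 192.168.0.1; if that matters, the cleaner fix is split DNS so LAN clients resolve the server to its private address and never hairpin at all.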

----------

## securiteaze

This was shamelessly ripped from my firewall. (slightly mangled to protect the innocent/guilty  :Wink:  )  

This alone is by no means secure  :Exclamation:   But this should give you the idea.

```
# -p takes a protocol name, so it is tcp here; --dport 80 selects the web port
${IPTables} -t nat -A PREROUTING -i ${ExtIF} -p tcp -s 0/0 -d ${ExtIP1} --dport 80 -j DNAT --to ${IntWWW1}:80 &&
${IPTables} -A FORWARD -m state --state NEW -i ${ExtIF} -s 0/0 -d ${IntWWW1} -j ACCEPT
```

----------

## splooge

Thanks guys for the help, however it's still not working.

I am using nmap from a different isp to do the testing from so I am definitely on a separate network.  (pacificnet.net to be precise).

nmap should give me a portscan of the internal box, right?  Or does it do something special that would only stop at my firewall?

----------

## btg308

Strange. However, if you're really serious about getting a good firewall up and running, I'd recommend you start at the other end - getting a tried firewall script that you can learn from and hack as necessary. I started off with http://www.netfilter.org/documentation/tutorials/blueflux/iptables-tutorial.html and I seem to have worked out fine. :-)

I've gotten used to building chains of tables, almost visualising the packets flowing through the system like water droplets after a spring rain... Well, you get the idea. :-D It's difficult to just take a few iptables rules out of their context and see what they do. It's a bit of a learning curve, but Oskar's tutorial above and Rusty's stuff from iptables.org (like http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO.html) should go a long way. I started laying it out on paper first until it 'clicked'.

You could try adding a port range to your code, though. It's supposed to be optional but I have never tried doing it without a port (I start in the other direction, instead of forwarding all ports and then block a few, I block all ports and then forward the ones I need)

```
# --dport only works together with a protocol, hence -p tcp
iptables -t nat -A PREROUTING -p tcp --dport 1:65535 -d 67.120.26.98 -j DNAT --to 10.1.1.200
```

Another thing to watch out for (you won't have this problem since you have to do it IP-based anyway, it just popped into my head and I figured anyone searching the forums later would benefit from it):

If you want to be able to connect to the internal boxes from inside your network using their external addresses (ie bouncing off the firewall instead of talking to the machines directly) you will need to specify the DNAT stuff using the IP addresses (like you are), not the interface, otherwise that nifty route-back-in example I gave earlier won't work.

----------

## splooge

Amazing.

Well, I must reply to at least show what the cause of the problem was, no matter how embarrassing.

nmap apparently doesn't work through DNAT.  nmap was the only utility I had at the time to do what I 'thought' should be right.

Even though nmap returns the ports on the firewall itself (instead of the internal host, which was the cause of my confusion) other services -- such as ftp -- will still be forwarded internally.  I falsely assumed that nmap would portscan the internal computer.  It doesn't.

Everything I wanted to work is working.  nmap was just the wrong tool to test it with.  I put up an FTP server on my windows box internally and it works fine.

Sorry to everyone.

----------

## delta407

Indeed; nmap gets confused with kernel-level IP translation. Always ssh to a remote box when trying to scan oneself.

Other than that (and on a completely unrelated note), I recently found that despite a big fat ALLOW rule in the FORWARD table, I had to add a specific ALLOW rule for inbound port forwarding. It was silly.  :Rolling Eyes: 
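splooge's "What is left to check?" and delta407's note that a DNAT rule alone was not enough both come down to the same checklist: the nat rules can look perfect in `iptables -t nat -L` while the filter table quietly drops the forwarded packets. The script below is an added example, not from this thread or its posters: it reads an `iptables-save` dump and checks that the DNAT, its matching SNAT, and a FORWARD rule that accepts new connections to the internal host are all present. The two dumps are constructed to resemble the poster's addresses; the only assumption about the format is that `iptables-save` prints host addresses with a /32 suffix and the long option names, which it does.

```shell
#!/bin/sh
# Added example (not from the thread): check an iptables-save dump for the
# things that stop a DNAT from working even when the nat table looks right.
# On the gateway itself:   diagnose "$(iptables-save)" 67.120.26.98 10.1.1.200
# and separately confirm:  cat /proc/sys/net/ipv4/ip_forward   (must print 1)

# Constructed dumps. NAT_PART and FILTER_HEAD are shared; DUMP_NO_FORWARD has
# DNAT and SNAT but FORWARD only passes replies, so new inbound connections to
# the internal host are dropped. DUMP_OK adds the one rule that is missing.
NAT_PART='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 67.120.26.98/32 -j DNAT --to-destination 10.1.1.200
-A POSTROUTING -s 10.1.1.200/32 -j SNAT --to-source 67.120.26.98
COMMIT'
FILTER_HEAD='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
DUMP_NO_FORWARD="$NAT_PART
$FILTER_HEAD
COMMIT"
DUMP_OK="$NAT_PART
$FILTER_HEAD
-A FORWARD -d 10.1.1.200/32 -m state --state NEW -j ACCEPT
COMMIT"

# table DUMP NAME: the lines of one table, from "*NAME" to its COMMIT
table() { printf '%s\n' "$1" | sed -n "/^\*$2\$/,/^COMMIT\$/p"; }

# has_dnat DUMP PUB PRIV: a PREROUTING rule rewrites PUB to PRIV
has_dnat() {
    table "$1" nat | grep -F -- '-A PREROUTING' | grep -F -- "-d $2/32" \
        | grep -Fq -- "-j DNAT --to-destination $3"
}

# has_snat DUMP PUB PRIV: a POSTROUTING rule rewrites PRIV back to PUB
has_snat() {
    table "$1" nat | grep -F -- '-A POSTROUTING' | grep -F -- "-s $3/32" \
        | grep -Fq -- "-j SNAT --to-source $2"
}

# forward_allows DUMP PRIV: new connections to PRIV can cross FORWARD, either
# because the chain policy is ACCEPT or because an ACCEPT rule names the host
# (or names no destination at all). The ESTABLISHED,RELATED rule does not
# count: it only passes replies to connections already in conntrack.
forward_allows() {
    f=$(table "$1" filter)
    printf '%s\n' "$f" | grep -Fq ':FORWARD ACCEPT' && return 0
    printf '%s\n' "$f" | grep -F -- '-A FORWARD' | grep -F -- '-j ACCEPT' \
        | grep -Fv -- 'ESTABLISHED' | while read -r rule; do
            case "$rule" in
                *"-d $2/32 "*|*"-d $2/32") echo yes ;;
                *"-d "*) ;;          # accept for some other host
                *) echo yes ;;       # no destination match at all
            esac
        done | grep -q yes
}

# diagnose DUMP PUB PRIV: one line per check; returns 0 only if all pass
diagnose() {
    dump=$1 pub=$2 priv=$3 ok=0
    has_dnat "$dump" "$pub" "$priv" && echo "ok   DNAT $pub -> $priv" \
        || { echo "FAIL no PREROUTING DNAT for $pub"; ok=1; }
    has_snat "$dump" "$pub" "$priv" && echo "ok   SNAT $priv -> $pub" \
        || { echo "FAIL no POSTROUTING SNAT for $priv"; ok=1; }
    forward_allows "$dump" "$priv" && echo "ok   FORWARD accepts new connections to $priv" \
        || { echo "FAIL FORWARD never accepts new connections to $priv (DNAT alone is not enough)"; ok=1; }
    return $ok
}

echo "== dump without the FORWARD rule"
diagnose "$DUMP_NO_FORWARD" 67.120.26.98 10.1.1.200 || true
echo "== dump with the FORWARD rule"
diagnose "$DUMP_OK" 67.120.26.98 10.1.1.200
```

A scan from outside tells the difference between the two dumps the same way it did in the thread: with the FORWARD rule missing, every forwarded port shows as filtered, whereas with it present the closed ports on the internal host answer with RST and show as closed.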

----------

