www.zeroshell.org Forum Index www.zeroshell.org
Linux Distribution for server and embedded devices
nat reflection
gordonf
Joined: 26 Feb 2012
Posts: 89
Posted: Mon Mar 03, 2014 2:31 pm    Post subject: Re: The dead are risen. ZeroShell and "NAT Reflection"

matth wrote:
Has anyone been able to make this work with dynamic WAN addresses?


I was just thinking about this one...

ZS 3.0.0 still requires this kind of post-boot scripting if you want NAT reflection (hair-pinning) to work and still correctly log external and internal IP addresses:

Code:
iptables -t nat -A PREROUTING -d pub.ip.ad.dr -p tcp --dport 80 -j DNAT --to internal.ip.ad.dr
iptables -t nat -A POSTROUTING -s internal.ip.subnet.0/24 -p tcp --dport 80 -d internal.ip.ad.dr -j MASQUERADE


...but since this is a script, I wondered if it were possible to retrieve the external IPv4 address and store it as an environment variable. I know 'ifconfig' retrieves interface info but it's a lot of info at once, and I'm no regex guru.

But, in your Startup / Cron NAT and Virtual Servers script, if you're clever with ifconfig and regex, you can extract your IP addresses and store them as environment variables. Then you can modify the above script thusly:

Code:
ifconfig > /tmp/ifconfig-out.txt
# (insert magic IP extractor here that saves IPs to $ETHxxIPv4)
iptables -t nat -A PREROUTING -d $ETHxxIPv4 -p tcp --dport 80 -j DNAT --to internal.ip.ad.dr
iptables -t nat -A POSTROUTING -s internal.ip.subnet.0/24 -p tcp --dport 80 -d internal.ip.ad.dr -j MASQUERADE


"ETHxxIPv4" would contain the IP for each interface where "xx" is the interface number. The information might already be available in some file somewhere.
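An added example (not gordonf's or ZeroShell's own code) of the "magic IP extractor" step: a POSIX sh function that pulls an interface's IPv4 address out of net-tools ifconfig output (both the old "inet addr:" and the newer "inet" line styles), plus a helper that prints the two hairpin rules with the discovered address substituted. The ifconfig text, interface names and addresses are constructed, and the rules are printed rather than applied.

```shell
#!/bin/sh
# Constructed net-tools ifconfig output covering both styles: the older
# "ETH00  Link encap" / "inet addr:x.x.x.x" layout and the newer
# "ETH01: flags=" / "inet x.x.x.x" layout. All addresses are made up.
SAMPLE_IFCONFIG='ETH00     Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:203.0.113.10  Bcast:203.0.113.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

ETH01: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.1  netmask 255.255.255.0  broadcast 192.168.0.255
        ether 00:11:22:33:44:66  txqueuelen 1000  (Ethernet)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
'

# iface_ipv4 IFACE : read ifconfig output on stdin, print the first IPv4
# address of IFACE (prints nothing if the interface or address is missing).
iface_ipv4() {
    awk -v want="$1" '
        /^[A-Za-z0-9]/ { cur = $1; sub(/:$/, "", cur) }   # a new interface block starts in column 1
        cur == want && $1 == "inet" {
            ip = $2; sub(/^addr:/, "", ip)                  # strip the old-style "addr:" prefix
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print ip; exit }
        }'
}

# hairpin_rules PUBLIC_IP INTERNAL_NET INTERNAL_IP PORT : print the DNAT and
# MASQUERADE rules from the post with the discovered public address filled in.
# Printed only; on a real box you would pipe the output into sh.
hairpin_rules() {
    printf 'iptables -t nat -A PREROUTING -d %s -p tcp --dport %s -j DNAT --to %s\n' "$1" "$4" "$3"
    printf 'iptables -t nat -A POSTROUTING -s %s -p tcp --dport %s -d %s -j MASQUERADE\n' "$2" "$4" "$3"
}

# On a live ZeroShell box the next line would be:  ETH00IPv4=$(ifconfig | iface_ipv4 ETH00)
ETH00IPv4=$(printf '%s' "$SAMPLE_IFCONFIG" | iface_ipv4 ETH00)
if [ -z "$ETH00IPv4" ]; then
    echo "no IPv4 address found on ETH00, not generating rules" >&2
else
    hairpin_rules "$ETH00IPv4" 192.168.0.0/24 192.168.0.145 8092
fi
```

The "no IPv4 address" branch matters on a dynamic WAN link: if the script runs before DHCP/PPP has assigned an address, the DNAT rule would otherwise be written with an empty destination.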
eight_ball
Joined: 17 Jan 2016
Posts: 1
Posted: Sun Jan 17, 2016 10:56 pm

Still a bit confused on this. If I have a static IP to the outside, say 208.75.9.204, and a web app running on an internal machine at 192.168.0.145 on port 8092, and mywebsite.com resolves to the 208 addr, I want machines on the LAN to be able to hit 192.168.0.145:8092 by going to mywebsite.com from the inside. I was trying to configure PAT through Router -> Virtual Server with:

Interface: ANY
IP: 208.75.904
Port: 8092
Remote Machine: 192.168.0.145
Port: 8092

But, it didn't work. Did I completely botch the configuration? Am I even on the right track? Quite new to this...

Thank you
redfive
Joined: 27 Aug 2009
Posts: 232
Posted: Mon Jan 18, 2016 6:50 pm

If your server is in the same LAN as your devices (not so good; for such things it would be better to use a DMZ....), in addition to the rule in the 'virtual server' you also have to add a rule for POSTROUTING, as described in the post above by @gordonf, so, e.g. in 'Setup', 'Scripts/Cron', 'NAT and Virtual Servers':
Code:
iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -p tcp --dport 8092 -d 192.168.0.145 -j MASQUERADE
I used -I instead of -A in the rule; with -I the rule is inserted as 1st (you are sure that it will be executed, even if you have other rules ...).
This is needed because, if you try to reach the server via the public IP address but from within the same network, the server sees that the connection is coming from a host which belongs to its own network, so the server tries to respond directly (after an ARP req.).
Enable the script, then, via ssh:
Code:
iptables -t nat -nvL POSTROUTING
You should see the rule at the top of the chain.....
You can also, rather than using ssh, create a new job ('Setup', 'Scripts/Cron', 'add job' button), call it e.g. 'check postrouting', insert the same command as above, and use the 'test' button (after the test, save ...).
Regards
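An added check (not redfive's or ZeroShell's own code) for the verification step above: it parses the `iptables -t nat -nvL POSTROUTING` listing and reports where the hairpin MASQUERADE rule sits in the chain and how many packets have hit it, which separates "rule not first" from "rule first but never matched". The chain listing, addresses and port are constructed; on a real box the live listing is piped in instead.

```shell
#!/bin/sh
# Constructed `iptables -t nat -nvL POSTROUTING` listing. The hairpin rule was
# appended with -A, so it sits behind a general outbound MASQUERADE rule that
# already matches the same source network, and its packet counter is still 0.
SAMPLE_POSTROUTING='Chain POSTROUTING (policy ACCEPT 4120 packets, 310K bytes)
 pkts bytes target     prot opt in     out     source               destination
 9876  812K MASQUERADE  all  --  *      *       192.168.0.0/24       0.0.0.0/0
    0     0 MASQUERADE  tcp  --  *      ETH00   192.168.0.0/24       192.168.0.145        tcp dpt:8092
'

# hairpin_rule_check DEST PORT : read the chain listing on stdin and print
# "<position> <pkts>" for the first MASQUERADE rule towards DEST with dpt:PORT.
# Prints nothing when no such rule exists.
hairpin_rule_check() {
    awk -v dest="$1" -v port="$2" '
        NR <= 2 || NF == 0 { next }          # skip "Chain ..." and the column-name line
        { n++ }                              # 1-based position, as --line-numbers would show it
        $3 == "MASQUERADE" && $9 == dest && $NF == ("dpt:" port) { print n, $1; exit }'
}

# hairpin_verdict DEST PORT : one-line diagnosis; exit status 0 only when the rule is first.
hairpin_verdict() {
    res=$(hairpin_rule_check "$1" "$2")
    if [ -z "$res" ]; then
        echo "no MASQUERADE rule towards $1 dpt:$2 in POSTROUTING (script not enabled?)"; return 2
    fi
    pos=${res% *}; pkts=${res#* }
    if [ "$pos" -ne 1 ]; then
        echo "hairpin rule is #$pos, not first: an earlier rule can shadow it, insert it with -I"; return 1
    fi
    echo "hairpin rule is first in POSTROUTING, $pkts packets matched so far"
}

# Live use: iptables -t nat -nvL POSTROUTING | hairpin_verdict 192.168.0.145 8092
printf '%s' "$SAMPLE_POSTROUTING" | hairpin_verdict 192.168.0.145 8092 || :
```

A rule that is first but whose pkts column stays at 0 while a LAN client is browsing to the public address points at the PREROUTING DNAT side (or at the client bypassing the router entirely) rather than at this rule.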
reaperz
Joined: 13 Apr 2012
Posts: 83
Posted: Thu Jan 21, 2016 10:42 am

I still have not got it working.

I am using this script under NAT/Virtual server:

iptables -t nat -I POSTROUTING -s ***MY_INTERNAL_NET*** -p tcp --dport 80 -d ***SERVER_INTERNAL_IP*** -j MASQUERADE

And under Router - Virtual Server I have:

ANY/***MY_EXTERNAL_IP*** TCP 80 ***SERVER_INTERNAL_IP***

Really, why is it this hard to get working?

This should be just one checkbox in configuration...
redfive
Joined: 27 Aug 2009
Posts: 232
Posted: Thu Jan 21, 2016 12:04 pm

Try adding -o [output iface]; if your internal interface is ETH00:
Code:
iptables -t nat -I POSTROUTING -s ***MY_INTERNAL_NET*** -o ETH00 -p tcp --dport 80 -d ***SERVER_INTERNAL_IP*** -j MASQUERADE

Regards
reaperz
Joined: 13 Apr 2012
Posts: 83
Posted: Fri Jan 22, 2016 11:32 am

Unfortunately still nothing. Added the following line:

iptables -t nat -I POSTROUTING -s ***MY_INTERNAL_NET*** -o BRIDGE01 -p tcp --dport 80 -d ***SERVER_INTERNAL_IP*** -j MASQUERADE

Also added in Virtual server page:

BRIDGE01 / ***MY_EXTERNAL_IP*** TCP 80 ***SERVER_INTERNAL_IP*** :80
gordonf
Joined: 26 Feb 2012
Posts: 89
Posted: Fri Jan 22, 2016 1:38 pm    Post subject: Don't do both of those

I wouldn't use both the virtual servers page and the post-boot script. The examples I use are just in the script. That might be part of the confusion as to why it isn't working as expected.

I started a Wiki a few months ago and have this article that explains NAT hairpinning:

http://zswiki.pan-am.ca/wiki/NAT_Hairpin

By the way, both of you (redfive and reaperz) have Admin accounts on this Wiki. Check your private messages for instructions and passwords, and change your passwords right away. You can do anything except make more admins.
pgbuz
Joined: 05 Aug 2016
Posts: 33
Posted: Fri Sep 02, 2016 5:49 pm    Post subject: enable loopback on a NAT with Zeroshell

matth wrote:
Has anyone been able to make this work with dynamic WAN addresses?

HELP!


Hope it can help:
https://wiki.afm.co/display/PUBL/How+to+enable+loopback+on+a+NAT+with+Zeroshell

I have a similar problem to solve
http://www.zeroshell.org/forum/viewtopic.php?t=5746&highlight=


Last edited by pgbuz on Fri Sep 02, 2016 7:02 pm; edited 2 times in total
pgbuz
Joined: 05 Aug 2016
Posts: 33
Posted: Tue Sep 06, 2016 6:58 pm    Post subject: Re: enable loopback on a NAT with Zeroshell

pgbuz wrote:
matth wrote:
Has anyone been able to make this work with dynamic WAN addresses?

HELP!


Hope it can help:
https://wiki.afm.co/display/PUBL/How+to+enable+loopback+on+a+NAT+with+Zeroshell

I have a similar problem to solve
http://www.zeroshell.org/forum/viewtopic.php?t=5746&highlight=


SOLVED!
http://www.zeroshell.org/forum/viewtopic.php?t=5746&highlight=