www.zeroshell.org

[wifiguy]

Hello all,

Right now I am sitting in a test environment. I have the WAN port on the ZS server statically assigned. We have a direct allocation from ARIN (American Registry for Internet Numbers), it's a /22 and it's our VLAN74.

Right now VLAN20, 30 and 70 are private VLANs and are NAT'd. I used the following IPtables to NAT them.

[ppalias]

1) Make sure eth1 is the wan interface.
2) Print here the output of

[wifiguy]

[Marcelo]

It can be ETH00. I actually use ETH00 as the WAN and ETH01 as LAN.

You just have to be careful as 99% of the examples shown here are the opposite, so you'll have to remember that...

Regads,

[wifiguy]

I'll run the above command from the server when I get back to the office on Monday.

Thanks all,

[wifiguy]

Alright, here is the output from the iptables -t nat -L -v command.

[ppalias]

There is a huge mixup here. ZS is NATing everything going out of interface ETH00 and you are trying to NAT some VLANs on interface ETH01. Firstly make sure which interface is the outside and then remove the general NAT that ZS does on interface ETH00.

[wifiguy]

[ppalias]

First of all which one is the WAN interface...

[wifiguy]

[ppalias]

Okay remove the ETH00 from the "NAT Enabled Interfaces". Then add a specific iptables command.

[wifiguy]

[ppalias]

There seems to be something wrong with the interfaces you are using, as the iptables command is correct.


-t nat = apply this command in "nat" table.
-I POSTROUTING 1 = install this command in POSTROUTING chain in line 1
--src x.x.x.x/yy = the source IP is x.x.x.x/yy
-o ETH00 = the output interface is "ETH00"
-j MASQUERADE = masquerade the source IP with the IP of the interface ETH00

[wifiguy]

[wifiguy]

I am stumped.....We use this same config (minus the WAN IP) on a production router that we have, and all works well.

Anyway you would be willing to take a peek at our config file?

[wifiguy]

The second I add ETH00 back to the NAT Enabled Interfaces, I can then ping the gateway, and get out to the outside. The only that worries me, is once behind our WAN port (in our test environment) I have no routing set up for vlan74 or 90, and right now those interfaces can also get out to the outside world.......

[ppalias]

Yes I can take a peek at the config file.
Give me the output of

[wifiguy]

[ppalias]

ok first clear any entries

[wifiguy]

[wifiguy]

We are getting you cannot use I with post routing error message.

[ppalias]

Don't use

[wifiguy]

I still have not been able to get this to work. I would love to use this as our firewall, but so far I can't get certain VLAN's not to be NAT'd.

[ppalias]

I admit that I totally neglected it, my apologies. I will find some time in the forthcoming weekend to do it.

[wifiguy]

I appreciate this. Thank you!

[ppalias]

Okay good news.
I tried the scenario. It seems to be working fine for me.
[img]http://www.flickr.com/photos/35949154@N02/4451705013/[/img]
as you can see on the picture (or here if you cannot see it clearly) on the upper left window is the command I gave to ZS to allow only one subnet to NAT out of ETH00.
On the middle left window is the 2 pings I ran. The one towards 10.14.149.3 was initially not NATed and then I enabled NAT. You can see the change on the Wireshark window on the right. Source address changed from 192.168.20.2 (not NATed) to 10.14.149.25 (ETH00 address of ZS). On the lower left window is a tcpdump of another pc which accepted ping from the other VLAN of ZS, the 192.168.30.2 and it never changed it's source IP address.
So to conclude the iptables command is correct