www.zeroshell.org Forum Index -> ZeroShell
Linux Distribution for server and embedded devices

nat reflection
endre
Joined: 12 Apr 2007
Posts: 5
Posted: Wed Jun 06, 2007 10:03 am    Post subject: nat reflection

Hi, does anyone know if it is possible to set up NAT reflection rules with Zeroshell (how?)

Also, has anyone successfully abused this router? I mean to the length of 50 new connections (or more) per second... how does it handle that?
fulvio (Site Admin)
Joined: 01 Nov 2006
Posts: 1070
Posted: Wed Jun 06, 2007 8:01 pm

What do you mean by "NAT Reflection"?
I found with Google that pfSense and m0n0wall have implemented this feature. I suppose that the NAT reflection looks like the Destination NAT with which Zeroshell implements the Virtual Server feature, but I am not sure. Please, correct me if I am wrong.

Regards
Fulvio
endre
Joined: 12 Apr 2007
Posts: 5
Posted: Thu Jun 07, 2007 5:27 am    Post subject: Hi

Yes, pfSense and m0n0wall have those features; maybe they ended up naming it like that.

Behaviour: when you are on the LAN side and you try to make a connection to one of your WAN IPs... you will get squat...
NAT reflection fixes this; now I don't really remember if Zeroshell behaved like this or not...

One thing though... even with this, the source IP of the connection is still your LAN IP; this would be a pain in the a.. if you are hosting a BitTorrent tracker.

Nonetheless, it is still a good thing to be able to open, for example, the webserver on your PC by opening http://wan.ip.wan.ip/ instead of http://localhost
Borage
Joined: 04 Feb 2007
Posts: 5
Posted: Mon Jun 11, 2007 11:59 am

pfSense and m0n0wall use ipfilter; Zeroshell uses iptables, so you don't need a workaround like theirs. You can use a rule like this one to get it working.

Code:
iptables -t nat -A prerouting_rule -d WAN_IP -p tcp --dport 80 -j DNAT --to 192.168.0.10
iptables -A forwarding_rule -p tcp --dport 80 -d 192.168.0.10 -j ACCEPT
iptables -t nat -A postrouting_rule -s 192.168.0.0/24 -p tcp --dport 80 -d 192.168.0.10 -j MASQUERADE

All traffic on port 80 from LAN (192.168.0.0/24) to WAN (WAN_IP) will be redirected to the internal webserver (192.168.0.10).
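The three rules from Borage's post, generalised to several forwarded services and several LAN subnets, as an added example that is not from the post or from Zeroshell. It uses the standard PREROUTING/FORWARD/POSTROUTING chains (the post's prerouting_rule style names are custom chains a stock iptables box will not have); the WAN address, the service list and the IPT variable are constructed placeholders.

```shell
#!/bin/sh
# Hairpin NAT ("NAT reflection") for a Linux/iptables router such as Zeroshell.
# Constructed example: the addresses below are placeholders, adjust to your network.
#
# Why each rule is needed:
#  1. PREROUTING DNAT   rewrites packets addressed to WAN_IP so they reach the server;
#                       it matches on any input interface, so LAN clients are covered.
#  2. FORWARD ACCEPT    lets the rewritten flow through the filter table; omit it where
#                       forwarding to the server is already permitted.
#  3. POSTROUTING MASQUERADE, LAN -> server only: without it the server answers the LAN
#                       client directly from its private address, the client expected a
#                       reply from WAN_IP and discards it. The price is that the server
#                       sees the router's address instead of the real client address.
WAN_IP="${WAN_IP:-203.0.113.10}"          # placeholder public address (RFC 5737 range)
LAN_NETS="${LAN_NETS:-192.168.0.0/24}"    # LAN subnets that must reach WAN_IP, space separated
# proto:port:server triples, one per forwarded service (constructed values)
SERVERS="${SERVERS:-tcp:80:192.168.0.10 tcp:443:192.168.0.10 tcp:25:192.168.0.20}"
IPT="${IPT:-iptables}"                    # IPT=echo prints the rules instead of applying them

# Print the iptables arguments for one service, one rule per line.
reflection_rules() {  # $1 proto, $2 port, $3 server
    echo "-t nat -A PREROUTING -d $WAN_IP -p $1 --dport $2 -j DNAT --to-destination $3:$2"
    echo "-A FORWARD -d $3 -p $1 --dport $2 -j ACCEPT"
    for net in $LAN_NETS; do
        echo "-t nat -A POSTROUTING -s $net -d $3 -p $1 --dport $2 -j MASQUERADE"
    done
}

# Apply (or, with IPT=echo, print) the rules for every entry in SERVERS.
apply_reflection() {
    for entry in $SERVERS; do
        proto=${entry%%:*}; rest=${entry#*:}; port=${rest%%:*}; server=${rest#*:}
        reflection_rules "$proto" "$port" "$server" | while IFS= read -r rule; do
            $IPT $rule || return 1   # word splitting of $rule is intended
        done
    done
}

# Only touch the live rule set when explicitly asked to.
if [ "${1:-}" = "apply" ]; then apply_reflection; fi
```

Run `IPT=echo sh nat-reflection.sh apply` first to review the generated rules, then `sh nat-reflection.sh apply` as root to install them.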
endre
Joined: 12 Apr 2007
Posts: 5
Posted: Thu Jun 14, 2007 4:21 pm

Yes, of course you can do that if you know iptables... it's just a matter of a checkbox versus 3 lines and years of using iptables. I'm sure you have time for it if you're a net admin.
Borage
Joined: 04 Feb 2007
Posts: 5
Posted: Sat Jun 16, 2007 12:26 am

This is standard in most Linux firewalls. You just have to forward a port, and you'll be able to reach the NATted server through the WAN port. I have not installed Zeroshell yet, but I think it's time to do that now.

Last edited by Borage on Sat Feb 14, 2009 10:07 am; edited 1 time in total
thund3rman
Joined: 12 Jan 2009
Posts: 7
Posted: Tue Jan 13, 2009 12:49 am

Well, first things first, so: Fulvio, thanks for this great product! I've been using Zeroshell after trying both pfSense and m0n0wall and this seems to be the best and most complete product for my needs.

Now that the thanks are taken care of, I'm going to bring this topic back from the dead.

NAT Reflection is a "feature" that allows you to access servers behind PAT through your WAN IP. For example, you have a public name that has a public address... If you try to access this inside your local network, your packets are going to be directed to your firewall and don't go through the WAN interface... So, if you have PAT defined with the interface instead of the public IP, it doesn't get done. I know that in beta11 we can define PAT through IP address, but the previous scenario is especially necessary in cases where you have a dynamic public IP address...

I've been exploring the guts of Zeroshell and I think it can be done with two changes:
1. Add the following line to the script router_patconfig: "iptables -t nat -A PREROUTING $IP -p $PROTOCOL --dport $LOCALPORT -j DNAT --to $REMOTEIP:$REMOTEPORT" where $IP=-d WAN_IP. This IP should be the WAN_IP address when it is assigned by DHCP.
2. Using the hooks of the dhclient-script, refresh the IP in the nat table whenever dhclient updates WAN_IP.

Maybe step 2 can be the only one; I think the initial setup may be unnecessary...
What do you think? Can this be done? If so, in time for beta12? If not, how do you recommend I solve this problem? In my opinion this is very important, especially in the SOHO market, where most companies keep the internet connection behind a dynamic IP...

Thanks!
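The dhclient hook from step 2 of thund3rman's post, as an added example (not from the post and not Zeroshell's router_patconfig). Only the DNAT rule carries the WAN address; the LAN-to-server MASQUERADE rules from Borage's post never mention it, so they can stay static and only the PREROUTING rules have to follow the lease. ISC dhclient-script sources exit hooks with $reason, $interface, $old_ip_address and $new_ip_address set; the hook file location (/etc/dhclient-exit-hooks or /etc/dhcp/dhclient-exit-hooks.d/ depending on the distribution), the interface name, the virtual-server list and the IPT variable are assumptions.

```shell
#!/bin/sh
# dhclient exit hook: keep hairpin DNAT rules pointing at the current WAN address.
# Constructed example. dhclient-script sources this file on every lease event with
# $reason, $interface, $old_ip_address and $new_ip_address set; where the hook file
# lives is distribution specific and Zeroshell's own layout is not assumed here.
# Only the DNAT rule names the WAN address; the LAN->server MASQUERADE rule does not,
# so it is left alone and only PREROUTING is rewritten when the lease changes.

WAN_IF="${WAN_IF:-ETH00}"     # assumed WAN interface name
# proto:wanport:internal_ip:internal_port, one entry per virtual server (constructed)
VSERVERS="${VSERVERS:-tcp:80:192.168.0.10:80 tcp:25:192.168.0.20:25}"
IPT="${IPT:-iptables}"        # IPT=echo prints the commands instead of applying them

# Match/target part of the DNAT rule for one entry (everything except -d WAN_IP).
dnat_spec() {  # $1 = proto:wanport:ip:port
    oldifs=$IFS; IFS=:; set -- $1; IFS=$oldifs
    echo "-p $1 --dport $2 -j DNAT --to-destination $3:$4"
}

# Replace the DNAT rules for $1 (old WAN IP, may be empty) with rules for $2 (new WAN IP).
# Deleting before adding keeps the rule set free of duplicates on a plain RENEW.
refresh_reflection() {
    old=$1; new=$2
    [ -n "$new" ] || return 1
    for entry in $VSERVERS; do
        spec=$(dnat_spec "$entry")
        if [ -n "$old" ] && [ "$old" != "$new" ]; then
            $IPT -t nat -D PREROUTING -d "$old" $spec 2>/dev/null || true   # drop stale lease rule
        fi
        $IPT -t nat -D PREROUTING -d "$new" $spec 2>/dev/null || true       # dedupe on RENEW
        $IPT -t nat -A PREROUTING -d "$new" $spec || return 1
    done
}

# Entry point when sourced by dhclient-script; silent for other interfaces and reasons.
case "${reason:-}" in
    BOUND|RENEW|REBIND|REBOOT)
        if [ "${interface:-}" = "$WAN_IF" ]; then
            refresh_reflection "${old_ip_address:-}" "${new_ip_address:-}"
        fi
        ;;
esac
```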
matthew.a.squires
Joined: 03 Jul 2008
Posts: 110
Posted: Tue Jan 13, 2009 5:12 pm    Post subject: What is NAT Reflection?

What is NAT Reflection?

What exactly does it allow me to do?
_________________
Thank You;
Matthew Squires
thund3rman
Joined: 12 Jan 2009
Posts: 7
Posted: Wed Jan 14, 2009 12:25 pm

When configuring PAT, you have two options (at least in beta11, from what I read in these forums):
1. Apply the PAT rule to the WAN interface;
2. Apply the PAT rule to the WAN IP.

If you choose option 1, when inside the local network, if you try to access the WAN IP, you connect directly to the firewall and not to the server you wanted, because your traffic doesn't go through the WAN interface.

Option 2 is only a real option if you have a static IP on your WAN interface. If you have a dynamic IP address, as the configuration for option 2 requires an IP address and you don't know it, you can't use it.

NAT reflection is a feature of several other products that allows you to have the behaviour of option 2 when using option 1.
In Zeroshell you don't have the possibility to configure that behaviour. Maybe a checkbox in option 1 could define a rule that did this through the hooks of DHCP (to refresh the rules on DHCP renewal).
baboo
Joined: 02 May 2007
Posts: 27
Posted: Wed Jan 14, 2009 2:23 pm

I am trying to do the same thing. I have DSL and static IPs. I want to be able to reach my webserver with its domain name from within my LAN.

I am not sure if I followed this topic correctly, but has this been solved?

Do I need to implement Borage's solution?

Any help would be very appreciated.

thanks
thund3rman
Joined: 12 Jan 2009
Posts: 7
Posted: Wed Jan 14, 2009 2:33 pm

If you have the latest release of Zeroshell the problem (yours) is solved, I think. Just configure PAT through IP instead of interface...

For those with dynamic IP the problem remains unsolved...
baboo
Joined: 02 May 2007
Posts: 27
Posted: Wed Jan 14, 2009 2:50 pm

Thanks thund3rman for the reply. Just one thing: I don't know what PAT is or where in Zeroshell you configure it.

Could you point me to it?

Thanks a lot for your help.
thund3rman
Joined: 12 Jan 2009
Posts: 7
Posted: Wed Jan 14, 2009 4:54 pm

Sorry...
PAT = Port Address Translation (http://en.wikipedia.org/wiki/Port_address_translation).

In Zeroshell: Router -> Virtual Servers
One virtual server is one PAT entry in the firewall.

Don't forget to use IP instead of interface...
baboo
Joined: 02 May 2007
Posts: 27
Posted: Wed Jan 14, 2009 5:16 pm

Thanks! You're the man!

Really appreciate the help
matthew.a.squires
Joined: 03 Jul 2008
Posts: 110
Posted: Wed Jan 14, 2009 5:24 pm

Can I use PAT / Virtual Servers to forward all packets from a particular interface or IP address to another Zeroshell router on the other end of my VPN connection? I want to use the other Zeroshell router as the Internet access.

I tried forwarding port 80 through the VPN, but when I check IPCHICKEN.COM for the ISP IP address being used, it is showing the source router's ISP address.

Is it possible, or is my thought process completely incorrect?

What am I missing?
_________________
Thank You;
Matthew Squires
HakanL
Joined: 10 Apr 2008
Posts: 10
Posted: Thu Mar 05, 2009 7:50 pm

I also have this issue, I tried to modify router_patconfig with the suggestion above, but it still doesn't work.

I think it would be just AWESOME if next to each virtual server you have a checkbox that says "Reflection" (or hairpin) and if you check it ZS will create the 2? extra iptables commands to allow access to the WAN ip port forwards from the internal range.

/Hakan
thund3rman
Joined: 12 Jan 2009
Posts: 7
Posted: Thu Jul 23, 2009 7:14 pm

Any news on this?

Maybe it would be a good thing to run at DHCP time (after getting the IP) for solutions with a dynamic IP address.
giancagianca
Joined: 23 Aug 2007
Posts: 36
Posted: Thu Jul 23, 2009 10:07 pm

If you access your internal server not by IP but by a symbolic name, you can set the symbolic name associated with the internal IP in DNS.

Example: for internal server 192.168.0.100 you can create an A record myserver 192.168.0.100.

Now if you use the symbolic name in the browser you are connected to 192.168.0.100.

Commercial routers also have this problem. For example Zyxel.

Bye.
zevlag
Joined: 14 Jul 2009
Posts: 27
Posted: Fri Jul 24, 2009 1:29 am

I'm about to release a patch to b11/b12 that will allow something like this. Watch for it soon.

The default rules aren't actually the ones you want, but it is a good start, they are easily modified.
thund3rman
Joined: 12 Jan 2009
Posts: 7
Posted: Sun Oct 18, 2009 9:12 pm

Any development on this patch you mention?
jeffrhysjones
Joined: 12 Sep 2008
Posts: 38
Posted: Mon Oct 11, 2010 10:38 am

Hi zevlag!

Firstly - thanks very much again for your patch for the > 100 virtual servers - I don't know what we would have done without it! Works a treat!

We would also like a solution for this PAT / VS issue. I think it's the same one - basically, we have an email server configured on a VS on a public IP which NATs through to a private VLAN (let's call it VLAN A).

The email server can send and receive email fine to all users / servers on the WAN interface (outside).

However we have servers inside the firewall - say on VLANB that also need to be able to send email to this server - alas - it's not possible.

I have had to do a horrible 'internal DNS / email domain' fix which isn't perfect.

So I would really like to be able to achieve this 'NAT Reflection' functionality in our setup - as one person pointed out on this list - it works great in PFSense.

I only need this on one or two VS's so if it's a line in a script somewhere that would also work.

Cheers - hope you are well!

Jeff
ppalias
Joined: 17 Dec 2008
Posts: 1151
Location: Athens, Greece
Posted: Wed Oct 13, 2010 11:06 am

Jeff, could you post here the iptables rule? Most likely you will only need an iptables rule to avoid NAT when the connection is established to a client from VLAN B.
jeffrhysjones
Joined: 12 Sep 2008
Posts: 38
Posted: Wed Oct 13, 2010 11:33 am

aha. I am working on this now!

I have just added the following to the 'NAT and Virtual Servers Script' on a test system here:

Code:
iptables -t nat -A PREROUTING -d 192.168.0.252 -p tcp --dport 80 -j DNAT --to 192.168.254.200
iptables -A FORWARD -p tcp --dport 80 -d 192.168.0.200 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -p tcp --dport 80 -d 192.168.0.200 -j MASQUERADE

WAN IP in my case in this test setup is 192.168.0.252. LAN web server is 192.168.254.200.

This initially did not work - I did notice that it added the following line to POSTROUTING - this looked right and I thought it *should* work. Alas no.
Code:
MASQUERADE  tcp  --  *      *       192.168.0.0/24       192.168.0.200       tcp dpt:80

However - if I enable the LAN interface (ETH0) as NAT (move it from left to right in the NAT settings page) - then all of a sudden it works! Hurrah! The additional line added to POSTROUTING when enabling NAT on the LAN interface was:
Code:
MASQUERADE  all  --  *      ETH03   0.0.0.0/0            0.0.0.0/0

I only had NAT enabled on the WAN interface - that just seemed to work fine and there was never a need to enable NAT on the LAN interfaces as well...

I then experimented - thinking perhaps I could remove the first two lines - but alas - this only works with all three lines - even if I already configured a Virtual Server to route traffic from WAN to LAN.

So now I have this working in my test setup - I just have to take a deep breath and apply it to live. Adding NAT to ETH3 seems like a bit of a blunderbuss method - if someone has an idea of how to achieve a working solution without having to NAT everything on ETH3 -or can spot why this script isn't working on its own - that would be my preferred solution I think.

Nearly there with this anyway....

Jeff
ppalias
Joined: 17 Dec 2008
Posts: 1151
Location: Athens, Greece
Posted: Wed Oct 13, 2010 1:00 pm

You are not providing enough info for us to help you. How many and which are your WAN interfaces?
I suppose you are doing PAT on your WAN link(s), is that correct?
Now you want a server that resides in the INSIDE zone of the firewall to communicate with the mail server. Are these two in the same LAN or in different ones? If the latter applies, what are the firewall rules for the inter-VLAN communication?
jeffrhysjones
Joined: 12 Sep 2008
Posts: 38
Posted: Wed Oct 13, 2010 3:20 pm

Oh dear - it would help, when asking for help - if I actually type in scripts correctly - it looks like I really cocked stuff up!

For the sake of completeness (and hopefully clarity) here are the settings and (hopefully) correct resolution:

Interface IPs on ZS Box:

ETH0 = WAN Interface 192.168.0.252 (192.168.0.0)
ETH3 = VLAN A Interface 192.168.254.254 (192.168.254.0/24)
ETH3 = VLAN B Interface 192.168.253.254 (192.168.253.0/24)

LAN Server IPs

Server A, VLAN A = 192.168.254.200
Server B, VLAN B = 192.168.253.100

This device is being used only for routing PAT / NAT as we have a transparent firewall device handling firewall stuff.

The desired functionality is for Server A to have PAT from WAN, but also this should work for servers in the same subnet / VLAN as Server A (VLAN A) - *AND* also for Server B in VLAN B.

SO. After finally figuring out that I just plain typed up the script totally **wrong**, the following script now works - with no NAT mods required - with just the following TWO lines:

Code:
iptables -t nat -A PREROUTING -d 192.168.0.252 -p tcp --dport 80 -j DNAT --to 192.168.254.200
iptables -t nat -A POSTROUTING -s 192.168.254.0/24 -p tcp --dport 80 -d 192.168.254.200 -j MASQUERADE

I am assuming therefore, if I wanted (as per the above example) Server B to be able to connect to Server A but using the PAT on the ETH0/WAN interface - I would need to add a third line, for an extra POSTROUTING entry for Server B's subnet? So the final rule would look like this:

Code:
iptables -t nat -A PREROUTING -d 192.168.0.252 -p tcp --dport 80 -j DNAT --to 192.168.254.200
iptables -t nat -A POSTROUTING -s 192.168.254.0/24 -p tcp --dport 80 -d 192.168.254.200 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.253.0/24 -p tcp --dport 80 -d 192.168.254.200 -j MASQUERADE

This looks good to you guys?

The reason why the first PREROUTING line is required, when there is already a Virtual Server entry set up to forward traffic from the WAN to Server A, is that this Virtual Server rule is set only to ETH0 as 'in' - which does not work for my case, as I am wanting the 'in' interface to also include traffic coming in from ETH3.

Sure enough, if I remove the interface specific Virtual Server rule and re-add it, this time with the interface set as 'ANY' - the 'NAT Reflection' works with just the POSTROUTING entries only.

Jeff
ppalias
Joined: 17 Dec 2008
Posts: 1151
Location: Athens, Greece
Posted: Wed Oct 13, 2010 8:18 pm

Jeff what you want to do is pretty simple and I don't understand why you have messed it with command line iptables.
In ZS web gui go Network->Router->NAT and enable ETH00
Network->Router->Virtual Server add a rule INPUT INTERFACE=ETH00, IP ADDRESS=ANY. PROTOCOL=TCP, LOCAL PORT=80, REMOTE IP=192.168.254.200, REMOTE PORT=80 and click the + button.
jeffrhysjones
Joined: 12 Sep 2008
Posts: 38
Posted: Wed Oct 13, 2010 9:04 pm

Thanks - but your GUI suggestion doesn't seem right to me.

Firstly, I already have NAT enabled on ETH0 in the GUI.
Secondly, your virtual server suggestion would see all WAN IPs forward port 80 to the web server on the LAN. Although my example only has one IP interface on ETH0 - the live system actually has multiple IPs on the WAN interface. I didn't mention this before - sorry.

So it's not as simple as you think, and certainly not possible via the GUI without POSTROUTING scripts - if it was - this thread would not have been started in the first place - would it?

Jeff
ppalias
Joined: 17 Dec 2008
Posts: 1151
Location: Athens, Greece
Posted: Fri Oct 15, 2010 7:29 am

Doesn't make any difference Jeff. In the VS instead of
Code:
INPUT INTERFACE=ETH00, IP ADDRESS=ANY...
use
Code:
INPUT INTERFACE=ETH00, IP ADDRESS=1.2.3.4 ...

Now only the desired IP address will be forwarded to the server you want for port 80. Is that what you wished?
gordonf
Joined: 26 Feb 2012
Posts: 88
Posted: Thu Mar 01, 2012 12:42 am    Post subject: Accessing LAN server via WAN IP: Any changes since v12?

I'm raising a long dead thread here, so please point me to a correct thread if there is one.

I just installed Zeroshell 1.0 v16 this week and I'm replacing a Snapgear SG300 with it -- both are Linux-based firewall routers. I need to be able to access internal servers via their WAN IPs because the host names have to match in some cases, both for HTTP host headers and for SSL / TLS so the certificate names match the host names. Yes, I know for SSL I can use subject alternative names, but this will be a public-facing server and commercial SAN certs are pricey. Host headers are even more difficult to work around.

Testing jeffrhysjones' NAT startup script example... I have static IPs so this works perfectly for both internal and external access to my server via the WAN IP:
Code:
iptables -t nat -A PREROUTING -d pub.ip.ad.dr -p tcp --dport 80 -j DNAT --to internal.ip.ad.dr
iptables -t nat -A POSTROUTING -s internal.ip.subnet.0/24 -p tcp --dport 80 -d internal.ip.ad.dr -j MASQUERADE

I also found that I didn't need to specify a virtual server setting in the Router pages if I scripted this at post-startup.

Having come away from Snapgear, I miss the luxury of point-and-drool router configs. The SG did this "NAT reflection" for me automatically. But this Zeroshell thread was for v12. Is there a setting I missed in v16 to enable this without having to script it?

I did find that if I enabled NAT on my internal interface like one fellow did here, it works but the source IP looks like the router's IP and any logging or access lists that depend on source IPs don't work right at all.
matth
Joined: 13 Apr 2009
Posts: 14
Location: Michigan, USA
Posted: Wed May 08, 2013 12:41 am    Post subject: The dead are risen. ZeroShell and "NAT Reflection"

Has anyone been able to make this work with dynamic WAN addresses?

I'd really like to continue using ZeroShell, but this would really be a killer for my application.

I'd love to be able to use DNS, but I have different ports going to different hosts on the internal LAN, so that's out.

HELP!
Page 1 of 2 (all times are GMT)