static NAT not working
October 12, 2010 at 12:43 pm #42683
mirza
Member
Hi,
I had set up ZeroShell to NAT 1:1 and here is my configuration:
eth0: 213.184.165.1/28 (WAN)
eth1: 172.26.1.1 (LAN with DHCP & DNS)
I have some IPs which I need to NAT statically from WAN to LAN
(213.184.165.10 --->>> 172.26.1.10). I've read the 1:1 NAT in ZeroShell but it's not working. Although the DHCP and DNS are working fine and giving leases to clients and clients have internet, static NATting is not working.
I need the static NAT to work properly from WAN to LAN.
October 13, 2010 at 11:17 am #51178
ppalias
Member
Hello! Post here the configuration changes you have done so far that are not working. Also include a
iptables -t nat -L -v
October 13, 2010 at 12:47 pm #51179
mirza
Member
Hi ppalias, I've added the code iptables -t nat -L -v, but still it's not NATting.
Here is my configuration:
#for 1:1 natting
iptables -t nat -I PREROUTING 1 -d 87.101.232.36 -i ETH00 -j DNAT --to-destination 172.26.1.61
iptables -t nat -I PREROUTING 1 -d 87.101.232.37 -i ETH00 -j DNAT --to-destination 172.26.1.38
# for dhcp one to many
iptables -t nat -I PREROUTING 1 -d 87.101.232.34 -i ETH00 -j DNAT --to-destination 172.26.1.1
#for 1:1 natting
iptables -t nat -I POSTROUTING 1 -s 172.26.1.61 -o ETH00 -j SNAT --to-source 87.101.232.36
iptables -t nat -I POSTROUTING 1 -s 172.26.1.38 -o ETH00 -j SNAT --to-source 87.101.232.37
# for dhcp one to many
iptables -t nat -I POSTROUTING -s 172.26.1.0/24 -o ETH00 -j SNAT --to-source 87.101.232.34
iptables -t nat -L -v
My firewall settings:
Chain: INPUT Policy Chain
Enabled
INPUT Rules
Seq Input Output Description Log Active
1 ETH01 * ACCEPT all opt -- in ETH01 out * 0.0.0.0/0 -> 0.0.0.0/0 no
2 ETH02 * ACCEPT all opt -- in ETH02 out * 0.0.0.0/0 -> 0.0.0.0/0 no
3 * * ACCEPT all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED no

Chain: FORWARD Policy Chain
Enabled
FORWARD Rules
Seq Input Output Description Log Active
1 ETH01 * ACCEPT all opt -- in ETH01 out * 0.0.0.0/0 -> 0.0.0.0/0 no
2 ETH02 * ACCEPT all opt -- in ETH02 out * 0.0.0.0/0 -> 0.0.0.0/0 no
3 * * ACCEPT all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED no

My WAN settings:
ETH00 10Mb/s Half Duplex
Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev 10) UP
87.101.232.34 255.255.255.240
87.101.232.36 255.255.255.240
87.101.232.37 255.255.255.240

My LAN settings:
ETH01 100Mb/s Full Duplex
Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev 10) UP
172.26.1.1 255.255.255.0
Can you please help me find where I am wrong?
October 13, 2010 at 1:00 pm #51180
mirza
Member
Sorry, I forgot to post the output of iptables -t nat -L -v
Here it is:
root@gateway root> iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 224 packets, 15722 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT all -- ETH00 any anywhere 87.101.232.34 to:172.26.1.1
0 0 DNAT all -- ETH00 any anywhere 87.101.232.37 to:172.26.1.38
0 0 DNAT all -- ETH00 any anywhere 87.101.232.36 to:172.26.1.61

Chain POSTROUTING (policy ACCEPT 289 packets, 21092 bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- any ETH00 172.26.1.0/24 anywhere to:87.101.232.34
0 0 SNAT all -- any ETH00 172.26.1.38 anywhere to:87.101.232.37
0 0 SNAT all -- any ETH00 172.26.1.61 anywhere to:87.101.232.36
289 21092 SNATVS all -- any any anywhere anywhere

Chain OUTPUT (policy ACCEPT 289 packets, 21092 bytes)
pkts bytes target prot opt in out source destination

Chain SNATVS (1 references)
pkts bytes target prot opt in out source destination
October 13, 2010 at 1:09 pm #51181
ppalias
Member
A first mistake I found is that you SNAT and DNAT different things in “one to many” rule. If in doubt use MASQUERADE, which is the default in these cases.
The rest seems ok, I suppose you have consulted the guide.
October 13, 2010 at 2:16 pm #51182
mirza
Member
Hi ppalias, thanks for the reply. Let's keep all my settings except NAT and change my NAT settings to
#for 1:1 natting
iptables -t nat -I PREROUTING 1 -d 87.101.232.36 -i ETH00 -j DNAT --to-destination 172.26.1.61
iptables -t nat -I PREROUTING 1 -d 87.101.232.37 -i ETH00 -j DNAT --to-destination 172.26.1.38
#for 1:1 natting
iptables -t nat -I POSTROUTING 1 -s 172.26.1.61 -o ETH00 -j SNAT --to-source 87.101.232.36
iptables -t nat -I POSTROUTING 1 -s 172.26.1.38 -o ETH00 -j SNAT --to-source 87.101.232.37
Even so, it's not NATting one to one: I am able to ping outside, but from outside I am not able to ssh, http to the real servers.
October 13, 2010 at 7:57 pm #51183
ppalias
Member
There is only one way to find out. Try to do something on these two servers; ssh, http, ping. Now normally if all is correct with the
iptables -t nat -L -v
the counters should rise. In the previous instance we can see that all counters are 0, except
289 21092 SNATVS...
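Added example, not part of the original posts: the counter check described above can be scripted so that only the DNAT/SNAT rules no packet has matched are listed. The function name and the sample table (documentation and private addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list the DNAT/SNAT rules whose packet
# counter is still 0 in `iptables -t nat -L -v` output read from stdin.

zero_hit_nat_rules() {
    awk '
        $1 == "Chain" { chain = $2; next }   # e.g. "Chain PREROUTING (policy ...)"
        $1 == "pkts"  { next }               # column header row
        # columns: pkts bytes target prot opt in out source destination to:ADDR
        NF >= 10 && $1 == "0" && ($3 == "DNAT" || $3 == "SNAT") {
            printf "%s %s in=%s out=%s src=%s dst=%s %s\n",
                   chain, $3, $6, $7, $8, $9, $10
        }
    '
}

# Constructed sample: one DNAT rule has been hit 12 times, the others never.
SAMPLE='Chain PREROUTING (policy ACCEPT 1358 packets, 161K bytes)
 pkts bytes target     prot opt in     out     source       destination
    0     0 DNAT       all  --  ETH00  any     anywhere     203.0.113.37   to:10.0.0.38
   12   720 DNAT       all  --  ETH00  any     anywhere     203.0.113.36   to:10.0.0.61

Chain POSTROUTING (policy ACCEPT 699 packets, 51903 bytes)
 pkts bytes target     prot opt in     out     source       destination
    0     0 SNAT       all  --  any    ETH00   10.0.0.38    anywhere       to:203.0.113.37
  699 51903 SNATVS     all  --  any    any     anywhere     anywhere
'

# Stand-alone run on the sample; prints the two rules that were never matched.
printf '%s\n' "$SAMPLE" | zero_hit_nat_rules
```

On the firewall itself, pipe the live table in: `iptables -t nat -L -v -n | zero_hit_nat_rules`. The nat table is consulted only for the first packet of each connection, so these counters count new connections, not every packet.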
October 15, 2010 at 2:29 am #51184
Anonymous
Member
DELETED
October 16, 2010 at 9:10 am #51185
mirza
Member
Hi ppalias, here is the output. I am sorry to say the counter is 0. I tried NAT with my Cisco router and it's working fine, but with ZeroShell it is not. Maybe it is the version of ZeroShell, 13 beta? Or maybe some settings in the firewall which I am missing.
root@gateway root> iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 1358 packets, 161K bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT all -- ETH00 any anywhere 87.101.232.37 to:172.26.1.38
0 0 DNAT all -- ETH00 any anywhere 87.101.232.36 to:172.26.1.61
77 17118 Proxy tcp -- any any anywhere anywhere tcp dpt:http

Chain POSTROUTING (policy ACCEPT 699 packets, 51903 bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- any ETH00 172.26.1.38 anywhere to:87.101.232.37
0 0 SNAT all -- any ETH00 172.26.1.61 anywhere to:87.101.232.36
699 51903 SNATVS all -- any any anywhere anywhere

Chain OUTPUT (policy ACCEPT 610 packets, 42365 bytes)
pkts bytes target prot opt in out source destination

Chain Proxy (1 references)
pkts bytes target prot opt in out source destination
77 17118 REDIRECT tcp -- ETH01 any anywhere anywhere redir ports 8080

Chain SNATVS (1 references)
pkts bytes target prot opt in out source destination
October 18, 2010 at 2:08 pm #51186
ppalias
Member
Rule 87.101.232.34 to:172.26.1.1 is not needed.
Post here the output of
ifconfig -a
October 18, 2010 at 2:20 pm #51187
mirza
Member
Here is the output of ifconfig -a
root@gateway root> ifconfig -a
DEFAULTBR Link encap:Ethernet HWaddr CA:AA:DF:A1:7F:F3
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

ETH00 Link encap:Ethernet HWaddr 00:1F:1F:00:E9:A2
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:40866 errors:0 dropped:0 overruns:0 frame:0
TX packets:41369 errors:22 dropped:0 overruns:0 carrier:44
collisions:19 txqueuelen:1000
RX bytes:25399791 (24.2 Mb) TX bytes:5736186 (5.4 Mb)
Interrupt:21 Base address:0xdc00

ETH00:00 Link encap:Ethernet HWaddr 00:1F:1F:00:E9:A2
inet addr:87.101.232.34 Bcast:87.101.232.47 Mask:255.255.255.240
UP BROADCAST MULTICAST MTU:1500 Metric:1
Interrupt:21 Base address:0xdc00

ETH00:01 Link encap:Ethernet HWaddr 00:1F:1F:00:E9:A2
inet addr:87.101.232.36 Bcast:87.101.232.47 Mask:255.255.255.240
UP BROADCAST MULTICAST MTU:1500 Metric:1
Interrupt:21 Base address:0xdc00

ETH00:02 Link encap:Ethernet HWaddr 00:1F:1F:00:E9:A2
inet addr:87.101.232.37 Bcast:87.101.232.47 Mask:255.255.255.240
UP BROADCAST MULTICAST MTU:1500 Metric:1
Interrupt:21 Base address:0xdc00

ETH01 Link encap:Ethernet HWaddr 00:21:27:C6:B8:61
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:30038 errors:0 dropped:0 overruns:0 frame:0
TX packets:33629 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4530791 (4.3 Mb) TX bytes:19559554 (18.6 Mb)
Interrupt:20 Base address:0xde00

ETH01:00 Link encap:Ethernet HWaddr 00:21:27:C6:B8:61
inet addr:172.26.1.1 Bcast:172.26.1.255 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
Interrupt:20 Base address:0xde00

ETH02 Link encap:Ethernet HWaddr 00:19:DB:53:22:7B
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8015 errors:0 dropped:0 overruns:0 frame:0
TX packets:1962 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:725040 (708.0 Kb) TX bytes:667636 (651.9 Kb)
Interrupt:23 Base address:0xda00

ETH02:00 Link encap:Ethernet HWaddr 00:19:DB:53:22:7B
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:23 Base address:0xda00

VPN99 Link encap:Ethernet HWaddr 00:FF:01:96:CE:01
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

VPN99:00 Link encap:Ethernet HWaddr 00:FF:01:96:CE:01
inet addr:192.168.250.254 Bcast:192.168.250.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

dummy0 Link encap:Ethernet HWaddr 16:7D:9B:D0:7C:07
inet addr:192.168.141.142 Bcast:192.168.141.255 Mask:255.255.255.0
BROADCAST NOARP MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

dummy1 Link encap:Ethernet HWaddr 76:1D:87:67:46:21
inet addr:192.168.142.142 Bcast:192.168.142.255 Mask:255.255.255.255
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:5581 errors:0 dropped:0 overruns:0 frame:0
TX packets:5581 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:787948 (769.4 Kb) TX bytes:787948 (769.4 Kb)
October 18, 2010 at 2:56 pm #51188
ppalias
Member
I can’t see anything wrong. Will try to test it in my lab system and see what could be wrong.
October 23, 2010 at 8:21 pm #51189
jessicabarbara
Member
I regret to say that the counter is 0, I tried with my nat cisco router works fine, but not zeroshell. Perhaps with the beta version of zeroshell 13? or maybe some settings in the firewall that I miss.
October 27, 2010 at 12:49 pm #51190
mirza
Member
Dear ppalias, any luck finding the problem?
October 27, 2010 at 1:45 pm #51191
ppalias
Member
Nope, I’m a little bit on the run due to a lot of work and chores, never had the chance to test it so far.