static NAT not working

[mirza]

Hi,

I had setup zeroshell to nat 1:1 and here is my configuration:

eth0: 213.184.165.1/28 (WAN)

eth1: 172.26.1.1 (LAN with DHCP & DNS)

I have some IP’s which i need to nat static from wan to lan
(213.184.165.10 —->>> 172.26.1.10). i’ve read the 1:1 NAT in ZeroShell but it’s not working.

Although the dhcp and dns is working fine and giving lease to clients and clients have internet. but static natting is not working.

i need the static nat to work properly from wan to lan.

[ppalias]

Hello! Post here the configuration changes you have done so far that are not working. Also include a

iptables -t nat -L -v

[mirza]

Hi ppalias, i’ve added the code iptables -t nat -L -v. but still it’s not natting.

here is my configuration:-

#for 1:1 natting

iptables -t nat -I PREROUTING 1 -d 87.101.232.36 -i ETH00 -j DNAT –to-destination 172.26.1.61
iptables -t nat -I PREROUTING 1 -d 87.101.232.37 -i ETH00 -j DNAT –to-destination 172.26.1.38

# for dhcp one to many

iptables -t nat -I PREROUTING 1 -d 87.101.232.34 -i ETH00 -j DNAT –to-destination 172.26.1.1

#for 1:1 natting

iptables -t nat -I POSTROUTING 1 -s 172.26.1.61 -o ETH00 -j SNAT –to-source 87.101.232.36
iptables -t nat -I POSTROUTING 1 -s 172.26.1.38 -o ETH00 -j SNAT –to-source 87.101.232.37

# for dhcp one to many
iptables -t nat -I POSTROUTING -s 172.26.1.0/24 -o ETH00 -j SNAT –to-source 87.101.232.34

iptables -t nat -L -v

my firewall settings:–

Chain: INPUT Policy Chain
Enabled
INPUT Rules
Seq Input Output Description Log Active
1 ETH01 * ACCEPT all opt — in ETH01 out * 0.0.0.0/0 -> 0.0.0.0/0 no
2 ETH02 * ACCEPT all opt — in ETH02 out * 0.0.0.0/0 -> 0.0.0.0/0 no
3 * * ACCEPT all opt — in * out * 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED no

Chain: FORWARD Policy Chain
Enabled
FORWARD Rules
Seq Input Output Description Log Active
1 ETH01 * ACCEPT all opt — in ETH01 out * 0.0.0.0/0 -> 0.0.0.0/0 no
2 ETH02 * ACCEPT all opt — in ETH02 out * 0.0.0.0/0 -> 0.0.0.0/0 no
3 * * ACCEPT all opt — in * out * 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED no

my WAN settings:-

ETH00 10Mb/s Half Duplex
Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev 10) UP

87.101.232.34 255.255.255.240
87.101.232.36 255.255.255.240
87.101.232.37 255.255.255.240

my LAN settings:–

ETH01 100Mb/s Full Duplex
Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev 10) UP

172.26.1.1 255.255.255.0

can you please help me where i am wrong.

[mirza]

Sorry the forgot to post the output of iptables -t nat -L -v

here it is:–

root@gateway root> iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 224 packets, 15722 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT all — ETH00 any anywhere 87.101.232.34 to:172.26.1.1
0 0 DNAT all — ETH00 any anywhere 87.101.232.37 to:172.26.1.38
0 0 DNAT all — ETH00 any anywhere 87.101.232.36 to:172.26.1.61

Chain POSTROUTING (policy ACCEPT 289 packets, 21092 bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all — any ETH00 172.26.1.0/24 anywhere to:87.101.232.34
0 0 SNAT all — any ETH00 172.26.1.38 anywhere to:87.101.232.37
0 0 SNAT all — any ETH00 172.26.1.61 anywhere to:87.101.232.36
289 21092 SNATVS all — any any anywhere anywhere

Chain OUTPUT (policy ACCEPT 289 packets, 21092 bytes)
pkts bytes target prot opt in out source destination

Chain SNATVS (1 references)
pkts bytes target prot opt in out source destination

[ppalias]

A first mistake I found is that you SNAT and DNAT different things in “one to many” rule. If in doubt use MASQUERADE, which is the default in these cases.
The rest seems ok, I suppose you have consulted the guide.

[mirza]

Hi ppalias, thanks for reply. let’s keep all my settings except nat and change my nat settings to

#for 1:1 natting

iptables -t nat -I PREROUTING 1 -d 87.101.232.36 -i ETH00 -j DNAT –to-destination 172.26.1.61
iptables -t nat -I PREROUTING 1 -d 87.101.232.37 -i ETH00 -j DNAT –to-destination 172.26.1.38

#for 1:1 natting

iptables -t nat -I POSTROUTING 1 -s 172.26.1.61 -o ETH00 -j SNAT –to-source 87.101.232.36
iptables -t nat -I POSTROUTING 1 -s 172.26.1.38 -o ETH00 -j SNAT –to-source 87.101.232.37

even though it’s not natting one to one even though i am able to ping outside but from outside i am not able to ssh, http to the real servers from outside.

[ppalias]

There is only one way to find out. Try to do something on these two servers; ssh, http, ping. Now normally if all is correct with the

iptables -t nat -L -v

the counters should raise. In the previous instance we can see that all counters are 0, except

289 21092 SNATVS...

[Anonymous]

DELETED

[mirza]

Hi ppalias, here is the output, i am sorry to say the counter is 0, i tried nat with my cisco router it’s working fine but with zeroshell it not. maybe is it with the version of zeroshell 13 beta? or maybe some settings in the firewall which i am missing.

root@gateway root> iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 1358 packets, 161K bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT all — ETH00 any anywhere 87.101.232.37 to:172.26.1.38
0 0 DNAT all — ETH00 any anywhere 87.101.232.36 to:172.26.1.61
77 17118 Proxy tcp — any any anywhere anywhere tcp dpt:http

Chain POSTROUTING (policy ACCEPT 699 packets, 51903 bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all — any ETH00 172.26.1.38 anywhere to:87.101.232.37
0 0 SNAT all — any ETH00 172.26.1.61 anywhere to:87.101.232.36
699 51903 SNATVS all — any any anywhere anywhere

Chain OUTPUT (policy ACCEPT 610 packets, 42365 bytes)
pkts bytes target prot opt in out source destination

Chain Proxy (1 references)
pkts bytes target prot opt in out source destination
77 17118 REDIRECT tcp — ETH01 any anywhere anywhere redir ports 8080

Chain SNATVS (1 references)
pkts bytes target prot opt in out source destination

[ppalias]

Rule 87.101.232.34 to:172.26.1.1 is not needed.
Post here the output of

ifconfig -a

[mirza]

here is the output of ifconfig -a

root@gateway root> ifconfig -a
DEFAULTBR Link encap:Ethernet HWaddr CA:AA:DF:A1:7F:F3
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

ETH00 Link encap:Ethernet HWaddr 00:1F:1F:00:E9:A2
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:40866 errors:0 dropped:0 overruns:0 frame:0
TX packets:41369 errors:22 dropped:0 overruns:0 carrier:44
collisions:19 txqueuelen:1000
RX bytes:25399791 (24.2 Mb) TX bytes:5736186 (5.4 Mb)
Interrupt:21 Base address:0xdc00

ETH00:00 Link encap:Ethernet HWaddr 00:1F:1F:00:E9:A2
inet addr:87.101.232.34 Bcast:87.101.232.47 Mask:255.255.255.240
UP BROADCAST MULTICAST MTU:1500 Metric:1
Interrupt:21 Base address:0xdc00

ETH00:01 Link encap:Ethernet HWaddr 00:1F:1F:00:E9:A2
inet addr:87.101.232.36 Bcast:87.101.232.47 Mask:255.255.255.240
UP BROADCAST MULTICAST MTU:1500 Metric:1
Interrupt:21 Base address:0xdc00

ETH00:02 Link encap:Ethernet HWaddr 00:1F:1F:00:E9:A2
inet addr:87.101.232.37 Bcast:87.101.232.47 Mask:255.255.255.240
UP BROADCAST MULTICAST MTU:1500 Metric:1
Interrupt:21 Base address:0xdc00

ETH01 Link encap:Ethernet HWaddr 00:21:27:C6:B8:61
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:30038 errors:0 dropped:0 overruns:0 frame:0
TX packets:33629 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4530791 (4.3 Mb) TX bytes:19559554 (18.6 Mb)
Interrupt:20 Base address:0xde00

ETH01:00 Link encap:Ethernet HWaddr 00:21:27:C6:B8:61
inet addr:172.26.1.1 Bcast:172.26.1.255 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
Interrupt:20 Base address:0xde00

ETH02 Link encap:Ethernet HWaddr 00:19:DB:53:22:7B
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8015 errors:0 dropped:0 overruns:0 frame:0
TX packets:1962 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:725040 (708.0 Kb) TX bytes:667636 (651.9 Kb)
Interrupt:23 Base address:0xda00

ETH02:00 Link encap:Ethernet HWaddr 00:19:DB:53:22:7B
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:23 Base address:0xda00

VPN99 Link encap:Ethernet HWaddr 00:FF:01:96:CE:01
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

VPN99:00 Link encap:Ethernet HWaddr 00:FF:01:96:CE:01
inet addr:192.168.250.254 Bcast:192.168.250.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

dummy0 Link encap:Ethernet HWaddr 16:7D:9B:D0:7C:07
inet addr:192.168.141.142 Bcast:192.168.141.255 Mask:255.255.255.0
BROADCAST NOARP MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

dummy1 Link encap:Ethernet HWaddr 76:1D:87:67:46:21
inet addr:192.168.142.142 Bcast:192.168.142.255 Mask:255.255.255.255
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:5581 errors:0 dropped:0 overruns:0 frame:0
TX packets:5581 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:787948 (769.4 Kb) TX bytes:787948 (769.4 Kb)

[ppalias]

I can’t see anything wrong. Will try to test it in my lab system and see what could be wrong.

[jessicabarbara]

I regret to say that the counter is 0, I tried with my nat cisco router works fine, but not zeroshell. Perhaps with the beta version of zeroshell 13? or maybe some settings in the firewall that I miss.

[mirza]

Dear ppalias, any luck finding problem.

[ppalias]

Nope, I’m a little bit on the run due to a lot of work and chores, never had the chance to test it so far.

[Author]

Posts