One-to-one NAT on Linux?

jibbajabba Member Posts: 4,317
Been crawling the net quite a bit but it is all Chinese to me tbh.

Could someone maybe help a Linux n00b :p

I need a way to have a server which acts as router and does simple 1-to-1 NAT without firewalling.

For example, the Linux server has IP 172.0.0.1/24 on the LAN side and has multiple public IPs configured, which should then be NATed to IPs on the LAN side, forwarding every port for now.

So for example

Linux / Router

Public
85.85.85.1
85.85.85.2
85.85.85.3

Private
172.0.0.1

NAT rules configured
85.85.85.1 > 172.0.0.10
85.85.85.2 > 172.0.0.20
85.85.85.3 > 172.0.0.30


Client #1
172.0.0.10 using 172.0.0.1 as gateway
Client #2
172.0.0.20 using 172.0.0.1 as gateway
Client #3
172.0.0.30 using 172.0.0.1 as gateway

Does this make sense ?

If firewalling is a side effect then so be it, but I never played with iptables (apart from chkconfig iptables off / rpm -e iptables :p ) so would appreciate an example :)
My own knowledge base made public: http://open902.com :p

Comments

  • MentholMoose Member Posts: 1,525
    1-to-1 / static NAT seems to be explained here (the Static NAT section):
    Quick HOWTO : Ch14 : Linux Firewalls Using iptables - Linux Home Networking

    I think your example scenario will be something like this:

    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A PREROUTING -d 85.85.85.1 -i eth0 -j DNAT --to-destination 172.0.0.10
    iptables -t nat -A POSTROUTING -s 172.0.0.10 -o eth0 -j SNAT --to-source 85.85.85.1
    iptables -t nat -A PREROUTING -d 85.85.85.2 -i eth0 -j DNAT --to-destination 172.0.0.20
    iptables -t nat -A POSTROUTING -s 172.0.0.20 -o eth0 -j SNAT --to-source 85.85.85.2
    iptables -t nat -A PREROUTING -d 85.85.85.3 -i eth0 -j DNAT --to-destination 172.0.0.30
    iptables -t nat -A POSTROUTING -s 172.0.0.30 -o eth0 -j SNAT --to-source 85.85.85.3
    iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
    iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
    MentholMoose
    MCSA 2003, LFCS, LFCE (expired), VCP6-DCV
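    The rule set above written out as a generator script (an added example, not MentholMoose's or the thread's own code). It assumes eth0 is the public side carrying the 85.85.85.x addresses and eth1 is the 172.0.0.0/24 side; both names and the mappings are taken from the scenario in the question and can be overridden with WAN_IF/LAN_IF. Two points it makes explicit: iptables matches on the physical interface, so the public addresses are selected with -d/-s and the interface is always eth0, never an alias such as eth0:1; and the two FORWARD ACCEPT lines are exactly what makes every port on the mapped hosts reachable from outside. Passing a port list generates a FORWARD chain that only lets those TCP ports open new inbound flows to the mapped addresses, with replies handled by connection tracking.

```shell
#!/bin/sh
# Added example: generate the iptables rule set for 1-to-1 (static) NAT from a
# list of "public=private" mappings. Interface names, addresses and mappings
# are assumptions modelled on the thread's scenario, not taken from a live box.

WAN_IF="${WAN_IF:-eth0}"   # public side: carries every 85.85.85.x address
LAN_IF="${LAN_IF:-eth1}"   # private side: 172.0.0.1/24

# Constructed mappings matching the question (public=private).
MAPPINGS="85.85.85.1=172.0.0.10 85.85.85.2=172.0.0.20 85.85.85.3=172.0.0.30"

# is_ipv4 ADDR: succeed if ADDR is four dotted octets, each 0-255.
is_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for o in $(echo "$1" | tr '.' ' '); do
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# nat_rules_for PUBLIC PRIVATE: print the PREROUTING/POSTROUTING pair.
# The interface is the physical one (eth0); an alias name like eth0:1 is not
# known to iptables, the -d/-s address is what selects the mapping.
nat_rules_for() {
  pub="$1"; priv="$2"
  echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $pub -j DNAT --to-destination $priv"
  echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $priv -j SNAT --to-source $pub"
}

# gen_ruleset "MAPPINGS" [PORTS]: print the complete rule set.
# Without PORTS the FORWARD chain accepts everything, so every port of each
# mapped host is reachable from the outside (the thread's "forward every port").
# With PORTS (e.g. "22,443") only those TCP ports may open new inbound flows;
# the reply direction and LAN-originated traffic pass via connection tracking.
gen_ruleset() {
  maps="$1"; ports="$2"
  echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
  for m in $maps; do
    pub="${m%%=*}"; priv="${m#*=}"
    is_ipv4 "$pub" && is_ipv4 "$priv" || { echo "bad mapping: $m" >&2; return 1; }
    nat_rules_for "$pub" "$priv"
  done
  if [ -z "$ports" ]; then
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT"
  else
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT"
    for m in $maps; do
      priv="${m#*=}"
      echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $priv -p tcp -m multiport --dports $ports -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -j DROP"
  fi
}

# Usage: ./onetoone.sh print            (review the rules)
#        ./onetoone.sh print | sh       (apply them as root)
if [ "${1:-}" = "print" ]; then
  gen_ruleset "$MAPPINGS"
fi
```

    Printing first and piping to sh second keeps the generated rules reviewable; the DNAT/SNAT pairs are appended in mapping order, so a mapping that fails the address check stops generation before anything is applied.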
  • jibbajabba Member Posts: 4,317
    Awesome, thanks .. will try that later on :)
    My own knowledge base made public: http://open902.com :p
  • marishajohn2011 Registered Users Posts: 3
    Thanks MentholMoose, I had this same issue, now I will try your given commands.
    Let's see how it works.
  • Everyone Member Posts: 1,661
    If you prefer a GUI, pfSense is really good. It's based on FreeBSD.
    Network Address Translation (NAT)


    • Port forwards including ranges and the use of multiple public IPs
    • 1:1 NAT for individual IPs or entire subnets.
    • Outbound NAT
      • Default settings NAT all outbound traffic to the WAN IP. In multiple WAN scenarios, the default settings NAT outbound traffic to the IP of the WAN interface being used.
      • Advanced Outbound NAT allows this default behavior to be disabled, and enables the creation of very flexible NAT (or no NAT) rules.
    • NAT Reflection - in some configurations, NAT reflection is possible so services can be accessed by public IP from internal networks.

    ClearOS, which is based on CentOS (which is based on Red Hat), may have these features too, but it is a lot more than just a firewall/router.
  • jibbajabba Member Posts: 4,317
    Everyone wrote: »
    If you prefer a GUI, pfSense is really good. It's based on FreeBSD.
    ClearOS, which is based on CentOS (which is based on Red Hat), may have these features too, but it is a lot more than just a firewall/router.

    Needs to be able to run in a virtual machine, but I will have a look - thanks :)
    My own knowledge base made public: http://open902.com :p
  • Everyone Member Posts: 1,661
    jibbajabba wrote: »
    Needs to be able to run in a virtual machine, but I will have a look - thanks :)

    It can run in a VM. ;) In fact you can download a VMware appliance for it...

    PfSense VMware Appliance - PFSenseDocs
  • jibbajabba Member Posts: 4,317
    1-to-1 / static NAT seems to be explained here (the Static NAT section):
    Quick HOWTO : Ch14 : Linux Firewalls Using iptables - Linux Home Networking

    I think your example scenario will be something like this:

    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A PREROUTING -d 85.85.85.1 -i eth0 -j DNAT --to-destination 172.0.0.10
    iptables -t nat -A POSTROUTING -s 172.0.0.10 -o eth0 -j SNAT --to-source 85.85.85.1
    iptables -t nat -A PREROUTING -d 85.85.85.2 -i eth0 -j DNAT --to-destination 172.0.0.20
    iptables -t nat -A POSTROUTING -s 172.0.0.20 -o eth0 -j SNAT --to-source 85.85.85.2
    iptables -t nat -A PREROUTING -d 85.85.85.3 -i eth0 -j DNAT --to-destination 172.0.0.30
    iptables -t nat -A POSTROUTING -s 172.0.0.30 -o eth0 -j SNAT --to-source 85.85.85.3
    iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
    iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

    I tried this now and it seems that the above commands don't work with subinterfaces (i.e. eth0:1). I used eth0 now instead and the client can indeed ping external IPs, including a DNS server (i.e. 8.8.8.8), but it still either can't resolve the hostnames or routing is not properly working yet ....

    NAT SEEMS to work because I can SSH to the public / NATed IP and it gets to the proper client ..
    My own knowledge base made public: http://open902.com :p
  • jibbajabba Member Posts: 4,317
    Gave up on using CentOS or pfSense... Threw my patience out of the window :)

    I did find a very good solution though - ClearOS - powerful and free

    ClearOS | Overview | Software

    What I liked was the fact that you really do everything in a very nice UI without playing around, installs in no time and setup too - pretty much a one click solution ..

    Got NAT / Routing working in two clicks and enabled PPTP in one ...

    Still needs some more testing but it certainly works brilliantly ..
    My own knowledge base made public: http://open902.com :p
  • Everyone Member Posts: 1,661
    jibbajabba wrote: »
    Gave up on using CentOS or pfSense... Threw my patience out of the window :)

    I did find a very good solution though - ClearOS - powerful and free

    ClearOS | Overview | Software

    What I liked was the fact that you really do everything in a very nice UI without playing around, installs in no time and setup too - pretty much a one click solution ..

    Got NAT / Routing working in two clicks and enabled PPTP in one ...

    Still needs some more testing but it certainly works brilliantly ..

    Pretty sure I mentioned ClearOS in post #5. ;)
    Everyone wrote:
    ClearOS, which is based on CentOS (which is based on Red Hat), may have these features too, but it is a lot more than just a firewall/router.

    Oh I did! It is pretty fun, and they did make a nice UI for it. Lots of features!
  • jibbajabba Member Posts: 4,317
    Everyone wrote: »
    Pretty sure I mentioned ClearOS in post #5. ;)
    Oh I did! It is pretty fun, and they did make a nice UI for it. Lots of features!

    Lies - you cheated and bribed a mod to sneak that post in there ... somehow :p:p

    So you did work with it? I wonder, I created a 1-1 NAT rule which worked immediately, but it also opened all ports it seems (even though there wasn't anything on the firewall page) - basically I could RDP to it straight away .. Is this expected behaviour?

    I only had 5 minutes to play though so I will concentrate on it next week (so having working routing / nat and vpn working in 5 minutes makes it a great product).

    A shame I missed that post of yours somehow and concentrated on pfSense - would have saved me a lot of time if I had tried ClearOS first :p
    My own knowledge base made public: http://open902.com :p
  • jibbajabba Member Posts: 4,317
    Playing more at the moment .. man I love it .. Cheers "Everyone" again ... exactly what I was looking for .. can't believe there are still one-click solutions out there which actually work out of the box :)
    My own knowledge base made public: http://open902.com :p
  • Everyone Member Posts: 1,661
    jibbajabba wrote: »
    Lies - you cheated and bribed a mod to sneak that post in there ... somehow :p:p

    So you did work with it? I wonder, I created a 1-1 NAT rule which worked immediately, but it also opened all ports it seems (even though there wasn't anything on the firewall page) - basically I could RDP to it straight away .. Is this expected behaviour?

    I only had 5 minutes to play though so I will concentrate on it next week (so having working routing / nat and vpn working in 5 minutes makes it a great product).

    A shame I missed that post of yours somehow and concentrated on pfSense - would have saved me a lot of time if I had tried ClearOS first :p

    I have played around with it, that's about it. I didn't like the mail server functionality on it, it was far too basic and boring for me. It would have been better if they used Zimbra for that portion, but Zimbra really needs to be on its own server. ClearOS is meant to be a small business server that can handle multiple roles at once (NAT, VPN, Web Server, Domain Controller, basic e-mail, anti-spam, etc).

    I might set it up on a VM at home and play around with it again, I think it's a great free solution for small networks. I only work on very large enterprise networks, which it really isn't suited for, so it doesn't interest me as much.
  • jibbajabba Member Posts: 4,317
    The only options I really need are NAT, MAYBE firewalling, and VPN. At the moment I am using a decommissioned SonicWall but it is old and horrible (Pro 330). Just don't want to spend the money on an NSA. The actual project I needed it for is an ESXi server with an Exchange VM, a web server and stuff like DCs etc. The main reason for NAT is simply the portability of the VMs, so wherever the host is moving, I only ever need to change the DNS records of the domains and the NAT config but I don't have to touch the AD infrastructure etc.. Also very nice to have is the built-in proxy ....

    I could have done all that with a single 2008 server but stupid RRAS doesn't do 1-to-1 NAT. Plus the iPhone IPsec VPN client doesn't play ball with the Sonic, so bottom line - that distro does what I want. Haven't tested anything like antivirus etc. etc. But will do so next week.
    My own knowledge base made public: http://open902.com :p