NAT Masquerade reflection/bounce

Vyatta.org Forum Index -> Users
HakanL (Forum Newbie, Joined: 10 Apr 2008, Posts: 15)
Posted: Thu Apr 10, 2008 7:24 pm    Post subject: NAT Masquerade reflection/bounce

Hi,

I'm new to Vyatta but really like it so far. I'm trying to set up a scenario where I want to access, from the private subnet, a private server which is mapped through destination NAT to my public IP.

Private subnet: 192.168.1.0/24

Public ip: 20.1.1.1
Destination port: 80
Server private ip: 192.168.1.100

Workstation: 192.168.1.200

I can access the Internet fine from both the workstation and the server, and I can access the server on its private IP. I can also access the server from the Internet.
However, I'd like to access the server from the workstation through the public IP as well. That way I don't need a separate internal DNS server or a similar hack. I've done this with several firewalls in the past, including Linksys and IPCop. I also know I can't do this on a Cisco PIX, which I think is a big limitation.

My question is, how do I configure this in Vyatta?
I found this (http://www.zeroshell.net/eng/forum/viewtopic.php?p=671&sid=2a0ae8daee70abb55ba84acb6cbefaf1) forum post for another firewall (ZeroShell) where someone explains how this is done in iptables. I hope that helps describe what I'm trying to accomplish.


Thanks,
/Hakan
john.southworth (Super User, Joined: 26 Feb 2008, Posts: 302)
Posted: Wed Apr 16, 2008 5:55 pm

I have managed to do this, very convolutedly: since this is just for my local network and I have a dynamic WAN IP, I had to go around the world to make it work. Luckily you have what I assume is a static WAN IP, so it should be easier. Here goes the procedure. Like in the iptables example you linked to, you need two NAT rules.

First the DNAT rule
Code:
 destination {
     address 20.1.1.1
     port 80
 }
 inbound-interface eth1
 inside-address {
     address 192.168.1.100
     port 80
 }
 protocol tcp
 source {
     address 192.168.1.0/24
 }
 type destination


then the MASQ rule
Code:
 destination {
     address 192.168.1.100
     port 80
 }
 outbound-interface eth1
 protocol tcp
 source {
     address 192.168.1.0/24
 }
 type masquerade


I'm assuming that this will work off the WAN port like it does for the internal address that I have mine bouncing off of.

Hope this helps.
john.southworth (Super User, Joined: 26 Feb 2008, Posts: 302)
Posted: Thu Apr 17, 2008 5:13 am

I have verified that the above will work against the WAN interface.

Also note that eth1 is my LAN side NIC and it should remain the interface we are watching on.
HakanL (Forum Newbie, Joined: 10 Apr 2008, Posts: 15)
Posted: Thu Apr 17, 2008 7:11 am

Excellent, thank you very much! I'll give this a try and see how it goes.

/Hakan
shad (Forum Newbie, Joined: 21 Jan 2009, Posts: 3)
Posted: Thu Jan 22, 2009 7:19 pm    Post subject: NAT Masquerade reflection/bounce

Hi,

Sorry to reply to such an old thread but I seem to be stuck with this.

Following the examples almost exactly, other than that my subnet is 192.168.0.0/24 and the local LAN is eth0, the closest I can come to getting this to work is a timeout instead of a connection refused.
I am using VC5 beta, have a static IP through PPPoE, and have tried with the firewall on eth0 disabled, with no luck.

Any suggestions?

Thanks,

Dave
john.southworth (Super User, Joined: 26 Feb 2008, Posts: 302)
Posted: Fri Jan 23, 2009 6:50 am

Those rules were kind of a nasty hack. I think that you might be better running an internal DNS server and resolving your external domain name to the internal address of the server you are forwarding ports to, or something similar.

If you want to pursue the NAT reflection route, please post your config and I'll see if I can help you with that.
murmel (Active Member, Joined: 21 Jan 2009, Posts: 24)
Posted: Fri Jan 23, 2009 9:36 am

john.southworth wrote:
I have managed to do this, very convolutedly: since this is just for my local network and I have a dynamic WAN IP, I had to go around the world to make it work. Luckily you have what I assume is a static WAN IP, so it should be easier. Here goes the procedure. Like in the iptables example you linked to, you need two NAT rules.

First the DNAT rule
Code:
 destination {
     address 20.1.1.1
     port 80
 }
 inbound-interface eth1
 inside-address {
     address 192.168.1.100
     port 80
 }
 protocol tcp
 source {
     address 192.168.1.0/24
 }
 type destination


then the MASQ rule
Code:
 destination {
     address 192.168.1.100
     port 80
 }
 outbound-interface eth1
 protocol tcp
 source {
     address 192.168.1.0/24
 }
 type masquerade


I'm assuming that this will work off the WAN port like it does for the internal address that I have mine bouncing off of.

Hope this helps.


I'm now sending you a big freaking hug! You made my day! =)

Code:
set service nat rule 2
set service nat rule 2 destination port 443
set service nat rule 2 inbound-interface eth0
set service nat rule 2 inside-address address 192.168.0.42
set service nat rule 2 protocol tcp
set service nat rule 2 type destination

set service nat rule 3
set service nat rule 3 destination address 84.xxx.xxx.123
set service nat rule 3 destination port 443
set service nat rule 3 inbound-interface eth1
set service nat rule 3 inside-address address 192.168.0.42
set service nat rule 3 inside-address port 443
set service nat rule 3 protocol tcp
set service nat rule 3 source address 192.168.0.0/24
set service nat rule 3 type destination

set service nat rule 4
set service nat rule 4 destination address 192.168.0.42
set service nat rule 4 destination port 443
set service nat rule 4 outbound-interface eth1
set service nat rule 4 protocol tcp
set service nat rule 4 source address 192.168.0.0/24
set service nat rule 4 type masquerade


This forwards port 443 to my web server and also makes it possible to use the external IP (in this case 84.xxx.xxx.123) from inside the LAN.
Thanks man! :)
shad (Forum Newbie, Joined: 21 Jan 2009, Posts: 3)
Posted: Fri Jan 23, 2009 11:43 am

Here is my working config before adding any reflection rules. Please let me know if I have something wrong even before I add the rules.

Thanks,

Dave

Code:
firewall {
    broadcast-ping disable
    name ALLOW_ESTABLISHED {
        rule 10 {
            action accept
        }
    }
}
interfaces {
    ethernet eth0 {
        address 192.168.0.2/24
        description "LAN - Onboard"
        firewall {
            in {
                name ALLOW_ESTABLISHED
            }
            local {
                name ALLOW_ESTABLISHED
            }
        }
        hw-id 00:19:66:40:da:5c
    }
    ethernet eth1 {
        duplex auto
        hw-id 00:19:5b:fc:8e:e3
        pppoe 1 {
            default-route auto
            mtu 1440
            password ****************
            user-id ******
        }
    }
    ethernet eth2 {
        duplex auto
        hw-id 00:19:5b:fc:8e:e6
        pppoe 2 {
            default-route auto
            mtu 1440
            password ****************
            user-id *****
        }
    }
    ethernet eth3 {
        duplex auto
        hw-id 00:19:5b:fc:8f:c0
        pppoe 3 {
            default-route auto
            mtu 1440
            password ****************
            user-id *****
        }
    }
    loopback lo {
    }
}
load-balancing {
    wan {
        interface-health pppoe1 {
            failure-count 5
            nexthop 209.183.xxx.10
            ping 199.166.6.4
        }
        interface-health pppoe2 {
            failure-count 4
            nexthop 209.183.xxx.10
            ping 199.166.6.4
        }
        interface-health pppoe3 {
            failure-count 3
            nexthop 209.183.xxx.10
            ping 199.166.6.4
        }
        rule 10 {
            inbound-interface eth0
            interface pppoe1 {
                weight 1
            }
            interface pppoe2 {
                weight 1
            }
            interface pppoe3 {
                weight 1
            }
        }
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 209.183.xxx.10 {
            }
        }
    }
}
service {
    nat {
        rule 10 {
            description "Backup MX SMTP out to internet"
            outbound-interface pppoe1
            outside-address {
                address 216.75.xxx.103
            }
            protocol tcp
            source {
                address 192.168.0.12
                port 25
            }
            type source
        }
        rule 11 {
            description "Backup MX SMTP inbound to neptune"
            destination {
                address 216.75.xxx.103
                port smtp
            }
            inbound-interface pppoe1
            inside-address {
                address 192.168.0.12
            }
            protocol tcp
            type destination
        }
        rule 12 {
            description "Secure Remote Access"
            destination {
                port 2222
            }
            inbound-interface pppoe+
            inside-address {
                address 192.168.0.1
            }
            protocol tcp
            type destination
        }
        rule 13 {
            description "DNS"
            destination {
                port domain
            }
            inbound-interface pppoe+
            inside-address {
                address 192.168.0.1
            }
            protocol udp
            type destination
        }
        rule 14 {
            description "email to Mars"
            destination {
                address 209.183.xxx.45
                port 25
            }
            inbound-interface pppoe2
            inside-address {
                address 192.168.0.11
                port 2525
            }
            protocol tcp
            type destination
        }
        rule 15 {
            description "email to Mars"
            destination {
                address 216.75.xxx.131
                port 25
            }
            inbound-interface pppoe3
            inside-address {
                address 192.168.0.11
                port 2525
            }
            protocol tcp
            type destination
        }
        rule 16 {
            description "FTP"
            destination {
                port 21
            }
            inbound-interface pppoe+
            inside-address {
                address 192.168.0.12
            }
            protocol tcp
            type destination
        }
        rule 17 {
            description "Web Site"
            destination {
                port 80
            }
            inbound-interface pppoe+
            inside-address {
                address 192.168.0.12
                port 8080
            }
            protocol tcp
            type destination
        }
        rule 18 {
            description "Remote Assistance"
            destination {
                port 6900
            }
            inbound-interface pppoe+
            inside-address {
                address 192.168.0.13
            }
            protocol tcp
            type destination
        }
        rule 19 {
            description RSBU
            destination {
                port 2774,31024-32048
            }
            inbound-interface pppoe+
            inside-address {
                address 192.168.0.252
            }
            protocol tcp
            type destination
        }
        rule 20 {
            description "OCS Inventory"
            destination {
                port 8888
            }
            inbound-interface pppoe+
            inside-address {
                address 192.168.0.12
            }
            protocol tcp
            type destination
        }
        rule 21 {
            description "IMAP and SSL"
            destination {
                port 143,443
            }
            inbound-interface pppoe+
            inside-address {
                address 192.168.0.11
            }
            protocol tcp
            type destination
        }
        rule 22 {
            description ESET
            destination {
                port 22221,22222,22846
            }
            inbound-interface pppoe+
            inside-address {
                address 192.168.0.12
            }
            protocol tcp
            type destination
        }
        rule 23 {
            description "Client Intranet"
            destination {
                port 9999
            }
            inbound-interface pppoe+
            inside-address {
                address 192.168.0.12
            }
            protocol tcp
            type destination
        }
        rule 24 {
            description "Standards Updater"
            destination {
                port 873
            }
            inbound-interface pppoe+
            inside-address {
                address 192.168.0.9
            }
            protocol tcp
            type destination
        }
    }
    ssh {
        allow-root false
    }
}
system {
    domain-name aplus.local
    gateway-address 209.183.xxx.10
    host-name router
    login {
        user root {
            authentication {
                encrypted-password ****************
            }
        }
        user vyatta {
            authentication {
                encrypted-password ****************
            }
        }
    }
    name-server 199.166.6.4
    ntp-server 69.59.150.135
    package {
        auto-sync 1
        repository community {
            components main
            distribution stable
            url http://packages.vyatta.com/vyatta
        }
    }
    time-zone "New York"
}
hslabbert (Active Member, Joined: 18 Mar 2009, Posts: 33)
Posted: Sat Apr 11, 2009 6:49 pm    Post subject: More generic MASQ rule?

Hi John,

I was just looking at the second rule you have there for the masquerade portion. Would it not be possible to make that rule a bit more generic?

Instead of:

Code:
 destination {
     address 192.168.1.100
     port 80
 }
 outbound-interface eth1
 protocol tcp
 source {
     address 192.168.1.0/24
 }
 type masquerade


Couldn't you instead do:

Code:
 destination {
     address 192.168.1.0/24
 }
 outbound-interface eth1
 protocol tcp
 source {
     address 192.168.1.0/24
 }
 type masquerade


The idea there being that if you have multiple services or servers for which you would want to provide this type of reflexive configuration, you don't need a separate MASQ rule for each of those, but rather only a separate DNAT rule instead?

It looks like a fairly safe rule to my mind (and does appear to work as expected in a test environment), as LAN machines should not be intentionally going to the router if they know that their final destination is on their own LAN, and so we should only be catching these reflexive cases with that rule.

Any thoughts on that or any unforeseen consequences with making that rule more generic as described above?
john.southworth (Super User, Joined: 26 Feb 2008, Posts: 302)
Posted: Sat Apr 11, 2009 8:00 pm
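The two-rule procedure john.southworth posted earlier in the thread, and hslabbert's generic masquerade variant just above, walked through as an added Python model. This is example code written for this page, not Vyatta's code and not from any poster: it pushes one TCP SYN from a LAN workstation to the router's public address through prerouting DNAT, routing, and postrouting masquerade, then checks whether the server's reply can reach the socket that sent the SYN. Assumptions: the router's eth1 (LAN) address is 192.168.1.1, eth0 is the WAN side, rules are plain dicts, and the WAN-facing forward (`DNAT_WAN`), the external client 203.0.113.5 and the second service on 192.168.1.101:443 are constructed for the example.

```python
"""Model of the hairpin (reflected) NAT flow discussed in this thread.

Added example, not Vyatta's code. Assumptions: router eth1 (LAN) address
192.168.1.1, eth0 is the WAN side, rules are plain dicts; DNAT_WAN and the
192.168.1.101:443 service are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, replace

LAN = ipaddress.ip_network("192.168.1.0/24")
ROUTER_LAN_IP = "192.168.1.1"   # assumed address of eth1
ROUTER_WAN_IP = "20.1.1.1"      # public address from the thread
SERVER = "192.168.1.100"
WORKSTATION = "192.168.1.200"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    iface: str = ""  # interface the packet arrived on (or leaves by)


def in_net(addr, match):
    """True if addr matches 'match' (None = any, a host, or a CIDR prefix)."""
    return match is None or ipaddress.ip_address(addr) in ipaddress.ip_network(match, strict=False)


def route(dst):
    """Tiny FIB: the LAN prefix is on eth1, everything else goes out eth0 (WAN)."""
    return "eth1" if ipaddress.ip_address(dst) in LAN else "eth0"


# john.southworth's two rules, written as dicts.
DNAT_RULE = dict(type="destination", inbound="eth1", src=str(LAN),
                 dst=ROUTER_WAN_IP, dport=80, inside=(SERVER, 80))
MASQ_RULE = dict(type="masquerade", outbound="eth1", src=str(LAN),
                 dst=SERVER, dport=80)
# hslabbert's generic variant: match the whole LAN prefix, any port.
MASQ_GENERIC = dict(type="masquerade", outbound="eth1", src=str(LAN),
                    dst=str(LAN), dport=None)
# Constructed for the example: the ordinary WAN-side port forward, and a
# second published service on another LAN host.
DNAT_WAN = dict(type="destination", inbound="eth0", src=None,
                dst=ROUTER_WAN_IP, dport=80, inside=(SERVER, 80))
DNAT_443 = dict(type="destination", inbound="eth1", src=str(LAN),
                dst=ROUTER_WAN_IP, dport=443, inside=("192.168.1.101", 443))


def _matches(r, pkt):
    return (in_net(pkt.src, r["src"]) and in_net(pkt.dst, r["dst"])
            and (r["dport"] is None or pkt.dport == r["dport"]))


def forward(pkt, rules):
    """Return the packet as the next hop sees it, with iface set to the egress.

    Order mirrors netfilter: DNAT in PREROUTING (matched on the inbound
    interface and the original destination), then routing, then masquerade
    in POSTROUTING (matched on the outbound interface and the already
    translated destination).
    """
    for r in rules:
        if r["type"] == "destination" and pkt.iface == r["inbound"] and _matches(r, pkt):
            pkt = replace(pkt, dst=r["inside"][0], dport=r["inside"][1])
            break
    egress = route(pkt.dst)
    for r in rules:
        if r["type"] == "masquerade" and egress == r["outbound"] and _matches(r, pkt):
            pkt = replace(pkt, src=ROUTER_LAN_IP)
            break
    return replace(pkt, iface=egress)


def hairpin_works(rules, dport=80):
    """True if a LAN workstation talking to the public IP gets a usable reply."""
    syn = Packet(WORKSTATION, ROUTER_WAN_IP, 40000, dport, iface="eth1")
    at_server = forward(syn, rules)
    # The server answers whatever source address and port it saw.
    reply = Packet(at_server.dst, at_server.src, at_server.dport, at_server.sport)
    if reply.dst == ROUTER_LAN_IP:
        # Reply transits the router; connection tracking undoes both
        # translations before the packet is delivered to the workstation.
        reply = Packet(ROUTER_WAN_IP, WORKSTATION, dport, syn.sport)
    # Otherwise the server delivers straight across the LAN and the router
    # never sees the reply. The workstation only accepts a segment that comes
    # from the address and port it connected to.
    return (reply.src, reply.sport, reply.dst, reply.dport) == (ROUTER_WAN_IP, dport, WORKSTATION, syn.sport)


def source_seen_by_server(rules, client, iface):
    """Source address the server logs for a client arriving on the given interface."""
    return forward(Packet(client, ROUTER_WAN_IP, 50000, 80, iface=iface), rules).src


if __name__ == "__main__":
    print("DNAT + MASQ:      ", hairpin_works([DNAT_RULE, MASQ_RULE]))                       # True
    print("DNAT only:        ", hairpin_works([DNAT_RULE]))                                  # False
    print("generic MASQ, 443:", hairpin_works([DNAT_RULE, DNAT_443, MASQ_GENERIC], 443))     # True
    print("external client:  ", source_seen_by_server([DNAT_WAN, DNAT_RULE, MASQ_RULE], "203.0.113.5", "eth0"))
```

The DNAT-only run is the asymmetric path: the SYN reaches the server through the router, but the SYN-ACK goes straight across the LAN from 192.168.1.100, and the workstation, which connected to 20.1.1.1, has no socket for it. The masquerade rule fixes that by forcing the reply back through the router, at the cost that the server now logs the router's LAN address instead of the workstation's; the `source 192.168.1.0/24` match is what keeps that loss of the real client address confined to reflected LAN flows, so clients arriving from the WAN still show up with their own address. The generic variant behaves the same way for any forwarded service without a per-service masquerade rule, and only matches reflected flows because ordinary LAN-to-LAN traffic never transits the router.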

That should work fine.

I haven't tested it, but I don't see why it shouldn't work (I'll have to play with it in a lab and see what happens).
hslabbert (Active Member, Joined: 18 Mar 2009, Posts: 33)
Posted: Sat Apr 11, 2009 8:05 pm

Cool; thanks.
geejay (Forum Newbie, Joined: 23 Aug 2009, Posts: 3)
Posted: Fri Sep 25, 2009 1:58 am

I tried the above configuration with load balancing and it didn't work.

The router locked up completely.

Is there anything to observe when doing NAT reflection with load balancing ?

Thanks

Geejay
All times are GMT - 8 Hours