nat reflection

Viewing 9 posts - 31 through 39 (of 39 total)
  • #45427
    gordonf
    Member

    @matth wrote:

    Has anyone been able to make this work with dynamic WAN addresses?

    I was just thinking about this one…

    ZS 3.0.0 still requires this kind of post-boot scripting if you want NAT reflection (hair-pinning) to work and still correctly log external and internal IP addresses:

    iptables -t nat -A PREROUTING -d pub.ip.ad.dr -p tcp --dport 80 -j DNAT --to internal.ip.ad.dr
    iptables -t nat -A POSTROUTING -s internal.ip.subnet.0/24 -p tcp --dport 80 -d internal.ip.ad.dr -j MASQUERADE

    …but since this is a script, I wondered if it were possible to retrieve the external IPv4 address and store it as an environment variable. I know ‘ifconfig’ retrieves interface info but it’s a lot of info at once, and I’m no regex guru.

    But, in your Startup / Cron NAT and Virtual Servers script, if you’re clever with ifconfig and regex, you can extract your IP addresses and store them as environment variables. Then you can modify the above script thusly:

    ifconfig > /tmp/ifconfig-out.txt
    (insert magic IP extractor here that saves IPs to $ETHxxIPv4)
    iptables -t nat -A PREROUTING -d $ETHxxIPv4 -p tcp --dport 80 -j DNAT --to internal.ip.ad.dr
    iptables -t nat -A POSTROUTING -s internal.ip.subnet.0/24 -p tcp --dport 80 -d internal.ip.ad.dr -j MASQUERADE

    “ETHxxIPv4” would contain the IP for each interface where “xx” is the interface number. The information might already be available in some file somewhere.
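As an added example (not gordonf's code and not part of ZeroShell), here is one way to fill in the "magic IP extractor" step of the Startup / Cron "NAT and Virtual Servers" script: it pulls an interface's IPv4 address out of ifconfig output with awk and builds the DNAT and MASQUERADE rules from it. The interface names, addresses and the embedded ifconfig sample are constructed assumptions; on the router, set USE_SAMPLE=0 to read the real ifconfig and APPLY=1 to execute the rules instead of printing them.

```shell
#!/bin/sh
# Constructed sample of net-tools style ifconfig output (not captured from a real box).
SAMPLE_IFCONFIG='ETH00     Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

ETH01     Link encap:Ethernet  HWaddr 00:11:22:33:44:66
          inet addr:203.0.113.10  Bcast:203.0.113.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
'

# iface_ipv4 IFCONFIG_TEXT IFACE -> prints the first IPv4 of IFACE (empty if none).
# Handles both "inet addr:X" (net-tools) and "inet X" (newer ifconfig) layouts.
iface_ipv4() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[^ \t]/ { cur = $1; sub(/:$/, "", cur) }   # non-indented line starts a new interface
        cur == want && $1 == "inet" {
            ip = $2; sub(/^addr:/, "", ip); print ip; exit
        }'
}

# hairpin_rules PUBLIC_IP LAN_CIDR SERVER_IP PORT -> prints the two rules from the post:
# DNAT on PREROUTING so the public address maps to the server, plus MASQUERADE on
# POSTROUTING so LAN clients get their replies back through the router.
hairpin_rules() {
    pub=$1; lan=$2; srv=$3; port=$4
    [ -n "$pub" ] || { echo "hairpin_rules: no public IP found, refusing to emit rules" >&2; return 1; }
    printf 'iptables -t nat -A PREROUTING -d %s -p tcp --dport %s -j DNAT --to %s:%s\n' "$pub" "$port" "$srv" "$port"
    printf 'iptables -t nat -A POSTROUTING -s %s -d %s -p tcp --dport %s -j MASQUERADE\n' "$lan" "$srv" "$port"
}

# WAN_IF, LAN subnet, server and port are assumed values; adjust for your own network.
main() {
    WAN_IF=${WAN_IF:-ETH01}
    if [ "${USE_SAMPLE:-1}" = 1 ]; then out=$SAMPLE_IFCONFIG; else out=$(ifconfig); fi
    ETH01IPv4=$(iface_ipv4 "$out" "$WAN_IF")
    rules=$(hairpin_rules "$ETH01IPv4" 192.168.0.0/24 192.168.0.145 8092) || return 1
    if [ "${APPLY:-0}" = 1 ]; then printf '%s\n' "$rules" | sh -e; else printf '%s\n' "$rules"; fi
}

main "$@"
```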

    #45428
    eight_ball
    Member

    Still a bit confused on this. If I have a static IP to the outside, say 208.75.9.204, and a web app running on an internal machine at 192.168.0.145 on port 8092. mywebsite.com resolves to the 208 addr. I want machines on the LAN to be able to hit 192.168.0.145:8092 by going to the mywebsite.com from the inside. I was trying to configure PAT through Router -> Virtual Server with:

    Interface: ANY
    IP: 208.75.904
    Port: 8092
    Remote Machine: 192.168.0.145
    Port: 8092

    But, it didn’t work. Did I completely botch the configuration? Am I even on the right track? Quite new to this…

    Thank you

    #45429
    redfive
    Participant

    If your server is in the same LAN as your devices (not so good; for such things it would be better to use a DMZ…), in addition to the rule in the ‘virtual server’ you also have to add a rule for POSTROUTING, as described in the post above by @gordonf, e.g. in ‘Setup’, ‘Scripts/Cron’, ‘NAT and Virtual Servers’:

    iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -p tcp --dport 8092 -d 192.168.0.145 -j MASQUERADE

    I used -I instead of -A in the rule; with -I the rule is inserted as the 1st one (so you are sure it will be executed, even if you have other rules…).
    This is needed because, if you try to reach the server via the public IP address but from within the same network, the server sees that the connection is coming from a host which belongs to its own network, so the server tries to respond directly (after an ARP request).
    Enable the script, then, via ssh:

    iptables -t nat -nvL POSTROUTING

    You should see the rule at the top of the chain…..
    You can also, rather than use the ssh, create a new job (‘Setup’, ‘Scripts/Cron’, ‘add job’ button), calling it eg ‘check postrouting’, insert the same command as above, and use the ‘test’ button (after the test, save …)
    Regards

    #45430
    reaperz
    Participant

    I still have not got it working.

    I am using this script under NAT/Virtual server:

    iptables -t nat -I POSTROUTING -s ***MY_INTERNAL_NET*** -p tcp --dport 80 -d ***SERVER_INTERNAL_IP*** -j MASQUERADE

    And under Router – Virtual Server I have:

    ANY/***MY_EXTERNAL_IP*** TCP 80 ***SERVER_INTERNAL_IP***

    Really, why is it this hard to get working?

    This should be just one checkbox in configuration…

    #45431
    redfive
    Participant

    Try by adding -o [output iface], if your internal interface is ETH00,

    iptables -t nat -I POSTROUTING -s ***MY_INTERNAL_NET*** -o ETH00 -p tcp --dport 80 -d ***SERVER_INTERNAL_IP*** -j MASQUERADE

    Regards

    #45432
    reaperz
    Participant

    Unfortunately still nothing. Added following line:

    iptables -t nat -I POSTROUTING -s ***MY_INTERNAL_NET*** -o BRIDGE01 -p tcp --dport 80 -d ***SERVER_INTERNAL_IP*** -j MASQUERADE

    Also added in Virtual server page:

    BRIDGE01 / ***MY_EXTERNAL_IP*** TCP 80 ***SERVER_INTERNAL_IP*** :80

    #45433
    gordonf
    Member

    I wouldn’t use both the virtual servers page and the post-boot script. The examples I use are just in the script. That might be part of the confusion as to why it isn’t working as expected.

    I started a Wiki a few months ago and have this article that explains NAT hairpinning:

    http://zswiki.pan-am.ca/wiki/NAT_Hairpin

    By the way, both of you (redfive and reaperz) have Admin accounts on this Wiki. Check your private messages for instructions and passwords, and change your passwords right away. You can do anything except make more admins.

    #45434
    pgbuz
    Participant

    @matth wrote:

    Has anyone been able to make this work with dynamic WAN addresses?

    HELP!

    Hope this can help:
    https://wiki.afm.co/display/PUBL/How+to+enable+loopback+on+a+NAT+with+Zeroshell

    I have a similar problem to solve
    https://www.zeroshell.org/forum/viewtopic.php?t=5746&highlight=

    #45435
    pgbuz
    Participant

    @pgbuz wrote:

    @matth wrote:

    Has anyone been able to make this work with dynamic WAN addresses?

    HELP!

    Hope this can help:
    https://wiki.afm.co/display/PUBL/How+to+enable+loopback+on+a+NAT+with+Zeroshell

    I have a similar problem to solve
    https://www.zeroshell.org/forum/viewtopic.php?t=5746&highlight=

    SOLVED!
    https://www.zeroshell.org/forum/viewtopic.php?t=5746&highlight=
