static NAT not working
This topic contains 13 replies, has 0 voices, and was last updated by mirza 8 years, 3 months ago.
October 12, 2010 at 12:43 pm #42683
Hi,
I have set up ZeroShell to NAT 1:1 and here is my configuration:
eth0: 213.184.165.1/28 (WAN)
eth1: 172.26.1.1 (LAN with DHCP & DNS)
I have some IPs which I need to NAT statically from WAN to LAN (213.184.165.10 -> 172.26.1.10). I've read about 1:1 NAT in ZeroShell but it's not working. The DHCP and DNS are working fine and giving leases to clients, and the clients have internet, but static NATting is not working.
I need the static NAT to work properly from WAN to LAN.
October 13, 2010 at 11:17 am #51178
Hello! Post here the configuration changes you have done so far that are not working. Also include the output of:
iptables -t nat -L -v
October 13, 2010 at 12:47 pm #51179
Hi ppalias, I've added the code iptables -t nat -L -v, but still it's not NATting.
Here is my configuration:

# for 1:1 natting
iptables -t nat -I PREROUTING 1 -d 87.101.232.36 -i ETH00 -j DNAT --to-destination 172.26.1.61
iptables -t nat -I PREROUTING 1 -d 87.101.232.37 -i ETH00 -j DNAT --to-destination 172.26.1.38
# for dhcp one to many
iptables -t nat -I PREROUTING 1 -d 87.101.232.34 -i ETH00 -j DNAT --to-destination 172.26.1.1
# for 1:1 natting
iptables -t nat -I POSTROUTING 1 -s 172.26.1.61 -o ETH00 -j SNAT --to-source 87.101.232.36
iptables -t nat -I POSTROUTING 1 -s 172.26.1.38 -o ETH00 -j SNAT --to-source 87.101.232.37
# for dhcp one to many
iptables -t nat -I POSTROUTING -s 172.26.1.0/24 -o ETH00 -j SNAT --to-source 87.101.232.34
iptables -t nat -L -v

My firewall settings:

Chain: INPUT   Policy Chain   Enabled
INPUT Rules
Seq  Input  Output  Description                                                                   Log  Active
1    ETH01  *       ACCEPT all opt -- in ETH01 out * 0.0.0.0/0 -> 0.0.0.0/0                       no
2    ETH02  *       ACCEPT all opt -- in ETH02 out * 0.0.0.0/0 -> 0.0.0.0/0                       no
3    *      *       ACCEPT all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED  no

Chain: FORWARD   Policy Chain   Enabled
FORWARD Rules
Seq  Input  Output  Description                                                                   Log  Active
1    ETH01  *       ACCEPT all opt -- in ETH01 out * 0.0.0.0/0 -> 0.0.0.0/0                       no
2    ETH02  *       ACCEPT all opt -- in ETH02 out * 0.0.0.0/0 -> 0.0.0.0/0                       no
3    *      *       ACCEPT all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED  no

My WAN settings:
ETH00 10Mb/s Half Duplex
Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev 10) UP
87.101.232.34 255.255.255.240
87.101.232.36 255.255.255.240
87.101.232.37 255.255.255.240

My LAN settings:
ETH01 100Mb/s Full Duplex
Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev 10) UP
172.26.1.1 255.255.255.0

Can you please help me find where I am wrong?
October 13, 2010 at 1:00 pm #51180
Sorry, I forgot to post the output of iptables -t nat -L -v.
Here it is:

root@gateway root> iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 224 packets, 15722 bytes)
 pkts bytes target prot opt in    out   source         destination
    0     0 DNAT   all  --  ETH00 any   anywhere       87.101.232.34  to:172.26.1.1
    0     0 DNAT   all  --  ETH00 any   anywhere       87.101.232.37  to:172.26.1.38
    0     0 DNAT   all  --  ETH00 any   anywhere       87.101.232.36  to:172.26.1.61

Chain POSTROUTING (policy ACCEPT 289 packets, 21092 bytes)
 pkts bytes target prot opt in    out   source         destination
    0     0 SNAT   all  --  any   ETH00 172.26.1.0/24  anywhere       to:87.101.232.34
    0     0 SNAT   all  --  any   ETH00 172.26.1.38    anywhere       to:87.101.232.37
    0     0 SNAT   all  --  any   ETH00 172.26.1.61    anywhere       to:87.101.232.36
  289 21092 SNATVS all  --  any   any   anywhere       anywhere

Chain OUTPUT (policy ACCEPT 289 packets, 21092 bytes)
 pkts bytes target prot opt in    out   source         destination

Chain SNATVS (1 references)
 pkts bytes target prot opt in    out   source         destination

October 13, 2010 at 1:09 pm #51181
A first mistake I found is that you SNAT and DNAT different things in the "one to many" rule. If in doubt use MASQUERADE, which is the default in these cases.
The rest seems ok, I suppose you have consulted the guide.

October 13, 2010 at 2:16 pm #51182
Hi ppalias, thanks for the reply. Let's keep all my settings except NAT and change my NAT settings to:

# for 1:1 natting
iptables -t nat -I PREROUTING 1 -d 87.101.232.36 -i ETH00 -j DNAT --to-destination 172.26.1.61
iptables -t nat -I PREROUTING 1 -d 87.101.232.37 -i ETH00 -j DNAT --to-destination 172.26.1.38
# for 1:1 natting
iptables -t nat -I POSTROUTING 1 -s 172.26.1.61 -o ETH00 -j SNAT --to-source 87.101.232.36
iptables -t nat -I POSTROUTING 1 -s 172.26.1.38 -o ETH00 -j SNAT --to-source 87.101.232.37

Even so it's not NATting one to one: I am able to ping outside, but from outside I am not able to SSH or HTTP to the real servers.
October 13, 2010 at 7:57 pm #51183
There is only one way to find out. Try to do something on these two servers: ssh, http, ping. Now normally, if all is correct, in the output of
iptables -t nat -L -v
the counters should rise. In the previous instance we can see that all counters are 0, except
  289 21092 SNATVS ...
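The two checks being applied in this thread, whether each 1:1 DNAT rule has an exact reverse SNAT (rather than being covered only by the network-wide "one to many" SNAT, which is what ppalias flagged) and whether the SNAT/DNAT packet counters ever move, can be scripted against the listing. The Python below is an added example, not code from the thread or from ZeroShell; the listing it parses is a constructed sample modelled on the output posted above, and the function names (parse_nat_listing, check_one_to_one, zero_counter_rules) are my own.

```python
"""Consistency checks for 1:1 NAT rules read from `iptables -t nat -L -v` output."""
import ipaddress
from dataclasses import dataclass


@dataclass
class NatRule:
    chain: str
    pkts: int
    target: str
    in_if: str
    out_if: str
    source: str
    destination: str
    to: str = ""  # address after "to:" on SNAT/DNAT rules, "" otherwise


# Constructed sample listing, modelled on the output posted in this thread.
SAMPLE_LISTING = """\
Chain PREROUTING (policy ACCEPT 224 packets, 15722 bytes)
 pkts bytes target prot opt in    out   source         destination
    0     0 DNAT   all  --  ETH00 any   anywhere       87.101.232.34  to:172.26.1.1
    0     0 DNAT   all  --  ETH00 any   anywhere       87.101.232.37  to:172.26.1.38
    0     0 DNAT   all  --  ETH00 any   anywhere       87.101.232.36  to:172.26.1.61
Chain POSTROUTING (policy ACCEPT 289 packets, 21092 bytes)
 pkts bytes target prot opt in    out   source         destination
    0     0 SNAT   all  --  any   ETH00 172.26.1.0/24  anywhere       to:87.101.232.34
    0     0 SNAT   all  --  any   ETH00 172.26.1.38    anywhere       to:87.101.232.37
    0     0 SNAT   all  --  any   ETH00 172.26.1.61    anywhere       to:87.101.232.36
  289 21092 SNATVS all  --  any   any   anywhere       anywhere
Chain OUTPUT (policy ACCEPT 289 packets, 21092 bytes)
 pkts bytes target prot opt in    out   source         destination
"""

_SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}


def parse_count(token):
    """Turn an iptables counter such as '289', '161K' or '24M' into an int."""
    if token[-1] in _SUFFIX:
        return int(float(token[:-1]) * _SUFFIX[token[-1]])
    return int(token)


def parse_nat_listing(text):
    """Parse every rule line of `iptables -t nat -L -v` output into NatRule objects."""
    rules, chain = [], None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "Chain":
            chain = tokens[1]
            continue
        if tokens[0] == "pkts":  # column header line
            continue
        # fixed columns: pkts bytes target prot opt in out source destination, then extras
        to = next((t[3:] for t in tokens[9:] if t.startswith("to:")), "")
        rules.append(NatRule(chain, parse_count(tokens[0]), tokens[2], tokens[5],
                             tokens[6], tokens[7], tokens[8], to))
    return rules


def _is_host(addr):
    """True when an address column names a single host rather than a network."""
    return "/" not in addr and addr != "anywhere"


def check_one_to_one(rules):
    """For every 1:1 DNAT rule, report whether the matching reverse SNAT exists.

    Returns {"<public>-><private>": status} where status is
      "ok"          an SNAT <private>-><public> exactly mirrors the DNAT,
      "asymmetric"  the private host is only covered by a network-wide SNAT,
                    so inbound and outbound NAT different things,
      "missing"     no SNAT rule applies to the private host at all.
    """
    dnats = [r for r in rules if r.target == "DNAT" and _is_host(r.destination)]
    snats = [r for r in rules if r.target == "SNAT"]
    report = {}
    for d in dnats:
        status = "missing"
        for s in snats:
            if s.source == d.to and s.to == d.destination:
                status = "ok"
                break
            if "/" in s.source and ipaddress.ip_address(d.to) in ipaddress.ip_network(s.source, strict=False):
                status = "asymmetric"
        report[f"{d.destination}->{d.to}"] = status
    return report


def zero_counter_rules(rules):
    """Return the SNAT/DNAT rules whose packet counter is still 0 (never matched)."""
    return [r for r in rules if r.target in ("SNAT", "DNAT") and r.pkts == 0]


if __name__ == "__main__":
    parsed = parse_nat_listing(SAMPLE_LISTING)
    for mapping, status in check_one_to_one(parsed).items():
        print(f"{mapping}: {status}")
    for r in zero_counter_rules(parsed):
        print(f"never matched: {r.chain} {r.target} {r.source} -> {r.destination} to:{r.to}")
```

Run against the sample, the 87.101.232.34 -> 172.26.1.1 mapping comes back "asymmetric" (its only reverse rule is the /24 SNAT), the two server mappings come back "ok", and all six SNAT/DNAT rules are reported as never matched, which is exactly the state the thread is trying to explain: the rules are consistent enough, but no traffic is reaching them.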
October 15, 2010 at 2:29 am #51184
DELETED
October 16, 2010 at 9:10 am #51185
Hi ppalias, here is the output. I am sorry to say the counter is 0. I tried NAT with my Cisco router and it's working fine, but with ZeroShell it is not. Maybe it is the version of ZeroShell (13 beta)? Or maybe some setting in the firewall which I am missing.

root@gateway root> iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 1358 packets, 161K bytes)
 pkts bytes target prot opt in    out   source         destination
    0     0 DNAT   all  --  ETH00 any   anywhere       87.101.232.37  to:172.26.1.38
    0     0 DNAT   all  --  ETH00 any   anywhere       87.101.232.36  to:172.26.1.61
   77 17118 Proxy  tcp  --  any   any   anywhere       anywhere       tcp dpt:http

Chain POSTROUTING (policy ACCEPT 699 packets, 51903 bytes)
 pkts bytes target prot opt in    out   source         destination
    0     0 SNAT   all  --  any   ETH00 172.26.1.38    anywhere       to:87.101.232.37
    0     0 SNAT   all  --  any   ETH00 172.26.1.61    anywhere       to:87.101.232.36
  699 51903 SNATVS all  --  any   any   anywhere       anywhere

Chain OUTPUT (policy ACCEPT 610 packets, 42365 bytes)
 pkts bytes target prot opt in    out   source         destination

Chain Proxy (1 references)
 pkts bytes target   prot opt in    out   source         destination
   77 17118 REDIRECT tcp  --  ETH01 any   anywhere       anywhere       redir ports 8080

Chain SNATVS (1 references)
 pkts bytes target prot opt in    out   source         destination

October 18, 2010 at 2:08 pm #51186
Rule 87.101.232.34 to:172.26.1.1 is not needed.
Post here the output of ifconfig -a
October 18, 2010 at 2:20 pm #51187
Here is the output of ifconfig -a:

root@gateway root> ifconfig -a
DEFAULTBR Link encap:Ethernet HWaddr CA:AA:DF:A1:7F:F3
          BROADCAST MULTICAST MTU:1500 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

ETH00     Link encap:Ethernet HWaddr 00:1F:1F:00:E9:A2
          UP BROADCAST MULTICAST MTU:1500 Metric:1
          RX packets:40866 errors:0 dropped:0 overruns:0 frame:0
          TX packets:41369 errors:22 dropped:0 overruns:0 carrier:44
          collisions:19 txqueuelen:1000
          RX bytes:25399791 (24.2 Mb) TX bytes:5736186 (5.4 Mb)
          Interrupt:21 Base address:0xdc00

ETH00:00  Link encap:Ethernet HWaddr 00:1F:1F:00:E9:A2
          inet addr:87.101.232.34 Bcast:87.101.232.47 Mask:255.255.255.240
          UP BROADCAST MULTICAST MTU:1500 Metric:1
          Interrupt:21 Base address:0xdc00

ETH00:01  Link encap:Ethernet HWaddr 00:1F:1F:00:E9:A2
          inet addr:87.101.232.36 Bcast:87.101.232.47 Mask:255.255.255.240
          UP BROADCAST MULTICAST MTU:1500 Metric:1
          Interrupt:21 Base address:0xdc00

ETH00:02  Link encap:Ethernet HWaddr 00:1F:1F:00:E9:A2
          inet addr:87.101.232.37 Bcast:87.101.232.47 Mask:255.255.255.240
          UP BROADCAST MULTICAST MTU:1500 Metric:1
          Interrupt:21 Base address:0xdc00

ETH01     Link encap:Ethernet HWaddr 00:21:27:C6:B8:61
          UP BROADCAST MULTICAST MTU:1500 Metric:1
          RX packets:30038 errors:0 dropped:0 overruns:0 frame:0
          TX packets:33629 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4530791 (4.3 Mb) TX bytes:19559554 (18.6 Mb)
          Interrupt:20 Base address:0xde00

ETH01:00  Link encap:Ethernet HWaddr 00:21:27:C6:B8:61
          inet addr:172.26.1.1 Bcast:172.26.1.255 Mask:255.255.255.0
          UP BROADCAST MULTICAST MTU:1500 Metric:1
          Interrupt:20 Base address:0xde00

ETH02     Link encap:Ethernet HWaddr 00:19:DB:53:22:7B
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:8015 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1962 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:725040 (708.0 Kb) TX bytes:667636 (651.9 Kb)
          Interrupt:23 Base address:0xda00

ETH02:00  Link encap:Ethernet HWaddr 00:19:DB:53:22:7B
          inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          Interrupt:23 Base address:0xda00

VPN99     Link encap:Ethernet HWaddr 00:FF:01:96:CE:01
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

VPN99:00  Link encap:Ethernet HWaddr 00:FF:01:96:CE:01
          inet addr:192.168.250.254 Bcast:192.168.250.255 Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

dummy0    Link encap:Ethernet HWaddr 16:7D:9B:D0:7C:07
          inet addr:192.168.141.142 Bcast:192.168.141.255 Mask:255.255.255.0
          BROADCAST NOARP MTU:1500 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

dummy1    Link encap:Ethernet HWaddr 76:1D:87:67:46:21
          inet addr:192.168.142.142 Bcast:192.168.142.255 Mask:255.255.255.255
          UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:5581 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5581 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:787948 (769.4 Kb) TX bytes:787948 (769.4 Kb)

October 18, 2010 at 2:56 pm #51188
I can't see anything wrong. I will try to test it in my lab system and see what could be wrong.
October 23, 2010 at 8:21 pm #51189
I regret to say that the counter is 0. I tried with my Cisco router and NAT works fine, but not with ZeroShell. Perhaps it is the beta version of ZeroShell 13? Or maybe some setting in the firewall that I miss.

October 27, 2010 at 12:49 pm #51190
Dear ppalias, any luck finding the problem?

October 27, 2010 at 1:45 pm #51191
Nope, I'm a little bit on the run due to a lot of work and chores; I never had the chance to test it so far.