static NAT not working


This topic contains 13 replies, has 0 voices, and was last updated by  mirza 8 years, 3 months ago.

    #42683

    mirza
    Member

    Hi,

    I had set up ZeroShell to do 1:1 NAT, and here is my configuration:

    eth0: 213.184.165.1/28 (WAN)

    eth1: 172.26.1.1 (LAN with DHCP & DNS)

    I have some IPs which I need to NAT statically from WAN to LAN
    (213.184.165.10 -> 172.26.1.10). I've read about 1:1 NAT in ZeroShell, but it's not working.

    Although DHCP and DNS are working fine, giving leases to clients, and the clients have internet, static NATting is not working.

    I need static NAT to work properly from WAN to LAN.

    #51178

    ppalias
    Member

    Hello! Post here the configuration changes you have done so far that are not working. Also include a

    iptables -t nat -L -v
    #51179

    mirza
    Member

    Hi ppalias, I've added the code iptables -t nat -L -v, but it's still not NATting.

    Here is my configuration:

    # for 1:1 NATting

    iptables -t nat -I PREROUTING 1 -d 87.101.232.36 -i ETH00 -j DNAT --to-destination 172.26.1.61
    iptables -t nat -I PREROUTING 1 -d 87.101.232.37 -i ETH00 -j DNAT --to-destination 172.26.1.38

    # for DHCP one to many

    iptables -t nat -I PREROUTING 1 -d 87.101.232.34 -i ETH00 -j DNAT --to-destination 172.26.1.1

    # for 1:1 NATting

    iptables -t nat -I POSTROUTING 1 -s 172.26.1.61 -o ETH00 -j SNAT --to-source 87.101.232.36
    iptables -t nat -I POSTROUTING 1 -s 172.26.1.38 -o ETH00 -j SNAT --to-source 87.101.232.37

    # for DHCP one to many
    iptables -t nat -I POSTROUTING -s 172.26.1.0/24 -o ETH00 -j SNAT --to-source 87.101.232.34

    iptables -t nat -L -v

    My firewall settings:

    Chain: INPUT Policy Chain
    Enabled
    INPUT Rules
    Seq Input Output Description Log Active
    1 ETH01 * ACCEPT all opt — in ETH01 out * 0.0.0.0/0 -> 0.0.0.0/0 no
    2 ETH02 * ACCEPT all opt — in ETH02 out * 0.0.0.0/0 -> 0.0.0.0/0 no
    3 * * ACCEPT all opt — in * out * 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED no

    Chain: FORWARD Policy Chain
    Enabled
    FORWARD Rules
    Seq Input Output Description Log Active
    1 ETH01 * ACCEPT all opt — in ETH01 out * 0.0.0.0/0 -> 0.0.0.0/0 no
    2 ETH02 * ACCEPT all opt — in ETH02 out * 0.0.0.0/0 -> 0.0.0.0/0 no
    3 * * ACCEPT all opt — in * out * 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED no

    My WAN settings:

    ETH00 10Mb/s Half Duplex
    Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev 10) UP

    87.101.232.34 255.255.255.240
    87.101.232.36 255.255.255.240
    87.101.232.37 255.255.255.240

    My LAN settings:

    ETH01 100Mb/s Full Duplex
    Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev 10) UP

    172.26.1.1 255.255.255.0

    Can you please help me find where I am wrong?

    #51180

    mirza
    Member

    Sorry, I forgot to post the output of iptables -t nat -L -v.

    Here it is:

    root@gateway root> iptables -t nat -L -v
    Chain PREROUTING (policy ACCEPT 224 packets, 15722 bytes)
    pkts bytes target prot opt in out source destination
    0 0 DNAT all -- ETH00 any anywhere 87.101.232.34 to:172.26.1.1
    0 0 DNAT all -- ETH00 any anywhere 87.101.232.37 to:172.26.1.38
    0 0 DNAT all -- ETH00 any anywhere 87.101.232.36 to:172.26.1.61

    Chain POSTROUTING (policy ACCEPT 289 packets, 21092 bytes)
    pkts bytes target prot opt in out source destination
    0 0 SNAT all -- any ETH00 172.26.1.0/24 anywhere to:87.101.232.34
    0 0 SNAT all -- any ETH00 172.26.1.38 anywhere to:87.101.232.37
    0 0 SNAT all -- any ETH00 172.26.1.61 anywhere to:87.101.232.36
    289 21092 SNATVS all -- any any anywhere anywhere

    Chain OUTPUT (policy ACCEPT 289 packets, 21092 bytes)
    pkts bytes target prot opt in out source destination

    Chain SNATVS (1 references)
    pkts bytes target prot opt in out source destination

    #51181

    ppalias
    Member

    A first mistake I found is that you SNAT and DNAT different things in “one to many” rule. If in doubt use MASQUERADE, which is the default in these cases.
    The rest seems ok, I suppose you have consulted the guide.
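
The mismatch ppalias points out (the SNAT and DNAT halves of the "one to many" rule naming different addresses) cannot happen when both halves of every mapping are generated from a single table. The script below is an added example for this thread, not code from the posts or from ZeroShell. It assumes the WAN interface name ETH00, the LAN network 172.26.1.0/24, the gateway address 172.26.1.1 and the public/private pairs quoted above; it only prints the iptables commands unless APPLY=1 is set. It also appends rules with -A rather than inserting each one at position 1 as the posted commands do: in the listing posted earlier, that insertion order left the catch-all 172.26.1.0/24 SNAT rule ahead of the host-specific ones in POSTROUTING, where it matches first.

```shell
#!/bin/sh
# Added example (not from the thread or ZeroShell): emit a consistent 1:1 NAT
# ruleset from one mapping table so the DNAT and SNAT halves can never disagree.
# Assumptions (hypothetical): WAN interface ETH00, LAN 172.26.1.0/24, gateway
# 172.26.1.1, and the public/private pairs quoted in the thread. Commands are
# printed, and executed only when APPLY=1 (run as root in that case).

WAN_IF="${WAN_IF:-ETH00}"
LAN_NET="${LAN_NET:-172.26.1.0/24}"
LAN_GW="${LAN_GW:-172.26.1.1}"   # the gateway's own LAN address, never a NAT target

# One mapping per line: "<public address> <private address>" (constructed sample).
NAT_MAP='87.101.232.36 172.26.1.61
87.101.232.37 172.26.1.38'

# run: print the command, execute it only in APPLY mode.
run() {
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

# validate_map: reject a table that would DNAT traffic to the gateway itself
# (like the "87.101.232.34 to:172.26.1.1" rule in the thread) or reuse an address.
validate_map() {
    printf '%s\n' "$NAT_MAP" | awk -v gw="$LAN_GW" '
        BEGIN              { bad = 0 }
        NF != 2            { print "bad line: " $0; bad = 1; next }
        $2 == gw           { print "refusing to DNAT to the gateway: " $0; bad = 1 }
        seen_pub[$1]++     { print "public address used twice: " $1; bad = 1 }
        seen_priv[$2]++    { print "private address used twice: " $2; bad = 1 }
        END                { exit bad }'
}

# gen_one_to_one PUB PRIV: both directions for one host, built from the same pair,
# so the address seen on the WAN side is identical inbound and outbound.
gen_one_to_one() {
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$1" -j DNAT --to-destination "$2"
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$2" -j SNAT --to-source "$1"
}

# gen_ruleset: host-specific 1:1 rules first, then a catch-all MASQUERADE for the
# rest of the LAN. POSTROUTING is walked top-down, so this order decides which
# source address a host leaves with; appending keeps it deterministic.
gen_ruleset() {
    validate_map || return 1
    printf '%s\n' "$NAT_MAP" | while read -r pub priv; do
        gen_one_to_one "$pub" "$priv"
    done
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# rule_count: how many iptables commands the table expands to (2 per mapping + 1).
rule_count() {
    gen_ruleset | grep -c '^iptables'
}

gen_ruleset
```

Review the printed commands first; then rerun with APPLY=1 on the gateway, and compare against iptables -t nat -L -v -n to confirm the host-specific SNAT rules sit above the MASQUERADE rule.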

    #51182

    mirza
    Member

    Hi ppalias, thanks for the reply. Let's keep all my settings except NAT and change my NAT settings to:

    # for 1:1 NATting

    iptables -t nat -I PREROUTING 1 -d 87.101.232.36 -i ETH00 -j DNAT --to-destination 172.26.1.61
    iptables -t nat -I PREROUTING 1 -d 87.101.232.37 -i ETH00 -j DNAT --to-destination 172.26.1.38

    # for 1:1 NATting

    iptables -t nat -I POSTROUTING 1 -s 172.26.1.61 -o ETH00 -j SNAT --to-source 87.101.232.36
    iptables -t nat -I POSTROUTING 1 -s 172.26.1.38 -o ETH00 -j SNAT --to-source 87.101.232.37

    Even so, it's not NATting one to one: I am able to ping outside, but from outside I am not able to SSH or HTTP to the real servers.

    #51183

    ppalias
    Member

    There is only one way to find out. Try to do something on these two servers; ssh, http, ping. Now normally if all is correct with the

    iptables -t nat -L -v

    the counters should rise. In the previous instance we can see that all counters are 0, except

    289 21092 SNATVS...
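
The check ppalias describes (exercise SSH, HTTP or ping against the servers, then see whether the NAT counters move) can be scripted rather than read by eye. The snippet below is an added example, not from the thread; it parses the listing format of iptables -t nat -L -v shown in the posts, carries a constructed sample modelled on mirza's output so it runs offline, and assumes that DNAT and SNAT are the only targets of interest.

```shell
#!/bin/sh
# Added example (not from the thread): list NAT rules whose packet counter is still 0
# after traffic was sent, i.e. rules the kernel never matched. Feed it the output of
#   iptables -t nat -L -v -n -x
# (-n avoids DNS lookups, -x prints exact counters instead of 1358K-style suffixes).

# Constructed sample, modelled on the listing posted in the thread.
SAMPLE='Chain PREROUTING (policy ACCEPT 1358 packets, 161K bytes)
 pkts bytes target prot opt in out source destination
 0 0 DNAT all -- ETH00 any anywhere 87.101.232.37 to:172.26.1.38
 0 0 DNAT all -- ETH00 any anywhere 87.101.232.36 to:172.26.1.61
 77 17118 Proxy tcp -- any any anywhere anywhere tcp dpt:http

Chain POSTROUTING (policy ACCEPT 699 packets, 51903 bytes)
 pkts bytes target prot opt in out source destination
 0 0 SNAT all -- any ETH00 172.26.1.38 anywhere to:87.101.232.37
 0 0 SNAT all -- any ETH00 172.26.1.61 anywhere to:87.101.232.36
 699 51903 SNATVS all -- any any anywhere anywhere'

# idle_nat_rules: read a listing on stdin and print "CHAIN TARGET IN OUT SRC DST EXTRA"
# for every DNAT/SNAT rule whose packet counter is zero.
idle_nat_rules() {
    awk '
        /^Chain /                          { chain = $2; next }
        NF == 0 || $1 == "pkts"            { next }
        ($3 == "DNAT" || $3 == "SNAT") && $1 == 0 {
            print chain, $3, $6, $7, $8, $9, $10
        }'
}

# idle_count: number of never-matched NAT rules in the listing on stdin.
idle_count() {
    idle_nat_rules | grep -c .
}

# Reading the result: a DNAT rule restricted with "-i ETH00" that stays at 0 while a
# client is connecting means the packets never entered PREROUTING on that interface
# (confirm with: tcpdump -ni ETH00 host <public ip>) or an earlier rule took them.
printf '%s\n' "$SAMPLE" | idle_nat_rules
```

On the gateway, replace the sample with live data: iptables -t nat -L -v -n -x | idle_nat_rules, run once before and once after connecting from outside, so that a rule still listed afterwards is the one to investigate.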
    #51184

    Anonymous
    Member

    DELETED

    #51185

    mirza
    Member

    Hi ppalias, here is the output. I am sorry to say the counter is 0. I tried NAT with my Cisco router and it's working fine, but with ZeroShell it's not. Maybe it is the version of ZeroShell, 13 beta? Or maybe some setting in the firewall which I am missing.

    root@gateway root> iptables -t nat -L -v
    Chain PREROUTING (policy ACCEPT 1358 packets, 161K bytes)
    pkts bytes target prot opt in out source destination
    0 0 DNAT all -- ETH00 any anywhere 87.101.232.37 to:172.26.1.38
    0 0 DNAT all -- ETH00 any anywhere 87.101.232.36 to:172.26.1.61
    77 17118 Proxy tcp -- any any anywhere anywhere tcp dpt:http

    Chain POSTROUTING (policy ACCEPT 699 packets, 51903 bytes)
    pkts bytes target prot opt in out source destination
    0 0 SNAT all -- any ETH00 172.26.1.38 anywhere to:87.101.232.37
    0 0 SNAT all -- any ETH00 172.26.1.61 anywhere to:87.101.232.36
    699 51903 SNATVS all -- any any anywhere anywhere

    Chain OUTPUT (policy ACCEPT 610 packets, 42365 bytes)
    pkts bytes target prot opt in out source destination

    Chain Proxy (1 references)
    pkts bytes target prot opt in out source destination
    77 17118 REDIRECT tcp -- ETH01 any anywhere anywhere redir ports 8080

    Chain SNATVS (1 references)
    pkts bytes target prot opt in out source destination

    #51186

    ppalias
    Member

    Rule 87.101.232.34 to:172.26.1.1 is not needed.
    Post here the output of

    ifconfig -a
    #51187

    mirza
    Member

    Here is the output of ifconfig -a:

    root@gateway root> ifconfig -a
    DEFAULTBR Link encap:Ethernet HWaddr CA:AA:DF:A1:7F:F3
    BROADCAST MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

    ETH00 Link encap:Ethernet HWaddr 00:1F:1F:00:E9:A2
    UP BROADCAST MULTICAST MTU:1500 Metric:1
    RX packets:40866 errors:0 dropped:0 overruns:0 frame:0
    TX packets:41369 errors:22 dropped:0 overruns:0 carrier:44
    collisions:19 txqueuelen:1000
    RX bytes:25399791 (24.2 Mb) TX bytes:5736186 (5.4 Mb)
    Interrupt:21 Base address:0xdc00

    ETH00:00 Link encap:Ethernet HWaddr 00:1F:1F:00:E9:A2
    inet addr:87.101.232.34 Bcast:87.101.232.47 Mask:255.255.255.240
    UP BROADCAST MULTICAST MTU:1500 Metric:1
    Interrupt:21 Base address:0xdc00

    ETH00:01 Link encap:Ethernet HWaddr 00:1F:1F:00:E9:A2
    inet addr:87.101.232.36 Bcast:87.101.232.47 Mask:255.255.255.240
    UP BROADCAST MULTICAST MTU:1500 Metric:1
    Interrupt:21 Base address:0xdc00

    ETH00:02 Link encap:Ethernet HWaddr 00:1F:1F:00:E9:A2
    inet addr:87.101.232.37 Bcast:87.101.232.47 Mask:255.255.255.240
    UP BROADCAST MULTICAST MTU:1500 Metric:1
    Interrupt:21 Base address:0xdc00

    ETH01 Link encap:Ethernet HWaddr 00:21:27:C6:B8:61
    UP BROADCAST MULTICAST MTU:1500 Metric:1
    RX packets:30038 errors:0 dropped:0 overruns:0 frame:0
    TX packets:33629 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:4530791 (4.3 Mb) TX bytes:19559554 (18.6 Mb)
    Interrupt:20 Base address:0xde00

    ETH01:00 Link encap:Ethernet HWaddr 00:21:27:C6:B8:61
    inet addr:172.26.1.1 Bcast:172.26.1.255 Mask:255.255.255.0
    UP BROADCAST MULTICAST MTU:1500 Metric:1
    Interrupt:20 Base address:0xde00

    ETH02 Link encap:Ethernet HWaddr 00:19:DB:53:22:7B
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:8015 errors:0 dropped:0 overruns:0 frame:0
    TX packets:1962 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:725040 (708.0 Kb) TX bytes:667636 (651.9 Kb)
    Interrupt:23 Base address:0xda00

    ETH02:00 Link encap:Ethernet HWaddr 00:19:DB:53:22:7B
    inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    Interrupt:23 Base address:0xda00

    VPN99 Link encap:Ethernet HWaddr 00:FF:01:96:CE:01
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

    VPN99:00 Link encap:Ethernet HWaddr 00:FF:01:96:CE:01
    inet addr:192.168.250.254 Bcast:192.168.250.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

    dummy0 Link encap:Ethernet HWaddr 16:7D:9B:D0:7C:07
    inet addr:192.168.141.142 Bcast:192.168.141.255 Mask:255.255.255.0
    BROADCAST NOARP MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

    dummy1 Link encap:Ethernet HWaddr 76:1D:87:67:46:21
    inet addr:192.168.142.142 Bcast:192.168.142.255 Mask:255.255.255.255
    UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:5581 errors:0 dropped:0 overruns:0 frame:0
    TX packets:5581 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:787948 (769.4 Kb) TX bytes:787948 (769.4 Kb)

    #51188

    ppalias
    Member

    I can’t see anything wrong. Will try to test it in my lab system and see what could be wrong.

    #51189

    I regret to say that the counter is 0. I tried with my Cisco NAT router and it works fine, but not with ZeroShell. Perhaps it is the beta version of ZeroShell 13? Or maybe some setting in the firewall that I am missing.

    #51190

    mirza
    Member

    Dear ppalias, any luck finding the problem?

    #51191

    ppalias
    Member

    Nope, I’m a little bit on the run due to a lot of work and chores, never had the chance to test it so far.
