Gentoo Forums
Forum Index > Networking & Security
Gentoo Firewalling and DNAT

splooge | l33t | Joined: 30 Aug 2002 | Posts: 636
Posted: Wed Jan 01, 2003 11:33 pm    Subject: Gentoo Firewalling and DNAT

I've asked this question before in another thread, but I think I used some terms that may have shied people away from answering the question, or I didn't get the answer I was looking for, so I will try to put it in different terms.

Basically, I really need to know if this is just *feasible.*

I have a full T1 line to the internet. It is currently unfirewalled. We run multiple web servers, mail servers, and terminal servers. We've got a block of 32 IP addresses (29 +1 for the gateway, +1 for the network, and +1 for the broadcast address)

Basically, I would like to plug the T1 line in straight from the ethernet port on the router directly to the ethernet port in my Gentoo box, and have gentoo manage every single 'public' IP. Say, my eth0 card would be assigned 123.456.789.2 through .30 (all 29 addresses).

The machines that once had public IP addresses will now have private addresses and will be put behind the firewall on (let's say) eth1.

I guess my question is this: can iptables handle DNATing (Is this what I want?) multiple inbound public IP addresses to multiple internal private addresses? For example:

123.456.789.2 --> Gentoo --> DNAT All ports to 10.1.1.2
123.456.789.3 --> Gentoo --> DNAT All ports to 10.1.1.3
123.456.789.4 --> Gentoo --> DNAT All ports to 10.1.1.4

And if so could someone give me an example of the correct iptables syntax that I would need to use? (or a close version, I can probably figure it out if I just see a couple lines for this)

(I'll crank down the ports later, and add source-based (?) firewalling which only allows packets in from certain hosts, but that's for another time) We believe one of our ex employees (the old sysadmin) who went to work for the competition still has access to our pricing database, etc., and is doing who knows what with it.
m.mascherpa | Bodhisattva | Joined: 22 May 2002 | Posts: 139 | Location: italy
Posted: Wed Jan 01, 2003 11:44 pm

Yes.

iptables can handle this kind of situation.
A "raw" command would be:

iptables -t nat -A PREROUTING -p tcp -d <public address> -j DNAT --to <private address>

Please note that this is a VERY SIMPLE behaviour and you might want
to set up your network in a more secure way.

Take a look at the iptables documentation; it should clarify
everything about the command I just wrote.

I also suggest you have a look at some security and router configuration
docs.

Have fun! :)
_________________
mush keeps the dream alive
ronmon | Veteran | Joined: 15 Apr 2002 | Posts: 1043 | Location: Key West, FL
Posted: Thu Jan 02, 2003 12:03 am

Your current setup is like walking around a leather bar with your pants around your ankles. Someone is likely to see it as an invitation and take you up on your offer. :)

Really though, what you have described is SNAT, or Source NAT. I do a little of it on my home network for ntp, ssh, etc., but I cheat and use shorewall to configure my iptables. A quick google search turned up this tidbit on the subject. I'm sure there's plenty more. Google is your friend.
splooge | l33t | Joined: 30 Aug 2002 | Posts: 636
Posted: Thu Jan 02, 2003 12:32 am

Yeah, I understand what the network looks like. And yes, after I make sure it works with all the ports open I will start only keeping selective ports open. Anyways, so, I have to use a combination of SNAT and DNAT to achieve this? Is this what I'm hearing? Source NAT to get out, Destination NAT to get in?

# this lets me in?
iptables -t nat -A PREROUTING -d 123.456.789.2 -j DNAT --to 10.1.1.2
#this lets me out?
iptables -t nat -A POSTROUTING -s 10.1.1.2 -j SNAT --to 123.456.789.2
#then rinse and repeat for every public ip I want mapped internally?
iptables -t nat -A PREROUTING -d 123.456.789.3 -j DNAT --to 10.1.1.3
iptables -t nat -A POSTROUTING -s 10.1.1.3 -j SNAT --to 123.456.789.3

Is that correct?
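As an added example (not code from the thread or from any of the posters), here is the per-host DNAT/SNAT pair sketched in the post above, generated for a whole address block together with the FORWARD rules that have to accompany it: the nat table only rewrites addresses, and the filter table still decides whether the rewritten packet is forwarded at all. Each mapping may carry an optional TCP port list, which is the per-port form securiteaze shows further down the thread and the "crank down the ports later" step. The interface names, the 203.0.113.0/27 block, the 10.1.1.0/24 LAN and the mapping list are placeholders (the thread's 123.456.789.x is not a valid IPv4 address). With IPTABLES unset the script only prints the commands for review.

```shell
#!/bin/sh
# Added example, not code from the thread: generate a 1:1 NAT rule set for a
# block of public addresses, each mapped onto one internal host.
# Assumptions (placeholders, not from the page): eth0 faces the T1 router,
# eth1 the LAN, public block 203.0.113.0/27, LAN 10.1.1.0/24.
# Unset IPTABLES/IPCMD print the commands; IPTABLES=iptables IPCMD=ip applies them.

IPTABLES="${IPTABLES:-echo iptables}"
IPCMD="${IPCMD:-echo ip}"
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
PUBLIC_PREFIX="${PUBLIC_PREFIX:-27}"   # a 32-address block, as in the post

# One mapping per line: <public-ip> <internal-ip> [tcp-ports]
# No port list forwards every port and protocol (the post's first goal);
# a comma-separated list narrows both the DNAT and the FORWARD rule to
# those TCP ports.
MAPPINGS='
203.0.113.2 10.1.1.2
203.0.113.3 10.1.1.3 25,143
203.0.113.4 10.1.1.4 80,443
'

nat_rules() {
    # Forwarding is default-deny: only traffic matched below crosses the box.
    $IPTABLES -P FORWARD DROP
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts may open outbound connections; the SNAT rules below give
    # each one its own public source address so the mapping is symmetric.
    $IPTABLES -A FORWARD -i "$INT_IF" -o "$EXT_IF" -m state --state NEW -j ACCEPT

    printf '%s\n' "$MAPPINGS" | while read -r pub int ports; do
        if [ -z "$pub" ]; then continue; fi
        # The public address is configured on the external interface so the
        # router's ARP for it is answered by this box (one alias per address).
        $IPCMD addr add "${pub}/${PUBLIC_PREFIX}" dev "$EXT_IF"
        if [ -z "$ports" ]; then
            # All ports, all protocols. Matched on the destination address
            # only (no -i), so LAN clients using the public address hit it too.
            $IPTABLES -t nat -A PREROUTING -d "$pub" -j DNAT --to-destination "$int"
            $IPTABLES -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$int" -m state --state NEW -j ACCEPT
        else
            $IPTABLES -t nat -A PREROUTING -p tcp -d "$pub" -m multiport --dports "$ports" -j DNAT --to-destination "$int"
            $IPTABLES -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$int" -m multiport --dports "$ports" -m state --state NEW -j ACCEPT
        fi
        # Reverse direction: connections the host opens leave with its public IP.
        $IPTABLES -t nat -A POSTROUTING -o "$EXT_IF" -s "$int" -j SNAT --to-source "$pub"
    done
}

nat_rules
```

Two things to keep in mind when applying it. The rules are appended (-A), so run it against an empty FORWARD chain or an earlier DROP rule will shadow them. And an all-port DNAT means the firewall itself is no longer reachable on that public address at all, including for ICMP, so its own services (INPUT chain, not covered here) have to live on an address that is not mapped.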
splooge | l33t | Joined: 30 Aug 2002 | Posts: 636
Posted: Thu Jan 02, 2003 1:23 am

Ok I am having issues with this trying it on my home firewall:

Doing a portscan from my work machine to my firewall I get this (as expected):

(The 1534 ports scanned but not shown below are in state: filtered)
Port State Service
20/tcp closed ftp-data
21/tcp closed ftp
22/tcp open ssh
25/tcp open smtp
53/tcp closed domain
80/tcp open http
443/tcp open https
7002/tcp closed afs3-prserver

But then I add these lines to iptables for the SNAT and DNAT to point to my internal windows box:

iptables -t nat -A PREROUTING -d 67.120.26.98 -j DNAT --to 10.1.1.200
iptables -t nat -A POSTROUTING -s 10.1.1.200 -j SNAT --to 67.120.26.98

With those lines, I can browse the web from the internal machine (10.1.1.200), but when I portscan my public IP address from work it doesn't seem to be DNAT(?)ing to the internal box:

(The 1534 ports scanned but not shown below are in state: filtered)
Port State Service
20/tcp closed ftp-data
21/tcp closed ftp
22/tcp closed ssh
25/tcp closed smtp
53/tcp closed domain
80/tcp closed http
443/tcp closed https
7002/tcp closed afs3-prserver

What I was expecting to show up were the open ports on 10.1.1.200:

(The 1595 ports scanned but not shown below are in state: closed)
Port State Service
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1033/tcp open netinfo
5000/tcp open UPnP

What have I done wrong? =/ iptables -t nat -L shows:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       all  --  anywhere             67.120.26.98       to:10.1.1.200

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  mud                  anywhere           to:67.120.26.98

I'm losing hair =(
tryn | Guru | Joined: 21 Dec 2002 | Posts: 325 | Location: 39.885° N. -88.913° W.
Posted: Thu Jan 02, 2003 4:03 am

splooge wrote:
Ok I am having issues with this trying it on my home firewall:


Here are two places that might help you do what you want.
for dnat information
for snat information :D
splooge | l33t | Joined: 30 Aug 2002 | Posts: 636
Posted: Thu Jan 02, 2003 5:06 am

Thanks, I've read the fricking manual, and according to it I should have DNAT working.

Would someone like to tell me why this line:

Code:
iptables -t nat -A PREROUTING -d 67.120.26.98 -j DNAT --to 10.1.1.200


does not work? I get no errors, I just get no redirection to the internal PC. This line:

Code:
iptables -t nat -A POSTROUTING -s 10.1.1.200 -j SNAT --to 67.120.26.98


Works as it should.

My modules I have compiled into the kernel are as follows:

Code:
ipt_MARK                 696   0
ipt_mark                 440   0
iptable_mangle          2008   0
ipt_MASQUERADE          1560   0
ip_nat_ftp              3376   0  (unused)
ip_nat_irc              2640   0  (unused)
iptable_nat            16984   3  [ipt_MASQUERADE ip_nat_ftp ip_nat_irc]
ip_conntrack_ftp        4048   1
ip_conntrack_irc        2992   1
iptable_filter          1612   0
ipt_state                536   0
ip_conntrack           23136   4  [ipt_MASQUERADE ip_nat_ftp ip_nat_irc iptable_nat ip_conntrack_ftp ip_conntrack_irc ipt_state]
ip_tables              11288   9  [ipt_MARK ipt_mark iptable_mangle ipt_MASQUERADE iptable_nat iptable_filter ipt_state]


iptables -t nat -L reports:

Code:
root # iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       all  --  anywhere             67.120.26.98       to:10.1.1.200

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  mud                  anywhere           to:67.120.26.98


ifconfig:

Quote:
eth0 Link encap:Ethernet HWaddr 00:50:DA:B9:73:DA
inet addr:10.1.1.1 Bcast:10.1.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:17567 errors:0 dropped:0 overruns:0 frame:0
TX packets:17276 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:12279023 (11.7 Mb) TX bytes:12342851 (11.7 Mb)
Interrupt:12 Base address:0xb800

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:46 errors:0 dropped:0 overruns:0 frame:0
TX packets:46 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4010 (3.9 Kb) TX bytes:4010 (3.9 Kb)

ppp0 Link encap:Point-to-Point Protocol
inet addr:67.120.26.98 P-t-P:67.120.24.254 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:7884 errors:0 dropped:0 overruns:0 frame:0
TX packets:7713 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:8153428 (7.7 Mb) TX bytes:3678074 (3.5 Mb)


I can ping the internal host from the box:

Code:
mail root # ping 10.1.1.200
PING 10.1.1.200 (10.1.1.200): 56 octets data
64 octets from 10.1.1.200: icmp_seq=0 ttl=128 time=0.4 ms
64 octets from 10.1.1.200: icmp_seq=1 ttl=128 time=0.3 ms
64 octets from 10.1.1.200: icmp_seq=2 ttl=128 time=0.3 ms
64 octets from 10.1.1.200: icmp_seq=3 ttl=128 time=0.3 ms


I can ping externally from the box:

Code:
mail root # ping www.gentoo.org
PING www.gentoo.org (216.110.76.37): 56 octets data
64 octets from 216.110.76.37: icmp_seq=0 ttl=48 time=57.4 ms
64 octets from 216.110.76.37: icmp_seq=1 ttl=48 time=56.1 ms
64 octets from 216.110.76.37: icmp_seq=2 ttl=48 time=56.9 ms
64 octets from 216.110.76.37: icmp_seq=3 ttl=48 time=56.7 ms


IP forwarding is:

Code:
mail root # cat /proc/sys/net/ipv4/ip_forward
1


What is left to check?
jukka | Apprentice | Joined: 06 Jun 2002 | Posts: 249 | Location: Zurich, Switzerland
Posted: Thu Jan 02, 2003 6:19 am

what does
Code:
$ /sbin/route -n
say?
btg308 | n00b | Joined: 14 Aug 2002 | Posts: 72 | Location: Östersund, Sweden
Posted: Thu Jan 02, 2003 4:17 pm    Subject: allowed?

Quote:

when I portscan my public IP address from work it doesn't seem to be DNAT(?)ing to the internal box:


Have you tried from really outside the local network? Could be that you just need to make sure the firewall knows how to route stuff back in. This is what I have:

Code:

$IPTABLES -A POSTROUTING -t nat -d 192.168.0.2 -s 192.168.0.0/24 -p tcp -j SNAT --to 192.168.0.1


where 192.168.0.1 is the firewall and 192.168.0.2 the internal server I want to access from the inside. If this is the problem, the port-forwarding works from the outside, it's just accessing the public IP from inside the firewall that doesn't work.
_________________
Gentoo Linux - Feel the speed.
Kawasaki GPZ 1100 - The need for speed.
securiteaze | Tux's lil' helper | Joined: 24 Oct 2002 | Posts: 77 | Location: Tulsa,Oklahoma
Posted: Thu Jan 02, 2003 5:00 pm

This was shamelessly ripped from my firewall. (slightly mangled to protect the innocent/guilty :wink: )
This alone is by no means secure :!: But this should give you the idea.

# -p must name a protocol (tcp), not a service name; --dport requires it
${IPTables} -t nat -A PREROUTING -i ${ExtIF} -p tcp -s 0/0 -d ${ExtIP1} --dport 80 -j DNAT --to ${IntWWW1}:80 &&
${IPTables} -A FORWARD -m state --state NEW -i ${ExtIF} -s 0/0 -d ${IntWWW1} -j ACCEPT
_________________
Blah..
splooge | l33t | Joined: 30 Aug 2002 | Posts: 636
Posted: Thu Jan 02, 2003 6:19 pm

Thanks guys for the help, however it's still not working.

I am using nmap from a different isp to do the testing from so I am definitely on a separate network. (pacificnet.net to be precise).

nmap should give me a portscan of the internal box, right? Or does it do something special that would only stop at my firewall?
btg308 | n00b | Joined: 14 Aug 2002 | Posts: 72 | Location: Östersund, Sweden
Posted: Thu Jan 02, 2003 7:57 pm    Subject: ports?

Strange. However, if you're really serious about getting a good firewall up and running, I'd recommend you start in the other end - getting a tried firewall script that you can learn from and hack as necessary. I started off with http://www.netfilter.org/documentation/tutorials/blueflux/iptables-tutorial.html and I seem to have worked out fine. :-)

I've gotten used to building chains of tables, almost visualising the packets flowing through the system like water droplets after a spring rain... Well, you get the idea. :-D It's difficult to just take a few iptables rules out of their context and see what they do. It's a bit of a learning curve, but Oskar's tutorial above and Rusty's stuff from iptables.org (like http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO.html) should go a long way. I started laying it out on paper first until it 'clicked'.

You could try adding a port range to your code, though. It's supposed to be optional but I have never tried doing it without a port (I start in the other direction, instead of forwarding all ports and then block a few, I block all ports and then forward the ones I need)

Code:

iptables -t nat -A PREROUTING -p tcp --dport 1:65535 -d 67.120.26.98 -j DNAT --to 10.1.1.200




Another thing to watch out for (you won't have this problem since you have to do it IP-based anyway, it just popped into my head and I figured anyone searching the forums later would benefit from it):

If you want to be able to connect to the internal boxes from inside your network using their external addresses (ie bouncing off the firewall instead of talking to the machines directly) you will need to specify the DNAT stuff using the IP addresses (like you are), not the interface, otherwise that nifty route-back-in example I gave earlier won't work.
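The "bounce off the firewall" case from btg308's two posts above, as an added example that is not code from the thread: LAN clients talking to a forwarded server through its public address. The DNAT has to be keyed on the destination address rather than on the external interface, and a second SNAT is needed so the server's reply comes back through the firewall instead of going straight to the client. Placeholders, not from the page: LAN 10.1.1.0/24, firewall LAN address 10.1.1.1, public block 203.0.113.0/27 (the thread's 123.456.789.x is not a valid IPv4 address). With IPTABLES unset the rules are only printed.

```shell
#!/bin/sh
# Added example, not code from the thread: hairpin NAT so that LAN clients
# can reach a DNATed server by its public address.
# Assumptions (placeholders): LAN 10.1.1.0/24 behind firewall LAN address
# 10.1.1.1, public block 203.0.113.0/27. IPTABLES=iptables applies the rules.

IPTABLES="${IPTABLES:-echo iptables}"
LAN_NET="${LAN_NET:-10.1.1.0/24}"
FW_LAN_IP="${FW_LAN_IP:-10.1.1.1}"

# <public-ip> <internal-ip>, one per line
MAPPINGS='
203.0.113.2 10.1.1.2
203.0.113.3 10.1.1.3
'

hairpin_rules() {
    printf '%s\n' "$MAPPINGS" | while read -r pub int; do
        if [ -z "$pub" ]; then continue; fi
        # 1. DNAT keyed on the destination address, not "-i eth0": a LAN
        #    client's packet enters on the internal interface, so an
        #    interface-scoped rule would never match it.
        $IPTABLES -t nat -A PREROUTING -d "$pub" -j DNAT --to-destination "$int"
        # 2. Client and server share a subnet. Without this SNAT the server
        #    answers the client directly from its private address; the client
        #    expects a reply from the public address and resets the
        #    connection. Rewriting the source to the firewall's LAN address
        #    drags the reply back through the firewall, which reverses the DNAT.
        $IPTABLES -t nat -A POSTROUTING -s "$LAN_NET" -d "$int" -j SNAT --to-source "$FW_LAN_IP"
        # 3. The forward filter must accept the hairpinned connection.
        $IPTABLES -A FORWARD -s "$LAN_NET" -d "$int" -m state --state NEW -j ACCEPT
    done
}

hairpin_rules
```

The price of rule 2 is that the server sees every hairpinned client as 10.1.1.1, so its logs and any host-based access control lose the real LAN source. If that matters, split-horizon DNS (the internal resolver handing out 10.1.1.x for the public names) avoids the bounce altogether.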
splooge | l33t | Joined: 30 Aug 2002 | Posts: 636
Posted: Sat Jan 04, 2003 6:15 am

Amazing.

Well, I must reply to at least show what the cause of the problem was, no matter how embarrassing.

nmap apparently doesn't work through DNAT. At the time, nmap was the only utility I had to do what I 'thought' should be right.

Even though nmap returns the ports on the firewall itself (instead of the internal host, which was the cause of my confusion) other services -- such as ftp -- will still be forwarded internally. I falsely assumed that nmap would portscan the internal computer. It doesn't.

Everything I wanted to work is working. nmap was just the wrong tool to test it with. I put up an FTP server on my windows box internally and it works fine.

Sorry to everyone.
delta407 | Bodhisattva | Joined: 23 Apr 2002 | Posts: 2876 | Location: Chicago, IL
Posted: Sat Jan 04, 2003 7:07 am

Indeed; nmap gets confused with kernel-level IP translation. Always ssh to a remote box when trying to scan oneself.

Other than that (and on a completely unrelated note), I recently found that despite a big fat ALLOW rule in the FORWARD table, I had to add a specific ALLOW rule for inbound port forwarding. It was silly. :roll:
_________________
I don't believe in witty sigs.
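Both of the last two posts settle the question by comparing port scans. Scanning from a remote box, as delta407 says, is the right vantage point, but there is a more direct check than reading tea leaves from nmap: the kernel's connection table records, for every flow, the tuple as it arrived and the tuple after translation, so a DNATed connection is visible as an entry whose reply source is the internal host. One caveat worth stating: with a full-port DNAT in place an outside scan of the public address is answered by the internal host for exactly those ports the FORWARD chain accepts, and the firewall's own listeners on that address are no longer reachable at all, so a scan that shows only what the filter rules let through is the expected result, not a sign that the translation failed. The parser below is an added example, not code from the thread; the three table entries are constructed for it (198.51.100.7 stands in for the remote tester), and the only thing it assumes is the src=/dst=/sport=/dport= token layout of /proc/net/ip_conntrack on a 2.4 kernel, which `conntrack -L` on current kernels prints in the same form.

```shell
#!/bin/sh
# Added example, not code from the thread: confirm that DNAT (or SNAT) is
# actually being applied by reading the connection table instead of inferring
# it from a port scan. Each entry has two tuples: the original direction as
# the packet arrived, and the reply direction after translation. If the reply
# source is not the original destination the flow was DNATed; if the reply
# destination is not the original source it was SNATed.
# The three entries below are constructed for the example.

CONNTRACK_SAMPLE='tcp      6 431999 ESTABLISHED src=198.51.100.7 dst=67.120.26.98 sport=51234 dport=21 src=10.1.1.200 dst=198.51.100.7 sport=21 dport=51234 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=198.51.100.7 dst=67.120.26.98 sport=51240 dport=22 src=67.120.26.98 dst=198.51.100.7 sport=22 dport=51240 [ASSURED] use=1
udp      17 29 src=10.1.1.200 dst=216.110.76.37 sport=1025 dport=53 src=216.110.76.37 dst=67.120.26.98 sport=53 dport=1025 use=1'

# Usage: nat_flows dnat|snat < conntrack-table
# Prints "proto before -> after" for every translated flow.
nat_flows() {
    awk -v mode="$1" '{
        n = 0
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "src")        { n++; src[n] = kv[2] }
            else if (kv[1] == "dst")   { dst[n] = kv[2] }
            else if (kv[1] == "sport") { sport[n] = kv[2] }
            else if (kv[1] == "dport") { dport[n] = kv[2] }
        }
        if (n != 2) { next }                  # malformed or truncated entry
        # tuple 1 = original direction, tuple 2 = reply direction
        if (mode == "dnat" && dst[1] != src[2]) {
            printf "%s %s:%s -> %s:%s\n", $1, dst[1], dport[1], src[2], sport[2]
        }
        if (mode == "snat" && src[1] != dst[2]) {
            printf "%s %s:%s -> %s:%s\n", $1, src[1], sport[1], dst[2], dport[2]
        }
    }'
}

# Stand-alone run over the constructed table. On a live 2.4 box replace the
# printf with: cat /proc/net/ip_conntrack   (current kernels: conntrack -L)
printf '%s\n' "$CONNTRACK_SAMPLE" | nat_flows dnat
```

Read against the thread: the ftp connection from the tester is reported as "tcp 67.120.26.98:21 -> 10.1.1.200:21", the ssh connection to port 22 is not (its reply comes from the firewall's own address, so it was never translated), and in snat mode the internal host's DNS lookup shows up as leaving with the public source address. Run the probe from the remote box, then list the table on the firewall; an entry for the probe with the internal host in the reply tuple is proof the rule fired, whatever nmap reports.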
All times are GMT