Re: setting up nat



On Sat, 2006-05-20 at 06:12, Stuart Sears wrote:

Thanks for that... but I hope you are joking! You mean there is no
gui/wizard for setting up nat?!?
Cheers
Antoine

no, not really.
Unless you install third-party software to control it, the default
graphical firewall config tools on FC don't do NAT. Welcome to our world. :)
Command-line utilities also allow you to make incremental changes to
firewall settings. Graphical tools (in my experience) tend to be
all-or-nothing.

a few additional points and a brief walkthrough:

std_disclaimer:
This is fairly simplistic and may not cover any or all of your security
requirements. Particularly as they do not include any access rules at
all, just NAT stuff.
You should realise that netfilter rules applied using the 'iptables'
command take immediate effect.
Applying badly written rules over a network login can severely
compromise your connectivity (and stress levels).
For this reason I can't see why you would need to restart the entire
connection after creating NAT rules.

on your router you would need to do a few simple things:
1) put NAT rules in place
2) possibly put other restrictions on the traffic you wish to allow
through your box (particularly from the outside world)
3) permit packet forwarding through your box
4) save the rules
5) make sure the 'iptables' service runs at boot time
( although, technically it is not a traditional 'service', all it does
is load rules into memory )

I am going to ignore any standard firewall rules you have on the system
(you can set these up through the standard graphical interface. DO not
do this after the NAT setup, you will break it.)

to control NAT you'll need to run a few shell commands.
A shell script is not necessary. Although it simplifies taking rules
from one system to another.
Setting up iptables rules in rc.local is a *bad* idea (IMHO) - this
means that on boot your interfaces are up and unprotected *before* the
firewall rules are in place.

as root:
iptables -nvL
will show you the rules that are currently in place for normal traffic.
iptables -t nat -nvL
will show you any nat rules you already have in place.
to nat all outgoing traffic:
assume your internal interface is eth0 and external is ppp0

a) clear any existing rules (if needed):
iptables -t nat -F POSTROUTING

b) add a rule natting traffic from your boxes to the outside world. this
is all one line (I've just separated the arguments)
iptables -t nat \
  -I POSTROUTING \
  -s your_internal_network \
  -d ! your_internal_network \
  -o ppp0 \
  -j MASQUERADE

c) save your rules and make sure they will apply on next boot:
service iptables save
chkconfig iptables on

d) allow packets to route through your system:
edit /etc/sysctl.conf so that it has a line like this:
net.ipv4.ip_forward = 1

e) apply that change immediately
sysctl -p

voila! you are routing packets through your box.

these rules should then be permanently in place *unless* you run
system-config-securitylevel to set up others... (bad design, I know.)


This is yet another reason I like the k12ltsp distro more
than an unmodified fedora. In addition to the ltsp package
to boot thin clients it includes an init script in
/etc/rc.d.init.d/nat where the guts look like this:

#!/bin/sh
# Version: 0.0.3
#
# chkconfig: 2345 90 10
# description: Starts and stops Network Address Translation for K12Linux/LTS

# Interface facing the outside world; everything leaving it is masqueraded.
PUBLIC_ETHERNET="eth1"

# Source function library.
. /etc/init.d/functions

start() {
    echo -n "Starting up Network Address Translation: "
    # Load the NAT module (this pulls in all the others).
    modprobe iptable_nat
    # In the NAT table (-t nat), Append a rule (-A) after routing
    # (POSTROUTING) for all packets going out eth1 (-o eth1) which says to
    # MASQUERADE the connection (-j MASQUERADE).
    iptables -t nat -A POSTROUTING -o $PUBLIC_ETHERNET -j MASQUERADE
    # Turn on IP forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo
    return 0
}

stop() {
    echo -n "Stopping Network Address Translation: "
    echo 0 > /proc/sys/net/ipv4/ip_forward
    # Delete (-D) the exact rule that start() appended.
    iptables -t nat -D POSTROUTING -o $PUBLIC_ETHERNET -j MASQUERADE
    echo
    return 0
}

restart() {
    stop
    start
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart|reload)
        restart
        ;;
    *)
        echo "*** Usage: nat {start|stop|restart}"
        exit 1
esac
exit $?



K12ltsp makes some assumptions about the inside/outside interfaces
to simplify scripted configuration, but it's easier to modify
a working script than to figure it all out from a HOWTO.

--
Les Mikesell
lesmikesell@xxxxxxxxx
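As an added example (my own, not Stuart's walkthrough and not the K12LTSP init script above), here is a small POSIX shell script that turns the steps in this thread into functions: nat_commands prints the commands for the source-restricted masquerade rule plus ip_forward, and audit_postrouting reads `iptables -t nat -S POSTROUTING` output and flags any MASQUERADE rule that has no -s match, which is exactly what the K12LTSP one-liner produces (it hides every source the box forwards out eth1, not just the thin-client network). It uses the newer `! -d` negation and `iptables -C` rule-check syntax rather than the 2006-era `-d !`; the 192.168.1.0/24 and ppp0 values are assumptions and the rule listing it audits is a constructed sample. Nothing in it touches the live firewall unless you run the printed commands yourself as root.

```shell
#!/bin/sh
# Added example, not from the thread or from K12LTSP. Generates the NAT
# commands from the walkthrough and audits a POSTROUTING chain for
# masquerade rules that are broader than intended. Only prints commands;
# it never runs iptables itself.

# Print the commands that masquerade traffic from $1 (internal CIDR network,
# assumed e.g. 192.168.1.0/24) leaving $2 (external interface, e.g. ppp0).
# `iptables -C` tests whether the rule is already present, so re-running the
# printed output does not stack duplicate rules (needs iptables >= 1.4.11).
nat_commands() {
    net="$1"
    ext="$2"
    case "$net" in
        */[0-9]|*/[0-9][0-9]) ;;
        *)
            echo "nat_commands: expected a CIDR network such as 192.168.1.0/24, got '$net'" >&2
            return 2
            ;;
    esac
    [ -n "$ext" ] || { echo "nat_commands: missing external interface" >&2; return 2; }
    rule="POSTROUTING -s $net ! -d $net -o $ext -j MASQUERADE"
    printf 'iptables -t nat -C %s 2>/dev/null || iptables -t nat -I %s\n' "$rule" "$rule"
    # Forwarding is what actually turns the box into a router; persist it in
    # /etc/sysctl.conf as the walkthrough says, this only applies it now.
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
}

# Read `iptables -t nat -S POSTROUTING` output on stdin. Print a WARN line
# for every MASQUERADE rule that carries no -s match: such a rule hides any
# source the box forwards out that interface, not just your internal network.
# Returns the number of warnings (0 means the chain looks as intended).
audit_postrouting() {
    warnings=0
    while IFS= read -r line; do
        case "$line" in
            *"-j MASQUERADE"*)
                case "$line" in
                    *" -s "*) ;;
                    *)
                        warnings=$((warnings + 1))
                        printf 'WARN: MASQUERADE without source restriction: %s\n' "$line"
                        ;;
                esac
                ;;
        esac
    done
    return "$warnings"
}

# Constructed sample of `iptables -t nat -S POSTROUTING` output: the
# walkthrough's restricted rule next to a K12LTSP-style catch-all.
SAMPLE_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -o ppp0 -j MASQUERADE
-A POSTROUTING -o eth1 -j MASQUERADE'

# Run as `sh nat-helper.sh demo` to see both functions in action.
if [ "${1:-}" = demo ]; then
    nat_commands 192.168.1.0/24 ppp0
    printf '%s\n' "$SAMPLE_RULES" | audit_postrouting
fi
```

On a real router you would feed it `iptables -t nat -S POSTROUTING | sh nat-helper.sh` style input from the live chain; a non-zero exit from audit_postrouting is the cue to add the -s restriction before trusting the box on the outside interface.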


--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list


