LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 03-07-2010, 05:54 PM   #1
debianfan
Member
 
Registered: Mar 2010
Posts: 54

Rep: Reputation: 15
NAT 1-1 for Three Public IPs on Ubuntu


Hi,

I am trying to figure out the best way to set up 1-1 NAT for three public ips to three private ips through a ubuntu gateway machine.

I am running ubuntu server 9.10 and the set up is:

Internet/ISP modem -> NIC 1 Ubuntu Gateway Machine NIC 2 -> Three PCs with Private IPs

I had a few questions on how to do this correctly and securely.

1) What packages do I need to install (aside from the basic ubuntu server installation and possibly DHCP3-Server)

2) How do I assign all three public IPs to the NIC connected to the ISP modem? All addresses will be static, will I need the DHCP3-Server package?

3) Once I have the three public IPs assigned how do I map each specific public IP to the private IP address associated with it and provide the correct loopback? I want to make sure each response from the internal machines are sent out as their specific public IP.

4) Aside from allowing all connections, how should IP tables be configured to allow web services to one internal machine, mail to another internal machine and DNS to the other internal machine?

I appreciate any pointers or direction on where to look. Thanks.
 
Old 03-07-2010, 07:53 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379Reputation: 379Reputation: 379Reputation: 379
Quote:
Originally Posted by debianfan View Post
1) What packages do I need to install (aside from the basic ubuntu server installation and possibly DHCP3-Server)
I believe you should already have everything you need.

Quote:
2) How do I assign all three public IPs to the NIC connected to the ISP modem? All addresses will be static, will I need the DHCP3-Server package?
You can use this method. If everything is static, no need for any DHCP.

Quote:
3) Once I have the three public IPs assigned how do I map each specific public IP to the private IP address associated with it and provide the correct loopback? I want to make sure each response from the internal machines are sent out as their specific public IP.
You do this by enabling IP forwarding and configuring SNAT with iptables.

This sort of thing is handled in the POSTROUTING chain of the nat table.

How much experience do you have with iptables?

Quote:
4) Aside from allowing all connections, how should IP tables be configured to allow web services to one internal machine, mail to another internal machine and DNS to the other internal machine?
You do this by enabling IP forwarding and configuring port forwarding with iptables.

This sort of thing is handled in the PREROUTING chain of the nat table.

How much experience do you have with iptables?

Last edited by win32sux; 03-07-2010 at 07:54 PM.
 
Old 03-07-2010, 08:11 PM   #3
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379Reputation: 379Reputation: 379Reputation: 379
I've written for you some example rules for the scenario you've described:
Code:
iptables -P FORWARD DROP

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A FORWARD -p TCP -i eth0 -o eth1 -d 192.168.1.101 --dport 80 \
-m state --state NEW -j ACCEPT

iptables -A FORWARD -p TCP -i eth0 -o eth1 -d 192.168.1.102 --dport 25 \
-m state --state NEW -j ACCEPT

iptables -A FORWARD -p UDP -i eth0 -o eth1 -d 192.168.1.103 --dport 53 \
-m state --state NEW -j ACCEPT

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.101 \
-j SNAT --to-source 75.126.162.205

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.102 \
-j SNAT --to-source 75.126.162.206

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.103 \
-j SNAT --to-source 75.126.162.207

iptables -t nat -A PREROUTING -p TCP -i eth0 -d 75.126.162.205 --dport 80 \
-j DNAT --to-destination 192.168.1.101

iptables -t nat -A PREROUTING -p TCP -i eth0 -d 75.126.162.206 --dport 25 \
-j DNAT --to-destination 192.168.1.102

iptables -t nat -A PREROUTING -p UDP -i eth0 -d 75.126.162.207 --dport 53 \
-j DNAT --to-destination 192.168.1.103
These assume your Internet-facing NIC is eth0 and your LAN-facing one is eth1, of course.

I'd be happy to try and answer any questions you may have.

Last edited by win32sux; 03-09-2010 at 08:56 PM. Reason: Removed bogus outbound interface match from PREROUTING rules.
 
Old 03-08-2010, 09:41 AM   #4
debianfan
Member
 
Registered: Mar 2010
Posts: 54

Original Poster
Rep: Reputation: 15
This is an excellent description, thank you! To answer your earlier question I have pretty limited experience with IP tables, but I will try this code in the command line and report back to you.

I had a few more questions to make sure I don't miss anything. How is IP forwarding enabled, I found a method using the code below however I was getting an error message when trying it using sudo, and the description did not explain how to set this permanently so the policy will remain upon reboot:

echo 1 > /proc/sys/net/ipv4/ip_forward

And once I have completed these actions, could you point me to the location of the configuration files so I can view them to double check my work.

Thanks again for your help, I have only been seeing positive things from this forum and appreciate the quick reply.
 
Old 03-08-2010, 11:49 AM   #5
debianfan
Member
 
Registered: Mar 2010
Posts: 54

Original Poster
Rep: Reputation: 15
One more question. Should the eth1 interface be assigned a gateway address (something like 192.168.1.100 in this case) and then each of the internal pcs are assigned their static private ip addresses with a gateway address of 192.168.1.100, or do each of the private IP addresses used for the internal network need to be assigned as virtual interfaces to the eth1 NIC?

Thanks again.

Last edited by debianfan; 03-08-2010 at 12:40 PM.
 
Old 03-08-2010, 03:48 PM   #6
nomb
Member
 
Registered: Jan 2006
Distribution: Debian Testing
Posts: 675

Rep: Reputation: 58
Quote:
Originally Posted by debianfan View Post
How is IP forwarding enabled, I found a method using the code below however I was getting an error message when trying it using sudo, and the description did not explain how to set this permanently so the policy will remain upon reboot:

echo 1 > /proc/sys/net/ipv4/ip_forward
Add "net.ipv4.ip_forward = 1" in to sysctl.conf which is probably located under /etc.
 
Old 03-08-2010, 03:50 PM   #7
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379Reputation: 379Reputation: 379Reputation: 379
Quote:
Originally Posted by debianfan View Post
This is an excellent description, thank you! To answer your earlier question I have pretty limited experience with IP tables, but I will try this code in the command line and report back to you.

I had a few more questions to make sure I don't miss anything. How is IP forwarding enabled, I found a method using the code below however I was getting an error message when trying it using sudo, and the description did not explain how to set this permanently so the policy will remain upon reboot:

echo 1 > /proc/sys/net/ipv4/ip_forward

And once I have completed these actions, could you point me to the location of the configuration files so I can view them to double check my work.

Thanks again for your help, I have only been seeing positive things from this forum and appreciate the quick reply.
You can enable it like that, but if you're using sudo to execute that command it'll fail due to the redirection happening as the non-root user. What I'd do is either switch to root, or better yet just wrap it up in a shell command:
Code:
sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
Making it be enabled at startup time is just a matter of adding the corresponding line to your /etc/sysctl.conf file:
Code:
net.ipv4.ip_forward=1
Quote:
Originally Posted by debianfan View Post
One more question. Should the eth1 interface be assigned a gateway address (something like 192.168.1.100 in this case) and then each of the internal pcs are assigned their static private ip addresses with a gateway address of 192.168.1.100, or do each of the private IP addresses used for the internal network need to be assigned as virtual interfaces to the eth1 NIC?

Thanks again.
Only the WAN/Internet address on the NAT box needs a gateway set. As for the boxes on the LAN side (connected to the LAN interface of the NAT box via a switch/hub), they need to have their gateway address set as the IP of the LAN interface on the NAT box. No virtual NICs or IP aliases necessary.

As for making the iptables settings survive reboot, dump the configuration into a file like this:
Code:
iptables-save > /etc/firewall.txt
Remember that if you're using sudo you'll want to wrap it:
Code:
sudo sh -c "iptables-save > /etc/firewall.txt"
Then specify in your /etc/network/interfaces file that you want it to be restored before the interface is activated. As an example, the current /etc/network/interfaces file on my laptop looks like this:
Code:
auto lo
iface lo inet loopback
pre-up iptables-restore < /etc/firewall.txt
I don't have any true interfaces configured there simply because I let the GNOME Wi-Fi thing handle that stuff. In your case, you'd have several stanzas (as shown in the example I linked), so stick the pre-up under the WAN interface stanza.

Last edited by win32sux; 03-08-2010 at 04:36 PM.
 
Old 03-08-2010, 08:03 PM   #8
debianfan
Member
 
Registered: Mar 2010
Posts: 54

Original Poster
Rep: Reputation: 15
Hi,

So far so good, I have configured ip forwarding and set up the network aliases on the WAN side. However a quick question, in the /etc/network/interfaces file only the eth0 interface is appearing. Do I just need to add eth1 information or is there a better way to activate that NIC card. As my default settings during installation made the eth0 the primary network interface I thought eth1 might just be hidden, but I felt I should ask the experts to make sure I go down the right path.

Thanks again.
 
Old 03-08-2010, 09:38 PM   #9
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379Reputation: 379Reputation: 379Reputation: 379
Yeah, add a stanza for eth1 just like you did for eth0 (minus the gateway).

Feel free to post what you've got so far.
 
Old 03-08-2010, 10:53 PM   #10
debianfan
Member
 
Registered: Mar 2010
Posts: 54

Original Poster
Rep: Reputation: 15
So far I have enabled IP forwarding and have checked it as shown below:

#Used this command
Code:
sysctl net.ipv4.ip_forward
#Got this output
Code:
net.ipv4.ip_forward = 1
My configuration of the /etc/network/interfaces file looks like the example below:

Code:
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
              address xx.xx.xx.34
              netmask 255.255.255.248
              network xx.xx.xx.32
              broadcast xx.xx.xx.39
              gateway xx.xx.xx.33
              # dns-* options are implemented by the resolvconf package, if installed
              dns-nameservers xx.xx.xx.12 xx.xx.xx.13
              dns-search xxxx.com

auto eth0:0
iface eth0:0 inet static
              address xx.xx.xx.35
              netmask 255.255.255.248
              broadcast xx.xx.xx.39

auto eth0:1
iface eth0:1 inet static
               address xx.xx.xx.36
               netmask 255.255.255.248
               broadcast xx.xx.xx.39

auto eth0:2
iface eth0:2 inet static
               address xx.xx.xx.37
               netmask 255.255.255.248
               broadcast xx.xx.xx.39
I am planning to implement your iptables code tomorrow morning to ensure my concentration, and will post an update then as well.

Let me know if anything looks off.

I also had a question I had been pondering. Would it be a smart move to also use the firewall as a DNS server as well, or would it be safer to have a dedicated DNS server behind the firewall. I understand the DNS server would be exposed if it were the firewall as well, but was just curious about the pros and cons.

Also, I may have a few questions about my bind configuration when it comes to it, but understand if I should post that in the appropriate subject grouping when it comes to it.

Thanks again, more to come soon.

Last edited by debianfan; 03-16-2010 at 11:08 AM.
 
Old 03-08-2010, 11:01 PM   #11
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379Reputation: 379Reputation: 379Reputation: 379
I haven't read your post in its entirety yet, but I just wanted to say in the meantime that for security reasons I highly recommend you disable forwarding until you've got your iptables rules properly set and verified.
 
Old 03-08-2010, 11:15 PM   #12
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379Reputation: 379Reputation: 379Reputation: 379
It looks good to me. I'd never seen DNS settings in there before (I always use /etc/resolv.conf for that), but I'm assuming you verified that it's sane to set those there, in which case it's all good. Basically, you just need to add your stanza for eth1 as well as the pre-up line for eth0 and you should be set. Use the /sbin/ifconfig command to make sure the IPs are being set as desired. As for your DNS question, running a DNS server on a dedicated machine would make the most security sense IMO.

Last edited by win32sux; 03-08-2010 at 11:17 PM.
 
Old 03-09-2010, 09:25 AM   #13
debianfan
Member
 
Registered: Mar 2010
Posts: 54

Original Poster
Rep: Reputation: 15
Thanks for the heads up on the IP forwarding, I disabled it shortly after I saw your post. I may do a clean install again as I want to make sure nothing was tampered with, and I can be a little paranoid.

Those dns nameserver entries were set and placed there during setup, they are also in the resolv.conf file. I believe it is ok as that was the default configuration when I was entering my specific network information during the installation, so basically the first time I came to the network configuration file they were there. I will do a little research to make sure it is ok, but I have been having no problems reaching the internet or the machine remotely so I think it is ok.

That is what I thought on the DNS nameserver question.

One more question if I make a rule to access the internal machines through ssh as well should that protocol be UDP or TCP or both?

Thanks again, I will report back soon with my detailed layout for you to take a look at.
 
Old 03-09-2010, 05:06 PM   #14
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379Reputation: 379Reputation: 379Reputation: 379
SSH would be TCP only. If you want SSH access to each of the three machines from the WAN side, you'll need to forward three different ports. For example, you could forward port 2201 on the WAN to 192.168.1.101:22, port 2202 to 192.168.1.102:22, and port 2203 to 192.168.1.103:22. Make sure you don't try to forward the port which the NAT box itself is using for its SSH daemon (assuming you are indeed running an SSH daemon on it and it's listening on the WAN side).

Last edited by win32sux; 03-09-2010 at 05:10 PM.
 
Old 03-09-2010, 08:22 PM   #15
debianfan
Member
 
Registered: Mar 2010
Posts: 54

Original Poster
Rep: Reputation: 15
Ok, so here is what I have got.

My /etc/network/interfaces file looks like this:

Code:
# The loopback network interface
auto lo
iface lo inet loopback
pre-up iptables restore < /etc/firewall.txt

# The primary network interface
auto eth0
iface eth0 inet static
address xx.xx.xx.34
netmask 255.255.255.248
network xx.xx.xx.32
broadcast xx.xx.xx.39
gateway xx.xx.xx.33
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers xx.xx.xx.12 xx.xx.xx.13
dns-search xxxx.com

auto eth0:0
iface eth0:0 inet static
address xx.xx.xx.35
netmask 255.255.255.248
broadcast xx.xx.xx.39

auto eth0:1
iface eth0:1 inet static
address xx.xx.xx.36
netmask 255.255.255.248
broadcast xx.xx.xx.39

auto eth0:2
iface eth0:2 inet static
address xx.xx.xx.37
netmask 255.255.255.248
broadcast xx.xx.xx.39

# The secondary network interface
auto eth1
iface eth1 inet static
address 192.168.50.44
netmask 255.255.255.248
network 192.168.50.42
broadcast 192.168.50.49
Using the iptables -L command this is my configuration which I have dumped into that firewall.txt file:

Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             192.168.50.45       tcp dpt:www state NEW 
ACCEPT     tcp  --  anywhere             192.168.50.45       tcp dpt:https state NEW 
ACCEPT     tcp  --  anywhere             192.168.50.46       tcp dpt:www state NEW 
ACCEPT     tcp  --  anywhere             192.168.50.46       tcp dpt:https state NEW 
ACCEPT     tcp  --  anywhere             192.168.50.46       tcp dpt:smtp state NEW 
ACCEPT     tcp  --  anywhere             192.168.50.46       tcp dpt:imap2 state NEW 
ACCEPT     tcp  --  anywhere             192.168.50.46       tcp dpt:ssmtp state NEW 
ACCEPT     tcp  --  anywhere             192.168.50.46       tcp dpt:585 state NEW 
ACCEPT     tcp  --  anywhere             192.168.50.46       tcp dpt:imaps state NEW 
ACCEPT     udp  --  anywhere             192.168.50.47       udp dpt:domain state NEW 
ACCEPT     udp  --  anywhere             192.168.50.48       udp dpt:domain state NEW 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Also, this is the code I used for my postrouting up until the prerouting code when I received an error:

Code:
$ sudo iptables -P FORWARD DROP
$ sudo iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$ sudo iptables -A FORWARD -p TCP -i eth0 -o eth1 -d 192.168.50.45 --dport 80 \-m state --state NEW -j ACCEPT
$ sudo iptables -A FORWARD -p TCP -i eth0 -o eth1 -d 192.168.50.45 --dport 443 \-m state --state NEW -j ACCEPT
$ sudo iptables -A FORWARD -p TCP -i eth0 -o eth1 -d 192.168.50.46 --dport 80 \-m state --state NEW -j ACCEPT
$ sudo iptables -A FORWARD -p TCP -i eth0 -o eth1 -d 192.168.50.46 --dport 443 \-m state --state NEW -j ACCEPT
$ sudo iptables -A FORWARD -p TCP -i eth0 -o eth1 -d 192.168.50.46 --dport 25 \-m state --state NEW -j ACCEPT
$ sudo iptables -A FORWARD -p TCP -i eth0 -o eth1 -d 192.168.50.46 --dport 143 \-m state --state NEW -j ACCEPT
$ sudo iptables -A FORWARD -p TCP -i eth0 -o eth1 -d 192.168.50.46 --dport 465 \-m state --state NEW -j ACCEPT
$ sudo iptables -A FORWARD -p TCP -i eth0 -o eth1 -d 192.168.50.46 --dport 585 \-m state --state NEW -j ACCEPT
$ sudo iptables -A FORWARD -p TCP -i eth0 -o eth1 -d 192.168.50.46 --dport 993 \-m state --state NEW -j ACCEPT
$ sudo iptables -A FORWARD -p UDP -i eth0 -o eth1 -d 192.168.50.47 --dport 53 \-m state --state NEW -j ACCEPT
$ sudo iptables -A FORWARD -p UDP -i eth0 -o eth1 -d 192.168.50.48 --dport 53 \-m state --state NEW -j ACCEPT
$ sudo iptables -t nat -A POSTROUTING -o eth0 -s 192.168.50.45 \-j SNAT --to-source xx.xx.xx.35
$ sudo iptables -t nat -A POSTROUTING -o eth0 -s 192.168.50.46 \-j SNAT --to-source xx.xx.xx.36
$ sudo iptables -t nat -A POSTROUTING -o eth0 -s 192.168.50.47 \-j SNAT --to-source xx.xx.xx.37
$ sudo iptables -t nat -A POSTROUTING -o eth0 -s 192.168.50.48 \-j SNAT --to-source xx.xx.xx.38
However, when I got to the prerouting section and entered the command below, I received an error message about the use of -o:

Code:
sudo iptables -t nat -A PREROUTING -p TCP -i eth0 -o eth1 -d xx.xx.xx.35 --dport 80 \-j DNAT --to-destination 192.168.50.45
iptables v1.4.4: Can't use -o with PREROUTING

Try `iptables -h' or 'iptables --help' for more information.
Do you have an idea on how to remedy that? Also, once I get the prerouting rules in correctly could you tell me how I should save my iptables to firewall.txt so all of the rules, postrouting and prerouting are saved in one file.

Thanks again.

Last edited by debianfan; 03-16-2010 at 11:11 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Routing with public IPs crontab Linux - Networking 3 02-10-2009 06:11 AM
Can I use Public IPs on LAN dula Linux - Networking 1 06-07-2007 06:46 AM
NAT + public IPS (+ firestarter) Stefan Pantiru Linux - Networking 2 05-17-2005 05:43 AM
Public IPs behind router Buzer Linux - Networking 2 09-20-2003 01:36 PM
Sharing two public IPs. Unseen Linux - Networking 8 03-20-2003 01:17 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 10:28 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration