Old 11-23-2009, 01:10 PM
Peter Peltonen
 
SNAT question

Hi,

I am unable to get my LAN masqueraded using SNAT with CentOS 5.3 and iptables.

I have the following setup:

eth0: connects to internet with static public IP 1.2.3.1 (obscured
here for privacy)
eth1: connects to DMZ with static public IP 1.2.3.2 (obscured here for privacy)
eth2: connects to LAN with static private IP 192.168.0.1

Traffic to hosts in the DMZ/Internet through eth0/1 works fine.

I tried masquerading the LAN with the following:

iptables -A FORWARD -i eth2 -j ACCEPT
iptables -A FORWARD -o eth2 -j ACCEPT
iptables -A POSTROUTING -t nat -s 192.168.0.0/24 -o eth0 -j SNAT --to-source 1.2.3.1

After this I can ssh to a server on the Internet from the LAN using
the server's IP address but not its name. The w command on the server
tells me that my address has not been masqueraded (it's 192.168.0.2,
the LAN client's private IP).

What am I doing wrong?

Best,
Peter
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 11-23-2009, 01:15 PM
Giovanni Tirloni
 
SNAT question

On Mon, Nov 23, 2009 at 12:10 PM, Peter Peltonen
<peter.peltonen@gmail.com> wrote:
> Hi,
>
> I am unable to get my LAN masqueraded using SNAT with CentOS 5.3 and iptables.
>
> I have the following setup:
>
> eth0: connects to internet with static public IP 1.2.3.1 (obscured
> here for privacy)
> eth1: connects to DMZ with static public IP 1.2.3.2 (obscured here for privacy)
> eth2: connects to LAN with static private IP 192.168.0.1
>
> Traffic to hosts in the DMZ/Internet through eth0/1 works fine.
>
> I tried masquerading the LAN with the following:
>
> iptables -A FORWARD -i eth2 -j ACCEPT
> iptables -A FORWARD -o eth2 -j ACCEPT
> iptables -A POSTROUTING -t nat -s 192.168.0.0/24 -o eth0 -j SNAT --to-source 1.2.3.1
>
> After this I can ssh to a server on the Internet from the LAN using
> the server's IP address but not its name. The w command on the server
> tells me that my address has not been masqueraded (it's 192.168.0.2,
> the LAN client's private IP).

If you can ssh to a server on the Internet then your connectivity is
working. You might want to check if DNS is allowed and working from
the LAN hosts to the Internet.

The fact that 'w' shows your internal IP address is because you're
connecting from the LAN to the gateway, which doesn't trigger the SNAT
because it's not forwarding any packets... only accepting your
connection.

--
Giovanni.
 
Old 11-23-2009, 01:31 PM
Peter Peltonen
 
SNAT question

Hi,

On Mon, Nov 23, 2009 at 4:15 PM, Giovanni Tirloni <tirloni@gmail.com> wrote:
> On Mon, Nov 23, 2009 at 12:10 PM, Peter Peltonen
> <peter.peltonen@gmail.com> wrote:
>> Hi,
>>
>> I am unable to get my LAN masqueraded using SNAT with CentOS 5.3 and iptables.
>>
>> I have the following setup:
>>
>> eth0: connects to internet with static public IP 1.2.3.1 (obscured
>> here for privacy)
>> eth1: connects to DMZ with static public IP 1.2.3.2 (obscured here for privacy)
>> eth2: connects to LAN with static private IP 192.168.0.1
>>
>> Traffic to hosts in the DMZ/Internet through eth0/1 works fine.
>>
>> I tried masquerading the LAN with the following:
>>
>> iptables -A FORWARD -i eth2 -j ACCEPT
>> iptables -A FORWARD -o eth2 -j ACCEPT
>> iptables -A POSTROUTING -t nat -s 192.168.0.0/24 -o eth0 -j SNAT --to-source 1.2.3.1
>>
>> After this I can ssh to a server on the Internet from the LAN using
>> the server's IP address but not its name. The w command on the server
>> tells me that my address has not been masqueraded (it's 192.168.0.2,
>> the LAN client's private IP).
>
> If you can ssh to a server on the Internet then your connectivity is
> working. You might want to check if DNS is allowed and working from
> the LAN hosts to the Internet.
>
> The fact that 'w' shows your internal IP address is because you're
> connecting from the LAN to the gateway, which doesn't trigger the SNAT
> because it's not forwarding any packets... only accepting your
> connection.

Hmm, I am SSHing not to the gateway but to a server on the Internet, so
shouldn't it masquerade the address and w show the gateway's IP and
not the client's -- isn't this the whole point of the SNAT?

No other service than SSH seems to work. If I do "telnet mydnsip 53"
there is no response, it just hangs. I also have correct DNS in
/etc/resolv.conf.

Best,
Peter
 
Old 11-25-2009, 09:58 PM
Peter Peltonen
 
SNAT question

On Mon, Nov 23, 2009 at 4:31 PM, Peter Peltonen
<peter.peltonen@gmail.com> wrote:
> Hi,
>
> On Mon, Nov 23, 2009 at 4:15 PM, Giovanni Tirloni <tirloni@gmail.com> wrote:
>> On Mon, Nov 23, 2009 at 12:10 PM, Peter Peltonen
>> <peter.peltonen@gmail.com> wrote:
>>> Hi,
>>>
>>> I am unable to get my LAN masqueraded using SNAT with CentOS 5.3 and iptables.
>>>
>>> I have the following setup:
>>>
>>> eth0: connects to internet with static public IP 1.2.3.1 (obscured
>>> here for privacy)
>>> eth1: connects to DMZ with static public IP 1.2.3.2 (obscured here for privacy)
>>> eth2: connects to LAN with static private IP 192.168.0.1
>>>
>>> Traffic to hosts in the DMZ/Internet through eth0/1 works fine.
>>>
>>> I tried masquerading the LAN with the following:
>>>
>>> iptables -A FORWARD -i eth2 -j ACCEPT
>>> iptables -A FORWARD -o eth2 -j ACCEPT
>>> iptables -A POSTROUTING -t nat -s 192.168.0.0/24 -o eth0 -j SNAT --to-source 1.2.3.1
>>>
>>> After this I can ssh to a server on the Internet from the LAN using
>>> the server's IP address but not its name. The w command on the server
>>> tells me that my address has not been masqueraded (it's 192.168.0.2,
>>> the LAN client's private IP).
>>
>> If you can ssh to a server on the Internet then your connectivity is
>> working. You might want to check if DNS is allowed and working from
>> the LAN hosts to the Internet.
>>
>> The fact that 'w' shows your internal IP address is because you're
>> connecting from the LAN to the gateway, which doesn't trigger the SNAT
>> because it's not forwarding any packets... only accepting your
>> connection.
>
> Hmm, I am SSHing not to the gateway but to a server on the Internet, so
> shouldn't it masquerade the address and w show the gateway's IP and
> not the client's -- isn't this the whole point of the SNAT?
>
> No other service than SSH seems to work. If I do "telnet mydnsip 53"
> there is no response, it just hangs. I also have correct DNS in
> /etc/resolv.conf.

Nobody has any other ideas what I might be doing wrong here?

Best,
Peter
 
Old 11-25-2009, 10:17 PM
Tait Clarridge
 
SNAT question

On Thu, 2009-11-26 at 00:58 +0200, Peter Peltonen wrote:
> On Mon, Nov 23, 2009 at 4:31 PM, Peter Peltonen
> <peter.peltonen@gmail.com> wrote:
> > Hi,
> >
> > On Mon, Nov 23, 2009 at 4:15 PM, Giovanni Tirloni <tirloni@gmail.com> wrote:
> >> On Mon, Nov 23, 2009 at 12:10 PM, Peter Peltonen
> >> <peter.peltonen@gmail.com> wrote:
> >>> Hi,
> >>>
> >>> I am unable to get my LAN masqueraded using SNAT with CentOS 5.3 and iptables.
> >>>
> >>> I have the following setup:
> >>>
> >>> eth0: connects to internet with static public IP 1.2.3.1 (obscured
> >>> here for privacy)
> >>> eth1: connects to DMZ with static public IP 1.2.3.2 (obscured here for privacy)
> >>> eth2: connects to LAN with static private IP 192.168.0.1
> >>>
> >>> Traffic to hosts in the DMZ/Internet through eth0/1 works fine.
> >>>
> >>> I tried masquerading the LAN with the following:
> >>>
> >>> iptables -A FORWARD -i eth2 -j ACCEPT
> >>> iptables -A FORWARD -o eth2 -j ACCEPT
> >>> iptables -A POSTROUTING -t nat -s 192.168.0.0/24 -o eth0 -j SNAT --to-source 1.2.3.1
> >>>
> >>> After this I can ssh to a server on the Internet from the LAN using
> >>> the server's IP address but not its name. The w command on the server
> >>> tells me that my address has not been masqueraded (it's 192.168.0.2,
> >>> the LAN client's private IP).
> >>
> >> If you can ssh to a server on the Internet then your connectivity is
> >> working. You might want to check if DNS is allowed and working from
> >> the LAN hosts to the Internet.
> >>
> >> The fact that 'w' shows your internal IP address is because you're
> >> connecting from the LAN to the gateway, which doesn't trigger the SNAT
> >> because it's not forwarding any packets... only accepting your
> >> connection.
> >
> > Hmm, I am SSHing not to the gateway but to a server on the Internet, so
> > shouldn't it masquerade the address and w show the gateway's IP and
> > not the client's -- isn't this the whole point of the SNAT?
> >
> > No other service than SSH seems to work. If I do "telnet mydnsip 53"
> > there is no response, it just hangs. I also have correct DNS in
> > /etc/resolv.conf.
>
> Nobody has any other ideas what I might be doing wrong here?
>
> Best,
> Peter

I had to get the VPN address range masqueraded on the LAN as the gateway
address, so for example:

VPN Server LAN IP: 192.168.1.20 (not the real thing, but doesn't matter)
VPN IP Range: 10.99.0.0

So when I connect through OpenVPN, my tunnel adaptor is given an IP like
10.99.0.5 (basically like a LAN, or your eth2).

What I did in IPTABLES is the following (eth0 is the LAN connection for
the VPN server):

iptables -t nat -A POSTROUTING -s 10.99.0.0/255.255.255.0 -o eth0 -j MASQUERADE

After that it worked. All connections to anything on the LAN appear as
if I am coming from 192.168.1.20. Just make sure that forwarding is
enabled (I believe it is required for masquerade):

cat /proc/sys/net/ipv4/ip_forward

If it equals 0, change it to 1.

You may want to remove all the other entries you tried to get
LAN->Internet going to ensure there is nothing conflicting.
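As an added example (not code from the thread or from CentOS), the following POSIX sh function audits an iptables-save dump plus the ip_forward value for the points raised in this thread: forwarding enabled, exactly one SNAT/MASQUERADE rule for the LAN subnet on the Internet interface, FORWARD open in both directions, and a hardening note on the stateless "-o eth2 -j ACCEPT" rule. The interface names, subnet and public address are taken from Peter's description; the dump at the bottom is constructed sample input.

```shell
#!/bin/sh
# Added example (not from the thread): audit an iptables-save dump for the
# SNAT pitfalls raised above. Interfaces, subnet and public address follow
# Peter's description; the dump below is constructed sample input.
LAN_NET="192.168.0.0/24"; LAN_IF="eth2"; WAN_IF="eth0"; WAN_IP="1.2.3.1"

# audit_nat_ruleset DUMP IP_FORWARD
#   DUMP        text in iptables-save format (filter and nat tables)
#   IP_FORWARD  the value read from /proc/sys/net/ipv4/ip_forward
# Prints one line per finding and returns the number of findings.
audit_nat_ruleset() {
    dump="$1"; ip_forward="$2"; found=0
    has() { printf '%s\n' "$dump" | grep -Eq -- "$1"; }
    note() { echo "$1"; found=$((found + 1)); }
    # 1. With forwarding off, LAN packets never reach nat/POSTROUTING at all.
    [ "$ip_forward" = "1" ] || note "ip_forward=$ip_forward: kernel will not forward LAN traffic"
    # 2. Source NAT belongs in nat/POSTROUTING, keyed on the LAN subnet leaving
    #    the Internet interface; MASQUERADE is the dynamic-address equivalent.
    has "^-A POSTROUTING .*-s $LAN_NET .*-o $WAN_IF .*-j (SNAT --to-source $WAN_IP|MASQUERADE)" \
        || note "no SNAT/MASQUERADE for $LAN_NET leaving $WAN_IF"
    # 3. Several POSTROUTING rules for the same subnet are the "conflicting
    #    entries" case: only the first match is applied to a connection.
    n=$(printf '%s\n' "$dump" | grep -Ec -- "^-A POSTROUTING .*-s $LAN_NET " || true)
    [ "$n" -le 1 ] || note "$n POSTROUTING rules for $LAN_NET; the earliest wins"
    # 4. The filter FORWARD chain must pass both directions (policy or rules).
    if ! has "^:FORWARD ACCEPT"; then
        has "^-A FORWARD -i $LAN_IF -j ACCEPT" || note "FORWARD drops LAN -> Internet"
        has "^-A FORWARD -o $LAN_IF .*-j ACCEPT" || note "FORWARD drops replies back to the LAN"
    fi
    # 5. Defender's caveat: '-o eth2 -j ACCEPT' with no state match lets any
    #    Internet host open connections into the LAN; replies only need
    #    ESTABLISHED,RELATED.
    has "^-A FORWARD -o $LAN_IF -j ACCEPT" \
        && note "FORWARD -o $LAN_IF accepts unsolicited inbound; add -m state --state ESTABLISHED,RELATED"
    return "$found"
}

# Constructed dump of the ruleset as posted in the thread (FORWARD policy DROP).
POSTED_DUMP='*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth2 -j ACCEPT
-A FORWARD -o eth2 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j SNAT --to-source 1.2.3.1
COMMIT'
audit_nat_ruleset "$POSTED_DUMP" 0 || echo "findings: $?"
```

On a live gateway, feed it `"$(iptables-save)"` and `"$(cat /proc/sys/net/ipv4/ip_forward)"` instead of the constructed dump.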
 
Old 11-28-2009, 01:41 PM
Peter Peltonen
 
SNAT question

Hi,

On Thu, Nov 26, 2009 at 1:17 AM, Tait Clarridge <tait@clarridge.ca> wrote:
>> >> <peter.peltonen@gmail.com> wrote:
>> >>> Hi,
>> >>>
>> >>> I am unable to get my LAN masqueraded using SNAT with CentOS 5.3 and iptables.
>> >>>
>> >>> I have the following setup:
>> >>>
>> >>> eth0: connects to internet with static public IP 1.2.3.1 (obscured
>> >>> here for privacy)
>> >>> eth1: connects to DMZ with static public IP 1.2.3.2 (obscured here for privacy)
>> >>> eth2: connects to LAN with static private IP 192.168.0.1
>> >>>
>> >>> Traffic to hosts in the DMZ/Internet through eth0/1 works fine.
>
> I had to get the VPN address range masqueraded on the LAN as the gateway
> address, so for example:
>
> VPN Server LAN IP: 192.168.1.20 (not the real thing, but doesn't matter)
> VPN IP Range: 10.99.0.0
>
> So when I connect through OpenVPN, my tunnel adaptor is given an IP like
> 10.99.0.5 (basically like a LAN, or your eth2).
>
> What I did in IPTABLES is the following (eth0 is the LAN connection for
> the VPN server):
>
> iptables -t nat -A POSTROUTING -s 10.99.0.0/255.255.255.0 -o eth0 -j MASQUERADE
>
> After that it worked. All connections to anything on the LAN appear as
> if I am coming from 192.168.1.20. Just make sure that forwarding is
> enabled (I believe it is required for masquerade):
>
> cat /proc/sys/net/ipv4/ip_forward
>
> If it equals 0, change it to 1.
>
> You may want to remove all the other entries you tried to get
> LAN->Internet going to ensure there is nothing conflicting.

It appears my problems were somehow DNS related: I can't access my
ISP's DNS from the LAN when masquerading is on (I can't understand why).
Using a nameserver in the DMZ solved my issues and everything now seems
to work OK.

Thanks for your help,
Peter