NAT 1-1 for Three Public IPs on Ubuntu
Hi,
I am trying to figure out the best way to set up 1-1 NAT for three public IPs to three private IPs through an Ubuntu gateway machine. I am running Ubuntu Server 9.10 and the setup is:

Internet/ISP modem -> NIC 1 Ubuntu Gateway Machine NIC 2 -> Three PCs with Private IPs

I had a few questions on how to do this correctly and securely.
1) What packages do I need to install (aside from the basic Ubuntu Server installation and possibly dhcp3-server)?
2) How do I assign all three public IPs to the NIC connected to the ISP modem? All addresses will be static; will I need the dhcp3-server package?
3) Once I have the three public IPs assigned, how do I map each specific public IP to the private IP address associated with it and provide the correct loopback? I want to make sure each response from the internal machines is sent out as their specific public IP.
4) Aside from allowing all connections, how should iptables be configured to allow web services to one internal machine, mail to another internal machine and DNS to the other internal machine?
I appreciate any pointers or direction on where to look. Thanks.
This sort of thing is handled in the POSTROUTING chain of the nat table. How much experience do you have with iptables?

This sort of thing is handled in the PREROUTING chain of the nat table. How much experience do you have with iptables?
I've written for you some example rules for the scenario you've described:
Code:
iptables -P FORWARD DROP
I'd be happy to try and answer any questions you may have.
This is an excellent description, thank you! To answer your earlier question, I have pretty limited experience with iptables, but I will try this code on the command line and report back to you.
I had a few more questions to make sure I don't miss anything. How is IP forwarding enabled? I found a method using the command below; however, I was getting an error message when trying it using sudo, and the description did not explain how to set this permanently so the policy will remain upon reboot:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
And once I have completed these actions, could you point me to the location of the configuration files so I can view them to double-check my work? Thanks again for your help; I have only been seeing positive things from this forum and appreciate the quick reply.
One more question. Should the eth1 interface be assigned a gateway address (something like 192.168.1.100 in this case) and then each of the internal PCs assigned their static private IP addresses with a gateway address of 192.168.1.100, or does each of the private IP addresses used for the internal network need to be assigned as a virtual interface to the eth1 NIC?
Thanks again.
Code:
# sudo applies only to echo, not to the shell redirection, hence the error;
# run the whole command inside a root shell instead
sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
Code:
# persistent setting (this line goes in /etc/sysctl.conf on Ubuntu)
net.ipv4.ip_forward=1
As for making the iptables settings survive reboot, dump the configuration into a file like this:
Code:
iptables-save > /etc/firewall.txt
Code:
# same redirection issue as above: run it under a root shell
sudo sh -c "iptables-save > /etc/firewall.txt"
Code:
auto lo
Hi,
So far so good; I have configured IP forwarding and set up the network aliases on the WAN side. However, a quick question: in the /etc/network/interfaces file only the eth0 interface is appearing. Do I just need to add eth1 information, or is there a better way to activate that NIC? As my default settings during installation made eth0 the primary network interface, I thought eth1 might just be hidden, but I felt I should ask the experts to make sure I go down the right path. Thanks again.
Yeah, add a stanza for eth1 just like you did for eth0 (minus the gateway).
Feel free to post what you've got so far.
So far I have enabled IP forwarding and have checked it as shown below:
Code:
# Used this command
sysctl net.ipv4.ip_forward
Code:
net.ipv4.ip_forward = 1
Code:
# The loopback network interface
Let me know if anything looks off. I also had a question I had been pondering. Would it be a smart move to also use the firewall as a DNS server, or would it be safer to have a dedicated DNS server behind the firewall? I understand the DNS server would be exposed if it were the firewall as well, but I was just curious about the pros and cons. Also, I may have a few questions about my BIND configuration when it comes to it, but I understand if I should post that in the appropriate subject grouping. Thanks again, more to come soon.
I haven't read your post in its entirety yet, but I just wanted to say in the meantime that for security reasons I highly recommend you disable forwarding until you've got your iptables rules properly set and verified.
It looks good to me. I'd never seen DNS settings in there before (I always use /etc/resolv.conf for that), but I'm assuming you verified that it's sane to set those there, in which case it's all good. Basically, you just need to add your stanza for eth1 as well as the pre-up line for eth0 and you should be set. Use the /sbin/ifconfig command to make sure the IPs are being set as desired. As for your DNS question, running a DNS server on a dedicated machine would make the most security sense IMO.
Thanks for the heads up on the IP forwarding; I disabled it shortly after I saw your post. I may do a clean install again as I want to make sure nothing was tampered with, and I can be a little paranoid.
Those DNS nameserver entries were set and placed there during setup; they are also in the resolv.conf file. I believe it is OK, as that was the default configuration when I was entering my specific network information during the installation, so basically the first time I came to the network configuration file they were there. I will do a little research to make sure it is OK, but I have been having no problems reaching the internet or the machine remotely, so I think it is OK. That is what I thought on the DNS nameserver question. One more question: if I make a rule to access the internal machines through SSH as well, should that protocol be UDP or TCP or both? Thanks again, I will report back soon with my detailed layout for you to take a look at.
SSH would be TCP only. If you want SSH access to each of the three machines from the WAN side, you'll need to forward three different ports. For example, you could forward port 2201 on the WAN to 192.168.1.101:22, port 2202 to 192.168.1.102:22, and port 2203 to 192.168.1.103:22. Make sure you don't try to forward the port which the NAT box itself is using for its SSH daemon (assuming you are indeed running an SSH daemon on it and it's listening on the WAN side).
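The rule set the replies above sketch (DNAT in PREROUTING, SNAT in POSTROUTING, per-service FORWARD allowances, and the 2201-2203 SSH port-forward scheme), as an added example that is not code from the thread. It assumes eth0/eth1 as in the thread, placeholder public addresses from the 203.0.113.0/24 documentation range, a hypothetical GW_PUB address for the gateway itself, and the web, mail and DNS services from the first post on the 192.168.1.101-103 hosts.

```shell
#!/bin/sh
# Added example, not code from the thread: prints the iptables commands for the
# 1:1 NAT layout discussed above. Public addresses are RFC 5737 documentation
# placeholders; private addresses are the 192.168.1.101-103 hosts from the
# thread. Pipe the output into a root shell to apply it.
WAN=eth0              # interface facing the ISP modem
LAN=eth1              # interface facing the three PCs
GW_PUB=203.0.113.10   # placeholder: the gateway's own address on eth0

# One host per line: public_ip private_ip tcp_ports udp_ports wan_ssh_port
# ("-" means no ports of that protocol are exposed).
MAPPINGS='203.0.113.11 192.168.1.101 80,443 - 2201
203.0.113.12 192.168.1.102 25 - 2202
203.0.113.13 192.168.1.103 53 53 2203'

nat_rules() {
    # Default-deny forwarding, but let replies to allowed connections through.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$MAPPINGS" | while read -r pub priv tcp udp ssh; do
        # SSH on a distinct WAN port of the gateway's own address. This rule
        # must precede the host's catch-all DNAT so it is matched first.
        echo "iptables -t nat -A PREROUTING -i $WAN -d $GW_PUB -p tcp --dport $ssh -j DNAT --to-destination $priv:22"
        # Inbound 1:1 mapping: everything sent to the public IP goes to the host.
        echo "iptables -t nat -A PREROUTING -i $WAN -d $pub -j DNAT --to-destination $priv"
        # Outbound: the host's own connections leave as its own public IP
        # (replies to DNAT'd connections are un-translated by conntrack).
        echo "iptables -t nat -A POSTROUTING -o $WAN -s $priv -j SNAT --to-source $pub"
        # Only the services this host is meant to expose are forwarded.
        if [ "$tcp" != - ]; then
            echo "iptables -A FORWARD -i $WAN -o $LAN -p tcp -d $priv -m multiport --dports $tcp -m state --state NEW -j ACCEPT"
        fi
        if [ "$udp" != - ]; then
            echo "iptables -A FORWARD -i $WAN -o $LAN -p udp -d $priv -m multiport --dports $udp -j ACCEPT"
        fi
        echo "iptables -A FORWARD -i $WAN -o $LAN -p tcp -d $priv --dport 22 -m state --state NEW -j ACCEPT"
    done
    # Hosts may initiate outbound connections.
    echo "iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT"
}

nat_rules
```

Review the printed rules first and only then apply them; with forwarding disabled, as advised above, a mistake here cannot expose a host.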
Ok, so here is what I have got.
My /etc/network/interfaces file looks like this:
Code:
# The loopback network interface
Code:
Chain INPUT (policy ACCEPT)
Code:
$ sudo iptables -P FORWARD DROP
Code:
# -o (output interface) is not valid in the PREROUTING chain, and "\-j" was a stray backslash
sudo iptables -t nat -A PREROUTING -p tcp -i eth0 -d xx.xx.xx.35 --dport 80 -j DNAT --to-destination 192.168.50.45
Thanks again.