Hi everybody,
I have been looking for several days now for a way to configure vuurmuur to do one-to-one NAT.
Explanation of one-to-one NAT:
Network node one sends an IP packet with destination address 10.0.0.1 to the default gateway. Suppose vuurmuur is running on this gateway and that packet will be one-to-one translated there. That means the gateway will do a destination translation in its PREROUTING chain. That way 10.0.0.1 can be mapped to another IP, let's say 192.168.0.2.
To do this the following rule must be used:
iptables -t nat -A PREROUTING -d 10.0.0.1 -i eth0 -j DNAT --to-destination 192.168.0.2
The problem is that it is not possible for me to achieve this goal in vuurmuur. So I made a workaround in the form of a bash script with iptables rules. Now my configuration works, but every time I do an apply in vuurmuur_conf it overwrites the rules applied by my bash script. So I really would love to see a way to do one-to-one NAT in vuurmuur.
Could it be possible to run a script right after vuurmuur has done its job? Or can I help implement this new feature in vuurmuur? I already have a checkout, but although I know C, I still lack experience.
Regards,
M.
I think what you want can be done using the DNAT and/or Portfw actions. Why do these not work for you?
--{WHAT is WHAT}--
Networks:
"N1" = 172.16.0.0 / 255.255.255.0
"N2" = 192.168.0.0 / 255.255.255.0
Network nodes (aka PCs):
Gateway: "G" in network "N1" = 172.16.0.254
Client: "C" in network "N1" = 172.16.0.2 default gateway = "G"
Server: "S" in network "N2" = 192.168.0.2 default gateway = "V"
Vuurmuur: "V" has two interfaces and no default gateway:
eth0 in network "N1" = 172.16.0.1
eth1 in network "N2" = 192.168.0.1
Everything else is default...
--{MY SITUATION}--
The situation is very complicated. It involves connecting arbitrary subnets (LAN networks) to one other network over VPN, so I will only explain what I am trying to accomplish.
When "C" pings "10.0.0.1" the request is sent to the default gateway "G", where it likely gets dropped. When we create a route on "G" to route "10.0.0.0/24" traffic to "V", it is dropped at "V". So if we create a rule like this:
iptables -t nat -A PREROUTING -d 10.0.0.1 -i eth0 -j DNAT --to-destination 192.168.0.2
Then traffic on "N1" for destination 10.0.0.1 gets translated to 192.168.0.2. When the packet is translated it is routed to 192.168.0.2. When "S" sends a reply to 172.16.0.2 ("C"), it goes to the default gateway, and there it is routed back to "C".
This principle (known as one-to-one or static NAT) works for us. But we can't create the rule in vuurmuur.
--{ PORTFW & DNAT }--
If we assume the "from" address is the registered IP address 10.0.0.1 and the "to" address is the server address 192.168.0.2, then vuurmuur will create the following rules when using "Portfw" or "Dnat":
# Portfw service any from 10.0.0.1 to 192.168.0.2 options log,loglimit="20"
/sbin/iptables -t filter -A FORWARD -i eth0 -o eth1 -s 172.16.0.2/255.255.255.255 -d 192.168.0.2/255.255.255.255 -m limit --limit 20/sec --limit-burst 40 -m state --state NEW -j LOG --log-prefix "vrmr: PORTFW " --log-level info
/sbin/iptables -t nat -A PREROUTING -i eth0 -s 172.16.0.2/255.255.255.255 -d 172.16.0.1/255.255.255.255 -m state --state NEW -j DNAT --to-destination 192.168.0.2
/sbin/iptables -t filter -A FORWARD -i eth0 -o eth1 -s 172.16.0.2/255.255.255.255 -d 192.168.0.2/255.255.255.255 -m state --state NEW -j NEWACCEPT
# Dnat service any from 10.0.0.1 to 192.168.0.2 options log,loglimit="20"
/sbin/iptables -t nat -A PREROUTING -i eth0 -s 172.16.0.2/255.255.255.255 -d 172.16.0.1/255.255.255.255 -m limit --limit 20/sec --limit-burst 40 -m state --state NEW -j LOG --log-prefix "vrmr: DNAT " --log-level info
/sbin/iptables -t nat -A PREROUTING -i eth0 -s 172.16.0.2/255.255.255.255 -d 172.16.0.1/255.255.255.255 -m state --state NEW -j DNAT --to-destination 192.168.0.2
As you can see, vuurmuur assumes that packets for the actions "Portfw" and "Dnat" always have the firewall as destination. But in my case I want to use a fictional address as destination, namely 10.0.0.1.
To solve this issue I can manually enter the iptables rules I am missing. That way works, but is not optimal because things get scattered. So what I really would like to see is something like:
# Stnat service any from 10.0.0.1 to 192.168.0.2 options log,loglimit="20"
/sbin/iptables -t nat -A PREROUTING -i eth0 -d 10.0.0.1/255.255.255.255 -m limit --limit 20/sec --limit-burst 40 -m state --state NEW -j LOG --log-prefix "vrmr: STNAT " --log-level info
/sbin/iptables -t nat -A PREROUTING -i eth0 -d 10.0.0.1/255.255.255.255 -m state --state NEW -j DNAT --to-destination 192.168.0.2
I call it "Stnat" because it stands for Static NAT, and I don't use "one-to-one" as the name because "from" can also be a range.
Regards,
M. Evers
I think I found a way to create this rule in Vuurmuur. There are two steps:
First, create a virtual interface with the IP address 10.0.0.1 and eth0 as device (press F5 to see the 'virtual' toggle). I assume here you called it 'virtual'.
Second, create the rule like this:
Dnat service any from any to 192.168.0.2 options in_int="virtual"
This creates:
/sbin/iptables -t nat -A PREROUTING -i eth0 -d 10.0.0.1/255.255.255.255 -m state --state NEW -j DNAT --to-destination 192.168.0.2
The option 'in_int' makes sure that the right interface is used, despite the heavy 'any' usage.
Let me know if this works for you!
Cheers,
Victor
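An added example, written for this page and not part of vuurmuur or of the bash workaround described in the thread. It covers the one-to-one NAT rule from the first post, the "Stnat" rule set proposed in the third post, and the DNAT rule Victor's "Dnat ... in_int=virtual" rule produces. It does two things: it prints the complete rule set for one static mapping, and it checks an iptables-save dump for the live DNAT rule, which matters here because vuurmuur_conf regenerates the whole rule set on apply and drops anything added by hand. The point the rule-set part makes is that a DNAT entry in the nat table only rewrites the destination; the filter FORWARD chain still has to accept the rewritten packet and the replies, which is why the Portfw action in the thread emits FORWARD rules while Dnat does not. Interface and address names (eth0, eth1, 10.0.0.1, 192.168.0.2) are taken from the thread; the function names, the IPT variable and the sample dump are mine, and the dump is constructed rather than captured from a real host.

```shell
#!/bin/sh
# Added example, not vuurmuur's code and not the bash workaround from the
# thread. Builds the iptables rule set for one static (one-to-one) NAT
# mapping and checks an iptables-save dump for the live DNAT rule.
# Assumptions: interface and address names come from the thread
# (eth0/eth1, 10.0.0.1 -> 192.168.0.2); function names are mine.

IPT=${IPT:-/sbin/iptables}

# Accept only a well-formed dotted-quad IPv4 address, so a typo in the
# public or real address cannot silently become a wrong DNAT target.
valid_ipv4() {
    addr=$1
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$addr" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the commands for PUBLIC -> REAL arriving on IN_IF and forwarded out
# OUT_IF. The two nat rules are the "Stnat" rules proposed in the thread
# (the LOG rule is rate-limited). The two filter rules are what a bare DNAT
# rule does not give you: the nat table only rewrites the address, the
# FORWARD chain still has to accept the rewritten packet and the replies.
# In FORWARD the reply still carries the real server address as source;
# conntrack turns it back into PUBLIC only in POSTROUTING.
stnat_rules() {
    in_if=$1 out_if=$2 public=$3 real=$4 limit=${5:-20}
    valid_ipv4 "$public" && valid_ipv4 "$real" || return 1
    cat <<EOF
$IPT -t nat -A PREROUTING -i $in_if -d $public/32 -m state --state NEW -m limit --limit $limit/sec --limit-burst $((limit * 2)) -j LOG --log-prefix "vrmr: STNAT " --log-level info
$IPT -t nat -A PREROUTING -i $in_if -d $public/32 -m state --state NEW -j DNAT --to-destination $real
$IPT -t filter -A FORWARD -i $in_if -o $out_if -d $real/32 -m state --state NEW -j ACCEPT
$IPT -t filter -A FORWARD -i $out_if -o $in_if -s $real/32 -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Read an iptables-save dump on stdin and return 0 if the nat PREROUTING
# chain holds the DNAT rule for IN_IF / PUBLIC -> REAL, 1 otherwise.
# Run it right after an apply in vuurmuur_conf to see whether the mapping
# survived; a partial match (10.0.0.10 for 10.0.0.1) does not count.
stnat_present() {
    awk -v inif="-i $1 " -v pub="-d $2/32 " -v tgt="-j DNAT --to-destination $3 " '
        /^\*/     { table = $0 }     # "*nat", "*filter", ...
        /^COMMIT/ { table = "" }
        table == "*nat" && /^-A PREROUTING / {
            line = $0 " "            # pad so every token test ends in a space
            if (index(line, inif) && index(line, pub) && index(line, tgt)) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample dump in iptables-save format (not captured from a real
# host), holding the rule that Victor's Dnat rule with in_int="virtual" gives.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 10.0.0.1/32 -i eth0 -m state --state NEW -j DNAT --to-destination 192.168.0.2
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -i eth0 -o eth1 -d 192.168.0.2/32 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Stand-alone demonstration. On the gateway, as root, use the live dump:
#   iptables-save | stnat_present eth0 10.0.0.1 192.168.0.2
stnat_rules eth0 eth1 10.0.0.1 192.168.0.2
if printf '%s\n' "$SAMPLE_DUMP" | stnat_present eth0 10.0.0.1 192.168.0.2; then
    echo "static NAT 10.0.0.1 -> 192.168.0.2 on eth0 is in place"
else
    echo "static NAT rule missing: re-apply it" >&2
fi
```

Two things to keep in mind when using a rule set like this. The `-i eth0` match is what limits the mapping to traffic entering from N1; without it any interface, including the VPN side, could reach the server through 10.0.0.1. And "service any" exposes every port of 192.168.0.2 to N1, so where the server only needs one protocol, add `-p` and `--dport` to the DNAT and FORWARD rules rather than mapping the whole host. The reverse translation of replies is done by conntrack, which only works while S sends its replies back through V, as it does in the thread's topology where V is S's default gateway; a reply that leaves N2 by another router would still carry 192.168.0.2 as source and C would discard it.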
YES! It works like a charm. Thank You!
We use some heavy NAT'ing and with vuurmuur_conf we have an excellent console to quickly view, modify or track connections. Because many rules are added dynamically we also love the vuurmuur_script interface.
It is certainly a project worth trying.
Regards,
M. Evers