setting up nat

Les Mikesell lesmikesell at gmail.com
Sat May 20 16:44:29 UTC 2006


On Sat, 2006-05-20 at 06:12, Stuart Sears wrote:

> > Thanks for that... but I hope you are joking! You mean there is no
> > gui/wizard for setting up nat?!?
> > Cheers
> > Antoine
> 
> no, not really.
> Unless you install third-party software to control it, the default
> graphical firewall config tools on FC don't do NAT. Welcome to our world. :)
> Command-line utilities also allow you to make incremental changes to
> firewall settings. Graphical tools (In my experience) tend to be
> all-or-nothing.
> 
> a few additional points and a brief walkthrough:
> 
> std_disclaimer:
> This is fairly simplistic and may not cover any or all of your security
> requirements. Particularly as they do not include any access rules at
> all, just NAT stuff.
> You should realise that netfilter rules applied using the 'iptables'
> command take immediate effect.
> Applying badly written rules over a network login can severely
> compromise your connectivity (and stress levels)
> For this reason I can't see why you would need to restart the entire
> connection after creating NAT rules.
> 
> on your router you would need to do a few simple things:
> 1) put NAT rules in place
> 2) possibly put other restrictions on the traffic you wish to allow
> through your box (particularly from the outside world)
> 3) permit packet forwarding through your box
> 4) save the rules
> 5) make sure the 'iptables' service runs at boot time
> ( although, technically it is not a traditional 'service', all it does
> is load rules into memory )
> 
> I am going to ignore any standard firewall rules you have on the system
> (you can set these up through the standard graphical interface. Do not
> do this after the NAT setup, you will break it.)
> 
> to control NAT you'll need to run a few shell commands.
> A shell script is not necessary. Although it simplifies taking rules
> from one system to another.
> Setting up iptables rules in rc.local is a *bad* idea (IMHO) - this
> means that on boot your interfaces are up and unprotected *before* the
> firewall rules are in place.
> 
> as root:
> iptables -nvL
> will show you the rules that are currently in place for normal traffic.
> iptables -t nat -nvL
> will show you any nat rules you already have in place
> to nat all outgoing traffic:
> assume your internal interface is eth0 and external is ppp0
> 
> a) clear any existing rules (if needed):
> iptables -t nat -F POSTROUTING
> 
> b) add a rule natting traffic from your boxes to the outside world. this
> is all one line (I've just separated the arguments)
> iptables -t nat \
>   -I POSTROUTING \
>   -s your_internal_network \
>   ! -d your_internal_network \
>   -o ppp0 \
>   -j MASQUERADE
> # (no -i here: iptables does not accept -i in POSTROUTING, where the
> # packet has already been routed, so the rule matches on -s and -o only)
> 
> c) save your rules and make sure they will apply on next boot:
> service iptables save
> chkconfig iptables on
> 
> d) allow packets to route through your system:
> edit /etc/sysctl.conf so that it has a line like this:
> net.ipv4.ip_forward = 1
> 
> e) apply that change immediately
> sysctl -p
> 
> voila! you are routing packets through your box.
> 
> these rules should then be permanently in place *unless* you run
> system-config-securitylevel to set up others... (bad design, I know.)
> 

This is yet another reason I like the k12ltsp distro more
than an unmodified fedora.  In addition to the ltsp package
to boot thin clients it includes an init script in
/etc/rc.d/init.d/nat where the guts look like this:

#!/bin/sh
# Version:      0.0.3
#
# chkconfig: 2345 90 10
# description: Starts and stops Network Address Translation for K12Linux/LTS

PUBLIC_ETHERNET="eth1"

# Source function library.
. /etc/init.d/functions

start() {
    echo -n "Starting up Network Address Translation: "
    # Load the NAT module (this pulls in all the others).
    modprobe iptable_nat
    # In the NAT table (-t nat), Append a rule (-A) after routing
    # (POSTROUTING) for all packets going out eth1 (-o eth1) which says to
    # MASQUERADE the connection (-j MASQUERADE).
    iptables -t nat -A POSTROUTING -o "$PUBLIC_ETHERNET" -j MASQUERADE
    # Turn on IP forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo
    return 0
}

stop() {
    echo -n "Stopping Network Address Translation: "
    echo 0 > /proc/sys/net/ipv4/ip_forward
    # Delete (-D) the exact rule that start() appended.
    iptables -t nat -D POSTROUTING -o "$PUBLIC_ETHERNET" -j MASQUERADE
    echo
    return 0
}

restart() {
    stop
    start
}

case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  restart|reload)
        restart
        ;;
  *)
        echo "*** Usage: nat {start|stop|restart}"
        exit 1
        ;;
esac
exit $?



K12ltsp makes some assumptions about the inside/outside interfaces
to simplify scripted configuration, but it's easier to modify
a working script than to figure it all out from a HOWTO.

-- 
  Les Mikesell
   lesmikesell at gmail.com
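The walkthrough quoted above lists five steps (NAT rule, access rules, forwarding, save, run at boot) but only shows the NAT rule, and its disclaimer says it leaves out the access rules entirely. The script below is an added example written for this page, not code from either poster or from the k12ltsp distro: it emits the masquerade rule together with a minimal FORWARD policy (default drop, anti-spoofing on the external side, LAN-to-Internet allowed, only reply traffic back in), applies it as root, and performs the two checks the walkthrough recommends. The interface names (eth0/ppp0), the internal network (192.168.1.0/24) and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or the k12ltsp script): a
# two-interface NAT router policy that also carries the access rules the
# walkthrough leaves out. Interface names and the internal network are
# assumptions; override them in the environment for your box.
INT_IF="${INT_IF:-eth0}"              # assumed LAN-side interface
EXT_IF="${EXT_IF:-ppp0}"              # assumed Internet-side interface
INT_NET="${INT_NET:-192.168.1.0/24}"  # assumed LAN address range

# Emit the iptables commands for a network and an interface pair instead of
# running them, so the policy can be reviewed before it takes effect
# (rules given to iptables apply immediately, as the walkthrough warns).
nat_rules() {
    int_net="$1"; int_if="$2"; ext_if="$3"
    cat <<EOF
# step a) clear the chains this policy owns
iptables -t nat -F POSTROUTING
iptables -F FORWARD
# step b) masquerade LAN traffic leaving on the external interface
# (POSTROUTING does not accept -i, so match on source network and -o only)
iptables -t nat -A POSTROUTING -s $int_net ! -d $int_net -o $ext_if -j MASQUERADE
# access rules: forward nothing unless a rule below allows it
iptables -P FORWARD DROP
# drop packets arriving from the outside that claim an inside source address
iptables -A FORWARD -i $ext_if -s $int_net -j DROP
# LAN hosts may open connections to the outside world
iptables -A FORWARD -i $int_if -o $ext_if -s $int_net -j ACCEPT
# only replies to those connections come back in
iptables -A FORWARD -i $ext_if -o $int_if -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Run the emitted commands (as root), then enable forwarding. On Fedora,
# follow with 'service iptables save' and 'chkconfig iptables on' so the
# rules are restored at boot before the interfaces come up.
apply_rules() {
    nat_rules "$INT_NET" "$INT_IF" "$EXT_IF" | sh -e \
        && sysctl -w net.ipv4.ip_forward=1 >/dev/null
}

# Post-check: succeed only if POSTROUTING holds a MASQUERADE rule whose
# out-interface is EXT_IF (column 7 of 'iptables -t nat -nvL') and
# forwarding is switched on.
check_policy() {
    iptables -t nat -nvL POSTROUTING \
        | awk -v ext="$EXT_IF" '$3 == "MASQUERADE" && $7 == ext { found = 1 }
                                END { exit !found }' \
        && [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ]
}

case "${1:-show}" in
    show)  nat_rules "$INT_NET" "$INT_IF" "$EXT_IF" ;;
    apply) apply_rules && check_policy ;;
    check) check_policy ;;
    *)     echo "usage: $0 {show|apply|check}" >&2; exit 1 ;;
esac
```

Run it as `sh nat-policy.sh show` to review the exact commands for your interfaces, then `sh nat-policy.sh apply` as root; `check` can be re-run after a reboot to confirm the saved rules and forwarding survived. The anti-spoofing rule sits before the ACCEPT rules on purpose: a packet arriving on the external interface with an internal source address must never be matched by the later rules.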
