Feature #3035

NAT 1:1

Added by Filippo Carletti over 6 years ago. Updated over 6 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: nethserver-firewall-base
Target version: v6.6
Resolution:
NEEDINFO: No

Description

NAT 1:1 enables an internal ip to be NAT'd to an external ip alias.
We need a server-manager panel to link the internal ip to an existing alias.
The workflow would be:
1. create alias
2. link internal ip to alias

Probably, the panel should ask for a description for the NAT.

Incoming NAT will remain configured with port forwards as usual.

Associated revisions

Revision 932f33ce
Added by Edoardo Spadoni over 6 years ago

nat 1:1. initial implementation. Refs #3035

Revision dc74c729
Added by Edoardo Spadoni over 6 years ago

nat 1:1. get hostname by firewall api, update nat base template. Refs #3035

Revision 5d325dfd
Added by Davide Principi over 6 years ago

Added autocomplete widget to FwObjectNat field. Refs #3035

Revision e5eaa88e
Added by Edoardo Spadoni over 6 years ago

nat 1:1. added help and language, improved host choosing and new template fragment for rtrules. Refs #3035

Revision 039911bf
Added by Edoardo Spadoni over 6 years ago

nat 1:1. improved gui. Refs #3035

Revision e49c21d4
Added by Giacomo Sanchietti over 6 years ago

Merge pull request #5 from edospadoni/b3035

nat 1:1. improved gui. Refs #3035

Revision d6e889ad
Added by Giacomo Sanchietti over 6 years ago

Merge branch 'b3035'. Refs #3035

History

#1 Updated by Filippo Carletti over 6 years ago

We need a template for /etc/shorewall/nat containing:

<alias_ip> red_if <internal_ip>

#2 Updated by Filippo Carletti over 6 years ago

In multi-wan setups we also need a rule to direct traffic through the correct wan.
Template is /etc/shorewall/rtrules:
<internal_ip> - <provider> 1900

#3 Updated by Davide Principi over 6 years ago

  • Category set to nethserver-firewall-base
  • Status changed from NEW to TRIAGED
  • % Done changed from 0 to 20

Probably, the panel should ask for a description for the NAT.

Description could be the same as that of the firewall object.

With a small nethserver-base adjustment we could add a nat prop to networks db records, where to store the public IP.

#4 Updated by Davide Principi over 6 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Edoardo Spadoni
  • % Done changed from 20 to 30

#5 Updated by Edoardo Spadoni over 6 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Edoardo Spadoni)
  • % Done changed from 30 to 60

Test Case 1
  • Create a new alias IP for a red interface
  • Create a new alias IP for a green interface
  • Go to the NAT 1:1 page and check if there are only red alias IPs

Test Case 2
  • Delete a red alias IP
  • Go to the NAT 1:1 page and check if the alias is not shown.

Test Case 3
  • Go to the NAT 1:1 page and create a new NAT configuration by choosing a host from the combobox.
  • Check the file /etc/shorewall/nat; it should look like this:
    ###############################################################################
    #EXTERNAL            INTERFACE            INTERNAL            ALL                LOCAL
    #
    # 20nat
    #
    alias-ip             red_interface        internal_ip
    
Test Case 4
  • Remove NAT 1:1 configuration by selecting empty element on combobox
  • Check if NAT configuration disappeared from /etc/shorewall/nat

Test Case 5
If you have configured a multi WAN, check the file /etc/shorewall/rtrules and, if you have configured a NAT 1:1, the file should look like this:

####################################################################################
#SOURCE                    DEST                    PROVIDER            PRIORITY            MASK
#
# 20providers
#
# MultiWANMode: balance mode enabled
#
# 30nat
#
internal_ip                -                       provider            1900
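
A consistency check for the two files covered by Test Cases 3 to 5, as an added example that is not part of the original issue or of nethserver-firewall-base. The function names and the duplicate-mapping check are assumptions of this example; the sample file contents are built from the values shown in comment #7.

```python
import ipaddress

def rows(text):
    """Yield whitespace-split columns of non-empty, non-comment lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def check_nat(nat_text, rtrules_text, multiwan=False):
    """Return a list of problems found in nat / rtrules file contents."""
    problems, seen_ext, seen_int, internals = [], set(), set(), []
    for cols in rows(nat_text):
        if len(cols) < 3:
            problems.append("short nat row: " + " ".join(cols))
            continue
        ext, _iface, internal = cols[:3]
        try:
            ipaddress.ip_address(ext)
            ipaddress.ip_address(internal)
        except ValueError:
            problems.append(f"not an IP address in nat row: {ext} {internal}")
            continue
        # Assumption: a 1:1 NAT uses each alias and each host only once.
        if ext in seen_ext:
            problems.append(f"external {ext} mapped more than once")
        if internal in seen_int:
            problems.append(f"internal {internal} mapped more than once")
        seen_ext.add(ext)
        seen_int.add(internal)
        internals.append(internal)
    if multiwan:
        # rtrules row format from the issue: <internal_ip> - <provider> 1900
        routed = {c[0] for c in rows(rtrules_text)
                  if len(c) >= 4 and c[1] == "-" and c[3] == "1900"}
        for internal in internals:
            if internal not in routed:
                problems.append(f"no rtrules entry (priority 1900) for {internal}")
    return problems

# Sample file contents, built from the values in comment #7 of this issue.
NAT = "#EXTERNAL  INTERFACE  INTERNAL  ALL  LOCAL\n# 20nat\n1.2.3.1  eth0  192.168.56.79\n"
RTRULES = "#SOURCE  DEST  PROVIDER  PRIORITY  MASK\n# 30nat\n192.168.56.79  -  adsl1  1900\n"

if __name__ == "__main__":
    for p in check_nat(NAT, RTRULES, multiwan=True) or ["nat and rtrules are consistent"]:
        print(p)
```

On a real system the two arguments would be the contents of /etc/shorewall/nat and /etc/shorewall/rtrules, with `multiwan=True` only when more than one provider is configured.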

#6 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

Package in nethserver-testing:
  • nethserver-firewall-base-2.3.1-1.6.gd6e889a.ns6.noarch.rpm

#7 Updated by Filippo Carletti over 6 years ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 70 to 90

[root@ns66rc1 ~]# db hosts show exchg
exchg=host
    Description=Mail
    IpAddress=192.168.56.79

shorewall/nat:
1.2.3.1     eth0         192.168.56.79
iptables nat chains:
Chain eth0_in (1 references)
target     prot opt source               destination         
DNAT       all  --  0.0.0.0/0            1.2.3.1             to:192.168.56.79 
Chain eth0_out (1 references)
target     prot opt source               destination         
SNAT       all  --  192.168.56.79        0.0.0.0/0           to:1.2.3.1 

ip rules:
192.168.56.79        -            adsl1        1900
1900:    from 192.168.56.79 lookup adsl1

I also changed role to a red interface and all NATs disappeared.

#8 Updated by Giacomo Sanchietti over 6 years ago

Released in nethserver-base:
  • nethserver-firewall-base-2.4.0-1.ns6.noarch.rpm

#9 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100
