Enhancement #3192

Modify NAT 1:1 behavior (only source NAT)

Added by Davide Marini about 6 years ago. Updated about 6 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: nethserver-firewall-base
Target version: v6.6
Resolution:
NEEDINFO: No

Description

The current implementation of NAT 1:1 performs a full NAT 1:1 (in/out), but for 99% of needs only a source NAT would be the best option, because NethServer acts as a firewall, not just a router, so all the servers should be behind the firewall and all the VPNs should be done with NethServer, avoiding the need for a DNAT for the incoming packets.

  • natting of the incoming traffic is usually not needed; port forwarding is enough for the majority of the applications
  • one of the most common cases is to nat a mail server to force it to send email with an alias IP: a source NAT is enough to do this
    for receiving the email a port forward is enough, and if somebody wants to scan the incoming emails with NethServer it's still possible to configure the email section (that would not be possible with full NAT 1:1)

Associated revisions

Revision 9f669117
Added by Giacomo Sanchietti about 6 years ago

Implement NAT 1:1 with source NAT. Refs #3192

Revision 0713cf96
Added by Giacomo Sanchietti about 6 years ago

Language: add missing labels, change title. Refs #3192

Revision c1d1c0ea
Added by Giacomo Sanchietti about 6 years ago

Translations: add missing resources. Refs #3192

History

#1 Updated by Davide Marini about 6 years ago

I suggest modifying the NAT 1:1 behaviour so that it works with shorewall's masq module (and not nat):

[root@nethserver ~]# cat /etc/e-smith/templates-custom/etc/shorewall/masq/15snat
#
# 20nat
#
{
    # import db modules
    use esmith::NetworksDB;
    use esmith::HostsDB;
    use NethServer::Firewall;

    # open db
    my $ndb = esmith::NetworksDB->open_ro();
    my $hdb = esmith::HostsDB->open_ro();
    my $fw = new NethServer::Firewall();

    # alias records found on red interfaces
    my @red_aliases;

    # get aliases of red interfaces
    foreach my $j ($ndb->red) {
        my $red_inter = $j->key;
        foreach my $k ($ndb->aliases) {
            # alias keys look like "eth1:0", "eth1:1", ...
            if ($k->key =~ /^\Q$red_inter\E:\d/) {
                push @red_aliases, $k;
            }
        }
    }

    # get info from db
    foreach my $i (@red_aliases) {
        # get alias interface name
        my $alias_interface = $i->key;

        # get interface name (part before the colon)
        my @interface_parts = split /:/, $alias_interface;
        my $interface = $interface_parts[0];

        # get alias interface ip
        my $alias_interface_ip = $i->prop('ipaddr');

        # get firewall object associated with the alias
        my $fw_obj = $i->prop('FwObjectNat');

        # if a nat object exists, add the SNAT line
        if (defined $fw_obj && $fw_obj ne "") {
            # resolve the firewall object to the internal address
            my $internal_ip = $fw->getAddress($fw_obj);

            # print config line: INTERFACE  SOURCE  ADDRESS
            $OUT .= "$interface\t$internal_ip\t$alias_interface_ip\n";
        }
    }
}

#2 Updated by Giacomo Sanchietti about 6 years ago

  • Target version set to ~FUTURE

#3 Updated by Giacomo Sanchietti about 6 years ago

  • Category set to nethserver-firewall-base
  • Status changed from NEW to TRIAGED
  • Target version changed from ~FUTURE to v6.6
  • % Done changed from 0 to 20

Also create an empty fragment for: /etc/e-smith/templates/etc/shorewall/nat/20nat.

#4 Updated by Giacomo Sanchietti about 6 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#5 Updated by Giacomo Sanchietti about 6 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

#6 Updated by Giacomo Sanchietti about 6 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70

Package in nethserver-testing:

Test case
  • Install the old RPM
  • Configure a NAT 1:1
  • Install the new RPM
  • Check /etc/shorewall/nat contains only comments
  • Check /etc/shorewall/masq contains the NAT configuration. The line should be something like this:
    eth1    192.168.1.22    9.8.7.6
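The point of the description (full NAT 1:1 in the shorewall nat file replaced by a source-only mapping in the masq file) and the check in the test case above, as an added example that is not code from the NethServer project or from anyone on this thread. It parses the two Shorewall files and verifies that no 1:1 entry for the alias IP remains in nat while masq maps the internal host to the alias; the sample file contents are constructed from the column layouts shown later in this thread, and the function and class names are my own.

```python
"""Verify that a NAT 1:1 mapping is expressed as source NAT only.

Added example (not NethServer project code): parses Shorewall 'nat'
and 'masq' files and checks the outcome the test case describes.
"""
from dataclasses import dataclass
from typing import List

# Constructed samples. OLD_NAT is a full NAT 1:1 entry in
# /etc/shorewall/nat (EXTERNAL INTERFACE INTERNAL ALL LOCAL);
# NEW_NAT and NEW_MASQ mirror the files after the change.
OLD_NAT = """\
#EXTERNAL       INTERFACE       INTERNAL        ALL             LOCAL
1.2.3.4         eth1            192.168.100.10  no              no
"""
NEW_NAT = """\
#EXTERNAL       INTERFACE       INTERNAL        ALL             LOCAL
# Content removed. See: http://dev.nethserver.org/issues/3192
"""
NEW_MASQ = """\
#INTERFACE:DEST         SOURCE          ADDRESS         PROTO   PORT(S)
#
# 20nat
#
eth1    192.168.100.10   1.2.3.4
"""


@dataclass(frozen=True)
class NatEntry:
    external: str    # public (alias) IP
    interface: str   # red interface
    internal: str    # LAN host receiving the DNAT


@dataclass(frozen=True)
class MasqEntry:
    interface: str   # INTERFACE part of INTERFACE[:DEST]
    source: str      # SOURCE: LAN host or subnet being masqueraded
    address: str     # ADDRESS: the alias IP to masquerade as


def _active_lines(text: str):
    """Yield non-empty lines with '#' comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def parse_nat(text: str) -> List[NatEntry]:
    """Parse active entries of a Shorewall nat file."""
    entries = []
    for line in _active_lines(text):
        cols = line.split()
        if len(cols) < 3:
            raise ValueError(f"malformed nat line: {line!r}")
        entries.append(NatEntry(cols[0], cols[1], cols[2]))
    return entries


def parse_masq(text: str) -> List[MasqEntry]:
    """Parse active entries of a Shorewall masq file."""
    entries = []
    for line in _active_lines(text):
        cols = line.split()
        if len(cols) < 3:
            raise ValueError(f"malformed masq line: {line!r}")
        interface = cols[0].split(":", 1)[0]   # drop optional :DEST
        entries.append(MasqEntry(interface, cols[1], cols[2]))
    return entries


def snat_line(interface: str, internal_ip: str, alias_ip: str) -> str:
    """Build the masq line for one alias, in the template's format."""
    return f"{interface}\t{internal_ip}\t{alias_ip}"


def is_source_nat_only(nat_text: str, masq_text: str,
                       internal_ip: str, alias_ip: str) -> bool:
    """True when no 1:1 entry for alias_ip is left in nat and masq
    maps internal_ip to alias_ip (source NAT only)."""
    leftover = [e for e in parse_nat(nat_text) if e.external == alias_ip]
    snat = [e for e in parse_masq(masq_text)
            if e.source == internal_ip and e.address == alias_ip]
    return not leftover and bool(snat)


if __name__ == "__main__":
    print("before:", is_source_nat_only(OLD_NAT, NEW_MASQ,
                                        "192.168.100.10", "1.2.3.4"))
    print("after: ", is_source_nat_only(NEW_NAT, NEW_MASQ,
                                        "192.168.100.10", "1.2.3.4"))
```

Running it against real files means reading /etc/shorewall/nat and /etc/shorewall/masq instead of the constructed strings; the check fails either if the old full 1:1 entry survived the update or if the masq line for the alias is missing, which are the two things the test case asks to inspect by hand.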

#7 Updated by dz0 0te about 6 years ago

what is the package to be tested? I guess nethserver-firewall-base-2.6.3-1.4.gae44624.ns6.noarch.rpm but just to be sure...

#8 Updated by Filippo Carletti about 6 years ago

dz0 0te wrote:

what is the package to be tested? I guess nethserver-firewall-base-2.6.3-1.4.gae44624.ns6.noarch.rpm but just to be sure...

Yes.
nethserver-firewall-base-2.6.3-1.4.gae44624.ns6.noarch

#9 Updated by dz0 0te about 6 years ago

  • Assignee set to dz0 0te

#10 Updated by dz0 0te about 6 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (dz0 0te)
  • % Done changed from 70 to 90

System and Package Version installed
VM KVM - Clean install of Nethserver 6.6 fully updated
Package Installed: nethserver-firewall-base-2.6.3-1.ns6.noarch
Other Package installed: Basic firewall

Test Original Problem
Enhancement
Before the update configured a NAT 1:1

Install Updated Package

yum --enablerepo=nethserver-testing update nethserver-firewall-base-2.6.3-1.4.gae44624.ns6

Test Results after update
cat /etc/shorewall/nat

###############################################################################
#EXTERNAL       INTERFACE       INTERNAL        ALL             LOCAL
# Content removed. See: http://dev.nethserver.org/issues/3192

cat /etc/shorewall/masq

######################################################################################################
#INTERFACE:DEST         SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK    USER/   SWITCH
#                                                                                       GROUP
#
# 20nat
#
eth1    192.168.100.10   1.2.3.4

Note
...

#11 Updated by Giacomo Sanchietti about 6 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

Released in nethserver-updates:
  • nethserver-firewall-base-2.6.4-1.ns6.noarch.rpm
