Author Topic: NAT Loopback solution - but need help making permanent  (Read 38365 times)
emediasa
« on: Friday 25 December 2009, 04:40:34 am »

Hi,

Many people have asked how to access a website or service from within the firewall by way of a public IP outside of the firewall, known as NAT Loopback. I solved this with a SNAT rule added manually to the iptables configuration, as described here: http://efwsupport.com/index.php?topic=1196.0.

Does anyone know if this sort of SNAT POSTROUTING rule can be created via the EFW 3.2 admin interface? If not, can someone please help me understand how to make this rule "permanent"? I believe the hand-inserted iptables rule will be removed on reboot or any other firewall change.

Thanks,
James
sstillwell
« Reply #1 on: Saturday 26 December 2009, 06:09:19 am »

Why don't you just create a standard SNAT rule through the UI with Source of your LAN subnet, Destination of GREEN/ORANGE, Service ANY, NAT to Auto?  Works fine here in 2.3, without having to go through any gyrations at the command line.

Scott
emediasa
« Reply #2 on: Thursday 31 December 2009, 01:48:03 pm »

The destination is on the RED interface - the public IP address of the service. I can't seem to get the GUI to accept such a rule. Anyone else?
snorkelbuckle
« Reply #3 on: Wednesday 06 January 2010, 06:24:51 am »

Your solution worked great for me as well!

BTW, I have a DMZ (Orange) with the same problem and am wondering if this same rule would work as well by substituting the DMZ network and the DMZ IP of the firewall in the appropriate places in the rule, or would there be some conflict with the two rules, or is there a different chain it needs to be added to?

snorkelbuckle
« Reply #4 on: Wednesday 06 January 2010, 06:29:45 am »

Why don't you just create a standard SNAT rule through the UI with Source of your LAN subnet, Destination of GREEN/ORANGE, Service ANY, NAT to Auto?  Works fine here in 2.3, without having to go through any gyrations at the command line.

Scott

Doesn't seem to work through the UI.

Can you show step by step how to do this through the UI and confirm it works?  I'm also concerned that others on the forum say it "works for me" and assume that those with the problem are doing something wrong.  There is a real bug here (more than a few are experiencing the same problem) unless somebody can show how it can be done via the UI.

I'm no noob when it comes to firewalls, I work with a few in my time: pix, netscreen, efw 2.2 (works great by the way).  So I'm not sure why this is such a problem in efw 2.3.

danodemano
« Reply #5 on: Friday 08 January 2010, 05:59:31 am »

Why don't you just create a standard SNAT rule through the UI with Source of your LAN subnet, Destination of GREEN/ORANGE, Service ANY, NAT to Auto?  Works fine here in 2.3, without having to go through any gyrations at the command line.

Scott

Doesn't seem to work through the UI.

Can you show step by step how to do this through the UI and confirm it works?  I'm also concerned that others on the forum say it "works for me" and assume that those with the problem are doing something wrong.  There is a real bug here (more than a few are experiencing the same problem) unless somebody can show how it can be done via the UI.

I'm no noob when it comes to firewalls, I work with a few in my time: pix, netscreen, efw 2.2 (works great by the way).  So I'm not sure why this is such a problem in efw 2.3.

I have gotten this to work just fine using the GUI to configure it.  Here is my config:

I don't know that the second was needed but it works just fine now and I don't have any trouble with it.  Hope that helps!
Vinbob
« Reply #6 on: Wednesday 13 January 2010, 02:09:20 pm »

Danodemano,

First and foremost - thanks for the solution below. I was going crazy trying to make this work with creating various rules and the solution ended up being the Source NAT rule you kindly provided below. I don't believe you need the second outgoing rule as I don't have a similar rule in my configuration and I can access just fine.

What I would like to ask, is what is the Source NAT rule doing exactly? Are you just saying allow any device on the 192.168.9.0 internal network talk to anything on the Green network? Is the 192.168.9.0 the GREEN network itself?

Appreciate any extended info on this as I would like to know how this works given the effort and amount of hair pulled!!!

Cheers,
Vin.
danodemano
« Reply #7 on: Wednesday 13 January 2010, 11:33:46 pm »

Danodemano,

First and foremost - thanks for the solution below. I was going crazy trying to make this work with creating various rules and the solution ended up being the Source NAT rule you kindly provided below. I don't believe you need the second outgoing rule as I don't have a similar rule in my configuration and I can access just fine.

What I would like to ask, is what is the Source NAT rule doing exactly? Are you just saying allow any device on the 192.168.9.0 internal network talk to anything on the Green network? Is the 192.168.9.0 the GREEN network itself?

Appreciate any extended info on this as I would like to know how this works given the effort and amount of hair pulled!!!

Cheers,
Vin.

To be totally honest, I don't have a crystal clear understanding myself.  I was told a number of times to use the SNAT rules to make it work but nobody ever provided a sample.  This was what I came up with after hours of testing.  But yes, I believe that is basically what I am doing.  Telling Endian to allow anything from the internal network (GREEN 192.168.9.0/24) to talk out through the firewall and NAT then back through to the internal network (GREEN 192.168.9.0/24).

Someone can probably explain that better than I can, I'm not a firewall expert by any means.
ehermouet
« Reply #8 on: Thursday 29 July 2010, 07:27:51 pm »

Hi all,

I have the same problem with the latest version of Endian, 2.4.

It's not the same interface, and now I don't know how to do it.

Thanks in advance for any help.
ehermouet
« Reply #9 on: Thursday 29 July 2010, 07:59:35 pm »

Wow, 2h.

Thanks to another post:

iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 192.168.1.104 -p tcp --dport XX -j SNAT --to-source XX...

where:
 - 192.168.1.0/24 is my private NAT network
 - 192.168.1.104 is the "destination" address of the original DNAT server rule (eg: the Real Server internal IP)
 - --dport XX = the service you want to loopback
 - XX... is the public IP you are using to access the service (ie: where replies should come from)
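As an added example (not from any poster in this thread, and not Endian's own code), the shell script below turns the parameters listed in the reply above into the two nat-table rules a NAT loopback needs and applies them without duplicating them, so it can be run again from whatever boot or post-reload hook a given EFW version offers (the thread does not settle which file that is, so no path is assumed). The PREROUTING half is normally already provided by the port-forward rule configured in the GUI; the script installs both halves so that it works on its own. All addresses used in the usage line are constructed sample values (203.0.113.10 is from the documentation range), and the `-C` check before `-I` is what keeps repeated runs idempotent.

```shell
#!/bin/sh
# Added example: build and idempotently apply the two nat-table rules that
# make NAT loopback (hairpin NAT) work for one published TCP service.
# Parameters: LAN network (CIDR), real server IP, service port, public IP.

# Return 0 if $1 is a dotted-quad IPv4 address, optionally with a /prefix.
valid_ipv4() {
    _addr=${1%/*}
    case "$1" in
        */*) _pfx=${1#*/}
             case "$_pfx" in ''|*[!0-9]*) return 1 ;; esac
             [ "$_pfx" -le 32 ] || return 1 ;;
    esac
    _old_ifs=$IFS; IFS=.
    # shellcheck disable=SC2086
    set -- $_addr
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _oct in "$@"; do
        case "$_oct" in ''|*[!0-9]*) return 1 ;; esac
        [ "$_oct" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 is a TCP port number between 1 and 65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the two rule specifications, one per line, as "<chain> <match/target>".
# Rule 1 (PREROUTING): a LAN client connecting to PUBLIC:PORT is redirected
# to the real server, exactly as an outside client would be.
# Rule 2 (POSTROUTING): that redirected connection is source-NATed so the
# server replies to the firewall, which then reverses both translations.
# Without rule 2 the server answers the LAN client directly, the client sees
# a reply from an address it never connected to, and the handshake fails.
hairpin_rules() {
    _lan=$1; _server=$2; _port=$3; _public=$4
    printf 'PREROUTING -s %s -d %s -p tcp --dport %s -j DNAT --to-destination %s\n' \
        "$_lan" "$_public" "$_port" "$_server"
    printf 'POSTROUTING -s %s -d %s -p tcp --dport %s -j SNAT --to-source %s\n' \
        "$_lan" "$_server" "$_port" "$_public"
}

# Validate the parameters, then install each rule only if "-C" says it is
# not already present, so re-running after every firewall reload is safe.
# IPTABLES may be overridden (e.g. IPTABLES=echo) for a dry run.
apply_hairpin() {
    if ! { valid_ipv4 "$1" && valid_ipv4 "$2" && valid_port "$3" && valid_ipv4 "$4"; }; then
        echo "usage: apply_hairpin LAN/CIDR SERVER_IP PORT PUBLIC_IP" >&2
        return 2
    fi
    hairpin_rules "$1" "$2" "$3" "$4" | while read -r _spec; do
        # shellcheck disable=SC2086
        if ${IPTABLES:-iptables} -t nat -C $_spec 2>/dev/null; then
            echo "present: $_spec"
        else
            # shellcheck disable=SC2086
            ${IPTABLES:-iptables} -t nat -I $_spec
        fi
    done
}

# Usage (constructed sample values):
#   sh hairpin.sh 192.168.1.0/24 192.168.1.104 80 203.0.113.10
if [ $# -eq 4 ]; then
    apply_hairpin "$@"
fi
```

Running the script with `IPTABLES=echo` prints the exact `iptables` invocations without touching the running ruleset, which is a useful way to review the rules before adding them to a boot hook.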