Welcome, Guest. Please login or register.
Did you miss your activation email?
Sunday 29 December 2024, 01:03:32 am

Login with username, password and session length

Get the new Updates directly from Endian  HERE
14262 Posts in 4377 Topics by 6517 Members
Latest Member: Sandro
Search:     Advanced search
+  EFW Support
|-+  Support
| |-+  General Support
| | |-+  Loopback Nat
0 Members and 0 Guests are viewing this topic. « previous next »
Pages: [1] Go Down Print
Author Topic: Loopback Nat  (Read 20138 times)
muehle
Jr. Member
*
Offline Offline

Posts: 3


« on: Wednesday 18 January 2012, 12:10:11 pm »

Hi, I've two mail server behind the Endian2.5 firewall in the orange zone. Each mail server should be able to reach the other over the public ip.
Furthermore also the user in the green zone should be able to reach the mail server over their public ip's.
I've tried every sort of dnat and snat rules but no one worked.
Then I've tied to setup the following rule manually, but without success
iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 192.168.1.104 -p tcp --dport XX -j SNAT --to-source XX...
efwsupport.com/index.php?topic=1196.0

Hope that somebody has a solution for this problem.

Thanks a lot



Logged
mrkroket
Hero Member
*****
Offline Offline

Posts: 495


« Reply #1 on: Wednesday 18 January 2012, 12:52:38 pm »

If both have some domain name (eg  mail1.domain.com and mail2.domain.com), use edit hosts to masq their IPs to the internal ones.
Logged
muehle
Jr. Member
*
Offline Offline

Posts: 3


« Reply #2 on: Wednesday 18 January 2012, 08:59:59 pm »

The problem is that there are many domains on the server and I don't want to enter for every hosted domain manually his masq ip.
Logged
mrkroket
Hero Member
*****
Offline Offline

Posts: 495


« Reply #3 on: Thursday 19 January 2012, 05:05:00 am »

If you want to force ip rules, don't do it manually, you need to change the iptables templates to add those custom iptables rules:

Check the /etc/firewall/dnat/rules.tmpl and /etc/firewall/snat/rules.tmpl file, they're templates for DNAT and SNAT.
The processed files from the templates are saved to /etc/firewall/dnat/iptablesdnat and  /etc/firewall/snat/iptablessnat
Don't do changes on the processed files, they're always rewritten.

Once you change the template, use the command setsnat.py -d or setdnat.py -d to reload the rules and see the debug logs.
Also check that the processed files match what you need.
Logged
muehle
Jr. Member
*
Offline Offline

Posts: 3


« Reply #4 on: Thursday 19 January 2012, 06:08:50 am »

After creating the snat rule the /etc/firewall/snat/iptablessnat look like this

iptables -t nat -F SOURCENAT
iptables -t nat -A SOURCENAT -s 192.168.60.0/24 -d 192.168.60.10 -o eth1  -j SNAT --to-source redif1
iptables -t nat -A SOURCENAT -s 0/0 -d 0/0 -o eth1  -j SNAT --to-source redif0

the rule doesn't work.
Logged
mrkroket
Hero Member
*****
Offline Offline

Posts: 495


« Reply #5 on: Thursday 19 January 2012, 11:55:34 am »

Don't put your real IP's here, it isn't needed.
That's an iptables related problem, and I'm not very fond of them.

I just only point you to the iptables template files.
There you can add any custom iptable rule, without worrying about restarts.
But I cannot help you about the correct iptables rules to make this work.

 Sorry
Logged
kikilinux
Full Member
***
Offline Offline

Posts: 47


« Reply #6 on: Monday 20 January 2014, 09:06:32 pm »

Hi
It's very interesting post.
will the changes be effective on startup when we change the .tmpl files ?
will  these rules be added permanently ?
for example i want to add a dnat rule to outgoing traffic while the endian firewall does not support it, how can we perform this ?

tnx a lot
Logged
mrkroket
Hero Member
*****
Offline Offline

Posts: 495


« Reply #7 on: Tuesday 28 January 2014, 02:52:56 am »

On these templates. This is not really supported, but many config files are recreated from termplates so you need to tweak templates to get permanent changes.
Logged
Pages: [1] Go Up Print 
« previous next »
Jump to:  

Page created in 0.111 seconds with 19 queries.
Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media Design by 7dana.com