NAT Loopback solution - but need help making permanent

[Guest]

[emediasa]

Hi,

Many people have asked how to access a website or service from within the firewall by way of a public IP outside of the firewall, known as NAT Loopback. I solved this with a SNAT rule added manually to the iptables configuration, as described here: http://efwsupport.com/index.php?topic=1196.0.

Does anyone know if this sort or SNAT POSTROUTING rule can be created via the EFW 3.2 admin interface? If not, can someone please help me understand how to make this rule "permanent"? I believe the iptables hand inserted rule will be removed on reboot or any other firewall change.

Thanks,
James

[sstillwell]

Why don't you just create a standard SNAT rule through the UI with Source of your LAN subnet, Destination of GREEN/ORANGE, Service ANY, NAT to Auto?  Works fine here in 2.3, without having to go through any gyrations at the command line.

Scott

[emediasa]

The destination is on the RED interface - the public IP address of the service. I can't seem to get the GUI to accept such a rule. Anyone else?

[snorkelbuckle]

Your solution worked great for me as well!

BTW, I have a DMZ (Orange) with the same problem and wondering if this same rule would work as well by subsituting the DMZ network and DMZ Ip of the firewall in the appropriate places in the rule, or would there be some conflict with the two rules or is there a different chain it needs to be added to?

[snorkelbuckle]

Why don't you just create a standard SNAT rule through the UI with Source of your LAN subnet, Destination of GREEN/ORANGE, Service ANY, NAT to Auto?  Works fine here in 2.3, without having to go through any gyrations at the command line.

Scott

Doesn't seem to work through the UI.

Can you show step by step how to do this through the UI and confirm it works?  I'm also concerned that others on the forum say it "works for me" and assume that those with the problem are doing something wrong.  There is a real bug here (more than a few are experiencing the same problem) unless somebody can show how it can be done via the UI.

I'm no noob when it comes to firewalls, I work with a few in my time: pix, netscreen, efw 2.2 (works great by the way).  So I'm not sure why this is such a problem in efw 2.3

[danodemano]

Why don't you just create a standard SNAT rule through the UI with Source of your LAN subnet, Destination of GREEN/ORANGE, Service ANY, NAT to Auto?  Works fine here in 2.3, without having to go through any gyrations at the command line.

Scott

Doesn't seem to work through the UI.

Can you show step by step how to do this through the UI and confirm it works?  I'm also concerned that others on the forum say it "works for me" and ume that those with the problem are doing something wrong.  There is a real bug here (more than a few are experiencing the same problem) unless somebody can show how it can be done via the UI.

I'm no noob when it comes to firewalls, I work with a few in my time: pix, netscreen, efw 2.2 (works great by the way).  So I'm not sure why this is such a problem in efw 2.3

I have gotten this to work just fine using the GUI to configure it.  Here is my config:



I don't know that the second was needed but it works just fine now and I don't have any trouble with it.  Hope that helps!

[Vinbob]

Danodemano,

First and foremost - thanks for the solution below. I was going crazy trying to make this work with creating various rules and the solution ended up being the Source NAT rule you kindly provided below. I don't believe you need the second outgoing rule as I don't have a similar rule in my configuration and I can access just fine.

What I would like to ask, is what is the Source NAT rule doing exactly? Are you just saying allow any device on the 192.168.9.0 internal network talk to anything on the Green network? Is the 192.168.9.0 the GREEN network itself?

Appreciate any extended info on this as I would like to know how this works given the effort and amount of hair pulled!!! 

Cheers,
Vin.

[danodemano]

Danodemano,

First and foremost - thanks for the solution below. I was going crazy trying to make this work with creating various rules and the solution ended up being the Source NAT rule you kindly provided below. I don't believe you need the second outgoing rule as I don't have a similar rule in my configuration and I can access just fine.

What I would like to ask, is what is the Source NAT rule doing exactly? Are you just saying allow any device on the 192.168.9.0 internal network talk to anything on the Green network? Is the 192.168.9.0 the GREEN network itself?

Appreciate any extended info on this as I would like to know how this works given the effort and amount of hair pulled!!! 

Cheers,
Vin.

To be totally honest, I don't have a crystal clear understanding myself.  I was told a number of times to use the SNAT rules to make it work but nobody ever provided a sample.  This was what I came up with after hours of testing.  But yes, I believe that is basically what I am doing.  Telling Endian to allow anything from the internal network (GREEN 192.168.9.0/24) to talk out through the firewall and NAT then back through to the internal network (GREEN 192.168.9.0/24).

Someone can probably explain that better than I can, I'm not a firewall expert by any means.

[ehermouet]

Hi all,

i have the same problem with the last version of endian 2.4

it's not the same interface and now i don't know how to do.

tks advance for help

[ehermouet]

wowo 2h

tks to another post

iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 192.168.1.104 -p tcp --dport XX -j SNAT --to-source XX...

where:
 - 192.168.1.0/24 is my private NAT network
 - 192.168.1.104 is the "destination" address of the original DNAT server rule (eg: the Real Server internal IP)
 - --dport XX = the service you want to loopback
 - XX... is the public IP you are using to access the service (ie: where replies should come from)