EFW Support

Support => General Support => Topic started by: muehle on Wednesday 18 January 2012, 12:10:11 pm



Title: Loopback Nat
Post by: muehle on Wednesday 18 January 2012, 12:10:11 pm
Hi, I've two mail servers behind the Endian 2.5 firewall in the orange zone. Each mail server should be able to reach the other over the public IP.
Furthermore, the users in the green zone should also be able to reach the mail servers over their public IPs.
I've tried every sort of DNAT and SNAT rule, but none of them worked.
Then I tried to set up the following rule manually, but without success:
iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 192.168.1.104 -p tcp --dport XX -j SNAT --to-source XX...
efwsupport.com/index.php?topic=1196.0

Hope that somebody has a solution for this problem.

Thanks a lot





Title: Re: Loopback Nat
Post by: mrkroket on Wednesday 18 January 2012, 12:52:38 pm
If both have a domain name (e.g. mail1.domain.com and mail2.domain.com), use edit hosts to masq their IPs to the internal ones.


Title: Re: Loopback Nat
Post by: muehle on Wednesday 18 January 2012, 08:59:59 pm
The problem is that there are many domains on the server, and I don't want to enter the masq IP manually for every hosted domain.


Title: Re: Loopback Nat
Post by: mrkroket on Thursday 19 January 2012, 05:05:00 am
If you want to force IP rules, don't do it manually; you need to change the iptables templates to add those custom iptables rules:

Check the /etc/firewall/dnat/rules.tmpl and /etc/firewall/snat/rules.tmpl files; they're the templates for DNAT and SNAT.
The files processed from the templates are saved to /etc/firewall/dnat/iptablesdnat and /etc/firewall/snat/iptablessnat.
Don't make changes to the processed files; they're always rewritten.

Once you change the template, use the command setsnat.py -d or setdnat.py -d to reload the rules and see the debug logs.
Also check that the processed files match what you need.


Title: Re: Loopback Nat
Post by: muehle on Thursday 19 January 2012, 06:08:50 am
After creating the SNAT rule, /etc/firewall/snat/iptablessnat looks like this:

iptables -t nat -F SOURCENAT
iptables -t nat -A SOURCENAT -s 192.168.60.0/24 -d 192.168.60.10 -o eth1  -j SNAT --to-source redif1
iptables -t nat -A SOURCENAT -s 0/0 -d 0/0 -o eth1  -j SNAT --to-source redif0

The rule doesn't work.

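As an added example (this is not code from the thread, from muehle, or from Endian), here is the DNAT/SNAT rule pair that "loopback" (hairpin) NAT needs when a client sits behind the same firewall as the server it addresses by its public IP. It is plain POSIX sh; every address, port and interface name in it is a made-up placeholder, and it uses the generic PREROUTING/POSTROUTING chains rather than the SOURCENAT chain the Endian-generated file above shows. It prints the rules by default and only applies them when run as root with IPT=iptables.

```shell
#!/bin/sh
# Added example, not code from the thread or from Endian. Emits the iptables
# rule pair that makes hairpin (loopback) NAT work for clients behind the same
# firewall as the server. All addresses, ports and interface names are made up.
#
# Dry run by default: IPT="echo iptables" prints the rules. Run as root with
# IPT=iptables to apply them (on Endian the thread says such rules belong in
# the templates so they survive a rule reload).
IPT="${IPT:-echo iptables}"

# hairpin_nat PUBLIC_IP INTERNAL_IP PORT CLIENT_NET SERVER_IF FW_IF_IP
#
# Rule 1 (DNAT, PREROUTING): a connection from CLIENT_NET to PUBLIC_IP:PORT is
#   redirected to INTERNAL_IP, like the normal port forward for Internet
#   clients, but matched on the internal source range.
# Rule 2 (SNAT, POSTROUTING): the redirected packet leaves on SERVER_IF, the
#   interface facing the server, so it is matched with "-o SERVER_IF" (a rule
#   matching "-o" on the red/WAN interface never sees hairpin traffic). Its
#   source is rewritten to the firewall's own address on that interface so the
#   server's replies return through the firewall, where the DNAT is undone.
#   Without it the server answers the client directly from INTERNAL_IP, the
#   client expects a reply from PUBLIC_IP, and the connection hangs.
hairpin_nat() {
  public_ip=$1 internal_ip=$2 port=$3 client_net=$4 server_if=$5 fw_if_ip=$6
  $IPT -t nat -A PREROUTING -s "$client_net" -d "$public_ip" -p tcp --dport "$port" \
       -j DNAT --to-destination "$internal_ip"
  $IPT -t nat -A POSTROUTING -s "$client_net" -d "$internal_ip" -o "$server_if" -p tcp --dport "$port" \
       -j SNAT --to-source "$fw_if_ip"
}

# Constructed list: two DMZ mail servers (public 203.0.113.10/.11, internal
# 192.168.60.10/.11) that must reach each other via their public IPs, plus a
# LAN (192.168.0.0/24) that must reach both. Each server therefore gets one
# rule pair for the DMZ network and one for the LAN network. br1 is the
# hypothetical DMZ-facing interface and 192.168.60.1 the firewall's address on it.
SERVERS='203.0.113.10 192.168.60.10 25 192.168.60.0/24 br1 192.168.60.1
203.0.113.10 192.168.60.10 25 192.168.0.0/24 br1 192.168.60.1
203.0.113.11 192.168.60.11 25 192.168.60.0/24 br1 192.168.60.1
203.0.113.11 192.168.60.11 25 192.168.0.0/24 br1 192.168.60.1'

# hairpin_nat_all: one DNAT/SNAT pair per line of SERVERS.
hairpin_nat_all() {
  printf '%s\n' "$SERVERS" | while read -r pub int port net ifc fwip; do
    hairpin_nat "$pub" "$int" "$port" "$net" "$ifc" "$fwip"
  done
}

hairpin_nat_all
```

The filter table still has to permit the traffic: the FORWARD path from the client zone to the server zone must be open for the port in question, which on Endian is the ordinary zone-to-zone firewall configuration rather than anything in the NAT templates. Using MASQUERADE instead of an explicit SNAT source would avoid hard-coding the firewall's interface address, at the cost of a per-packet address lookup.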

Title: Re: Loopback Nat
Post by: mrkroket on Thursday 19 January 2012, 11:55:34 am
Don't put your real IPs here; it isn't needed.
That's an iptables-related problem, and I'm not very fond of them.

I can only point you to the iptables template files.
There you can add any custom iptables rule without worrying about restarts.
But I can't help you with the correct iptables rules to make this work.

Sorry


Title: Re: Loopback Nat
Post by: kikilinux on Monday 20 January 2014, 09:06:32 pm
Hi,
This is a very interesting post.
Will the changes be effective on startup when we change the .tmpl files?
Will these rules be added permanently?
For example, I want to add a DNAT rule to outgoing traffic, which the Endian firewall does not support; how can we do this?

Thanks a lot


Title: Re: Loopback Nat
Post by: mrkroket on Tuesday 28 January 2014, 02:52:56 am
In these templates. This is not really supported, but many config files are recreated from templates, so you need to tweak the templates to get permanent changes.