How to do routing without NAT

First, let’s make things clear!

Is the goal to be reachable from the Internet (Mail Server and Web Server) if one of the two ISPs is down?

Do you have an external Name Server, or will you use NethServer for this?

Is this the correct situation?
If yes, please check the configuration for all the NICs (and please fill in the correct config below):

NS eth0
IP:
GW:

NS eth1
IP:
GW:

NS eth2
IP:
GW:

NS eth3
IP:
GW:

Mail Server NIC1
IP:
GW:

Mail Server NIC2
IP:
GW:

WEB Server NIC1
IP:
GW:

WEB Server NIC2
IP:
GW:

2 Likes

I think the doubt of @zotinas has already been clarified; is it solved?

No, the problem is not solved.

  1. Yes, this is the goal, but the mail server and web server must access the Internet with their own IP addresses (219.156.107.2 and 219.156.107.3).
  2. Yes, my Name Server is external.
  3. eth1:
IP: 86.150.181.252
GW: 86.150.181.249

eth3:
IP: 109.196.42.186
GW: 109.196.42.185

eth2:
IP: 219.156.107.1
GW: not set. On other Linux systems and on the Zentyal gateway server (the actual GW) this is not necessary.
(I said earlier that ISP1 routes the IP range 219.156.107.0/25 on its own routers to the directly connected IP 86.150.181.252.)

eth3:
IP: 192.168.0.1 netmask 255.255.0.0
GW: not necessary.
This range uses NAT on IP 86.150.181.252, and when ISP1 is down this range is NATed on 109.196.42.186.

MAIL SERVER NIC1
IP: 219.156.107.2 netmask 255.255.255.128
GW: 219.156.107.1

MAIL SERVER NIC2
IP: 109.196.42.187
GW: 109.196.42.185

HOSTING SERVER NIC1
IP: 219.156.107.3 netmask 255.255.255.128
GW: 219.156.107.1

HOSTING SERVER NIC2
IP: 109.196.42.188
GW: 109.196.42.185

For each provider I use a different routing table.

That mean:

  • the mail server is pointing to 219.156.107.2
  • the web server is pointing to 219.156.107.3

The email server respond to 219.156.107.2 (SMTP, POP3, IMAP, Webmail).
The web server respond to 219.156.107.3 (HTTP).

Up to here, everything is OK, yes?

The only issue is when you access the Internet from the email server and from the web server: the ISP’s IP will appear, not the IP of the email and/or web server.

Am I right?

1 Like

Yes.
My servers must respond from the Internet with their own IPs (219.156.107.2 and 219.156.107.3), and when accessing the Internet from them, these IPs must be used too.
This range must totally bypass the NethServer firewall and NAT.

iptables -L -vn -tnat
Chain PREROUTING (policy ACCEPT 114 packets, 25382 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 53 packets, 3627 bytes)
pkts bytes target prot opt in out source destination
24 1811 eth1_masq all -- * eth1 0.0.0.0/0 0.0.0.0/0
2 160 eth3_masq all -- * eth3 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 41 packets, 3126 bytes)
pkts bytes target prot opt in out source destination

Chain eth1_masq (1 references)
pkts bytes target prot opt in out source destination
24 1811 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none

Chain eth3_masq (1 references)
pkts bytes target prot opt in out source destination
2 160 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
For the command iptables -L -vn -t nat, below is the output:

Chain PREROUTING (policy ACCEPT 116 packets, 25663 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 54 packets, 3743 bytes)
pkts bytes target prot opt in out source destination
24 1811 eth1_masq all -- * eth1 0.0.0.0/0 0.0.0.0/0
2 160 eth3_masq all -- * eth3 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 41 packets, 3126 bytes)
pkts bytes target prot opt in out source destination

Chain eth1_masq (1 references)
pkts bytes target prot opt in out source destination
24 1811 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none

Chain eth3_masq (1 references)
pkts bytes target prot opt in out source destination
2 160 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
As you can see in this example, NAT is done for all interfaces.

Did you already look at the docs?
http://docs.nethserver.org/en/latest/firewall.html

Particularly the NAT 1:1 section…

I think it’s the way to go, if I understand correctly.

I never tried to do this, but I think the solution is:

  • You must create two aliases for eth1: one for mail server (eth1:0 > 219.156.107.2) and one for web server (eth1:1 > 219.156.107.2)

  • You need to create some traffic rules in Gateway section:

  • Gateway -> Port Forwarding: Port forward to mail server (you already did if I understand well).

  • Gateway -> Port Forwarding: Port forward to web server (you already did if I understand well).

  • Gateway -> sNAT 1:1: NAT 1:1 for email server (eth1:0) and NAT 1:1 for web server (eth1:1).

What do you think @jgjimenezs, @Jim, @dnutan ?

Is this the only solution for my problem?
I’m disappointed.
Does anyone know how to add firewall rules outside the GUI, so that they remain after a restart?

I don’t see anything about the trusted LAN (green) or the DMZ (orange)…

Put the mail server and the web server in the DMZ, to use all the predefined internals…

Why are you disappointed?
Try to do firewall objects and rules… It’s so easy.

2 Likes

I presume that Dan knows all of this, as is evident from all his answers. :wink:

If not, I will be disappointed. :disappointed:

As seen from the output of the iptables command, eth2 does not appear in the list with MASQUERADE; this happens when it is in the DMZ (orange). If I put eth2 in the red zone, in the iptables output I have:
iptables -L -vn -t nat
Chain PREROUTING (policy ACCEPT 6 packets, 456 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 1 packets, 84 bytes)
pkts bytes target prot opt in out source destination
8 555 eth1_masq all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 eth2_masq all -- * eth2 0.0.0.0/0 0.0.0.0/0
2 160 eth3_masq all -- * eth3 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 6 packets, 508 bytes)
pkts bytes target prot opt in out source destination

Chain eth1_masq (1 references)
pkts bytes target prot opt in out source destination
8 555 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none

Chain eth2_masq (1 references)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none

Chain eth3_masq (1 references)
pkts bytes target prot opt in out source destination
2 160 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none

GREEN MODE
45 3289 smurfs all -- * * 219.156.107.0/25 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED policy match dir in pol none
75 20657 tcpflags tcp -- * * 219.156.107.0/25 0.0.0.0/0 policy match dir in pol none
114 23690 r1_frwd all -- * * 219.156.107.0/25 0.0.0.0/0 policy match dir in pol none
29 4203 smurfs all -- * * 219.156.107.0/25 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED policy match dir in pol none
0 0 tcpflags tcp -- * * 219.156.107.0/25 0.0.0.0/0 policy match dir in pol none
29 4203 r12fw all -- * * 219.156.107.0/25 0.0.0.0/0 policy match dir in pol none
16 2575 fw2r1 all -- * * 0.0.0.0/0 219.156.107.0/25 policy match dir out pol none
0 0 ivpn2r1 all -- * eth2 0.0.0.0/0 219.156.107.0/25 policy match dir out pol none
0 0 loc2r1 all -- * eth2 0.0.0.0/0 219.156.107.0/25 policy match dir out pol none
0 0 lvpn2r1 all -- * eth2 0.0.0.0/0 219.156.107.0/25 policy match dir out pol none
78 33377 net2r1 all -- * eth2 0.0.0.0/0 219.156.107.0/25 policy match dir out pol none
0 0 ovpn2r1 all -- * eth2 0.0.0.0/0 219.156.107.0/25 policy match dir out pol none

ORANGE MODE
24 1550 smurfs all -- * * 219.156.107.0/25 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED policy match dir in pol none
86 26729 tcpflags tcp -- * * 219.156.107.0/25 0.0.0.0/0 policy match dir in pol none
101 27823 r1_frwd all -- * * 219.156.107.0/25 0.0.0.0/0 policy match dir in pol none
6 695 smurfs all -- * * 219.156.107.0/25 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED policy match dir in pol none
0 0 tcpflags tcp -- * * 219.156.107.0/25 0.0.0.0/0 policy match dir in pol none
6 695 r12fw all -- * * 219.156.107.0/25 0.0.0.0/0 policy match dir in pol none
0 0 fw2r1 all -- * * 0.0.0.0/0 219.156.107.0/25 policy match dir out pol none
0 0 ivpn2r1 all -- * eth2 0.0.0.0/0 219.156.107.0/25 policy match dir out pol none
0 0 loc2r1 all -- * eth2 0.0.0.0/0 219.156.107.0/25 policy match dir out pol none
0 0 lvpn2r1 all -- * eth2 0.0.0.0/0 219.156.107.0/25 policy match dir out pol none
74 42411 net2r1 all -- * eth2 0.0.0.0/0 219.156.107.0/25 policy match dir out pol none
0 0 orang2r1 all -- * eth2 0.0.0.0/0 219.156.107.0/25 policy match dir out pol none
0 0 ovpn2r1 all -- * eth2 0.0.0.0/0 219.156.107.0/25 policy match dir out pol none

RED MODE

20 1336 smurfs all -- * * 219.156.107.0/25 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED policy match dir in pol none
51 18995 tcpflags tcp -- * * 219.156.107.0/25 0.0.0.0/0 policy match dir in pol none
65 20019 r1_frwd all -- * * 219.156.107.0/25 0.0.0.0/0 policy match dir in pol none
2 232 smurfs all -- * * 219.156.107.0/25 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED policy match dir in pol none
0 0 tcpflags tcp -- * * 219.156.107.0/25 0.0.0.0/0 policy match dir in pol none
2 232 r12fw all -- * * 219.156.107.0/25 0.0.0.0/0 policy match dir in pol none
0 0 fw2r1 all -- * * 0.0.0.0/0 219.156.107.0/25 policy match dir out pol none
0 0 ivpn2r1 all -- * eth2 0.0.0.0/0 219.156.107.0/25 policy match dir out pol none
0 0 loc2r1 all -- * eth2 0.0.0.0/0 219.156.107.0/25 policy match dir out pol none
0 0 lvpn2r1 all -- * eth2 0.0.0.0/0 219.156.107.0/25 policy match dir out pol none
42 29457 net2r1 all -- * eth2 0.0.0.0/0 219.156.107.0/25 policy match dir out pol none
0 0 ovpn2r1 all -- * eth2 0.0.0.0/0 219.156.107.0/25 policy match dir out pol none

If you know how to add, for example, these rules, please teach me:

iptables -t nat -I PREROUTING -d 1.1.1.1 -p udp --dport 137 -i eth2 -j DNAT --to 219.156.107.3:10137

Who is 1.1.1.1?

@zotinas, have you performed a test setting up NetMap?

TYPE NET1 INTERFACE NET2 NET3 PROTO DEST PORT(S) SOURCE PORT(S)

/etc/shorewall/netmap

http://shorewall.net/netmap.html

Regards.

Yes, this is an example, a test.
I am asking whether I can add this type of rule from the management interface.

Right now I can’t do testing, but keep at it, and tell us if it works as you want.

Nor have I had the opportunity to create this scenario; you can try, @zotinas.

@zotinas you want this?

Chain eth0_masq (1 references)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * * 10.0.0.0/24 0.0.0.0/0 to:198.179.110.179
0 0 SNAT all -- * * 11.0.0.0/24 0.0.0.0/0 to:198.179.110.180
0 0 SNAT tcp -- * * 192.168.60.0/24 1.1.1.1 tcp dpt:22000 /* from lan */ to:192.168.60.180

Chain eth1_masq (1 references)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * * 1.1.1.1 0.0.0.0/0 to:219.156.107.1

Chain eth2_masq (1 references)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * * 1.1.1.1 0.0.0.0/0 to:219.156.107.3

Chain loc_dnat (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 109.196.42.186 tcp dpt:2711 /* from loc */ to:1.1.1.1:22000

Chain net_dnat (2 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 109.196.42.186 tcp dpt:2711 /* from net */ to:1.1.1.1:22000

@zotinas, any comments? Have you accomplished it?

Hello,
In my first statement I said that, so I managed to make it work that way.
But I do not want that. I wish to make the servers bypass the firewall for certain cases,
e.g. my case.
Problem 2:
If I have NAT 1:1, how can I forward all protocols and ports to the internal IP in a single firewall rule?
Now for each port and protocol I have a rule.
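The two points this thread keeps circling, the "NAT is done for all interfaces" listing and Problem 2 about NAT 1:1 covering every protocol in one rule, are easier to reason about with a small model of the nat table. The following Python is an added example, not code from the thread, from NethServer or from Shorewall: it parses a trimmed copy of the posted `iptables -L -vn -t nat` listing, walks a packet through POSTROUTING or PREROUTING the way netfilter does (first matching rule wins, user chains fall through, built-in policy ACCEPT means no translation), and shows (a) the mail server's own packets being masqueraded as posted, (b) the same packets left untouched once an ACCEPT for 219.156.107.0/25 sits ahead of the masq jumps while green hosts are still masqueraded, and (c) the alternative suggested above, NAT 1:1, done as one DNAT/SNAT pair with no protocol or port match. The internal address 10.0.0.2 and the remote addresses 198.51.100.9 and 203.0.113.7 are assumptions made for the demo.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed sample: the nat table posted in the thread, trimmed to the eth1
# (ISP1) chains, with the extraction's en-dashes restored to iptables' "--".
SAMPLE = """\
Chain POSTROUTING (policy ACCEPT 1 packets, 84 bytes)
 pkts bytes target     prot opt in     out     source               destination
    8   555 eth1_masq  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain eth1_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
    8   555 MASQUERADE all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir out pol none
"""
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Rule:                      # one line of `iptables -L -vn -t nat`
    target: str
    proto: str                   # "all", "tcp", "udp", ...
    in_if: str                   # "*" = any interface
    out_if: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int | None = None
    to: str | None = None        # translation address for SNAT/DNAT

@dataclass
class Packet:
    src: str
    dst: str
    in_if: str = "*"
    out_if: str = "*"
    proto: str = "tcp"
    dport: int | None = None

def parse_listing(text: str) -> dict[str, list[Rule]]:
    """{chain: [Rule]}; columns: pkts bytes target prot opt in out src dst [extras]."""
    chains: dict[str, list[Rule]] = {}
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "pkts":
            continue
        if tok[0] == "Chain":
            current = chains[tok[1]] = []
            continue
        dport = next((int(x[4:]) for x in tok[9:] if x.startswith("dpt:")), None)
        to = next((x[3:] for x in tok[9:] if x.startswith("to:")), None)
        current.append(Rule(tok[2], tok[3], tok[5], tok[6], ipaddress.ip_network(tok[7]),
                            ipaddress.ip_network(tok[8]), dport, to))
    return chains

def matches(r: Rule, p: Packet) -> bool:
    return (r.proto in ("all", p.proto) and r.in_if in ("*", p.in_if)
            and r.out_if in ("*", p.out_if) and r.dport in (None, p.dport)
            and ipaddress.ip_address(p.src) in r.src and ipaddress.ip_address(p.dst) in r.dst)

def walk(chains, chain: str, p: Packet):
    """First terminating (target, to) in `chain`; None if the chain falls through."""
    for r in chains[chain]:
        if not matches(r, p):
            continue
        if r.target in chains:              # jump into a user-defined chain
            verdict = walk(chains, r.target, p)
            if verdict is not None:
                return verdict
            continue                         # that chain returned: keep walking
        return None if r.target == "RETURN" else (r.target, r.to)
    return None

def decide(chains, chain: str, p: Packet) -> tuple:
    return walk(chains, chain, p) or ("ACCEPT", None)   # built-in policy: no NAT

def exempt_from_masquerade(chains, network: str) -> None:
    """`iptables -t nat -I POSTROUTING 1 -s <network> -j ACCEPT`, ahead of the *_masq jumps."""
    chains["POSTROUTING"].insert(0, Rule("ACCEPT", "all", "*", "*", ipaddress.ip_network(network), ANY))

def add_one_to_one(chains, public: str, internal: str, red_if: str) -> None:
    """NAT 1:1 as one all-protocol rule pair: `-A PREROUTING -i <red> -d <public> -j DNAT
    --to-destination <internal>` and `-A POSTROUTING -o <red> -s <internal> -j SNAT --to-source <public>`."""
    chains.setdefault("PREROUTING", []).insert(0, Rule("DNAT", "all", red_if, "*", ANY, ipaddress.ip_network(public), to=internal))
    chains["POSTROUTING"].insert(0, Rule("SNAT", "all", "*", red_if, ipaddress.ip_network(internal), ANY, to=public))

def demo() -> dict[str, tuple]:
    """Scenarios from the thread; returns {name: (target, to)}."""
    out = {}
    chains = parse_listing(SAMPLE)
    mail = Packet("219.156.107.2", "198.51.100.9", out_if="eth1")   # mail server -> ISP1
    lan = Packet("192.168.0.5", "198.51.100.9", out_if="eth1")      # green host -> ISP1
    out["mail_as_posted"] = decide(chains, "POSTROUTING", mail)      # MASQUERADE
    exempt_from_masquerade(chains, "219.156.107.0/25")
    out["mail_exempted"] = decide(chains, "POSTROUTING", mail)       # ACCEPT: keeps its own IP
    out["lan_still_masq"] = decide(chains, "POSTROUTING", lan)       # MASQUERADE
    chains = parse_listing(SAMPLE)     # NAT 1:1 alternative; 10.0.0.2 is a hypothetical internal host
    add_one_to_one(chains, "219.156.107.2", "10.0.0.2", "eth1")
    out["dnat_in"] = decide(chains, "PREROUTING", Packet("203.0.113.7", "219.156.107.2", "eth1", "*", "udp", 137))
    out["snat_out"] = decide(chains, "POSTROUTING", Packet("10.0.0.2", "203.0.113.7", "*", "eth1", "icmp"))
    return out
```

Two caveats from practice. The nat table is consulted only for the first packet of a connection, so exempting the /25 from MASQUERADE changes nothing for connections conntrack already holds, and the filter table (the r1_frwd and net2r1 chains in the listings above) still has to accept the traffic. And on a Shorewall-managed box such as NethServer the nat table is regenerated from Shorewall's configuration, so a rule inserted by hand with iptables is gone after the next firewall reload; the durable place for the exemption is Shorewall's own masq definition (its SOURCE column accepts exclusions with `!`), and for the 1:1 mapping the netmap file suggested further up. How NethServer exposes those files is not covered here.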