Koozali.org: home of the SME Server

Giving a public IP to a PC on my private network

msilkjr

Giving a public IP to a PC on my private network
« on: December 27, 2004, 04:44:43 AM »
My ISP has given me 3 static IPs. How do I give a PC on my network 1 of those addresses?

Example :  65.65.45.45 = outside
           192.168.1.1 = server
           192.168.1.100-200 = my network
           65.65.45.46 = pc on my network (how do i give this address?)

Boris

Giving a public IP to a PC on my private network
« Reply #1 on: December 27, 2004, 06:42:37 AM »
Not with SME (or small residential routers). You need a bit more advanced firewall that can do noNAT routing while still firewalling traffic. For a small setup (up to 5 computers and 4 incoming connections) you could try gnatbox lite from http://www.gta.com/products/gblight/
...

frederikbay

Giving a public IP to a PC on my private network
« Reply #2 on: December 27, 2004, 03:50:40 PM »
I have it working on one of our servers; here is a little how-to:

Use this link http://tech-geeks.org/contrib/mdrone/1-to-1/



Login to Server using Putty

in root dir use mkdir nat

cd nat

wget http://tech-geeks.org/contrib/mdrone/1-to-1/1-to-1-iptables.tar.gz

follow the readme until you get to 3c.

3d. pico /opt/1_to_1/makefrag.pl

after line 43 - print BEGIN ("    /sbin/iptables -t nat --append CustomNATout -s $data[1] -j SNAT --to $data[0] \n");

insert this line

print BEGIN ("\n    /sbin/iptables -A FORWARD  -j ACCEPT\n");

then CTRL-X and save on exit

continue following the readme and you are all set



--------------------------------------------------------------------------------


If you want to restrict the traffic instead of having all ports open you can add lines like this in the file:

/etc/e-smith/templates-custom/etc/rc.d/init.d/masq/34CustomNAT

pico /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/34CustomNAT

instead of lines

# Apply all rules for incoming packets to be NATted
    /sbin/iptables -t nat --append CustomNATin -d xx.xx.xx.xx -p all -j DNAT --to 10.0.0.1

You add these lines, depending on the ports you want to open, delete or add more lines. (remember to insert your external ip instead of the x'es and substitute 10.0.0.1 with the server address you want to nat to):

# Apply specific rules for incoming packets to be NATted
# Webservices port 80
    /sbin/iptables -t nat --append CustomNATin -d xx.xx.xx.xx -p tcp --dport 80 -j DNAT --to 10.0.0.1:80
# FTP Service port 21
    /sbin/iptables -t nat --append CustomNATin -d xx.xx.xx.xx -p tcp --dport 21 -j DNAT --to 10.0.0.1:21
# MySQL port 3306
    /sbin/iptables -t nat --append CustomNATin -d xx.xx.xx.xx -p tcp --dport 3306 -j DNAT --to 10.0.0.1:3306

Hope it helps you  :-)

Frederik

taufik

Why
« Reply #3 on: May 27, 2005, 02:54:37 PM »
Why don't I have this file in my E-smith:
/etc/e-smith/templates-custom/etc/rc.d/init.d/masq/34CustomNAT

Boris

Giving a public IP to a PC on my private network
« Reply #4 on: May 27, 2005, 07:27:11 PM »
Because you didn't install NAT 1-to-1 contrib?
...

raem

Giving a public IP to a PC on my private network
« Reply #5 on: May 28, 2005, 02:52:07 AM »
frederikbay

> I have it working on one of our servers here is a little how to:

Could you provide a little practical guidance please?

Using the steps in this howto, does this mean that I can connect a second SME server in server & gateway mode on my existing LAN, and that that server will have all server & gateway functionality independently of my main server & gateway box?

Looking at
http://tech-geeks.org/contrib/mdrone/1-to-1/readme.txt
it says
This particular setup forwards ALL traffic from an external IP address to an IP address on an internal machine. Be sure that you implement appropriate security on the internal machine.

This updated package will help you configure your SME v5.6 or v6.0 Server to perform 1:1 NAT.  You should use this utility if you have a need to provide an additional external IP address or multiple external IP addresses to your SME Server and have requests to those external IP addresses directed to specific internal addresses of computers on your internal network.
...

taufik

can access the Internet
« Reply #6 on: May 28, 2005, 05:04:29 AM »
Thanks Boris, now I have that file.
In /opt/1_to_1/config.txt I write:

new external ip, new internal ip, allow
202.53.254.139, 192.168.217.139, 0/0

Why my internal IP address 192.168.217.139 now can access the Internet after I restart the server?
Before it can.

Thanks.

frederikbay

Giving a public IP to a PC on my private network
« Reply #7 on: May 31, 2005, 04:33:18 PM »
Hi Ray

In short, to answer your question: yes, you should be able to set it up so you have a separate SME server in server gateway mode. I have not tried this; in my setup I had to forward traffic to a Windows machine.

There is a more complete howto here:

http://no.longer.valid/phpwiki/index.php/How%20to%20have%202%20public%20ip%27s%20on%20external%20NIC%20and%20route%20it%20to%20a%20piece%20of%20hardware%20on%20your%20local%20network

and another thread on the subject here:

http://forums.contribs.org/index.php?topic=22414.msg109655#msg109655

Would maybe be nice to have a server-manager panel for this, but I'm not that far in my understanding of SME  :cry:

Frederik

wallyrp

Giving a public IP to a PC on my private network
« Reply #8 on: September 27, 2005, 04:39:16 AM »
Good Evening,

I've followed this how-to without success. I'm trying to get a remote desktop connection working on my network through an SME box. My friend has a SonicWall network appliance and was able to do a 1-1 NAT very easily and it is working just fine. After following the how-to, I was unable to ping the address I created, nor was I able to see an eth1:0 in ifconfig. I typed the following commands to be able to create eth1:0 with the full understanding that when I reboot the box, it will be gone.

ifconfig eth1:0 xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx broadcast xxx.xxx.xxx.xxx

route add -host xxx.xxx.xxx.xxx dev eth1:0

I'm kind of starting to get desperate here. I need to open up RDP to a specific internal box to get something approved by the state dept of education. Any ideas folks?

Franco

Giving a public IP to a PC on my private network
« Reply #9 on: September 27, 2005, 06:53:37 AM »
On your /etc/rc.d/rc.local
add a command to fit your IP (gateway has to be same already configured):

#load second IP
ip address add XXX.XXX.XXX.XXX dev eth1

wallyrp

Giving a public IP to a PC on my private network
« Reply #10 on: October 13, 2005, 03:22:27 PM »
Good Morning,

I've heard that the box that you are trying to attach to via RDP must have the gateway set to the firewall that is doing the port forwarding. I still haven't had success with running RDP through an SME box, and I must have a public IP address that is addressed to this server so that a company can access a server at the customer's location. I haven't seen much discussion on this issue since the majority of folks just use PPTP or VPN to gain access to desktops behind the firewall. Any ideas?

I'll try this whole shebang again but I'm not hopeful.

Franco

Giving a public IP to a PC on my private network
« Reply #11 on: October 13, 2005, 03:35:05 PM »
Inside the network, your box will have the same IP range as the others (example: 192.168.130.XX); from outside the network, SME will listen to two IP addresses: one is the original and the other is the one you'll be adding. With NAT 1:1 you'll be exposing this box completely, and since you're talking Windows here, I recommend some protection. A search on the forums will reveal how to enable this on only certain ports, and also how to make your box listen only to certain IPs from the outside.
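
The restriction described in Reply #2 (open only chosen ports) and in Reply #11 (accept only chosen outside addresses), as an added example that is not part of any post or of the 1-to-1 contrib. It only prints rule lines; the `-s` source match, the narrowed FORWARD line used in place of the blanket `FORWARD -j ACCEPT`, and all addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: print (not apply) per-port 1:1 NAT rules limited to one source network.
# CustomNATin and /sbin/iptables come from the thread; addresses are constructed.

# Succeeds if $1 is a dotted-quad IPv4 address, optionally followed by /0../32.
valid_ipv4() {
    addr=${1%%/*}
    case $1 in
        */*) p=${1#*/}
             case $p in ''|*[!0-9]*) return 1 ;; esac
             [ "$p" -le 32 ] || return 1 ;;
    esac
    case $addr in ''|*[!0-9.]*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr            # split the address on dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in '') return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# gen_rules EXT_IP INT_IP SRC_CIDR "PORT ..."
# Emits one DNAT rule and one matching FORWARD rule per TCP port.
# Assumption: the FORWARD line stands in for the blanket "FORWARD -j ACCEPT".
gen_rules() {
    ext=$1 int=$2 src=$3 ports=$4
    valid_ipv4 "$ext" && valid_ipv4 "$int" && valid_ipv4 "$src" || return 1
    case $ext$int in */*) return 1 ;; esac      # NAT targets must be single hosts
    [ -n "$ports" ] || return 1
    for port in $ports; do                      # validate everything before printing
        case $port in *[!0-9]*) return 1 ;; esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    done
    for port in $ports; do
        echo "/sbin/iptables -t nat --append CustomNATin -s $src -d $ext -p tcp --dport $port -j DNAT --to $int:$port"
        echo "/sbin/iptables -A FORWARD -s $src -d $int -p tcp --dport $port -j ACCEPT"
    done
}

# Constructed sample: RDP only, from one partner network, to one internal PC.
gen_rules 203.0.113.46 192.168.1.150 198.51.100.0/24 "3389"
```

The FORWARD line matches the internal address because the destination has already been rewritten by DNAT when the packet reaches that chain.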

Arnie

Giving a public IP to a PC on my private network
« Reply #12 on: October 14, 2005, 03:40:44 AM »
Gentlemen,

Please remember that 192.168.x.x addresses are NON ROUTABLE :idea:

If you want to do a 1to1 NAT to an inside box, it must have a real world address or the upstream router will drop the traffic.
...

Franco

Giving a public IP to a PC on my private network
« Reply #13 on: October 14, 2005, 03:58:37 AM »
Quote
If you want to do a 1to1 NAT to an inside box, it must have a real world address or the upstream router will drop the traffic.


He cannot have a real IP inside his LAN; SME just wasn't designed for that. And it's why he needs to use a 192.168.XX.XX whatever IP.