Hi All,

I have been going over the shorewall docs and noticed that Proxy ARP seems to be preferred over Static NAT... But what I can't find is _why_ (especially since ISPs caching arp replies for long periods seem to be a problem?)

I have a pretty basic setup I'd like to create, but don't want to shoot myself in the foot...

I was going to install shorewall to provide firewall, NAT, and a DMZ for my home network. I have 3 static IPs from my ISP and decided on:

$FW x.x.x.1 eth0
$FW x.x.x.2 eth0:1 (Mail server)
$FW x.x.x.3 eth0:2 (web server)

I was just going to alias all three IPs to my external interface (eth0), and use static NAT to direct stuff to a 192.168.1.X network in the DMZ. Is there some reason to prefer proxy ARP to this? Am I going to cause myself problems later?

Thanks!
Steve
On Sun, 18 Aug 2002, Steve wrote:

> Hi All,
>
> I have been going over the shorewall docs and noticed that Proxy ARP seems
> to be preferred over Static NAT... But what I can't find is _why_
> (especially since ISPs caching arp replies for long periods seem to be a
> problem?)

Exactly the same problem occurs if you move a system from parallel to your firewall to behind it using static NAT. In both cases, traffic to the system's external IP must be sent to the MAC of the firewall's external interface but the ISP's gateway wants to continue sending it to the MAC of the system that you moved.

> I have a pretty basic setup I'd like to create, but don't want to
> shoot myself in the foot...
>
> I was going to install shorewall to provide firewall, NAT, and a DMZ for
> my home network. I have 3 static IPs from my ISP and decided on:
> $FW x.x.x.1 eth0
> $FW x.x.x.2 eth0:1 (Mail server)
> $FW x.x.x.3 eth0:2 (web server)
>

Of course you can't use the "eth0:n" notation with iptables/Shorewall.

> I was just going to alias all three IPs to my external interface (eth0),
> and use static NAT to direct stuff to a 192.168.1.X network in the DMZ. Is
> there some reason to prefer proxy ARP to this? Am I going to cause myself
> problems later?
>

I prefer Proxy ARP for servers in the DMZ because then they have the same IP address internally and externally (and the server itself knows what its real IP address is!). This avoids the issues covered in FAQ 2a. In summary, you have to be a lot more careful with your DNS setup (or use horrible kludges like routing intra-DMZ traffic through the firewall) when you use static NAT.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
>> Of course you can't use the "eth0:n" notation with iptables/Shorewall

Really? I wasn't aware of that... I had been 'playing' with the Shorewall configs and it _seemed_ to take the notation in the Zones file...

>> In summary, you have to be a lot more careful with your DNS setup (or use
>> horrible kludges like routing intra-DMZ traffic through the firewall) when
>> you use static NAT.

I see. For the 2 or 3 machines I have to worry about, I figured it wouldn't be an issue. But thinking about what you said about the server knowing its 'real' IP - it's probably easier to keep straight if a machine only has one IP (w/Proxy Arp) rather than a 'real' and 'internal' IP - I'd prolly end up confusing them, as you mentioned. And it's never too early to start learning good habits :-)

Thanks very much for the help!! Off to figure out proxy arp...

Steve
On Sun, 18 Aug 2002, Steve wrote:

> >> Of course you can't use the "eth0:n" notation with iptables/Shorewall
>
> Really? I wasn't aware of that... I had been 'playing' with the Shorewall
> configs and it _seemed_ to take the notation in the Zones file...
>

But you would never mention an interface in the zones file...

-Tom
On Sun, 18 Aug 2002, Steve wrote:

> >> Of course you can't use the "eth0:n" notation with iptables/Shorewall
>
> Really? I wasn't aware of that... I had been 'playing' with the Shorewall
> configs and it _seemed_ to take the notation in the Zones file...
>

[root@gateway root]# iptables -N foo
[root@gateway root]# iptables -A foo -i eth0:0 -j ACCEPT
Warning: wierd character in interface `eth0:0' (No aliases, :, ! or *).
[root@gateway root]#

-Tom
-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Sunday, August 18, 2002 6:50 PM
To: Steve
Cc: shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] Static NAT vs. Proxy ARP ?

> [root@gateway root]# iptables -N foo
> [root@gateway root]# iptables -A foo -i eth0:0 -j ACCEPT
> Warning: wierd character in interface `eth0:0' (No aliases, :, ! or *).
> [root@gateway root]#

Hehe - _That_ would have caused me no end of grief! Thanks!!

Still futzing with Proxy Arp...

Steve
I'm trying to implement nat exception and ip pool with Shorewall. But it seems I can't with the current release:

Natting everything to any destination on a single ip or maybe on an ip pool, but do not nat on a specific destination.

ie:
src 192.168.1.0/24 dst 0.0.0.0/0 nat on 195.132.1.1

the best would be (if i have a pool)
src 192.168.1.0/24 dst 0.0.0.0/0 nat on 195.132.1.1-195.132.1.5 single nat
src 192.168.1.0/24 dst 0.0.0.0/0 nat on 195.132.1.6 pat

and with the exception
src 192.168.1.0/24 dst 213.157.44.0/8 do not nat.

192.168.1.0/24 ----- FW ----- Router ------- INTERNET
                     |
                     + --- FW ----- 213.157.44.0/8

That way when I reach 213.157.44.0/8, I know which local IP is accessing the network.

Maybe I'm wrong and there's another solution (surely) but this should work with iptables.

PS1: btw I wonder if I can nat a nat onto itself
ie:
src 192.168.1.0/24 dst 0.0.0.0/0 nat on 192.168.1.0/24 single nat

Very useful if you don't want to do route things... (the "route" command should not exist on a firewall... but that's my opinion)

PS2: btw seems that I have a problem natting using this command:

masq file:
eth1 192.168.1.0/24 195.132.1.1

giving me:
Adding IP Addresses...
Command line is not complete. Try option "help"
Terminated

using
eth1 192.168.1.0/24
works fine

----------------------------------------------------------------
Jérôme Tytgat
Unix, Network and Security Administrator - Security Engineer
mailto:jtytgat@websurg.com - http://www.cv.sioban.net
----------------------------------------------------------------
On Mon, 19 Aug 2002, Jerome Tytgat wrote:

> I'm trying to implement nat exception and
> ip pool with Shorewall.
>
> But it seems I can't with the current release:
>
> Natting everything to any destination on a single ip or maybe on an ip pool,
> but do not nat on a specific destination.
>
> ie:
> src 192.168.1.0/24 dst 0.0.0.0/0 nat on 195.132.1.1
>
> the best would be (if i have a pool)
> src 192.168.1.0/24 dst 0.0.0.0/0 nat on 195.132.1.1-195.132.1.5 single nat
> src 192.168.1.0/24 dst 0.0.0.0/0 nat on 195.132.1.6 pat
>

Rather than using this terse notation, can you tell me in English what you are trying to do? It's not at all clear from your post.

> and with the exception
>
> src 192.168.1.0/24 dst 213.157.44.0/8 do not nat.
>
> 192.168.1.0/24 ----- FW ----- Router ------- INTERNET
>                      |
>                      + --- FW ----- 213.157.44.0/8
>
> That way when I reach 213.157.44.0/8, I know which local IP is
> accessing the network.
> Maybe I'm wrong and there's another solution (surely) but this
> should work with iptables.
>
> PS1: btw I wonder if I can nat a nat onto itself
> ie:
> src 192.168.1.0/24 dst 0.0.0.0/0 nat on 192.168.1.0/24 single nat
>
> Very useful if you don't want to do route things... (the "route" command
> should not exist on a firewall... but that's my opinion)
>

Again, from that description I haven't a clue what problem you are trying to solve.

> PS2: btw seems that I have a problem natting using this command:
> masq file:
> eth1 192.168.1.0/24 195.132.1.1
>
> giving me:
> Adding IP Addresses...
> Command line is not complete. Try option "help"
> Terminated
>
> using
> eth1 192.168.1.0/24
> works fine
>

I'll have to have a trace (shorewall debug start 2> /tmp/trace). In the mean time, turn off ADD_SNAT_ALIASES and add the "195.132.1.1" address to eth1 yourself.

-Tom
Ok sorry... I'll try to do my best

Clearly here I prefer to nat a network on a pool of ip instead of a single ip.

> > src 192.168.1.0/24 dst 0.0.0.0/0 nat on 195.132.1.1

want to nat the traffic from 192.168.1.0/24 to ANY destination, using the natted ip 195.132.1.1

> > the best would be (if i have a pool)
> > src 192.168.1.0/24 dst 0.0.0.0/0 nat on 195.132.1.1-195.132.1.5 single nat
> > src 192.168.1.0/24 dst 0.0.0.0/0 nat on 195.132.1.6 pat

want to nat the traffic from 192.168.1.0/24 to ANY destination, using the pool of IP 195.132.1.1 to 195.132.1.5 with a nat of 1 to 1, and then using the 195.132.1.6 ip for patting all the other local ip.

First LOCAL IP going thru the firewall obtains the EXTERNAL IP 195.132.1.1, the second one obtains 195.132.1.2, until it reaches 195.132.1.5, then all the other local IPs are natted using one single external ip: 195.132.1.6 (normal behaviour for the MASQ function)

I clarify PAT/NAT:

PAT = Port address translation, typically what MASQUERADE does (several local ips for one extern ip)
NAT = Network address translation, typically SNAT (one local ip for one extern ip)

> > and with the exception
> >
> > src 192.168.1.0/24 dst 213.157.44.0/8 do not nat.

This is another question in fact:

Can I have an exception in the NAT translation, if I don't want my LOCAL IPs (192.168.1.0/24) being translated when I reach the EXTERNAL network (213.157.44.0/8) BUT they are translated for ALL other destinations.

It's the opposite to this config line:

/etc/shorewall/masq
eth0:213.157.44.0/8 192.168.1.0/24

which means NAT only what is going to 213.157.44.0/8 and coming from 192.168.1.0/24

> > PS1: btw I wonder if I can nat a nat onto itself
> > ie:
> > src 192.168.1.0/24 dst 0.0.0.0/0 nat on 192.168.1.0/24 single nat
> >
> > Very useful if you don't want to do route things... (the "route" command
> > should not exist on a firewall... but that's my opinion)
>
> Again, from that description I haven't a clue what problem you are trying
> to solve.

I want to NAT one ip for ip, having in LOCAL: 192.168.1.0/24 and in EXTERNAL 192.168.1.0/24 (when I'm outside the firewall and I try to reach 192.168.1.1, it goes thru the PRE ROUTING RULES and not only in the INPUT rules)

> > PS2: btw seems that I have a problem natting using this command:
> > masq file:
> > eth1 192.168.1.0/24 195.132.1.1
> >
> > giving me:
> > Adding IP Addresses...
> > Command line is not complete. Try option "help"
> > Terminated
> >
> > using
> > eth1 192.168.1.0/24
> > works fine
> >
>
> I'll have to have a trace (shorewall debug start 2> /tmp/trace). In the
> mean time, turn off ADD_SNAT_ALIASES and add the "195.132.1.1" address to
> eth1 yourself.

/etc/shorewall/masq
eth1 192.168.1.0/24 195.132.1.1

/tmp/trace
+ run_ip addr add :195.132.1.1/8 brd 127.255.255.255 dev
+ ip addr add 195.132.1.1/8 brd 127.255.255.255 dev
Command line is not complete. Try option "help"
+ '[' -z '' ']'
+ stop_firewall
+ stopping=Yes

Hope I'm a little more clear now...
On Mon, 19 Aug 2002, Jerome Tytgat wrote:

> Ok sorry...
> I'll try to do my best
>
> Clearly here I prefer to nat a network on a pool of ip instead
> of a single ip.
>
> > > src 192.168.1.0/24 dst 0.0.0.0/0 nat on 195.132.1.1
>
> want to nat the traffic from 192.168.1.0/24 to ANY destination, using
> the natted ip 195.132.1.1
>
> > > the best would be (if i have a pool)
> > > src 192.168.1.0/24 dst 0.0.0.0/0 nat on 195.132.1.1-195.132.1.5 single nat
> > > src 192.168.1.0/24 dst 0.0.0.0/0 nat on 195.132.1.6 pat
>
> want to nat the traffic from 192.168.1.0/24 to ANY destination, using the
> pool of IP 195.132.1.1 to 195.132.1.5 with a nat of 1 to 1, and then using the
> 195.132.1.6 ip for patting all the other local ip.
>
> First LOCAL IP going thru the firewall obtains the EXTERNAL IP 195.132.1.1,
> the second one obtains 195.132.1.2,
> until it reaches 195.132.1.5,
> then all the other local IPs are natted using one single external ip:
> 195.132.1.6 (normal behaviour for the MASQ function)
>
> I clarify PAT/NAT:
>
> PAT = Port address translation, typically what MASQUERADE does (several
> local ips for one extern ip)
> NAT = Network address translation, typically SNAT (one local ip for one extern
> ip)
>

Thanks -- I now understand what you want to do -- you are correct; you can't do that with Shorewall. If you turn off ADD_SNAT_ALIASES, you can implement a pool:

eth0 192.168.1.0/24 195.132.1.1

> > > and with the exception
> > >
> > > src 192.168.1.0/24 dst 213.157.44.0/8 do not nat.
>
> This is another question in fact:
>
> Can I have an exception in the NAT translation, if I don't want
> my LOCAL IPs (192.168.1.0/24) being translated when I reach the
> EXTERNAL network (213.157.44.0/8) BUT they are translated
> for ALL other destinations.
>
> It's the opposite to this config line:
>
> /etc/shorewall/masq
> eth0:213.157.44.0/8 192.168.1.0/24
>
> which means NAT only what is going to 213.157.44.0/8 and coming
> from 192.168.1.0/24

Sounds like you want:

eth0:!213.157.44.0/8 192.168.1.0/24

> > > PS1: btw I wonder if I can nat a nat onto itself
> > > ie:
> > > src 192.168.1.0/24 dst 0.0.0.0/0 nat on 192.168.1.0/24 single nat
> > >
> > > Very useful if you don't want to do route things... (the "route" command
> > > should not exist on a firewall... but that's my opinion)
> >
> > Again, from that description I haven't a clue what problem you are trying
> > to solve.
>
> I want to NAT one ip for ip, having in LOCAL: 192.168.1.0/24 and
> in EXTERNAL 192.168.1.0/24 (when I'm outside the firewall and I try to
> reach 192.168.1.1, it goes thru the PRE ROUTING RULES and not
> only in the INPUT rules)
>

That's still as clear as mud -- sorry.

-Tom
> Thanks -- I now understand what you want to do -- you are correct; you
> can't do that with Shorewall. If you turn off ADD_SNAT_ALIASES, you can
> implement a pool:
>
> eth0 192.168.1.0/24 195.132.1.1

Ok. That's clear, will you implement ip pool in the future?

BTW, your product is great and works great :)

> Sounds like you want:
>
> eth0:!213.157.44.0/8 192.168.1.0/24

Yes!! Is this working???

> That's still as clear as mud -- sorry.
>

forget about it...
On Tue, 20 Aug 2002, Jerome Tytgat wrote:

> > Thanks -- I now understand what you want to do -- you are correct; you
> > can't do that with Shorewall. If you turn off ADD_SNAT_ALIASES, you can
> > implement a pool:
> >
> > eth0 192.168.1.0/24 195.132.1.1
>
> Ok. That's clear, will you implement ip pool in the future?

Actually what I meant was:

eth0 192.168.1.0/24 195.132.1.1-195.231.1.5

I doubt that I'll implement auto add of the pool because I can't assume that any of the handy ip address utilities are available (Shorewall runs on "router on a floppy" distributions). Doing IP address manipulation in a shell script is hard without these utilities. I can certainly document the above though.

> BTW, your product is great and works great :)
>
> > Sounds like you want:
> >
> > eth0:!213.157.44.0/8 192.168.1.0/24
>
> Yes!! Is this working???

Yes -- you can do that now.

-Tom
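To make the three masq-file forms discussed in this thread concrete (plain masquerading, an SNAT pool in the ADDRESS column, and the `eth0:!dest` exception), here is an added illustration, not Shorewall's own code, that prints the iptables nat/POSTROUTING rule each line corresponds to; it assumes the three-column INTERFACE[:[!]DEST] SUBNET [ADDRESS] layout used above and uses the 195.132.1.1-195.132.1.5 pool as described in the thread. Rules are printed rather than executed so they can be reviewed before touching a firewall.

```shell
#!/bin/sh
# Translate one /etc/shorewall/masq line into the equivalent iptables rule.
# This mapping is the example's own; it is not how Shorewall generates rules.
masq_to_iptables() {
    iface_spec=$1 subnet=$2 addr=$3
    iface=${iface_spec%%:*}             # text before the first ':' is the interface
    dest=""
    case $iface_spec in
        *:*) dest=${iface_spec#*:} ;;   # optional destination qualifier after ':'
    esac
    rule="iptables -t nat -A POSTROUTING -s $subnet -o $iface"
    case $dest in
        "")   ;;                                # no destination restriction
        "!"*) rule="$rule ! -d ${dest#!}" ;;    # '!' : NAT everything EXCEPT this destination
        *)    rule="$rule -d $dest" ;;          # NAT only traffic to this destination
    esac
    if [ -z "$addr" ]; then
        rule="$rule -j MASQUERADE"              # no ADDRESS: PAT on the interface's own address
    else
        rule="$rule -j SNAT --to-source $addr"  # ADDRESS: single IP or an a-b range (pool)
    fi
    printf '%s\n' "$rule"
}

# Constructed sample lines, in the order they appear in the thread.
masq_to_iptables eth1 192.168.1.0/24                                        # PS2 "works fine" form
masq_to_iptables eth0 192.168.1.0/24 195.132.1.1-195.132.1.5               # pool (ADD_SNAT_ALIASES off)
masq_to_iptables eth0:213.157.44.0/8 192.168.1.0/24                         # NAT only to 213.157.44.0/8
masq_to_iptables 'eth0:!213.157.44.0/8' 192.168.1.0/24 195.132.1.1          # exception: do not NAT to it
```

With a pool, the kernel chooses the source address per connection from the range; it does not hand out one fixed external IP per internal host followed by PAT overflow, which is the behaviour Jérôme asked for and Tom confirmed Shorewall does not provide.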