I always felt intimidated by setting up NAT. I knew, of course, how to filter packets with iptables, but I always felt that NAT was just a tad confusing. Then I studied for the RHCE exam and it turns out that it is a lot easier than I expected, with a little help from Red Hat's firewall tool.
In earlier releases of Red Hat, the firewall tool was limited to filtering by port, with no NAT or ACL support. With version 6, the tool was significantly revamped. While ACLs are still not supported, you can now set up NAT from the firewall GUI. To get started, log into the graphical desktop and run the following from a terminal:
system-config-firewall
Alternatively, you can run it from the menu: System -> Administration -> Firewall. Or, if you are logged in remotely and have an X server running on your workstation, you can forward the tool over SSH and display it locally by logging in to the server with:
ssh -X username@hostname
and then running system-config-firewall.
(One notable caution: if you have an existing iptables configuration, running this tool will overwrite your rules. Be sure to back up /etc/sysconfig/iptables before you proceed.)
From there, you will see the following options available:

Select "Masquerading" and then, on the right, tick the interface your outbound traffic leaves through. Pick the external (Internet-facing) interface only: the wildcard entry eth+ matches every eth interface, so the masquerading and accept rules the tool writes for it apply to the LAN side as well (the rule dump further down was generated with eth+, and shows the effect).

Congratulations, NAT is now set up! The next step is to set up forwarding to your devices or servers. Select "Port Forwarding" on the left:

Then click the Add button on the right:
Near the top of the next screen, under the Source heading, click the interface button, select your interface and click OK.

Then click the protocol button, select your protocol and click OK.

Then click the port button, select (or enter) your port(s) and click OK:

Now, under the Destination heading, select "Forward to another port" and enter the IP address of the machine the packets will be forwarded to:

Then select the port button, or enter the port(s) you will be forwarding to:

Click OK, then OK again to return to the main screen.
From there, click Apply (which writes /etc/sysconfig/iptables) and then Reload (which restarts iptables).
(If you backed up your iptables file, you may be able to restore your old rules with the Custom Rules option. However, the backup must be in iptables-save format, which presumably means that a hand-written one will not work.)
You are mostly done here, but there are a couple more changes you need to make. First, though, let's log in on the command line and take a look at the iptables file:
[root@sl6vmware sysconfig]# cat iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth+ -j MASQUERADE
-A PREROUTING -i eth+ -p tcp --dport 20:21 -j DNAT --to-destination 192.168.15.36:20-21
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth+ -j ACCEPT
-A FORWARD -o eth+ -j ACCEPT
-A FORWARD -i eth+ -m state --state NEW -m tcp -p tcp -d 192.168.15.36 --dport 20:21 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
One thing stands out in that file before we walk through it. Because the interface was given as eth+, every rule written for it matches every eth interface: -A INPUT -i eth+ -j ACCEPT admits all traffic to the host itself on any Ethernet interface (no packet arriving on an eth interface ever reaches the SSH rule or the final INPUT REJECT), and -A FORWARD -i eth+ -j ACCEPT forwards everything, which makes the specific FORWARD rule for 192.168.15.36 redundant. Selecting only the external interface in the GUI keeps the masquerading and the forwarding scoped to the outside.
With that said, setting up NAT consists of a few steps:
1) Select the table, which for NAT is *nat. From the command line that is the first part of the following statement:
iptables -t nat <statement>
2) Add a POSTROUTING rule that masquerades traffic leaving through the external interface. From the command line it is the second part of the statement above:
iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
At that point, NAT is set up: hosts on the LAN can reach the outside and the replies find their way back.
3) From here it is a matter of forwarding inbound packets based on their destination port (you can add ACLs at this point, but the GUI tool will most likely overwrite them; again, make sure you have a backup). That is done with a PREROUTING rule in the nat table that rewrites the destination:
-A PREROUTING -i eth+ -p tcp --dport 20:21 -j DNAT --to-destination 192.168.15.36:20-21
From the command line:
iptables -t nat -A PREROUTING -i eth+ -p tcp --dport 20:21 -j DNAT --to-destination 192.168.15.36:20-21
DNAT only rewrites the address; the packet still has to be allowed through the FORWARD chain, so you also add:
-A FORWARD -i eth+ -m state --state NEW -m tcp -p tcp -d 192.168.15.36 --dport 20:21 -j ACCEPT
which from the command line is:
iptables -t filter -A FORWARD -i eth+ -m state --state NEW -m tcp -p tcp -d 192.168.15.36 --dport 20:21 -j ACCEPT
Note that this statement belongs in the filter table, not the nat table, and that it matches the destination after the rewrite (the internal address and port).
Getting this right on the command line is fairly tricky even for experienced administrators, which is why the firewall tool is a good way to manage NAT rules (assuming they are simple enough).
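The same rules built by hand, as an added example that is not from the original post or from system-config-firewall: a POSIX shell function that prints an iptables-restore ruleset with the nat and filter tables from steps 1 to 3, but bound to an explicit external interface and LAN interface rather than the eth+ wildcard, and with the FORWARD rule matching the post-DNAT destination. The interface names (eth0, eth1), the LAN host 192.168.15.36 and the ports are placeholders; the second forwarding spec in the usage comment (80 to 8080) is made up to show a remapped port.

```shell
#!/bin/sh
# Added example, not from the original post: build the NAT/port-forwarding
# ruleset by hand, in the iptables-save format system-config-firewall writes,
# but scoped to an explicit external interface instead of the eth+ wildcard.
# Interface names, the LAN host and the ports are placeholders.

# eth+ matches every eth* interface, so a MASQUERADE or ACCEPT written against
# it also applies to the LAN side. Refuse wildcards (and empty names) up front.
check_ifname() {
    case "$1" in
        ''|*+*) echo "refusing wildcard or empty interface name: '$1'" >&2; return 1 ;;
    esac
    return 0
}

# Parse one forwarding spec "proto,extports,lanhost,lanports" into proto,
# eports, host, iports. extports uses the match syntax (20:21), lanports the
# DNAT syntax (20-21); fports is lanports converted back for a --dport match.
parse_spec() {
    oldifs=$IFS
    IFS=,
    set -- $1
    IFS=$oldifs
    proto=$1 eports=$2 host=$3 iports=$4
    fports=$(printf '%s' "$iports" | tr '-' ':')
}

# nat_ruleset EXT_IF INT_IF SPEC... : print a ruleset ready for iptables-restore.
nat_ruleset() {
    ext_if=$1
    int_if=$2
    shift 2
    check_ifname "$ext_if" && check_ifname "$int_if" || return 1

    # Steps 1 and 2: the nat table, masquerading only on the outside interface.
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    echo "-A POSTROUTING -o $ext_if -j MASQUERADE"
    # Step 3a: rewrite the destination of connections arriving from outside.
    for spec in "$@"; do
        parse_spec "$spec"
        echo "-A PREROUTING -i $ext_if -p $proto -m $proto --dport $eports -j DNAT --to-destination $host:$iports"
    done
    echo 'COMMIT'

    # The filter table: what the host itself accepts, and what it forwards.
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -p icmp -j ACCEPT'
    # Management access (SSH) from the LAN side only.
    echo "-A INPUT -i $int_if -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT"
    echo '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # LAN hosts may open anything outbound; replies match the rule above.
    echo "-A FORWARD -i $int_if -o $ext_if -j ACCEPT"
    # Step 3b: FORWARD sees the packet after DNAT, so match the LAN host and port.
    for spec in "$@"; do
        parse_spec "$spec"
        echo "-A FORWARD -i $ext_if -o $int_if -d $host -p $proto -m $proto --dport $fports -m state --state NEW -j ACCEPT"
    done
    echo '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
    echo '-A FORWARD -j REJECT --reject-with icmp-host-prohibited'
    echo 'COMMIT'
}

# Usage (as root, after reading the output):
#   nat_ruleset eth0 eth1 tcp,20:21,192.168.15.36,20-21 tcp,80,192.168.15.40,8080 | iptables-restore
# and save the same output as /etc/sysconfig/iptables to keep it across reboots.
```

Because the FORWARD chain evaluates the packet after PREROUTING has rewritten it, the accept rule matches the LAN host and the LAN port. When the external and internal ports differ (80 forwarded to 8080 in the usage line), reusing the external port in the FORWARD rule, as the GUI's output does for the identical 20:21 case, would not match.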
The rules alone are not enough: you also have to enable IP forwarding in the kernel, or the box will drop the packets it is supposed to pass on. You can turn it on immediately with either:
sysctl -w net.ipv4.conf.all.forwarding=1
Or:
echo 1 > /proc/sys/net/ipv4/ip_forward
To make it permanent (which is what you want), add or change the net.ipv4.ip_forward line in /etc/sysctl.conf to:
net.ipv4.ip_forward = 1
Then reboot, or reload the file with sysctl's -p option so the change takes effect without one (a value set with sysctl -w or through /proc alone is lost at the next boot).
At this point there is one more thing you may need to do, particularly if you are running an FTP service.
FTP uses two connections: the control connection on port 21 and a separate data connection whose endpoint is negotiated over the control channel (the PORT command in active mode, the PASV reply in passive mode). In passive mode the server announces one of its own high ports (above 1024) and, here, its private address 192.168.15.36; in active mode it connects back to an address and port the client announces. A NAT or firewall that only knows about port 21 has no rule for that second connection, and the private address the server announces is unreachable from outside, so the transfer hangs.
There are four ways to address this:
1) Use SFTP. It is encrypted and runs over the single SSH port (22), so it is the best option; however, not every client supports it.
2) Restrict the server's passive data ports to a fixed range and forward (or open) that range.
3) Pick the FTP mode whose data connection is opened from the side that is not behind the NAT. For this setup, a server behind NAT, that is active mode; a client sitting behind its own NAT will need passive mode instead, so this only goes so far.
4) Have the NAT device follow the control channel, rewrite the address and port in the PORT and PASV exchanges, and open the data connection dynamically.
We will go with the last option. Fortunately, it is not complicated in this case. Open the following file:
/etc/sysconfig/iptables-config
and add (or change) the following:
IPTABLES_MODULES="nf_nat_ftp"
This helper module lets netfilter follow the FTP control channel, rewrite the address and port in the PORT and PASV exchanges, and mark the data connection as RELATED so the ESTABLISHED,RELATED rules above let it through. Two caveats: the helper parses every FTP control session that passes through the box, so load it only where you need it; and on kernels newer than the RHEL 6 one used here (4.7 and later), helpers are no longer attached to connections automatically and must be assigned with an explicit rule, so this file alone will not be enough there. The module is loaded whenever iptables is restarted, from the GUI or from the command line with:
service iptables restart
If you prefer to load the module manually, run:
modprobe nf_nat_ftp
which loads that module along with the modules it depends on. You can confirm that it is loaded with:
lsmod | grep ftp
which should show output like the following:
nf_nat_ftp 3473 0
nf_conntrack_ftp 12879 1 nf_nat_ftp
nf_nat 22788 3 nf_nat_ftp,ipt_MASQUERADE,iptable_nat
nf_conntrack 79611 8 nf_nat_ftp,nf_conntrack_ftp,ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state
Now you are done with NAT. You can start forwarding traffic to your internal servers and have them accessible from outside your network.
For more information on setting up NAT, go to the following links:
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables - A longer guide to setting up iptables, with a section on NAT.
http://debianclusters.org/index.php/NAT_with_IPTables - Setting up iptables NAT on Debian-type distributions.
http://www.ncftp.com/ncftpd/doc/misc/ftp_and_firewalls.html - The problems you will encounter with NAT and FTP.
I have been playing around with my new QNAP NAS appliance, getting the storage configured and the volumes set up with my Scientific Linux 6 virtual machines, using Daniel's articles as a reference point. While the articles worked easily for me at the beginning, setting up client VMs with authentication to multiple targets took a bit more effort. Hopefully this post will help those who run into the same problem.
The first thing to do is to go through the configuration wizard to create the targets as documented in the article. Continue until you get to this screen:

Choose "Use CHAP Authentication" (leave Mutual CHAP disabled for now), assign it a login user and (THIS IS IMPORTANT) a password of no more than 16 characters. The wizard does not make it obvious when you have exceeded the length of the password field, so pay careful attention when you type in your credentials; a silently truncated secret on the NAS shows up later only as a login failure on the initiator.
In any event, after entering your credentials, continue through the wizard and repeat until you have the desired number of volumes (or LUNs). You will end up with a screen similar to this:

Note the IQNs. Those names will become important later.
On the client server we will set up an iSCSI initiator. First, install the following package:
iscsi-initiator-utils
Assuming you have a repository set up, you can install it like this:
yum -y install iscsi-initiator-utils
Then cd to /etc/iscsi. After backing up the existing iscsid.conf, uncomment or add the following (the secret is stored in clear text, so keep the file readable by root only):
node.session.auth.authmethod = CHAP
node.session.auth.username = puttargetusernamehere
node.session.auth.password = puttargetpasswordhere
discovery.sendtargets.auth.authmethod = CHAP
discovery.sendtargets.auth.username = puttargetusernamehere
discovery.sendtargets.auth.password = puttargetpasswordhere
Afterwards, save the file and enable iscsi at startup:
chkconfig iscsi on
And then bring up the service:
service iscsi start
It is okay if you do not see the "OK" response yet; you are not done.
Now we need to initiate a connection to the NAS with the following command:
iscsiadm -m discoverydb -t st -p 192.168.15.250 -D
This pulls the list of targets from the portal (this is also when the iscsid daemon on the initiator actually starts):
[root@localhost iscsi]# iscsiadm -m discoverydb -t st -p 192.168.15.250 -D
Starting iscsid: [ OK ]
192.168.15.250:3260,1 iqn.2004-04.com.qnap:ts-419pplus:iscsi.kvm0005.c2d7bd
192.168.15.250:3260,1 iqn.2004-04.com.qnap:ts-419pplus:iscsi.kvm0004.c2d7bd
192.168.15.250:3260,1 iqn.2004-04.com.qnap:ts-419pplus:iscsi.kvm0003.c2d7bd
192.168.15.250:3260,1 iqn.2004-04.com.qnap:ts-419pplus:iscsi.kvm0002.c2d7bd
192.168.15.250:3260,1 iqn.2004-04.com.qnap:ts-419pplus:iscsi.kvm0001.c2d7bd
and saves a node record for each of them under /var/lib/iscsi:
[root@localhost iscsi]# cd /var/lib/iscsi/
[root@localhost iscsi]# ls
ifaces isns nodes send_targets slp static
[root@localhost iscsi]# find .
.
./static
./nodes
./nodes/iqn.2004-04.com.qnap:ts-419pplus:iscsi.kvm0003.c2d7bd
./nodes/iqn.2004-04.com.qnap:ts-419pplus:iscsi.kvm0003.c2d7bd/192.168.15.250,3260,1
./nodes/iqn.2004-04.com.qnap:ts-419pplus:iscsi.kvm0003.c2d7bd/192.168.15.250,3260,1/default
./nodes/iqn.2004-04.com.qnap:ts-419pplus:iscsi.kvm0005.c2d7bd
./nodes/iqn.2004-04.com.qnap:ts-419pplus:iscsi.kvm0005.c2d7bd/192.168.15.250,3260,1
./nodes/iqn.2004-04.com.qnap:ts-419pplus:iscsi.kvm0005.c2d7bd/192.168.15.250,3260,1/default
./nodes/iqn.2004-04.com.qnap:ts-419pplus:iscsi.kvm0002.c2d7bd
./nodes/iqn.2004-04.com.qnap:ts-419pplus:iscsi.kvm0002.c2d7bd/192.168.15.250,3260,1
./nodes/iqn.2004-04.com.qnap:ts-419pplus:iscsi.kvm0002.c2d7bd/192.168.15.250,3260,1/default
./nodes/iqn.2004-04.com.qnap:ts-419pplus:iscsi.kvm0001.c2d7bd
./nodes/iqn.2004-04.com.qnap:ts-419pplus:iscsi.kvm0001.c2d7bd/192.168.15.250,3260,1
./nodes/iqn.2004-04.com.qnap:ts-419pplus:iscsi.kvm0001.c2d7bd/192.168.15.250,3260,1/default
./nodes/iqn.2004-04.com.qnap:ts-419pplus:iscsi.kvm0004.c2d7bd
./nodes/iqn.2004-04.com.qnap:ts-419pplus:iscsi.kvm0004.c2d7bd/192.168.15.250,3260,1
./nodes/iqn.2004-04.com.qnap:ts-419pplus:iscsi.kvm0004.c2d7bd/192.168.15.250,3260,1/default
./slp
./send_targets
./send_targets/192.168.15.250,3260
./send_targets/192.168.15.250,3260/iqn.2004-04.com.qnap:ts-419pplus:iscsi.kvm0004.c2d7bd,192.168.15.250,3260,1,default
./send_targets/192.168.15.250,3260/iqn.2004-04.com.qnap:ts-419pplus:iscsi.kvm0003.c2d7bd,192.168.15.250,3260,1,default
./send_targets/192.168.15.250,3260/iqn.2004-04.com.qnap:ts-419pplus:iscsi.kvm0005.c2d7bd,192.168.15.250,3260,1,default
./send_targets/192.168.15.250,3260/iqn.2004-04.com.qnap:ts-419pplus:iscsi.kvm0001.c2d7bd,192.168.15.250,3260,1,default
./send_targets/192.168.15.250,3260/st_config
./send_targets/192.168.15.250,3260/iqn.2004-04.com.qnap:ts-419pplus:iscsi.kvm0002.c2d7bd,192.168.15.250,3260,1,default
./ifaces
./isns
(Note that the login credentials are saved in that directory as well, copied from iscsid.conf at discovery time; the files are readable only by root.)
Finally, log the initiator in to a specific target. Enter the following with the IQN of the target you will be using:
iscsiadm -m node -T iqn.2004-04.com.qnap:ts-419pplus:iscsi.kvm0002.c2d7bd --login
The discovery step has to come first: iscsiadm -m node operates on the node records that discovery creates, and without them you will see:
iscsiadm: no records found!
Now, assuming the login in iscsid.conf matches what you set on the NAS volume, you will get the following output:
[root@localhost iscsi]# iscsiadm -m node -T iqn.2004-04.com.qnap:ts-419pplus:iscsi.kvm0002.c2d7bd --login
Logging in to [iface: default, target: iqn.2004-04.com.qnap:ts-419pplus:iscsi.kvm0002.c2d7bd, portal: 192.168.15.250,3260]
Login to [iface: default, target: iqn.2004-04.com.qnap:ts-419pplus:iscsi.kvm0002.c2d7bd, portal: 192.168.15.250,3260] successful.
Otherwise, you will get this:
[root@localhost iscsi]# iscsiadm -m node -T iqn.2004-04.com.qnap:ts-419pplus:iscsi.kvm0002.c2d7bd --login
Logging in to [iface: default, target: iqn.2004-04.com.qnap:ts-419pplus:iscsi.kvm0002.c2d7bd, portal: 192.168.15.250,3260]
iscsiadm: Could not login to [iface: default, target: iqn.2004-04.com.qnap:ts-419pplus:iscsi.kvm0002.c2d7bd, portal: 192.168.15.250,3260].
iscsiadm: initiator reported error (19 - encountered non-retryable iSCSI login failure)
Recheck your login on both ends. Because the node records carry their own copy of the CHAP settings, taken at discovery time, correcting iscsid.conf alone does not change an already-discovered target; worst case, wipe the records for that portal with the following and run the discovery again:
iscsiadm -m discoverydb -t st -p 192.168.15.250 -o delete
Once the iSCSI connection is established, you will see the following in the kernel log (dmesg):
scsi4 : iSCSI Initiator over TCP/IP
scsi 4:0:0:0: Direct-Access QNAP iSCSI Storage 3.1 PQ: 0 ANSI: 5
sd 4:0:0:0: [sda] 104857600 512-byte logical blocks: (53.6 GB/50.0 GiB)
sd 4:0:0:0: [sda] Write Protect is off
sd 4:0:0:0: [sda] Mode Sense: 2f 00 00 00
sd 4:0:0:0: [sda] Write cache: disabled, read cache: enabled, doesn’t support DPO or FUA
sda: unknown partition table
sd 4:0:0:0: [sda] Attached SCSI disk
sd 4:0:0:0: Attached scsi generic sg0 type 0
If you see this, you are done. The OS sees it as a regular block device and configures it accordingly. You can now partition and format it for production use.
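The whole initiator-side procedure above as an added script, not from the original post: it writes the CHAP parameters into iscsid.conf while keeping the file root-only, refuses secrets outside 12 to 16 characters, runs discovery before login (which is what rules out "no records found"), and, when the login fails with the non-retryable error shown above, can push a corrected secret into the existing node record with iscsiadm's update operation instead of wiping everything. The 12-character minimum is an assumption (the post only gives the 16-character ceiling); the portal, IQN and credentials are placeholders, and only the last three functions call iscsiadm.

```shell
#!/bin/sh
# Added example, not from the original post: CHAP configuration, discovery and
# login for an open-iscsi initiator, with the checks the post does by hand.
# Portal, IQN and credentials are placeholders; iscsiadm is only used by the
# discover/update/login functions at the end.

# The QNAP wizard's password field stops at 16 characters without saying so.
# The 12-character minimum is assumed (the usual CHAP rule on initiators and
# targets); reject anything outside 12..16 before it reaches either end.
chap_secret_ok() {
    [ ${#1} -ge 12 ] && [ ${#1} -le 16 ]
}

# write_chap_conf FILE USER SECRET: set the discovery and session CHAP
# parameters in an iscsid.conf (normally /etc/iscsi/iscsid.conf). Earlier
# active auth lines are dropped first (commented defaults stay) and the file
# ends up mode 600 because the secret sits in it in clear text.
write_chap_conf() {
    file=$1 user=$2 secret=$3
    chap_secret_ok "$secret" || { echo "CHAP secret must be 12 to 16 characters" >&2; return 1; }
    [ -f "$file" ] || : > "$file"
    chmod 600 "$file"
    # Rewrite into a root-only temp file (umask 077) so no wider mode ever exists.
    ( umask 077
      grep -v -E '^(node\.session|discovery\.sendtargets)\.auth\.(authmethod|username|password) ' "$file" > "$file.tmp" || : )
    for scope in node.session discovery.sendtargets; do
        printf '%s.auth.authmethod = CHAP\n%s.auth.username = %s\n%s.auth.password = %s\n' \
            "$scope" "$scope" "$user" "$scope" "$secret" >> "$file.tmp"
    done
    mv "$file.tmp" "$file"
}

# discover_targets PORTAL: create the node records that "iscsiadm -m node"
# works on; skipping this is what produces "iscsiadm: no records found!".
discover_targets() {
    iscsiadm -m discoverydb -t st -p "$1" -D
}

# update_node_chap PORTAL IQN USER SECRET: node records keep their own copy of
# the CHAP settings taken from iscsid.conf at discovery time, so a corrected
# secret must be pushed into the record (or the target deleted and
# rediscovered) before another login can succeed.
update_node_chap() {
    portal=$1 iqn=$2 user=$3 secret=$4
    chap_secret_ok "$secret" || return 1
    iscsiadm -m node -T "$iqn" -p "$portal" -o update -n node.session.auth.authmethod -v CHAP &&
    iscsiadm -m node -T "$iqn" -p "$portal" -o update -n node.session.auth.username -v "$user" &&
    iscsiadm -m node -T "$iqn" -p "$portal" -o update -n node.session.auth.password -v "$secret"
}

# login_target PORTAL IQN: log in and turn the two failures the post shows into
# hints (missing records, or the CHAP mismatch behind "non-retryable login failure").
login_target() {
    portal=$1 iqn=$2
    if out=$(iscsiadm -m node -T "$iqn" -p "$portal" --login 2>&1); then
        printf '%s\n' "$out"
        return 0
    fi
    printf '%s\n' "$out" >&2
    case $out in
        *"no records found"*)
            echo "hint: run discover_targets $portal first" >&2 ;;
        *"non-retryable iSCSI login failure"*)
            echo "hint: CHAP user/secret mismatch; fix both ends, then update_node_chap or rediscover" >&2 ;;
    esac
    return 1
}

# Usage (as root, placeholders):
#   write_chap_conf /etc/iscsi/iscsid.conf kvmuser 's3cretpassw0rd'
#   discover_targets 192.168.15.250 && login_target 192.168.15.250 iqn.2004-04.com.qnap:ts-419pplus:iscsi.kvm0002.c2d7bd
```

Running write_chap_conf twice leaves exactly one set of auth lines, so a corrected secret does not pile up behind the old one; the permission check in the script matters because the same secret is what the node records under /var/lib/iscsi end up holding.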