Melbin Mathew


Homepage: http://www.talk2melbin.com


Posts by Melbin Mathew

Configure NAT Routing Between Two Network Interfaces

Network Address Translation (NAT) lets hosts on an internal network reach the outside through a gateway. It gives the system administrator a single point at which to control the traffic leaving the network and to monitor the users' usage.

The NAT described here uses two Ethernet interfaces: internal users can reach public addresses through the gateway, but hosts on the public side cannot reach the internal network unless the system administrator explicitly forwards something to it.

Because nothing on the internal network is reachable from outside without the administrator's permission, this reduces the exposed surface and improves security.

It is done with iptables and the ip_forward kernel parameter.

1. Edit

#vi /etc/sysctl.conf

and set the parameter

net.ipv4.ip_forward = 1

No network restart is needed; apply the file with

#sysctl -p

which also prints the values it loaded. To confirm the running value, cat /proc/sys/net/ipv4/ip_forward should show 1.

2. The iptables command that sets up the translation is

#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

where eth0 is the external (public) interface. The name may vary depending on the interface naming on your system.

This masquerades traffic from the internal interface behind the public interface's address. Note that MASQUERADE only rewrites source addresses; whether outside hosts can route into the internal network is decided by the FORWARD chain, so keep its default policy at DROP and accept only traffic arriving from the internal interface plus ESTABLISHED,RELATED replies coming back.

Save the rules so they survive a reboot. There is no "iptables save" command; on RHEL/CentOS the command is

#service iptables save

which writes /etc/sysconfig/iptables. On other distributions use iptables-save to write the rules to a file that is restored at boot.

Configure Apf with Nat

APF can be configured to keep the NAT rule in place; otherwise APF flushes it whenever it reloads. Add the rule to APF's post-routing rules file:

# vi /etc/apf/postroute.rules

and add the same line

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Save, exit and reload APF:

#apf -r
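
The whole gateway setup from the post as one reviewable script, added here as an example and not code from the original post. Interface names and the LAN subnet are assumptions (EXT_IF, INT_IF, LAN_NET); without APPLY=1 run as root it only prints the commands so the ruleset can be checked before anything is changed. The FORWARD rules are the part the single MASQUERADE line leaves out: they, not the translation, are what stops outside hosts from routing into the LAN.

```shell
#!/bin/sh
# Added example for the NAT post above (not from the original page).
# Assumptions: the interface names and the internal subnet below.
EXT_IF="${EXT_IF:-eth0}"                # assumed: public-facing interface
INT_IF="${INT_IF:-eth1}"                # assumed: internal LAN interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # assumed: internal subnet

# Run a command only when APPLY=1 and we are root; otherwise print it.
run() {
    if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

nat_rules() {
    # 1. Enable forwarding now; keep net.ipv4.ip_forward = 1 in
    #    /etc/sysctl.conf so it survives a reboot (sysctl -p reloads it).
    run sysctl -w net.ipv4.ip_forward=1

    # 2. The post's MASQUERADE rule, restricted with -s so that only
    #    packets that really come from the LAN get translated.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$EXT_IF" -j MASQUERADE

    # 3. The FORWARD chain is what keeps outsiders out of the LAN:
    #    drop by default, let LAN-originated sessions out, and let only
    #    the replies to those sessions back in.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 4. Persist the rules. "iptables save" is not a command; on RHEL/CentOS
    #    this writes /etc/sysconfig/iptables.
    run service iptables save
}

nat_rules
```

Run it once without APPLY to read the six commands it would issue, then APPLY=1 as root. If APF is in use, the MASQUERADE line still belongs in /etc/apf/postroute.rules as the post describes, so that an apf -r does not drop it.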

BFD Installation And Configuration

BFD (Brute Force Detection)
BFD is a modular shell script for parsing applicable logs and checking for authentication failures. There is not much complexity or detail to BFD yet, and likewise it is very straightforward in its installation, configuration and usage. The reason behind BFD is simple: there are few or no authentication and brute force auditing programs in the Linux community that work in conjunction with a firewall or a real-time facility to place bans. BFD is available at: http://www.rfxnetworks.com/bfd.php

BFD works with APF: when it detects a brute force source, it uses APF to deny the attacker's IP. The denied IPs are listed in

#cat /etc/apf/deny_hosts.rules

Each entry carries a comment saying which type of attack the system saw from that address. To allow such an IP again, remove it from the APF deny hosts file and reload APF with "apf -r". The same can be done from the command line:

#apf -d <ip> adds the IP to the deny list.

#apf -a <ip> adds the IP to the allow list.

If the IP is already on the deny list, remove it from that file first and then add it to the allow list.

#cat /etc/apf/allow_hosts.rules

shows the allowed IP addresses.

This guide will show you how to install and configure BFD to protect your system from brute force hack attempts.

Requirements:
- You MUST have APF Firewall Installed before installing BFD – it works with APF and requires some APF files to operate.
- Root SSH access to your server

Updated: April 13, 2005

Let's begin!
Login to your server through SSH and su to the root user.

1. cd /root/downloads or another temporary folder where you store your files.

2. wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz

3. tar -xvzf bfd-current.tar.gz

4. cd bfd-0.7

5. Run the install file: ./install.sh
The tarball was fetched over plain HTTP and install.sh runs as root, so if RFX Networks publishes a checksum or signature for the release, check it first; otherwise at least read through install.sh before running it.
You will receive a message saying it has been installed

.: BFD installed
Install path:    /usr/local/bfd
Config path:     /usr/local/bfd/conf.bfd
Executable path: /usr/local/sbin/bfd

6. Lets edit the configuration file: pico /usr/local/bfd/conf.bfd

7. Enable brute force hack attempt alerts:
Find: ALERT_USR="0"
CHANGE TO: ALERT_USR="1"

Find: EMAIL_USR="root"
CHANGE TO: EMAIL_USR="your@yourdomain.com"

Save the changes: Ctrl+X then Y

8. Prevent locking yourself out!
pico -w /usr/local/bfd/ignore.hosts and add your own trusted IPs
Eg:
192.168.1.1

Save the changes: Ctrl+X then Y

BFD uses APF's command-line insert feature, and as such its bans override any allow_hosts.rules entries you have in place. So be sure to add your trusted IP addresses to the ignore file to prevent locking yourself out.

9. Run the program!
/usr/local/sbin/bfd -s

10. Customize your applications' brute force configuration
Check out the rules directory in /usr/local/bfd

Here you'll find all kinds of pre-made rules for popular services such as Apache and ProFTPD, w00t!
If you have any clue about shell scripting you can customize them or create new rules for enhanced brute force detection and prevention.

Thanks to RFX Networks for creating another great script for the community, Brute Force Detection is excellent!
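
What a BFD rule actually does, as an added example written for this page (not BFD's own rule code): parse a service log for failed logins, count failures per source address, skip anything listed in ignore.hosts, and hand the rest to apf -d. The sshd log lines, the ignore list, the threshold of 5 and the trusted address 192.168.1.1 are all constructed assumptions so the script runs offline; point find_attackers at the real /var/log/secure and /usr/local/bfd/ignore.hosts to use it for real.

```shell
#!/bin/sh
# Added example for the BFD post above; not the project's own rule code.
THRESHOLD="${THRESHOLD:-5}"   # assumed: failed logins per source before a ban

# Constructed sample of /var/log/secure sshd lines (not real traffic).
SAMPLE_LOG='Apr 13 10:01:02 host sshd[2101]: Failed password for root from 203.0.113.9 port 40112 ssh2
Apr 13 10:01:03 host sshd[2102]: Failed password for invalid user admin from 203.0.113.9 port 40113 ssh2
Apr 13 10:01:04 host sshd[2103]: Failed password for root from 203.0.113.9 port 40114 ssh2
Apr 13 10:01:05 host sshd[2104]: Failed password for root from 203.0.113.9 port 40115 ssh2
Apr 13 10:01:06 host sshd[2105]: Failed password for root from 203.0.113.9 port 40116 ssh2
Apr 13 10:01:20 host sshd[2106]: Failed password for webadmin from 192.168.1.1 port 50001 ssh2
Apr 13 10:01:21 host sshd[2107]: Failed password for webadmin from 192.168.1.1 port 50002 ssh2
Apr 13 10:01:22 host sshd[2108]: Failed password for webadmin from 192.168.1.1 port 50003 ssh2
Apr 13 10:01:23 host sshd[2109]: Failed password for webadmin from 192.168.1.1 port 50004 ssh2
Apr 13 10:01:24 host sshd[2110]: Failed password for webadmin from 192.168.1.1 port 50005 ssh2
Apr 13 10:02:00 host sshd[2111]: Accepted password for webadmin from 198.51.100.7 port 51000 ssh2
Apr 13 10:02:01 host sshd[2112]: Failed password for root from 198.51.100.20 port 52000 ssh2'

# Constructed ignore list in the format of /usr/local/bfd/ignore.hosts
# (one address per line, # comments allowed). The admin mistyped their
# password five times above; this is why they must not be banned.
IGNORE_HOSTS='# trusted admin addresses
192.168.1.1'

# find_attackers LOG IGNORE THRESHOLD -> "ip count" per offending source
find_attackers() {
    printf '%s\n' "$1" | awk -v ignore="$2" -v limit="$3" '
        BEGIN {
            # Build the ignore set, dropping comments and blank lines.
            n = split(ignore, lines, "\n")
            for (i = 1; i <= n; i++) {
                line = lines[i]; sub(/#.*/, "", line); gsub(/[ \t]/, "", line)
                if (line != "") skip[line] = 1
            }
        }
        /sshd\[[0-9]+\]: Failed password for/ {
            # The source is the token after "from"; the username before it
            # may be one or several words ("invalid user admin").
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            fails[ip]++
        }
        END {
            for (ip in fails)
                if (fails[ip] >= limit && !(ip in skip))
                    printf "%s %d\n", ip, fails[ip]
        }' | sort
}

# ban_commands -> the apf calls BFD would issue for the sample log
ban_commands() {
    find_attackers "$SAMPLE_LOG" "$IGNORE_HOSTS" "$THRESHOLD" |
        while read -r ip count; do
            printf 'apf -d %s   # %s failed sshd logins\n' "$ip" "$count"
        done
}

ban_commands
```

Only 203.0.113.9 is banned: 192.168.1.1 also crossed the threshold but is in the ignore list, and 198.51.100.20 failed once. Lowering the threshold to 1 would ban that single failure too, which is the trade-off the threshold in conf.bfd controls.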

How to configure APF on Linux Machines

A firewall is an important layer on any operating system. It blocks attacks, DDoS traffic and unwanted connections from malware, and keeps the system out of trouble. Users can manage the firewall settings on their own machines easily, and it is well worth doing: without a configured firewall the system is an open door to the whole of the 'www'. It is like the lock on a house door that keeps thieves out.

Installing APF is a good step toward making a Linux box secure. Suppose, for example, that the system is infected by a program capable of sending out your credit card information; the damage to you would be high. So take measures against unwanted attackers in advance. Prevention is better than cure.

Installation And Configuration Of Apf

Requirements:
- Root SSH access to your server

Let's begin!
Login to your server through SSH and su to the root user.

1. cd /root/downloads or another temporary folder where you store your files.

2. wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz

3. tar -xvzf apf-current.tar.gz

4. cd apf-0.9.5-1/ or whatever the latest version is.

5. Run the install file: ./install.sh
As with any tarball fetched over plain HTTP and installed as root, check it against a checksum or signature if RFX Networks publishes one, or at least read install.sh first.
You will receive a message saying it has been installed

.: APF installed
Install path: /etc/apf
Config path: /etc/apf/conf.apf
Executable path: /usr/local/sbin/apf

6. Let's configure the firewall: vi /etc/apf/conf.apf
We will go over the general configuration needed to get your firewall running. This isn't a complete, detailed guide to every feature the firewall has; look through the README and the configuration file for an explanation of each feature.

We like to use DShield.org's "block" list of top networks that have exhibited suspicious activity.
FIND: USE_DS="0"
CHANGE TO: USE_DS="1"

7. Configuring Firewall Ports:

Cpanel Servers
We like to use the following on our Cpanel Servers

Common ingress (inbound) ports
# Common ingress (inbound) TCP ports - 3000_3500 = passive port range for Pure-FTPd
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096,3000_3500"
#
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"

Common egress (outbound) ports
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43,2089"
#
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"

Ensim Servers
This should work on Ensim servers as stated by other users, although we can't guarantee it will work.

Common ingress (inbound) ports
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,19638"
#
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"

Common egress (outbound) ports
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43"
#
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"

Save the changes: :wq

Two things to check before moving on. Whatever port your SSH daemon listens on must be in IG_TCP_CPORTS, or your next SSH connection will be refused as soon as the firewall starts. And the EG_* lists only take effect when egress filtering is switched on (EGF="1" in conf.apf); with the default EGF="0" all outbound traffic is allowed regardless of what is listed.

8. Starting the firewall
/usr/local/sbin/apf -s

Other commands:
usage /usr/local/sbin/apf [OPTION]
-s|--start .............. load firewall policies
-r|--restart ............ flush & load firewall
-f|--flush|--stop ....... flush firewall
-l|--list ............... list chain rules
-st|--status ............ firewall status
-a HOST|--allow HOST .... add host (IP/FQDN) to allow_hosts.rules and
immediately load new rule into firewall
-d HOST|--deny HOST ..... add host (IP/FQDN) to deny_hosts.rules and
immediately load new rule into firewall

9. After everything is fine, change the DEV option
DEVM="1" is development mode: a cron job flushes the firewall every 5 minutes, so a mistaken rule cannot lock you out for good. Once you have had a chance to ensure everything is working well and tested the server out (in particular, that you can still open a new SSH session), change it back to "0"; until then the firewall silently disappears every few minutes.

vi /etc/apf/conf.apf

FIND: DEVM="1"
CHANGE TO: DEVM="0"

Save your changes! :wq
Restart the firewall: /usr/local/sbin/apf -r

10. New - Make APF start automatically at boot time
To autostart APF on reboot, run this:

chkconfig --level 2345 apf on

To remove it from autostart, run this:

chkconfig --del apf
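
The port notation from step 7 and the lockout risk behind step 9, as an added example written for this page (not APF's own code): expand an IG_TCP_CPORTS list into the iptables INPUT rules it stands for, with APF's low_high ranges becoming iptables low:high, and refuse to emit DEVM="0" while the SSH port is missing from the ingress list. The port list is the Cpanel one from step 7; SSH_PORT defaulting to 22 is an assumption.

```shell
#!/bin/sh
# Added example for the APF post above; not code from the project.
# Port list taken from step 7 of the post; SSH_PORT is an assumption.
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096,3000_3500"
SSH_PORT="${SSH_PORT:-22}"

# apf_ports_to_iptables LIST -> one INPUT accept rule per entry.
# APF writes ranges as 3000_3500; iptables wants 3000:3500.
apf_ports_to_iptables() {
    printf '%s\n' "$1" | tr ',' '\n' | while read -r p; do
        case "$p" in
            '')  continue ;;
            *_*) printf 'iptables -A INPUT -p tcp --dport %s -j ACCEPT\n' \
                     "$(printf '%s' "$p" | tr '_' ':')" ;;
            *)   printf 'iptables -A INPUT -p tcp --dport %s -j ACCEPT\n' "$p" ;;
        esac
    done
}

# port_allowed LIST PORT -> exit 0 if PORT is listed singly or lies in a range
port_allowed() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -v want="$2" '
        { gsub(/[ \t]/, "") }
        /_/  { split($0, r, "_"); if (want+0 >= r[1]+0 && want+0 <= r[2]+0) ok = 1 }
        !/_/ { if ($0 != "" && $0+0 == want+0) ok = 1 }
        END  { exit ok ? 0 : 1 }'
}

# safe_to_disable_devm LIST -> prints the DEVM line to put in conf.apf,
# or refuses (exit 1) when turning off the 5-minute flush would strand you.
safe_to_disable_devm() {
    if port_allowed "$1" "$SSH_PORT"; then
        echo 'DEVM="0"'
    else
        echo "refusing: port $SSH_PORT is not in IG_TCP_CPORTS, keep DEVM=\"1\"" >&2
        return 1
    fi
}

apf_ports_to_iptables "$IG_TCP_CPORTS"
safe_to_disable_devm "$IG_TCP_CPORTS"
```

Run it against the IG_TCP_CPORTS value from your own conf.apf (and your real sshd port) before step 9; an SSH port outside the list is exactly the mistake DEVM="1" exists to recover from.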

Thanks to R-fx networks for developing and maintaining this product.