NAT Forward

I've got a NAS on the internal network (..*.44) and would like certain IP addresses from remote location(s) to be able to mount shared folders from it. I generated the rules below:

add action=dst-nat chain=dstnat comment="Samba allowed 137 TCP" dst-port=137 in-interface=ether1 protocol=tcp src-address-list=anat to-addresses=10.1.1.44 to-ports=137
add action=dst-nat chain=dstnat comment="Samba allowed 137 UDP" dst-port=137 in-interface=ether1 protocol=udp src-address-list=anat to-addresses=10.1.1.44 to-ports=137
add action=dst-nat chain=dstnat comment="Samba allowed 138 TCP" dst-port=138 in-interface=ether1 protocol=tcp src-address-list=anat to-addresses=10.1.1.44 to-ports=138
add action=dst-nat chain=dstnat comment="Samba allowed 138 UDP" dst-port=138 in-interface=ether1 protocol=udp src-address-list=anat to-addresses=10.1.1.44 to-ports=138
add action=dst-nat chain=dstnat comment="Samba allowed 139 TCP" dst-port=139 in-interface=ether1 protocol=tcp src-address-list=anat to-addresses=10.1.1.44 to-ports=139
add action=dst-nat chain=dstnat comment="Samba allowed 139 UDP" dst-port=139 in-interface=ether1 protocol=udp src-address-list=anat to-addresses=10.1.1.44 to-ports=139
add action=dst-nat chain=dstnat comment="Samba allowed 445 TCP" dst-port=445 in-interface=ether1 protocol=tcp src-address-list=anat to-addresses=10.1.1.44 to-ports=445
add action=dst-nat chain=dstnat comment="Samba allowed 445 UDP" dst-port=445 in-interface=ether1 protocol=udp src-address-list=anat to-addresses=10.1.1.44 to-ports=445
add action=dst-nat chain=dstnat comment="Samba allowed 901 TCP" dst-port=901 in-interface=ether1 protocol=tcp src-address-list=anat to-addresses=10.1.1.44 to-ports=901
add action=dst-nat chain=dstnat comment="Samba allowed 901 UDP" dst-port=901 in-interface=ether1 protocol=udp src-address-list=anat to-addresses=10.1.1.44 to-ports=901

But for some reason it just doesn't seem to work. Any suggestions on a better rule set for making this work? If something is unclear here, I'll try to recap quickly:

Remote IP addresses (e.g.) 184.74.53.45 and 185.173.19.5 need access to the NAS inside my local network on 172.16.240.44 via ether1. So connections from these addresses should be forwarded to the NAS; the rest should be treated as any other connection attempt. And no, VPN access is not an option.

In advance, thanks for the help.

You need to find out why exactly it doesn't work. First make sure there are some packets actually arriving at your router (if e.g. the ISP doesn't try to protect you by dropping them). Then check if they are passing through your router (using Tools->Torch or a logging rule in postrouting). And finally check the NAS config, if it accepts connections from any address. I could imagine that it would allow only local subnets. The default config in Windows does that, so why couldn't a NAS?

Btw, you probably don't need all those ports. I can access a network share remotely with just tcp/445 forwarded.

Also, check whether you have an accept rule for these connections in the firewall forward chain.
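Putting the two suggestions above together (only tcp/445, plus a matching forward-chain accept rule and a postrouting log rule for troubleshooting), here is an added example of a minimal RouterOS rule set for the poster's scenario; it is not from the original post. It assumes ether1 is the WAN interface, the NAS is at 172.16.240.44 as stated later in the post, and the two remote addresses are the ones the poster named.

```routeros
# Added example, not from the original thread. Assumptions: WAN interface
# ether1, NAS at 172.16.240.44, remote sites 184.74.53.45 and 185.173.19.5.

# 1. Restrict the forward to the named remote addresses only.
/ip firewall address-list
add list=anat address=184.74.53.45 comment="remote site A (example)"
add list=anat address=185.173.19.5 comment="remote site B (example)"

# 2. Modern SMB only needs tcp/445; 137-139 are NetBIOS helpers and
#    901 is not part of the protocol, so none of them are forwarded.
/ip firewall nat
add chain=dstnat action=dst-nat in-interface=ether1 protocol=tcp dst-port=445 \
    src-address-list=anat to-addresses=172.16.240.44 to-ports=445 \
    comment="SMB from allowed remote sites to NAS"

# 3. The forward chain must accept the translated traffic. The stock
#    RouterOS firewall already accepts dst-nat'ed connections from WAN,
#    but a custom "drop all from WAN" rule would block them unless a rule
#    like this one is placed above it (use place-before=N when adding).
/ip firewall filter
add chain=forward action=accept in-interface=ether1 protocol=tcp dst-port=445 \
    dst-address=172.16.240.44 src-address-list=anat \
    connection-nat-state=dstnat comment="allow forwarded SMB to NAS"

# 4. Troubleshooting aid from the reply above: log what actually reaches
#    postrouting for the NAS, so you can see whether packets arrive and
#    are translated. Remove it once the forward is confirmed working.
/ip firewall mangle
add chain=postrouting action=log protocol=tcp dst-address=172.16.240.44 \
    dst-port=445 log-prefix="smb-fwd" comment="temporary: verify forward"
```

Check the log (/log print where message~"smb-fwd") after a remote mount attempt; no entries means the packets are not reaching the router or are dropped before NAT, which points at the ISP or the input/forward chain rather than the NAS.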

Segue: any chance they are all members of the same Active Directory domain? I'm thinking MS DirectAccess is a far more secure option.

Depending on what you are doing on the server side, you are likely opening up user credentials to sniffing as they pass through the Internet. It is common in phishing attacks to embed an image via SMB, and users that are set up to download images in Outlook end up sending their credentials out to the remote SMB server; most people have a global allow outbound with established and related only back in. Those credentials are then dictionary or brute force hacked and, ker-blamo, some nasty folks have access to your resources and a machine.

If your specific requirements negate this issue, then ignore it, but it is something I would take seriously …