[ale] iptables problems...static NAT and filtering rules...

Chris Woodfield rekoil at semihuman.com
Thu Aug 5 20:54:34 EDT 2004


Ok, I've poked at this some more, and I came upon a rather obvious 
solution...I needed to define each public IP as an alias to the 
firewall's outside interface. If only things were that simple... :(

Now what I'm noticing is this: I currently have one of my hosts behind 
the firewall via static NAT (192.168.0.43 private IP, 216.27.162.43 
public), and a host outside the firewall (216.27.162.41).

The *really* odd part is that I can successfully traverse the firewall 
and access my outside host for all protocols except ICMP. What's 
stranger is that I can't get anywhere else other than a host outside 
the firewall. But if I fall back to a MASQUERADE rule, everything works 
properly.

Here's what I see in the /proc/net/ip_conntrack when I try to access a 
host outside my local network:

tcp      6 45 SYN_SENT src=192.168.0.43 dst=17.250.248.77 sport=63520 
dport=80 [UNREPLIED] src=17.250.248.77 dst=216.27.162.43 sport=80 
dport=63520 use=1

Next, I ran tcpdump while trying to access a local and a remote host. 
Here's what I found:

Accessing local host via ssh:

20:45:34.104717 216.27.162.41.22 > 216.27.162.43.63908: . ack 879 win 
7616 <nop,nop,timestamp 266366176 3352729108> (DF)
20:45:34.164818 216.27.162.41.22 > 216.27.162.43.63908: P 932:1524(592) 
ack 879 win 7616 <nop,nop,timestamp 266366236 3352729108> (DF)

ssh is successful, tcpdump sees packets in both directions.

Accessing local host via ssh:

20:46:57.413268 216.27.162.43.63911 > 64.94.1.34.22: S 
2611093937:2611093937(0) win 32768 <mss 1460,nop,wscale 
0,nop,nop,timestamp 3352729274 0> (DF) [tos 0x10]
20:46:59.968362 216.27.162.43.63911 > 64.94.1.34.22: S 
2611093937:2611093937(0) win 32768 <mss 1460,nop,wscale 
0,nop,nop,timestamp 3352729279 0> (DF) [tos 0x10]

tcpdump only sees packets going out, none coming back.

Is there anything else I'm missing here? This is starting to look more 
like a kernel bug than anything...I'm running 2.4.25.

Thanks,

-C

On Aug 5, 2004, at 2:47 PM, Christopher Woodfield wrote:

> Hello,
>
> I tried to set up static NAT rules on my iptables firewall, and was 
> not able to get it to work. A possible cause of the problem (which I 
> haven't been able to test yet) is that I have a series of 
> port-specific rules for each host in addition to the SNAT and DNAT 
> rules.
>
> Here are my SNAT/DNAT rules. $HOSTNAME variables are public IPs and 
> $HOSTNAME_NAT are private IPs; $INETIF is the outside interface and 
> $LANIF is the inside:
>
> # Set up Static SNAT entries (private to public)
> $IPTABLES -t nat -A POSTROUTING -o $INETIF -s $TINO_NAT -j SNAT 
> --to-source $TINO
> $IPTABLES -t nat -A POSTROUTING -o $INETIF -s $ELECTRO_NAT -j SNAT 
> --to-source $ELECTRO
> $IPTABLES -t nat -A POSTROUTING -o $INETIF -s $TWEEK_NAT -j SNAT 
> --to-source $TWEEK
>
> # Set up Static DNAT entries (public to private)
> $IPTABLES -t nat -A PREROUTING -i $INETIF -d $TINO -j DNAT 
> --to-destination $TINO_NAT
> $IPTABLES -t nat -A PREROUTING -i $INETIF -d $ELECTRO -j DNAT 
> --to-destination $ELECTRO_NAT
> $IPTABLES -t nat -A PREROUTING -i $INETIF -d $TWEEK -j DNAT 
> --to-destination $TWEEK_NAT
> #
>
> Then I have a series of port rules, an example is below:
>
> # ssh
> $IPTABLES -A FORWARD -p tcp -i $INETIF -o $LANIF -d $TINO_NAT --dport 
> 22 -j ACCEPT
>
> Are rules like these evaluated before or after the DNAT transformation 
> is done? That is, should the -d on these rules be $TINO_NAT or $TINO?
>
> Thanks,
>
> -C
>

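To read a 2.4-era /proc/net/ip_conntrack entry like the one quoted above without eyeballing it, here is an added Python helper (my own, not code from the thread): it splits the line into the original tuple and the expected reply tuple, and from the difference between them reports whether SNAT or DNAT was applied and whether the flow is still [UNREPLIED]. The sample entry is the one from the message, joined onto one line; the second sample is a constructed inbound-DNAT flow.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed samples: the entry quoted in the message above, and a made-up
# inbound ssh flow that has been DNATed to the private host.
SAMPLE_OUTBOUND = ("tcp      6 45 SYN_SENT src=192.168.0.43 dst=17.250.248.77 "
                   "sport=63520 dport=80 [UNREPLIED] src=17.250.248.77 "
                   "dst=216.27.162.43 sport=80 dport=63520 use=1")
SAMPLE_INBOUND = ("tcp      6 431999 ESTABLISHED src=64.94.1.34 dst=216.27.162.43 "
                  "sport=40000 dport=22 src=192.168.0.43 dst=64.94.1.34 "
                  "sport=22 dport=40000 [ASSURED] use=1")

KV = re.compile(r"(\w+)=(\S+)")

@dataclass
class ConntrackEntry:
    proto: str
    state: Optional[str]   # TCP state, None for stateless protocols
    orig: dict             # tuple as the first packet arrived (pre-NAT)
    reply: dict            # tuple the firewall expects on the reply packet
    unreplied: bool        # no packet in the reply direction seen yet

    def snat_to(self) -> Optional[str]:
        """Address the source was rewritten to; reply dst != orig src means SNAT."""
        return self.reply["dst"] if self.reply["dst"] != self.orig["src"] else None

    def dnat_to(self) -> Optional[str]:
        """Address the destination was rewritten to; reply src != orig dst means DNAT."""
        return self.reply["src"] if self.reply["src"] != self.orig["dst"] else None

    def describe(self) -> str:
        parts = [f"{self.proto} {self.orig['src']}->{self.orig['dst']}"]
        if self.snat_to():
            parts.append(f"SNAT to {self.snat_to()}")
        if self.dnat_to():
            parts.append(f"DNAT to {self.dnat_to()}")
        parts.append("UNREPLIED (no return packet seen)" if self.unreplied else "replies seen")
        return "; ".join(parts)

def parse_conntrack(line: str) -> ConntrackEntry:
    tokens = line.split()
    proto = tokens[0]
    # TCP entries carry a state word in the fourth column; UDP/ICMP do not.
    state = tokens[3] if len(tokens) > 3 and "=" not in tokens[3] else None
    orig, reply = {}, {}
    for key, value in KV.findall(line):
        if key in ("use", "mark"):
            continue
        # The first occurrence of each key belongs to the original tuple,
        # the second occurrence to the reply tuple.
        (reply if key in orig else orig)[key] = value
    return ConntrackEntry(proto, state, orig, reply, "[UNREPLIED]" in line)
```

For the quoted entry this reports SNAT to 216.27.162.43 with no reply seen, i.e. the translation is happening and the missing piece is the return path.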