Solved

iptables SNAT not working for reply packets

Posted on 2004-09-13
7
634 Views
Last Modified: 2012-05-05
I've the following setup

    L1                            L3
     |                             |
     |[ 172.16.0.10 ]        |[172.16.0.30]        
___|________________ |_______________172.16.0.0/16
            |
            | eth0 [172.16.0.20 ]
            |
 -------- L2 --------- ( Firewall )
            |
            | eth1 [ 192.168.0.20 ]
_______|_____________________________192.168.0.0/24
            |
            |
          W2k

Now what I need is
1. 172.16.0.0/16 should be able to access any machine in network 192.168.0.0/24 with a single IP exposed, so I've
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 192.168.0.20
and thats working fine.
2. From 192.168.0.0/24 network should only access service's of 172.16.0.0/16 network which will be port forwarded by L2, so I've
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j DNAT --to 172.16.0.30
and thats working fine.
3. From 192.168.0.0/24 network one should not be able to access any machine of 172.16.0.0/16 directly.
For that I've not added any special rule, as what i think is the rule  I've added in point 1 , should work for that too as when somebody try to ping a machine from W2K machine  to  say L1 the reply will be always matched by that rule defined in point 1 and a reply should never reach to W2K machine.

Am I wrong here ?..., as this is not happening ..ping from W2K to L1 or L3  is working fine. Why its like that ?
Do I need to explicitly block the forwarding of packets from eth1 to eth0 ?

My default Policies are -
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

Thanks




0
Comment
Question by:macv
  • 3
  • 2
7 Comments
 
LVL 40

Expert Comment

by:jlevie
ID: 12044335
> Do I need to explicitly block the forwarding of packets from eth1 to eth0 ?

Yes. What you'll want to do is to use a default DENY stance for the FORWARD chain and explicitly permit traffic to 172.16.0.30
0
 

Author Comment

by:macv
ID: 12051424
But that way somebody can direclty access 172.16.0.30 , i want the complete 172.16.0.0/16 hidden behind firewall , No direct access, only through port forwarding.

Can you explain why
 iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 192.168.0.20
won't block the traffic going from 192.168.0.0/24  network to 172.16.0.0/16 network ?
0
 
LVL 40

Expert Comment

by:jlevie
ID: 12055923
>  But that way somebody can direclty access 172.16.0.30

Only if you permit it. You can, in the FORWARD rule, restrict the traffic to be just what you are port forwarding (80/tcp).

To say why machines in 192.168.0.0/24 can touch machines in the 172.16.0.0/16 network I'd need to see all of your iptables rules.
0
 

Author Comment

by:macv
ID: 12062063
here is the script which i use to create the iptalble : -  ( actually i've create it by modifying ur iptables-gw ) :
#--------- start ---------
iiptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -F -t nat
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

iptables -N firewalled
iptables -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
iptables -A firewalled -j DROP

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 192.168.0.20

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 172.16.0.30

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -i eth0 -d 172.16.0.20 -j ACCEPT

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -j firewalled
#---------- End --------

Well i am confused how other rule does matter, when rule -
   iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 192.168.0.20
says that every packet going out through eth1 should have a source address translation to 192.168.0.20 and that should include a case when a packet is send from 172.16.0.0/16 network as reply against a ping request made from 192.168.0.0/24 network i.e. reply packet should have a source address 192.168.0.20 whereas we are expecting a packet from 172.16.x.x and that should show a packet loss ... shouldn't be it like this?


0
 
LVL 40

Accepted Solution

by:
jlevie earned 50 total points
ID: 12066094
With the rules you have the only ping that makes sense from a node in 192.168.0.0/24 (say 192.168.0.1) is 'ping 192.168.0.20'. Your firewall rules don't block icmp and 192.168.0.20 is visible. However if you have routes set on the nodes in 192.168.0.0 telling them to reach IP's in the 172.16.0.0/16 network via 192.168.0.20 (which would be a bad idea in this case) you might be able to ping with the rule set you are using (I haven't tested that).

The SNAT rule you are using only applies to connections initiated from a node in 172.16.0.0/16. Their outbound packet will have a source IP of 192.168.0.20.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now