macv
asked on
iptables SNAT not working for reply packets
I've the following setup
L1 L3
| |
|[ 172.16.0.10 ] |[172.16.0.30]
___|________________ |_______________172.16.0.0
|
| eth0 [172.16.0.20 ]
|
-------- L2 --------- ( Firewall )
|
| eth1 [ 192.168.0.20 ]
_______|__________________
|
|
W2k
Now what I need is
1. 172.16.0.0/16 should be able to access any machine in network 192.168.0.0/24 with a single IP exposed, so I've
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 192.168.0.20
and thats working fine.
2. From 192.168.0.0/24 network should only access service's of 172.16.0.0/16 network which will be port forwarded by L2, so I've
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j DNAT --to 172.16.0.30
and thats working fine.
3. From 192.168.0.0/24 network one should not be able to access any machine of 172.16.0.0/16 directly.
For that I've not added any special rule, as what i think is the rule I've added in point 1 , should work for that too as when somebody try to ping a machine from W2K machine to say L1 the reply will be always matched by that rule defined in point 1 and a reply should never reach to W2K machine.
Am I wrong here ?..., as this is not happening ..ping from W2K to L1 or L3 is working fine. Why its like that ?
Do I need to explicitly block the forwarding of packets from eth1 to eth0 ?
My default Policies are -
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
Thanks
L1 L3
| |
|[ 172.16.0.10 ] |[172.16.0.30]
___|________________ |_______________172.16.0.0
|
| eth0 [172.16.0.20 ]
|
-------- L2 --------- ( Firewall )
|
| eth1 [ 192.168.0.20 ]
_______|__________________
|
|
W2k
Now what I need is
1. 172.16.0.0/16 should be able to access any machine in network 192.168.0.0/24 with a single IP exposed, so I've
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 192.168.0.20
and thats working fine.
2. From 192.168.0.0/24 network should only access service's of 172.16.0.0/16 network which will be port forwarded by L2, so I've
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j DNAT --to 172.16.0.30
and thats working fine.
3. From 192.168.0.0/24 network one should not be able to access any machine of 172.16.0.0/16 directly.
For that I've not added any special rule, as what i think is the rule I've added in point 1 , should work for that too as when somebody try to ping a machine from W2K machine to say L1 the reply will be always matched by that rule defined in point 1 and a reply should never reach to W2K machine.
Am I wrong here ?..., as this is not happening ..ping from W2K to L1 or L3 is working fine. Why its like that ?
Do I need to explicitly block the forwarding of packets from eth1 to eth0 ?
My default Policies are -
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
Thanks
ASKER
But that way somebody can direclty access 172.16.0.30 , i want the complete 172.16.0.0/16 hidden behind firewall , No direct access, only through port forwarding.
Can you explain why
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 192.168.0.20
won't block the traffic going from 192.168.0.0/24 network to 172.16.0.0/16 network ?
Can you explain why
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 192.168.0.20
won't block the traffic going from 192.168.0.0/24 network to 172.16.0.0/16 network ?
> But that way somebody can direclty access 172.16.0.30
Only if you permit it. You can, in the FORWARD rule, restrict the traffic to be just what you are port forwarding (80/tcp).
To say why machines in 192.168.0.0/24 can touch machines in the 172.16.0.0/16 network I'd need to see all of your iptables rules.
Only if you permit it. You can, in the FORWARD rule, restrict the traffic to be just what you are port forwarding (80/tcp).
To say why machines in 192.168.0.0/24 can touch machines in the 172.16.0.0/16 network I'd need to see all of your iptables rules.
ASKER
here is the script which i use to create the iptalble : - ( actually i've create it by modifying ur iptables-gw ) :
#--------- start ---------
iiptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -F -t nat
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -N firewalled
iptables -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
iptables -A firewalled -j DROP
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 192.168.0.20
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 172.16.0.30
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -d 172.16.0.20 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j firewalled
#---------- End --------
Well i am confused how other rule does matter, when rule -
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 192.168.0.20
says that every packet going out through eth1 should have a source address translation to 192.168.0.20 and that should include a case when a packet is send from 172.16.0.0/16 network as reply against a ping request made from 192.168.0.0/24 network i.e. reply packet should have a source address 192.168.0.20 whereas we are expecting a packet from 172.16.x.x and that should show a packet loss ... shouldn't be it like this?
#--------- start ---------
iiptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -F -t nat
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -N firewalled
iptables -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
iptables -A firewalled -j DROP
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 192.168.0.20
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 172.16.0.30
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -d 172.16.0.20 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j firewalled
#---------- End --------
Well i am confused how other rule does matter, when rule -
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 192.168.0.20
says that every packet going out through eth1 should have a source address translation to 192.168.0.20 and that should include a case when a packet is send from 172.16.0.0/16 network as reply against a ping request made from 192.168.0.0/24 network i.e. reply packet should have a source address 192.168.0.20 whereas we are expecting a packet from 172.16.x.x and that should show a packet loss ... shouldn't be it like this?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Yes. What you'll want to do is to use a default DENY stance for the FORWARD chain and explicitly permit traffic to 172.16.0.30