Hi all,
I'm using the rc.firewall.iptables.dual and .multi script as a guide to create
a firewall script for my network. I have it working and functional, however
there is a small point that to me seems to not be working correctly. I'm using
iptables 1.1.2 and kernel 2.4.2.
I am connecting the internet and two private lans with two nics. On one nic is
my main private lan (1). On the other nic are two aliased addresses, one going
to the internet, one going to the second private lan (2). I've created
variables for the three interfaces, but when it's run the interface for the 2nd
private lan and the internet are the same.
For the moment, I've skipped over all TOS/Egress/Mangling/Check Flags and State
portions of the scripts. I've implemented my previous packet filtering, and
masquerading. I'm now using SNAT and DNAT. In the script I'm using as a
guide, SNAT is matching packets based on an interface:
# $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -s $INTERNAL_NET \
# -j SNAT --to $EXT_IP
In my script, I'm basing it on IP addresses, and leaving interface based
matching to the packet filtering, partly because the interface for intnet2 and
the internet are the same, and partly for simplicity:
privateIP="10.0.0.0/24"
# Private net 1: SNAT to outside
iptables -t nat -A POSTROUTING -s $intnet1 -d ! $privateIP -j SNAT \
--to-source $extip
# Private net 2: SNAT to outside
iptables -t nat -A POSTROUTING -s $intnet2 -d ! $privateIP -j SNAT \
--to-source $extip
This is all I'm doing for SNAT. I'm using DNAT to forward some ports, and
that's it for the nat table. Then I have a whole host of rules in my filter
table. I don't have mangle table support in the kernel.
For testing I had this in my filter table:
iptables -A FORWARD -j ACCEPT (or policy=accept)
Connecting to the internet from either private lan works fine, as well as
connecting to forwarded ports from the internet to either private lan.
The problem lies when I connect from private lan to private lan. It works,
however the source IP address is converted to my $extip, as seen from the
server I'm connecting to, instead of a private ip.
I thought the above rules explicitly stated: "Anything coming from 10.0.x
(intnet1) going to anywhere but 10.x SNAT to $extip." and "Anything coming from
10.1.x(intnet2) going to anywhere but 10.x SNAT to $extip." Thus the
implication would be, "Anything else, don't nat it." Which it should then be
forwarded AS IS based upon the filter table.
Is this reasoning incorrect?
When transferring data from intnet1 to intnet2, I run the command:
iptables -L -t nat -v
several times, and watch the packet and byte count for the rules in the nat
table. No change.
Then I run the command iptables -L -v for the filter table, to see which
rules my data is tickling. When using the above 'Forward All' rule, its
counters increment. When using more explicit packet filtering rules, I see
these ones get all the data. All other forward rules have zero data:
 pkts bytes target prot in   out  source       destination
 115K 8138K ACCEPT all  eth0 eth1 10.0.0.0/16  !10.0.0.0/24
 125K   44M ACCEPT all  eth1 eth0 !10.0.0.0/24 10.0.0.0/16
 1775  879K ACCEPT all  eth1 eth1 10.1.0.0/16  !10.0.0.0/24
 1704  497K ACCEPT all  eth1 eth1 !10.0.0.0/24 10.1.0.0/16
10.0/16 is intnet1 eth0, 10.1/16 is intnet2 eth1.
Below this I have some specific rules for source intnet1, dest intnet2, etc,
but they are not touched (i.e.):
trx  rule   p   if  source      dest        port
0 0  DROP   tcp any 10.1.0.0/16 10.0.0.0/16 dpt:1433
0 0  ACCEPT tcp any 10.0.0.0/16 10.1.0.0/16 spts:1024:65535 dpt:1433
0 0  ACCEPT tcp any 10.1.0.0/16 10.0.0.0/16 spt:1433 dpts:1024:65535
This seems to me to indicate that it's being SNATted prior to the filter/forward
ruleset, even though the SNAT rule shouldn't match the packets, and it's in the
POSTROUTING chain.
If this were so, then a connection from 10.0.0.5 to 10.1.0.5, being snatted:
$extip to 10.1.0.5 would be forwarded on rule #1 above, and responses would
come across rule #2, which would explain to me the large amount of data.
(Here I was using a windows remote admin program, little control transfers to,
yet much graphical data coming back).
Should I add in a rule prior to the above SNAT rules in the nat table with
something like:
iptables -t nat -A POSTROUTING -s $intnet1 -d $intnet2 -j ACCEPT
Can this even be put there?
Where are my rules incorrect?
Thanks!
Cory
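The post's SNAT exclusion uses privateIP="10.0.0.0/24" while the two LANs are described as 10.0.0.0/16 and 10.1.0.0/16. The following shell example is added here and is not part of the original message; it replays the "-s NET -d ! EXCLUDE" match logic offline so a reader can check which destinations a given exclusion actually covers. The addresses 10.0.0.5, 10.1.0.5 and 198.51.100.7 and the 10.0.0.0/8 alternative are constructed for the example.

```shell
#!/bin/bash
# Added example: offline check of the "-s NET -d ! EXCLUDE -j SNAT" match
# logic from the post. All sample addresses below are constructed.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip4_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/PREFIX: succeed if ADDR lies inside NET/PREFIX.
in_cidr() {
    local a n mask prefix
    a=$(ip4_to_int "$1")
    n=$(ip4_to_int "${2%/*}")
    prefix=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    [ $(( a & mask )) -eq $(( n & mask )) ]
}

# snat_decision SRC DST SRCNET EXCLUDE: mirrors the POSTROUTING rule
#   iptables -t nat -A POSTROUTING -s SRCNET -d ! EXCLUDE -j SNAT
# and prints "SNAT" when the rule would match, "no-nat" otherwise.
snat_decision() {
    if in_cidr "$1" "$3" && ! in_cidr "$2" "$4"; then
        echo SNAT
    else
        echo no-nat
    fi
}

# Walk the post's scenario: 10.0.0.5 (intnet1) talking to 10.1.0.5 (intnet2),
# once with the /24 exclusion from the post and once with a /8 that covers
# both LANs, plus a genuine internet destination for comparison.
demo() {
    local src=10.0.0.5 dst=10.1.0.5 intnet1=10.0.0.0/16
    printf 'lan->lan, exclude %-12s -> %s\n' 10.0.0.0/24 \
        "$(snat_decision $src $dst $intnet1 10.0.0.0/24)"
    printf 'lan->lan, exclude %-12s -> %s\n' 10.0.0.0/8 \
        "$(snat_decision $src $dst $intnet1 10.0.0.0/8)"
    printf 'lan->internet (%s)    -> %s\n' 198.51.100.7 \
        "$(snat_decision $src 198.51.100.7 $intnet1 10.0.0.0/8)"
}

demo
```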