* DNAT/MASQ Precedence
From: Katriel Traum @ 2003-01-30 19:31 UTC
To: netfilter
Hello list,
I'm starting to set up a DMZ/LAN setup, and came across a problem/question.
The setup I want to do is a multi-homed firewall, with one intf. to a private
LAN and another to a DMZ.
The FW will MASQ the LAN, and DNAT into the DMZ.
I want to redirect _all_ traffic into the DMZ (is that even possible?) and in
the same time MASQ the LAN. The question is will they collide? If I use a
ruleset such as:
iptables -t nat -A PREROUTING -i $INET_IF -j DNAT --to-destination $DMZ_IP
iptables -t nat -A POSTROUTING -o $INET_IF -j MASQUERADE
(yes, there's only one computer in the DMZ)
Will I get return traffic into my LAN? Won't it be DNATed into the DMZ?
Thanks,
+katriel
pgp key: traum.org.il/gpg.asc
* Re: DNAT/MASQ Precedence
From: Athan @ 2003-01-30 19:34 UTC
To: Katriel Traum; +Cc: netfilter
On Thu, Jan 30, 2003 at 07:31:38PM +0000, Katriel Traum wrote:
> I want to redirect _all_ traffic into the DMZ (is that even possible?) and in
> the same time MASQ the LAN. The question is will they collide? If I use a
> ruleset such as:
> iptables -A PREROUTING -i $INET_IF -j DNAT --to-destination $DMZ_IP
> iptables -A POSTROUTING -o $INET_IF -j MASQUERADE
> (yes, there's only one computer in the DMZ)
>
> Will I get return traffic into my lan? won't it be DNATed into the DMZ?
You need at least one public IP that is *NOT* in the DMZ. Then change
the DMZ rule to exclude on this:
iptables -t nat -A PREROUTING -i $INET_IF ! -d <not-DMZ IP> -j DNAT --to-destination $DMZ_IP
This IP would also be the IP on the outgoing interface of the firewall,
so it should automatically get used for MASQUERADE. If it's all static,
then just use SNAT instead of MASQUERADE and you can specify the IP to
be sure of it:
iptables -t nat -A POSTROUTING -o $INET_IF -s <LAN network> -j SNAT --to-source <not DMZ IP>
Note the '-s' bit on that rule so you only SNAT traffic coming from the
LAN, and not that from the DMZ.
I'm sure others will correct me if anything in this is wrong ;).
-Ath
--
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
Finger athan(at)fysh.org for PGP key
"And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME
* Re: DNAT/MASQ Precedence
From: Katriel Traum @ 2003-01-31 9:58 UTC
To: netfilter
On Thursday 30 January 2003 19:34, Athan wrote:
> On Thu, Jan 30, 2003 at 07:31:38PM +0000, Katriel Traum wrote:
> > I want to redirect _all_ traffic into the DMZ (is that even possible?)
> > and in the same time MASQ the LAN. The question is will they collide? If
> > I use a ruleset such as:
> > iptables -A PREROUTING -i $INET_IF -j DNAT --to-destination $DMZ_IP
> > iptables -A POSTROUTING -o $INET_IF -j MASQUERADE
> > (yes, there's only one computer in the DMZ)
> >
> > Will I get return traffic into my lan? won't it be DNATed into the DMZ?
>
> You need at least one public IP that is *NOT* in the DMZ. Then change
> the DMZ rule to exclude on this:
>
> iptables -A PREROUTING -i $INET_IF -d ! <not-DMZ IP> -j DNAT
> --to-destination $DMZ_IP
Well, the problem is I have 1 public IP via a cable modem.
So I ask again, if I DNAT everything into the DMZ lan, and try to MASQ my
private lan, will I even get return traffic?
>
> This IP would also be the IP on the outgoing interface of the firewall.
> So should automatically get used for MASQUERADE. If it's all static,
> then just use SNAT instead of MASQUERADE and you can specify the IP to
> be sure of it:
>
> iptables -A POSTROUTING -o $INET_IF -s <LAN network> -j SNAT --to-source
> <not DMZ IP>
>
> Note the '-s' bit on that rule so you only SNAT traffic coming from the
> LAN, and not that from the DMZ.
>
> I'm sure others will correct me if anything in this is wrong ;).
>
> -Ath
--
+katriel כתריאל+
pgp key: traum.org.il/gpg.asc
* Re: DNAT/MASQ Precedence
From: Athan @ 2003-01-31 10:14 UTC
To: Katriel Traum; +Cc: netfilter
On Fri, Jan 31, 2003 at 09:58:35AM +0000, Katriel Traum wrote:
> On Thursday 30 January 2003 19:34, Athan wrote:
> > On Thu, Jan 30, 2003 at 07:31:38PM +0000, Katriel Traum wrote:
> > > I want to redirect _all_ traffic into the DMZ (is that even possible?)
> > > and in the same time MASQ the LAN. The question is will they collide? If
> > > I use a ruleset such as:
> > > iptables -A PREROUTING -i $INET_IF -j DNAT --to-destination $DMZ_IP
> > > iptables -A POSTROUTING -o $INET_IF -j MASQUERADE
> > > (yes, there's only one computer in the DMZ)
> > >
> > > Will I get return traffic into my lan? won't it be DNATed into the DMZ?
> >
> > You need at least one public IP that is *NOT* in the DMZ. Then change
> > the DMZ rule to exclude on this:
> >
> > iptables -A PREROUTING -i $INET_IF -d ! <not-DMZ IP> -j DNAT
> > --to-destination $DMZ_IP
>
> Well, the problem is I have 1 public IP via a cable modem.
> So I ask again, if I DNAT everything into the DMZ lan, and try to MASQ my
> private lan, will I even get return traffic?
That would be a problem, yes, as PREROUTING gets done before
POSTROUTING and will change the packets prior to the routing decision.
You may be able to get away with reserving a range of ports to be used
with SNAT though, as the --to-source argument can take a range of port
numbers.
iptables -t nat -A PREROUTING -i $INET_IF -p tcp ! --dport port1:port2 -j DNAT --to-destination $DMZ_IP
iptables -t nat -A POSTROUTING -o $INET_IF -s <LAN network> -j SNAT --to-source $INET_IP:port1-port2
Note that the DNAT rule DOES now mention the protocol explicitly; it has
to for --dport to be valid. Duplicate the line with "-p udp" if you also
need UDP to be working.
For non-UDP/TCP (e.g. ICMP) to work correctly you have to hope a few
rules with the appropriate -m state will do the right thing. AIUI they
should, as how they treat things should be based on the connection
tracking table.
HTH,
-Ath
--
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
Finger athan(at)fysh.org for PGP key
"And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME
* Re: DNAT/MASQ Precedence
From: Katriel Traum @ 2003-01-31 13:14 UTC
To: Athan; +Cc: netfilter
On Friday 31 January 2003 10:14, Athan wrote:
> On Fri, Jan 31, 2003 at 09:58:35AM +0000, Katriel Traum wrote:
> > On Thursday 30 January 2003 19:34, Athan wrote:
> > > On Thu, Jan 30, 2003 at 07:31:38PM +0000, Katriel Traum wrote:
> > > > I want to redirect _all_ traffic into the DMZ (is that even
> > > > possible?) and in the same time MASQ the LAN. The question is will
> > > > they collide? If I use a ruleset such as:
> > > > iptables -A PREROUTING -i $INET_IF -j DNAT --to-destination $DMZ_IP
> > > > iptables -A POSTROUTING -o $INET_IF -j MASQUERADE
> > > > (yes, there's only one computer in the DMZ)
> > > >
> > > > Will I get return traffic into my lan? won't it be DNATed into the
> > > > DMZ?
> > >
> > > You need at least one public IP that is *NOT* in the DMZ. Then
> > > change the DMZ rule to exclude on this:
> > >
> > > iptables -A PREROUTING -i $INET_IF -d ! <not-DMZ IP> -j DNAT
> > > --to-destination $DMZ_IP
> >
> > Well, the problem is I have 1 public IP via a cable modem.
> > So I ask again, if I DNAT everything into the DMZ lan, and try to MASQ my
> > private lan, will I even get return traffic?
>
> That would be a problem yes, as the PREROUTING gets done before the
> POSTROUTING and will change the packets prior to the routing decision.
> You may be able to get away with reserving a range of ports to be used
> with SNAT though as the --to-source argument can take a range of port
> numbers.
>
> iptables -A PREROUTING -i $INET_IF -p tcp --dport ! port1:port2 -j DNAT
> --to-destination $IP
>
> iptables -A POSTROUTING -o $INET_IF -s <LAN network> -j SNAT --to-source
> $IP:port1-port2
>
> Note that the DNAT rule DOES now mention protocol explicitly, it has to
> for --dport to be valid. Duplicate the line with "-p udp" if you also
> need UDP to be working.
> For non UDP/TCP (i.e. ICMP) to work correctly you have to hope a few
> rules with the appropriate -m state will do the right thing. AIUI they
> should as how they treat things should be based on the connection
> tracking table.
Okay, sounds good. So say I want to set aside 2000 SNAT ports (I don't think
I'll have 2000 sockets open at the same time); here's the ruleset I should
use:
iptables -t nat -A PREROUTING -i $INET_IF -p tcp ! --dport 60000:62000 -j DNAT \
    --to-destination $DMZ_IP
iptables -t nat -A PREROUTING -i $INET_IF -p udp ! --dport 60000:62000 -j DNAT \
    --to-destination $DMZ_IP
# POSTROUTING has no input interface to match on, so select the LAN by source prefix
iptables -t nat -A POSTROUTING -o $INET_IF -s $LAN_NET -j SNAT --to-source \
    $INET_IP:60000-62000
As for ICMP, I didn't quite understand you. Can you elaborate?
Thanks!
>
> -Ath
--
+katriel כתריאל+
pgp key: traum.org.il/gpg.asc
* Re: DNAT/MASQ Precedence
From: Athan @ 2003-01-31 11:19 UTC
To: Katriel Traum; +Cc: Athan, netfilter
On Fri, Jan 31, 2003 at 01:14:06PM +0000, Katriel Traum wrote:
> Okay, sounds good, so say I want to save me a 2000 SNAT ports (I don't think
> I'll have 2000 sockets open at the same time)
> here's the ruleset I should use:
>
> iptables -A PREROUTING -i $INET_IF -p tcp --dport ! 60000:62000 -j DNAT \
> --to-destination $DMZ_IP
> iptables -A PREROUTING -i $INET_IF -p udp --dport ! 60000:62000 -j DNAT \
> --to-destination $DMZ_IP
>
> iptables -A POSTROUTING -o $INET_IF -i $LAN_IF -j SNAT --to-source \
> $INET_IP:60000-62000
Looks good at first glance here.
> as for ICMP, I didn't quite understand you. can you elaborate?
For TCP to operate correctly you *NEED* some ICMP working. ICMP isn't
just for ping! There are things like network, host and port
unreachable. There's also things like Path MTU discovery which involves
an ICMP message being sent back if a packet is too big for part of the
route and has the Do not Fragment (DF) flag set.
Basically not allowing ICMP in a blind fashion is NOT the way to do
things. You probably just need to make sure you have the proper FORWARD
rules (filter chain, it's the default so no -t) to allow both
ESTABLISHED and RELATED. You can find these in any mention of SNAT in
docs/howtos.
HTH,
-Ath
--
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
Finger athan(at)fysh.org for PGP key
"And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME
* Re: DNAT/MASQ Precedence
From: Katriel Traum @ 2003-01-31 13:41 UTC
To: Athan; +Cc: netfilter
On Friday 31 January 2003 11:19, Athan wrote:
> On Fri, Jan 31, 2003 at 01:14:06PM +0000, Katriel Traum wrote:
> > Okay, sounds good, so say I want to save me a 2000 SNAT ports (I don't
> > think I'll have 2000 sockets open at the same time)
> > here's the ruleset I should use:
> >
> > iptables -A PREROUTING -i $INET_IF -p tcp --dport ! 60000:62000 -j DNAT \
> > --to-destination $DMZ_IP
> > iptables -A PREROUTING -i $INET_IF -p udp --dport ! 60000:62000 -j DNAT \
> > --to-destination $DMZ_IP
> >
> > iptables -A POSTROUTING -o $INET_IF -i $LAN_IF -j SNAT --to-source \
> > $INET_IP:60000-62000
>
> Looks good at first glance here.
>
> > as for ICMP, I didn't quite understand you. can you elaborate?
>
> For TCP to operate correctly you *NEED* some ICMP working. ICMP isn't
> just for ping! There are things like network, host and port
> unreachable. There's also things like Path MTU discovery which involves
> an ICMP message being sent back if a packet is too big for part of the
> route and has the Do not Fragment (DF) flag set.
> Basically not allowing ICMP in a blind fashion is NOT the way to do
> things. You probably just need to make sure you have the proper FORWARD
> rules (filter chain, it's the default so no -t) to allow both
> ESTABLISHED and RELATED. You can find these in any mention of SNAT in
> docs/howtos.
Of course ICMP is important. I wasn't going to leave it out.
The question is, will the rule:
iptables -A PREROUTING -i $INET_IF -p icmp --dport ! 60000:62000 -j DNAT \
--to-destination $DMZ_IP
do it? And what about ICMP messages aimed back at the LAN?
This will all be accompanied with the appropriate -m state entries.
Katriel
>
> HTH,
>
> -Ath
--
+katriel כתריאל+
pgp key: traum.org.il/gpg.asc
* Re: DNAT/MASQ Precedence
From: Athan @ 2003-01-31 12:18 UTC
To: Katriel Traum; +Cc: Athan, netfilter
On Fri, Jan 31, 2003 at 01:41:11PM +0000, Katriel Traum wrote:
> On Friday 31 January 2003 11:19, Athan wrote:
> > Basically not allowing ICMP in a blind fashion is NOT the way to do
> > things. You probably just need to make sure you have the proper FORWARD
> > rules (filter chain, it's the default so no -t) to allow both
> > ESTABLISHED and RELATED. You can find these in any mention of SNAT in
> > docs/howtos.
> Of course ICMP is important. I wasn't going to leave it out.
> The question is, will the rule:
> iptables -A PREROUTING -i $INET_IF -p icmp --dport ! 60000:62000 -j DNAT \
> --to-destination $DMZ_IP
>
> do it? and what about ICMP messages aimed back at the LAN?
> This will all be accompanied with the appropriate -m state entries.
This I'm mostly sure won't work. As I kind of said above, what you
want is -m state --state RELATED rules to do it, as RELATED includes
'icmp to do with this connection'. No need for ports or IPs as it'll
get info on which connections to do it for and where to pass it from the
connection tracking.
-Ath
--
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
Finger athan(at)fysh.org for PGP key
"And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME
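The ordering the whole thread turns on, as a small model: conntrack lookup first, then the nat PREROUTING rule (DNAT), the routing decision, the nat POSTROUTING rule (SNAT) and finally the filter FORWARD chain with the ESTABLISHED,RELATED rule Athan points to. This is an added example, not code from the thread or from netfilter. The interface names, addresses and the FORWARD policy are assumptions; the 60000-62000 range is the one Katriel settled on. It pushes the final ruleset through the cases discussed above: a LAN connection and its reply, an ICMP error belonging to that connection, an unsolicited connection DNATed to the DMZ host and its reply, a new connection aimed at a reserved port, and the DMZ host trying to reach the LAN.

```python
import ipaddress
from collections import namedtuple

# Constructed stand-ins for the thread's $INET_IF/$LAN_IF, $INET_IP, $DMZ_IP and LAN prefix.
INET_IF, LAN_IF, DMZ_IF = "eth0", "eth1", "eth2"
PUBLIC_IP = "203.0.113.10"                        # the one cable-modem address ($INET_IP)
DMZ_IP = "192.168.2.2"                            # the only DMZ host ($DMZ_IP)
LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # the private LAN behind $LAN_IF
SNAT_PORTS = range(60000, 62001)                  # reserved for SNAT, excluded from DNAT

# proto is "tcp"/"udp"/"icmp"; for ICMP errors `inner` holds the quoted header.
Packet = namedtuple("Packet", "proto src sport dst dport in_if inner", defaults=(None,))


def reverse(t):  # (proto, s, sp, d, dp) -> (proto, d, dp, s, sp)
    return (t[0], t[3], t[4], t[1], t[2])


def route(dst):
    """Routing decision; it runs after PREROUTING, so it sees the DNATed address."""
    if dst == PUBLIC_IP:  # addressed to the firewall itself: INPUT, not FORWARD
        return "local"
    return DMZ_IF if dst == DMZ_IP else LAN_IF if ipaddress.ip_address(dst) in LAN_NET else INET_IF


class Firewall:
    def __init__(self):
        self.conntrack = []  # entries: {"orig": tuple before NAT, "nat": tuple after NAT}

    def lookup(self, pkt):
        """Conntrack runs first; only packets it does not know go through the nat table."""
        t = pkt[:5]
        for e in self.conntrack:
            if t == e["orig"]:
                return e, "ESTABLISHED", "original"
            if t == reverse(e["nat"]):
                return e, "ESTABLISHED", "reply"
        if pkt.proto == "icmp" and pkt.inner is not None:
            for e in self.conntrack:  # the quoted header carries the post-NAT addresses
                if pkt.inner[:5] == e["nat"]:
                    return e, "RELATED", "reply"
        return None, "NEW", None

    def prerouting(self, pkt):
        # iptables -t nat -A PREROUTING -i $INET_IF -p tcp ! --dport 60000:62000 \
        #     -j DNAT --to-destination $DMZ_IP        (plus the same rule for udp)
        if pkt.in_if == INET_IF and pkt.proto in ("tcp", "udp") and pkt.dport not in SNAT_PORTS:
            return pkt._replace(dst=DMZ_IP)
        return pkt

    def postrouting(self, pkt, out_if):
        # iptables -t nat -A POSTROUTING -o $INET_IF -s $LAN_NET \
        #     -j SNAT --to-source $INET_IP:60000-62000
        if out_if == INET_IF and ipaddress.ip_address(pkt.src) in LAN_NET:
            used = {e["nat"] for e in self.conntrack}
            for port in SNAT_PORTS:  # choose a port that keeps the NATed tuple unique
                if (pkt.proto, PUBLIC_IP, port, pkt.dst, pkt.dport) not in used:
                    return pkt._replace(src=PUBLIC_IP, sport=port)
            raise RuntimeError("SNAT port range exhausted")
        return pkt

    def forward(self, state, pkt, out_if):
        # Assumed filter FORWARD chain (the thread defers to the howtos for it): accept
        # ESTABLISHED,RELATED, NEW from the LAN, NEW from the Internet to the DMZ host; else DROP.
        if state in ("ESTABLISHED", "RELATED") or pkt.in_if == LAN_IF:
            return "ACCEPT"
        if pkt.in_if == INET_IF and out_if == DMZ_IF and pkt.dst == DMZ_IP:
            return "ACCEPT"
        return "DROP"

    def handle(self, pkt):
        """Return (conntrack state, packet as it leaves, output interface, verdict)."""
        entry, state, direction = self.lookup(pkt)
        if entry is None:  # first packet of a connection: the nat rules are consulted
            after_dnat = self.prerouting(pkt)
            out_if = route(after_dnat.dst)
            out = self.postrouting(after_dnat, out_if)
            self.conntrack.append({"orig": pkt[:5], "nat": out[:5]})
        elif direction == "original":  # later packet, same direction: reuse the binding
            _, s, sp, d, dp = entry["nat"]
            out = pkt._replace(src=s, sport=sp, dst=d, dport=dp)
            out_if = route(out.dst)
        else:  # reply or related packet: undo the binding, nat rules never evaluated
            _, s, sp, d, dp = entry["orig"]
            if state == "RELATED":  # rewrite the outer destination and the quoted header
                out = pkt._replace(dst=s, inner=pkt.inner._replace(src=s, sport=sp))
            else:
                out = pkt._replace(src=d, sport=dp, dst=s, dport=sp)
            out_if = route(out.dst)
        verdict = "INPUT" if out_if == "local" else self.forward(state, out, out_if)
        return state, out, out_if, verdict


def demo():
    """The thread's scenarios in order; each value is what leaves the firewall."""
    fw, r = Firewall(), {}
    r["lan_new"] = fw.handle(Packet("tcp", "192.168.1.5", 40000, "198.51.100.7", 80, LAN_IF))
    r["lan_reply"] = fw.handle(Packet("tcp", "198.51.100.7", 80, PUBLIC_IP, 60000, INET_IF))
    r["icmp_related"] = fw.handle(Packet("icmp", "198.51.100.20", 0, PUBLIC_IP, 0, INET_IF,
                                         Packet("tcp", PUBLIC_IP, 60000, "198.51.100.7", 80, INET_IF)))
    r["inet_new"] = fw.handle(Packet("tcp", "198.51.100.9", 5555, PUBLIC_IP, 22, INET_IF))
    r["dmz_reply"] = fw.handle(Packet("tcp", DMZ_IP, 22, "198.51.100.9", 5555, DMZ_IF))
    r["reserved_port"] = fw.handle(Packet("tcp", "198.51.100.9", 5556, PUBLIC_IP, 60001, INET_IF))
    r["dmz_to_lan"] = fw.handle(Packet("tcp", DMZ_IP, 4444, "192.168.1.5", 445, DMZ_IF))
    return r
```

Two things the model makes visible. The nat table is consulted only for the first packet of a connection: the reply to a SNATed LAN connection is matched by conntrack and un-NATed before the DNAT rule in PREROUTING is ever evaluated, and the same lookup, keyed on the header quoted inside an ICMP error, is what turns that error into a RELATED packet bound for the LAN host with no port or address match needed, which is the point of Athan's last message. The other thing to notice is the `-s $LAN_NET` match on the SNAT rule: with a single public address, connections the DMZ host opens itself are not covered by it and would leave with a private source unless they get a SNAT rule of their own, and the assumed FORWARD policy is what stops that host from opening connections into the LAN.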