* Nat for two private subnets with subnet routing
From: Gerry Weaver @ 2004-07-21 21:42 UTC
To: netfilter
Hello All,
I'm having a bit of trouble setting up a linux router with two private
subnets. Each subnet can access the internet, but they cannot
communicate with each other. I've included my rules. Any and all advice
would be greatly appreciated.
Thanks in advance,
-G
### setup networking ############################################
LAN_IP1="10.10.10.1/24"
LAN_IP2="10.10.11.254/24"
echo "Bringing down interfaces"
# bring down interfaces
ip link set $WAN_IFACE down
ip link set $LAN_IFACE1 down
ip link set $LAN_IFACE2 down
echo "Setting interface addresses"
# set interface addresses
ip addr add $WAN_IP dev $WAN_IFACE
ip addr add $LAN_IP1 dev $LAN_IFACE1
ip addr add $LAN_IP2 dev $LAN_IFACE2
echo "Cleanup iptables"
# clean up the tables
iptables -F
iptables -X
iptables -Z
echo "Setting default policies"
# Set the default policies
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
echo "Bringing up interfaces"
# bring up interfaces
ip link set $WAN_IFACE up
ip link set $LAN_IFACE1 up
ip link set $LAN_IFACE2 up
echo "Adding default route"
# add default route
ip route add default via $INET_ROUTER dev eth0
echo "Enable forwarding"
# Enable ip_forward
echo "1" > /proc/sys/net/ipv4/ip_forward
### setup firewall
#######################################################
# Let stuff on the local loopback through
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
echo "Setup SNAT..."
# Source NAT
iptables -t nat -A POSTROUTING -s 10.10.11.0/24 -j SNAT --to $WAN_IP
echo "Accept internal addresses"
# packets with valid internal address are accepted on $LAN_IFACE
iptables -t mangle -A PREROUTING -i $LAN_IFACE1 -s $INTERNAL_ADDRESS_RANGE1 -j ACCEPT
iptables -t mangle -A PREROUTING -i $LAN_IFACE2 -s $INTERNAL_ADDRESS_RANGE2 -j ACCEPT
#iptables -t mangle -A PREROUTING -i $LAN_IFACE1 -s $INTERNAL_ADDRESS_RANGE2 -j ACCEPT
#iptables -t mangle -A PREROUTING -i $LAN_IFACE2 -s $INTERNAL_ADDRESS_RANGE1 -j ACCEPT
# no packets with $LAN_IP accepted on $WAN_IFACE
iptables -t mangle -A PREROUTING -i $WAN_IFACE -s $INTERNAL_ADDRESS_RANGE1 -j DROP
iptables -t mangle -A PREROUTING -i $WAN_IFACE -s $INTERNAL_ADDRESS_RANGE2 -j DROP
# allow connections to firewall from LAN
iptables -A INPUT -p ALL -i $LAN_IFACE1 -s $INTERNAL_ADDRESS_RANGE1 -d $LAN_BCAST_ADDRESS1 -j ACCEPT
iptables -A INPUT -p ALL -i $LAN_IFACE2 -s $INTERNAL_ADDRESS_RANGE2 -d $LAN_BCAST_ADDRESS2 -j ACCEPT
iptables -A OUTPUT -o $WAN_IFACE -j ACCEPT
# First off, allow through standard subnet-subnet traffic. It doesn't need
# to be logged, so get it out of there
# Accept the traffic to and from the subnets
iptables -A FORWARD -p all -s $INTERNAL_ADDRESS_RANGE1 -d $INTERNAL_ADDRESS_RANGE1 -j ACCEPT
iptables -A FORWARD -p ALL -s $INTERNAL_ADDRESS_RANGE2 -d $INTERNAL_ADDRESS_RANGE2 -j ACCEPT
#iptables -A FORWARD -p ALL -s $INTERNAL_ADDRESS_RANGE1 -d $INTERNAL_ADDRESS_RANGE2 -j ACCEPT
#iptables -A FORWARD -p ALL -s $INTERNAL_ADDRESS_RANGE2 -d $INTERNAL_ADDRESS_RANGE1 -j ACCEPT
# Put in a syn flood rule to stop people from a DOS attack
# Commented out while testing things
iptables -N syn-flood
iptables -A FORWARD -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
# Allow new connections out (And logged for interest sake)
#iptables -A FORWARD -p tcp -s $INTERNAL_ADDRESS_RANGE --syn -m state --state NEW -j LOG --log-prefix "New connection: "
iptables -A FORWARD -p tcp -s $INTERNAL_ADDRESS_RANGE1 --syn -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp -s $INTERNAL_ADDRESS_RANGE2 --syn -m state --state NEW -j ACCEPT
# allow all DNS traffic out
iptables -A FORWARD -p udp -s $INTERNAL_ADDRESS_RANGE1 -j ACCEPT
iptables -A FORWARD -p udp -s $INTERNAL_ADDRESS_RANGE2 -j ACCEPT
# And accept established connections
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Also don't allow fragments - they're bad
iptables -A FORWARD -f -j LOG --log-prefix "IP Fragment: "
iptables -A FORWARD -f -j DROP
# Allow ping out (but not in)
iptables -A FORWARD -p icmp -s $INTERNAL_ADDRESS_RANGE1 -j ACCEPT
iptables -A FORWARD -p icmp -s $INTERNAL_ADDRESS_RANGE2 -j ACCEPT
# And in this bit we'll put the things we do allow in
# Allow web requests to web server
iptables -A FORWARD -p tcp -d $WWW --dport 80 -j ACCEPT
# FTP connections to ftp server
iptables -A FORWARD -p tcp -d $FTP --dport 21 -j ACCEPT
# Allow incoming mail
iptables -A FORWARD -p tcp -d $MAIL --dport 25 -j ACCEPT
# DNS lookups to DNS
iptables -A FORWARD -p tcp -d $DNSa --dport 53 -j ACCEPT
iptables -A FORWARD -p udp -d $DNSa --dport 53 -j ACCEPT
# And DNS requests to Secondary DNS
iptables -A FORWARD -p tcp -d $DNSb --dport 53 -j ACCEPT
iptables -A FORWARD -p udp -d $DNSb --dport 53 -j ACCEPT
# Log and drop stuff
iptables -A FORWARD -p tcp -j LOG --log-prefix "Dropped TCP: "
iptables -A FORWARD -p tcp -j DROP
iptables -A FORWARD -p udp -j LOG --log-prefix "Dropped UDP: "
iptables -A FORWARD -p udp -j DROP
iptables -A FORWARD -p icmp -j LOG --log-prefix "Dropped ICMP: "
iptables -A FORWARD -p icmp -j DROP
# This is to really make sure things disappear
iptables -A FORWARD -j LOG --log-prefix "End Forward chain - Dropped: "
iptables -A FORWARD -j DROP
* Re: Nat for two private subnets with subnet routing
From: Antony Stone @ 2004-07-21 22:02 UTC
To: netfilter
On Wednesday 21 July 2004 10:42 pm, Gerry Weaver wrote:
> Hello All,
>
> I'm having a bit of trouble setting up a linux router with two private
> subnets. Each subnet can access the internet, but they cannot
> communicate with each other. I've included my rules. Any and all advice
> would be greatly appreciated.
I believe that this rule:
> iptables -t nat -A POSTROUTING -s 10.10.11.0/24 -j SNAT --to $WAN_IP
would benefit from specifying that it only applies to packets leaving via
$WAN_IFACE, otherwise it is going to SNAT packets from LAN1 to LAN2 and apply
the source address of $WAN_IP, which is probably not what you want?
> iptables -t mangle -A PREROUTING -i $LAN_IFACE1 -s
> $INTERNAL_ADDRESS_RANGE1 -j ACCEPT
Why are you bothering to specify ACCEPT rules in the mangle table?
> iptables -t mangle -A PREROUTING -i $WAN_IFACE -s
> $INTERNAL_ADDRESS_RANGE1 -j DROP
I do not agree with DROPping packets in the mangle table. DROP is a
filtering action, and belongs in the filter tables.
> iptables -A FORWARD -p all -s $INTERNAL_ADDRESS_RANGE1 -d
> $INTERNAL_ADDRESS_RANGE1 -j ACCEPT
>
> iptables -A FORWARD -p ALL -s $INTERNAL_ADDRESS_RANGE2 -d
> $INTERNAL_ADDRESS_RANGE2 -j ACCEPT
I do not understand the above two rules. Are internal address range1 and 2
the subnets on LAN1 and LAN2? If so, packets between same-subnet addresses
are not going to pass through your firewall. If not, what are they?
I suggest you firstly identify whether you have a routing problem or a
firewalling problem.
Disconnect the machine from the WAN link to the Internet, flush all rules in
all tables and apply default ACCEPT policies to all chains, then see if LAN1
can communicate with LAN2.
If they can, start with a simple ruleset and build up gradually so that you
can find out which rule/s break the inter-LAN routing.
If they cannot, then your problem is a routing problem, not netfilter, and I
suggest you check the routing table on the firewall.
If you want further help, please post the output of: "iptables -L -nvx;
iptables -L -t nat -nvx; iptables -L -t mangle -nvx; route -n".
Regards,
Antony.
--
If builders made buildings the way programmers write programs, then the first
woodpecker to come along would destroy civilisation.
Please reply to the list;
please don't CC me.
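As an added illustration of the point about the unscoped SNAT rule (this is not code from the thread or from any of its posters), the small Python model below applies a nat POSTROUTING SNAT rule the way netfilter matches it: by source address and, optionally, by the outgoing interface chosen by the routing decision. The two subnets are the ones in Gerry's script; the WAN address 203.0.113.10, the interface names `lan1`, `lan2` and `wan`, and the host addresses are assumed placeholders. Without `-o`, a packet from LAN2 to LAN1 leaves the router carrying the WAN address as its source; with `-o wan`, only packets actually heading for the Internet are rewritten.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Router addressing from Gerry's script; WAN_IP and the interface names are
# constructed placeholders for this example.
WAN_IP = "203.0.113.10"
INTERFACES = {
    "lan1": ipaddress.ip_network("10.10.10.0/24"),
    "lan2": ipaddress.ip_network("10.10.11.0/24"),
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    out_iface: str = ""  # filled in by route()


@dataclass(frozen=True)
class SnatRule:
    """One `iptables -t nat -A POSTROUTING -s SRC [-o IFACE] -j SNAT --to TO` rule."""
    src: str
    to: str
    out_iface: Optional[str] = None  # None models a rule with no -o match


def route(pkt: Packet) -> Packet:
    """Routing decision: a directly connected subnet wins, anything else
    takes the default route out of the WAN interface."""
    dst = ipaddress.ip_address(pkt.dst)
    for name, net in INTERFACES.items():
        if dst in net:
            return replace(pkt, out_iface=name)
    return replace(pkt, out_iface="wan")


def postrouting(pkt: Packet, rules) -> Packet:
    """Walk the nat POSTROUTING chain; the first matching SNAT rule rewrites
    the source and terminates the chain, as in netfilter."""
    for rule in rules:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
            continue
        if rule.out_iface is not None and rule.out_iface != pkt.out_iface:
            continue
        return replace(pkt, src=rule.to)
    return pkt


def source_after_nat(src: str, dst: str, rules) -> str:
    """Source address a packet carries after routing and POSTROUTING."""
    return postrouting(route(Packet(src, dst)), rules).src


# The rule as posted (no -o) versus the same rule scoped to the WAN interface.
UNSCOPED = [SnatRule("10.10.11.0/24", WAN_IP)]
SCOPED = [SnatRule("10.10.11.0/24", WAN_IP, out_iface="wan")]

if __name__ == "__main__":
    for label, rules in (("no -o", UNSCOPED), ("-o wan", SCOPED)):
        print(f"{label:>7}: LAN2->LAN1 seen from",
              source_after_nat("10.10.11.5", "10.10.10.7", rules),
              "| LAN2->Internet seen from",
              source_after_nat("10.10.11.5", "198.51.100.1", rules))
```

The model only covers the SNAT match itself; it does not model conntrack reversing the translation on replies, which is a separate mechanism and not the point under discussion.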
* Re: Nat for two private subnets with subnet routing
From: John A. Sullivan III @ 2004-07-21 22:56 UTC
To: netfilter
On Wed, 2004-07-21 at 18:02, Antony Stone wrote:
> On Wednesday 21 July 2004 10:42 pm, Gerry Weaver wrote:
>
> > Hello All,
> >
> > I'm having a bit of trouble setting up a linux router with two private
> > subnets. Each subnet can access the internet, but they cannot
> > communicate with each other. I've included my rules. Any and all advice
> > would be greatly appreciated.
>
> I believe that this rule:
>
> > iptables -t nat -A POSTROUTING -s 10.10.11.0/24 -j SNAT --to $WAN_IP
>
> would benefit from specifying that it only applies to packets leaving via
> $WAN_IFACE, otherwise it is going to SNAT packets from LAN1 to LAN2 and apply
> the source address of $WAN_IP, which is probably not what you want?
>
> > iptables -t mangle -A PREROUTING -i $LAN_IFACE1 -s
> > $INTERNAL_ADDRESS_RANGE1 -j ACCEPT
>
> Why are you bothering to specify ACCEPT rules in the mangle table?
>
> > iptables -t mangle -A PREROUTING -i $WAN_IFACE -s
> > $INTERNAL_ADDRESS_RANGE1 -j DROP
>
> I do not agree with DROPping packets in the mangle table. DROP is a
> filtering action, and belongs in the filter tables.
>
> > iptables -A FORWARD -p all -s $INTERNAL_ADDRESS_RANGE1 -d
> > $INTERNAL_ADDRESS_RANGE1 -j ACCEPT
> >
> > iptables -A FORWARD -p ALL -s $INTERNAL_ADDRESS_RANGE2 -d
> > $INTERNAL_ADDRESS_RANGE2 -j ACCEPT
>
> I do not understand the above two rules. Are internal address range1 and 2
> the subnets on LAN1 and LAN2? If so, packets between same-subnet addresses
> are not going to pass through your firewall. If not, what are they?
>
> I suggest you firstly identify whether you have a routing problem or a
> firewalling problem.
> Disconnect the machine from the WAN link to the Internet, flush all rules in
> all tables and apply default ACCEPT policies to all chains, then see if LAN1
> can communicate with LAN2.
> If they can, start with a simple ruleset and build up gradually so that you
> can find out which rule/s break the inter-LAN routing.
> If they cannot, then your problem is a routing problem, not netfilter, and I
> suggest you check the routing table on the firewall.
>
> If you want further help, please post the output of: "iptables -L -nvx;
> iptables -L -t nat -nvx; iptables -L -t mangle -nvx; route -n".
>
> Regards,
>
> Antony.
Antony has given some excellent advice here and has identified your
problem as doing NAT on your internal traffic. I learn quite a bit from
Antony but would contest one statement he makes. After testing and
corroboration from other experienced members of this list, I do
recommend dropping malicious packets as soon as possible and that means
in the mangle table. Other, more generic DROP rules I, of course, put
in the filter table but rules regarding bad tcp flags, spoofs, etc., I
put in mangle. Take care, all - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
* Firewall IP change
From: Frédéric Gonzatti @ 2004-07-23 12:57 UTC
To: netfilter
Hi all,
I've got a big problem with my firewall, which has three ethernet cards:
eth0: 172.16.2.1/255.255.255.0 ----> LAN
eth1: 192.168.2.1/255.255.255.0 ----> DMZ
eth2: 192.168.3.1/255.255.255.0 ----> WAN
This firewall is connected to a router which has WAN IP 192.168.3.254 and a
public IP for the WAN : 62.160.X.X/255.255.255.255
This configuration is working !!!
I have tried to replace the WAN IP of my firewall with a public IP : 62.160.X.Y
# ifconfig eth2 62.160.X.Y netmask 255.255.255.248
# route add default gw 62.160.X.Z (which is the new IP of the router; the WAN and LAN
interfaces of the router are the same)
I can access the internet from my firewall but unfortunately not from my
LAN.
So for now I have gone back to my old configuration until I know why it was not working.
Have you got any idea please ?
My iptables script is :
iptables -t filter -F
iptables -t nat -F
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT
###########
# FORWARD #
###########
##############
# LAN -->DMZ #
##############
iptables -t nat -A PREROUTING -d 172.16.2.1 -p tcp --dport 110 -j DNAT --to-destination 192.168.2.150:110
iptables -t filter -A FORWARD -i eth0 -o eth1 -s 172.16.0.0/16 -d 192.168.2.150/32 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i eth1 -o eth0 -s 192.168.2.150/32 -d 172.16.0.0/16 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
###############
# LAN --> WAN #
###############
###################################
# IDENT PROTOCOL: TCP and UDP 113 #
###################################
iptables -t filter -A FORWARD -p tcp --dport 113 -j ACCEPT
iptables -t filter -A FORWARD -p tcp --sport 113 -j ACCEPT
iptables -t filter -A FORWARD -p udp --dport 113 -j ACCEPT
iptables -t filter -A FORWARD -p udp --sport 113 -j ACCEPT
###################################
# HTTP, HTTPS: TCP 80 and TCP 443 #
###################################
iptables -t filter -A FORWARD -i eth0 -o eth2 -s 172.16.0.0/16 -d 0/0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i eth2 -o eth0 -s 0/0 -d 172.16.0.0/16 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -o eth2 -s 172.16.0.0/16 -d 0/0 -p tcp --dport 443 -j ACCEPT
iptables -t filter -A FORWARD -i eth2 -o eth0 -s 0/0 -d 172.16.0.0/16 -p tcp --sport 443 -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -o eth2 -s 172.16.0.0/16 -d 0/0 -p udp --dport 443 -j ACCEPT
iptables -t filter -A FORWARD -i eth2 -o eth0 -s 0/0 -d 172.16.0.0/16 -p udp --sport 443 -j ACCEPT
#################
# POP3 protocol #
#################
iptables -t filter -A FORWARD -i eth0 -o eth2 -s 172.16.0.0/16 -d 0/0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i eth2 -o eth0 -s 0/0 -d 172.16.0.0/16 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
################
# FTP protocol #
################
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
iptables -t filter -A FORWARD -s 172.16.0.0/16 -d 0/0 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -s 0/0 -d 172.16.0.0/16 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -s 172.16.0.0/16 -d 0/0 -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -s 0/0 -d 172.16.0.0/16 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -s 172.16.0.0/16 -d 0/0 -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -s 0/0 -d 172.16.0.0/16 -p tcp --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -j DROP
iptables -t filter -A OUTPUT -j DROP
iptables -t filter -A FORWARD -j DROP
Thanks
Fred99
* Re: Firewall IP change
From: Antony Stone @ 2004-07-24 15:47 UTC
To: netfilter
On Friday 23 July 2004 1:57 pm, Frédéric Gonzatti wrote:
> Hi all,
>
> I've got a big problem with my firewall, which has three ethernet cards:
> eth0: 172.16.2.1/255.255.255.0 ----> LAN
> eth1: 192.168.2.1/255.255.255.0 ----> DMZ
> eth2: 192.168.3.1/255.255.255.0 ----> WAN
>
> This firewall is connected to a router which has WAN IP 192.168.3.254 and a
> public IP for the WAN : 62.160.X.X/255.255.255.255
> This configuration is working !!!
This means that your WAN router must be doing SNAT for you on packets to the
Internet, and the corresponding DNAT on packets coming back again.
> I have tried to replace the WAN IP of my firewall with a public IP :
> 62.160.X.Y # ifconfig eth2 62.160.X.Y netmask 255.255.255.248
> # route add default gw 62.160.X.Z (which is the new IP of the router; the WAN and
> LAN interfaces of the router are the same)
>
> I can access the internet from my firewall but unfortunately not from my
> LAN.
> So for now I have gone back to my old configuration until I know why it was not
> working. Have you got any idea please ?
Yes; if you want to use your WAN router in bridging mode (which it is if you
have the same address on both internal and external interfaces) with a public
IP on your firewall, then you need to SNAT outbound packets (which will
automatically DNAT reply packets for you too):
iptables -A POSTROUTING -t nat -o eth2 -j DNAT --to 62.160.X.Y
Regards,
Antony.
--
This email was created using 100% recycled electrons.
Please reply to the list;
please don't CC me.
* Re: Firewall IP change
From: Frédéric Gonzatti @ 2004-07-26 12:13 UTC
To: netfilter
Thanks for your answer but if I understand what you mean, I have only to add
the following line in my iptables script :
iptables -A POSTROUTING -t nat -o eth2 -j DNAT --to 62.160.X.Y
With this line, will the computers on my LAN and my DMZ be allowed to get out to the
Internet ??
With the two following lines will it work ?
iptables -t nat -A POSTROUTING -s 172.16.0.0/16 -o eth2 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth2 -j MASQUERADE
Thanks
Frederic
* Re: Firewall IP change
From: Antony Stone @ 2004-07-26 12:27 UTC
To: netfilter
On Monday 26 July 2004 1:13 pm, Frédéric Gonzatti wrote:
> Thanks for your answer but if I understand what you mean, I have only to
> add the following line in my iptables script :
> iptables -A POSTROUTING -t nat -o eth2 -j DNAT --to 62.160.X.Y
Please note the correction posted by Jason Opperisano - I typed a D instead of
an S:
iptables -A POSTROUTING -t nat -o eth2 -j SNAT --to 62.160.X.Y
> With this line, will the computers on my LAN and my DMZ be allowed to get out to the
> Internet ??
Yes.
> With the two following lines will it work ?
> iptables -t nat -A POSTROUTING -s 172.16.0.0/16 -o eth2 -j MASQUERADE
> iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth2 -j MASQUERADE
Yes, that would work as well, but:
1. Why do you want to specify the source addresses? Do you have any other
subnets on the inside of your firewall (if not, why bother to specify, if
yes, don't you want those other addresses to have access to the Internet?)
2. Do you have a dynamic (DHCP) address on eth2? If so, then MASQUERADE is
the correct target, but if it's a static address, SNAT is marginally more
efficient.
Regards,
Antony.
--
If J. Random Websurfer clicks on a button that promises dancing pigs on his
computer monitor, and instead gets a hortatory message describing the
potential dangers of the applet - he's going to choose dancing pigs over
computer security any day. If the computer prompts him with a warning screen
like: "The applet DANCING PIGS could contain malicious code that might do
permanent damage to your computer, steal your life's savings, and impair your
ability to have children," he'll click "OK" without even reading it. Thirty
seconds later he won't even remember that the warning screen even existed.
- Bruce Schneier "Secrets and Lies"
Please reply to the list;
please don't CC me.
* Re: Firewall IP change
From: Frédéric Gonzatti @ 2004-07-26 13:20 UTC
To: netfilter
Thanks Antony,
According to your explanations I think I'd rather include the following
line in my iptables script :
iptables -A POSTROUTING -t nat -o eth2 -j SNAT --to 62.160.X.Y
But to be sure : I've got two computers on my DMZ which have IPs in
192.168.2.0/255.255.255.0 and other computers on my LAN which have IPs
in 172.16.0.0/255.255.0.0, and a static public IP on my WAN firewall.
So the best way is to use the line you advised me ?
Where in my script do I have to add this line ? At the beginning, just after a
modprobe iptable_nat line ?
Last question : Do you see some clumsy things or errors in my script ?
Unfortunately I think there are .... ;-(
Thanks again for your help
Frederic
* Re: Firewall IP change
From: Antony Stone @ 2004-07-26 13:43 UTC
To: netfilter
On Monday 26 July 2004 2:20 pm, Frédéric Gonzatti wrote:
> Thanks Antony,
>
> According to your explanations I think I'd rather include the following
> line in my iptables script :
> iptables -A POSTROUTING -t nat -o eth2 -j SNAT --to 62.160.X.Y
>
> But to be sure : I've got two computers on my DMZ which have IPs in
> 192.168.2.0/255.255.255.0 and other computers on my LAN which have IPs
> in 172.16.0.0/255.255.0.0, and a static public IP on my WAN
> firewall. So the best way is to use the line you advised me ?
Yes.
> Where in my script do I have to add this line ? At the beginning, just
> after a modprobe iptable_nat line ?
I like to put it just before or just after the FORWARD rules, because it's for
packets which are being routed through the firewall.
> Last question : Do you see some clumsy things or errors in my script ?
> Unfortunately I think there are .... ;-(
You have approximately twice as many rules as I would expect to see - you are
allowing each individual protocol (defined by its source port) in an
ESTABLISHED rule; most people would just use one ESTABLISHED rule to allow
all reply packets, no matter which protocol.
Also you have specific rules for FTP data connection on port 20 - better to
just leave these out and handle the packets as RELATED to the control
connection on port 21.
I prefer a simple ruleset if possible because it's easier to work with.
Regards,
Antony.
--
The difference between theory and practice is that in theory there is no
difference, whereas in practice there is.
Please reply to the list;
please don't CC me.
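To make the two simplifications in the reply above concrete, here is an added Python model (not code from the thread, and not Frédéric's script) of the connection-tracking states netfilter assigns to forwarded packets. It models a condensed FORWARD chain that is an assumption of this example: one ESTABLISHED,RELATED rule first, then NEW connections from 172.16.0.0/16 to a few ports. It shows that reply packets need no per-protocol `--sport` rules, that with the FTP helper (the role `ip_conntrack_ftp` plays) the active-mode data connection from server port 20 is RELATED to the port-21 control connection, and, as a contrast, that a stateless `--sport 443 -j ACCEPT` rule of the kind in the posted script admits an unsolicited inbound packet that the stateful chain drops. Host addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("172.16.0.0/16")  # LAN range from the thread
# Condensed outbound policy (assumed for this example): ports the LAN may
# open NEW connections to.
NEW_ALLOWED = {("tcp", 80), ("tcp", 443), ("tcp", 110), ("tcp", 21)}


@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Conntrack:
    """Tracks 5-tuples and, like the FTP helper, expects an active-mode data
    connection from the server once a port-21 control connection exists."""

    def __init__(self, ftp_helper: bool = True):
        self.conns = set()
        self.expect = set()  # (server, client) pairs with a pending data connection
        self.ftp_helper = ftp_helper

    @staticmethod
    def key(p: Pkt):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def state(self, p: Pkt) -> str:
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if self.key(p) in self.conns or rev in self.conns:
            return "ESTABLISHED"
        if (self.ftp_helper and p.proto == "tcp" and p.sport == 20
                and (p.src, p.dst) in self.expect):
            return "RELATED"
        return "NEW"

    def confirm(self, p: Pkt) -> None:
        """Record an accepted packet's connection (and any FTP expectation)."""
        if self.state(p) in ("NEW", "RELATED"):
            self.conns.add(self.key(p))
            if self.ftp_helper and p.proto == "tcp" and p.dport == 21:
                self.expect.add((p.dst, p.src))


def forward(ct: Conntrack, p: Pkt) -> str:
    """Stateful FORWARD chain: ESTABLISHED,RELATED first, then allowed NEW
    connections from the LAN; everything else falls to the DROP policy."""
    if ct.state(p) in ("ESTABLISHED", "RELATED"):
        ct.confirm(p)
        return "ACCEPT"
    if ipaddress.ip_address(p.src) in LAN and (p.proto, p.dport) in NEW_ALLOWED:
        ct.confirm(p)
        return "ACCEPT"
    return "DROP"


def forward_stateless_reply(ct: Conntrack, p: Pkt) -> str:
    """Same chain, preceded by a `--sport 443 -j ACCEPT` reply rule with no
    state match, as in the posted script."""
    if p.proto == "tcp" and p.sport == 443 and ipaddress.ip_address(p.dst) in LAN:
        ct.confirm(p)
        return "ACCEPT"
    return forward(ct, p)


CLIENT, SERVER = "172.16.2.50", "198.51.100.20"  # constructed hosts


def ftp_session(ftp_helper: bool = True):
    """Verdicts for: control SYN, control reply, active data SYN, data reply."""
    ct = Conntrack(ftp_helper)
    return [forward(ct, p) for p in (
        Pkt("tcp", CLIENT, 40001, SERVER, 21),
        Pkt("tcp", SERVER, 21, CLIENT, 40001),
        Pkt("tcp", SERVER, 20, CLIENT, 40002),
        Pkt("tcp", CLIENT, 40002, SERVER, 20),
    )]


def unsolicited_443(chain) -> str:
    """An inbound packet from port 443 that no LAN host asked for."""
    return chain(Conntrack(), Pkt("tcp", "198.51.100.99", 443, CLIENT, 40003))


if __name__ == "__main__":
    print("FTP with helper   :", ftp_session(True))
    print("FTP without helper:", ftp_session(False))
    print("stateful chain    :", unsolicited_443(forward))
    print("stateless --sport :", unsolicited_443(forward_stateless_reply))
```

The helper model is deliberately minimal: it treats any server:20 connection back to a client with an open control session as the expected data connection, whereas the real helper parses the PORT/PASV exchange to learn the exact port. The point it illustrates is the same: the data connection is classified RELATED, so a single ESTABLISHED,RELATED rule covers it.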
* Distributed firewall
From: Gianni Mantellini @ 2004-07-26 14:03 UTC
To: netfilter
Hi to all, I'm new to this mailing list. My interest is whether there's anybody
who knows a "Distributed Firewall" for PDAs that run the Familiar
distribution of Linux, either commercial or open source. Sorry for my English
and thanks to all.
* Re: Firewall IP change
From: Fred @ 2004-07-30 13:22 UTC
To: netfilter
Hi all,
I've changed the external IP of my firewall (it's a public IP now).
I can access the internet from my LAN but it's very very slow now.
My bandwidth looks good.
Have you got any idea ?
Thanks
Fred
* Re: Firewall IP change
From: Antony Stone @ 2004-07-31 13:50 UTC
To: netfilter
On Friday 30 July 2004 2:22 pm, Fred wrote:
> Hi all,
>
> I've changed the external IP of my firewall (it's a public IP now).
> I can access the internet from my LAN but it's very very slow now.
> My bandwidth looks good.
What exactly do you mean by that last statement? I would have said that
"very very slow" and "bandwidth looks good" mean almost opposite things.
> Have you got any idea ?
Where are your LAN machines getting their DNS from?
What are you using to test, and finding things "very very slow"?
Do you see the same speed problem if you download something to the firewall as
downloading to an internal LAN machine?
Are you seeing lots of packets matching your DROP rules?
Have you tried a packet sniffer to see if there are unreplied packets on your
LAN or external link?
Regards,
Antony.
--
"I estimate there's a world market for about five computers."
- Thomas J Watson, Chairman of IBM
Please reply to the list;
please don't CC me.
* Re: Firewall IP change
From: Zoup @ 2004-08-01 3:40 UTC
To: netfilter
On Friday 30 July 2004 05:22, Fred wrote:
> Hi all,
>
> I've changed the external IP of my firewall (it's a public IP now).
> I can access the internet from my LAN but it's very very slow now.
> My bandwidth looks good.
> Have you got any idea ?
>
> Thanks
>
> Fred
Please send us your rules in the nat and filter tables.
--
Marriage is the only adventure open to the cowardly.
-- Voltaire
* Re: Firewall IP change
From: Frédéric Gonzatti @ 2004-08-02 12:07 UTC
To: netfilter
If I replace in my iptables script :
iptables -A POSTROUTING -t nat -o eth2 -j SNAT --to my_public_IP
by
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
...I can access the internet faster !
Have you got any idea ?
My iptables script is in one of my mails (Firewall IP change title)
Thanks,
Fred
* Re: Firewall IP change
From: Antony Stone @ 2004-08-02 12:26 UTC
To: netfilter
On Monday 02 August 2004 1:07 pm, Frédéric Gonzatti wrote:
> If I replace in my iptables script :
> iptables -A POSTROUTING -t nat -o eth2 -j SNAT --to my_public_IP
> by
> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>
> ...I can access the internet faster !
>
> Have you got any idea ?
Which is your external interface? eth1 or eth2?
How are you measuring "faster"?
Where are your DNS servers?
Regards,
Antony.
--
In Heaven, the police are British, the chefs are Italian, the beer is Belgian,
the mechanics are German, the lovers are French, the entertainment is
American, and everything is organised by the Swiss.
In Hell, the police are German, the chefs are British, the beer is American,
the mechanics are French, the lovers are Swiss, the entertainment is Belgian,
and everything is organised by the Italians.
Please reply to the list;
please don't CC me.
* Re: Firewall IP change
From: Frédéric Gonzatti @ 2004-08-02 14:12 UTC
To: netfilter
Sorry, my external interface is eth2 (it's just an error when I wrote the
mail).
Some pages take a lot of time to appear when I'm using the first line in my
script. When I'm using the second one they appear immediately.
My DNS server is on my LAN with a private IP address 172.16.2.200.
Regards,
Frederic
> On Monday 02 August 2004 1:07 pm, Frédéric Gonzatti wrote:
> > If I replace in my iptables script :
> > iptables -A POSTROUTING -t nat -o eth2 -j SNAT --to my_public_IP
> > by
> > iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
> >
> > ...I can access the internet faster !
> >
> > Have you got any idea ?
>
> Which is your external interface? eth1 or eth2?
>
> How are you measuring "faster"?
>
> Where are your DNS servers?
>
> Regards,
>
> Antony.
* Re: Firewall IP change
From: Antony Stone @ 2004-08-02 14:57 UTC
To: netfilter
On Monday 02 August 2004 3:12 pm, Frédéric Gonzatti wrote:
> Sorry, my external interface is eth2 (it's just an error when I wrote the
> mail).
> Some pages take a lot of time to appear when I'm using the first line in my
> script. When I'm using the second one they appear immediately.
> My DNS server is on my LAN with a private IP address 172.16.2.200.
Please show us:
1. The exact rules you are referring to (no typos, no hidden addresses, the
exact rules as they appear in the scripts).
2. The routing table (output of "route -n") of the firewall
3. The interface configuration (output of "ifconfig") from the firewall.
Regards,
Antony.
> > On Monday 02 August 2004 1:07 pm, Frédéric Gonzatti wrote:
> > > If I replace in my iptables script :
> > > iptables -A POSTROUTING -t nat -o eth2 -j SNAT --to my_public_IP
> > > by
> > > iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
> > >
> > > ...I can access the internet faster !
> > >
> > > Have you got any idea ?
> >
> > Which is your external interface? eth1 or eth2?
> >
> > How are you measuring "faster"?
> >
> > Where are your DNS servers?
> >
> > Regards,
> >
> > Antony.
--
The words "e pluribus unum" on the Great Seal of the United States are from a
poem by Virgil entitled "Moretum", which is about cheese and garlic salad
dressing.
Please reply to the list;
please don't CC me.
* Re: Firewall IP change
From: Frédéric Gonzatti @ 2004-08-02 15:10 UTC
To: netfilter
1- My iptables rules are the following:
iptables -t filter -F
iptables -t nat -F
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT
iptables -t nat POSTROUTING -o eth2 -j MASQUERADE
###########
# FORWARD #
###########
##############
# LAN -->DMZ #
##############
iptables -t filter -A FORWARD -i eth0 -o eth1 -s 172.16.0.0/16 -d 192.168.2.150/32 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i eth1 -o eth0 -s 192.168.2.150/32 -d 172.16.0.0/16 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
###############
# LAN --> WAN #
###############
###################################
# IDENT PROTOCOL: TCP and UDP 113 #
###################################
iptables -t filter -A FORWARD -p tcp --dport 113 -j ACCEPT
iptables -t filter -A FORWARD -p tcp --sport 113 -j ACCEPT
iptables -t filter -A FORWARD -p udp --dport 113 -j ACCEPT
iptables -t filter -A FORWARD -p udp --sport 113 -j ACCEPT
###################################
# HTTP, HTTPS: TCP 80 and TCP 443 #
###################################
iptables -t filter -A FORWARD -i eth0 -o eth2 -s 172.16.0.0/16 -d 0/0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i eth2 -o eth0 -s 0/0 -d 172.16.0.0/16 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -o eth2 -s 172.16.0.0/16 -d 0/0 -p tcp --dport 443 -j ACCEPT
iptables -t filter -A FORWARD -i eth2 -o eth0 -s 0/0 -d 172.16.0.0/16 -p tcp --sport 443 -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -o eth2 -s 172.16.0.0/16 -d 0/0 -p udp --dport 443 -j ACCEPT
iptables -t filter -A FORWARD -i eth2 -o eth0 -s 0/0 -d 172.16.0.0/16 -p udp --sport 443 -j ACCEPT
#################
# POP3 protocol #
#################
iptables -t filter -A FORWARD -i eth0 -o eth2 -s 172.16.0.0/16 -d 0/0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i eth2 -o eth0 -s 0/0 -d 172.16.0.0/16 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
################
# FTP protocol #
################
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
iptables -t filter -A FORWARD -s 172.16.0.0/16 -d 0/0 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -s 0/0 -d 172.16.0.0/16 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -s 172.16.0.0/16 -d 0/0 -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -s 0/0 -d 172.16.0.0/16 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -s 172.16.0.0/16 -d 0/0 -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -s 0/0 -d 172.16.0.0/16 -p tcp --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -j DROP
iptables -t filter -A OUTPUT -j DROP
iptables -t filter -A FORWARD -j DROP
2- My default route is the IP of the LAN interface of my router which is a
public IP (62.160.X.X/255.255.255.248)
3- eth0 : 172.16.2.1/255.255.0.0
eth1: 192.168.2.1/255.255.255.0
eth2: 62.160.X.Y/255.255.255.248
Regards,
Frederic
> On Monday 02 August 2004 3:12 pm, Frédéric Gonzatti wrote:
> > Sorry, my external interface is eth2 (it's just an error when I wrote the
> > mail).
> > Some pages takes lots of time to appear when I'm using the first line in
> > my script. When I'm using the second one they appear immediately.
> > My DNS server is on my LAN with a private IP address 172.16.2.200.
>
> Please show us:
>
> 1. The exact rules you are referring to (no typos, no hidden addresses, the
> exact rules as they appear in the scripts).
>
> 2. The routing table (output of "route -n") of the firewall
>
> 3. The interface configuration (output of "ifconfig") from the firewall.
>
> Regards,
>
> Antony.
>
> > > On Monday 02 August 2004 1:07 pm, Frédéric Gonzatti wrote:
> > > > If I replace in my iptables script :
> > > > iptables -A POSTROUTING -t nat -o eth2 -j SNAT --to my_public_IP
> > > > by
> > > > iptables -t nat POSTROUTING -o eth1 -j MASQUERADE
> > > >
> > > > ...I can access to the internet faster !
> > > >
> > > > Have you got any idea ?
> > >
> > > Which is your external interface? eth1 or eth2?
> > >
> > > How are you measuring "faster"?
> > >
> > > Where are your DNS servers?
> > >
> > > Regards,
> > >
> > > Antony.
* RE: Firewall IP change
@ 2004-07-24 16:58 Jason Opperisano
2004-07-24 17:17 ` Antony Stone
0 siblings, 1 reply; 21+ messages in thread
From: Jason Opperisano @ 2004-07-24 16:58 UTC (permalink / raw)
To: netfilter
> IP on your firewall, then you need to SNAT outbound packets (which will
> automatically DNAT reply packets for you too):
> iptables -A POSTROUTING -t nat -o eth2 -j DNAT --to 62.160.X.Y
^
Antony-
I know you say SNAT in the explanation, but a rogue D made it into the example rule... stupid S & D right next to each other...
iptables -A POSTROUTING -t nat -o eth2 -j SNAT --to 62.160.X.Y
-j
* Re: Firewall IP change
2004-07-24 16:58 Jason Opperisano
@ 2004-07-24 17:17 ` Antony Stone
0 siblings, 0 replies; 21+ messages in thread
From: Antony Stone @ 2004-07-24 17:17 UTC (permalink / raw)
To: netfilter
On Saturday 24 July 2004 5:58 pm, Jason Opperisano wrote:
> Antony-
>
> I know you say SNAT in the explanation, but a rogue D made it into the
> example rule... stupid S & D right next to each other...
>
> iptables -A POSTROUTING -t nat -o eth2 -j SNAT --to 62.160.X.Y
Thanks :) That *is* what I meant, yes.
At least this error would be picked up by netfilter too, if someone tried to
use the command I'd mistyped.
You'd think they would have put Source and Destination further apart on the
keyboard..... huh.
Regards,
Antony.
--
I think, therefore I am.
I'm pink, therefore I'm Spam.
I drink, therefore I think I am.
Please reply to the list;
please don't CC me.
* RE: Firewall IP change
@ 2004-08-02 15:41 Jason Opperisano
0 siblings, 0 replies; 21+ messages in thread
From: Jason Opperisano @ 2004-08-02 15:41 UTC (permalink / raw)
To: netfilter
> 1-My iptables rules are the following :
> iptables -t filter -F
> iptables -t nat -F
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> iptables -t filter -P INPUT DROP
> iptables -t filter -P FORWARD DROP
> iptables -t filter -P OUTPUT DROP
>
> iptables -t filter -A INPUT -i lo -j ACCEPT
> iptables -t filter -A OUTPUT -o lo -j ACCEPT
>
> iptables -t nat POSTROUTING -o eth2 -j MASQUERADE
something tells me this is still not the output that Antony requested, as that last line is not a valid command (there's no "-A" in it).
> [bunch of rules snipped out]
i don't see any rule that allows for DNS resolution. is this due to sanitizing, or do you really not have one?
i'm thinking something along the lines of:
iptables -A FORWARD -p udp -s 172.16.0.0/16 --dport 53 -j ACCEPT
-OR-
iptables -A FORWARD -p udp -s $INTERNAL_DNS_SRV --dport 53 -j ACCEPT
Try posting the output of:
echo -e "\n*** FILTER ***\n"; iptables -vxnL && echo -e "\n*** NAT ***\n"; iptables -t nat -vxnL && echo -e "\n*** MANGLE ***\n"; iptables -t mangle -vxnL
And the output of:
ip addr show
ip route list
as we're not making much progress under the current method...
-j
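The two points Jason raises against the ruleset Frédéric posted (the POSTROUTING line has no -A, and there is no FORWARD rule for DNS, so with a DROP policy the LAN resolver's queries to upstream servers never leave) in one corrected fragment. This is an added example, not Frédéric's script and not code posted by anyone in the thread. It keeps the thread's names and addresses (eth0 and eth2, 172.16.0.0/16, the resolver at 172.16.2.200, and 62.160.X.Y as a placeholder for the real public address), follows Jason's second, narrower alternative by letting only the internal resolver out on port 53, and adds TCP 53 for answers too large for a UDP datagram. By default it only prints the commands (IPT="echo iptables"), so it can be reviewed without root; set IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example, not the thread's own script. Dry-run by default: the
# commands are printed rather than executed. Set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

# Interface and address names taken from the thread; 62.160.X.Y is the
# poster's placeholder for the firewall's real public eth2 address.
WAN_IF="${WAN_IF:-eth2}"
LAN_IF="${LAN_IF:-eth0}"
DNS_SRV="${DNS_SRV:-172.16.2.200}"
PUBLIC_IP="${PUBLIC_IP:-62.160.X.Y}"

# Outbound NAT with a fixed public address: SNAT --to-source, and note
# the "-A" that the posted "iptables -t nat POSTROUTING ..." line lacks.
nat_rules() {
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j SNAT --to-source "$PUBLIC_IP"
}

# Let the internal resolver (and only it) reach upstream DNS on the WAN.
# UDP carries normal queries; TCP 53 is needed when an answer is too big
# for one UDP datagram (the resolver retries over TCP).
dns_rules() {
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$DNS_SRV" -p udp --dport 53 \
         -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$DNS_SRV" -p tcp --dport 53 \
         -m state --state NEW,ESTABLISHED -j ACCEPT
    # Replies are ESTABLISHED in conntrack; one rule covers UDP and TCP.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$DNS_SRV" \
         -m state --state ESTABLISHED -j ACCEPT
}

# Print (or, with IPT=iptables, apply) the corrected rules.
nat_rules
dns_rules
```

With the FORWARD policy at DROP, these three rules belong before the final "iptables -t filter -A FORWARD -j DROP" of the posted script; the rest of Frédéric's ruleset is untouched.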
Thread overview: 21+ messages
2004-07-21 21:42 Nat for two private subnets with subnet routing Gerry Weaver
2004-07-21 22:02 ` Antony Stone
2004-07-21 22:56 ` John A. Sullivan III
2004-07-23 12:57 ` Firewall IP change Frédéric Gonzatti
2004-07-24 15:47 ` Antony Stone
2004-07-26 12:13 ` Frédéric Gonzatti
2004-07-26 12:27 ` Antony Stone
2004-07-26 13:20 ` Frédéric Gonzatti
2004-07-26 13:43 ` Antony Stone
2004-07-26 14:03 ` Distributed firewall Gianni Mantellini
2004-07-30 13:22 ` Firewall IP change Fred
2004-07-31 13:50 ` Antony Stone
2004-08-01 3:40 ` Zoup
2004-08-02 12:07 ` Frédéric Gonzatti
2004-08-02 12:26 ` Antony Stone
2004-08-02 14:12 ` Frédéric Gonzatti
2004-08-02 14:57 ` Antony Stone
2004-08-02 15:10 ` Frédéric Gonzatti
-- strict thread matches above, loose matches on Subject: below --
2004-07-24 16:58 Jason Opperisano
2004-07-24 17:17 ` Antony Stone
2004-08-02 15:41 Jason Opperisano