* NAT to a client
@ 2005-04-28  6:22 varun_saa
  2005-04-28 14:35 ` Jason Opperisano
  0 siblings, 1 reply; 5+ messages in thread
From: varun_saa @ 2005-04-28  6:22 UTC (permalink / raw)
  To: netfilter

Hello,
     My server is on Mandrake 10.1
eth0 is WAN with static IP connected to 512K DSL.
eth1 is LAN - 192.168.0.0/24.

I have the iptables rules :

# Generated by iptables-save v1.2.9 on Tue Apr 26 14:50:01 2005
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Apr 26 14:50:01 2005
# Generated by iptables-save v1.2.9 on Tue Apr 26 14:50:01 2005
*mangle
:PREROUTING ACCEPT [707:100355]
:INPUT ACCEPT [704:99811]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [541:74129]
:POSTROUTING ACCEPT [611:85191]
COMMIT
# Completed on Tue Apr 26 14:50:01 2005
# Generated by iptables-save v1.2.9 on Tue Apr 26 14:50:01 2005
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 3128 --sport 80 -j ACCEPT
-A INPUT -p udp -m udp -i eth1 --dport 3128 --sport 80 -j ACCEPT
-A INPUT -s 62.0.0.0/255.0.0.0 -i eth0 -j REJECT
-A INPUT -p tcp -m tcp -s 217.81.0.0/255.255.0.0 -i eth0 -j REJECT
-A INPUT -i eth0 -j DROP
-A INPUT -p tcp -m tcp -i eth1 --sport 80 -j DROP
-A INPUT -m state -i eth1 --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp -i eth1 -o eth0 --dport 25 --sport 1024: -j ACCEPT  --syn 
-A FORWARD -p tcp -i eth1 -o eth0 --dport 110 --sport 1024: -j ACCEPT  --syn 
-A FORWARD -p tcp -i eth1 -o eth0 --dport 1863 --sport 1024: -j ACCEPT  --syn 
-A FORWARD -p tcp -i eth1 -o eth0 --dport 5050 --sport 1024: -j ACCEPT  --syn 
-A OUTPUT -p udp --dport 53 --sport 1024: -j ACCEPT
-A OUTPUT -p tcp -m owner -o eth0 --dport 80 --sport 1024: --uid-owner squid -j ACCEPT  --syn 
COMMIT
# Completed on Tue Apr 26 14:50:01 2005


I would like to bypass squid proxy and do 
a NAT for a client - 192.168.0.253.

How to do it?

Thanks in advance

Varun

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: NAT to a client
  2005-04-28  6:22 NAT to a client varun_saa
@ 2005-04-28 14:35 ` Jason Opperisano
  2005-04-28 17:21   ` Taylor, Grant
  0 siblings, 1 reply; 5+ messages in thread
From: Jason Opperisano @ 2005-04-28 14:35 UTC (permalink / raw)
  To: netfilter

On Thu, Apr 28, 2005 at 11:22:21AM +0500, varun_saa@vsnl.net wrote:
> Hello,
>      My server is on Mandrake 10.1
> eth0 is WAN with static IP connected to 512K DSL.
> eth1 is LAN - 192.168.0.0/24.
> 
> I have the iptables rules :
> 
> # Generated by iptables-save v1.2.9 on Tue Apr 26 14:50:01 2005
> *nat
> :OUTPUT ACCEPT [0:0]
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> -A POSTROUTING -o eth0 -j MASQUERADE

so you MASQ all outbound traffic

> COMMIT
> # Completed on Tue Apr 26 14:50:01 2005
> # Generated by iptables-save v1.2.9 on Tue Apr 26 14:50:01 2005
> *mangle
> :PREROUTING ACCEPT [707:100355]
> :INPUT ACCEPT [704:99811]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [541:74129]
> :POSTROUTING ACCEPT [611:85191]
> COMMIT
> # Completed on Tue Apr 26 14:50:01 2005
> # Generated by iptables-save v1.2.9 on Tue Apr 26 14:50:01 2005
> *filter
> :FORWARD ACCEPT [0:0]
> :INPUT DROP [0:0]
> :OUTPUT ACCEPT [0:0]

the policies of FORWARD and OUTPUT are set to ACCEPT.

> -A INPUT -j ACCEPT

and hey--so is INPUT.  no further rule in INPUT will ever be matched as
you just accepted all packets.

> -A INPUT -s 127.0.0.1 -j ACCEPT

normally written as "-A INPUT -i lo -j ACCEPT"

> -A INPUT -p tcp -m tcp -i eth1 --dport 3128 --sport 80 -j ACCEPT

the source port of traffic destined to a squid proxy is not 80, it's
1024:65535...why do i *constantly* see this in rules sets?

> -A INPUT -p udp -m udp -i eth1 --dport 3128 --sport 80 -j ACCEPT

and it's tcp only, not udp.

> -A INPUT -s 62.0.0.0/255.0.0.0 -i eth0 -j REJECT
> -A INPUT -p tcp -m tcp -s 217.81.0.0/255.255.0.0 -i eth0 -j REJECT
> -A INPUT -i eth0 -j DROP
> -A INPUT -p tcp -m tcp -i eth1 --sport 80 -j DROP
> -A INPUT -m state -i eth1 --state ESTABLISHED,RELATED -j ACCEPT

again--all of those are completely irrelevant.  good thing too--since
you're not allowing any ESTABLISHED,RELATED to come back through eth0,
which i guess is pretty secure, but it'd be less hassle to just power
off the firewall and cancel your ISP service.

> -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A FORWARD -p tcp -i eth1 -o eth0 --dport 25 --sport 1024: -j ACCEPT  --syn 
> -A FORWARD -p tcp -i eth1 -o eth0 --dport 110 --sport 1024: -j ACCEPT  --syn 
> -A FORWARD -p tcp -i eth1 -o eth0 --dport 1863 --sport 1024: -j ACCEPT  --syn 
> -A FORWARD -p tcp -i eth1 -o eth0 --dport 5050 --sport 1024: -j ACCEPT  --syn 

those all look pretty good; but remember, you set the policy of FORWARD
to ACCEPT, so any packets not matching the above rules will make it
through anyways.

> -A OUTPUT -p udp --dport 53 --sport 1024: -j ACCEPT
> -A OUTPUT -p tcp -m owner -o eth0 --dport 80 --sport 1024: --uid-owner squid -j ACCEPT  --syn 

nice work there.  oh, and since the policy of OUTPUT is ACCEPT, all
other output traffic is allowed out anyways.

> I would like to bypass squid proxy and do 
> a NAT for a client - 192.168.0.253.

i can't see how that would possibly be dropped anyways, but:

  -A FORWARD -i eth1 -o eth0 -p tcp --syn -s 192.168.0.253 \
     --sport 1024: --dport 80 -j ACCEPT

you'd probably also need to allow DNS resolution for that client as well
(unless you have an internal DNS server):

  -A FORWARD -i eth1 -o eth0 -p udp -s 192.168.0.253 \
     --sport 1024: --dport 53 -j ACCEPT


you already have the necessary MASQ rule.

-j

--
"Stewie: For God's sake, shake me. Shake me like a British nanny."
        --Family Guy



* Re: NAT to a client
  2005-04-28 14:35 ` Jason Opperisano
@ 2005-04-28 17:21   ` Taylor, Grant
  2005-04-28 17:38     ` Jason Opperisano
  0 siblings, 1 reply; 5+ messages in thread
From: Taylor, Grant @ 2005-04-28 17:21 UTC (permalink / raw)
  To: Jason Opperisano; +Cc: netfilter

> the source port of traffic destined to a squid proxy is not 80, it's
> 1024:65535...why do i *constantly* see this in rules sets?

Does Squid send out requests on behalf of its clients from port 3128 to port 80 and thus have returning traffic from 80 to 3128?  I know this is not the situation where clients connect to Squid, but rather when Squid connects to the web servers.  Seeing as how this rule is running on eth1, the internal LAN interface, this is irrelevant.



Grant. . . .



* Re: NAT to a client
  2005-04-28 17:21   ` Taylor, Grant
@ 2005-04-28 17:38     ` Jason Opperisano
  2005-04-28 19:28       ` Taylor, Grant
  0 siblings, 1 reply; 5+ messages in thread
From: Jason Opperisano @ 2005-04-28 17:38 UTC (permalink / raw)
  To: netfilter

On Thu, Apr 28, 2005 at 12:21:22PM -0500, Taylor, Grant wrote:
> >the source port of traffic destined to a squid proxy is not 80, it's
> >1024:65535...why do i *constantly* see this in rules sets?
> 
> Does Squid send out requests on behalf of it's clients from port 3128 to 
> port 80 and thus have returning traffic from 80 to 3128? 

heeeeeeeeeeeeeeell no.  squid proxy 101:

1)   client:$UNPRIV -> proxy:3128

2)                     proxy:$UNPRIV -> origin-server:80

where UNPRIV = 1024 - 65535

client connects to squid, squid connects to web server; two separate
unrelated connections (besides the fact that 1 inspires 2).  i
understand that the number 3128 falls within the range 1024 - 65535; and
if squid is configured to bind only to the internal interface, you'd
have a 1/64511 chance of seeing a squid server use sport = 3128 and
dport = 80 to fetch content from an origin web server, but it's not
likely enough to deserve a dedicated filter rule, IMHO.

-j

--
"Peter: Wh-Who are you?
 Death: I'm Callista Flockhart. Who do you think I am? I'm Death."
        --Family Guy


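The points Jason makes in his two replies (the catch-all `-A INPUT -j ACCEPT` hides every later INPUT rule, the FORWARD policy of ACCEPT lets the 192.168.0.253 client out whether or not a rule matches, and a squid client connects from an unprivileged port rather than from port 80) can be checked mechanically. The following is an added example written for this page, not code from any of the posts: a small Python model of netfilter's first-match walk over the *filter table varun_saa posted. It understands only the match options that occur in that table. The packets are constructed here; the LAN address 192.168.0.1 for the firewall and the web server 198.51.100.7 are assumptions.

```python
"""First-match walk over the *filter table posted in this thread.  Added
example, not code from any post; the packets below are constructed and the
addresses 192.168.0.1 (firewall LAN side) and 198.51.100.7 are assumed."""
import ipaddress
import shlex

FILTER_TABLE = """
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 3128 --sport 80 -j ACCEPT
-A INPUT -p udp -m udp -i eth1 --dport 3128 --sport 80 -j ACCEPT
-A INPUT -s 62.0.0.0/255.0.0.0 -i eth0 -j REJECT
-A INPUT -p tcp -m tcp -s 217.81.0.0/255.255.0.0 -i eth0 -j REJECT
-A INPUT -i eth0 -j DROP
-A INPUT -p tcp -m tcp -i eth1 --sport 80 -j DROP
-A INPUT -m state -i eth1 --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp -i eth1 -o eth0 --dport 25 --sport 1024: -j ACCEPT --syn
-A FORWARD -p tcp -i eth1 -o eth0 --dport 110 --sport 1024: -j ACCEPT --syn
-A FORWARD -p tcp -i eth1 -o eth0 --dport 1863 --sport 1024: -j ACCEPT --syn
-A FORWARD -p tcp -i eth1 -o eth0 --dport 5050 --sport 1024: -j ACCEPT --syn
-A OUTPUT -p udp --dport 53 --sport 1024: -j ACCEPT
-A OUTPUT -p tcp -m owner -o eth0 --dport 80 --sport 1024: --uid-owner squid -j ACCEPT --syn
"""
TERMINATING = {"ACCEPT", "DROP", "REJECT"}
# option -> packet field for the plain equality matches
FIELD = {"-p": "proto", "-i": "in", "-o": "out", "--uid-owner": "uid", "-s": "src", "-d": "dst"}
WITH_ARG = tuple(FIELD) + ("--sport", "--dport", "--state", "-A", "-j")

def parse_rule(line):
    """One '-A ...' line -> (chain, {option: value}, target)."""
    toks, m, i = shlex.split(line), {}, 0
    while i < len(toks):
        if toks[i] == "--syn":
            m["--syn"], i = True, i + 1
        elif toks[i] == "-m":            # match-module name, nothing to compare
            i += 2
        elif toks[i] in WITH_ARG:
            m[toks[i]], i = toks[i + 1], i + 2
        else:
            raise ValueError("unsupported option %r in %r" % (toks[i], line))
    chain, target = m.pop("-A"), m.pop("-j")
    return chain, m, target

def parse_table(text):
    """iptables-save text -> ({chain: policy}, {chain: [(matches, target), ...]})."""
    policies, chains = {}, {}
    for line in text.strip().splitlines():
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, []
        else:
            chain, m, target = parse_rule(line)
            chains[chain].append((m, target))
    return policies, chains

def rule_matches(m, pkt):
    """pkt is a dict with keys in, out, proto, src, dst, sport, dport, state, syn, uid."""
    for opt, want in m.items():
        if opt in ("--sport", "--dport"):           # '80', '1024:' or 'lo:hi'
            lo, sep, hi = want.partition(":")
            ok = int(lo or 0) <= pkt.get(opt[2:], -1) <= int(hi or (65535 if sep else lo))
        elif opt in ("-s", "-d"):                   # dotted netmask or prefix length
            ok = ipaddress.ip_address(pkt[FIELD[opt]]) in ipaddress.ip_network(want, strict=False)
        elif opt == "--state":
            ok = pkt.get("state") in want.split(",")
        else:                            # -p/-i/-o/--uid-owner equality; --syn wants True
            ok = pkt.get(FIELD.get(opt, "syn")) == want
        if not ok:
            return False
    return True

def walk(chain, pkt, policies, chains):
    """netfilter semantics: first matching terminating rule wins, else the chain policy."""
    for n, (m, target) in enumerate(chains[chain], 1):
        if target in TERMINATING and rule_matches(m, pkt):
            return target, n
    return policies[chain], None

# Constructed traffic: a LAN browser talking to squid, and the client that should bypass it.
SQUID_CLIENT = {"in": "eth1", "proto": "tcp", "src": "192.168.0.10", "dst": "192.168.0.1",
                "sport": 40000, "dport": 3128, "state": "NEW", "syn": True}
NAT_CLIENT = {"in": "eth1", "out": "eth0", "proto": "tcp", "src": "192.168.0.253",
              "dst": "198.51.100.7", "sport": 40001, "dport": 80, "state": "NEW", "syn": True}
SUGGESTED_RULE = ("-A FORWARD -i eth1 -o eth0 -p tcp --syn -s 192.168.0.253 "
                  "--sport 1024: --dport 80 -j ACCEPT\n")

def analyse(table=FILTER_TABLE):
    pol, ch = parse_table(table)
    tpol, tch = parse_table(table.replace("-A INPUT -j ACCEPT\n", ""))  # catch-all removed
    spol, sch = parse_table(table + SUGGESTED_RULE)                      # Jason's rule appended
    return {
        "squid_client": walk("INPUT", SQUID_CLIENT, pol, ch),
        "squid_client_no_catchall": walk("INPUT", SQUID_CLIENT, tpol, tch),
        "nat_client": walk("FORWARD", NAT_CLIENT, pol, ch),
        "nat_client_with_rule": walk("FORWARD", NAT_CLIENT, spol, sch),
    }
```

Calling `analyse()` shows the squid client accepted by INPUT rule 1 (the catch-all) and, with that rule removed, falling through to the DROP policy because the `--sport 80` rule never sees a source port of 80; the 192.168.0.253 client is accepted by the FORWARD policy with no rule matching, and by rule 6 once the suggested rule is appended, which is why the outcome does not change.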

* Re: NAT to a client
  2005-04-28 17:38     ` Jason Opperisano
@ 2005-04-28 19:28       ` Taylor, Grant
  0 siblings, 0 replies; 5+ messages in thread
From: Taylor, Grant @ 2005-04-28 19:28 UTC (permalink / raw)
  To: netfilter

> client connects to squid, squid connects to web server; two separate
> unrelated connections (besides the fact that 1 inspires 2).  i
> understand that the number 3128 falls within the range 1024 - 65535; and
> if squid is configured to bind only to the internal interface, you'd
> have a 1/64511 chance of seeing a squid server use sport = 3128 and
> dport = 80 to fetch content from an origin web server, but it's not
> likely enough to deserve a dedicated filter rule, IMHO.

*nod*

I was very aware and would expect that there were two distinctly different TCP connections, even though the 2nd one is caused by the 1st one.  What I was not aware of is if Squid would send traffic to web servers from a known port and thus would be able to filter based on that.  I can't say as I'm surprised or disappointed by that fact.



Grant. . . .

