Re: Private IP getting past IPTables NAT

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "Gáspár Lajos" <swifty@freemail.hu>
To: Lesley Kimmel <ljkimmel99@hotmail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: Private IP getting past IPTables NAT
Date: Fri, 02 Mar 2012 11:12:20 +0100	[thread overview]
Message-ID: <4F509D04.4020009@freemail.hu> (raw)
In-Reply-To: <SNT143-ds16D3D97D04EB6A5DC9E540C26D0@phx.gbl>

Hi,

2012-03-02 04:53 keltezéssel, Lesley Kimmel írta:
> I apologize if this is a duplicate email.  I have sent several times 
> as I was having issues with the spam filter.
>
> All;
>
> We have a Linux virtual server which we use as a NAT/Router (running 
> IPTables 1.2.11) to front-end a set of virtual machines on a private 
> (192.168.0.x) network.  In this private network are two web servers 
> and a few other application servers.  Our intent is to utilize two 
> public IP addresses on the NAT server to NAT to each back-end web server:
>
> External Interfaces:
> eth1 = abc.abc.abc.1 => 192.168.0.1 (webserver #1)
> eth1:0 = abc.abc.abc.2 => 192.168.0.2 (webserver #2)
> Internal Interface:
> eth0 = 192.168.0.3
>
> We had accomplished this with the following IPTables configuration
> Table: nat
> Chain PREROUTING (policy DROP)
Please do not filter in the nat table. It is used only for address 
rewriting and therefore is sees only the first packet in a connection!!!

> target    prot    in    out    source        destination
> DNAT        tcp    eth1    any    anywhere        abc.abc.abc.1 
> to:192.168.0.1
> DNAT        tcp    eth1    any    anywhere        abc.abc.abc.2 
> to:192.168.0.2
If these are only webservers then use the --dport 80 option...

> ACCEPT    all    eth0    any    192.168.0.0/24    anywhere    #(to 
> allow all outgoing traffic)
Again! Do not filter in nat!

>
> Chain POSTROUTING (policy DROP)
> target    prot    in    out    source        destination
> SNAT        all    any    eth1    192.168.0.1    anywhere 
> to:abc.abc.abc.1
(You do not really need this here, because you have a redundant rule 
(192.168.0.0/24 -> abc.abc.abc.1). But you can keep it :D )

> SNAT        all    any    eth1    192.168.0.2    anywhere 
> to:abc.abc.abc.2
> SNAT        all    any    eth1    192.168.0.0/24    anywhere 
> to:abc.abc.abc.1   #SNAT all other traffic to ip #1
Again! Do not filter in nat!

> Chain OUTPUT (policy ACCEPT)
>
> Table: filter
> Chain Input (policy ACCEPT)
> target    prot    in    out    source        destination
Set up here the enabled services... and use here the drop policy for any 
non enabled service
iptables -t filter -A INPUT -j ACCEPT -i lo
iptables -t filter -A INPUT -j ACCEPT -m conntrack --state 
ESTABLISHED,RELATED

> Chain FORWARD (policy ACCEPT)
> target    prot    in    out    source        destination
Set up here the forwarded services... and drop policy again... be aware 
that here you can filter the in_to_out and the out_to_in connections too..
iptables -t filter -A FORWARD -j ACCEPT -m conntrack --state 
ESTABLISHED,RELATED
iptables -t filter -A FORWARD -j ACCEPT -i eth0 -s 192.168.0.0/24
iptables -t filter -A FORWARD -j ACCEPT -o eth0 -d 192.168.0.1 --dport 80
iptables -t filter -A FORWARD -j ACCEPT -o eth0 -d 192.168.0.2 --dport 80

> Chain OUTPUT (policy ACCEPT)
> target    prot    in    out    source        destination
You can ignore this chain, but mainly this is the place for to filter 
all outgoing connections...
iptables -t filter -A OUTPUT -j ACCEPT -o lo

> Everything APPEARS to work correctly with this configuration.  
> However, several times a day network monitoring tools on the public 
> side of the NAT server see packets with source addresses from the 
> private network (e.g. 192.168.0.4).  In order to troubleshoot we 
> minimized our configuration to try to isolate the problem.  We took 
> out the NATing for the second IP:
Yes. It should work correctly... :-\

> With this configuration the 'leaking' of the private IP addresses 
> seems to stop.  However, we need to have the functionality of the 
> second IP address. Any insight into why the 'leak' is happening and 
> how we can add the second IP back in?
>
> Also, I have monitored the traffic across the NAT box with tcpdump.  
> The majority of traffic is NAT'd as expected.  Only occasionally do 
> packets 'escape'.  These packets have always been either FIN or RST 
> packets.
tcpdump is a very interesting tool... it sees packets on the line even 
before the iptables does...

AFAIK: RST and FIN packets are not considered as part of the 
connection... so maybe they do not hit the nat table anyhow... but this 
is very odd...
Two more things:
  1. your iptables version is VERY VERY VERY old...
  2. maybe there is a problem with your "virtual server" setup...

Swifty

next prev parent reply	other threads:[~2012-03-02 10:12 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-03-02  3:53 Private IP getting past IPTables NAT Lesley Kimmel
2012-03-02 10:12 ` Gáspár Lajos [this message]
2012-03-02 13:16   ` Lesley Kimmel

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4F509D04.4020009@freemail.hu \
    --to=swifty@freemail.hu \
    --cc=ljkimmel99@hotmail.com \
    --cc=netfilter@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.