* [LARTC] DNAT issues
@ 2003-08-21 17:50 Vlad Mihai
2003-08-21 18:21 ` Ethy H. Brito
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: Vlad Mihai @ 2003-08-21 17:50 UTC (permalink / raw)
To: lartc
Hi guys,
Suppose I have the following configuration:
                   ------------------
 LAN --------------| eth0      eth1 |-------- Internet
                   ------------------
                      Linux Router
eth0_IP = 192.168.0.1 (LAN)
eth1_IP = 194.105.29.2 (IP)
I use the machine only as a router, so all the other services (HTTP, FTP)
are hosted on another machine connected to my LAN (192.168.0.2).
My LAN clients use the Linux machine as a NAT firewall (SNAT, in fact).
I have only one IP given by my ISP for my whole home network
(194.105.29.2).
So accessing different services on my LAN from the Internet must be
done through that single IP (even though the services are hosted on
different machines).
So the solution is DNAT :)
Here is what I have done:
iptables -t nat -A PREROUTING -i eth1 -d 194.105.29.2 -p TCP --dport 80 \
    -j DNAT --to-destination 192.168.0.2
When I try to access the web server from the Internet the DNAT is
working!
Now, the problem comes when a machine like 192.168.0.121 wants to access
the web server. (Keep in mind that the client, 192.168.0.121, is on the
same subnet as the web server, 192.168.0.2.)
This machine (192.168.0.121) will send a request to 194.105.29.2, wanting
to access the web server.
The router will "redirect" the request to 192.168.0.2 (as it is supposed
to do).
Now, when the packets arrive at 192.168.0.2, the web server will see
packets from 192.168.0.121.
It will send the packets to 192.168.0.121 as requested, BUT NOT
THROUGH THE ROUTER!!!
192.168.0.2 is on the same subnet as 192.168.0.121, so the packets will
follow the shorter route, avoiding the Linux router.
Now, the web browser on 192.168.0.121 will see packets coming from
192.168.0.2, and it will assume they are bogus packets and will ignore
them... SO, NO CONNECTION...
Remember, 192.168.0.121 asked for packets from 194.105.29.2 and not from
192.168.0.2!!!
What can I do to allow my LAN clients to access the web server through
the router?
Please write me a line of code :) I am new to "iptables" :(
Thanking you in advance,
Mihai Vlad
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [LARTC] DNAT issues
2003-08-21 17:50 [LARTC] DNAT issues Vlad Mihai
@ 2003-08-21 18:21 ` Ethy H. Brito
2003-08-21 19:03 ` FW: " Vlad Mihai
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Ethy H. Brito @ 2003-08-21 18:21 UTC (permalink / raw)
To: lartc
On Thu, 21 Aug 2003, Vlad Mihai wrote:
> Now, the web browser on 192.168.0.121 will see packets coming from
> 192.168.0.2, and it will assume
> they are bogus packets, and will ignore them... SO, NO CONNECTION...
>
> Remember 192.168.0.121 asked for packets from 194.105.29.2 and not from
> 192.168.0.2!!!
>
> What can I do to allow my LAN clients to access the web server through
> the router?
> Please write me a line of code :) I am new to "iptables" :(
This is a DNS problem. It is a common mistake to assume that the internal
network is part of the Internet. IT IS NOT.
This may be easily solved by creating "zones" at your DNS server.
Your web server must be identified as part of your internal net. If it is
not identified like this, you will have to do a lot of juggling to
overcome this.
Consult the DNS server man pages to configure it. This is not the only
solution, but it is the simplest one for sure.
Regards
Ethy H. Brito /"\
InterNexo Ltda. \ / CAMPANHA DA FITA ASCII - CONTRA MAIL HTML
+55 (12) 3941-6860 X ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
S.J.Campos - Brasil / \
^ permalink raw reply [flat|nested] 5+ messages in thread
* FW: [LARTC] DNAT issues
2003-08-21 17:50 [LARTC] DNAT issues Vlad Mihai
2003-08-21 18:21 ` Ethy H. Brito
@ 2003-08-21 19:03 ` Vlad Mihai
2003-08-21 21:22 ` Vlad Mihai
2003-08-22 2:53 ` S Mohan
3 siblings, 0 replies; 5+ messages in thread
From: Vlad Mihai @ 2003-08-21 19:03 UTC (permalink / raw)
To: lartc
Thanks very much. I never thought of that :)
However, the idea comes from a tutorial listed at ww.netfilter.org.
There, the author explains the same issue and gives a solution...
But that solution is not working for me.
I have posted that part of the tutorial here:
http://www.concorde.utcluj.ro/iptables2.pdf
since netfilter.org is down.
The section explaining my issue is located on the second page, in the left
column.
Take a look there if you have time, and maybe some of you will understand
it better than me :)
The problem with the routing still remains unsolved for me :(
^ permalink raw reply [flat|nested] 5+ messages in thread
* FW: [LARTC] DNAT issues
2003-08-21 17:50 [LARTC] DNAT issues Vlad Mihai
2003-08-21 18:21 ` Ethy H. Brito
2003-08-21 19:03 ` FW: " Vlad Mihai
@ 2003-08-21 21:22 ` Vlad Mihai
2003-08-22 2:53 ` S Mohan
3 siblings, 0 replies; 5+ messages in thread
From: Vlad Mihai @ 2003-08-21 21:22 UTC (permalink / raw)
To: lartc
Thanks very much. I never thought of that :)
However, the idea comes from a tutorial listed at ww.netfilter.org.
There, the author explains the same issue and gives a solution...
But that solution is not working for me.
I have posted that part of the tutorial here:
http://www.concorde.utcluj.ro/iptables2.pdf
since netfilter.org is down.
The section explaining my issue is located on the second page, in the left
column.
Take a look there if you have time, and maybe some of you will understand
it better than me :)
The problem with the routing still remains unsolved for me :(
^ permalink raw reply [flat|nested] 5+ messages in thread
* RE: [LARTC] DNAT issues
2003-08-21 17:50 [LARTC] DNAT issues Vlad Mihai
` (2 preceding siblings ...)
2003-08-21 21:22 ` Vlad Mihai
@ 2003-08-22 2:53 ` S Mohan
3 siblings, 0 replies; 5+ messages in thread
From: S Mohan @ 2003-08-22 2:53 UTC (permalink / raw)
To: lartc
My points:
1. When you connect directly by IP, DNS does not come into play. Why should
the DNS matter then?
2. The port redirection happens on incoming packets on eth1 and not on eth0
(the LAN interface). Thus LAN traffic should not be affected.
3. In any case, port 80 requests are not redirected to the 194.x.x.x IP.
My solution, in case the redirection affects LAN traffic, would be to add a
negated match for the local subnet as source:
iptables -t nat -A PREROUTING -i eth1 ! -s 192.168.0.0/24 -d 194.105.29.2 -p TCP --dport 80 \
    -j DNAT --to-destination 192.168.0.2
This makes sure that local traffic is not redirected.
Mohan
^ permalink raw reply [flat|nested] 5+ messages in thread
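The exchange Vlad describes in the first message, and the effect of the interface/source matching Mohan proposes in the last one, worked through as an added example. This is not code from the thread, from the netfilter tutorial or from the LARTC HOWTO; it is a small model of the router's nat table with a conntrack map, written for this page. It goes beyond the thread in one respect: besides the rule as posted and the bypassed-router failure, it models the usual NAT-loopback ("hairpin") fix, a POSTROUTING SNAT of LAN-originated hits to the router's LAN address, and Ethy's split-DNS alternative where the LAN client uses 192.168.0.2 directly. The 192.168.0.x and 194.105.29.2 addresses come from the thread; 203.0.113.7 (an RFC 5737 documentation address standing in for an Internet client), the port numbers and the delivery model are assumptions.

```python
"""Model of the LAN-client-to-public-IP ("hairpin") DNAT case from the thread.

Router policies:
  "eth1-only": DNAT only for packets entering on eth1 (the rule as posted, `-i eth1`;
               Mohan's `! -s 192.168.0.0/24` has the same effect for LAN sources)
  "dnat-all":  DNAT on any interface, no source rewrite (the failure Vlad describes)
  "hairpin":   DNAT plus POSTROUTING SNAT of LAN-originated hits to the router's LAN address
Addresses 192.168.0.x / 194.105.29.2 are from the thread; 203.0.113.7, the port
numbers and the delivery model are assumptions made for this example.
"""
from __future__ import annotations
from dataclasses import dataclass, replace
from typing import Optional

ROUTER_LAN, ROUTER_WAN = "192.168.0.1", "194.105.29.2"   # eth0 / eth1
SERVER, CLIENT = "192.168.0.2", "192.168.0.121"
OUTSIDE = "203.0.113.7"                                   # assumed Internet client
LAN_PREFIX = "192.168.0."


@dataclass(frozen=True)
class Segment:
    """The four fields a TCP socket uses to match a packet to a connection."""
    src: str
    sport: int
    dst: str
    dport: int


def on_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


class Router:
    def __init__(self, policy: str):
        assert policy in ("eth1-only", "dnat-all", "hairpin")
        self.policy = policy
        self.conntrack: dict[tuple, tuple] = {}   # original tuple -> translated tuple

    def forward(self, seg: Segment, in_if: str) -> Optional[Segment]:
        # Reply direction: a packet answering a translated tuple has the translation undone.
        for orig, xlat in self.conntrack.items():
            if (seg.src, seg.sport, seg.dst, seg.dport) == (xlat[2], xlat[3], xlat[0], xlat[1]):
                return Segment(src=orig[2], sport=orig[3], dst=orig[0], dport=orig[1])
        # New flow. PREROUTING:
        #   iptables -t nat -A PREROUTING [-i eth1] -d 194.105.29.2 -p tcp --dport 80 \
        #       -j DNAT --to-destination 192.168.0.2
        if seg.dst != ROUTER_WAN or seg.dport != 80:
            return None                    # nothing else is forwarded in this model
        if self.policy == "eth1-only" and in_if != "eth1":
            return None                    # not DNATed: it is for the router itself, no listener
        new = replace(seg, dst=SERVER)
        # POSTROUTING (hairpin only): LAN-originated hits appear to come from the router,
        # so the server's reply is routed back through it and can be un-NATed:
        #   iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 192.168.0.2 -p tcp --dport 80 \
        #       -j SNAT --to-source 192.168.0.1
        if self.policy == "hairpin" and on_lan(seg.src):
            new = replace(new, src=ROUTER_LAN, sport=40000 + len(self.conntrack))
        self.conntrack[(seg.src, seg.sport, seg.dst, seg.dport)] = (new.src, new.sport, new.dst, new.dport)
        return new


def route(seg: Segment, router: Router) -> Optional[Segment]:
    """Deliver one segment. Two LAN hosts reach each other directly (the "shorter route" in
    the thread); anything addressed to the router or leaving the subnet goes through it."""
    if seg.dst in (ROUTER_LAN, ROUTER_WAN) or not (on_lan(seg.src) and on_lan(seg.dst)):
        return router.forward(seg, "eth0" if on_lan(seg.src) else "eth1")
    return seg


def fetch(client: str, router: Router, target: str = ROUTER_WAN) -> str:
    """One request from `client` to `target`:80 and the server's answer; returns the outcome."""
    req = Segment(src=client, sport=51515, dst=target, dport=80)
    at_server = route(req, router)
    if at_server is None or at_server.dst != SERVER:
        return "refused"                   # landed on the router, nothing listens there
    # The server answers whoever it believes sent the request.
    resp = Segment(src=at_server.dst, sport=80, dst=at_server.src, dport=at_server.sport)
    at_client = route(resp, router)
    if at_client is None:
        return "lost"
    # The client's socket only matches a reply from the address and port it connected to.
    expected = (req.dst, req.dport, req.src, req.sport)
    if (at_client.src, at_client.sport, at_client.dst, at_client.dport) != expected:
        return "reply-dropped"             # came from 192.168.0.2 instead of 194.105.29.2
    return "ok"


def run_all() -> dict[str, str]:
    return {
        "LAN client, rule as posted (-i eth1)":     fetch(CLIENT, Router("eth1-only")),
        "LAN client, DNAT on any interface":        fetch(CLIENT, Router("dnat-all")),
        "LAN client, DNAT + hairpin SNAT":          fetch(CLIENT, Router("hairpin")),
        "Internet client, DNAT + hairpin SNAT":     fetch(OUTSIDE, Router("hairpin")),
        "LAN client, split DNS (uses 192.168.0.2)": fetch(CLIENT, Router("eth1-only"), target=SERVER),
    }


if __name__ == "__main__":
    for case, outcome in run_all().items():
        print(f"{case:44} {outcome}")
```

Running it shows the three behaviours side by side: with `-i eth1` (or the `! -s` match) a LAN client's request to the public IP is never DNATed and ends at the router itself; with DNAT but no source rewrite the server's reply takes the direct LAN path and the client drops it, which is the symptom in the first message; with the hairpin SNAT the reply comes back through the router and is un-NATed. Two caveats for the hairpin variant: the DNAT rule must then also match on eth0, with a FORWARD rule allowing the LAN-to-server traffic, and the SNAT makes every LAN client appear to the web server as 192.168.0.1, so the server's logs lose the real client address. That loss of attribution is one reason the split-DNS approach (the last case, where the LAN client never uses the public IP) is usually preferred where you control the resolver.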
end of thread, other threads:[~2003-08-22 2:53 UTC | newest]
-- links below jump to the message on this page --
2003-08-21 17:50 [LARTC] DNAT issues Vlad Mihai
2003-08-21 18:21 ` Ethy H. Brito
2003-08-21 19:03 ` FW: " Vlad Mihai
2003-08-21 21:22 ` Vlad Mihai
2003-08-22 2:53 ` S Mohan