Linux Netfilter discussions
* Masquerade problems
From: john bowers @ 2003-12-15 11:34 UTC (permalink / raw)
  To: netfilter

Hi, I have a NAT/firewall box that has worked beautifully for me for quite 
a while. The only thing I have not been able to figure out is that I have 
never been able to initiate any kind of services from inside the firewall 
box to the local network. I can ssh from the local net into the firewall no 
problem, but if I try to ssh back into my local network it just disappears, 
but shows up in the iptables -v -L stats for the rules that would allow it 
as having passed the filter.  If I try to ping an address on my local 
private-addressed network I just get the message "operation not allowed", or 
something of that sort.  I have a route for the local network entered in the 
routing table and actually routes for each of the individual hosts, but I 
don't know what is going on. Is this a routing problem or am I misusing the 
Masquerade function? Any help would greatly be appreciated as I don't 
know where else to ask.

Here is an abbreviated portion of my NAT router rules.

# LAN_INTERFACE is set earlier in the full script (not shown in this excerpt).

# Flush and delete everything first
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain

# Default policies
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP

iptables -t nat --policy POSTROUTING DROP

# Loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
###############################################################################

# Masquerade everything leaving on ppp0
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

###############################################################################
# INPUT RULES

# RELATED & ESTABLISHED RULES
iptables -A INPUT -i ppp0 \
	-m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -o ppp0 \
	-m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -o eth0 \
	-m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -i ppp0 -o $LAN_INTERFACE \
	-m state --state ESTABLISHED,RELATED -j ACCEPT

###############################################################################
# Forward related, established rules

iptables -A FORWARD -i $LAN_INTERFACE -o ppp0 \
	-m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -o ppp0 \
	-m state --state ESTABLISHED,RELATED -j ACCEPT





* Re: Masquerade problems
From: Ralf Spenneberg @ 2003-12-15 13:05 UTC (permalink / raw)
  To: john bowers; +Cc: Netfilter

On Mon, 2003-12-15 at 12:34, john bowers wrote:
> Is this a routing problem or am I misusing the 
> Masquerade function? Any help would greatly be appreciated as I don't 
> know where else to ask.
> iptables --policy OUTPUT DROP
> iptables -A OUTPUT -o lo -j ACCEPT
> iptables -A OUTPUT -o eth0 \
> 	-m state --state ESTABLISHED,RELATED -j ACCEPT

You are missing an OUTPUT rule:
iptables -A OUTPUT -o eth0 -m state --state NEW -j ACCEPT

Cheers,

Ralf
-- 
Ralf Spenneberg
RHCE, RHCX

Book: VPN mit Linux
Book: Intrusion Detection für Linux Server   http://www.spenneberg.com
IPsec-Howto				     http://www.ipsec-howto.org
Honeynet Project Mirror:                     http://honeynet.spenneberg.org
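
A worked version of Ralf's fix, added here as an example; it is not the
script from either message. It assumes the LAN side is eth0 (the post uses
$LAN_INTERFACE without showing its value), the WAN link is ppp0, and that
the INPUT and FORWARD rules the post abbreviated away look like the ones
below. Two facts worth knowing when reading the first message: a packet the
box generates itself that hits a DROP policy is refused at the socket, which
is why ping reports "Operation not permitted" rather than timing out; and the
nat table only ever sees the first packet of a connection, so the DROP policy
the post sets on nat POSTROUTING drops that first packet whenever no nat rule
matches, which is what happens to a connection leaving on the LAN interface.
The audit function scans an iptables-save dump and reports whether the OUTPUT
chain lets the box originate (NEW) connections on a given interface; the two
dumps are constructed to mirror the chain before and after the missing rule.

```shell
#!/bin/sh
# Added example, not the script from the post. Assumptions: LAN is eth0,
# WAN is ppp0, and the rules the post left out look like the ones below.

LAN_INTERFACE=eth0
WAN_INTERFACE=ppp0

# Print the corrected rule set. Printing instead of executing lets it be
# reviewed first; apply with:  fixed_rules | sh
fixed_rules() {
    cat <<EOF
iptables --flush
iptables -t nat --flush
iptables --delete-chain
iptables -t nat --delete-chain
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP
# Only the first packet of a connection traverses the nat table; a DROP
# policy there drops it when no nat rule matches, so a connection the box
# starts out $LAN_INTERFACE would die here even with the filter fixed.
iptables -t nat --policy POSTROUTING ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_INTERFACE -j MASQUERADE
iptables -A INPUT -i $WAN_INTERFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_INTERFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_INTERFACE -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o $WAN_INTERFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $LAN_INTERFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
# The rule Ralf points out: without it every connection the box itself
# starts towards the LAN hits the OUTPUT DROP policy (EPERM at the socket).
iptables -A OUTPUT -o $LAN_INTERFACE -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $LAN_INTERFACE -o $WAN_INTERFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN_INTERFACE -o $LAN_INTERFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Read an iptables-save dump on stdin. Return 0 if the OUTPUT chain lets the
# box originate (NEW) connections out of interface $1, 1 if such packets
# reach a DROP/REJECT or fall through to the chain policy. First match wins,
# as in the kernel; a state-less ACCEPT/DROP counts as matching NEW too.
output_allows_new() {
    iface=$1
    while IFS= read -r line; do
        case "$line" in
            "-A OUTPUT "*"-o $iface "*"-j ACCEPT") verdict=0 ;;
            "-A OUTPUT "*"-o $iface "*"-j DROP"|"-A OUTPUT "*"-o $iface "*"-j REJECT"*) verdict=1 ;;
            *) continue ;;
        esac
        case "$line" in
            *--state*|*--ctstate*)
                case "$line" in
                    *NEW*) return $verdict ;;
                esac ;;
            *) return $verdict ;;
        esac
    done
    return 1
}

# Constructed iptables-save excerpt mirroring the OUTPUT chain from the post.
POST_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# The same excerpt with the missing rule added.
FIXED_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -m state --state NEW -j ACCEPT
COMMIT'

# Stand-alone use: `report eth0`. On a live box: iptables-save | output_allows_new eth0
report() {
    for name in POST_DUMP FIXED_DUMP; do
        eval "dump=\$$name"
        if printf '%s\n' "$dump" | output_allows_new "$1"; then
            echo "$name: OUTPUT accepts NEW packets out $1"
        else
            echo "$name: NEW packets out $1 fall through to the OUTPUT policy"
        fi
    done
}
```

The audit treats any protocol- or port-restricted ACCEPT/DROP on the
interface as if it applied to all NEW packets, so read its verdict as "the
chain can originate connections on this interface", not as a per-service
answer. Both Ralf's rule and the nat policy change are in fixed_rules; with
only the OUTPUT rule added, the first packet of a connection to the LAN would
still be dropped by the nat POSTROUTING policy from the post.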



* MASQUERADE problems
From: Jan-Aage Frydenbø-Bruvoll @ 2015-02-07 17:30 UTC (permalink / raw)
  To: netfilter

Dear List,

We are trying to set up an OpenVPN server with forwarding to a
specific range of IP addresses. Our configuration limits who gets
access to what networks via a combination of OpenVPN user-specific
routing instructions and static iptables rules, both in the FORWARD
chain and in the nat table POSTROUTING chain.

For my own user, for instance, my OpenVPN client would be instructed
to route network 1.2.3.0/24 (obfuscated) via the tunnel, and use PtP
addresses 10.39.1.2 10.39.1.1 for the local and remote end,
respectively.

On the server we'd have this set of rules:

$ iptables -t filter -S FORWARD
-P FORWARD DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.39.1.2/32 -i tun0 -o eth0 -j ACCEPT

$ iptables -t nat -S POSTROUTING
-P POSTROUTING DROP
-A POSTROUTING -s 10.39.1.2/32 -o eth0 -j MASQUERADE

Our problem is this: the MASQUERADE rule only triggers for certain
types of traffic! We have HTTPS, SSH and various other protocols
running just fine, but for some inexplicable reason the MASQUERADE
rule does not trigger on traffic to port 80. The recipient IP does not
seem to matter, and we can see via tcpdump that the packets end up in
the POSTROUTING chain without being rewritten. Correspondingly, we can
see other protocols' packets arrive and leave the chain, correctly
rewritten, and they will then (obviously) turn up on the recipient
side and be replied to.

We have also tried using a correspondingly crafted SNAT rule instead
of the MASQUERADE rule - this exhibits the exact same behaviour.
Everything but port 80 works.

The VPN server is a Gentoo machine with kernel 3.14.14 and iptables
toolkit version 1.4.21-r1, explicitly recompiled against this kernel.

Would the list know of any known bugs, or see any obvious mistakes in
this setup? It's quite frankly driving us a bit mad at the moment - we
cannot see the sense in it.

Your kind assistance will be greatly appreciated.

Best regards
Jan
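
No reply to this message appears on the page. One check worth making before
suspecting the NAT code, added here as an example and not part of the thread:
the NAT decision for a connection is taken once, on its first packet, and
conntrack records both the original tuple and the reply tuple it expects.
Later packets of that connection never re-enter the nat POSTROUTING chain, so
tcpdump showing unrewritten packets is consistent with a conntrack entry that
was created without NAT (for instance one that predates the rule). A flow
whose reply tuple is still addressed to the un-rewritten source was never
NATed, whatever the rule says now. The function below parses `conntrack -L`
text output and lists such flows for a source address; the sample lines are
constructed, with 203.0.113.10 standing in for the obfuscated 1.2.3.0/24
target and 198.51.100.5 for the server's eth0 address.

```shell
#!/bin/sh
# Added example, not from the thread. Lists connections from a given source
# address whose conntrack entry carries no source NAT: if the expected reply
# is still addressed to the original source, no SNAT/MASQUERADE was applied
# when the connection was created. Input is the text format of `conntrack -L`.

# Constructed sample in the format of `conntrack -L` on the VPN server from
# the post (10.39.1.2 is the tunnel address; 203.0.113.x and 198.51.100.5 are
# made-up stand-ins for the obfuscated targets and the eth0 address).
CT_SAMPLE='tcp      6 431998 ESTABLISHED src=10.39.1.2 dst=203.0.113.10 sport=40001 dport=443 src=203.0.113.10 dst=198.51.100.5 sport=443 dport=40001 [ASSURED] mark=0 use=1
tcp      6 117 SYN_SENT src=10.39.1.2 dst=203.0.113.10 sport=40002 dport=80 [UNREPLIED] src=203.0.113.10 dst=10.39.1.2 sport=80 dport=40002 mark=0 use=1
udp      17 29 src=10.39.1.2 dst=203.0.113.53 sport=40003 dport=53 src=203.0.113.53 dst=198.51.100.5 sport=53 dport=40003 mark=0 use=1
tcp      6 431990 ESTABLISHED src=192.0.2.7 dst=203.0.113.10 sport=50001 dport=80 src=203.0.113.10 dst=192.0.2.7 sport=80 dport=50001 [ASSURED] mark=0 use=1'

# Read conntrack -L lines on stdin; print "proto dst dport" for every entry
# whose original source is $1 and whose reply tuple is still addressed to $1
# (no source NAT in effect for that connection).
unnatted_flows() {
    awk -v src="$1" '
    {
        ns = 0; nd = 0; dport = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/)        { ns++; s[ns] = substr($i, 5) }
            else if ($i ~ /^dst=/)   { nd++; d[nd] = substr($i, 5) }
            else if ($i ~ /^dport=/ && dport == "-") dport = substr($i, 7)
        }
        # s[1]/d[1]: original tuple, s[2]/d[2]: expected reply tuple
        if (ns == 2 && nd == 2 && s[1] == src && d[2] == src)
            print $1, d[1], dport
    }'
}

# Stand-alone run over the sample. On the real box:
#   conntrack -L | unnatted_flows 10.39.1.2
# For each flow listed, deleting its entry forces a fresh NAT decision on the
# next packet, e.g.:  conntrack -D -s 10.39.1.2 -p tcp --dport 80
demo() {
    printf '%s\n' "$CT_SAMPLE" | unnatted_flows 10.39.1.2
}
```

On the sample this prints only the port-80 flow: the HTTPS and DNS entries
have a reply tuple addressed to the eth0 address, so they were masqueraded,
and the 192.0.2.7 entry belongs to another source. If the live box shows the
same pattern, compare the packet counters of `iptables -t nat -L POSTROUTING
-v -n` before and after clearing those entries.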

