* IPTABLES:Let external address appear as an internal address
From: mabra @ 2012-08-31 11:11 UTC (permalink / raw)
To: netfilter
Hi All !
Just this moment, I am completely "destroyed", I am working on iptables
rules and cannot make it work.
[using debian squeeze, iptables, monit monitoring program].
[eth1: internet==$EXTIF, eth0: local==$INTIF]
[192.168.6.254 is the LAN port of the firewall at eth0]
The problem is this: The monit daemon is configured to accept
packets on the internal address only and I think, this is right.
Usually nearly nothing internal should accept packets from outside.
The daemon cannot be bound to a specific interface, but just by
ip address and mask. Internally, everything works fine [http requests
from inside 192.168.26.0/24 are working]. To allow to redirect packets
from outside to this daemon, I wrote these two filters, where the
incoming external traffic should use port 9995:
$IPTABLES -t nat -A PREROUTING -p tcp -d $EXTADDR --dport 9995 \
-j DNAT --to-destination 192.168.6.254:2812
$IPTABLES -t nat -A POSTROUTING -p tcp -d 192.168.6.254 --dport 2812 \
-j SNAT --to-source 192.168.6.254:3000
The daemon gets accessed, but denies the request, because the source
address it sees is not from the LAN, but the external client ip address.
So my SNAT does not seem to work.
I used the same pair of rules to redirect the traffic to another LAN
machine. Making a tcpdump there shows that it works. That
tcpdump shows 192.168.6.254:3000 as the source address.
Could someone perhaps give me some help?
Thanks anyway,
++mabra
* Re: IPTABLES:Let external address appear as an internal address
From: Andrew Beverley @ 2012-08-31 17:36 UTC (permalink / raw)
To: mabra; +Cc: netfilter
On Fri, 2012-08-31 at 13:11 +0200, mabra@manfbraun.de wrote:
> [using debian squeeze, iptables, monit monitoring program].
> [eth1: internet==$EXTIF, eth0: local==$INTIF]
> [192.168.6.254 is the LAN port of the firewall at eth0]
>
> The problem is this: The monit daemon is configured to accept
> packets on the internal address only and I think, this is right.
> Usually nearly nothing internal should accept packets from outside.
> The daemon cannot be bound to a specific interface, but just by
> ip address and mask. Internally, everything works fine [http requests
> from inside 192.168.26.0/24 are working]. To allow to redirect packets
> from outside to this daemon, I wrote these two filters, where the
> incoming external traffic should use port 9995:
>
> $IPTABLES -t nat -A PREROUTING -p tcp -d $EXTADDR --dport 9995 \
> -j DNAT --to-destination 192.168.6.254:2812
>
> $IPTABLES -t nat -A POSTROUTING -p tcp -d 192.168.6.254 --dport 2812 \
> -j SNAT --to-source 192.168.6.254:3000
>
> The daemon gets accessed, but denies the request, because the source
> address it sees is not from the LAN, but the external client ip address.
> So my SNAT does not seem to work.
I may have misunderstood, in which case a diagram would be useful, but
is the monit daemon on the same machine as the iptables rules? If so,
SNAT will have no effect, as it only works on the POSTROUTING table (as
packets leave the machine). It will therefore have no effect on packets
to process on the local machine.
Off the top of my head, I'm not sure of the solution you could use. You
might want to look at the IFB interface to see if that can be used in
any way.
Andy
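A check that follows from Andy's point, added here as an example (it is not code from the thread or from the netfilter project): a POSTROUTING rule whose -d is one of the firewall's own addresses can never match, because a packet addressed to a local address is delivered through INPUT to the local process and never reaches POSTROUTING. The script takes an iptables-save style dump (a constructed one, modelled on the nat rules in the first post, with the same rule pair also aimed at another LAN host; 203.0.113.10 stands in for $EXTADDR and 192.168.6.20 for the other LAN machine, both placeholders) plus the list of the box's own addresses, and reports the rules that can never fire. The rule aimed at the other host is kept as a contrast: that packet is forwarded, so it does traverse POSTROUTING, which is why the same pair worked there.

```shell
#!/bin/sh
# Added example (not from the thread): flag POSTROUTING rules that can never
# match because their destination is an address of the firewall itself.
# A packet addressed to a local address is delivered via INPUT to the local
# process and never traverses POSTROUTING, so a SNAT keyed on it is dead.

# Constructed iptables-save style dump of the nat rules from the first post,
# plus the same rule pair aimed at another LAN host. Placeholders:
# 203.0.113.10 stands in for $EXTADDR, 192.168.6.20 for the other LAN machine.
SAMPLE_NAT_RULES='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 9995 -j DNAT --to-destination 192.168.6.254:2812
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 9996 -j DNAT --to-destination 192.168.6.20:2812
-A POSTROUTING -d 192.168.6.254/32 -p tcp -m tcp --dport 2812 -j SNAT --to-source 192.168.6.254:3000
-A POSTROUTING -d 192.168.6.20/32 -p tcp -m tcp --dport 2812 -j SNAT --to-source 192.168.6.254:3000
COMMIT'

# Addresses configured on the firewall. On a live box collect them with:
#   ip -4 -o addr show | awk '{ split($4, a, "/"); print a[1] }'
LOCAL_ADDRS='127.0.0.1 192.168.6.254 203.0.113.10'

# dead_postrouting_rules DUMP LOCAL_ADDRS
# Prints every POSTROUTING rule whose -d is one of LOCAL_ADDRS; nothing otherwise.
dead_postrouting_rules() {
    printf '%s\n' "$1" | awk -v locals="$2" '
        BEGIN { n = split(locals, l, " "); for (i = 1; i <= n; i++) is_local[l[i]] = 1 }
        $1 == "-A" && $2 == "POSTROUTING" {
            for (i = 3; i < NF; i++) {
                if ($i == "-d") {
                    dst = $(i + 1)
                    sub(/\/32$/, "", dst)   # iptables-save writes host addresses as a.b.c.d/32
                    if (dst in is_local) { print; break }
                }
            }
        }'
}

# count_dead_rules DUMP LOCAL_ADDRS: number of such rules (0 when the set is clean).
count_dead_rules() {
    dead_postrouting_rules "$1" "$2" | grep -c . || true
}

# Demo on the constructed dump; on a live box:
#   dead_postrouting_rules "$(iptables-save)" "$LOCAL_ADDRS"
echo "POSTROUTING rules that can never match:"
dead_postrouting_rules "$SAMPLE_NAT_RULES" "$LOCAL_ADDRS"
```

On the sample the only hit is the SNAT rule for 192.168.6.254:2812, the one from the first post; the rule for 192.168.6.20 is not reported because that destination is not local. The check says nothing about whether rewriting the source of external traffic is a good idea; it only tells you which rules are unreachable, which is the first thing to know before reading tcpdump output.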
* RE: IPTABLES:Let external address appear as an internal address
From: mabra @ 2012-08-31 23:05 UTC (permalink / raw)
To: netfilter; +Cc: 'Andrew Beverley'
-----Original Message-----
From: Andrew Beverley [mailto:andy@andybev.com]
Sent: Friday, August 31, 2012 7:36 PM
To: mabra@manfbraun.de
Cc: netfilter@vger.kernel.org
Subject: Re: IPTABLES:Let external address appear as an internal address
On Fri, 2012-08-31 at 13:11 +0200, mabra@manfbraun.de wrote:
> [using debian squeeze, iptables, monit monitoring program].
> [eth1: internet==$EXTIF, eth0: local==$INTIF]
> [192.168.6.254 is the LAN port of the firewall at eth0]
>
> The problem is this: The monit daemon is configured to accept packets
> on the internal address only and I think, this is right.
> Usually nearly nothing internal should accept packets from outside.
> The daemon cannot be bound to a specific interface, but just by ip
> address and mask. Internally, everything works fine [http requests
> from inside 192.168.26.0/24 are working]. To allow to redirect packets
> from outside to this daemon, I wrote these two filters, where the
> incoming external traffic should use port 9995:
>
> $IPTABLES -t nat -A PREROUTING -p tcp -d $EXTADDR --dport 9995 \
> -j DNAT --to-destination 192.168.6.254:2812
>
> $IPTABLES -t nat -A POSTROUTING -p tcp -d 192.168.6.254 --dport 2812 \
> -j SNAT --to-source 192.168.6.254:3000
>
> The daemon gets accessed, but denies the request, because the source
> address it sees is not from the LAN, but the external client ip address.
> So my SNAT does not seem to work.
I may have misunderstood, in which case a diagram would be useful, but is the monit daemon on the same machine as the iptables rules? If so, SNAT will have no effect, as it only works on the POSTROUTING table (as packets leave the machine). It will therefore have no effect on packets to process on the local machine.
Off the top of my head, I'm not sure of the solution you could use. You might want to look at the IFB interface to see if that can be used in any way.
Andy
=======================================================================
Hi !
Thanks for your reply.
I studied the diagrams over and over and over again [Although, there are different
schemas on the net, the last I've used was on wikipedia]. What you said comes to
my mind, but I am not sure, because what a "local process" is, is not quite clear in the
diagram, and the diagram does not even have the usual LO interface, which is always present
too.
Yes, the monit daemon runs on the firewall machine with the iptables. The problem
came to my mind while I am re-building the box so that no service directly uses
the internet interface [eth1 for me]. Currently, I am finding each minute something
new.
Even the internal web cannot be used on the local machine, which is a must
for me. I saw the latter shortly, as I started to write a cron job which pulls something
out of my web for some monitoring reason. This is not working [both curl and wget
tell me: connection refused]. This web, running on apache, is reachable from outside
[internet] and from the LAN, but not from the local machine. Seems to be the same
issue. I am working on this for about three days now and I am out of hope. If there
is no way to make this work, I would need additional hardware :-(
This all was just recognized as I started to change my host and the firewall
to no longer have something running on the internet address.
This would lead to the situation to run all used services [web, monitoring etc.]
onto the public address of the firewall. Oh my ! From my point of view, this is
the worst case solution ever.
I would be pretty happy about each new thought. BTW, I've looked into
the mentioned IFB interface, but this will be out of my ability. I am "migrating"
to linux for years and I am not that experienced.
Best regards,
++mabra
* RE: IPTABLES:Let external address appear as an internal address
From: Andrew Beverley @ 2012-09-01 15:14 UTC (permalink / raw)
To: mabra; +Cc: netfilter
On Sat, 2012-09-01 at 01:05 +0200, mabra@manfbraun.de wrote:
> I studied the diagrams over and over and over again [Although, there
> are different schemas on the net, the last I've used, was on
> wikipedia].
I assume you mean this one[1]. That is the most accurate, although it
might be a bit too detailed for a beginner.
> What you said, comes to my mind, but I am not sure,
> because, what is a "local process"
A process running on the same machine that iptables is running on.
Packets to/from the local process will go via the INPUT/OUTPUT chains
instead of FORWARD.
> is not quite clear in the diagram and
> the diagram does not even have the usual LO interface, which is always present
> too.
The local interface is like a normal physical interface, so can be
treated as such when looking at the packet flow diagram. If you're
accessing a local process through lo, then packets will come in from lo,
travel through INPUT, and be received by the local process. Return
packets generated by the process will be returned via OUTPUT back to the
lo interface.
> Yes, the monit daemon runs on the firewall machine with the iptables.
In which case you cannot use POSTROUTING to alter packets destined to
it.
> Even the internal web cannot be used on the local machine,
There is no technical reason that it cannot.
> This is not working [both, curl and wget
> say me: connection refused].
In which case either the daemon is refusing the connection or the
packets are being rejected by an iptables rule.
> Seems to be the same
> issue.
Same issue as what?
> I am working on this for about three day now and I am out of hope.
What exactly are you trying to achieve? I have not used monit, but I
would be surprised if you have to translate addresses and ports to make
it work how you want it to.
P.S. I recommend a better email client than MS Outlook if you want to
partake in mailing lists. This will allow you to perform proper quoting
when replying :-)
Andy
[1]
http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
* RE: IPTABLES:Let external address appear as an internal address
From: mabra @ 2012-09-02 11:48 UTC (permalink / raw)
To: netfilter; +Cc: 'Andrew Beverley'
Hello !
Ok, configured Outlook to make better replies ;-)
[And I have notes in your original text].
I just spoke about Monit, because I thought it is easier to describe.
The main problem is accessing the apache web. For this, I have these
iptables statements:
#from extern to apache [apache using 192.168.2.254]:
$IPTABLES -t nat -A PREROUTING -i eth1 -d $EXTADDR -p tcp --dport 80 -j DNAT --to-destination $INTADDR
#from LAN machines [coming from 192.168.2.0/24]:
$IPTABLES -t nat -A PREROUTING -i eth0 -d $EXTADDR -p tcp --dport 80 -j DNAT --to-destination $INTADDR
This works fine. But if I am logged onto the firewall machine and use
iceweasel interactively [on the gnome desktop] and/or curl/wget from
a cron job, this fails. I get a request timeout. This, in turn, may indicate
that I am missing a backward rule.
This is my main concern [or my too small understanding of iptables ;-) ]
Thank you for your replies so far!!
Regards,
++mabra
See my infra here:
http://www.manfbraun.de/cont/tech/probs/Infra-1.png
> -----Original Message-----
> From: netfilter-owner@vger.kernel.org [mailto:netfilter-
> owner@vger.kernel.org] On Behalf Of Andrew Beverley
> Sent: Saturday, September 01, 2012 5:15 PM
> To: mabra@manfbraun.de
> Cc: netfilter@vger.kernel.org
> Subject: RE: IPTABLES:Let external address appear as an internal address
>
> On Sat, 2012-09-01 at 01:05 +0200, mabra@manfbraun.de wrote:
> > I studied the diagrams over and over and over again [Although, there
> > are different schemas on the net, the last I've used, was on
> > wikipedia].
>
> I assume you mean this one[1]. That is the most accurate, although it might be
> a bit too detailed for a beginner.
>
> > What you said, comes to my mind, but I am not sure, because, what is
> > a "local process"
>
> A process running on the same machine that iptables is running on.
> Packets to/from the local process will go via the INPUT/OUTPUT chains instead
> of FORWARD.
From network programming, a process must bind to an ip-address or
interface. Does your statement mean that routing never happens in the
local machine? If there is routing, then there is the POSTROUTING's SNAT
which would help me. I am just thinking about making an additional interface,
say, "eth0:0=192.168.1.1". In this case, can I have iptables route the
packet to this interface? Then this would be another network!
>
> > is not quite clear in the diagram and
> > the diagram does not even have the usual LO interface, which is always
> > present too.
>
> The local interface is like a normal physical interface, so can be treated as such
> when looking at the packet flow diagram. If you're accessing a local process
> through lo, then packets will come in from lo, travel through INPUT, and be
> received by the local process. Return packets generated by the process will be
> returned via OUTPUT back to the lo interface.
>
> > Yes, the monit daemon runs on the firewall machine with the iptables.
>
> In which case you cannot use POSTROUTING to alter packets destined to it.
>
> > Even the internal web cannot be used on the local machine,
>
> There is no technical reason that it cannot.
>
> > This is not working [both, curl and wget say me: connection refused].
>
> In which case either the daemon is refusing the connection or the packets are
> being rejected by an iptables rule.
>
> > Seems to be the same
> > issue.
>
> Same issue as what?
Same situation like cron with wget/curl to access the "external apache"
web.
>
> > I am working on this for about three day now and I am out of hope.
>
> What exactly are you trying to achieve? I have not used monit, but I would be
> surprised if you have to translate addresses and ports to make it work how you
> want it to.
>
> P.S. I recommend a better email client than MS Outlook if you want to partake
> in mailing lists. This will allow you to perform proper quoting when replying :-)
>
> Andy
>
> [1]
> http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-
> flow.svg
* RE: IPTABLES:Let external address appear as an internal address
From: Andrew Beverley @ 2012-09-02 13:25 UTC (permalink / raw)
To: mabra; +Cc: netfilter
On Sun, 2012-09-02 at 13:48 +0200, mabra@manfbraun.de wrote:
> Ok, configured Outlook to make better replies ;-)
Good stuff, although my previous comment still stands :)
> #from extern to apache [apache using 192.168.2.254]:
> $IPTABLES -t nat -A PREROUTING -i eth1 -d $EXTADDR -p tcp --dport 80 -j DNAT --to-destination $INTADDR
>
> #from LAN machines [coming from 192.168.2.0/24]:
> $IPTABLES -t nat -A PREROUTING -i eth0 -d $EXTADDR -p tcp --dport 80 -j DNAT --to-destination $INTADDR
Why are you using DNAT here? Does Apache not respond to each IP address
that the server has? Have you set Apache to listen on all interfaces/IP
addresses? (See the "Listen" directive).
> This works fine. But if I am logged onto the firewall machine and use
> iceweasel interactively [on the gnome desktop] and or curl/wget from
> a cron job, this fails. I get a request timeout. This, in turn, may indicate,
> that I am missing a backward rule.
Possibly you are dropping traffic from the local network device. To
check whether this is the case, I recommend temporarily removing *all*
iptables rules (and setting the default policy to ACCEPT). If it then
starts working, you know that the problem is that you are dropping
packets somewhere with netfilter.
The output of "iptables-save" would be useful at this point.
> Thank you for your replies so far!!
No problem.
> > A process running on the same machine that iptables is running on.
> > Packets to/from the local process will go via the INPUT/OUTPUT chains instead
> > of FORWARD.
>
> From network programming, a process must bind to an ip-address or
> interface. Does your statement mean that routing never happens in the
> local machine?
The packets will still traverse the various parts of the network stack,
but I guess there isn't really routing as such to do, although there's
nothing to stop you forcing routing to a network outside of your
machine.
> If there is routing, then there is the POSTROUTING's SNAT
> which would help me. I am just thinking about making an additional interface,
> say, "eth0:0=192.168.1.1". In this case, can I have iptables route the
> packet to this interface? Then this would be another network!
I'm not sure I understand. I think you are complicating the problem
unnecessarily. If you want to access local processes via networking on
the local machine, then there is no need for fancy routing or address
translation.
Andy
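Two things from Andy's last reply, as an added example (not code from the thread or from the netfilter project): a text-only check over iptables-save output that reports the filter chains with a DROP policy and the PREROUTING DNAT rules that have no counterpart in the nat OUTPUT chain, and the flush-everything experiment Andy suggests, wrapped so that the saved ruleset is restored afterwards. The second check matters for the curl/wget/iceweasel case in the previous post: packets generated on the firewall itself never traverse PREROUTING, they pass nat OUTPUT and come back in through lo and INPUT, so the two PREROUTING rules posted there cannot apply to them. The sample dump is constructed; 203.0.113.10 and 192.168.2.254 stand in for $EXTADDR and $INTADDR.

```shell
#!/bin/sh
# Added example (not from the thread). Part 1: text checks over an
# iptables-save dump. Part 2: the "flush everything, policy ACCEPT, retry"
# experiment, with the original rules restored afterwards.

# Constructed dump modelled on the rules posted for Apache. Placeholders:
# 203.0.113.10 stands in for $EXTADDR, 192.168.2.254 for $INTADDR.
SAMPLE_RULESET='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -d 203.0.113.10/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.254
-A PREROUTING -i eth0 -d 203.0.113.10/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.254
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# drop_policies DUMP: prints table/chain for every built-in chain whose
# default policy is DROP. Anything not explicitly accepted in such a chain
# is silently discarded, which the client sees as a timeout.
drop_policies() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($1, 2) }
        /^:/ && $2 == "DROP" { print table "/" substr($1, 2) }'
}

# dnat_without_output_twin DUMP: prints each destination port that is DNATed
# in nat PREROUTING but not in nat OUTPUT. Packets generated on the firewall
# itself never traverse PREROUTING; they pass nat OUTPUT instead, so such a
# redirect is invisible to curl/wget/iceweasel running on the box.
dnat_without_output_twin() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($1, 2) }
        table == "nat" && $1 == "-A" && / -j DNAT / {
            port = ""
            for (i = 3; i < NF; i++) if ($i == "--dport") port = $(i + 1)
            if ($2 == "PREROUTING") pre[port] = 1
            if ($2 == "OUTPUT") out[port] = 1
        }
        END { for (p in pre) if (!(p in out)) print p }' | sort -n
}

# probe_without_firewall URL: Andy's experiment. Needs root and a real
# netfilter. Saves the ruleset, flushes every table, sets ACCEPT policies,
# fetches URL, then restores the saved rules (also when something fails).
# Returns curl's exit status, so 0 means the fetch worked without rules.
probe_without_firewall() {
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || { rm -f "$backup"; return 1; }
    trap 'iptables-restore < "$backup"; rm -f "$backup"' EXIT
    for t in filter nat mangle; do
        iptables -t "$t" -F
        iptables -t "$t" -X
    done
    for c in INPUT FORWARD OUTPUT; do iptables -P "$c" ACCEPT; done
    if curl -sS --max-time 5 -o /dev/null "$1"; then rc=0; else rc=$?; fi
    iptables-restore < "$backup"
    rm -f "$backup"
    trap - EXIT
    return "$rc"
}

# Demo on the constructed dump; on a live box pass "$(iptables-save)" instead.
echo "chains with DROP policy: $(drop_policies "$SAMPLE_RULESET" | tr '\n' ' ')"
echo "PREROUTING-only DNAT ports: $(dnat_without_output_twin "$SAMPLE_RULESET" | tr '\n' ' ')"
```

On the sample the checks report filter/INPUT and filter/FORWARD as DROP chains and port 80 as a PREROUTING-only redirect. If the DNAT approach is kept at all, the local-client equivalent of those PREROUTING rules is a rule in the nat OUTPUT chain with the same match and target, and the check keeps flagging the port until one exists; Andy's suggested route, letting Apache listen on every address, needs no NAT and no such rule. Run probe_without_firewall from the console rather than over a connection that the rules themselves carry, and read iptables-save afterwards to confirm the restore.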