From: David T-G <davidtg-netfilter@justpickone.org>
To: NetFilter Users' List <netfilter@lists.netfilter.org>
Cc: Ralf Spenneberg <lists@spenneberg.org>
Subject: Re: ready to cry over NATting!
Date: Tue, 20 May 2003 11:58:13 -0400
Message-ID: <20030520155813.GA33081@justpickone.org>
In-Reply-To: <1053440382.1993.117.camel@kermit.spenneberg.de>
Ralf, et al --
...and then Ralf Spenneberg said...
%
% On Tue, 2003-05-20 at 12:29, David T-G wrote:
...
% > Lifting directly from the "Made Simple" HOWTO, I tried
% >
% > modprobe ipt_MASQUERADE # If this fails, try continuing anyway
% > iptables -F; iptables -t nat -F; iptables -t mangle -F
% > iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to my.ip.add.ress
% > echo 1 > /proc/sys/net/ipv4/ip_forward
% > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
% > iptables -A INPUT -m state --state NEW -i ! eth1 -j ACCEPT
% > iptables -P INPUT DROP #only if the first two are successful
% > iptables -A FORWARD -i eth1 -o eth1 -j REJECT
% What are you trying to achieve?
% These rules do not allow any traffic through your firewall (Forward
% REJECT).
As I said, I was lifting from the HOWTO :-) I thought that that rule
rejected anything coming in on eth1 (external interface) that was due to
go back out on eth1.
The interesting thing is that traffic *did* go through the firewall,
since network is the only way I can access it. I ran that script and was
not locked out.
Again I don't understand!
%
% > So I went to Rusty's NAT HOWTO and built up some commands from it:
% >
% > Goal 1: NAT from eth1 (LAN) to and through eth0 (WAN) for client
% >
% OK, let's see. You have got 3 tables: filter, nat, and mangle.
% NAT is quite easy to setup:
%
% # Flush all
% iptables -F
% iptables -t nat -F
% iptables -t mangle -F
% # configure NAT
% iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
% # Turn on routing
% echo 1 > /proc/sys/net/ipv4/ip_forward
I tried that, too, and couldn't get in from the outside any more.
Perhaps at that point I didn't need to, though.
I can follow the flushes easily enough.
I'm not sure why I want to do postrouting going out the LAN interface; I
thought that NAT was for internal machines trying to get out. I *think*
that what I want is SNAT == source translation, and the NAT HOWTO doesn't
talk about DNAT == destination translation so I don't know that it's
needed -- but, of course, also don't really know about what I'm speaking.
[Oh, phooey -- I just realized that I had a typo, and you're obviously
going from what I wrote! eth0 is the LAN and eth1 is the WAN; sorry!]
%
% You should be able to ping now from an internal client to an external IP
% address. Note that DNS resolution might not work yet.
This is one test case that I didn't try since the firewall was otherwise
locked up.
% > Goal 2: Allow various connections and confirm that they work
% Now you are trying to filter. The filter table has three chains. Each
% chain has a specific task:
% INPUT only filters packets with the local machine as destination
Oh, INPUT from any interface; OK.
% OUTPUT only filters packets originating on the local machine
% FORWARD only sees those packets not covered by INPUT and OUTPUT being
% forwarded by the firewall.
OK. But this FORWARD is different from the NAT forward, right?
% If you want to allow new connections from the inside you need the
% following rules:
% # Deny everything through the machine
% iptables -P FORWARD DROP
% # Allow new connections from the inside
% iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW -j ACCEPT
% # Allow established connections
% iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
%
% Your firewall is still accessible, because when the firewall takes part
% in the communication only INPUT and OUTPUT are used.
Ahhh... OK.
% >
% > Goal 3: Disallow Bad Stuff from WAN
% >
% > Goal 4: Disallow Bad Stuff from LAN
% >
% > is a good step-by-step approach but I can't even get past #1 :-(
% Tell me if you know what I am talking about and if it helps you to get
% past #1.
I'm close, I think. I'd start with
# flush everything
iptables -t filter -F ; iptables -t mangle -F ; iptables -t nat -F
# allow masquerading
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
to just forward packets from inside clients and then perhaps add
# outbound connections through
iptables -t filter -A FORWARD -i eth0 -o eth1 -m state --state NEW -j ACCEPT
# returning connections through
iptables -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
to allow things like pings to go out and in. Then I'd need
# incoming to
iptables -t filter -A INPUT -j ACCEPT
to just let everything going to the box -- like my ssh -- get there. Not
yet secure, but a start, right?
% Cheers,
%
% Ralf
Thanks *so* much! & HAND
:-D
--
David T-G * There is too much animal courage in
(play) davidtg@justpickone.org * society and not sufficient moral courage.
(work) davidtgwork@justpickone.org -- Mary Baker Eddy, "Science and Health"
http://justpickone.org/davidtg/ Shpx gur Pbzzhavpngvbaf Qrprapl Npg!
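The exchange above turns on two points: which of the three filter chains a packet visits (Ralf's INPUT/OUTPUT/FORWARD explanation) and why a FORWARD policy of DROP plus the two stateful rules lets LAN clients out while leaving the firewall itself reachable over ssh. The following is an added example, not code from the thread: a small Python model of that packet path using David's corrected interface names (eth0 = LAN, eth1 = WAN). The addresses, the `Packet`/`Rule` types and the `trace` function are constructed for illustration; the model only covers interface and state matching, and treats conntrack's reverse translation of replies as already done.

```python
# Added example (not from the thread): toy model of Netfilter chain selection
# and stateful filtering for the NAT firewall discussed in the message.
# Interface roles follow David's correction: eth0 is the LAN, eth1 is the WAN.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LAN, WAN = "eth0", "eth1"
# Constructed addresses of the firewall's own interfaces.
IFACE_ADDR = {LAN: "192.168.1.1", WAN: "203.0.113.10"}
FIREWALL_ADDRS = set(IFACE_ADDR.values())


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: Optional[str]   # None for packets generated on the firewall
    out_iface: Optional[str]  # None for packets delivered to the firewall
    state: str                # conntrack's view: NEW, ESTABLISHED or RELATED


@dataclass(frozen=True)
class Rule:
    """One iptables rule: unset fields match anything (like omitting -i/-o/-m state)."""
    target: str
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    states: Optional[frozenset] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.in_iface is None or pkt.in_iface == self.in_iface)
                and (self.out_iface is None or pkt.out_iface == self.out_iface)
                and (self.states is None or pkt.state in self.states))


# filter table, as (policy, ordered rules) per chain.  This is Ralf's
# FORWARD set-up with David's interfaces and his "INPUT accepts all" start.
FILTER: Dict[str, Tuple[str, List[Rule]]] = {
    "INPUT":   ("ACCEPT", []),
    "OUTPUT":  ("ACCEPT", []),
    "FORWARD": ("DROP", [
        Rule("ACCEPT", in_iface=LAN, out_iface=WAN, states=frozenset({"NEW"})),
        Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})),
    ]),
}
# nat table: iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
NAT_POSTROUTING = [Rule("MASQUERADE", out_iface=WAN)]


def chain_for(pkt: Packet) -> str:
    """INPUT for packets addressed to the box, OUTPUT for packets it generates,
    FORWARD for everything that merely transits it."""
    if pkt.dst in FIREWALL_ADDRS:
        return "INPUT"
    if pkt.in_iface is None:
        return "OUTPUT"
    return "FORWARD"


def filter_verdict(pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; otherwise the chain policy applies."""
    chain = chain_for(pkt)
    policy, rules = FILTER[chain]
    for rule in rules:
        if rule.matches(pkt):
            return chain, rule.target
    return chain, policy


def postroute(pkt: Packet) -> str:
    """Source address after nat/POSTROUTING; MASQUERADE rewrites it to the
    address of the outgoing interface.  Locally delivered packets skip it."""
    if pkt.out_iface is None:
        return pkt.src
    for rule in NAT_POSTROUTING:
        if rule.matches(pkt) and rule.target == "MASQUERADE":
            return IFACE_ADDR[pkt.out_iface]
    return pkt.src


def trace(pkt: Packet) -> Tuple[str, str, Optional[str]]:
    """(chain visited, verdict, source address on the wire or None if dropped)."""
    chain, verdict = filter_verdict(pkt)
    return chain, verdict, (postroute(pkt) if verdict == "ACCEPT" else None)


# Constructed sample traffic; 198.51.100.0/24 stands in for the Internet.
SAMPLES = {
    "lan client out":      Packet("192.168.1.20", "198.51.100.5", LAN, WAN, "NEW"),
    "reply to lan client": Packet("198.51.100.5", "192.168.1.20", WAN, LAN, "ESTABLISHED"),
    "unsolicited from wan": Packet("198.51.100.7", "192.168.1.20", WAN, LAN, "NEW"),
    "ssh to firewall":     Packet("198.51.100.7", IFACE_ADDR[WAN], WAN, None, "NEW"),
    "firewall itself out": Packet(IFACE_ADDR[WAN], "198.51.100.5", None, WAN, "NEW"),
}


def run_samples() -> Dict[str, Tuple[str, str, Optional[str]]]:
    return {name: trace(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:22s} -> chain={result[0]:8s} verdict={result[1]:6s} src={result[2]}")
```

Running it shows the property David was puzzled by: the unsolicited WAN packet is dropped in FORWARD, yet the ssh session to the firewall's own address never enters FORWARD at all, so a restrictive FORWARD policy cannot lock him out; only INPUT can.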
Thread overview: 7+ messages
2003-05-20 10:29 ready to cry over NATting! David T-G
2003-05-20 14:19 ` Ralf Spenneberg
2003-05-20 15:58 ` David T-G [this message]
2003-05-20 17:18 ` Ralf Spenneberg
2003-05-20 19:35 ` David T-G
2003-05-21 23:38 ` Thorsten Scherf
2003-05-21 1:11 ` tears of joy! (was "Re: ready to cry over NATting!") David T-G