From mboxrd@z Thu Jan 1 00:00:00 1970
From: Madison Kelly
Subject: Rewrote script; Still can't get out from DNAT'ed servers...
Date: Thu, 19 Feb 2004 10:36:12 -0500
Sender: netfilter-admin@lists.netfilter.org
Message-ID: <4034D7EC.2010206@alteeve.com>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; format="flowed"
To: netfilter@lists.netfilter.org

Hi all,

A few days ago I posted a problem I had with 'iptables' (Fedora Core 1, 2.4.2166 kernel) and NAT'ed servers. I never got a reply, but I also found some big problems, so I rewrote a good chunk of my script; the problem remains. I hope no one minds me asking again for help with the new info in 'iptables-save' :)

I have my network set up like this:

LAN clients - 192.168.1.0/24, eth0
SRV clients - 192.168.2.0/24, eth1
Public IPs  - 111.222.33.32/27, eth2

eth0   - 192.168.1.1
eth1   - 192.168.2.1
eth2   - 111.222.33.34
eth2:0 - 111.222.33.46
eth2:1 - 111.222.33.47
eth2:2 - 111.222.33.48

I have all of my LAN SNAT'ed behind the firewall's IP address and that network is working great. I have each Server client DNAT/SNAT'ed behind a single public IP address. For example, the machine I am currently testing from is DNAT'ed to 192.168.2.12 and SNAT'ed to 111.222.33.47. I have a test web server up and 'sshd' running and I specifically allowed ports 22 and 80 into that server. Internet and LAN clients -can- connect to the server just fine.

The problem lies in that the server -cannot- connect out to the Internet. I think it has something to do with the DNAT because when I simply SNAT the 192.168.2.0/24 subnet behind the firewall (as though it too were a LAN subnet) then I can connect out fine.

Does anyone have any suggestions as to what I could be doing wrong? I admit the script is still being debugged so there may still be unrelated problems, too.
Thanks again for any potential help!

Madison

PS - Watch the answer end up being one that was staring me in the face! :)

-= 'iptables-save' =-
# Generated by iptables-save v1.2.9 on Thu Feb 19 10:20:06 2004
*mangle
:PREROUTING ACCEPT [39:3516]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [39:3516]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [36:3216]
COMMIT
# Completed on Thu Feb 19 10:20:06 2004
# Generated by iptables-save v1.2.9 on Thu Feb 19 10:20:06 2004
*nat
:PREROUTING ACCEPT [4:400]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 111.222.33.47 -j DNAT --to-destination 192.168.2.12
-A PREROUTING -d 111.222.33.48 -j DNAT --to-destination 192.168.2.11
-A PREROUTING -d 111.222.33.46 -j DNAT --to-destination 192.168.2.15
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth2 -j SNAT --to-source 111.222.33.34
-A POSTROUTING -s 192.168.2.12 -j SNAT --to-source 111.222.33.47
-A POSTROUTING -s 192.168.2.11 -j SNAT --to-source 111.222.33.48
-A POSTROUTING -s 192.168.2.15 -j SNAT --to-source 111.222.33.46
COMMIT
# Completed on Thu Feb 19 10:20:06 2004
# Generated by iptables-save v1.2.9 on Thu Feb 19 10:20:06 2004
*filter
:INPUT DROP [0:0]
:FORWARD DROP [3:300]
:OUTPUT ACCEPT [0:0]
:FWIN - [0:0]
:FWOUT - [0:0]
:LANIN - [0:0]
:LANOUT - [0:0]
:LDROP - [0:0]
:LREJECT - [0:0]
:LTREJECT - [0:0]
:SRVIN - [0:0]
:SRVOUT - [0:0]
:TCPACCEPT - [0:0]
:TREJECT - [0:0]
:UDPACCEPT - [0:0]
:ULDROP - [0:0]
:ULREJECT - [0:0]
:ULTREJECT - [0:0]
-A INPUT -i eth2 -j FWIN
-A INPUT -i eth0 -j FWIN
-A INPUT -i eth1 -j FWIN
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
-A FORWARD -i eth2 -o eth0 -j LANIN
-A FORWARD -i eth0 -o eth2 -j LANOUT
-A FORWARD -i eth2 -o eth1 -j SRVIN
-A FORWARD -i eth1 -o eth2 -j SRVOUT
-A FORWARD -i eth1 -o eth0 -j LANIN
-A FORWARD -i eth0 -o eth1 -j LANOUT
-A OUTPUT -o eth2 -j FWOUT
-A OUTPUT -o eth0 -j FWOUT
-A OUTPUT -o eth1 -j FWOUT
-A FWIN -m state --state INVALID -j TREJECT
-A FWIN -p tcp -m mac --mac-source 00:50:BA:D2:31:0F -m tcp --dport 22 -j TCPACCEPT
-A FWIN -p tcp -m mac --mac-source 00:02:B3:07:F6:1A -m tcp --dport 22 -j TCPACCEPT
-A FWIN -p tcp -m mac --mac-source 00:60:97:6D:A1:0E -m tcp --dport 22 -j TCPACCEPT
-A FWIN -p udp -m mac --mac-source 00:50:BA:D2:31:0F -m udp --dport 22 -j UDPACCEPT
-A FWIN -p udp -m mac --mac-source 00:02:B3:07:F6:1A -m udp --dport 22 -j UDPACCEPT
-A FWIN -p udp -m mac --mac-source 00:60:97:6D:A1:0E -m udp --dport 22 -j UDPACCEPT
-A FWIN -i eth0 -p tcp -m tcp --dport 53 -j TCPACCEPT
-A FWIN -i eth0 -p udp -m udp --dport 53 -j UDPACCEPT
-A FWIN -i eth1 -p tcp -m tcp --dport 53 -j TCPACCEPT
-A FWIN -i eth1 -p udp -m udp --dport 53 -j UDPACCEPT
-A FWIN -p icmp -m icmp --icmp-type 5 -j TREJECT
-A FWIN -p icmp -m icmp --icmp-type 9 -j TREJECT
-A FWIN -p icmp -m icmp --icmp-type 10 -j TREJECT
-A FWIN -p icmp -m icmp --icmp-type 15 -j TREJECT
-A FWIN -p icmp -m icmp --icmp-type 16 -j TREJECT
-A FWIN -p icmp -m icmp --icmp-type 17 -j TREJECT
-A FWIN -p icmp -m icmp --icmp-type 18 -j TREJECT
-A FWIN -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A FWIN -p icmp -m icmp --icmp-type 8 -j TREJECT
-A FWIN -p icmp -m icmp ! --icmp-type 8 -j ACCEPT
-A FWIN -m state --state ESTABLISHED -j ACCEPT
-A FWIN -p tcp -m tcp --dport 1024:65535 -m state --state RELATED -j TCPACCEPT
-A FWIN -p udp -m udp --dport 1024:65535 -m state --state RELATED -j UDPACCEPT
-A FWIN -j TREJECT
-A FWOUT -j ACCEPT
-A LANIN -m state --state INVALID -j TREJECT
-A LANIN -p icmp -m icmp --icmp-type 5 -j TREJECT
-A LANIN -p icmp -m icmp --icmp-type 9 -j TREJECT
-A LANIN -p icmp -m icmp --icmp-type 10 -j TREJECT
-A LANIN -p icmp -m icmp --icmp-type 15 -j TREJECT
-A LANIN -p icmp -m icmp --icmp-type 16 -j TREJECT
-A LANIN -p icmp -m icmp --icmp-type 17 -j TREJECT
-A LANIN -p icmp -m icmp --icmp-type 18 -j TREJECT
-A LANIN -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A LANIN -p icmp -m icmp --icmp-type 8 -j TREJECT
-A LANIN -p icmp -m icmp ! --icmp-type 8 -j ACCEPT
-A LANIN -m state --state ESTABLISHED -j ACCEPT
-A LANIN -p tcp -m tcp --dport 1024:65535 -m state --state RELATED -j TCPACCEPT
-A LANIN -p udp -m udp --dport 1024:65535 -m state --state RELATED -j UDPACCEPT
-A LANIN -s 192.168.2.12 -d 192.168.1.100 -p tcp -m tcp --dport 22 -j TCPACCEPT
-A LANIN -s 192.168.2.12 -d 192.168.1.100 -p udp -m udp --dport 22 -j UDPACCEPT
-A LANIN -j TREJECT
-A LANOUT -s 192.168.1.0/255.255.255.0 -o eth2 -j ACCEPT
-A LANOUT -j ACCEPT
-A LDROP -p tcp -m limit --limit 2/sec -j LOG --log-prefix "TCP Dropped " --log-level 6
-A LDROP -p udp -m limit --limit 2/sec -j LOG --log-prefix "UDP Dropped " --log-level 6
-A LDROP -p icmp -m limit --limit 2/sec -j LOG --log-prefix "ICMP Dropped " --log-level 6
-A LDROP -f -m limit --limit 2/sec -j LOG --log-prefix "FRAGMENT Dropped "
-A LDROP -j DROP
-A LREJECT -p tcp -m limit --limit 2/sec -j LOG --log-prefix "TCP Rejected " --log-level 6
-A LREJECT -p udp -m limit --limit 2/sec -j LOG --log-prefix "UDP Rejected " --log-level 6
-A LREJECT -p icmp -m limit --limit 2/sec -j LOG --log-prefix "ICMP Rejected " --log-level 6
-A LREJECT -f -m limit --limit 2/sec -j LOG --log-prefix "FRAGMENT Rejected "
-A LREJECT -j REJECT --reject-with icmp-port-unreachable
-A LTREJECT -p tcp -m limit --limit 2/sec -j LOG --log-prefix "TCP Rejected " --log-level 6
-A LTREJECT -p udp -m limit --limit 2/sec -j LOG --log-prefix "UDP Rejected " --log-level 6
-A LTREJECT -p icmp -m limit --limit 2/sec -j LOG --log-prefix "ICMP Rejected " --log-level 6
-A LTREJECT -f -m limit --limit 2/sec -j LOG --log-prefix "FRAGMENT Rejected "
-A LTREJECT -j TREJECT
-A SRVIN -m state --state INVALID -j TREJECT
-A SRVIN -p icmp -m icmp --icmp-type 5 -j TREJECT
-A SRVIN -p icmp -m icmp --icmp-type 9 -j TREJECT
-A SRVIN -p icmp -m icmp --icmp-type 10 -j TREJECT
-A SRVIN -p icmp -m icmp --icmp-type 15 -j TREJECT
-A SRVIN -p icmp -m icmp --icmp-type 16 -j TREJECT
-A SRVIN -p icmp -m icmp --icmp-type 17 -j TREJECT
-A SRVIN -p icmp -m icmp --icmp-type 18 -j TREJECT
-A SRVIN -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A SRVIN -p icmp -m icmp --icmp-type 8 -j TREJECT
-A SRVIN -p icmp -m icmp ! --icmp-type 8 -j ACCEPT
-A SRVIN -m state --state ESTABLISHED -j ACCEPT
-A SRVIN -p tcp -m tcp --dport 1024:65535 -m state --state RELATED -j TCPACCEPT
-A SRVIN -p udp -m udp --dport 1024:65535 -m state --state RELATED -j UDPACCEPT
-A SRVIN -d 192.168.2.12 -p tcp -m tcp --dport 22 -j TCPACCEPT
-A SRVIN -d 192.168.2.12 -p tcp -m tcp --dport 53 -j TCPACCEPT
-A SRVIN -d 192.168.2.12 -p tcp -m tcp --dport 80 -j TCPACCEPT
-A SRVIN -d 192.168.2.12 -p udp -m udp --dport 22 -j UDPACCEPT
-A SRVIN -d 192.168.2.12 -p udp -m udp --dport 53 -j UDPACCEPT
-A SRVIN -d 192.168.2.12 -p udp -m udp --dport 80 -j UDPACCEPT
-A SRVIN -d 192.168.2.11 -p tcp -m tcp --dport 22 -j TCPACCEPT
-A SRVIN -d 192.168.2.11 -p tcp -m tcp --dport 25 -j TCPACCEPT
-A SRVIN -d 192.168.2.11 -p tcp -m tcp --dport 53 -j TCPACCEPT
-A SRVIN -d 192.168.2.11 -p tcp -m tcp --dport 80 -j TCPACCEPT
-A SRVIN -d 192.168.2.11 -p tcp -m tcp --dport 110 -j TCPACCEPT
-A SRVIN -d 192.168.2.11 -p udp -m udp --dport 22 -j UDPACCEPT
-A SRVIN -d 192.168.2.11 -p udp -m udp --dport 25 -j UDPACCEPT
-A SRVIN -d 192.168.2.11 -p udp -m udp --dport 53 -j UDPACCEPT
-A SRVIN -d 192.168.2.11 -p udp -m udp --dport 80 -j UDPACCEPT
-A SRVIN -d 192.168.2.11 -p udp -m udp --dport 110 -j UDPACCEPT
-A SRVIN -d 192.168.2.15 -p tcp -m tcp --dport 22 -j TCPACCEPT
-A SRVIN -d 192.168.2.15 -p tcp -m tcp --dport 53 -j TCPACCEPT
-A SRVIN -d 192.168.2.15 -p tcp -m tcp --dport 80 -j TCPACCEPT
-A SRVIN -d 192.168.2.15 -p udp -m udp --dport 22 -j UDPACCEPT
-A SRVIN -d 192.168.2.15 -p udp -m udp --dport 53 -j UDPACCEPT
-A SRVIN -d 192.168.2.15 -p udp -m udp --dport 80 -j UDPACCEPT
-A SRVIN -j TREJECT
-A SRVOUT -s 192.168.2.0/255.255.255.0 -o eth2 -j ACCEPT
-A SRVOUT -j ACCEPT
-A TCPACCEPT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec -j ACCEPT
-A TCPACCEPT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 2/sec -j LOG --log-prefix "Possible SynFlood "
-A TCPACCEPT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j TREJECT
-A TCPACCEPT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A TCPACCEPT -m limit --limit 2/sec -j LOG --log-prefix "Mismatch in TCPACCEPT "
-A TCPACCEPT -j TREJECT
-A TREJECT -p tcp -j REJECT --reject-with tcp-reset
-A TREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
-A TREJECT -p icmp -j DROP
-A TREJECT -j REJECT --reject-with icmp-port-unreachable
-A UDPACCEPT -p udp -j ACCEPT
-A UDPACCEPT -m limit --limit 2/sec -j LOG --log-prefix "Mismatch on UDPACCEPT "
-A UDPACCEPT -j TREJECT
-A ULDROP -p tcp -m limit --limit 2/sec -j ULOG --ulog-prefix "LDROP_TCP"
-A ULDROP -p udp -m limit --limit 2/sec -j ULOG --ulog-prefix "LDROP_UDP"
-A ULDROP -p icmp -m limit --limit 2/sec -j ULOG --ulog-prefix "LDROP_ICMP"
-A ULDROP -f -m limit --limit 2/sec -j ULOG --ulog-prefix "LDROP_FRAG"
-A ULDROP -j DROP
-A ULREJECT -p tcp -m limit --limit 2/sec -j ULOG --ulog-prefix "LREJECT_TCP"
-A ULREJECT -p udp -m limit --limit 2/sec -j ULOG --ulog-prefix "LREJECT_UDP"
-A ULREJECT -p icmp -m limit --limit 2/sec -j ULOG --ulog-prefix "LREJECT_UDP"
-A ULREJECT -f -m limit --limit 2/sec -j ULOG --ulog-prefix "LREJECT_FRAG"
-A ULREJECT -j REJECT --reject-with icmp-port-unreachable
-A ULTREJECT -p tcp -m limit --limit 2/sec -j ULOG --ulog-prefix "LTREJECT_TCP"
-A ULTREJECT -p udp -m limit --limit 2/sec -j ULOG --ulog-prefix "LTREJECT_UDP"
-A ULTREJECT -p icmp -m limit --limit 2/sec -j ULOG --ulog-prefix "LTREJECT_ICMP"
-A ULTREJECT -f -m limit --limit 2/sec -j ULOG --ulog-prefix "LTREJECT_FRAG"
-A ULTREJECT -p tcp -j REJECT --reject-with tcp-reset
-A ULTREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
-A ULTREJECT -p icmp -j DROP
-A ULTREJECT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Thu Feb 19 10:20:06 2004
-= 'iptables-save' =-
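A small audit of the nat table in the post, added here as example code (not from the original message): it parses the `*nat` section of an iptables-save dump, pairs each PREROUTING DNAT with the POSTROUTING SNAT for the same private host, and reports a pair that is missing, whose public addresses disagree, or whose SNAT rule carries no `-o`. On the posted table it flags the three per-server SNAT rules, which, unlike the LAN rule, are not restricted to eth2 and so also rewrite the source of server traffic forwarded to the LAN on eth0.

```python
# Added example (not code from the original post): audit the *nat table of an
# iptables-save dump, pairing each 1:1 DNAT with its SNAT. NAT_DUMP is the nat
# table copied from the post.
import shlex
NAT_DUMP = """\
*nat
-A PREROUTING -d 111.222.33.47 -j DNAT --to-destination 192.168.2.12
-A PREROUTING -d 111.222.33.48 -j DNAT --to-destination 192.168.2.11
-A PREROUTING -d 111.222.33.46 -j DNAT --to-destination 192.168.2.15
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth2 -j SNAT --to-source 111.222.33.34
-A POSTROUTING -s 192.168.2.12 -j SNAT --to-source 111.222.33.47
-A POSTROUTING -s 192.168.2.11 -j SNAT --to-source 111.222.33.48
-A POSTROUTING -s 192.168.2.15 -j SNAT --to-source 111.222.33.46
COMMIT
"""

def parse_rules(dump, table="nat"):
    """Return (chain, options) per '-A' rule in `table`; a bare flag maps to True."""
    rules, current = [], None
    for line in dump.splitlines():
        if line.startswith("*"):
            current = line[1:]
        elif line == "COMMIT":
            current = None
        elif current == table and line.startswith("-A "):
            toks, opts, i = shlex.split(line), {}, 2
            while i < len(toks):
                has_val = i + 1 < len(toks) and not toks[i + 1].startswith("-")
                opts[toks[i]] = toks[i + 1] if has_val else True
                i += 2 if has_val else 1
            rules.append((toks[1], opts))
    return rules

def audit_nat(dump):
    """Pair each DNAT (public -> private) with the SNAT for that host; report gaps."""
    rules = parse_rules(dump)
    dnat = {o["--to-destination"]: o for c, o in rules
            if c == "PREROUTING" and o.get("-j") == "DNAT"}
    snat = {o["-s"]: o for c, o in rules
            if c == "POSTROUTING" and o.get("-j") == "SNAT"}
    findings = []
    for host, d in dnat.items():
        s = snat.get(host)
        if s is None:
            findings.append(f"{host}: DNAT from {d['-d']} but no SNAT rule back out")
        elif s["--to-source"] != d["-d"]:
            findings.append(f"{host}: SNAT to {s['--to-source']}, DNAT from {d['-d']}")
        elif "-o" not in s:
            findings.append(f"{host}: SNAT has no -o, rewrites source on every interface")
    return findings
```

Run `audit_nat(NAT_DUMP)` to get the three findings; feed it the nat table of another dump to check a different 1:1 mapping.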