DNAT Rules.

DNAT Rules.

[Vincent Blondel]

Hi,

I am trying to configure next set up so a public host can connect to my web server located in a dmz.

                  -----------------------
  public host --> |  eth1        eth2   | -->  web server
    x.x.x.x       | 1.2.3.4    10.1.1.1 |      10.1.1.2:80
                  ----------------------

As far as I can understand, this typically corresponds to a mix of DNAT, SNAT and FORWARD rules. Below you can find the
rules I have configured until now.

#####################################################################

# Enable ip forward
echo 1 > /proc/sys/net/ipv4/ip_forward

# Unlimited traffic on the loopback interface
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Set the default policy to drop
iptables --policy INPUT   DROP
iptables --policy OUTPUT  DROP
iptables --policy FORWARD DROP

iptables -t nat --policy PREROUTING  DROP
iptables -t nat --policy OUTPUT      DROP
iptables -t nat --policy POSTROUTING DROP

iptables -t mangle --policy PREROUTING  DROP
iptables -t mangle --policy POSTROUTING DROP

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 1.2.3.4

iptables -t nat -A PREROUTING -i eth1 -p tcp --sport 1024:65535 -d 1.2.3.4 --dport 80 -j DNAT --to-destination 10.1.1.2
iptables -A FORWARD -i eth1 -o eth2 -p tcp --sport 1024:65535 -d 10.1.1.2 --dport 80 -m state --state NEW -j ACCEPT

iptables -A FORWARD -i eth2 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT

#####################################################################

But the problem is that it doesn't work and I don't know why ? So can somebody help me to solve this problem ?

Regards
Vincent

Re: DNAT Rules.

[Edmundo Carmona]

I'd say:

iptables -t nat -A PREROUTING -i eth1 -d 1.2.3.4 -p tcp --dport 80 -j
DNAT --to-destination 10.1.1.2
iptables -A FORWARD -p tcp --dport 80 -d 10.1.1.2 -j ACCEPT

also:
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

IMHO... well... you can delete the H from IMHO... but that's just me! :-)

On 9/25/05, Vincent Blondel <vincent@xtra-net.org> wrote:
> Hi,
>
> I am trying to configure next set up so a public host can connect to my web server located in a dmz.
>
>                   -----------------------
>   public host --> |  eth1        eth2   | -->  web server
>     x.x.x.x       | 1.2.3.4    10.1.1.1 |      10.1.1.2:80
>                   ----------------------
>
> As far as I can understand, this typically corresponds to a mix of DNAT, SNAT and FORWARD rules. Below you can find the
> rules I have configured until now.
>
> #####################################################################
>
> # Enable ip forward
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> # Unlimited traffic on the loopback interface
> iptables -A INPUT  -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
> # Set the default policy to drop
> iptables --policy INPUT   DROP
> iptables --policy OUTPUT  DROP
> iptables --policy FORWARD DROP
>
> iptables -t nat --policy PREROUTING  DROP
> iptables -t nat --policy OUTPUT      DROP
> iptables -t nat --policy POSTROUTING DROP
>
> iptables -t mangle --policy PREROUTING  DROP
> iptables -t mangle --policy POSTROUTING DROP
>
> iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 1.2.3.4
>
> iptables -t nat -A PREROUTING -i eth1 -p tcp --sport 1024:65535 -d 1.2.3.4 --dport 80 -j DNAT --to-destination 10.1.1.2
> iptables -A FORWARD -i eth1 -o eth2 -p tcp --sport 1024:65535 -d 10.1.1.2 --dport 80 -m state --state NEW -j ACCEPT
>
> iptables -A FORWARD -i eth2 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i eth1 -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> #####################################################################
>
> But the problem is that it doesn't work and I don't know why ? So can somebody help me to solve this problem ?
>
> Regards
> Vincent
>
>
>

Re: DNAT Rules. (nfcan: addressed to exclusive sender for this address)

[Jim Laurino]

On 2005.09.25 14:35, Vincent Blondel - vincent@xtra-net.org wrote:
> Hi,
> 
> I am trying to configure next set up so a public host can connect to my web
> server located in a dmz.
> 
>                   -----------------------
>   public host --> |  eth1        eth2   | -->  web server
>     x.x.x.x       | 1.2.3.4    10.1.1.1 |      10.1.1.2:80
>                   ----------------------
> 
> As far as I can understand, this typically corresponds to a mix of
> DNAT, SNAT and FORWARD rules.
> Below you can find the rules I have configured until now.
> 
> #####################################################################
I think some of these rules are unnecessary and
may be the source of your problems.

From what I remember, the DROP policy in
the nat and mangle tables may cause trouble.

I think the SNAT is not needed either, because
the DNAT rule handles the inverse automatically.

You can look at the traffic counters
(iptables -nvx -L,  etc.)
to see which rules are being matched.

If every packet matches the default
policy in the mangle table, for instance,
how will any get to the filter table?

If all the packets go through the filter table,
is a default drop policy needed anywhere else?

I marked the ones below that
I would try turning off first.

Hope that helps.

> 
> # Enable ip forward
> echo 1 > /proc/sys/net/ipv4/ip_forward
> 
> # Unlimited traffic on the loopback interface
> iptables -A INPUT  -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
> 
> # Set the default policy to drop
> iptables --policy INPUT   DROP
> iptables --policy OUTPUT  DROP
> iptables --policy FORWARD DROP
>
#> iptables -t nat --policy PREROUTING  DROP
#> iptables -t nat --policy OUTPUT      DROP
#> iptables -t nat --policy POSTROUTING DROP
#>
#> iptables -t mangle --policy PREROUTING  DROP
#> iptables -t mangle --policy POSTROUTING DROP
#>
#> iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 1.2.3.4
> 
> iptables -t nat -A PREROUTING -i eth1 -p tcp --sport 1024:65535 -d 1.2.3.4
> --dport 80 -j DNAT --to-destination 10.1.1.2
> iptables -A FORWARD -i eth1 -o eth2 -p tcp --sport 1024:65535 -d 10.1.1.2
> --dport 80 -m state --state NEW -j ACCEPT
> 
> iptables -A FORWARD -i eth2 -o eth1 -m state --state ESTABLISHED,RELATED -j
> ACCEPT
> iptables -A FORWARD -i eth1 -o eth2 -m state --state ESTABLISHED,RELATED -j
> ACCEPT
> 
> #####################################################################
> 
> But the problem is that it doesn't work and I don't know why ? So can
> somebody help me to solve this problem ?
>

-- 
Jim Laurino
nfcan.x.jimlaur@dfgh.net
Please reply to the list.
Only mail from the listserver reaches this address.

Re: DNAT Rules.

[Jörg Harmuth]

Vincent Blondel wrote:
> Hi,
> 
> I am trying to configure next set up so a public host can connect to my web server located in a dmz.
> 
>                   -----------------------
>   public host --> |  eth1        eth2   | -->  web server
>     x.x.x.x       | 1.2.3.4    10.1.1.1 |      10.1.1.2:80
>                   ----------------------
> 
> As far as I can understand, this typically corresponds to a mix of DNAT, SNAT and FORWARD rules. Below you can find the
> rules I have configured until now.
> 
> #####################################################################
> 
> # Enable ip forward
> echo 1 > /proc/sys/net/ipv4/ip_forward
> 
> # Unlimited traffic on the loopback interface
> iptables -A INPUT  -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT

Ok, until here.

> # Set the default policy to drop
> iptables --policy INPUT   DROP
> iptables --policy OUTPUT  DROP
> iptables --policy FORWARD DROP

This is more a philosophical question and is discussed on this list 
again and again. My opinion is to have a OUTPUT policy of ACCEPT and 
then dedicated DROP Rules where needed.

> iptables -t nat --policy PREROUTING  DROP
> iptables -t nat --policy OUTPUT      DROP
> iptables -t nat --policy POSTROUTING DROP
> 
> iptables -t mangle --policy PREROUTING  DROP
> iptables -t mangle --policy POSTROUTING DROP

Don't do that. Don't filter in nat and mangle. These tables are not 
intended for filtering.

> iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 1.2.3.4

Yes.

> iptables -t nat -A PREROUTING -i eth1 -p tcp --sport 1024:65535 -d 1.2.3.4 --dport 80 -j DNAT --to-destination 10.1.1.2
> iptables -A FORWARD -i eth1 -o eth2 -p tcp --sport 1024:65535 -d 10.1.1.2 --dport 80 -m state --state NEW -j ACCEPT

I prefer to add --syn to the FORWARD rule.

> iptables -A FORWARD -i eth2 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i eth1 -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT

These two rules can be rewritten to

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

It is not working because you set policies in mangle to DROP and there 
is no rule, that allows packets to pass mangle. But even if you add 
respective rules (or preferably set policies to ACCEPT) in mangle, it 
will probably not work, because nat/POSTROUTING has only a rule for 
outgoing packets via eth1. So the incoming SYN packet will be dropped, 
effectively terminating the connection.

HTH,

Joerg

Re: DNAT Rules.

[Vincent Blondel]

By

- deleting the DROP Rules in nat and mangle tables
- setting up "-m state --state ESTABLISHED,RELATED -j ACCEPT" to the INPUT, OUTPUT and FORWARD rules

the system is up and running. :)

Thanks to all.
Vincent


> Vincent Blondel wrote:
>> Hi,
>>
>> I am trying to configure next set up so a public host can connect to my web server located in a dmz.
>>
>>                   -----------------------
>>   public host --> |  eth1        eth2   | -->  web server
>>     x.x.x.x       | 1.2.3.4    10.1.1.1 |      10.1.1.2:80
>>                   ----------------------
>>
>> As far as I can understand, this typically corresponds to a mix of DNAT, SNAT and FORWARD rules. Below you can find the
>> rules I have configured until now.
>>
>> #####################################################################
>>
>> # Enable ip forward
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>
>> # Unlimited traffic on the loopback interface
>> iptables -A INPUT  -i lo -j ACCEPT
>> iptables -A OUTPUT -o lo -j ACCEPT
>
> Ok, until here.
>
>> # Set the default policy to drop
>> iptables --policy INPUT   DROP
>> iptables --policy OUTPUT  DROP
>> iptables --policy FORWARD DROP
>
> This is more a philosophical question and is discussed on this list
> again and again. My opinion is to have a OUTPUT policy of ACCEPT and
> then dedicated DROP Rules where needed.
>
>> iptables -t nat --policy PREROUTING  DROP
>> iptables -t nat --policy OUTPUT      DROP
>> iptables -t nat --policy POSTROUTING DROP
>>
>> iptables -t mangle --policy PREROUTING  DROP
>> iptables -t mangle --policy POSTROUTING DROP
>
> Don't do that. Don't filter in nat and mangle. These tables are not
> intended for filtering.
>
>> iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 1.2.3.4
>
> Yes.
>
>> iptables -t nat -A PREROUTING -i eth1 -p tcp --sport 1024:65535 -d 1.2.3.4 --dport 80 -j DNAT --to-destination 10.1.1.2
>> iptables -A FORWARD -i eth1 -o eth2 -p tcp --sport 1024:65535 -d 10.1.1.2 --dport 80 -m state --state NEW -j ACCEPT
>
> I prefer to add --syn to the FORWARD rule.
>
>> iptables -A FORWARD -i eth2 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
>> iptables -A FORWARD -i eth1 -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> These two rules can be rewritten to
>
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> It is not working because you set policies in mangle to DROP and there
> is no rule, that allows packets to pass mangle. But even if you add
> respective rules (or preferably set policies to ACCEPT) in mangle, it
> will probably not work, because nat/POSTROUTING has only a rule for
> outgoing packets via eth1. So the incoming SYN packet will be dropped,
> effectively terminating the connection.
>
> HTH,
>
> Joerg
>
>
>