Regarding iptable rules for SNAT

Regarding iptable rules for SNAT

[Ajith Adapa]

Hi,

I have a following setup. GW eth1 (private ip) is connected to the ISP
router. For host H1 I have set the DNS server as 10.12.3.10.

H1 (eth0) --- (eth0) GW (eth1) ---
H1 eth0 = 192.168.1.2
GW eth0 = 192.168.1.1
GW eth1 = 10.12.3.12
DNS = 10.12.3.10

I have added a rule in GW saying iptables -A POSTROUTING -t nat -o
eth1 -j MASQUERADE

Now when I am trying to access internet from host H1, DNS queries are
being sent to 10.12.3.10 which are masqueraded in GW. Once replies
come back from DNS server then GW is replying back to DNS server with
icmp destination unreachable.

Ideal cases once the reply comes back GW has to send it to the host H1 right ?

Sorry if I am wrong or missed any steps down here ?

Regards,
Ajith

Re: Regarding iptable rules for SNAT

[Marek Kierdelewicz]

Hi,

>Ideal cases once the reply comes back GW has to send it to the host H1
>right ?
>Sorry if I am wrong or missed any steps down here ?

Please send output of following command:
sudo iptables-save -t filter

I bet you're filtering traffic destined to H1 from eth1 in FORWARD
chain of filter table.

Best regards,
Marek Kierdelewicz

Re: Regarding iptable rules for SNAT

[Ajith Adapa]

Hi,
As you asked in last mail the output of iptables-save -t filter is

*filter
:INPUT ACCEPT [3902:2580916]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [940:2242708]
COMMIT

Regards,
Ajith



On Tue, Oct 18, 2011 at 1:38 PM, Marek Kierdelewicz <marek@piasta.pl> wrote:
>
> Hi,
>
> >Ideal cases once the reply comes back GW has to send it to the host H1
> >right ?
> >Sorry if I am wrong or missed any steps down here ?
>
> Please send output of following command:
> sudo iptables-save -t filter
>
> I bet you're filtering traffic destined to H1 from eth1 in FORWARD
> chain of filter table.
>
> Best regards,
> Marek Kierdelewicz

Re: Regarding iptable rules for SNAT

[Ajith Adapa]

As requested by you

# iptables-save
# Generated by iptables-save v1.3.5 on Wed Oct 19 18:02:11 2011
*nat
:PREROUTING ACCEPT [11:2277]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Wed Oct 19 18:02:11 2011
# Generated by iptables-save v1.3.5 on Wed Oct 19 18:02:11 2011
*filter
:INPUT ACCEPT [26929:5199639]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1534:2322150]
COMMIT
# Completed on Wed Oct 19 18:02:11 2011

Regards,
Ajith


On Wed, Oct 19, 2011 at 10:46 AM, Pandu Poluan <pandu@poluan.info> wrote:
>
> On Oct 19, 2011 10:17 AM, "Ajith Adapa" <adapa.ajith@gmail.com> wrote:
>>
>> Hi,
>> As you asked in last mail the output of iptables-save -t filter is
>>
>> *filter
>> :INPUT ACCEPT [3902:2580916]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [940:2242708]
>> COMMIT
>>
>
> Another possibility: a wayward rule in raw table.
>
> Please post the output of iptables-save (without any parameters)
>
> Rgds,
>

Re: Regarding iptable rules for SNAT

[Erik Schorr]

On 10/17/2011 8:42 PM, Ajith Adapa wrote:
> I have a following setup. GW eth1 (private ip) is connected to the ISP
> router. For host H1 I have set the DNS server as 10.12.3.10.
>
> H1 (eth0) --- (eth0) GW (eth1) ---
> H1 eth0 = 192.168.1.2
> GW eth0 = 192.168.1.1
> GW eth1 = 10.12.3.12
> DNS = 10.12.3.10
>
> I have added a rule in GW saying iptables -A POSTROUTING -t nat -o
> eth1 -j MASQUERADE
>
> Now when I am trying to access internet from host H1, DNS queries are
> being sent to 10.12.3.10 which are masqueraded in GW. Once replies
> come back from DNS server then GW is replying back to DNS server with
> icmp destination unreachable.

If there's no reason to SNAT/masquerade traffic from eth0 to a host on 
eth1 (10.12.3.*), you can try inserting an ACCEPT rule in the 
POSTROUTING table just before the MASQUERADE rule, to prevent the 
traffic from 192.168.1.* to 10.12.3.* having its source address changed 
in flight:

# iptables -A POSTROUTING -t nat -o eth1 -m comment --comment "dont masq 
stuff from private net to DMZ net" -s 192.168.1.0/24 -d 10.12.3.0/24 -j 
ACCEPT
# iptables -A POSTROUTING -t nat -o eth1 -m comment --comment "masq 
everything else" -j MASQUERADE

> Ideal cases once the reply comes back GW has to send it to the host H1 right ?
>
> Sorry if I am wrong or missed any steps down here ?
>
> Regards,
> Ajith

Re: Regarding iptable rules for SNAT

[Ajith Adapa]

I am sorry I am not able to get you ..

Since we are using the MASQUERADE rule in POSTROUTING .. all the
traffic from 192.168.*.* subnet will be Source natted to 10.12.*.*
subnet right ? Why we have to again add rule in POSTROUTING chain to
just say accept .. ?

Regards,
Ajith




On Wed, Oct 19, 2011 at 12:03 AM, Erik Schorr <erik-lists@arpa.org> wrote:
> On 10/17/2011 8:42 PM, Ajith Adapa wrote:
>>
>> I have a following setup. GW eth1 (private ip) is connected to the ISP
>> router. For host H1 I have set the DNS server as 10.12.3.10.
>>
>> H1 (eth0) --- (eth0) GW (eth1) ---
>> H1 eth0 = 192.168.1.2
>> GW eth0 = 192.168.1.1
>> GW eth1 = 10.12.3.12
>> DNS = 10.12.3.10
>>
>> I have added a rule in GW saying iptables -A POSTROUTING -t nat -o
>> eth1 -j MASQUERADE
>>
>> Now when I am trying to access internet from host H1, DNS queries are
>> being sent to 10.12.3.10 which are masqueraded in GW. Once replies
>> come back from DNS server then GW is replying back to DNS server with
>> icmp destination unreachable.
>
> If there's no reason to SNAT/masquerade traffic from eth0 to a host on eth1
> (10.12.3.*), you can try inserting an ACCEPT rule in the POSTROUTING table
> just before the MASQUERADE rule, to prevent the traffic from 192.168.1.* to
> 10.12.3.* having its source address changed in flight:
>
> # iptables -A POSTROUTING -t nat -o eth1 -m comment --comment "dont masq
> stuff from private net to DMZ net" -s 192.168.1.0/24 -d 10.12.3.0/24 -j
> ACCEPT
> # iptables -A POSTROUTING -t nat -o eth1 -m comment --comment "masq
> everything else" -j MASQUERADE
>
>> Ideal cases once the reply comes back GW has to send it to the host H1
>> right ?
>>
>> Sorry if I am wrong or missed any steps down here ?
>>
>> Regards,
>> Ajith
>

Re: Regarding iptable rules for SNAT

[Erik Schorr]

On 10/18/2011 8:15 PM, Ajith Adapa wrote:
> I am sorry I am not able to get you ..
>
> Since we are using the MASQUERADE rule in POSTROUTING .. all the traffic
> from 192.168.*.* subnet will be Source natted to 10.12.*.* subnet right
> ? Why we have to again add rule in POSTROUTING chain to just say accept .. ?

The addition of the ACCEPT rule (before the masq rule) for traffic from 
192.168.1.x to 10.12.3.x will make it so those packets don't get 
masqueraded.  Unless there's a specific reason you would really want 
packets from 192.168.1.x to a host on the 10.12.3.x network to be 
masqueraded, you should let that type of traffic go through without 
translation.

Conventionally, you'd only want to masquerade traffic that's coming from 
an internal network and destined to a remote network (for example, 
anything on the internet, beyond your local gateway)

> On Wed, Oct 19, 2011 at 12:03 AM, Erik Schorr <erik-lists@arpa.org
> <mailto:erik-lists@arpa.org>> wrote:
>
>     On 10/17/2011 8:42 PM, Ajith Adapa wrote:
>
>         I have a following setup. GW eth1 (private ip) is connected to
>         the ISP
>         router. For host H1 I have set the DNS server as 10.12.3.10.
>
>         H1 (eth0) --- (eth0) GW (eth1) ---
>         H1 eth0 = 192.168.1.2
>         GW eth0 = 192.168.1.1
>         GW eth1 = 10.12.3.12
>         DNS = 10.12.3.10
>
>         I have added a rule in GW saying iptables -A POSTROUTING -t nat -o
>         eth1 -j MASQUERADE
>
>         Now when I am trying to access internet from host H1, DNS
>         queries are
>         being sent to 10.12.3.10 which are masqueraded in GW. Once replies
>         come back from DNS server then GW is replying back to DNS server
>         with
>         icmp destination unreachable.
>
>
>     If there's no reason to SNAT/masquerade traffic from eth0 to a host
>     on eth1 (10.12.3.*), you can try inserting an ACCEPT rule in the
>     POSTROUTING table just before the MASQUERADE rule, to prevent the
>     traffic from 192.168.1.* to 10.12.3.* having its source address
>     changed in flight:
>
>     # iptables -A POSTROUTING -t nat -o eth1 -m comment --comment "dont
>     masq stuff from private net to DMZ net" -s 192.168.1.0/24
>     <http://192.168.1.0/24> -d 10.12.3.0/24 <http://10.12.3.0/24> -j ACCEPT
>     # iptables -A POSTROUTING -t nat -o eth1 -m comment --comment "masq
>     everything else" -j MASQUERADE
>
>
>         Ideal cases once the reply comes back GW has to send it to the
>         host H1 right ?
>
>         Sorry if I am wrong or missed any steps down here ?
>
>         Regards,
>         Ajith
>
>