From: "Gáspár Lajos" <swifty@freemail.hu>
To: Lesley Kimmel <ljkimmel99@hotmail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: Private IP getting past IPTables NAT
Date: Fri, 02 Mar 2012 11:12:20 +0100 [thread overview]
Message-ID: <4F509D04.4020009@freemail.hu> (raw)
In-Reply-To: <SNT143-ds16D3D97D04EB6A5DC9E540C26D0@phx.gbl>
Hi,
2012-03-02 04:53 keltezéssel, Lesley Kimmel írta:
> I apologize if this is a duplicate email. I have sent several times
> as I was having issues with the spam filter.
>
> All;
>
> We have a Linux virtual server which we use as a NAT/Router (running
> IPTables 1.2.11) to front-end a set of virtual machines on a private
> (192.168.0.x) network. In this private network are two web servers
> and a few other application servers. Our intent is to utilize two
> public IP addresses on the NAT server to NAT to each back-end web server:
>
> External Interfaces:
> eth1 = abc.abc.abc.1 => 192.168.0.1 (webserver #1)
> eth1:0 = abc.abc.abc.2 => 192.168.0.2 (webserver #2)
> Internal Interface:
> eth0 = 192.168.0.3
>
> We had accomplished this with the following IPTables configuration
> Table: nat
> Chain PREROUTING (policy DROP)
Please do not filter in the nat table. It is used only for address
rewriting and therefore is sees only the first packet in a connection!!!
> target prot in out source destination
> DNAT tcp eth1 any anywhere abc.abc.abc.1
> to:192.168.0.1
> DNAT tcp eth1 any anywhere abc.abc.abc.2
> to:192.168.0.2
If these are only webservers then use the --dport 80 option...
> ACCEPT all eth0 any 192.168.0.0/24 anywhere #(to
> allow all outgoing traffic)
Again! Do not filter in nat!
>
> Chain POSTROUTING (policy DROP)
> target prot in out source destination
> SNAT all any eth1 192.168.0.1 anywhere
> to:abc.abc.abc.1
(You do not really need this here, because you have a redundant rule
(192.168.0.0/24 -> abc.abc.abc.1). But you can keep it :D )
> SNAT all any eth1 192.168.0.2 anywhere
> to:abc.abc.abc.2
> SNAT all any eth1 192.168.0.0/24 anywhere
> to:abc.abc.abc.1 #SNAT all other traffic to ip #1
Again! Do not filter in nat!
> Chain OUTPUT (policy ACCEPT)
>
> Table: filter
> Chain Input (policy ACCEPT)
> target prot in out source destination
Set up here the enabled services... and use here the drop policy for any
non enabled service
iptables -t filter -A INPUT -j ACCEPT -i lo
iptables -t filter -A INPUT -j ACCEPT -m conntrack --state
ESTABLISHED,RELATED
> Chain FORWARD (policy ACCEPT)
> target prot in out source destination
Set up here the forwarded services... and drop policy again... be aware
that here you can filter the in_to_out and the out_to_in connections too..
iptables -t filter -A FORWARD -j ACCEPT -m conntrack --state
ESTABLISHED,RELATED
iptables -t filter -A FORWARD -j ACCEPT -i eth0 -s 192.168.0.0/24
iptables -t filter -A FORWARD -j ACCEPT -o eth0 -d 192.168.0.1 --dport 80
iptables -t filter -A FORWARD -j ACCEPT -o eth0 -d 192.168.0.2 --dport 80
> Chain OUTPUT (policy ACCEPT)
> target prot in out source destination
You can ignore this chain, but mainly this is the place for to filter
all outgoing connections...
iptables -t filter -A OUTPUT -j ACCEPT -o lo
> Everything APPEARS to work correctly with this configuration.
> However, several times a day network monitoring tools on the public
> side of the NAT server see packets with source addresses from the
> private network (e.g. 192.168.0.4). In order to troubleshoot we
> minimized our configuration to try to isolate the problem. We took
> out the NATing for the second IP:
Yes. It should work correctly... :-\
> With this configuration the 'leaking' of the private IP addresses
> seems to stop. However, we need to have the functionality of the
> second IP address. Any insight into why the 'leak' is happening and
> how we can add the second IP back in?
>
> Also, I have monitored the traffic across the NAT box with tcpdump.
> The majority of traffic is NAT'd as expected. Only occasionally do
> packets 'escape'. These packets have always been either FIN or RST
> packets.
tcpdump is a very interesting tool... it sees packets on the line even
before the iptables does...
AFAIK: RST and FIN packets are not considered as part of the
connection... so maybe they do not hit the nat table anyhow... but this
is very odd...
Two more things:
1. your iptables version is VERY VERY VERY old...
2. maybe there is a problem with your "virtual server" setup...
Swifty
next prev parent reply other threads:[~2012-03-02 10:12 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-03-02 3:53 Private IP getting past IPTables NAT Lesley Kimmel
2012-03-02 10:12 ` Gáspár Lajos [this message]
2012-03-02 13:16 ` Lesley Kimmel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4F509D04.4020009@freemail.hu \
--to=swifty@freemail.hu \
--cc=ljkimmel99@hotmail.com \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox