Hello,
Andrew Kraslavsky wrote:
iptables -t nat -A PREROUTING -d 10.0.0.1 -j DNAT --to-destination 192.168.0.99
If I set up a host on the external/public network with a static route
that causes it to send traffic addressed to 192.168.0.0/24 to the
10.0.0.1 external/public IP address of the firewall/router and then
attempt to access the Web server using 192.168.0.99 as the address,
these directly addressed packets get through the firewall.
Yes.
The reason these packets are not dropped by my filter:FORWARD chain is
because, at that point, the destination IP is 192.168.0.99 regardless of
whether the destination was NATted or not. I.e., I do not know how to create
a filtering rule that says "allow traffic from eth0 to 192.168.0.99 on
eth1, but only if it was NATted".
Yes.
I can certainly drop the directly addressed packets in the
mangle:PREROUTING chain, either by adding a rule that tests for and
drops all possible local subnets IP address destinations on incoming
eth0 traffic or, probably more cleanly, add a rule in mangle:PREROUTING
that only allows through packets from eth0 with a destination IP of
10.0.0.1, but it seems like the iptables guidelines are to only do
filtering in the filter table.
I also did some research on /proc settings but could not find one that
seemed to meet my needs.
You won't find anything in /proc.
The other option I was considering was to define some advanced routing
stuff, but I have not really looked into that in detail yet.
Advanced routing won't help you much either. Routing occurs after the
PREROUTING chain and doesn't know about the original destination address.
You have a handful of options:
1) DROP in the mangle/PREROUTING chain before it is DNATed. Sure, it is
not recommended in guidelines, but it is simple and it works.
iptables -t mangle -A PREROUTING -i eth0 -d 192.168.0.0/24 -j DROP
2) DNAT traffic originally destined to the private address into an
invalid address such as a loopback address, so that the routing drops it.
iptables -t nat -A PREROUTING -i eth0 -d 192.168.0.0/24 \
-j DNAT --to 127.0.0.0
* Note that this rule won't match packets in the INVALID state (and
UNTRACKED, but you should know when you use the NOTRACK target), so you
have to make sure they are dropped in the FORWARD chain.
3) Mark traffic in the mangle/PREROUTING chain before it is DNATed and
filter in the FORWARD chain according to the mark.
iptables -t mangle -A PREROUTING -i eth0 ! -d 10.0.0.1 \
-j MARK --set-mark 1
iptables -A FORWARD -i eth0 -m mark --mark 1 -j DROP
You can also use marks in the other way, to mark valid packets and
accept only those. Or you can use the mark with advanced routing with a
"blackhole" or "unreachable" route.
4) Check the original destination address with the "conntrack" match.
iptables -A FORWARD -i eth0 -d 192.168.0.99 -p tcp --dport 80 \
-m conntrack --ctstate DNAT --ctorigdst 10.0.0.1 -j ACCEPT
5) And last, my favourite option: just don't care about it. After all,
why bother? ;-)
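Putting option 4 together with the INVALID caveat from option 2, here is a complete minimal FORWARD policy as an added example (not from the thread): a default DROP policy, INVALID dropped first, and new inbound HTTP accepted only when conntrack records the packet as DNATed from the public address. Interface names and addresses are the ones used above; the script prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example: forward only DNATed connections to the web server and let
# directly addressed packets (dst 192.168.0.99 arriving on eth0) fall through
# to the FORWARD chain's DROP policy. Dry-run (print) unless APPLY=1.
WAN_IF=eth0
LAN_IF=eth1
PUBLIC_IP=10.0.0.1
WEB_IP=192.168.0.99

# run: print the iptables command, or execute it when APPLY=1
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

apply_rules() {
    # Anything not explicitly accepted is dropped, including packets that
    # were addressed to the private address directly and never DNATed.
    run -P FORWARD DROP

    # Publish the web server on the router's public address.
    run -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_IP"

    # INVALID packets carry no conntrack entry, so no DNAT-based rule can
    # ever vouch for them; drop them explicitly as option 2's note requires.
    run -A FORWARD -m conntrack --ctstate INVALID -j DROP

    # Replies from the web server back towards the public side.
    run -A FORWARD -i "$LAN_IF" -o "$WAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Inbound HTTP to the server only when conntrack says the connection was
    # DNATed and its original destination was the public address. The DNAT
    # state flag is set on every packet of such a connection, not just the first.
    run -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$WEB_IP" -p tcp --dport 80 \
        -m conntrack --ctstate DNAT --ctorigdst "$PUBLIC_IP" -j ACCEPT
}

# no_direct_accept: succeeds (exit 0) when no generated ACCEPT rule for the
# web server lacks the --ctorigdst condition, i.e. direct access is never allowed.
no_direct_accept() {
    apply_rules | grep -- "-j ACCEPT" | grep -- "$WEB_IP" | grep -vq -- "--ctorigdst" && return 1
    return 0
}

apply_rules
```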