SNAT trouble: Linux box ignores incoming packets

I've got a rather bizarre configuration: the Linux box has 4 Ethernet
devices (eth0, eth1, eth2, and eth3). eth2 and eth3 face the
Internet, eth0 is the LAN.

I've configured SNAT so that it should give Internet access to the
192.168.91.0/24 network. Outgoing packets are translated correctly, and
the external server sends a reply. However, the reply packet seems to
be killed by iptables or otherwise ignored by the box (Wireshark
shows it, but the packet isn't going anywhere else). Having said that,
I should note that SNAT for TCP port 4000 works fine (this one is
for an outgoing connection from the box to 192.168.91.254. I know this
line should be modified, but this is not the main trouble for now).

IP forwarding is turned on, and the iptables rules look
like this:

# Generated by iptables-save v1.3.7 on Thu Aug 16 14:10:37 2007
*nat
:PREROUTING ACCEPT [70:7232]
:POSTROUTING ACCEPT [1:73]
:OUTPUT ACCEPT [1:73]
-A POSTROUTING -p ip -s 192.168.92.0/255.255.255.0 -d ! 192.168.92.0/24 -j SNAT --to-source <REALIP>
-A POSTROUTING -p ip -s 192.168.91.0/255.255.255.0 -d ! 192.168.91.0/24 -j LOG --log-prefix "SNAT " 
-A POSTROUTING -p ip -s 192.168.91.0/255.255.255.0 -d ! 192.168.91.0/24 -j SNAT --to-source <REALIP>
-A POSTROUTING -p tcp -s ! 192.168.91.0/24 -d 192.168.91.0/24 --dport 4000 -j SNAT --to-source 192.168.91.223
-A PREROUTING -d <REALIP> -p tcp -m tcp --dport 4000 -j DNAT --to-destination 192.168.91.254
-A OUTPUT -d <REALIP> -p tcp -m tcp --dport 4000 -j DNAT --to-destination 192.168.91.254:4000
COMMIT
# Completed on Thu Aug 16 14:10:37 2007
# Generated by iptables-save v1.3.7 on Thu Aug 16 14:10:37 2007
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [7063:2716993]
:FWFORWARD - [0:0]
:FWINPUT - [0:0]
:INPUTDMZ - [0:0]
:INPUTINET - [0:0]
:INPUTETH2 - [0:0]
:INPUTETH3 - [0:0]
:INPUTLAN - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j FWINPUT 
-A FORWARD -j FWFORWARD 
-A OUTPUT -j ACCEPT
-A FWFORWARD -p tcp -d 192.168.91.254 --dport 4000 -j ACCEPT
-A FWFORWARD -i eth2 -j DROP 
-A FWFORWARD -i eth3 -j DROP 
-A FWFORWARD -p ip -d 192.168.92.0/255.255.255.0 -j DROP 
-A FWFORWARD -p ip -d 192.168.91.0/255.255.255.0 -j DROP 
-A FWFORWARD -j ACCEPT 
-A FWINPUT -i lo -j ACCEPT 
-A FWINPUT -p icmp -j ACCEPT
-A FWINPUT -i eth0 -j INPUTLAN 
-A FWINPUT -i eth1 -j INPUTDMZ 
-A FWINPUT -i eth2 -j INPUTINET
-A FWINPUT -i eth3 -j INPUTINET
-A FWINPUT -j DROP 
-A INPUTDMZ -p ip -s ! 192.168.92.0/255.255.255.0 -j DROP 
-A INPUTDMZ -p ip -d 192.168.91.0/24 -j DROP
-A INPUTDMZ -j ACCEPT 
-A INPUTINET -d 192.168.91.0/24 -j ACCEPT
-A INPUTINET -d <REALIP> -j INPUTETH2
-A INPUTINET -d <REALIP> -j INPUTETH3
-A INPUTINET -j DROP
-A INPUTETH2 -p tcp -m tcp --dport 80 -j ACCEPT 
-A INPUTETH2 -p tcp -m tcp --dport 25 -j ACCEPT 
-A INPUTETH2 -p tcp -m tcp --dport 110 -j ACCEPT 
-A INPUTETH2 -p udp -m udp --dport 53 -j ACCEPT 
-A INPUTETH2 -j DROP 
-A INPUTETH3 -p tcp -m tcp --dport 80 -j ACCEPT 
-A INPUTETH3 -p udp -m udp --dport 53 -j ACCEPT 
-A INPUTETH3 -p tcp -m tcp --dport 4000 -j ACCEPT
-A INPUTETH3 -p tcp -m tcp --dport 6112 -j ACCEPT
-A INPUTETH3 -p tcp -m tcp --dport 6200 -j ACCEPT
-A INPUTETH3 -p tcp -m tcp --dport 6113 -j ACCEPT
-A INPUTETH3 -j DROP 
-A INPUTLAN -p tcp -m tcp --dport 25 -j ACCEPT 
-A INPUTLAN -p tcp -m tcp --dport 110 -j ACCEPT 
-A INPUTLAN -p tcp -m tcp --dport 3128 -j ACCEPT 
-A INPUTLAN -p ip -s 192.168.91.222 -j ACCEPT 
-A INPUTLAN -p ip -s 192.168.91.254 -j ACCEPT 
-A INPUTLAN -p ip -s 192.168.91.88 -j ACCEPT 
-A INPUTLAN -p ip -s 192.168.91.233 -j ACCEPT 
-A INPUTLAN -p ip -s 192.168.91.0/24 -d ! 192.168.92.0/24 -j ACCEPT 
-A INPUTLAN -j DROP 
COMMIT
# Completed on Thu Aug 16 14:10:37 2007
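Added example, not part of the original post or of any reply on the list: a small Python model of the FORWARD path from the dump above. It walks a constructed LAN-to-Internet packet and the server's reply (as FORWARD sees it, after nat PREROUTING has already reversed the SNAT) through the posted FWFORWARD rules, then walks the same reply through a variant whose FORWARD chain accepts RELATED,ESTABLISHED before jumping, the way the posted INPUT chain already does. The sample addresses, ports, inbound interface and conntrack state are assumptions; the model covers only the filter table (first terminating match wins, LOG is non-terminating, a user chain that runs out of rules returns to the caller) and ignores routing and the nat table.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Simplified model of iptables filter-table evaluation (added example, not
# netfilter code): rules are tried in order, the first terminating target
# (ACCEPT/DROP) wins, LOG does not terminate, and a user chain that runs
# out of rules returns to the calling chain.

@dataclass
class Rule:
    target: str                               # ACCEPT, DROP, LOG or a user chain
    in_iface: Optional[str] = None            # -i
    proto: Optional[str] = None               # -p ("ip" matches any protocol)
    src: Optional[str] = None                 # -s, leading "!" negates
    dst: Optional[str] = None                 # -d, leading "!" negates
    dport: Optional[int] = None               # --dport
    states: Optional[FrozenSet[str]] = None   # -m state --state ...

@dataclass
class Packet:
    in_iface: str
    proto: str
    src: str
    dst: str
    dport: int
    ctstate: str                              # conntrack view: NEW/ESTABLISHED/RELATED

def _net_match(spec: str, addr: str) -> bool:
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("! "), strict=False)
    return (ipaddress.ip_address(addr) in net) != negate

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.in_iface is not None and rule.in_iface != pkt.in_iface:
        return False
    if rule.proto not in (None, "ip") and rule.proto != pkt.proto:
        return False
    if rule.src is not None and not _net_match(rule.src, pkt.src):
        return False
    if rule.dst is not None and not _net_match(rule.dst, pkt.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.states is not None and pkt.ctstate not in rule.states:
        return False
    return True

def walk(chain: str, chains: Dict[str, List[Rule]], pkt: Packet,
         policy: Optional[str]) -> Tuple[Optional[str], Optional[Rule]]:
    """Return (verdict, matching rule); (policy, None) if nothing terminates."""
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        if rule.target in chains:                 # jump into a user chain
            verdict, hit = walk(rule.target, chains, pkt, None)
            if verdict is not None:
                return verdict, hit
            continue                              # implicit RETURN
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target, rule
        # LOG and other non-terminating targets fall through
    return policy, None

# FWFORWARD exactly as in the posted dump; FORWARD has policy DROP and jumps to it.
FWFORWARD = [
    Rule("ACCEPT", proto="tcp", dst="192.168.91.254/32", dport=4000),
    Rule("DROP", in_iface="eth2"),
    Rule("DROP", in_iface="eth3"),
    Rule("DROP", proto="ip", dst="192.168.92.0/24"),
    Rule("DROP", proto="ip", dst="192.168.91.0/24"),
    Rule("ACCEPT"),
]
ORIGINAL = {"FORWARD": [Rule("FWFORWARD")], "FWFORWARD": FWFORWARD}

# Variant: accept RELATED,ESTABLISHED before the jump, as the posted INPUT chain does.
HARDENED = {"FORWARD": [Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})),
                        Rule("FWFORWARD")],
            "FWFORWARD": FWFORWARD}

# Constructed sample traffic (addresses, ports and interface are assumptions):
# a LAN host opening a web connection, and the server's reply as FORWARD
# sees it, i.e. after nat PREROUTING has already undone the SNAT.
OUTBOUND = Packet("eth0", "tcp", "192.168.91.50", "203.0.113.10", 80, "NEW")
REPLY = Packet("eth2", "tcp", "203.0.113.10", "192.168.91.50", 40000, "ESTABLISHED")

def verdict(chains: Dict[str, List[Rule]], pkt: Packet) -> Tuple[Optional[str], Optional[Rule]]:
    return walk("FORWARD", chains, pkt, "DROP")

def describe(name: str, chains: Dict[str, List[Rule]], pkt: Packet) -> None:
    v, hit = verdict(chains, pkt)
    where = f"matched {hit}" if hit else "chain policy"
    print(f"{name}: {pkt.in_iface} {pkt.src}->{pkt.dst}:{pkt.dport} "
          f"{pkt.ctstate} -> {v} ({where})")

if __name__ == "__main__":
    describe("original/outbound", ORIGINAL, OUTBOUND)
    describe("original/reply", ORIGINAL, REPLY)
    describe("hardened/reply", HARDENED, REPLY)
```

Run as a script, the outbound packet reaches the final ACCEPT of FWFORWARD, the reply is stopped by the `-i eth2 -j DROP` rule before any later rule is consulted (the `-d 192.168.91.0/24 -j DROP` rule would catch it too), and the variant with a state rule at the top of FORWARD accepts the reply. A practical check on a live box is to watch the packet counters of those two DROP rules with `iptables -L FWFORWARD -v -n` while the reply is arriving.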