Re: SNAT trouble: Linux box ignores incoming packets


 



Sorry admin:

I tried to read your rules, but reading them is some sort of "guessing" about which address spaces are linked with which interface.

Which public interface is the LAN using (eth2 or eth3)? Is eth1 useless in your configuration?

Is the LAN supposed to send the traffic via eth2 or eth3? What can we see with

ip a

ip r

?

Jorge Dávila.

On Thu, 16 Aug 2007 18:59:03 +0400
 admin <admin@xxxxxxxx> wrote:
I've got a rather bizarre configuration: Linux box has 4 ethernet
devices (eth0, eth1, eth2, and eth3). eth2 and eth3 are looking to
Internet, eth0 is LAN.

I've configured SNAT so that it should give Internet access to the
192.168.91.0/24 network. Outgoing packets are translated right, and
the external server sends a reply. However, the reply packet seems to
be killed by iptables or otherwise ignored by the box (wireshark
shows it, but the packet isn't going anywhere else). Having said that,
I should notice that SNAT for tcp port 4000 works fine (this one is
for an outgoing connection from the box to 192.168.91.254. I know this
string should be modified but this is not the main trouble for now).

IP forwarding is turned on, and iptables look
like this:

# Generated by iptables-save v1.3.7 on Thu Aug 16 14:10:37 2007
*nat
:PREROUTING ACCEPT [70:7232]
:POSTROUTING ACCEPT [1:73]
:OUTPUT ACCEPT [1:73]
-A POSTROUTING -p ip -s 192.168.92.0/255.255.255.0 -d ! 192.168.92.0/24 -j SNAT --to-source <REALIP>
-A POSTROUTING -p ip -s 192.168.91.0/255.255.255.0 -d ! 192.168.91.0/24 -j LOG --log-prefix "SNAT "
-A POSTROUTING -p ip -s 192.168.91.0/255.255.255.0 -d ! 192.168.91.0/24 -j SNAT --to-source <REALIP>
-A POSTROUTING -p tcp -s ! 192.168.91.0/24 -d 192.168.91.0/24 --dport 4000 -j SNAT --to-source 192.168.91.223
-A PREROUTING -d <REALIP> -p tcp -m tcp --dport 4000 -j DNAT --to-destination 192.168.91.254
-A OUTPUT -d <REALIP> -p tcp -m tcp --dport 4000 -j DNAT --to-destination 192.168.91.254:4000
COMMIT
# Completed on Thu Aug 16 14:10:37 2007
# Generated by iptables-save v1.3.7 on Thu Aug 16 14:10:37 2007
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [7063:2716993]
:FWFORWARD - [0:0]
:FWINPUT - [0:0]
:INPUTDMZ - [0:0]
:INPUTINET - [0:0]
:INPUTETH2 - [0:0]
:INPUTETH3 - [0:0]
:INPUTLAN - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j FWINPUT
-A FORWARD -j FWFORWARD
-A OUTPUT -j ACCEPT
-A FWFORWARD -p tcp -d 192.168.91.254 --dport 4000 -j ACCEPT
-A FWFORWARD -i eth2 -j DROP
-A FWFORWARD -i eth3 -j DROP
-A FWFORWARD -p ip -d 192.168.92.0/255.255.255.0 -j DROP
-A FWFORWARD -p ip -d 192.168.91.0/255.255.255.0 -j DROP
-A FWFORWARD -j ACCEPT
-A FWINPUT -i lo -j ACCEPT
-A FWINPUT -p icmp -j ACCEPT
-A FWINPUT -i eth0 -j INPUTLAN
-A FWINPUT -i eth1 -j INPUTDMZ
-A FWINPUT -i eth2 -j INPUTINET
-A FWINPUT -i eth3 -j INPUTINET
-A FWINPUT -j DROP
-A INPUTDMZ -p ip -s ! 192.168.92.0/255.255.255.0 -j DROP
-A INPUTDMZ -p ip -d 192.168.91.0/24 -j DROP
-A INPUTDMZ -j ACCEPT
-A INPUTINET -d 192.168.91.0/24 -j ACCEPT
-A INPUTINET -d <REALIP> -j INPUTETH2
-A INPUTINET -d <REALIP> -j INPUTETH3
-A INPUTINET -j DROP
-A INPUTETH2 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUTETH2 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUTETH2 -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUTETH2 -p udp -m udp --dport 53 -j ACCEPT
-A INPUTETH2 -j DROP
-A INPUTETH3 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUTETH3 -p udp -m udp --dport 53 -j ACCEPT
-A INPUTETH3 -p tcp -m tcp --dport 4000 -j ACCEPT
-A INPUTETH3 -p tcp -m tcp --dport 6112 -j ACCEPT
-A INPUTETH3 -p tcp -m tcp --dport 6200 -j ACCEPT
-A INPUTETH3 -p tcp -m tcp --dport 6113 -j ACCEPT
-A INPUTETH3 -j DROP
-A INPUTLAN -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUTLAN -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUTLAN -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUTLAN -p ip -s 192.168.91.222 -j ACCEPT
-A INPUTLAN -p ip -s 192.168.91.254 -j ACCEPT
-A INPUTLAN -p ip -s 192.168.91.88 -j ACCEPT
-A INPUTLAN -p ip -s 192.168.91.233 -j ACCEPT
-A INPUTLAN -p ip -s 192.168.91.0/24 -d ! 192.168.92.0/24 -j ACCEPT
-A INPUTLAN -j DROP
COMMIT
# Completed on Thu Aug 16 14:10:37 2007




Jorge Isaac Davila Lopez
Nicaragua Open Source
+505 430 5462
davila@xxxxxxxxxxxxxxxxxxxxxxx
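A small tracer for the FORWARD path of the ruleset quoted above, added here as an illustration and not part of either message: it walks the rules in order for a constructed SNAT reply arriving on eth2 and for the port-4000 flow, and reports which rule decides each, which is the check to run when "replies vanish but one port works". The external address 203.0.113.10 and the LAN client 192.168.91.10 are constructed values, and the tracer understands only the options those FORWARD rules use (-i, -p, -d, --dport, -j).

```python
from ipaddress import ip_address, ip_network

# FORWARD path copied from the iptables-save filter table quoted above.
RULES = """
-A FORWARD -j FWFORWARD
-A FWFORWARD -p tcp -d 192.168.91.254 --dport 4000 -j ACCEPT
-A FWFORWARD -i eth2 -j DROP
-A FWFORWARD -i eth3 -j DROP
-A FWFORWARD -p ip -d 192.168.92.0/255.255.255.0 -j DROP
-A FWFORWARD -p ip -d 192.168.91.0/255.255.255.0 -j DROP
-A FWFORWARD -j ACCEPT
"""

def parse(text):
    """'-A' lines -> {chain: [rule]}; a rule maps option -> value (enough for the quoted rules)."""
    chains = {}
    for line in text.strip().splitlines():
        tok = line.split()
        rule = dict(zip(tok[0::2], tok[1::2]), text=line)
        chains.setdefault(rule["-A"], []).append(rule)
    return chains

def matches(rule, pkt):
    """Evaluate -i, -p, -d and --dport against a packet dict; '-p ip' means any protocol."""
    if "-i" in rule and rule["-i"] != pkt["in"]:
        return False
    if rule.get("-p", "ip") not in ("ip", pkt["proto"]):
        return False
    if "--dport" in rule and int(rule["--dport"]) != pkt["dport"]:
        return False
    return "-d" not in rule or ip_address(pkt["dst"]) in ip_network(rule["-d"])

def trace(chains, chain, pkt):
    """Walk a chain in order; return (verdict, text of the deciding rule)."""
    for rule in (r for r in chains.get(chain, []) if matches(r, pkt)):
        target = rule["-j"]
        if target in chains:                          # user-defined chain: descend
            verdict, why = trace(chains, target, pkt)
            if verdict:
                return verdict, why                   # otherwise implicit RETURN
        elif target in ("ACCEPT", "DROP", "REJECT"):  # LOG etc. are non-terminating
            return target, rule["text"]
    return ("DROP", ":FORWARD DROP policy") if chain == "FORWARD" else (None, None)

def verdict_for(pkt):
    return trace(parse(RULES), "FORWARD", pkt)

# Constructed packets as FORWARD sees them (conntrack has already reversed the NAT);
# 203.0.113.10 is a documentation address standing in for the external server.
REPLY = {"in": "eth2", "proto": "tcp", "dst": "192.168.91.10", "dport": 51000}    # SNAT reply
PORT4000 = {"in": "eth2", "proto": "tcp", "dst": "192.168.91.254", "dport": 4000}  # DNAT'd flow
```

Run as written, `verdict_for(REPLY)` names `-A FWFORWARD -i eth2 -j DROP` as the deciding rule while `verdict_for(PORT4000)` is accepted by the explicit port-4000 rule that precedes it, matching the two behaviours described in the post.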

