Swifty;
Thanks for the input. In truth I have done much of what you said. I had
most of the filtering and forwarding in the filter table as you described.
However, once we saw the problem we attempted to remove as much as we
possibly could from the table and slowly add it back to see where the issue
was.
We do in fact only preroute port 443 on the PREROUTING chain. I'm sorry
that I forgot to include that.
Do you see any issue that both of the public IP addresses are on the same
subnet?
You bring up a good point that I was also trying to understand (rather
unrelated to my problem). It seems that even though connection tracking
arguments (ESTABLISHED/RELATED) are allowed in the NAT table they don't
really affect the outcome as only the first packet is seen as you said. Is
that accurate? I had some ESTABLISHED/RELATED rules in my PREROUTING chain
before and they never saw packets. That must be the explanation.
-----Original Message-----
From: Gáspár Lajos
Sent: Friday, March 02, 2012 4:12 AM
To: Lesley Kimmel
Cc: netfilter@xxxxxxxxxxxxxxx
Subject: Re: Private IP getting past IPTables NAT
Hi,
2012-03-02 04:53 keltezéssel, Lesley Kimmel írta:
I apologize if this is a duplicate email. I have sent several times as I
was having issues with the spam filter.
All;
We have a Linux virtual server which we use as a NAT/Router (running
IPTables 1.2.11) to front-end a set of virtual machines on a private
(192.168.0.x) network. In this private network are two web servers and a
few other application servers. Our intent is to utilize two public IP
addresses on the NAT server to NAT to each back-end web server:
External Interfaces:
eth1 = abc.abc.abc.1 => 192.168.0.1 (webserver #1)
eth1:0 = abc.abc.abc.2 => 192.168.0.2 (webserver #2)
Internal Interface:
eth0 = 192.168.0.3
We had accomplished this with the following IPTables configuration
Table: nat
Chain PREROUTING (policy DROP)
Please do not filter in the nat table. It is used only for address
rewriting and therefore is sees only the first packet in a connection!!!
target prot in out source destination
DNAT tcp eth1 any anywhere abc.abc.abc.1
to:192.168.0.1
DNAT tcp eth1 any anywhere abc.abc.abc.2
to:192.168.0.2
If these are only webservers then use the --dport 80 option...
ACCEPT all eth0 any 192.168.0.0/24 anywhere #(to allow
all outgoing traffic)
Again! Do not filter in nat!
Chain POSTROUTING (policy DROP)
target prot in out source destination
SNAT all any eth1 192.168.0.1 anywhere to:abc.abc.abc.1
(You do not really need this here, because you have a redundant rule
(192.168.0.0/24 -> abc.abc.abc.1). But you can keep it :D )
SNAT all any eth1 192.168.0.2 anywhere to:abc.abc.abc.2
SNAT all any eth1 192.168.0.0/24 anywhere
to:abc.abc.abc.1 #SNAT all other traffic to ip #1
Again! Do not filter in nat!
Chain OUTPUT (policy ACCEPT)
Table: filter
Chain Input (policy ACCEPT)
target prot in out source destination
Set up here the enabled services... and use here the drop policy for any
non enabled service
iptables -t filter -A INPUT -j ACCEPT -i lo
iptables -t filter -A INPUT -j ACCEPT -m conntrack --state
ESTABLISHED,RELATED
Chain FORWARD (policy ACCEPT)
target prot in out source destination
Set up here the forwarded services... and drop policy again... be aware
that here you can filter the in_to_out and the out_to_in connections too..
iptables -t filter -A FORWARD -j ACCEPT -m conntrack --state
ESTABLISHED,RELATED
iptables -t filter -A FORWARD -j ACCEPT -i eth0 -s 192.168.0.0/24
iptables -t filter -A FORWARD -j ACCEPT -o eth0 -d 192.168.0.1 --dport 80
iptables -t filter -A FORWARD -j ACCEPT -o eth0 -d 192.168.0.2 --dport 80
Chain OUTPUT (policy ACCEPT)
target prot in out source destination
You can ignore this chain, but mainly this is the place for to filter
all outgoing connections...
iptables -t filter -A OUTPUT -j ACCEPT -o lo
Everything APPEARS to work correctly with this configuration. However,
several times a day network monitoring tools on the public side of the NAT
server see packets with source addresses from the private network (e.g.
192.168.0.4). In order to troubleshoot we minimized our configuration to
try to isolate the problem. We took out the NATing for the second IP:
Yes. It should work correctly... :-\
With this configuration the 'leaking' of the private IP addresses seems to
stop. However, we need to have the functionality of the second IP
address. Any insight into why the 'leak' is happening and how we can add
the second IP back in?
Also, I have monitored the traffic across the NAT box with tcpdump. The
majority of traffic is NAT'd as expected. Only occasionally do packets
'escape'. These packets have always been either FIN or RST packets.
tcpdump is a very interesting tool... it sees packets on the line even
before the iptables does...
AFAIK: RST and FIN packets are not considered as part of the
connection... so maybe they do not hit the nat table anyhow... but this
is very odd...
Two more things:
1. your iptables version is VERY VERY VERY old...
2. maybe there is a problem with your "virtual server" setup...
Swifty
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
