Destination NAT Onto the Same Network Problem

Destination NAT Onto the Same Network Problem

[Mark Ayad]

I have a problem with the following Firewall Script which works fine apart
from when I try to INTERNALLY connect to the webserver 192.168.0.3:80
using the public IP which if I'm right should be the same as $EXTIF. The
internal machine I'm launching the request from is actually the webserver
(but that shouldn't matter).

I know I'm missing a line from what I read in
http://netfilter.samba.org/unreliable-guides/NAT-HOWTO/NAT-HOWTO.linuxdoc-10
.html and I've tried nearly every combination I can think of except the one
that works that is.

So whats the missing line ?

$IPTABLES -A INPUT -p tcp --syn --destination-port 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp --syn -j DROP

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j
DNAT --to-destination 192.168.0.3:80

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

Best Regards

Mark

Re: Destination NAT Onto the Same Network Problem

[Antony Stone]

On Wednesday 10 July 2002 2:54 pm, Mark Ayad wrote:

> I have a problem with the following Firewall Script which works fine apart
> from when I try to INTERNALLY connect to the webserver 192.168.0.3:80
> using the public IP which if I'm right should be the same as $EXTIF. The
> internal machine I'm launching the request from is actually the webserver
> (but that shouldn't matter).
>
> I know I'm missing a line from what I read in
> http://netfilter.samba.org/unreliable-guides/NAT-HOWTO/NAT-HOWTO.linuxdoc-1
>0 .html and I've tried nearly every combination I can think of except the
> one that works that is.
>
> So whats the missing line ?
>
> $IPTABLES -A INPUT -p tcp --syn --destination-port 80 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --syn -j DROP
>
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -j ACCEPT
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
> $IPTABLES -A FORWARD -j LOG
>
> $IPTABLES -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j
> DNAT --to-destination 192.168.0.3:80
>
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

This one looks a bit odd to me, even though I've written it myself, but I 
think it should do the trick:

$IPTABLES -t nat -A POSTROUTING -o $INTIF -i $INTIF -j MASQUERADE

If it doesn't, then just use the standard version:

$IPTABLES -t nat -A POSTROUTING -o $INTIF -s a.b.c.d/n -j MASQUERADE

where a.b.c.d/n is your internal network range.

 

Antony.

Re: Destination NAT Onto the Same Network Problem

[Tom Eastep]

--On Wednesday, July 10, 2002 15:22:33 +0100 Antony Stone 
<Antony@Soft-Solutions.co.uk> wrote:

>
> This one looks a bit odd to me, even though I've written it myself, but I
> think it should do the trick:
>
> $IPTABLES -t nat -A POSTROUTING -o $INTIF -i $INTIF -j MASQUERADE

"-i" can't be used in the POSTROUTING hook. Example:

[root@gateway root]# iptables -t nat -A POSTROUTING -i eth3 -o eth4 -j 
MASQUERADE
iptables v1.2.6a: Can't use -i with POSTROUTING

Try `iptables -h' or 'iptables --help' for more information.
[root@gateway root]#


>
> If it doesn't, then just use the standard version:
>
> $IPTABLES -t nat -A POSTROUTING -o $INTIF -s a.b.c.d/n -j MASQUERADE
>
> where a.b.c.d/n is your internal network range.

That's better -- since the internal interface usually has a static address, 
the following is preferable:

$IPTABLES -t nat -A POSTROUTING -o $INTIF -s a.b.c.d/n -j SNAT --to-source 
$INTIP

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

Re: Destination NAT Onto the Same Network Problem

[Mark Ayad]

Nice try but no luck

$IPTABLES -t nat -A POSTROUTING -o $INTIF -i $INTIF -j

can't use -i in POSTROUTING

So I tried

$IPTABLES -t nat -A POSTROUTING -o $INTIF 192.168.0.0/24 -j MASQUERADE

No luck there although this time the rule is correct.

So I tried

$IPTABLES -t nat -A POSTROUTING -o $INTIF 192.168.0.3 -j MASQUERADE

...but no success.

I know this is a silly problem, since I could used the internal IP of the
web server, but I want to crack this to be sure the server can be reached
via the external address. At the moment I confirm this using a web
anonymiser.

Mark



----- Original Message -----
From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
To: <netfilter@lists.samba.org>
Sent: Wednesday, July 10, 2002 4:22 PM
Subject: Re: Destination NAT Onto the Same Network Problem


> On Wednesday 10 July 2002 2:54 pm, Mark Ayad wrote:
>
> > I have a problem with the following Firewall Script which works fine
apart
> > from when I try to INTERNALLY connect to the webserver 192.168.0.3:80
> > using the public IP which if I'm right should be the same as $EXTIF. The
> > internal machine I'm launching the request from is actually the
webserver
> > (but that shouldn't matter).
> >
> > I know I'm missing a line from what I read in
> >
http://netfilter.samba.org/unreliable-guides/NAT-HOWTO/NAT-HOWTO.linuxdoc-1
> >0 .html and I've tried nearly every combination I can think of except the
> > one that works that is.
> >
> > So whats the missing line ?
> >
> > $IPTABLES -A INPUT -p tcp --syn --destination-port 80 -j ACCEPT
> > $IPTABLES -A INPUT -p tcp --syn -j DROP
> >
> > $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -j ACCEPT
> > $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
> > $IPTABLES -A FORWARD -j LOG
> >
> > $IPTABLES -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j
> > DNAT --to-destination 192.168.0.3:80
> >
> > $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
>
> This one looks a bit odd to me, even though I've written it myself, but I
> think it should do the trick:
>
> $IPTABLES -t nat -A POSTROUTING -o $INTIF -i $INTIF -j MASQUERADE
>
> If it doesn't, then just use the standard version:
>
> $IPTABLES -t nat -A POSTROUTING -o $INTIF -s a.b.c.d/n -j MASQUERADE
>
> where a.b.c.d/n is your internal network range.
>
>
>
> Antony.
>
>

Re: Destination NAT Onto the Same Network Problem

[Antony Stone]

On Wednesday 10 July 2002 3:38 pm, Tom Eastep wrote:

> <Antony@Soft-Solutions.co.uk> wrote:
> > This one looks a bit odd to me, even though I've written it myself, but I
> > think it should do the trick:
> >
> > $IPTABLES -t nat -A POSTROUTING -o $INTIF -i $INTIF -j MASQUERADE
>
> "-i" can't be used in the POSTROUTING hook.

Oh.   I knew you couldn't use -o in PREROUTING, because the routing hasn't 
been done yet, but I would have thought that POSTROUTING would remember where 
the packet came in from ?

Ho Hum.

> > $IPTABLES -t nat -A POSTROUTING -o $INTIF -s a.b.c.d/n -j MASQUERADE
> >
> > where a.b.c.d/n is your internal network range.
>
> That's better -- since the internal interface usually has a static address,
> the following is preferable:
>
> $IPTABLES -t nat -A POSTROUTING -o $INTIF -s a.b.c.d/n -j SNAT --to-source
> $INTIP

Yes, agreed.   SNAT is much more efficient than MASQUERADE, on each packet 
going through the machine.

By the way, since I made my last posting on this, I noticed that Mark's 
PREROUTING DNAT rule specified the input interface, which should be changed 
to match the IP address instead, to enable translation of packets which come 
in from the other interface as well:

$IPTABLES -t nat -A PREROUTING -d a.b.c.d -p tcp --dport 80 -j DNAT --to 
192.168.0.3

where a.b.c.d is the ext IP of the firewall.

 

Antony.

Re: Destination NAT Onto the Same Network Problem

[Antony Stone]

On Wednesday 10 July 2002 3:51 pm, Mark Ayad wrote:

> Nice try but no luck
>
> $IPTABLES -t nat -A POSTROUTING -o $INTIF -i $INTIF -j
>
> can't use -i in POSTROUTING

Yup.   Tom just pointed that out to me :-)

> So I tried
>
> $IPTABLES -t nat -A POSTROUTING -o $INTIF 192.168.0.0/24 -j MASQUERADE
>
> No luck there although this time the rule is correct.

You should have a "-s" in there before the address ?

Anyway, I realised that your DNAT rule was specifying the input interface 
(which presumably is your external interface), so it won't do anything for 
packets coming in the other (internal) interface.   You need to change the 
DNAT rule so it specifies the target address instead:

$IPTABLES -t nat -A PREROUTING -d a.b.c.d -p tcp --dport 80 -j DNAT --to 
192.168.0.3

where a.b.c.d is the ext IP of the firewall.

 

Antony.

RE: Destination NAT Onto the Same Network Problem

[Joe Patterson]

>
> > <Antony@Soft-Solutions.co.uk> wrote:
> > > This one looks a bit odd to me, even though I've written it
> myself, but I
> > > think it should do the trick:
> > >
> > > $IPTABLES -t nat -A POSTROUTING -o $INTIF -i $INTIF -j MASQUERADE
> >
> > "-i" can't be used in the POSTROUTING hook.
>
> Oh.   I knew you couldn't use -o in PREROUTING, because the
> routing hasn't
> been done yet, but I would have thought that POSTROUTING would
> remember where
> the packet came in from ?

Yeah, that's always bothered me too.  I'm sure there's a good reason, but it
doesn't make sense to me.

The way around it, of course, is to set a mark in mangle/PREROUTING on
the -i interface, then check the mark in nat/POSTROUTING.  Alternatively,
you can of course use -s $INTERNAL_NET

-Joe

Re: Destination NAT Onto the Same Network Problem

[Ray Leach]

Hi

For my internal lan trying to browse me web servers in the dmz this is
what I do:

$IPTABLES -t nat -A PREROUTING -i $IFACE_INT -p tcp --dport 80 -d
$IP_INET_WEB1 -j DNAT --to $IP_INT_WEB1

$IPTABLES=/sbin/iptables
$IFACE_INT=eth1
$IP_INET_WEB1=196.4.160.12	# internet address of web server
$IP_INT_WEB1=192.168.1.12	# internal ip of the web server

One other thing, you must put this rule before redirecting web traffic
to a transparent proxy.

Ray


On Wed, 2002-07-10 at 16:51, Mark Ayad wrote:
> Nice try but no luck
> 
> $IPTABLES -t nat -A POSTROUTING -o $INTIF -i $INTIF -j
> 
> can't use -i in POSTROUTING
> 
> So I tried
> 
> $IPTABLES -t nat -A POSTROUTING -o $INTIF 192.168.0.0/24 -j MASQUERADE
> 
> No luck there although this time the rule is correct.
> 
> So I tried
> 
> $IPTABLES -t nat -A POSTROUTING -o $INTIF 192.168.0.3 -j MASQUERADE
> 
> ...but no success.
> 
> I know this is a silly problem, since I could used the internal IP of the
> web server, but I want to crack this to be sure the server can be reached
> via the external address. At the moment I confirm this using a web
> anonymiser.
> 
> Mark
> 
> 
> 
> ----- Original Message -----
> From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
> To: <netfilter@lists.samba.org>
> Sent: Wednesday, July 10, 2002 4:22 PM
> Subject: Re: Destination NAT Onto the Same Network Problem
> 
> 
> > On Wednesday 10 July 2002 2:54 pm, Mark Ayad wrote:
> >
> > > I have a problem with the following Firewall Script which works fine
> apart
> > > from when I try to INTERNALLY connect to the webserver 192.168.0.3:80
> > > using the public IP which if I'm right should be the same as $EXTIF. The
> > > internal machine I'm launching the request from is actually the
> webserver
> > > (but that shouldn't matter).
> > >
> > > I know I'm missing a line from what I read in
> > >
> http://netfilter.samba.org/unreliable-guides/NAT-HOWTO/NAT-HOWTO.linuxdoc-1
> > >0 .html and I've tried nearly every combination I can think of except the
> > > one that works that is.
> > >
> > > So whats the missing line ?
> > >
> > > $IPTABLES -A INPUT -p tcp --syn --destination-port 80 -j ACCEPT
> > > $IPTABLES -A INPUT -p tcp --syn -j DROP
> > >
> > > $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -j ACCEPT
> > > $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
> > > $IPTABLES -A FORWARD -j LOG
> > >
> > > $IPTABLES -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j
> > > DNAT --to-destination 192.168.0.3:80
> > >
> > > $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
> >
> > This one looks a bit odd to me, even though I've written it myself, but I
> > think it should do the trick:
> >
> > $IPTABLES -t nat -A POSTROUTING -o $INTIF -i $INTIF -j MASQUERADE
> >
> > If it doesn't, then just use the standard version:
> >
> > $IPTABLES -t nat -A POSTROUTING -o $INTIF -s a.b.c.d/n -j MASQUERADE
> >
> > where a.b.c.d/n is your internal network range.
> >
> >
> >
> > Antony.
> >
> >
> 
> 

Re: Destination NAT Onto the Same Network Problem

[Mark Ayad]

Antony

I gave

$IPTABLES -t nat -A PREROUTING -d a.b.c.d -p tcp --dport 80 -j DNAT --to
192.168.0.3

a whirl but no joy, although the onnection request tqkes muck longer to time
out ?

So we have

[198.168.0.3] make a request on [198.168.0.1] the gateway  which is MASQ to
[a.b.d.c]  the ext IP of the firewall. The DNS lookup returns [a.b.d.c]
which is Postrouted DNAT mapped to [198.168.0.3]

Am I right I thinking that the source address is that of the gateway
[198.168.0.1] , which is why I get no response ?

echo "   clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

$IPTABLES -A INPUT -p tcp --syn --destination-port 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp --syn -j DROP

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j
DNAT --to-destination 192.168.0.3:80

$IPTABLES -t nat -A PREROUTING -d a.b.c.d -p tcp --dport 80 -j DNAT --to
192.168.0.3

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo -e "\nrc.firewall-2.4 v$FWVER done.\n"

Where where a.b.c.d is the ext IP of the firewall.

Still won't connect from an IP request on 192.168.0.3 ?

It requires a rule simply to act as a loopback but first going by the
external ip to obtain the external dns IP which is a.b.c.d.

Re: Destination NAT Onto the Same Network Problem

[Antony Stone]

Mark; here is your ruleset, with my comments:

> $IPTABLES -P INPUT ACCEPT

With a default ACCEPT policy on INPUT, we can ignore any other rules in this 
chain unless they DROP or REJECT packets.

> $IPTABLES -F INPUT
> $IPTABLES -P OUTPUT ACCEPT

With a default ACCEPT policy on OUTPUT, we can ignore any other rules in this 
chain unless they DROP or REJECT packets.

> $IPTABLES -F OUTPUT
> $IPTABLES -P FORWARD DROP

We need FORWARDing rules to allow traffic.

> $IPTABLES -F FORWARD
> $IPTABLES -t nat -F
>
> $IPTABLES -A INPUT -p tcp --syn --destination-port 80 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --syn -j DROP

These rules will prevent any TCP connection being made to the firewall except 
on port 80.   Seems good.   Anything not TCP will be allowed in by default.

> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -j ACCEPT
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
> $IPTABLES -A FORWARD -j LOG

Allow stuff from outside to inside, allow stuff from inside to outside, then 
LOG anything else (such as inside to inside..... :-) before default DROPping 
it.

Therefore you need to add a rule:

$IPTABLES -A FORWARD -i $INTIF -o $INTIF -j ACCEPT

> $IPTABLES -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j
> DNAT --to-destination 192.168.0.3:80

Don't need the above rule any more - just use the one below instead:

> $IPTABLES -t nat -A PREROUTING -d a.b.c.d -p tcp --dport 80 -j DNAT --to
> 192.168.0.3

This will send any TCP port 80 requests coming in to the firewall's ext IP 
address, on to 192.168.0.3, no matter which way they came in to the firewall.

> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

Hide outbound packets behind the ext IP of the firewall.

You also need to add the SNAT rule for packets from your internal LAN to the 
internal webserver:

$IPTABLES -t nat -A POSTROUTING -o $INTIF -s 192.168.0.0/24 -j SNAT --to 
192.168.0.1

So, add the FORWARD rule and the POSTROUTING SNAT rule, remove the first 
PREROUTING rule, and tell us what happens :-)

 

Antony.

Re: Destination NAT Onto the Same Network Problem

[Antony Stone]

On Wednesday 10 July 2002 4:10 pm, Joe Patterson wrote:

> > > <Antony@Soft-Solutions.co.uk> wrote:

> > Oh.   I knew you couldn't use -o in PREROUTING, because the routing
> > hasn't been done yet, but I would have thought that POSTROUTING would
> > remember where the packet came in from ?
>
> Yeah, that's always bothered me too.  I'm sure there's a good reason, but
> it doesn't make sense to me.
>
> The way around it, of course, is to set a mark in mangle/PREROUTING on
> the -i interface, then check the mark in nat/POSTROUTING.  Alternatively,
> you can of course use -s $INTERNAL_NET

Using -s is easy enough for the internal network, but a bit bothersome for 
the external network (!), so I like the suggestion for marking packets in the 
mangle table and then checking the mark later on....

 

Antony.

Re: Destination NAT Onto the Same Network Problem

[Big Man]

here is what I do and it works fine.

iptables -t nat -A PREROUTING -d $EXT_IP  -p tcp --dport http -j
DNAT --to-destination $web_server_IP:80

iptables -t nat -A POSTROUTING -s $LAN_Subnet -d $web_server_IP -p
tcp --dport http -j SNAT --to $firewall_lan_IP
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


hope this helps.


----- Original Message -----
From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
To: <netfilter@lists.samba.org>
Sent: Wednesday, July 10, 2002 11:46 AM
Subject: Re: Destination NAT Onto the Same Network Problem


> On Wednesday 10 July 2002 4:10 pm, Joe Patterson wrote:
>
> > > > <Antony@Soft-Solutions.co.uk> wrote:
>
> > > Oh.   I knew you couldn't use -o in PREROUTING, because the routing
> > > hasn't been done yet, but I would have thought that POSTROUTING would
> > > remember where the packet came in from ?
> >
> > Yeah, that's always bothered me too.  I'm sure there's a good reason,
but
> > it doesn't make sense to me.
> >
> > The way around it, of course, is to set a mark in mangle/PREROUTING on
> > the -i interface, then check the mark in nat/POSTROUTING.
Alternatively,
> > you can of course use -s $INTERNAL_NET
>
> Using -s is easy enough for the internal network, but a bit bothersome for
> the external network (!), so I like the suggestion for marking packets in
the
> mangle table and then checking the mark later on....
>
>
>
> Antony.
>

RE: Destination NAT Onto the Same Network Problem

[Mark Ayad]

[-- Attachment #1: Type: text/plain, Size: 1606 bytes --]

Sorry everyone, that this is getting quite long ):

I gave

$IPTABLES -t nat -A PREROUTING -d a.b.c.d -p tcp --dport 80 -j DNAT --to
192.168.0.3

a whirl but no joy, although the onnection request tqkes muck longer to time
out ?

So we have

[198.168.0.3] make a request on [198.168.0.1] the gateway  which is MASQ to
[a.b.d.c]  the ext IP of the firewall. The DNS lookup returns [a.b.d.c]
which is Postrouted DNAT mapped to [198.168.0.3]

Am I right I thinking that the source address is that of the gateway
[198.168.0.1] , which is why I get no response ?

echo "   clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

$IPTABLES -A INPUT -p tcp --syn --destination-port 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp --syn -j DROP

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j
DNAT --to-destination 192.168.0.3:80

$IPTABLES -t nat -A PREROUTING -d a.b.c.d -p tcp --dport 80 -j DNAT --to
192.168.0.3

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo -e "\nrc.firewall-2.4 v$FWVER done.\n"

Where where a.b.c.d is the ext IP of the firewall.

Still won't connect from an IP request on 192.168.0.3 ?

It requires a rule simply to act as a loopback but first going by the
external ip to obtain the external dns IP which is a.b.c.d.





[-- Attachment #2: Type: text/html, Size: 2143 bytes --]