* understanding my MASQUERADING and SNAT problem
@ 2019-10-23 19:52 Aaron Gray
  2019-10-23 20:46 ` zrm
  0 siblings, 1 reply; 7+ messages in thread
From: Aaron Gray @ 2019-10-23 19:52 UTC (permalink / raw)
  To: netfilter

I am trying to provide a gateway for firewalling Windows.

I have two ethernet ports :-

     enp4s0 which is external onto another router onto the internet on 192.168.1.0/8
     enp5s5: which is my internal Windows network.

I have the following rule working :-

     iptables -t nat -A POSTROUTING ! -d 192.0.1.0/8 -o enp4s0 -j MASQUERADE

Why do we need the '! -d 192.0.1.0/8'? This does not seem to make any 
sense.

I am trying to just allow ports 53 DNS and 443 HTTPS to be allowed 
through, so I tried :-

     iptables -t nat -A POSTROUTING ! -d 192.0.1.0/8 -p tcp --dport 53 -o enp4s0 -j MASQUERADE
     iptables -t nat -A POSTROUTING ! -d 192.0.1.0/8 -p udp --dport 53 -o enp4s0 -j MASQUERADE
     iptables -t nat -A POSTROUTING ! -d 192.0.1.0/8 -p tcp --dport 533 -o enp4s0 -j MASQUERADE

But it is failing.

Hope I am doing something simple wrong !

--
Aaron Gray

Independent Open Source Software Engineer, Computer Language Researcher, 
Information Theorist, and amateur computer scientist.



* Re: understanding my MASQUERADING and SNAT problem
  2019-10-23 19:52 understanding my MASQUERADING and SNAT problem Aaron Gray
@ 2019-10-23 20:46 ` zrm
  2019-10-23 21:38   ` zrm
                     ` (2 more replies)
  0 siblings, 3 replies; 7+ messages in thread
From: zrm @ 2019-10-23 20:46 UTC (permalink / raw)
  To: Aaron Gray, netfilter

On 10/23/19 15:52, Aaron Gray wrote:
> I am trying to provide a gateway for firewalling Windows.
> 
> I have two ethernet ports :-
> 
>      enp4s0 which is external onto another router onto the internet on 192.168.1.0/8
>      enp5s5: which is my internal Windows network.
> 
> I have the following rule working :-
> 
>      iptables -t nat -A POSTROUTING ! -d 192.0.1.0/8 -o enp4s0 -j MASQUERADE
> 
> Why do we need the '! -d 192.0.1.0/8'? This does not seem to make any 
> sense.

It's incorrect. At least the subnet mask is wrong, for 192.0.1.0 it 
would have to be no more than a /24, not a /8. Also, it's probably meant 
to be 192.168.1.0 rather than 192.0.1.0.

I imagine the intended purpose is to not translate the source address 
when the destination is on the local network, but that only works if 
you've configured the outside router to send packets for the inside 
subnet to the outside address of the inside gateway. And if that's the 
case you probably shouldn't have the inside gateway doing NAT at all and 
just let the outside gateway handle it to the internet. If it's not the 
case then you'll need to translate everything regardless of the 
destination, if you expect it to be able to receive a response.

> I am trying to just allow ports 53 DNS and 443 HTTPS to be allowed 
> through, so I tried :-
> 
>      iptables -t nat -A POSTROUTING ! -d 192.0.1.0/8 -p tcp --dport 53 -o enp4s0 -j MASQUERADE
>      iptables -t nat -A POSTROUTING ! -d 192.0.1.0/8 -p udp --dport 53 -o enp4s0 -j MASQUERADE
>      iptables -t nat -A POSTROUTING ! -d 192.0.1.0/8 -p tcp --dport 533 -o enp4s0 -j MASQUERADE
> 
> But it is failing.
> 
> Hope I am doing something simple wrong !

You don't use MASQUERADE or the nat chain for filtering. Try this:

iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp5s5 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i enp5s5 -p udp --dport 443 -j ACCEPT -m comment --comment "HTTP/3"
iptables -A FORWARD -i enp5s5 -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -i enp5s5 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i enp5s5 -j REJECT
iptables -P FORWARD DROP

Note however that blocking arbitrary _outgoing_ connections to other 
ports generally does more harm than good, because nearly all "bad" 
things today are either using very specific ports (e.g. SMTP) or (along 
with most things in general) are using TCP/443.

The primary result of blocking arbitrary outgoing ports by default is to 
inconvenience applications that have to make connections to peers with 
more than one computer behind the same IP address, which thereby need to 
use more than one port. They then either break or have to respond by 
falling back to typically slower/higher latency/more 
expensive/centralized relaying through an external server using TCP/443.

Instead you generally want to start here:

iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp5s5 -j ACCEPT
iptables -P FORWARD DROP

And then reject the things you actually want to prohibit, e.g.:

iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp4s0 -p tcp --dport 25 -j REJECT -m comment --comment "no spamming"
iptables -A FORWARD -i enp4s0 -p tcp --dport 80 -j REJECT -m comment --comment "no unencrypted HTTP"
iptables -A FORWARD -i enp5s5 -j ACCEPT
iptables -P FORWARD DROP


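An added check for the subnet-mask mistake zrm points out above, written in Python against the standard ipaddress module; it is example code, not from the thread, and the upstream router address 192.168.1.1 and the public host 203.0.113.20 are constructed values. It relies on iptables masking off host bits rather than rejecting the address, so it shows what the rule as written actually matched, what was probably meant, and which destinations the '! -d' exclusion leaves untranslated.

```python
import ipaddress
from typing import Dict, Iterable, Optional


def effective_match(cidr: str) -> ipaddress.IPv4Network:
    """Network that iptables actually matches for '-s cidr' / '-d cidr'.

    iptables does not reject an address with host bits set under the mask;
    it masks them off, so '-d 192.0.1.0/8' is loaded as '-d 192.0.0.0/8'.
    """
    return ipaddress.ip_network(cidr, strict=False)


def narrowest_prefix(cidr: str) -> Optional[ipaddress.IPv4Network]:
    """Shortest prefix that keeps every host bit written in cidr, i.e. the
    network the author most plausibly meant (192.0.1.0/8 -> 192.0.1.0/24).
    Returns None when cidr is already a proper network."""
    addr_s, prefix_s = cidr.split("/")
    addr = ipaddress.ip_address(addr_s)
    if effective_match(cidr).network_address == addr:
        return None
    for plen in range(int(prefix_s) + 1, addr.max_prefixlen + 1):
        cand = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        if cand.network_address == addr:
            return cand
    return None  # not reached: a /32 never has host bits


def excluded_from_nat(cidr: str, destinations: Iterable[str]) -> Dict[str, bool]:
    """For 'POSTROUTING ! -d cidr -o <ext> -j MASQUERADE', report which of
    the given destinations are left untranslated (they fall inside cidr)."""
    net = effective_match(cidr)
    return {d: ipaddress.ip_address(d) in net for d in destinations}


if __name__ == "__main__":
    # Constructed values: the rule from the thread, the assumed upstream
    # router (192.168.1.1) and a public host in TEST-NET-3.
    rule_net = "192.0.1.0/8"
    print("as loaded:", effective_match(rule_net))        # 192.0.0.0/8
    print("probably meant:", narrowest_prefix(rule_net))  # 192.0.1.0/24
    print(excluded_from_nat(rule_net, ["192.168.1.1", "203.0.113.20"]))
```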

* Re: understanding my MASQUERADING and SNAT problem
  2019-10-23 20:46 ` zrm
@ 2019-10-23 21:38   ` zrm
       [not found]   ` <CANkmNDdnBB92niurKFGojdpUi8_wwLFooUWZmYQijMK5Vn1LvA@mail.gmail.com>
  2019-10-24 23:58   ` Aaron Gray
  2 siblings, 0 replies; 7+ messages in thread
From: zrm @ 2019-10-23 21:38 UTC (permalink / raw)
  To: Aaron Gray, netfilter

> iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i enp5s5 -j ACCEPT
> iptables -P FORWARD DROP
> 
> And then reject the things you actually want to prohibit, e.g.:
> 
> iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i enp4s0 -p tcp --dport 25 -j REJECT --comment "no 
> spamming"
> iptables -A FORWARD -i enp4s0 -p tcp --dport 80 -j REJECT --comment "no 
> unencrypted HTTP"
> iptables -A FORWARD -i enp5s5 -j ACCEPT
> iptables -P FORWARD DROP
> 

That should've been this, using the internal interface rather than the 
external one:

iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp5s5 -p tcp --dport 25 -j REJECT -m comment --comment "no spamming"
iptables -A FORWARD -i enp5s5 -p tcp --dport 80 -j REJECT -m comment --comment "no unencrypted HTTP"
iptables -A FORWARD -i enp5s5 -j ACCEPT
iptables -P FORWARD DROP

Note that this is a strong reason to rename your interfaces to something 
meaningful instead of using the ugly meaningless default names.


* Re: understanding my MASQUERADING and SNAT problem
       [not found]   ` <CANkmNDdnBB92niurKFGojdpUi8_wwLFooUWZmYQijMK5Vn1LvA@mail.gmail.com>
@ 2019-10-24 18:43     ` zrm
  2019-10-24 23:59       ` Aaron Gray
  0 siblings, 1 reply; 7+ messages in thread
From: zrm @ 2019-10-24 18:43 UTC (permalink / raw)
  To: Aaron Gray; +Cc: netfilter

On 10/23/19 20:58, Aaron Gray wrote:
> 
> Ah, that explains it. I cannot believe I did that; yes, it should have 
> been 192.168.1.0/8!
> 
> And that explains the ! too ?

It should probably be 192.168.1.0/24. The '!' means "not" -- i.e. don't 
translate things with that destination.

>     You don't use MASQUERADE or the nat chain for filtering. Try this:
> 
>     iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
>     iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>     iptables -A FORWARD -i enp5s5 -p tcp --dport 443 -j ACCEPT
>     iptables -A FORWARD -i enp5s5 -p udp --dport 443 -j ACCEPT --comment
>     "HTTP/3"
>     iptables -A FORWARD -i enp5s5 -p tcp --dport 53 -j ACCEPT
>     iptables -A FORWARD -i enp5s5 -p udp --dport 53 -j ACCEPT
>     iptables -A FORWARD -i enp5s5 -j REJECT
>     iptables -P FORWARD DROP
> 
> 
> This is exactly what I want, to be as prohibitive as I can first to start 
> off with, for Windows installation: no HTTP, or other ports. Then I want 
> to use IPSET to only allow specific Microsoft IPs too. So all the 
> others go in the 'filter' chain by default?

If you're going to do this then what you may also want to do is log 
anything you're blocking, e.g.:

iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp5s5 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i enp5s5 -p udp --dport 443 -j ACCEPT -m comment --comment "HTTP/3"
iptables -A FORWARD -i enp5s5 -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -i enp5s5 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i enp5s5 -j LOG --log-prefix "enp5s5 rejected:"
iptables -A FORWARD -i enp5s5 -j REJECT
iptables -P FORWARD DROP

Then check the logs on a regular basis and see what's there, because if 
anything shows up it means that something is wrong -- either you're 
blocking something you shouldn't be or you're blocking something you 
should be but then it shouldn't even be trying to do that and you may 
want to go remediate whatever is attempting to misbehave.

>     Note however that blocking arbitrary _outgoing_ connections to other
>     ports generally does more harm than good, because nearly all "bad"
>     things today are either using very specific ports (e.g. SMTP) or
>     (along with most things in general) are using TCP/443.
> 
>     The primary result of blocking arbitrary outgoing ports by default
>     is to inconvenience applications that have to make connections to
>     peers with more than one computer behind the same IP address, which
>     thereby need to use more than one port. They then either break or
>     have to respond by falling back to typically slower/higher
>     latency/more expensive/centralized relaying through an external
>     server using TCP/443.
> 
>     Instead you generally want to start here:
> 
>     iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
>     iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>     iptables -A FORWARD -i enp5s5 -j ACCEPT
>     iptables -P FORWARD DROP
> 
>     And then reject the things you actually want to prohibit, e.g.:
> 
>     iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
>     iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>     iptables -A FORWARD -i enp5s5 -p tcp --dport 25 -j REJECT --comment
>     "no spamming"
>     iptables -A FORWARD -i enp5s5 -p tcp --dport 80 -j REJECT --comment
>     "no unencrypted HTTP"
>     iptables -A FORWARD -i enp5s5 -j ACCEPT
>     iptables -P FORWARD DROP
> 
> 
> what about 137 and 139 I want them blocked.

Those would be incoming connections, right? The only ACCEPT rule 
matching packets coming in the external interface is the one with "-m 
state --state RELATED,ESTABLISHED", which doesn't match NEW connections, 
so they hit the default policy (-P FORWARD DROP).

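To act on the "check the logs on a regular basis" advice above, here is an added Python example (not from the thread) that parses kernel LOG records carrying the "enp5s5 rejected:" prefix and tallies what was rejected per source and destination port. The log lines are constructed, using private and documentation addresses; the only assumption is that the prefix is passed exactly as given to --log-prefix, since LOG inserts no separator after it.

```python
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Constructed sample of what the LOG rule above writes to the kernel log.
# The prefix "enp5s5 rejected:" is emitted verbatim with no separator, so
# "IN=" abuts the colon (add a trailing space to the prefix if you want one).
# One unrelated kernel line is included to show it is skipped.
PREFIX = "enp5s5 rejected:"
SAMPLE_LOG = """\
Oct 24 18:50:01 gw kernel: [ 1201.100000] enp5s5 rejected:IN=enp5s5 OUT=enp4s0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.2.10 DST=203.0.113.20 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=4501 DF PROTO=TCP SPT=51044 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 24 18:50:02 gw kernel: [ 1202.300000] enp5s5 rejected:IN=enp5s5 OUT=enp4s0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.2.10 DST=203.0.113.5 LEN=76 TOS=0x00 PREC=0x00 TTL=127 ID=4502 PROTO=UDP SPT=123 DPT=123 LEN=56
Oct 24 18:50:04 gw kernel: [ 1204.000000] enp5s5 rejected:IN=enp5s5 OUT=enp4s0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.2.10 DST=203.0.113.20 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=4503 DF PROTO=TCP SPT=51045 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 24 18:50:09 gw kernel: [ 1209.500000] IPv6: ADDRCONF(NETDEV_CHANGE): enp4s0: link becomes ready
Oct 24 18:50:11 gw kernel: [ 1211.200000] enp5s5 rejected:IN=enp5s5 OUT=enp4s0 MAC=00:11:22:33:44:55:66:77:88:99:aa:cc:08:00 SRC=192.168.2.11 DST=203.0.113.20 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=9001 DF PROTO=TCP SPT=49700 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 24 18:50:12 gw kernel: [ 1212.900000] enp5s5 rejected:IN=enp5s5 OUT=enp4s0 MAC=00:11:22:33:44:55:66:77:88:99:aa:cc:08:00 SRC=192.168.2.11 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=9002 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7
"""


def parse_log_line(line: str, prefix: str) -> Optional[Dict[str, str]]:
    """Return the KEY=VALUE fields of one LOG record, or None if the line
    was not written by the rule with this --log-prefix."""
    pos = line.find(prefix + "IN=")
    if pos < 0:
        return None
    rec: Dict[str, str] = {}
    flags: List[str] = []
    for tok in line[pos + len(prefix):].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val      # a repeated key (ICMP's second ID) keeps the last value
        else:
            flags.append(tok)   # DF, SYN, ACK ... carry no value
    rec["FLAGS"] = " ".join(flags)
    return rec


def summarize(lines: Iterable[str], prefix: str) -> Counter:
    """Count rejected packets per (source, protocol, destination port);
    the port is None for protocols without one, e.g. ICMP."""
    tally: Counter = Counter()
    for line in lines:
        rec = parse_log_line(line, prefix)
        if rec is not None:
            tally[(rec["SRC"], rec["PROTO"], rec.get("DPT"))] += 1
    return tally


def report(tally: Counter) -> List[str]:
    """Most-hit entries first; each row reads 'count src proto/dport'."""
    rows = sorted(tally.items(),
                  key=lambda kv: (-kv[1], kv[0][0], kv[0][1], kv[0][2] or ""))
    return [f"{n} {src} {proto}/{dpt or '-'}" for (src, proto, dpt), n in rows]


if __name__ == "__main__":
    for row in report(summarize(SAMPLE_LOG.splitlines(), PREFIX)):
        print(row)
```

A tally dominated by one port that many hosts need (here TCP/80) is the "you're blocking something you shouldn't be" case; a single host hitting an unexpected port is the one to go and look at.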

* Re: understanding my MASQUERADING and SNAT problem
  2019-10-23 20:46 ` zrm
  2019-10-23 21:38   ` zrm
       [not found]   ` <CANkmNDdnBB92niurKFGojdpUi8_wwLFooUWZmYQijMK5Vn1LvA@mail.gmail.com>
@ 2019-10-24 23:58   ` Aaron Gray
  2 siblings, 0 replies; 7+ messages in thread
From: Aaron Gray @ 2019-10-24 23:58 UTC (permalink / raw)
  To: zrm; +Cc: netfilter

On Wednesday, 23 October 2019, zrm <zrm@trustiosity.com> wrote:
>
> On 10/23/19 15:52, Aaron Gray wrote:
>>
>> I am trying to provide a gateway for firewalling Windows.
>>
>> I have two ethernet ports :-
>>
>>      enp4s0 which is external onto another router onto the internet on 192.168.1.0/8
>>      enp5s5: which is my internal Windows network.
>>
>> I have the following rule working :-
>>
>>      iptables -t nat -A POSTROUTING ! -d 192.0.1.0/8 -o enp4s0 -j MASQUERADE
>>
>> Why do we need the '! -d 192.0.1.0/8'? This does not seem to make any sense.
>
>
> It's incorrect. At least the subnet mask is wrong, for 192.0.1.0 it would have to be no more than a /24, not a /8. Also, it's probably meant to be 192.168.1.0 rather than 192.0.1.0.


Ah, that explains it. I cannot believe I did that; yes, it should have
been 192.168.1.0/8!

And that explains the ! too ?

>
>
> I imagine the intended purpose is to not translate the source address when the destination is on the local network, but that only works if you've configured the outside router to send packets for the inside subnet to the outside address of the inside gateway. And if that's the case you probably shouldn't have the inside gateway doing NAT at all and just let the outside gateway handle it to the internet. If it's not the case then you'll need to translate everything regardless of the destination, if you expect it to be able to receive a response.
>
>> I am trying to just allow ports 53 DNS and 443 HTTPS to be allowed through, so I tried :-
>>
>>      iptables -t nat -A POSTROUTING ! -d 192.0.1.0/8 -p tcp --dport 53 -o enp4s0 -j MASQUERADE
>>      iptables -t nat -A POSTROUTING ! -d 192.0.1.0/8 -p udp --dport 53 -o enp4s0 -j MASQUERADE
>>      iptables -t nat -A POSTROUTING ! -d 192.0.1.0/8 -p tcp --dport 533 -o enp4s0 -j MASQUERADE
>>
>> But it is failing.
>>
>> Hope I am doing something simple wrong !
>
>
> You don't use MASQUERADE or the nat chain for filtering. Try this:
>
> iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i enp5s5 -p tcp --dport 443 -j ACCEPT
> iptables -A FORWARD -i enp5s5 -p udp --dport 443 -j ACCEPT --comment "HTTP/3"
> iptables -A FORWARD -i enp5s5 -p tcp --dport 53 -j ACCEPT
> iptables -A FORWARD -i enp5s5 -p udp --dport 53 -j ACCEPT
> iptables -A FORWARD -i enp5s5 -j REJECT
> iptables -P FORWARD DROP


This is exactly what I want, to be as prohibitive as I can first to start
off with, for Windows installation: no HTTP, or other ports. Then I
want to use IPSET to only allow specific Microsoft IPs too. So all
the others go in the 'filter' chain by default?

>
>
> Note however that blocking arbitrary _outgoing_ connections to other ports generally does more harm than good, because nearly all "bad" things today are either using very specific ports (e.g. SMTP) or (along with most things in general) are using TCP/443.
>
> The primary result of blocking arbitrary outgoing ports by default is to inconvenience applications that have to make connections to peers with more than one computer behind the same IP address, which thereby need to use more than one port. They then either break or have to respond by falling back to typically slower/higher latency/more expensive/centralized relaying through an external server using TCP/443.
>
> Instead you generally want to start here:
>
> iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i enp5s5 -j ACCEPT
> iptables -P FORWARD DROP
>
> And then reject the things you actually want to prohibit, e.g.:
>
> iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i enp4s0 -p tcp --dport 25 -j REJECT --comment "no spamming"
> iptables -A FORWARD -i enp4s0 -p tcp --dport 80 -j REJECT --comment "no unencrypted HTTP"
> iptables -A FORWARD -i enp5s5 -j ACCEPT
> iptables -P FORWARD DROP


What about 137 and 139? I want them blocked.
I would rather be totally prohibitive, then allow what is needed as it's needed.

nmap might be useful for testing


* Re: understanding my MASQUERADING and SNAT problem
  2019-10-24 18:43     ` zrm
@ 2019-10-24 23:59       ` Aaron Gray
  2019-10-25  0:17         ` Aaron Gray
  0 siblings, 1 reply; 7+ messages in thread
From: Aaron Gray @ 2019-10-24 23:59 UTC (permalink / raw)
  To: zrm; +Cc: netfilter

On Wednesday, 23 October 2019, zrm <zrm@trustiosity.com> wrote:
>>
>> iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
>> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>> iptables -A FORWARD -i enp5s5 -j ACCEPT
>> iptables -P FORWARD DROP
>>
>> And then reject the things you actually want to prohibit, e.g.:
>>
>> iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
>> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>> iptables -A FORWARD -i enp4s0 -p tcp --dport 25 -j REJECT --comment "no spamming"
>> iptables -A FORWARD -i enp4s0 -p tcp --dport 80 -j REJECT --comment "no unencrypted HTTP"
>> iptables -A FORWARD -i enp5s5 -j ACCEPT
>> iptables -P FORWARD DROP
>>
>
> That should've been this, using the internal interface rather than the external one:
>
> iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i enp5s5 -p tcp --dport 25 -j REJECT --comment "no spamming"
> iptables -A FORWARD -i enp5s5 -p tcp --dport 80 -j REJECT --comment "no unencrypted HTTP"
> iptables -A FORWARD -i enp5s5 -j ACCEPT
> iptables -P FORWARD DROP


Okay I was confused about that.

>
> Note that this is a strong reason to rename your interfaces to something meaningful instead of using the ugly meaningless default names.


Yes I miss eth0 and eth1 !

Many thanks, hopefully that clears everything up. I suspected I had done
something stupid, and half suspected I needed to use the filter table.

Cheers,

Aaron


* Re: understanding my MASQUERADING and SNAT problem
  2019-10-24 23:59       ` Aaron Gray
@ 2019-10-25  0:17         ` Aaron Gray
  0 siblings, 0 replies; 7+ messages in thread
From: Aaron Gray @ 2019-10-25  0:17 UTC (permalink / raw)
  To: zrm; +Cc: netfilter

On Fri, 25 Oct 2019 at 00:59, Aaron Gray <aaronngray.lists@gmail.com> wrote:
>
> On Wednesday, 23 October 2019, zrm <zrm@trustiosity.com> wrote:
> >>
> >> iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
> >> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> >> iptables -A FORWARD -i enp5s5 -j ACCEPT
> >> iptables -P FORWARD DROP
> >>
> >> And then reject the things you actually want to prohibit, e.g.:
> >>
> >> iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
> >> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> >> iptables -A FORWARD -i enp4s0 -p tcp --dport 25 -j REJECT --comment "no spamming"
> >> iptables -A FORWARD -i enp4s0 -p tcp --dport 80 -j REJECT --comment "no unencrypted HTTP"
> >> iptables -A FORWARD -i enp5s5 -j ACCEPT
> >> iptables -P FORWARD DROP
> >>
> >
> > That should've been this, using the internal interface rather than the external one:
> >
> > iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
> > iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> > iptables -A FORWARD -i enp5s5 -p tcp --dport 25 -j REJECT --comment "no spamming"
> > iptables -A FORWARD -i enp5s5 -p tcp --dport 80 -j REJECT --comment "no unencrypted HTTP"
> > iptables -A FORWARD -i enp5s5 -j ACCEPT
> > iptables -P FORWARD DROP
>
>
> Okay I was confused about that.
>
> >
> > Note that this is a strong reason to rename your interfaces to something meaningful instead of using the ugly meaningless default names.
>
>
> Yes I miss eth0 and eth1 !
>
> Many thanks hopefully that clears everything up I suspected I had done
> something stupid. And half suspected I needed to use the filter table.

I did have everything working perfectly then it all stopped working
again and I cannot work out why.

I need to start from scratch again.

Aaron

