* understanding my MASQURADING and SNAT problem
@ 2019-10-23 19:52 Aaron Gray
2019-10-23 20:46 ` zrm
0 siblings, 1 reply; 7+ messages in thread
From: Aaron Gray @ 2019-10-23 19:52 UTC (permalink / raw)
To: netfilter
I am trying to provide a gateway for firewalling Windows.
I have two ethernet ports :-
enp4s0 which is external onto another router onto the internet on
192.168.1.0/8
enp5s5: which is my internal Windows network.
I have the following rule working :-
iptables -t nat -A POSTROUTING ! -d 192.0.1.0/8 -o enp4s0 -j MASQUERADE
Why do we need the '! -d 192.0.1.0/8'? This does not seem to make any
sense.
I am trying to just allow ports 53 (DNS) and 443 (HTTPS) to be allowed
through, so I tried :-
iptables -t nat -A POSTROUTING ! -d 192.0.1.0/8 -p tcp --dport 53 -o enp4s0 -j MASQUERADE
iptables -t nat -A POSTROUTING ! -d 192.0.1.0/8 -p udp --dport 53 -o enp4s0 -j MASQUERADE
iptables -t nat -A POSTROUTING ! -d 192.0.1.0/8 -p tcp --dport 533 -o enp4s0 -j MASQUERADE
But it is failing.
Hope I am doing something simple wrong !
--
Aaron Gray
Independent Open Source Software Engineer, Computer Language Researcher,
Information Theorist, and amateur computer scientist.
* Re: understanding my MASQURADING and SNAT problem
2019-10-23 19:52 understanding my MASQURADING and SNAT problem Aaron Gray
@ 2019-10-23 20:46 ` zrm
2019-10-23 21:38 ` zrm
` (2 more replies)
0 siblings, 3 replies; 7+ messages in thread
From: zrm @ 2019-10-23 20:46 UTC (permalink / raw)
To: Aaron Gray, netfilter
On 10/23/19 15:52, Aaron Gray wrote:
> I am trying to provide a gateway for firewalling Windows.
>
> I have two ethernet ports :-
>
> enp4s0 which is external onto another router onto the internet on
> 192.168.1.0/8
> enp5s5: which is my internal Windows network.
>
> I have the following rule working :-
>
> iptables -t nat -A POSTROUTING ! -d 192.0.1.0/8 -o enp4s0 -j MASQUERADE
>
> Why do we need the '! -d 192.0.1.0/8'? This does not seem to make any
> sense.
It's incorrect. At least the subnet mask is wrong, for 192.0.1.0 it
would have to be no more than a /24, not a /8. Also, it's probably meant
to be 192.168.1.0 rather than 192.0.1.0.
I imagine the intended purpose is to not translate the source address
when the destination is on the local network, but that only works if
you've configured the outside router to send packets for the inside
subnet to the outside address of the inside gateway. And if that's the
case you probably shouldn't have the inside gateway doing NAT at all and
just let the outside gateway handle it to the internet. If it's not the
case then you'll need to translate everything regardless of the
destination, if you expect it to be able to receive a response.
> I am trying to just allow ports 53 (DNS) and 443 (HTTPS) to be allowed
> through, so I tried :-
>
> iptables -t nat -A POSTROUTING ! -d 192.0.1.0/8 -p tcp --dport 53 -o enp4s0 -j MASQUERADE
> iptables -t nat -A POSTROUTING ! -d 192.0.1.0/8 -p udp --dport 53 -o enp4s0 -j MASQUERADE
> iptables -t nat -A POSTROUTING ! -d 192.0.1.0/8 -p tcp --dport 533 -o enp4s0 -j MASQUERADE
>
> But it is failing.
>
> Hope I am doing something simple wrong !
You don't use MASQUERADE or the nat chain for filtering. Try this:
iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp5s5 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i enp5s5 -p udp --dport 443 -j ACCEPT -m comment --comment "HTTP/3"
iptables -A FORWARD -i enp5s5 -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -i enp5s5 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i enp5s5 -j REJECT
iptables -P FORWARD DROP
Note however that blocking arbitrary _outgoing_ connections to other
ports generally does more harm than good, because nearly all "bad"
things today are either using very specific ports (e.g. SMTP) or (along
with most things in general) are using TCP/443.
The primary result of blocking arbitrary outgoing ports by default is to
inconvenience applications that have to make connections to peers with
more than one computer behind the same IP address, which thereby need to
use more than one port. They then either break or have to respond by
falling back to typically slower/higher latency/more
expensive/centralized relaying through an external server using TCP/443.
Instead you generally want to start here:
iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp5s5 -j ACCEPT
iptables -P FORWARD DROP
And then reject the things you actually want to prohibit, e.g.:
iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp4s0 -p tcp --dport 25 -j REJECT -m comment --comment "no spamming"
iptables -A FORWARD -i enp4s0 -p tcp --dport 80 -j REJECT -m comment --comment "no unencrypted HTTP"
iptables -A FORWARD -i enp5s5 -j ACCEPT
iptables -P FORWARD DROP
* Re: understanding my MASQURADING and SNAT problem
2019-10-23 20:46 ` zrm
@ 2019-10-23 21:38 ` zrm
[not found] ` <CANkmNDdnBB92niurKFGojdpUi8_wwLFooUWZmYQijMK5Vn1LvA@mail.gmail.com>
2019-10-24 23:58 ` Aaron Gray
2 siblings, 0 replies; 7+ messages in thread
From: zrm @ 2019-10-23 21:38 UTC (permalink / raw)
To: Aaron Gray, netfilter
> iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i enp5s5 -j ACCEPT
> iptables -P FORWARD DROP
>
> And then reject the things you actually want to prohibit, e.g.:
>
> iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i enp4s0 -p tcp --dport 25 -j REJECT -m comment --comment "no spamming"
> iptables -A FORWARD -i enp4s0 -p tcp --dport 80 -j REJECT -m comment --comment "no unencrypted HTTP"
> iptables -A FORWARD -i enp5s5 -j ACCEPT
> iptables -P FORWARD DROP
>
That should've been this, using the internal interface rather than the
external one:
iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp5s5 -p tcp --dport 25 -j REJECT -m comment --comment "no spamming"
iptables -A FORWARD -i enp5s5 -p tcp --dport 80 -j REJECT -m comment --comment "no unencrypted HTTP"
iptables -A FORWARD -i enp5s5 -j ACCEPT
iptables -P FORWARD DROP
Note that this is a strong reason to rename your interfaces to something
meaningful instead of using the ugly meaningless default names.
* Re: understanding my MASQURADING and SNAT problem
[not found] ` <CANkmNDdnBB92niurKFGojdpUi8_wwLFooUWZmYQijMK5Vn1LvA@mail.gmail.com>
@ 2019-10-24 18:43 ` zrm
2019-10-24 23:59 ` Aaron Gray
0 siblings, 1 reply; 7+ messages in thread
From: zrm @ 2019-10-24 18:43 UTC (permalink / raw)
To: Aaron Gray; +Cc: netfilter
On 10/23/19 20:58, Aaron Gray wrote:
>
> Ah, that explains it; I cannot believe I did that. Yes, it should have
> been 192.168.1.0/8!
>
> And that explains the ! too ?
It should probably be 192.168.1.0/24. The '!' means "not" -- i.e. don't
translate things with that destination.
> You don't use MASQUERADE or the nat chain for filtering. Try this:
>
> iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i enp5s5 -p tcp --dport 443 -j ACCEPT
> iptables -A FORWARD -i enp5s5 -p udp --dport 443 -j ACCEPT -m comment --comment "HTTP/3"
> iptables -A FORWARD -i enp5s5 -p tcp --dport 53 -j ACCEPT
> iptables -A FORWARD -i enp5s5 -p udp --dport 53 -j ACCEPT
> iptables -A FORWARD -i enp5s5 -j REJECT
> iptables -P FORWARD DROP
>
>
> This is exactly what I want, to be as prohibitive as I can first to start
> off with, for Windows installation: no HTTP or other ports. Then I want
> to use IPSET to only allow specific Microsoft IPs too. So all the
> others go in the 'filter' chain by default?
If you're going to do this then what you may also want to do is log
anything you're blocking, e.g.:
iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp5s5 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i enp5s5 -p udp --dport 443 -j ACCEPT -m comment --comment "HTTP/3"
iptables -A FORWARD -i enp5s5 -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -i enp5s5 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i enp5s5 -j LOG --log-prefix "enp5s5 rejected:"
iptables -A FORWARD -i enp5s5 -j REJECT
iptables -P FORWARD DROP
Then check the logs on a regular basis and see what's there, because if
anything shows up it means that something is wrong -- either you're
blocking something you shouldn't be or you're blocking something you
should be but then it shouldn't even be trying to do that and you may
want to go remediate whatever is attempting to misbehave.
> Note however that blocking arbitrary _outgoing_ connections to other
> ports generally does more harm than good, because nearly all "bad"
> things today are either using very specific ports (e.g. SMTP) or
> (along with most things in general) are using TCP/443.
>
> The primary result of blocking arbitrary outgoing ports by default
> is to inconvenience applications that have to make connections to
> peers with more than one computer behind the same IP address, which
> thereby need to use more than one port. They then either break or
> have to respond by falling back to typically slower/higher
> latency/more expensive/centralized relaying through an external
> server using TCP/443.
>
> Instead you generally want to start here:
>
> iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i enp5s5 -j ACCEPT
> iptables -P FORWARD DROP
>
> And then reject the things you actually want to prohibit, e.g.:
>
> iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i enp5s5 -p tcp --dport 25 -j REJECT -m comment --comment "no spamming"
> iptables -A FORWARD -i enp5s5 -p tcp --dport 80 -j REJECT -m comment --comment "no unencrypted HTTP"
> iptables -A FORWARD -i enp5s5 -j ACCEPT
> iptables -P FORWARD DROP
>
>
> What about 137 and 139? I want them blocked.
Those would be incoming connections, right? The only ACCEPT rule
matching packets coming in the external interface is the one with "-m
state --state RELATED,ESTABLISHED", which doesn't match NEW connections,
so they hit the default policy (-P FORWARD DROP).
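As an added illustration, not code from this thread or from the netfilter project: a small Python simulator of FORWARD-chain semantics for the rule sets posted above (the block list as first posted with its REJECT on `-i enp4s0`, the corrected form keyed on `-i enp5s5`, and the logging allow list). Running packets through it shows why the first version lets a LAN host's outbound SMTP through, why LOG does not end the chain walk, and why a new inbound connection to 137 or 139 reaches no ACCEPT rule and falls through to the `-P FORWARD DROP` policy. The interface names follow the thread; the rule scripts, the packets and the helper names (`pkt`, `load_chain`, `verdict`, `rule_error`) are constructed for this example. The parser also mirrors a requirement real iptables has: `--comment` is only valid after `-m comment`, and `--state` only after `-m state`.

```python
"""Added example, not code from the netfilter thread or project: a small
simulator of the iptables FORWARD chain (first matching rule wins, LOG is
non-terminating, otherwise the chain policy). It parses only the options
the thread's rules use and refuses what real iptables refuses, e.g.
--comment without -m comment. Interface names follow the thread; rule
scripts and packets are constructed inputs."""
import shlex
from collections import namedtuple

# state is the conntrack state: "NEW", "ESTABLISHED" or "RELATED"
Packet = namedtuple("Packet", "in_iface out_iface proto dport state")

def pkt(direction, proto, dport, state="NEW"):
    """Constructed packet: 'out' = LAN (enp5s5) to WAN (enp4s0), 'in' = reverse."""
    ifaces = ("enp5s5", "enp4s0") if direction == "out" else ("enp4s0", "enp5s5")
    return Packet(*ifaces, proto, dport, state)

OPTS = {"-A": "chain", "-i": "in", "-o": "out", "-p": "proto", "-j": "target",
        "--dport": "dport", "--log-prefix": "log_prefix"}
NEEDS = {"--state": "state", "--comment": "comment"}   # option -> required -m module

def parse_rule(argv):
    """Tokens of one 'iptables -A FORWARD ...' line -> criteria and target,
    enforcing the -m dependencies that real iptables enforces."""
    rule, modules, i = {}, set(), 1                     # argv[0] is 'iptables'
    while i < len(argv):
        opt, arg = argv[i], argv[i + 1]
        if opt in OPTS:
            rule[OPTS[opt]] = int(arg) if opt == "--dport" else arg
        elif opt == "-m":
            modules.add(arg)                            # match extension loaded
        elif opt in NEEDS:
            if NEEDS[opt] not in modules:
                raise ValueError(f"{opt} needs -m {NEEDS[opt]}")
            rule[opt[2:]] = set(arg.split(",")) if opt == "--state" else arg
        else:
            raise ValueError(f"unsupported option {opt!r}")
        i += 2
    if "dport" in rule and rule.get("proto") not in ("tcp", "udp"):
        raise ValueError("--dport needs -p tcp or -p udp")
    return rule

def rule_error(line):
    """Why iptables would refuse this rule line, or None if it is accepted."""
    try:
        parse_rule(shlex.split(line))
        return None
    except ValueError as exc:
        return str(exc)

def load_chain(script):
    """Rule script -> (FORWARD rules, FORWARD policy). Blank lines and the
    -t nat MASQUERADE line (which does no filtering) are skipped."""
    rules, policy = [], "ACCEPT"                        # built-in default policy
    for line in script.splitlines():
        argv = shlex.split(line)
        if not argv or "-t" in argv:
            continue
        if argv[1] == "-P":
            policy = argv[3]
        else:
            rules.append(parse_rule(argv))
    return rules, policy

def matches(rule, pkt):
    """A criterion absent from the rule matches any packet."""
    return (rule.get("in", pkt.in_iface) == pkt.in_iface
            and rule.get("out", pkt.out_iface) == pkt.out_iface
            and rule.get("proto", pkt.proto) == pkt.proto
            and rule.get("dport", pkt.dport) == pkt.dport
            and pkt.state in rule.get("state", {pkt.state}))

def verdict(chain, pkt):
    """(target, 1-based rule number) of the first terminating match, or
    (policy, None). LOG matches but never terminates the walk."""
    rules, policy = chain
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt) and rule["target"] != "LOG":
            return rule["target"], n
    return policy, None

COMMON = """
iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
"""
# Block list as first posted: the REJECT keys on the external interface.
BLOCKLIST_FIRST = COMMON + """
iptables -A FORWARD -i enp4s0 -p tcp --dport 25 -j REJECT -m comment --comment "no spamming"
iptables -A FORWARD -i enp5s5 -j ACCEPT
iptables -P FORWARD DROP
"""
# Corrected block list: the same REJECT keyed on the internal interface.
BLOCKLIST_FIXED = BLOCKLIST_FIRST.replace("-i enp4s0 -p tcp", "-i enp5s5 -p tcp")
# Allow list that logs everything it rejects.
ALLOWLIST = COMMON + """
iptables -A FORWARD -i enp5s5 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i enp5s5 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i enp5s5 -j LOG --log-prefix "enp5s5 rejected:"
iptables -A FORWARD -i enp5s5 -j REJECT
iptables -P FORWARD DROP
"""
```

Calling `verdict(load_chain(BLOCKLIST_FIRST), pkt("out", "tcp", 25))` returns `("ACCEPT", 3)`: the SMTP packet from the LAN arrives on enp5s5, so the REJECT keyed on enp4s0 never sees it and the catch-all ACCEPT does. With `BLOCKLIST_FIXED` the same packet returns `("REJECT", 2)`. An inbound NEW packet to TCP/139 returns `("DROP", None)` under every rule set, since only the RELATED,ESTABLISHED rule lacks `-i enp5s5` and it does not match NEW.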
* Re: understanding my MASQURADING and SNAT problem
2019-10-23 20:46 ` zrm
2019-10-23 21:38 ` zrm
[not found] ` <CANkmNDdnBB92niurKFGojdpUi8_wwLFooUWZmYQijMK5Vn1LvA@mail.gmail.com>
@ 2019-10-24 23:58 ` Aaron Gray
2 siblings, 0 replies; 7+ messages in thread
From: Aaron Gray @ 2019-10-24 23:58 UTC (permalink / raw)
To: zrm; +Cc: netfilter
On Wednesday, 23 October 2019, zrm <zrm@trustiosity.com> wrote:
>
> On 10/23/19 15:52, Aaron Gray wrote:
>>
>> I am trying to provide a gateway for firewalling Windows.
>>
>> I have two ethernet ports :-
>>
>> enp4s0 which is external onto another router onto the internet on 192.168.1.0/8
>> enp5s5: which is my internal Windows network.
>>
>> I have the following rule working :-
>>
>> iptables -t nat -A POSTROUTING ! -d 192.0.1.0/8 -o enp4s0 -j MASQUERADE
>>
>> Why do we need the '! -d 192.0.1.0/8'? This does not seem to make any sense.
>
>
> It's incorrect. At least the subnet mask is wrong, for 192.0.1.0 it would have to be no more than a /24, not a /8. Also, it's probably meant to be 192.168.1.0 rather than 192.0.1.0.
Ah, that explains it; I cannot believe I did that. Yes, it should have
been 192.168.1.0/8!
And that explains the ! too?
>
>
> I imagine the intended purpose is to not translate the source address when the destination is on the local network, but that only works if you've configured the outside router to send packets for the inside subnet to the outside address of the inside gateway. And if that's the case you probably shouldn't have the inside gateway doing NAT at all and just let the outside gateway handle it to the internet. If it's not the case then you'll need to translate everything regardless of the destination, if you expect it to be able to receive a response.
>
>> I am trying to just allow ports 53 (DNS) and 443 (HTTPS) to be allowed through, so I tried :-
>>
>> iptables -t nat -A POSTROUTING ! -d 192.0.1.0/8 -p tcp --dport 53 -o enp4s0 -j MASQUERADE
>> iptables -t nat -A POSTROUTING ! -d 192.0.1.0/8 -p udp --dport 53 -o enp4s0 -j MASQUERADE
>> iptables -t nat -A POSTROUTING ! -d 192.0.1.0/8 -p tcp --dport 533 -o enp4s0 -j MASQUERADE
>>
>> But it is failing.
>>
>> Hope I am doing something simple wrong !
>
>
> You don't use MASQUERADE or the nat chain for filtering. Try this:
>
> iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i enp5s5 -p tcp --dport 443 -j ACCEPT
> iptables -A FORWARD -i enp5s5 -p udp --dport 443 -j ACCEPT -m comment --comment "HTTP/3"
> iptables -A FORWARD -i enp5s5 -p tcp --dport 53 -j ACCEPT
> iptables -A FORWARD -i enp5s5 -p udp --dport 53 -j ACCEPT
> iptables -A FORWARD -i enp5s5 -j REJECT
> iptables -P FORWARD DROP
This is exactly what I want, to be as prohibitive as I can first to start
off with, for Windows installation: no HTTP or other ports. Then I
want to use IPSET to only allow specific Microsoft IPs too. So all
the others go in the 'filter' chain by default?
>
>
> Note however that blocking arbitrary _outgoing_ connections to other ports generally does more harm than good, because nearly all "bad" things today are either using very specific ports (e.g. SMTP) or (along with most things in general) are using TCP/443.
>
> The primary result of blocking arbitrary outgoing ports by default is to inconvenience applications that have to make connections to peers with more than one computer behind the same IP address, which thereby need to use more than one port. They then either break or have to respond by falling back to typically slower/higher latency/more expensive/centralized relaying through an external server using TCP/443.
>
> Instead you generally want to start here:
>
> iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i enp5s5 -j ACCEPT
> iptables -P FORWARD DROP
>
> And then reject the things you actually want to prohibit, e.g.:
>
> iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i enp4s0 -p tcp --dport 25 -j REJECT -m comment --comment "no spamming"
> iptables -A FORWARD -i enp4s0 -p tcp --dport 80 -j REJECT -m comment --comment "no unencrypted HTTP"
> iptables -A FORWARD -i enp5s5 -j ACCEPT
> iptables -P FORWARD DROP
What about 137 and 139? I want them blocked.
I would rather be totally prohibitive, then allow what is needed as it's needed.
nmap might be useful for testing.
* Re: understanding my MASQURADING and SNAT problem
2019-10-24 18:43 ` zrm
@ 2019-10-24 23:59 ` Aaron Gray
2019-10-25 0:17 ` Aaron Gray
0 siblings, 1 reply; 7+ messages in thread
From: Aaron Gray @ 2019-10-24 23:59 UTC (permalink / raw)
To: zrm; +Cc: netfilter
On Wednesday, 23 October 2019, zrm <zrm@trustiosity.com> wrote:
>>
>> iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
>> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>> iptables -A FORWARD -i enp5s5 -j ACCEPT
>> iptables -P FORWARD DROP
>>
>> And then reject the things you actually want to prohibit, e.g.:
>>
>> iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
>> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>> iptables -A FORWARD -i enp4s0 -p tcp --dport 25 -j REJECT -m comment --comment "no spamming"
>> iptables -A FORWARD -i enp4s0 -p tcp --dport 80 -j REJECT -m comment --comment "no unencrypted HTTP"
>> iptables -A FORWARD -i enp5s5 -j ACCEPT
>> iptables -P FORWARD DROP
>>
>
> That should've been this, using the internal interface rather than the external one:
>
> iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i enp5s5 -p tcp --dport 25 -j REJECT -m comment --comment "no spamming"
> iptables -A FORWARD -i enp5s5 -p tcp --dport 80 -j REJECT -m comment --comment "no unencrypted HTTP"
> iptables -A FORWARD -i enp5s5 -j ACCEPT
> iptables -P FORWARD DROP
Okay I was confused about that.
>
> Note that this is a strong reason to rename your interfaces to something meaningful instead of using the ugly meaningless default names.
Yes I miss eth0 and eth1 !
Many thanks hopefully that clears everything up I suspected I had done
something stupid. And half suspected I needed to use the filter table.
Cheers,
Aaron
* Re: understanding my MASQURADING and SNAT problem
2019-10-24 23:59 ` Aaron Gray
@ 2019-10-25 0:17 ` Aaron Gray
0 siblings, 0 replies; 7+ messages in thread
From: Aaron Gray @ 2019-10-25 0:17 UTC (permalink / raw)
To: zrm; +Cc: netfilter
On Fri, 25 Oct 2019 at 00:59, Aaron Gray <aaronngray.lists@gmail.com> wrote:
>
> On Wednesday, 23 October 2019, zrm <zrm@trustiosity.com> wrote:
> >>
> >> iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
> >> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> >> iptables -A FORWARD -i enp5s5 -j ACCEPT
> >> iptables -P FORWARD DROP
> >>
> >> And then reject the things you actually want to prohibit, e.g.:
> >>
> >> iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
> >> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> >> iptables -A FORWARD -i enp4s0 -p tcp --dport 25 -j REJECT -m comment --comment "no spamming"
> >> iptables -A FORWARD -i enp4s0 -p tcp --dport 80 -j REJECT -m comment --comment "no unencrypted HTTP"
> >> iptables -A FORWARD -i enp5s5 -j ACCEPT
> >> iptables -P FORWARD DROP
> >>
> >
> > That should've been this, using the internal interface rather than the external one:
> >
> > iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
> > iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> > iptables -A FORWARD -i enp5s5 -p tcp --dport 25 -j REJECT -m comment --comment "no spamming"
> > iptables -A FORWARD -i enp5s5 -p tcp --dport 80 -j REJECT -m comment --comment "no unencrypted HTTP"
> > iptables -A FORWARD -i enp5s5 -j ACCEPT
> > iptables -P FORWARD DROP
>
>
> Okay I was confused about that.
>
> >
> > Note that this is a strong reason to rename your interfaces to something meaningful instead of using the ugly meaningless default names.
>
>
> Yes I miss eth0 and eth1 !
>
> Many thanks hopefully that clears everything up I suspected I had done
> something stupid. And half suspected I needed to use the filter table.
I did have everything working perfectly then it all stopped working
again and I cannot work out why.
I need to start from scratch again.
Aaron