LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

10-06-2008, 12:52 PM   #1
gustavolinux (Member; Registered: Aug 2008; Posts: 36)
iptables forward


folks,

I'm trying to understand an iptables script, and found the following line, which I don't fully understand...

Code:
iptables -A FORWARD -p icmp -i $IF_EXT -d $NET_INT -j ACCEPT

Here, we have a firewall with three legs. The interface mapping is:

Code:
     internet
        |
        | IF_EXT
        |
       FW ------> IF_DMZ
        |
        | IF_INT
        |
  internal network


The rule I posted above says that ICMP packets forwarded from the Internet to the internal network IPs (NET_INT=172.22.1.0/23) are accepted. My doubt is: how can an ICMP packet be addressed to the internal network, containing the private IP address of the internal network, if the firewall performs NAT?

By the way, how does NAT/PAT operate in the case of ICMP packets if there is no 'port' to control requests/responses?

I hope I made myself clear...


Thanks for the help...

10-06-2008, 01:28 PM   #2
win32sux (LQ Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
The rule implies that DNAT is being done on ICMP packets which hit the external interface.

Such a thing could have been done with a rule like this (example):
Code:
# nat PREROUTING runs before the routing decision, so by the time the packet
# reaches the FORWARD chain its destination is already the LAN host's address
iptables -t nat -A PREROUTING -p icmp -i $IF_EXT -j DNAT --to-destination 192.168.1.104
The $NET_INT variable sounds like it's meant to represent any IP address in your LAN's subnet, in which case it would match packets regardless of which LAN host IP is set by DNAT. In that case, the script could be made tighter by making sure the $NET_INT variable doesn't contain a subnet, but only a single IP (the one of the box you actually want to receive the ICMP packets).

10-06-2008, 02:21 PM   #3
gustavolinux (Member; Registered: Aug 2008; Posts: 36; Original Poster)
OK, could you help me with a couple of questions please?

Would NAT only work to redirect ICMP packets to a single host?

Is iptables able to map ICMP echo requests and ICMP echo responses via NAT to an entire network with only one valid Internet IP?

Thanks in advance

10-06-2008, 02:42 PM   #4
win32sux (LQ Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
From man iptables:
Code:
--to-destination [ipaddr][-ipaddr][:port-port]
       which can specify a single new destination IP address, an inclusive
       range of IP addresses, and optionally, a port range (which is only
       valid if the rule also specifies -p tcp or -p udp). If no port range
       is specified, then the destination port will never be modified. If
       no IP address is specified then only the destination port will be
       modified.

       In Kernels up to 2.6.10 you can add several --to-destination options.
       For those kernels, if you specify more than one destination address,
       either via an address range or multiple --to-destination options, a
       simple round-robin (one after another in cycle) load balancing takes
       place between these addresses. Later Kernels (>= 2.6.11-rc1) don't
       have the ability to NAT to multiple ranges anymore.
That tells me you could make it so that the packet gets DNATed to a range of IPs, but I've never done that so I don't know. It's pretty easy for you to give it a shot and see for yourself whether it works or not. That said, if you want to be able to ping each IP in your LAN individually from the WAN, you can do it easily if you have enough public IPs on the WAN interface. You could, for example, make echo requests which arrive at 203.134.233.23 get DNATed to 192.168.1.123, and those that arrive at 203.134.233.24 get DNATed to 192.168.1.124, etc.
Code:
# nat table: rewrite the destination of echo requests (ICMP type 8) that
# arrive on the WAN interface, one public IP per LAN host
iptables -t nat -A PREROUTING -p icmp -i $WAN_IFACE --icmp-type 8 \
-d 203.134.233.23 -j DNAT --to-destination 192.168.1.123

iptables -t nat -A PREROUTING -p icmp -i $WAN_IFACE --icmp-type 8 \
-d 203.134.233.24 -j DNAT --to-destination 192.168.1.124

# filter table: packets of flows conntrack already knows (the echo replies
# coming back from the LAN hosts) are let through in either direction
iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT

# only a NEW echo request, and only to the exact host the DNAT rule above
# points at; the -d value is the private address because DNAT has already
# happened by the time the packet reaches FORWARD
iptables -A FORWARD -p icmp -i $WAN_IFACE -o $LAN_IFACE --icmp-type 8 \
-d 192.168.1.123 -m state --state NEW -j ACCEPT

iptables -A FORWARD -p icmp -i $WAN_IFACE -o $LAN_IFACE --icmp-type 8 \
-d 192.168.1.124 -m state --state NEW -j ACCEPT

Last edited by win32sux; 10-06-2008 at 02:48 PM.
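The following Python model is an added example for this thread; it is not code from the posts, from the kernel or from iptables. It reproduces, with plain dictionaries, the two netfilter facts the answers in posts #2 and #4 rest on: nat PREROUTING (DNAT) runs before the routing decision, so the FORWARD chain already matches on the private destination address; and conntrack keys an ICMP echo flow on the addresses, the ICMP type and the echo identifier, so the identifier does the job a port does for TCP/UDP when the reply is un-NATed. It also shows the tightening suggested in post #2 (FORWARD accepting only the DNAT target host, not the whole LAN subnet). The public and private addresses, interface names and packets are constructed for the example; the DMZ leg of the OP's firewall is not on the ICMP path and is left out.

```python
"""Model of DNAT + conntrack handling of ICMP echo through a NAT firewall.

Added example, not netfilter code. Addresses, interfaces and packets are
constructed for illustration.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    icmp_type: int
    icmp_id: int                 # echo identifier from the ICMP header
    in_if: str
    out_if: Optional[str] = None


# Reply-direction key: (reply src, reply dst, echo id). Conntrack matches an
# echo reply against this and remembers which public IP the request targeted.
ReplyKey = Tuple[str, str, int]


class NatBox:
    """WAN and LAN legs of the firewall, with per-public-IP DNAT as in post #4."""

    def __init__(self, dnat: Dict[str, str], forward_allow: Set[str],
                 wan_if: str = "eth0", lan_if: str = "eth1") -> None:
        self.dnat = dnat                    # public IP -> LAN host (nat PREROUTING)
        self.forward_allow = forward_allow  # hosts FORWARD accepts NEW echo requests to
        self.wan_if, self.lan_if = wan_if, lan_if
        self.conntrack: Dict[ReplyKey, str] = {}

    def handle_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Echo request arriving on the WAN side. Returns the packet as it
        leaves towards the LAN, or None if a chain drops it."""
        if pkt.in_if != self.wan_if or pkt.icmp_type != ICMP_ECHO_REQUEST:
            return None                     # only NEW echo requests are modelled
        # nat PREROUTING: -p icmp --icmp-type 8 -d <public> -j DNAT --to-destination <lan>
        public_ip = pkt.dst
        lan_host = self.dnat.get(public_ip)
        if lan_host is None:
            return None                     # not DNATed: it is for the box itself (INPUT), not FORWARD
        pkt = replace(pkt, dst=lan_host, out_if=self.lan_if)
        # filter FORWARD: the destination is now the private address, which is
        # why a rule like "-d $NET_INT" in the OP's script can match at all.
        if pkt.dst not in self.forward_allow:
            return None                     # NEW to a host FORWARD does not allow
        # conntrack records the flow so the reply can be recognised and un-NATed
        self.conntrack[(lan_host, pkt.src, pkt.icmp_id)] = public_ip
        return pkt

    def handle_reply(self, pkt: Packet) -> Optional[Packet]:
        """Echo reply from the LAN host. A reply matching a tracked request is
        ESTABLISHED and its source is rewritten back to the public IP; a reply
        with no matching request is INVALID and the ESTABLISHED rule drops it."""
        if pkt.in_if != self.lan_if or pkt.icmp_type != ICMP_ECHO_REPLY:
            return None
        public_ip = self.conntrack.get((pkt.src, pkt.dst, pkt.icmp_id))
        if public_ip is None:
            return None
        return replace(pkt, src=public_ip, out_if=self.wan_if)


if __name__ == "__main__":
    box = NatBox({"203.134.233.23": "192.168.1.123",
                  "203.134.233.24": "192.168.1.124"},
                 {"192.168.1.123", "192.168.1.124"})
    req = Packet("198.51.100.7", "203.134.233.23", ICMP_ECHO_REQUEST, 0x1234, "eth0")
    print("after PREROUTING/FORWARD:", box.handle_inbound(req))
    rep = Packet("192.168.1.123", "198.51.100.7", ICMP_ECHO_REPLY, 0x1234, "eth1")
    print("reply after un-NAT:", box.handle_reply(rep))
    print("reply with unknown id:", box.handle_reply(replace(rep, icmp_id=0x9999)))
```

Running it shows the request leaving for the LAN with the private destination and the reply leaving for the WAN with the public source restored; a reply whose echo identifier was never seen in a request is dropped, which is the ICMP analogue of an unsolicited TCP segment failing the ESTABLISHED match. Real conntrack also ages these entries out (30 seconds by default for ICMP), which the model does not do.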