LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 01-05-2010, 04:08 PM   #1
the182guy
Member
 
Registered: Jan 2009
Posts: 40

Rep: Reputation: 15
Middleman machine using iptables


I have a machine that is like a firewall; I use iptables to route traffic through it to the router. For example:

Host1 -> Middleman -> gateway -> Internet

Internet -> gateway -> middleman -> Host1

I have this working using these rules:

Code:
# 192.168.0.6 = host
# 192.168.0.8 = middleman

iptables -A PREROUTING -t nat -d 192.168.0.6/32 -j DNAT --to 192.168.0.8
iptables -A POSTROUTING -t nat -d 192.168.0.8/32 -j SNAT --to 192.168.0.6

On the middleman machine, when I analyse the traffic using Wireshark, I can only see the outbound traffic. I don't see any traffic from gateway->host, only host->gateway.

The traffic must be passing through both ways because the host has Internet access.

How can I modify the iptables rules to see the traffic both ways?
 
Old 01-06-2010, 10:03 AM   #2
jpforte
LQ Newbie
 
Registered: Jun 2003
Location: Florida
Distribution: CentOS
Posts: 2

Rep: Reputation: 0
Two thoughts. Try using iftop, see what that reports.
I use firestarter for exactly the same kind of setup and see everything. It also adds so many more routing options without having to think about it.
 
Old 01-06-2010, 12:08 PM   #3
the182guy
Member
 
Registered: Jan 2009
Posts: 40

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by jpforte View Post
Two thoughts. Try using iftop, see what that reports.
I use firestarter for exactly the same kind of setup and see everything. It also adds so many more routing options without having to think about it.
Thanks, I have installed firestarter, but I don't see any option to route traffic, how have you done it?
 
Old 01-06-2010, 12:40 PM   #4
javaroast
Member
 
Registered: Apr 2005
Posts: 130

Rep: Reputation: 18
I think we would need more information to really be able to dig into this. To route traffic you really just need to set up something like echo "1" > /proc/sys/net/ipv4/ip_forward. But we need a clearer picture of your network, like what the gateway's IP is and a diagram of the network as far as connections. Is the host using the middleman as its gateway? Is the gateway on the same 192.168.0.x subnet?

At a quick glance it looks like you are attempting to do routing with DNAT and SNAT which shouldn't be necessary (depending on some of the missing info) and could be the cause of your issues with following traffic in wireshark.
 
Old 01-06-2010, 12:52 PM   #5
the182guy
Member
 
Registered: Jan 2009
Posts: 40

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by javaroast View Post
I think we would need more information to really be able to dig into this. To route traffic you really just need to set up something like echo "1" > /proc/sys/net/ipv4/ip_forward. But we need a clearer picture of your network, like what the gateway's IP is and a diagram of the network as far as connections. Is the host using the middleman as its gateway? Is the gateway on the same 192.168.0.x subnet?

At a quick glance it looks like you are attempting to do routing with DNAT and SNAT which shouldn't be necessary (depending on some of the missing info) and could be the cause of your issues with following traffic in wireshark.
I do use ip_forward that way; the command I run before the iptables rules is:

Code:
echo "1" > /proc/sys/net/ipv4/ip_forward

About the network: everything is on the same subnet (192.168.0.x), the gateway is 192.168.0.1, there is just one host besides the middleman, and yes, the middleman uses the normal gateway directly. The host, however, sees the middleman as its gateway (not 192.168.0.1).

Last edited by the182guy; 01-06-2010 at 12:57 PM.
 
Old 01-06-2010, 01:20 PM   #6
javaroast
Member
 
Registered: Apr 2005
Posts: 130

Rep: Reputation: 18
Perfect. In that case I don't believe that you need to do the NAT, as they are all on the same subnet anyway. Just make sure that iptables is set up to allow outgoing traffic coming from the 192.168.0.x subnet. In my own setup I use separate chains for traffic from the firewall itself and for traffic it is forwarding from the internal network.
 
Old 01-06-2010, 05:06 PM   #7
the182guy
Member
 
Registered: Jan 2009
Posts: 40

Original Poster
Rep: Reputation: 15
Thanks for the replies. Do you have an idea of what the rule syntax will be for this? Is it PRE/POSTROUTING, INPUT, OUTPUT or FORWARD?
 
Old 01-06-2010, 07:56 PM   #8
javaroast
Member
 
Registered: Apr 2005
Posts: 130

Rep: Reputation: 18
You should be able to remove the PREROUTING and POSTROUTING rules altogether. On my firewalls I use a separate chain for network traffic vs. traffic originating or terminating at the firewall. The concept that needs to be understood is that routing is a separate thing from firewalling, meaning that if you have forwarding set to 1 in ip_forward, your middleman box will route the traffic even with the firewall turned off. iptables doesn't do the routing for you.

Here is an example

Code:
# path to the iptables binary
IPT=/sbin/iptables

# user-defined chain for traffic the box forwards from the internal network;
# it has to exist (-N) before any rule can jump to it
$IPT -N OUT_NETWORK
$IPT -A OUT_NETWORK -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUT_NETWORK -m state --state NEW -p tcp --dport 80 -j ACCEPT # http

# hand everything arriving on the internal interface (ethx) to that chain
$IPT -A FORWARD -i ethx -j OUT_NETWORK

Without using the separate chains you would use OUTPUT

Code:
$IPT -A OUTPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT # http
 
Old 01-07-2010, 03:49 AM   #9
the182guy
Member
 
Registered: Jan 2009
Posts: 40

Original Poster
Rep: Reputation: 15
Thanks javaroast, will those commands only route port 80? I was hoping to be able to route any port without having to specify the ones I needed.
 
Old 01-07-2010, 11:20 AM   #10
javaroast
Member
 
Registered: Apr 2005
Posts: 130

Rep: Reputation: 18
That will only allow port 80 through the firewall. To allow all traffic you'd need something like

Code:
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Or alternatively, if the gateway is already doing firewalling and there are no public (Internet) IPs on the middleman, you could turn off the firewall on the middleman entirely.

Last edited by javaroast; 01-07-2010 at 11:22 AM.
 
Old 01-07-2010, 03:47 PM   #11
the182guy
Member
 
Registered: Jan 2009
Posts: 40

Original Poster
Rep: Reputation: 15
Ok, I have no firewall turned on and I have turned on ip_forward. I have not used any iptables rules. The host has full Internet access through the middleman, but I have the same problem, which is that I can see outbound traffic but I can't see inbound. When inbound traffic occurs, Wireshark shows an 'ICMP REDIRECT' and does not let me see the contents.

After reading up a bit on ICMP Redirects, it looks like this is a message to the host telling it there is a more direct route to the real gateway. But this doesn't make sense because if that were true then I would not see the outgoing traffic.

Last edited by the182guy; 01-07-2010 at 04:11 PM.
 
Old 01-07-2010, 05:26 PM   #12
javaroast
Member
 
Registered: Apr 2005
Posts: 130

Rep: Reputation: 18
Are the gateway, middleman and host all connected to a router by chance? If that is the case you would see exactly what you are describing. Seeing as they are all on the same subnet, they can route directly.
 
Old 01-08-2010, 04:15 AM   #13
the182guy
Member
 
Registered: Jan 2009
Posts: 40

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by javaroast View Post
Are the gateway, middleman and host all connected to a router by chance? If that is the case you would see exactly what you are describing. Seeing as they are all on the same subnet, they can route directly.
Thanks for your help on this!

The gateway is the router. It's a Netgear DG834GT ADSL router. The host and middleman are connected to the router. The middleman sees the router as its gateway and the host sees the middleman as its gateway.
 
Old 01-08-2010, 10:42 AM   #14
javaroast
Member
 
Registered: Apr 2005
Posts: 130

Rep: Reputation: 18
In that case what you are seeing is exactly how routing works. The gateway takes the most direct path to the host, which in this case is directly connected to the router.
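As an added example that is not part of the thread, here is a shell script for the setup described above (host 192.168.0.6 using the middleman 192.168.0.8 as its gateway, router 192.168.0.1, all on one subnet, with the middleman assumed to have a single interface named eth0). It puts the pieces of posts #8, #10 and #14 together: ip_forward, FORWARD rules that pass every port rather than just 80, and two things the thread does not show that are needed to see the inbound direction on the middleman: suppressing the ICMP redirect a Linux router sends when it forwards a packet back out the interface it arrived on, and SNATing the host's traffic to the middleman's own address so that the router's replies are addressed to the middleman instead of being delivered straight to the host. It runs in dry-run mode by default and only prints the commands; set DRY_RUN=0 and run as root to apply them.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed addresses and interface:
#   host 192.168.0.6, middleman 192.168.0.8, router 192.168.0.1, NIC eth0
set -eu

HOST=192.168.0.6
MIDDLEMAN=192.168.0.8
IFACE=eth0

# DRY_RUN=1 (default) prints each command instead of executing it, so the
# rule set can be reviewed on any box; DRY_RUN=0 as root applies it.
DRY_RUN="${DRY_RUN:-1}"
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

middleman_rules() {
    # Routing is done by the kernel, not by iptables: this is what makes
    # the middleman forward at all.
    run sysctl -w net.ipv4.ip_forward=1

    # Host, middleman and router share one subnet, so the middleman forwards
    # the host's packets back out the interface they arrived on. A Linux
    # router then sends ICMP redirects telling the host to use 192.168.0.1
    # directly (the redirect seen in post #11); switch them off so the host
    # keeps sending through the middleman.
    run sysctl -w net.ipv4.conf.all.send_redirects=0
    run sysctl -w "net.ipv4.conf.$IFACE.send_redirects=0"

    run iptables -F FORWARD
    run iptables -t nat -F POSTROUTING
    run iptables -P FORWARD DROP

    # Forward everything the host sends, on any port, plus the replies to it
    # (the reply's destination is already un-NATed by conntrack when it
    # reaches FORWARD, so it is matched by -d "$HOST").
    run iptables -A FORWARD -i "$IFACE" -s "$HOST" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -o "$IFACE" -d "$HOST" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Rewrite the host's source address to the middleman's own. The router
    # now answers the middleman, which reverses the NAT and hands the reply
    # to the host, so the inbound direction crosses the middleman too.
    run iptables -t nat -A POSTROUTING -o "$IFACE" -s "$HOST" \
        -j SNAT --to-source "$MIDDLEMAN"
}

middleman_rules
```

With these rules applied, a capture on the middleman's eth0 (for example tcpdump -ni eth0 host 192.168.0.6 or host 192.168.0.8) shows both directions of the host's traffic: the outbound packets as they arrive from the host, and the replies addressed to 192.168.0.8 before they are un-NATed and delivered to the host.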
 