Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
#1  06-04-2010, 11:13 AM  (LQ Newbie; Registered: Jun 2010; Posts: 4)
NAT/Masquerade not working?
I have a linux iptables-based firewall (used firestarter) running on an Ubuntu 9.04. Kernel is 2.6.28. My ISP called me the other day to say that my internal IP addresses (10.5.0.x) are showing up outside the firewall on one of the downstream routers (probably the router on my roof providing wireless internet access to my rural house). I have forwarding and NAT configured using iptables and last night I logged into the roof antenna router (a MikroTik) and ran Torch (that lets you see the connections through the router) and sure enough, amid mostly entries showing my NAT IP address, I saw several IP addresses with internal addresses (10.5.0.5, 10.5.0.9, and 10.5.0.19, all, coincidentally (?), Mac Pro laptops) in the list of connections. How is this possible? I thought by using NAT/Masquerade with iptables, that iptables would rewrite all packets so that only my external IP address (192.168.250.253) would appear. Can someone who understands this explain whether these internal addresses should ever appear outside my firewall/router (with NAT enabled)?
I have a rule:
-A POSTROUTING -o eth0 -j MASQUERADE
that I had believed would masquerade all addresses (and perform the NAT translation). In fact, I haven't changed anything on my firewall in a very long time (and the last kernel software update was in March, I believe).
I didn't do the bulk of the iptables rules myself, rather letting firestarter do the setup, for which I have NAT enabled. I get no errors on startup, which suggests that all the relevant modprobes for nat, masquerading, and forwarding are successful.
Any help would be appreciated. Thanks. -- Eric
#2  06-04-2010, 01:29 PM  (LQ Newbie, Original Poster; Registered: Jun 2010; Posts: 4)
I just did a little more sleuthing and noticed something interesting -- perhaps even relevant. I connected to the wireless router (on the roof of my house that connects over 900 MHz to an access point managed by my ISP) that should, as far as I know, only see the ISP-provided IP address of my linux router (the one doing NAT) and examined all the connections over the ethernet interface (the one connected to my linux router). Almost all of the time, all connections (TCP, UDP, VPN) show correct source addresses of 192.168.250.253 (the IP address assigned by the wireless router on the roof to my linux router). However, every once in a while, I do see the internal IP address of my Mac (10.5.0.19) show up. When I do, the destination TCP port is always 993 (imaps). Now I believe I have seen other protocols and ports in the past, but at least now, the only ones I can catch are tcp/993 (imaps). Does this suggest anything? Should I *ever* see internal IP addresses (e.g. 10.5.0.19) in the source address of packets on the external side of my NAT firewall (on the linux router)?
I checked all firewall rules that refer to port 993 and only see:
-A OUTBOUND -p tcp -m tcp --dport 993 -j ACCEPT
-A OUTBOUND -p udp -m udp --dport 993 -j ACCEPT
(yes, I know the UDP rule for 993 is bogus, but firestarter creates udp/tcp rules for all allowed ports and doesn't let me specify only tcp).
The OUTBOUND chain is one created by firestarter and is the one where all the rules are created that go "out" over my external interface, whether they originated from my router or from FORWARD packets.
-A FORWARD -i eth1 -j OUTBOUND
-A OUTPUT -o eth0 -j OUTBOUND
-A OUTPUT -o eth1 -j OUTBOUND
I can provide the entire iptables rules if that would help. -- Eric
#3  06-04-2010, 01:39 PM  (LQ Newbie, Original Poster; Registered: Jun 2010; Posts: 4)
I may have spoken too soon. I disconnected my Juniper Networks VPN (running on the 10.5.0.19 laptop) and therefore ensured *all* traffic was being routed through the normal means (and not through the VPN), and I caught a few packets going over the external connection from 10.5.0.19 (visible on the outside) over tcp/80 (www). The destination address was 207.46.19.254 (wwwbaytest2.microsoft.com). Not sure what was making that connection -- I certainly didn't go there in a browser.
So it appears that the externally visible addresses are not simply from tcp/993.
Help! -- Eric
#4  06-04-2010, 02:08 PM  (LQ Newbie, Original Poster; Registered: Jun 2010; Posts: 4)
I managed to use wireshark to capture one bad packet. This one was from a non-Mac machine on my LAN (10.5.0.2). I've attached a PNG file of the screenshot of the wireshark capture info. I was capturing on the 192.168.250.253 external interface, where, I believe, the firewall should have rewritten all the source addresses of packets to use this external interface address. -- Eric
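The capture-side check the thread performs by hand, as an added example (not Eric's code and not anything Firestarter generates): a Python script that reads the text output of `tcpdump -n -i eth0` taken on the external interface and flags every packet whose source is still an RFC 1918 address other than the router's own NAT address. The interface name eth0, the tcpdump line layout and the sample capture are assumptions; in the sample, 203.0.113.10 and 198.51.100.53 stand in for the real IMAP and DNS servers and 192.168.250.1 for the roof router, while the internal hosts, the NAT address 192.168.250.253 and the 207.46.19.254 port 80 destination come from the thread. Two things a practitioner would want here. First, 192.168.250.253 is itself an RFC 1918 address (the roof router hands out 192.168.250.x), so a naive "any private source" filter would flag every packet; the script compares against the expected NAT address instead. Second, netfilter binds a NAT mapping when it sees the first packet of a flow; a later packet whose conntrack entry has already expired (a keep-alive or a late ACK/FIN on a long-idle IMAPS session, for instance) is classified INVALID, never consults the nat table, and is forwarded with its original source unless a rule such as `-A FORWARD -m state --state INVALID -j DROP` stops it. The script therefore also reports whether each leaked TCP packet is a connection opener (SYN) or mid-stream, which is the first thing to look at before touching the rule set.

```python
"""Flag packets on a NAT router's external interface whose source is still an
internal (RFC 1918) address, i.e. traffic that escaped MASQUERADE.

Input is the text output of `tcpdump -n -i eth0` (interface name and line
layout are assumptions). Addresses other than those named in the thread are
constructed for illustration.
"""
import ipaddress
import re
import sys
from collections import Counter

# RFC 1918 ranges. Note that the router's own WAN address below falls inside
# 192.168.0.0/16, so "private source" alone is not enough to call a leak.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The post-NAT source every outbound packet should carry (from the thread).
NAT_ADDRESS = ipaddress.ip_address("192.168.250.253")

# Common `tcpdump -n` layout for TCP/UDP:
#   <time> IP <src>.<sport> > <dst>.<dport>: [Flags [..],] ...
LINE_RE = re.compile(
    r"^(?P<time>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):(?: Flags \[(?P<flags>[^\]]*)\])?"
)

# Constructed sample capture: two correctly masqueraded packets, three leaks
# (an idle-session ACK, a late FIN and a fresh SYN), and a DHCP reply from the
# roof router that must not be counted because its destination is local.
SAMPLE_CAPTURE = """\
13:02:11.118331 IP 192.168.250.253.51122 > 203.0.113.10.993: Flags [P.], seq 1:30, ack 1, win 65535, length 29
13:02:11.120004 IP 192.168.250.253.40021 > 198.51.100.53.53: 12345+ A? example.com. (29)
13:02:40.551092 IP 10.5.0.19.49844 > 203.0.113.10.993: Flags [.], ack 1, win 65535, length 0
13:02:41.003390 IP 10.5.0.2.33010 > 207.46.19.254.80: Flags [F.], seq 1, ack 1, win 5840, length 0
13:02:42.771120 IP 10.5.0.19.49900 > 203.0.113.10.993: Flags [S], seq 1000, win 65535, length 0
13:02:43.000000 IP 192.168.250.1.67 > 192.168.250.253.68: BOOTP/DHCP, Reply, length 300
"""


def parse_line(line):
    """Return a dict for a TCP/UDP tcpdump line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "time": m["time"],
        "src": ipaddress.ip_address(m["src"]),
        "sport": int(m["sport"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "flags": m["flags"] or "",
    }


def is_private(addr):
    return any(addr in net for net in PRIVATE_NETS)


def is_leak(pkt):
    """A leak is an outbound packet (public destination) whose source is an
    internal address rather than the expected NAT address."""
    return (pkt["src"] != NAT_ADDRESS
            and is_private(pkt["src"])
            and not is_private(pkt["dst"]))


def mid_stream(pkt):
    """True for a leaked TCP packet that is not a connection opener. NAT is
    bound on the first packet of a flow; a later packet whose conntrack entry
    has expired is INVALID and bypasses the nat table, so leaks with flags
    like '.', 'P.', 'F.' or 'R' point at lost conntrack state rather than at
    a missing POSTROUTING rule."""
    return pkt["flags"] != "" and "S" not in pkt["flags"]


def find_leaks(lines):
    return [p for p in map(parse_line, lines) if p and is_leak(p)]


def summarize(leaks):
    """Count leaked packets per (internal host, destination port)."""
    return Counter((str(p["src"]), p["dport"]) for p in leaks)


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_CAPTURE.splitlines()
    leaks = find_leaks(lines)
    for p in leaks:
        tag = "mid-stream (conntrack state lost?)" if mid_stream(p) else "new flow"
        print(f"{p['time']} LEAK {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} "
              f"flags=[{p['flags']}] {tag}")
    for (host, port), n in sorted(summarize(leaks).items()):
        print(f"  {host} -> port {port}: {n} packet(s)")
    return len(leaks)


if __name__ == "__main__":
    sys.exit(1 if main(sys.argv) else 0)
```

Run it with no argument to see the constructed sample, or on a file saved with `tcpdump -n -i eth0 > capture.txt`; the exit status is 1 when at least one leak was found, so it can sit in a cron job. The equivalent live filter, for watching the interface directly, is `tcpdump -n -i eth0 'src net 10.0.0.0/8 and not src host 192.168.250.253'`.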
All times are GMT -5.