LinuxQuestions.org
Linux - Networking
Old 06-04-2010, 11:13 AM   #1
eswenson
NAT/Masquerade not working?


I have a Linux iptables-based firewall (set up using firestarter) running on Ubuntu 9.04. Kernel is 2.6.28. My ISP called me the other day to say that my internal IP addresses (10.5.0.x) are showing up outside the firewall on one of the downstream routers (probably the router on my roof providing wireless internet access to my rural house). I have forwarding and NAT configured using iptables, and last night I logged into the roof antenna router (a MikroTik) and ran Torch (that lets you see the connections through the router) and, sure enough, amid mostly entries showing my NAT IP address, I saw several IP addresses with internal addresses (10.5.0.5, 10.5.0.9, and 10.5.0.19, all, coincidentally (?), MAC Pro laptops) in the list of connections. How is this possible? I thought that by using NAT/Masquerade with iptables, iptables would rewrite all packets so that only my external IP address (192.168.250.253) would appear. Can someone who understands this explain whether these internal addresses should ever appear outside my firewall/router (with NAT enabled)?

I have a rule:

-A POSTROUTING -o eth0 -j MASQUERADE

that I had believed would masquerade all addresses (and perform the NAT translation). In fact, I haven't changed anything on my firewall in a very long time (and the last kernel software update was in March, I believe).

I didn't do the bulk of the iptables rules myself, rather letting firestarter do the setup, for which I have NAT enabled. I get no errors on startup, which suggests that all the relevant modprobes for NAT, masquerading, and forwarding are successful.

Any help would be appreciated. Thanks. -- Eric
 
Old 06-04-2010, 01:29 PM   #2
eswenson
I just did a little more sleuthing and noticed something interesting -- perhaps even relevant. I connected to the wireless router (on the roof of my house, which connects over 900 MHz to an access point managed by my ISP) that should, as far as I know, only see the ISP-provided IP address of my Linux router (the one doing NAT), and examined all the connections over the ethernet interface (the one connected to my Linux router). Almost all of the time, all connections (TCP, UDP, VPN) show the correct source address of 192.168.250.253 (the IP address assigned by the wireless router on the roof to my Linux router). However, every once in a while, I do see the internal IP address of my Mac (10.5.0.19) show up. When I do, the destination TCP port is always 993 (imaps). Now, I believe I have seen other protocols and ports in the past, but at least now, the only ones I can catch are tcp/993 (imaps). Does this suggest anything? Should I *ever* see internal IP addresses (e.g. 10.5.0.19) in the source address of packets on the external side of my NAT firewall (on the Linux router)?

I checked all firewall rules that refer to port 993 and only see:

-A OUTBOUND -p tcp -m tcp --dport 993 -j ACCEPT
-A OUTBOUND -p udp -m udp --dport 993 -j ACCEPT

(yes, I know the UDP rule for 993 is bogus, but firestarter creates udp/tcp rules for all allowed ports and doesn't let me specify only tcp).

The OUTBOUND chain is one created by firestarter and is the one where all the rules are created that go "out" over my external interface, whether they originated from my router or from FORWARD packets.

-A FORWARD -i eth1 -j OUTBOUND
-A OUTPUT -o eth0 -j OUTBOUND
-A OUTPUT -o eth1 -j OUTBOUND

I can provide the entire iptables rules if that would help. -- Eric
 
Old 06-04-2010, 01:39 PM   #3
eswenson
I may have spoken too soon. I disconnected my Juniper Networks VPN (running on the 10.5.0.19 laptop) and therefore ensured *all* traffic was being routed through the normal means (and not through the VPN), and I caught a few packets going over the external connection from 10.5.0.19 (visible on the outside) over tcp/80 (www). The destination address was 207.46.19.254 (wwwbaytest2.microsoft.com). Not sure what was making that connection -- I certainly didn't go there in a browser.

So it appears that the externally visible addresses are not simply from tcp/993.

Help! -- Eric
 
Old 06-04-2010, 02:08 PM   #4
eswenson
I managed to use Wireshark to capture one bad packet. This one was from a non-Mac machine on my LAN (10.5.0.2). I've attached a PNG file of the screenshot of the Wireshark capture info. I was capturing on the 192.168.250.253 external interface, where, I believe, the firewall should have rewritten all the source addresses of packets to use this external interface address. -- Eric
Attached image: S18OZ0~T.PNG (191.2 KB)
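A small detector for the symptom described in this thread, added here as an example and not code from any of the posts: it reads constructed tcpdump-style lines as a capture on the router's external interface would show them, and reports every packet whose source is a private address other than the router's own external address 192.168.250.253, i.e. a packet that left eth0 without being masqueraded. The LAN prefix 10.5.0.0/24 and the line format are assumptions.

```python
"""Flag packets seen on the external interface that bypassed MASQUERADE.

Input lines follow the tcpdump text form (assumed for this example):
    "<time> IP <src>.<sport> > <dst>.<dport>: ..."
"""
import ipaddress
import re
from collections import Counter

# The router's own external address from the thread. Note it is itself an
# RFC1918 address, so ipaddress.is_private alone would flag every correctly
# masqueraded packet; it must be whitelisted explicitly.
EXTERNAL_ADDR = ipaddress.ip_address("192.168.250.253")
LAN_NET = ipaddress.ip_network("10.5.0.0/24")  # assumption: LAN is a /24

LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+)")


def parse(line):
    """Return (src, sport, dst, dport) or None for lines that do not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return (ipaddress.ip_address(m["src"]), int(m["sport"]),
            ipaddress.ip_address(m["dst"]), int(m["dport"]))


def is_leak(src):
    """A private source that is not the router's external address leaked."""
    return src != EXTERNAL_ADDR and src.is_private


def find_leaks(lines):
    """Collect leaked packets with the fields a defender wants to see."""
    leaks = []
    for line in lines:
        p = parse(line)
        if p and is_leak(p[0]):
            leaks.append({"src": str(p[0]), "dst": str(p[2]),
                          "dport": p[3], "lan": p[0] in LAN_NET})
    return leaks


def summarize(leaks):
    """Count leaks per (source, destination port), as in the poster's notes."""
    return Counter((l["src"], l["dport"]) for l in leaks)


SAMPLE = [  # constructed lines resembling what the poster observed
    "12:00:01.000 IP 192.168.250.253.40123 > 74.125.1.1.443: Flags [S]",
    "12:00:01.100 IP 10.5.0.19.51234 > 74.125.1.2.993: Flags [.], ack 1",
    "12:00:02.000 IP 192.168.250.253.40124 > 8.8.8.8.53: UDP, length 40",
    "12:00:02.500 IP 10.5.0.2.33001 > 207.46.19.254.80: Flags [.], ack 5",
    "12:00:03.000 IP 10.5.0.19.51234 > 74.125.1.2.993: Flags [.], ack 2",
]

if __name__ == "__main__":
    for (src, dport), n in summarize(find_leaks(SAMPLE)).items():
        print(f"leak: src={src} dport={dport} count={n}")
```

On a live router the same logic applies to `tcpdump -n -i eth0 -l` output piped in line by line, with only the two constants changed.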