LinuxQuestions.org
Old 03-04-2007, 12:40 PM   #1
cbettero
LQ Newbie
 
Registered: Mar 2007
Posts: 4

Rep: Reputation: 0
Strange DNAT behaviour... packet don't pass to PREROUTING and go directly in INPUT !!


Hi,

I'm going mad trying to understand this behaviour:

I have a linux box, with two lan's: eth0 (internal LAN) and eth1 (Internet). This box is configured as a firewall, using iptables (1.3.7). My kernel is 2.6.20.1.

I do SNAT for the lan clients to the Internet, and all is working fine; but I have big problems with DNAT: I have these lines:
....
.....
iptables -A PREROUTING -t nat -i eth1 -d $WANIP -p tcp --dport 80 -j DNAT --to 10.0.0.2:80
iptables -A FORWARD -i eth1 -p tcp --dport 80 -j ACCEPT
.....
.....
iptables -A INPUT -i eth1 -j DROP-AND-LOG
.....

Ok, a simple and classical DNAT to an internal web server.

Now, the problem: the majority of packets correctly go through the PREROUTING chain and on to my web server, but SOMETIMES the packets "miss" PREROUTING and fall into the INPUT chain, getting logged and dropped! I analysed them and noticed that they are all ACK packets, but they are correct in all aspects (IN=ETH1 DST=WANIP DPT=80); what can be the problem?
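The sorting the original poster did by hand (which TCP flags the stray INPUT-chain packets carry) can be automated over the kernel's LOG output. The following is an added example, not code from the thread: it assumes the default kernel LOG line layout (KEY=VALUE tokens plus bare flag words such as SYN and ACK) and the "INPUT CHAIN-> " prefix from the poster's drop-and-log-it-inp chain; the log lines and the WAN address 203.0.113.10 are constructed sample data.

```python
"""Classify packets that a netfilter LOG rule reported in the INPUT chain.

Added example, not code from the thread. It assumes the default kernel LOG
line format (KEY=VALUE tokens plus bare TCP flag words such as SYN, ACK) and
the "INPUT CHAIN-> " prefix used by the drop-and-log-it-inp chain in the
thread. The log lines below are constructed sample data; the WAN address
203.0.113.10 is a placeholder."""
from collections import Counter

LOG_PREFIX = "INPUT CHAIN-> "
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Constructed sample: three port-80 packets that reached INPUT on the WAN
# interface, one SYN to port 22 and one FORWARD-chain line as noise.
SAMPLE_LOG = """\
Mar  5 17:40:01 fw kernel: INPUT CHAIN-> IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43210 DPT=80 WINDOW=501 RES=0x00 ACK URGP=0
Mar  5 17:40:02 fw kernel: INPUT CHAIN-> IN=eth1 OUT= MAC=... SRC=198.51.100.7 DST=203.0.113.10 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=31337 DF PROTO=TCP SPT=43210 DPT=80 WINDOW=501 RES=0x00 ACK PSH URGP=0
Mar  5 17:40:05 fw kernel: INPUT CHAIN-> IN=eth1 OUT= MAC=... SRC=198.51.100.9 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=2001 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  5 17:40:07 fw kernel: INPUT CHAIN-> IN=eth1 OUT= MAC=... SRC=198.51.100.22 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=TCP SPT=44444 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0
Mar  5 17:40:09 fw kernel: FORWARD CHAIN-> IN=eth0 OUT=eth1 SRC=10.0.0.7 DST=198.51.100.50 LEN=60 PROTO=TCP SPT=40000 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0
"""


def parse_log_line(line):
    """Return a dict of fields for one INPUT-chain LOG line, or None if the
    line belongs to another chain. Bare flag words are collected in FLAGS."""
    if LOG_PREFIX not in line:
        return None
    body = line.split(LOG_PREFIX, 1)[1]
    fields, flags = {}, set()
    for token in body.split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
        elif token in TCP_FLAGS:
            flags.add(token)
    fields["FLAGS"] = frozenset(flags)
    return fields


def dnat_misses(log_text, wan_if, wan_ip, dport):
    """Pick out packets that should have been DNATed (arrived on the WAN
    interface for the public address and the forwarded port) but were logged
    in INPUT instead, and count them by TCP flag combination."""
    hits = []
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is None:
            continue
        if (f.get("IN") == wan_if and f.get("DST") == wan_ip
                and f.get("PROTO") == "TCP" and f.get("DPT") == str(dport)):
            hits.append(f)
    by_flags = Counter("+".join(sorted(f["FLAGS"])) for f in hits)
    return hits, by_flags


if __name__ == "__main__":
    hits, by_flags = dnat_misses(SAMPLE_LOG, "eth1", "203.0.113.10", 80)
    print(f"{len(hits)} port-80 packets reached INPUT instead of being DNATed")
    for combo, n in by_flags.most_common():
        print(f"  {combo:10s} {n}")
```

Reading the report: the nat table is consulted only for the first packet of a connection (the one conntrack classifies as NEW); later packets reuse the mapping stored in the conntrack entry. A packet that conntrack cannot tie to an existing entry (a late retransmission or duplicate, for example) is therefore never DNATed, its destination stays the WAN address, and it is delivered locally, which is exactly the INPUT-chain symptom described. A SYN to the forwarded port showing up in this report would instead mean the DNAT rule did not match it at all.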
 
Old 03-05-2007, 05:36 AM   #2
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 47
They are probably duplicate packets that the netfilter code says don't belong in the stream.

Do you have a state matching rule to allow ESTABLISHED,RELATED packets?
 
Old 03-05-2007, 06:55 AM   #3
cbettero
LQ Newbie
 
Registered: Mar 2007
Posts: 4

Original Poster
Rep: Reputation: 0
I have no state match specifications;
however I have tried with and without --state NEW,ESTABLISHED,RELATED in the PREROUTING rule, but with the same strange effect.

The problem is with AJAX web sites hosted on the internal server; they lose packets and so the application doesn't work correctly... if I put the web server directly on the WAN side, everything works ok...

bye
 
Old 03-05-2007, 08:09 AM   #4
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 47
The state rules live in the filter table, FORWARD, INPUT & OUTPUT chains..
They do nothing in the nat table..
 
Old 03-05-2007, 08:20 AM   #5
cbettero
LQ Newbie
 
Registered: Mar 2007
Posts: 4

Original Poster
Rep: Reputation: 0
Hi,

here is my iptables script:

# INPUT rules
echo -e "\nInput rules...\n"
iptables -A INPUT -p tcp --dport 137 -j DROP
iptables -A INPUT -p tcp --dport 138 -j DROP
iptables -A INPUT -p udp --dport 137 -j DROP
iptables -A INPUT -p udp --dport 138 -j DROP
iptables -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
iptables -A INPUT -i $GREEN_DEV -s $INTNET -d $UNIVERSE -j ACCEPT
iptables -A INPUT -i $GREEN_DEV -p tcp --dport 8082 -j ACCEPT

# coming-back ip packets; accept only if established-related
echo -e "\ncome back packets...\n"
iptables -A INPUT -i $RED_DEV -m state --state ESTABLISHED,RELATED -j ACCEPT

#iptables -A INPUT -i $RED_DEV -p ICMP -j ACCEPT

#catch and block all-other traffic
iptables -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it-inp

echo -e "\nOUTPUT rules...\n"

# OUTPUT rules-- lo interface
iptables -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# internal IF to LAN - accept all

iptables -A OUTPUT -o $GREEN_DEV -s $EXTIP -d $INTNET -j ACCEPT
iptables -A OUTPUT -o $GREEN_DEV -d $INTNET -j ACCEPT
iptables -A OUTPUT -o $GREEN_DEV -d $UNIVERSE -j ACCEPT

iptables -A OUTPUT -o $GREEN_DEV -s $INTIP -d $INTNET -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A OUTPUT -o $RED_DEV -s $EXTIP -d $UNIVERSE -j ACCEPT

#catch all other rules...
iptables -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it-out

# PORT FORWARDING rules...
PORTFWIP="10.0.0.2"

# Forwarding HTTP...ADDRESS 1
iptables -A PREROUTING -t nat -i $RED_DEV -p tcp -d $RED_ADDRESS --dport 80 -j DNAT --to $PORTFWIP:80
iptables -A FORWARD -i $RED_DEV -o $GREEN_DEV -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


# allow tun+ forwarding...
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -o tun+ -j ACCEPT

# Transparent proxy redirect

iptables -A PREROUTING -t nat -i $GREEN_DEV -p tcp ! -s 10.0.0.2 ! -d $GREEN_ADDRESS --dport 80 -j REDIRECT --to-port 8082

iptables -A PREROUTING -t nat -i $GREEN_DEV -p tcp ! -d $GREEN_ADDRESS --dport 110 -j REDIRECT --to-port 8110

iptables -A FORWARD -i $RED_DEV -p tcp --sport 22 -s 80.74.176.210 -j ACCEPT

#Now the FORWARD in-out rules --- ADDRESS 1
iptables -A FORWARD -i $RED_DEV -o $GREEN_DEV -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $GREEN_DEV -o $RED_DEV -m state --state ESTABLISHED,RELATED -j ACCEPT

# catch all other in log...
iptables -A FORWARD -j drop-and-log-it

# NAT: SourceNAT enabling...
iptables -t nat -A POSTROUTING -o $RED_DEV --source $INTNET -j SNAT --to-source $PUBLIC_ADDRESS
 
Old 03-05-2007, 08:31 AM   #6
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 47
Once these rules are loaded, please do iptables-save and post that. (Sanitise any obvious ip numbers). This will list them in the order they are functioning, much easier to read..

What happened to the drop-and-log-it-out rules?
 
Old 03-05-2007, 09:50 AM   #7
cbettero
LQ Newbie
 
Registered: Mar 2007
Posts: 4

Original Poster
Rep: Reputation: 0
Here it is:

eth0=LAN
eth1=WAN
MYWANIP = wan side IP

# Generated by iptables-save v1.3.7 on Mon Mar 5 17:48:28 2007
*raw
:PREROUTING ACCEPT [1995956:451770704]
:OUTPUT ACCEPT [1961924:1087077789]
COMMIT
# Completed on Mon Mar 5 17:48:28 2007
# Generated by iptables-save v1.3.7 on Mon Mar 5 17:48:28 2007
*nat
:PREROUTING ACCEPT [17802:1194035]
:POSTROUTING ACCEPT [10136:610868]
:OUTPUT ACCEPT [9850:595464]
-A PREROUTING -d $MYWANIP -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.2:80
-A PREROUTING -s ! 10.0.0.2 -d ! 10.0.0.5 -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8082
-A POSTROUTING -s 10.0.0.0/255.255.255.0 -o eth1 -j SNAT --to-source $MYWANIP
COMMIT
# Completed on Mon Mar 5 17:48:28 2007
# Generated by iptables-save v1.3.7 on Mon Mar 5 17:48:28 2007
*mangle
:PREROUTING ACCEPT [1995985:451773060]
:INPUT ACCEPT [1520898:334872020]
:FORWARD ACCEPT [475076:116900716]
:OUTPUT ACCEPT [1961957:1087081769]
:POSTROUTING ACCEPT [2425267:1203332050]
COMMIT
# Completed on Mon Mar 5 17:48:28 2007
# Generated by iptables-save v1.3.7 on Mon Mar 5 17:48:28 2007
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [9:2940]
:drop-and-log-it - [0:0]
:drop-and-log-it-inp - [0:0]
:drop-and-log-it-out - [0:0]
-A INPUT -p tcp -m tcp --dport 137 -j DROP
-A INPUT -p tcp -m tcp --dport 138 -j DROP
-A INPUT -p udp -m udp --dport 137 -j DROP
-A INPUT -p udp -m udp --dport 138 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/255.255.255.0 -i eth0 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j drop-and-log-it-inp
-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -o tun+ -j ACCEPT
ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p icmp -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 8080 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 222 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 20 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 5900 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 995 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 5060 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 3478 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p udp -m udp --dport 5060 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p udp -m udp --dport 3478 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 465 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p udp -m udp --dport 123 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 123 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 3389 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 8888 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 2095 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 137 -j DROP
-A FORWARD -p tcp -m tcp --dport 138 -j DROP
-A FORWARD -p tcp -m tcp --dport 139 -j DROP
-A FORWARD -p tcp -m tcp --dport 445 -j DROP
-A FORWARD -j drop-and-log-it
-A FORWARD -j drop-and-log-it
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s $MYWANIP -d 10.0.0.0/255.255.255.0 -o eth0 -j ACCEPT
-A OUTPUT -d 10.0.0.0/255.255.255.0 -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -s 10.0.0.5 -d 10.0.0.0/255.255.255.0 -o eth0 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -d 10.0.0.0/255.255.255.0 -o eth1 -j drop-and-log-it-out
-A OUTPUT -s $MYWANIP -o eth1 -j ACCEPT
-A OUTPUT -j drop-and-log-it-out
-A drop-and-log-it -j LOG --log-prefix "FORWARD CHAIN-> "
-A drop-and-log-it -j DROP
-A drop-and-log-it-inp -j LOG --log-prefix "INPUT CHAIN-> "
-A drop-and-log-it-inp -j DROP
-A drop-and-log-it-out -j LOG --log-prefix "OUTPUT CHAIN-> "
-A drop-and-log-it-out -j DROP
COMMIT
# Completed on Mon Mar 5 17:48:28 2007

Last edited by cbettero; 03-05-2007 at 10:22 AM.
 
Old 03-09-2007, 02:37 PM   #8
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 47
First suggestion is to change the POLICYs on the filter table to ACCEPT.
You have DROP rules to catch everything that's not ACCEPTed.

Second is to avoid making rules more specific than needed..
eg you have 2 rules in the FORWARD table where 1 will do for RELATED,ESTABLISHED.
Remove the -i & -o interface specs..

-A PREROUTING -s ! 10.0.0.2 -d ! 10.0.0.5 -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8082
This rule does nothing. Anything coming in on eth0 will be from 10.0.0.0/24, and anything between two PCs on the same physical segment will be done via ARP, not via the firewall.
tun traffic will come in on interface tun1

Try zeroing the iptables counters and do iptables-save -c
The rules will then show how many packets have passed down each rule.
Rules with zero packets need to be looked at to see if they need to exist, and DROPped packet counters need to be looked at to see if they are in the correct place, not too early or late in the ruleset sequence.

I usually refer people to this tutorial to get a grounding in the necessary rules/syntax.
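The counter review suggested above (zero-count rules, duplicated catch-alls, and where packets are actually being dropped) can be done programmatically over an iptables-save -c dump. The following is an added example, not code from the thread or from the iptables project: it assumes the iptables-save -c layout, a [packets:bytes] counter in front of every -A line and after every chain policy, and the dump it reads is constructed sample data modelled on the thread's filter table with invented counts.

```python
"""Audit an `iptables-save -c` dump: list rules that never matched, find
duplicated rules, and show where packets are being dropped.

Added example, not code from the thread. It assumes the iptables-save -c
layout (a `[packets:bytes]` counter before every -A line and after every
chain policy). The dump below is constructed sample data modelled on the
thread's filter table; the packet counts are invented."""
import re

SAMPLE_DUMP = """\
# Generated by iptables-save v1.3.7 (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [9:2940]
:drop-and-log-it - [0:0]
:drop-and-log-it-inp - [0:0]
[0:0] -A INPUT -p tcp -m tcp --dport 137 -j DROP
[5120:409600] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
[88000:71000000] -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
[37:1480] -A INPUT -j drop-and-log-it-inp
[12000:9000000] -A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A FORWARD -i tun+ -j ACCEPT
[9900:8000000] -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
[4:240] -A FORWARD -j drop-and-log-it
[0:0] -A FORWARD -j drop-and-log-it
[37:1480] -A drop-and-log-it-inp -j LOG --log-prefix "INPUT CHAIN-> "
[37:1480] -A drop-and-log-it-inp -j DROP
COMMIT
"""

COUNTED_RULE = re.compile(r"^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s+(.*)$")
POLICY = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")


def parse_dump(text):
    """Return (policies, rules) per table.

    policies: {table: {chain: (policy, pkts, bytes)}}
    rules:    {table: [(chain, pkts, bytes, rule_text), ...]} in file order
    """
    policies, rules, table = {}, {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
            policies[table], rules[table] = {}, []
            continue
        m = POLICY.match(line)
        if m and table:
            chain, pol, pk, by = m.groups()
            policies[table][chain] = (pol, int(pk), int(by))
            continue
        m = COUNTED_RULE.match(line)
        if m and table:
            pk, by, chain, rest = m.groups()
            rules[table].append((chain, int(pk), int(by), rest))
    return policies, rules


def unused_rules(rules, table="filter"):
    """Rules whose packet counter is still zero: candidates for removal, or
    for a check that they sit where the traffic can actually reach them."""
    return [(chain, rest) for chain, pk, _, rest in rules[table] if pk == 0]


def duplicate_rules(rules, table="filter"):
    """Identical (chain, rule) pairs appended more than once. The second copy
    is dead when the first one's target terminates the packet, as a jump into
    a log-and-drop chain does."""
    seen, dups = set(), []
    for chain, _, _, rest in rules[table]:
        key = (chain, rest)
        if key in seen:
            dups.append(key)
        seen.add(key)
    return dups


def drop_points(policies, rules, table="filter"):
    """Where packets are being dropped: explicit -j DROP rules with their
    position in the chain, plus DROP policies that still count packets, i.e.
    traffic that fell off the end of a chain without being logged."""
    out, position = [], {}
    for chain, pk, _, rest in rules[table]:
        position[chain] = position.get(chain, 0) + 1
        if rest.endswith("-j DROP"):
            out.append((chain, position[chain], pk, rest))
    for chain, (pol, pk, _) in policies[table].items():
        if pol == "DROP" and pk > 0:
            out.append((chain, "policy", pk, f"policy {pol}"))
    return out


if __name__ == "__main__":
    policies, rules = parse_dump(SAMPLE_DUMP)
    print("never matched:", *unused_rules(rules), sep="\n  ")
    print("duplicated:", *duplicate_rules(rules), sep="\n  ")
    print("drop points (chain, position, packets, rule):",
          *drop_points(policies, rules), sep="\n  ")
```

With a real dump, pipe `iptables-save -c` into parse_dump after zeroing the counters and letting traffic run for a while. Packets counted by a DROP policy are the ones an explicit final log-and-drop rule would have recorded, which is the practical reason behind the suggestion to set the policies to ACCEPT and rely on the catch-all rules.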
 