[SOLVED] Help me figure out if these rules are necessary

yzT! · 09-25-2014, 05:50 AM

Network A - Firewall - WebServer (Network B)

I have theses rules:

Code:

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 86 -j DNAT --to 192.168.1.56:80

iptables -A FORWARD -s 192.168.1.56 -o eth1 -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -d 192.168.1.56 -i eth1 -p tcp --dport 80 -j ACCEPT

iptables -t nat -A POSTROUTING -s 192.168.1.56 -o eth1 -j MASQUERADE

At the bottom of the script, there are rules logging INPUT, OUTPUT and FORWARD, before dropping the packets, and I'm seeing like if I needed to open the port 86 on the firewall itself.

Code:

Sep 25 11:44:01 firewall kernel: INPUT-Drop: IN=eth1 OUT= MAC=... SRC=10.140.1.5 DST=10.140.1.9 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=45454 DF PROTO=TCP SPT=60490 DPT=86 WINDOW=453 RES=0x00 ACK FIN URGP=0

But there are no service listening on port 86. That port is just used to access the web server which is in a VM.

As I cannot test this, because it's a production environment and I need make sure most is going to work before enabling the new configuration, what do you think about that dropped traffic? Is it relevant? I have never seen a packet intended for NAT end up on INPUT.

yzT! · 09-26-2014, 03:23 AM

I end up quickly adding the drop and checking the application, and it was working so I don't know why the traffic is reaching the end if it's going through PREROUTING

jomen · 09-27-2014, 02:32 PM

What you see in the second line of output you posted is the log entry, notifying you of a dropped packet.
It was dropped because it did not match the first rule. It came in through eth1 from 10.140.1.5 (local?) and tried to reach the web-interface of the VM, while the first rule only covers eth0.
It did not go anywhere, as it was dropped.

That is what I see.

yzT! · 09-29-2014, 01:24 AM

sorry, that was a mistype. The first rule is eth1