Prerouting with DROP as the default rule

loureed4 · 08-09-2011, 02:44 PM

Hi ! ,

I´d like to ask a question related to IPTables, because I´ve tried to find the solution in google, making a research, but I´m kind of new in IPTables and I don´t know what I´m doing wrong.

I read about how IPtables works better with a DROP default rule, denying all the traffic and then, you have to allow the traffic you want to. I have seen many websites with examples of iptables scripts, but mostly with ACCEPT as the default rule for INPUT, OUTPUT AND FORWARD.

My script is made with DROP, and it works except for the prerouting rules:

I made three of them so people from the WAN could access to a HTTPS Server, a SMTP Server and a Terminal Server , so , 443, 25 and 3389 must be opoened.

the rules are like this one:

iptables -t nat PREROUTING -i eth2 -p tcp --dport 25 -j DNAT --to 192.168.93.4:25

eth2 is the interface attached to the internet.

When I try Wireshark, I see how incoming packets are trying to access but only the SYN Packets appear.

I´m nearly sure I need another rule to make the traffic from the port 25 TCP out from my LAN to the WAN, but I tried that to with an output rule and even with a forward rule, but noone of them worked.

Thanks in advance !!

acid_kewpie · 08-10-2011, 08:13 AM

ok, so it sounds like you are hitting the default DROP, you don't say you've done anything to prevent that happening... Note that PREROUTING happens BEFORE FORWARD, so it's how the traffic looks after the DNAT, not before.

loureed4 · 08-10-2011, 09:08 AM

Thanks Acid for your early reply.
I´m new on this, I used to work with ISA 2006 , Microsoft.

I quote your reply:

"ok, so it sounds like you are hitting the default DROP, you don't say you've done anything to prevent that happening... Note that PREROUTING happens BEFORE FORWARD, so it's how the traffic looks after the DNAT, not before"

Do you mean i have to put the Prerouting senteces before the Forward ones ? . I´m a newbie in this matters , sorry if I ask silly things !

I have to learn a lot about Prerouting, Postrouting, Forward... and it seems not that difficult but, for some reason I´m not seeing, I can´t reach my internal servers from the WAN. Your reply is difficult for me, but even though I´ll re-read it as many times as necessary in order to understand it.

Could I paste here my script ? It´s long but I would shorten so that I could have assistance because as I said, all or nearly all the example I see have the ACCEPT rule by defualt, instead DROP, don´t know why because in ISA Server 2004 and 2006 has the Deny policy as the defult one, and it should be like that I think.

Thanks again in advance !

acid_kewpie · 08-10-2011, 09:11 AM

this diagram is very useful, clarifies the flow a lot. http://wiki.ubuntu.org.cn/images/f/f0/Iptables.gif

raevin · 08-10-2011, 09:38 AM

Quote:

Originally Posted by acid_kewpie

this diagram is very useful, clarifies the flow a lot. http://wiki.ubuntu.org.cn/images/f/f0/Iptables.gif

Going off of what acid said, I don't think you really need a NAT table set up here, I could be wrong...I had to set up a NAT table due to the port re-routing I had going on. However, and I ran into this issue myself, you have to also look at the FILTER table as well.

Running iptables -nvL, what does it say? If the policy is DROP then that's where your issue is right there.

Also, if you're unsure of something, something I found quite useful is logging at the end of a chain: iptables -t <table name> -j LOG --log-prefix "<table name> DROP: "

Replacing <table name> with the name of the table you're setting up.

After that, run a test and monitor syslog (dmesg | tail usually suffices).

HasC · 08-10-2011, 10:04 AM

Perhaps this could help:

First, I assume you're using DROP default policy for all your chains

Code:

# iptables -P DROP INPUT
# iptables -P DROP OUTPUT
# iptables -P DROP FORWARD

If that's the case you should:

Write DNAT rules so WAN can reach your internal services, as you already did
Write rules to allow FORWARDing of packets, between WAN and LAN, to/from your internal services. You should allow forwarding in both ways.
Write a rule to allow your internal servers to reach the WAN, maybe some MASQUERADE rules will suffice, but that's your choice.

Something like this, could do:

Code:

# iptables -t nat -I PREROUTING -i eth2 -p tcp --dport 25 -j DNAT --to 192.168.93.4:25
# iptables -I FORWARDING -i $WAN_IF -o $LAN_IF --dport 25 -j ACCEPT
# iptables -I FORWARDING -i $LAN_IF -o $WAN_IF --sport 25 -j ACCEPT
# iptables -t nat -I POSTROUTING -p all -s 192.168.93.4 -o $WAN_IF -j MASQUERADE

Just an example, surely these rules need to be tighten up a bit more.

loureed4 · 08-10-2011, 03:02 PM

Hi, Thanks a lot for your replies,

I followed the HasC´s advices because, for some reason, I only saw that one in my email as a reply, but I will follow the other advices because even though it worked , I don´t know why, I mean:

I just put these four lines you told me:

# iptables -t nat -I PREROUTING -i eth2 -p tcp --dport 25 -j DNAT --to 192.168.93.4:25
# iptables -I FORWARDING -i eth2-o eth1 --dport 25 -j ACCEPT (eth2 = interface WAN)
# iptables -I FORWARDING -i eth1 -o eth2 --sport 25 -j ACCEPT
# iptables -t nat -I POSTROUTING -p all -s 192.168.93.4 -o eht2 -j MASQUERADE

Well, actually the first one was already in the script, but I had a line in my script to do NAT , this one:

iptables -t NAT -A POSTROUTING -s 192.168.93.0/24 -o eth2 -j MASQUERADE

Then, I supposed I didn´t need any other rule with Masquerade because as far as I know what masquerade does is just hide local IP´s to turn them into the Public IP of the router.

Another thing I can´t understand due to my lack of knowledge on Iptables, is why the rule you told me to add is:

iptables -I FORWARD -i eth2 ..... I focus on the parameter "-I" . But this is my fault because I hadn´t read that much about parameters in IPTables, I just took a lot of examples and I studied them to understand IPtables, but I clearly must study much about this still.

It worked but I don´t know exactly why, hehe, I hate that, so I´ll see why it worked.

It seemed a good link this one http://wiki.ubuntu.org.cn/images/f/f0/Iptables.gif , so, I´ll check it out because things are not clear enoguh for me about IPTables, though there are quite a few examples on the net.

Thanks a lot for your time, all of you (sorry for my English, I hope to be understood, cause I´m Spanish ! )

raevin · 08-10-2011, 03:06 PM

Quote:

Originally Posted by loureed4

Hi, Thanks a lot for your replies,

I followed the HasC´s advices because, for some reason, I only saw that one in my email as a reply, but I will follow the other advices because even though it worked , I don´t know why, I mean:

I just put these three lines you told me:

# iptables -t nat -I PREROUTING -i eth2 -p tcp --dport 25 -j DNAT --to 192.168.93.4:25
# iptables -I FORWARDING -i eth2-o eth1 --dport 25 -j ACCEPT (eth2 = interface WAN)
# iptables -I FORWARDING -i eth1 -o eth2 --sport 25 -j ACCEPT
# iptables -t nat -I POSTROUTING -p all -s 192.168.93.4 -o $WAN_IF -j MASQUERADE

Well, actually the first one was already in the script, but I had a line in my script to do NAT , this one:

iptables -t NAT -A POSTROUTING -s 192.168.93.0/24 -o eth2 -j MASQUERADE

I have yet to understand the MASQUERADE job option, but the two FORWARDING rules are there for this:

If you have traffic coming in on port 25, it will redirect the traffic from eth2 to eth1, and if it's leaving on port 25, it'll redirect from eth1 to eth2. Basically mail traffic coming in from the Intranet will be sent out to the world via the WAN interface, and vice-versa.

I believe this is how to interpret the rules, anyways.

loureed4 · 08-11-2011, 01:19 AM

Hi, Thanks again for the reply,

I´ve just made some test:

1.- I took off the line "iptables -t nat -I POSTROUTING -p all -s 192.168.93.4 -o $WAN_IF -j MASQUERADE" and it works perfectly without it. I think this is because I already have the line "iptables -t NAT -A POSTROUTING -s 192.168.93.0/24 -o eth2 -j MASQUERADE" , which I think makes all the computers in my LAN hidding their local IP and showing the Public IP of the router, as I said in my previous post.

2.- I took off the line " iptables -I FORWARDING -i eth2-o eth1 --dport 25 -j ACCEPT (eth2 = interface WAN)" but it didn´t work. I thought it would work because with the Prerouting rule the incoming traffic would reach the destination (the smtp server) and then, I would only need a rule to forward the traffic to the WAN, but it seems it´s not like that.

In short, the masquerade option is not necessary, this is good to know in order to understand IPTables but I can´t understand why I need the second line.

Thanks for your time !!

By the way, the "masquerade" line HasC suggested was like this:
# iptables -t nat -I POSTROUTING -p all -s 192.168.93.4 -o $WAN_IF -j MASQUERADE

And mine was just the same but with an "-A" parameter before the key word "POSTROUTING"

Do you know why it is like that? Does it make any difference?

Thanks once more !

acid_kewpie · 08-11-2011, 02:08 AM

if you read the iptables manpage, A means Append (at the end), I means Insert (at the given location or at the start if no location given)

HasC · 08-11-2011, 07:44 AM

Quote:

Originally Posted by loureed4

Hi, Thanks a lot for your replies,

I followed the HasC´s advices because, for some reason, I only saw that one in my email as a reply, but I will follow the other advices because even though it worked , I don´t know why

Quote:

Originally Posted by HasC

If that's the case you should:

Write DNAT rules so WAN can reach your internal services, as you already did
Write rules to allow FORWARDing of packets, between WAN and LAN, to/from your internal services. You should allow forwarding in both ways.
Write a rule to allow your internal servers to reach the WAN, maybe some MASQUERADE rules will suffice, but that's your choice.

Thought my explanations were clear enough

Well, another quick-and-dirty try: when using DROP policy, *everything* gets DROPped, except the packets that you explicitly accept.
So you must write the rules to:

DNAT from WAN to internal server - you already did that
ACCEPT forwarding from WAN to internal server
ACCEPT forwarding from internal server to WAN
Let the internal server access the Internet - that's the reason of the MASQUERADE rule. You could use a SNAT rule, too.

loureed4 · 08-11-2011, 08:35 AM

Thanks for your reply.

HasC, your reply was clear but not enough for me, due, as I said, to my lack of experience in IPTables , I appreciate quit much your time !

By the way, this last reply of yours clarifies many things to me, it´s a very good "guideline" .

I knew with the DROP Polocy as the default, everything is dropped, and that´s how I like it, but on the internet there are a lot of examles with the ACCEPT policy as the default, which seems to me a very bad thing, because when I worked with ISA Server 2006, the default was too "drop it everything except the traffic I tell you to accept" , that´s much better in my opinion.

Very very useful this last post of yours, I mean it, thanks again !!

acid_kewpie · 08-11-2011, 09:11 AM

well one reason to do this (or rather, not care what the policy is) is that you can't log on the default policy, so you explicitly put a drop rule at the bottom with a log before it for clarity.

raevin · 08-11-2011, 09:13 AM

Quote:

Originally Posted by acid_kewpie

well one reason to do this (or rather, not care what the policy is) is that you can't log on the default policy, so you explicitly put a drop rule at the bottom with a log before it for clarity.

What do you mean you can't log on the default policy? Not trying to wrong you or anything, I just thought that this was the purpose of the LOG job. o.o

acid_kewpie · 08-11-2011, 09:23 AM

well yes, (and tbh I'm slightly thinking of Cisco ASA policy...) but you get a lot more clarity being able to see the LOG and then the DROP at the bottom of the less. Much less risk of ambiguity.