LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 05-05-2016, 04:27 PM   #1
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,240

Rep: Reputation: 103Reputation: 103
configure FORWARD with nat securely


Hi,

I'm trying to understand how the forward chain works in iptables relative to nat. Namely, I'm interested in the stateful connections with nat.

Can this be done exactly? Basically my question is, what's the most secure way of configuring the FORWARD chain if you use SNAT/DNAT.
Let's say I'm using snat and the LAN is 10.0.0.0/24 (eth0) and the public ip is 1.2.3.4(eth1).

This wouldn't work:
Quote:
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate NEW -i eth0 -o eth1 -s 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate NEW -i eth1 -o eth0 -d 10.0.0.0/24 -j ACCEPT
I suppose it's normal for the second rule not to work, because by the time the packet reaches the FORWARD chain, the ip has already been translated to the server's public ip (1.2.3.4). But changing the rule to -s 1.2.3.4 doesn't seem right, because it's the server's own ip, right?

So my question stands, what would be the most secure way of doing it? Or should I just make do with -i eth0 -o eth1 and -i eth1 -o eth0, without any stateful rules?

Before pointing me to the iptables man pages and other tutorials, I'd appreciate it if you actually tried to answer my question, as I'm pretty certain you can't easily find it in tutorials (which I constantly read).

Last edited by vincix; 05-05-2016 at 04:28 PM.
 
Old 05-06-2016, 11:37 AM   #2
cliffordw
Member
 
Registered: Jan 2012
Location: South Africa
Posts: 509

Rep: Reputation: 203Reputation: 203Reputation: 203
Hi there,

Quote:
Originally Posted by vincix View Post
I suppose it's normal for the second rule not to work, because by the time the packet reaches the FORWARD chain, the ip has already been translated to the server's public ip (1.2.3.4). But changing the rule to -s 1.2.3.4 doesn't seem right, because it's the server's own ip, right?
For SNAT, the address translation is done POSTROUTING, so the source (in rule 2) and destination (in rule 3) is still 10.0.0.0/24 when FORWARD rules are processed.

If you want to SNAT from the LAN to the internet, your first 2 rules should be OK, assuming you have and have IP forwarding enabled, and a NAT rule along the lines of:

Code:
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
Your 3rd rule should not be necessary - it allows NEW incoming connections from the internet to your LAN, most likely not what you want?

Last edited by cliffordw; 05-06-2016 at 11:38 AM.
 
Old 05-06-2016, 03:18 PM   #3
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,240

Original Poster
Rep: Reputation: 103Reputation: 103
I must have made a mistake before writing this post. I also have a DNAT for Windows Remote Desktop, that's what the third rule is for. I must have mixed up the interfaces or the source/destination ip addresses. Now it works just fine. And I restricted it even more:
Quote:
iptables -A FORWARD -i eth0 -o eth1 -m conntrack --ctstate NEW -d 10.0.0.0/24 -p tcp --dport 3389 -j ACCEPT
Seems to be working just fine I thought things were happening differently in the FORWARD chain, but everything looks as expected.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Please Guide. How to NAT and Port forward? manalisharmabe Linux - Server 1 03-05-2012 10:57 AM
[SOLVED] nat forward openvpn qwertyjjj Linux - Newbie 8 01-08-2010 05:51 AM
How do I forward specific network traffic securely to another host? silverblimp Linux - Server 3 04-20-2009 06:48 AM
Forward Applications Securely Over Internet? iXneonXi Linux - Security 1 03-08-2007 04:14 AM
Iptables FORWARD or NAT. problem. aronnok Linux - Networking 0 01-30-2005 05:57 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 01:52 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration