Old 05-16-2018, 12:18 PM   #1
Pigi_102
Member
 
Registered: Aug 2008
Posts: 186

Rep: Reputation: 22
Dual homed firewall ( iptables ) and problems on iproute2.


Hi all.
I have a linux firewall ( Slackware + iptables ) and recently I have added a new ISP to my schema:
Code:
   ISP1                      ISP2
   ----- (router1)           ---- (router 2)
     |                         |
eth0 |( 192.168.126.0/24 )     | eth0.30 ( 192.168.126.0/24 )
     |                         |
   +-----------------------------+  eth1
   |            firewall         |------- DMZ ( 80.204.59.224/27 ) 
   +-----------------------------+
                   |
                   | eth2
                   |
              Internal net ( 192.168.1.0/24 )
My default gateway is toward ISP1.
Both ISPs nat my public address in a 1-to-1 way:
ISP1 XX.XX.XX.XX => 192.168.127.1
ISP2 YY.YY.YY.YY => 192.168.126.200

My server in DMZ to reach is 80.204.59.234 ( this is a fake IP ) and I need to reach it on port 4445 ( this is a fake port )

In DMZ I have some servers that need to be reached either via ISP1 or via ISP2.
The last thing that should be told is that I need to get to servers in the DMZ and/or the internal net via DNAT.
Packets get to my firewall via NAT, as told, so I need to address them to my servers via another DNAT.

The default routing, DNATting and firewalling works ( it was before adding the new ISP ), so I would not spend words on it to avoid confusion.

I cannot get, though, the new routing, DNATting and firewalling working.

I have used the following for the source routing to connect directly to firewall via ISP2:
Code:
echo "200     custom" >> /etc/iproute2/rt_tables   # append: a single ">" would overwrite the file and drop the local/main/default entries
ip rule add from 192.168.126.200 lookup custom
ip route add default via 192.168.126.1 dev eth0.30 table custom
and after that I'm able to connect to the firewall via ISP2.

My idea was to use the mark feature on iproute/iptables, but every configuration I've made so far doesn't work ( which obviously means that I have not understood how it should work ).
The first thing I did was to ( try to ) mark the packet:
Code:
iptables -I PREROUTING 1 -i eth0.30 -t mangle -j MARK --set-mark 1
and then the rule to DNAT and authorize:
Code:
iptables -t nat -A PREROUTING -p tcp -s 0.0.0.0/0 -d 192.168.126.200  --dport 4445 -i eth0.30 -j DNAT --to 80.204.59.234
iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 80.204.59.234 -i eth0.30 -o eth1 --dport 4445 -j ACCEPT
If I try a telnet from an internet host ( ZZ.ZZ.ZZ.ZZ in the example ) I can see ( via tcpdump ) the packet that gets in through the eth0.30 interface, I can see the packet out from eth1 correctly NATted, I can see the reply coming in on the eth1 interface but then it gets lost.
Well, not completely lost, as I can see it out from the eth0 interface, routed via the default gateway ( ISP1 ) but, being that the packet has been converted again to its original IP address, it doesn't get to any place:

on eth0.30 I see the SYN part:
Code:
root@firewall# tcpdump -n -i eth0.30 port 4445 
19:00:13.903849 IP ZZ.ZZ.ZZ.ZZ.44448 > 192.168.126.200.4445: Flags [S], seq 199405570, win 29200, options [mss 1412,sackOK,TS val 220344269 ecr 0,nop,wscale 7], length 0
19:00:14.942689 IP ZZ.ZZ.ZZ.ZZ.44448 > 192.168.126.200.4445: Flags [S], seq 199405570, win 29200, options [mss 1412,sackOK,TS val 220345310 ecr 0,nop,wscale 7], length 0
19:00:16.990401 IP ZZ.ZZ.ZZ.ZZ.44448 > 192.168.126.200.4445: Flags [S], seq 199405570, win 29200, options [mss 1412,sackOK,TS val 220347358 ecr 0,nop,wscale 7], length 0
19:00:21.022685 IP ZZ.ZZ.ZZ.ZZ.44448 > 192.168.126.200.4445: Flags [S], seq 199405570, win 29200, options [mss 1412,sackOK,TS val 220351390 ecr 0,nop,wscale 7], length 0
on eth1 I see the ( DNATted ) SYN and SYN-ACK:
Code:
19:00:13.903959 IP ZZ.ZZ.ZZ.ZZ.44448 > 80.204.59.234.4445: Flags [S], seq 199405570, win 29200, options [mss 1412,sackOK,TS val 220344269 ecr 0,nop,wscale 7], length 0
19:00:13.904262 IP 80.204.59.234.4445 > ZZ.ZZ.ZZ.ZZ.44448: Flags [S.], seq 285326337, ack 199405571, win 50400, options [nop,nop,TS val 356376773 ecr 220344269,mss 1460,nop,wscale 0,nop,nop,sackOK], length 0
19:00:14.942739 IP ZZ.ZZ.ZZ.ZZ.44448 > 80.204.59.234.4445: Flags [S], seq 199405570, win 29200, options [mss 1412,sackOK,TS val 220345310 ecr 0,nop,wscale 7], length 0
19:00:14.942912 IP 80.204.59.234.4445 > ZZ.ZZ.ZZ.ZZ.44448: Flags [.], ack 1, win 50400, options [nop,nop,TS val 356376877 ecr 220344269], length 0
19:00:16.990454 IP ZZ.ZZ.ZZ.ZZ.44448 > 80.204.59.234.4445: Flags [S], seq 199405570, win 29200, options [mss 1412,sackOK,TS val 220347358 ecr 0,nop,wscale 7], length 0
19:00:16.990701 IP 80.204.59.234.4445 > ZZ.ZZ.ZZ.ZZ.44448: Flags [.], ack 1, win 50400, options [nop,nop,TS val 356377082 ecr 220344269], length 0
19:00:17.277036 IP 80.204.59.234.4445 > ZZ.ZZ.ZZ.ZZ.44448: Flags [S.], seq 285326337, ack 199405571, win 50400, options [nop,nop,TS val 356377111 ecr 220344269,mss 1460,nop,wscale 0,nop,nop,sackOK], length 0
19:00:21.022738 IP ZZ.ZZ.ZZ.ZZ.44448 > 80.204.59.234.4445: Flags [S], seq 199405570, win 29200, options [mss 1412,sackOK,TS val 220351390 ecr 0,nop,wscale 7], length 0
19:00:21.023021 IP 80.204.59.234.4445 > ZZ.ZZ.ZZ.ZZ.44448: Flags [.], ack 1, win 50400, options [nop,nop,TS val 356377485 ecr 220344269], length 0
19:00:24.036434 IP 80.204.59.234.4445 > ZZ.ZZ.ZZ.ZZ.44448: Flags [S.], seq 285326337, ack 199405571, win 50400, options [nop,nop,TS val 356377787 ecr 220344269,mss 1460,nop,wscale 0,nop,nop,sackOK], length 0
and finally on eth0 ( which is the wrong output interface )
Code:
19:00:13.904317 IP 192.168.126.200.4445 > ZZ.ZZ.ZZ.ZZ.44448: Flags [S.], seq 285326337, ack 199405571, win 50400, options [nop,nop,TS val 356376773 ecr 220344269,mss 1460,nop,wscale 0,nop,nop,sackOK], length 0
19:00:14.942963 IP 192.168.126.200.4445 > ZZ.ZZ.ZZ.ZZ.44448: Flags [.], ack 1, win 50400, options [nop,nop,TS val 356376877 ecr 220344269], length 0
19:00:16.990751 IP 192.168.126.200.4445 > ZZ.ZZ.ZZ.ZZ.44448: Flags [.], ack 1, win 50400, options [nop,nop,TS val 356377082 ecr 220344269], length 0
19:00:17.277084 IP 192.168.126.200.4445 > ZZ.ZZ.ZZ.ZZ.44448: Flags [S.], seq 285326337, ack 199405571, win 50400, options [nop,nop,TS val 356377111 ecr 220344269,mss 1460,nop,wscale 0,nop,nop,sackOK], length 0
19:00:21.023063 IP 192.168.126.200.4445 > ZZ.ZZ.ZZ.ZZ.44448: Flags [.], ack 1, win 50400, options [nop,nop,TS val 356377485 ecr 220344269], length 0
19:00:24.036484 IP 192.168.126.200.4445 > ZZ.ZZ.ZZ.ZZ.44448: Flags [S.], seq 285326337, ack 199405571, win 50400, options [nop,nop,TS val 356377787 ecr 220344269,mss 1460,nop,wscale 0,nop,nop,sackOK], length 0
Obviously, being that the return packet is for 192.168.126.200 on the 192.168.127 LAN, it doesn't get NATted by the ISP ( which NATs 1-to-1 the 192.168.127.1 IPs to my XX.XX.XX.XX public interface ) so they get lost.

I have then tried to add a new rule in iproute2 way:
Code:
echo "199     fwmarked" >> /etc/iproute2/rt_tables   # append: a single ">" would overwrite the file and drop the local/main/default entries
ip rule add fwmark 1 lookup fwmarked
ip route add table fwmarked default via 192.168.126.1
that in my understanding should work with the iptables -t mangle stuff but the behavior is really strange.
I get the packet DNATted and routed on the eth0.30 interface.
I cannot see this via tcpdump as I don't have an iptables rule that allows the forward on the same interface, but I have a log rule for this:

Code:
/usr/sbin/iptables -A FORWARD -p tcp  -m multiport  -s 0.0.0.0/0 -d 80.204.59.234 -i eth0.30 --dport 4445 -j LOG --log-level debug --log-prefix "FORWARD.30"
and in the log I see:
Code:
[3564642.502199] FORWARD 30 IN=eth0.30 OUT=eth0.30 MAC=XY:16:76:6b:7c:YX:a4:91:XY:3b:19:ZX:08:00:45:XZ:00:3c SRC=ZZ.ZZ.ZZ.ZZ DST=80.204.59.234 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=7100 DF PROTO=TCP SPT=44890 DPT=4445 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x1
and you can see that IN and OUT point to eth0.30 so the packet gets NATted ( the destination is correct after the DNAT ).

Can you eventually share a bit of light on this problem ?

Thanks in advance and please forgive my English, as it is not my native language

Pierluigi
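The captures above show why the `from 192.168.126.200` rule and the plain MARK rule both miss: the reply leaves eth1-side routing while its source is still 80.204.59.234 (the DNAT is only reversed in POSTROUTING, which is why the rewritten source only shows up on the eth0 capture), and marking the incoming SYN itself sends it back out eth0.30, which is the IN=eth0.30 OUT=eth0.30 log line. The script below is an added example, not the poster's configuration: it marks the connection on the SYN with CONNMARK and restores that mark only on packets that did not arrive from eth0.30, so the fwmark rule steers the replies. It assumes the post's addresses (ISP2 gateway 192.168.126.1 on eth0.30, DMZ on eth1, mark 1, table 199) and lets IPT, IP and SYSCTL be overridden for a dry run.

```shell
#!/bin/sh
# Added example, not the poster's configuration: steer replies of connections
# that arrived via ISP2 back out through eth0.30 with CONNMARK + a fwmark rule.
# Assumed from the post: ISP2 gateway 192.168.126.1 on eth0.30, DMZ on eth1,
# mark 1 and table 199 ("echo '199 fwmarked' >> /etc/iproute2/rt_tables" names it).
# Set IPT="echo iptables" IP="echo ip" SYSCTL="echo sysctl" for a dry run.
IPT=${IPT:-iptables}
IP=${IP:-ip}
SYSCTL=${SYSCTL:-sysctl}
WAN2_IF=eth0.30
WAN2_GW=192.168.126.1
MARK=1
TABLE=199

setup_isp2_routing() {
    # Record on the conntrack entry (not on the packet) that the connection
    # entered via ISP2. The SYN keeps nfmark 0, so it is routed by the main
    # table and, after DNAT, still reaches the DMZ through eth1.
    $IPT -t mangle -A PREROUTING -i "$WAN2_IF" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$MARK"
    # Replies from the DMZ are routed while their source is still
    # 80.204.59.234; the DNAT is only reversed later, in POSTROUTING, so a
    # "from 192.168.126.200" rule can never match them. Copying the
    # connection mark onto the packet gives the fwmark rule something to match.
    $IPT -t mangle -A PREROUTING ! -i "$WAN2_IF" -m connmark --mark "$MARK" \
        -j CONNMARK --restore-mark
    # Marked packets consult a table whose default route points at ISP2.
    $IP rule add fwmark "$MARK" lookup "$TABLE"
    $IP route add default via "$WAN2_GW" dev "$WAN2_IF" table "$TABLE"
    # The SYN arriving on eth0.30 has a source the main table routes via ISP1;
    # strict reverse-path filtering would drop it, so use loose mode there.
    # (sysctl needs '/' instead of '.' because the interface name contains a dot.)
    $SYSCTL -w "net/ipv4/conf/$WAN2_IF/rp_filter=2"
    $IP route flush cache
}

# Run with "sh this_script.sh apply" to install the rules.
if [ "${1:-}" = "apply" ]; then setup_isp2_routing; fi
```

Remove the earlier `-I PREROUTING 1 -i eth0.30 -t mangle -j MARK --set-mark 1` rule before applying this, otherwise the SYN is still marked and bounced back out eth0.30; the existing DNAT and FORWARD rules for port 4445 stay as they are.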