Old 08-21-2007, 08:37 PM   #1
Myrion
LQ Newbie
 
Registered: Aug 2007
Posts: 5

Rep: Reputation: 0
How to configure Netfilter with multiple NICs


Hello,

I am new to these forums. Also, I'd like to thank you in advance for taking the time to help me solve this rather complex issue that's been plaguing my linux router for days.

First, let me explain the setup: The router is a FC7 box with 3 NICs. One NIC (eth1) is the gateway for my internal network (192.168.0.0/23), and the other two NICs (eth0 & eth2) are assigned static IPs to the outside world.

Now I'll explain what I'm attempting to do: What I've been attempting to do, unsuccessfully, is have eth0 serve as the listening interface for BIND (to answer DNS queries from both the LAN and the WAN), and I want all traffic coming from the internal network (eth1) to exit through eth2. In addition, I want the outside world to be able to access some servers inside the LAN through eth2. But again, eth0 is only to be used to send and receive DNS-related information via port 53. (The general idea is that I'm piggy-backing a nameserver onto my router). When the outside world queries my name server for my domain, it will point them to the static IP address assigned to eth2.

After spending countless hours trying to get this working via iptables, the only outcome I get (through MASQUERADING) is *all* data can either go out eth0 or eth2, but not both. Even if I set up two different masquerade rules (although I may be doing it incorrectly in a forwarding or prerouting area).

What I ask of you experienced folk: Could you please provide me with a simple iptables layout for the main objectives I'm trying to accomplish here? I can fill in all the specifics for forwarding traffic to the correct LAN servers, etc. But a simple skeleton/template would be ever so generous, and unbelievably helpful.

In case it is helpful, I've posted my current iptables script below. I went ahead and removed all directives that would have forwarded traffic through eth2 since I couldn't get it to work. Instead, I just have everything going out through eth0 until I can get one of your kind experts to help me with eth2.

Code:
#!/bin/sh

# other definitions
IFext="eth0"
IFint="eth1"
IFext2="eth2"
lannet="192.168.0.0/23"

# continue only if we're (pre-)configuring the external interface
if [ "${1}" != "ifcfg-${IFext}" ]; then
    exit 0
fi

logger -t iptables Setting default policies
# chain policies
# drop everything and open stuff as necessary
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT DROP

logger -t iptables Flushing tables
/sbin/iptables -F
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F -t mangle
/sbin/iptables -F -t nat
/sbin/iptables -X
/sbin/iptables -Z

logger -t iptables Creating user tables + rules
# create DUMP table
/sbin/iptables -N DUMP
/sbin/iptables -F DUMP
# limited logs
/sbin/iptables -A DUMP -p icmp -m limit --limit 1/m --limit-burst 5 -j LOG --log-level 6 --log-prefix "IPT ICMPDUMP: "
/sbin/iptables -A DUMP -p tcp -m limit --limit 1/m --limit-burst 5 -j LOG --log-level 6 --log-prefix "IPT TCPDUMP: "
/sbin/iptables -A DUMP -p udp -m limit --limit 6/h --limit-burst 5 -j LOG --log-level 6 --log-prefix "IPT UDPDUMP: "

/sbin/iptables -A DUMP -p tcp -j REJECT --reject-with tcp-reset
/sbin/iptables -A DUMP -p udp -j REJECT --reject-with icmp-port-unreachable
/sbin/iptables -A DUMP -j DROP

# Stateful table
/sbin/iptables -N STATEFUL
/sbin/iptables -F STATEFUL
/sbin/iptables -I STATEFUL -m state --state ESTABLISHED,RELATED -j ACCEPT
# NEW connections are accepted from every interface except ${IFext}; note that
# this also lets them in from ${IFext2}, the second external interface
/sbin/iptables -A STATEFUL -m state --state NEW ! -i ${IFext} -j ACCEPT
/sbin/iptables -A STATEFUL -j DUMP

# SSH protection table
/sbin/iptables -N SSH
/sbin/iptables -F SSH
/sbin/iptables -A SSH ! -i ${IFext} -j RETURN
/sbin/iptables -A SSH -m recent --name SSH --set --rsource
/sbin/iptables -A SSH -m recent ! --rcheck --seconds 60 --hitcount 3 --name SSH --rsource -j RETURN
/sbin/iptables -A SSH -j DUMP

# SYN protection table
/sbin/iptables -N SYN-FLOOD
/sbin/iptables -F SYN-FLOOD
/sbin/iptables -A SYN-FLOOD -m limit --limit 1/s --limit-burst 8 -j RETURN
/sbin/iptables -A SYN-FLOOD -j DROP

/sbin/iptables -A INPUT -p tcp -i ${IFext} --syn -j SYN-FLOOD
/sbin/iptables -A INPUT -p tcp -i ${IFext} ! --syn -m state --state NEW -j DROP

# watch out for fragments
/sbin/iptables -A INPUT -i ${IFext} -f -j LOG --log-prefix "IPT FRAGMENTS: "
/sbin/iptables -A INPUT -i ${IFext} -f -j DROP

logger -t iptables Setting input/output rules
# allow loopback in
/sbin/iptables -A INPUT -i lo -j ACCEPT
# allow loopback and LAN out
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
/sbin/iptables -A OUTPUT -p ALL -s ${lannet} -j ACCEPT

logger -t iptables Preventing reserved addresses
# drop reserved addresses incoming as per IANA listing
/sbin/iptables -A INPUT -i ${IFext} -s 0.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 1.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 2.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 5.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 7.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 10.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 23.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 27.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 31.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 36.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 39.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 41.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 42.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 58.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 59.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 60.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 127.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 169.254.0.0/16 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 172.16.0.0/12 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 192.168.0.0/16 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 197.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 224.0.0.0/3 -j DUMP
/sbin/iptables -A INPUT -i ${IFext} -s 240.0.0.0/8 -j DUMP

logger -t iptables Setting ICMP rules
# allow certain inbound ICMP types (on *any* interface)
/sbin/iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT

logger -t iptables Setting TCP/UDP rules
# opened ports
/sbin/iptables -A INPUT -p tcp -i ${IFext} --dport ssh -m state --state NEW -j SSH
/sbin/iptables -A INPUT -p tcp -i ${IFext} --dport ssh -j ACCEPT
/sbin/iptables -A INPUT -i ${IFext} -p tcp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -i ${IFext} -p udp --dport 53 -j ACCEPT

logger -t iptables Turning on NAT
# masquerade from internal network
/sbin/iptables -t nat -A POSTROUTING -s ${lannet} -o ${IFext} -j MASQUERADE

logger -t iptables Setting port forwarding
server1="192.168.1.111"

# override stateful table
/sbin/iptables -A FORWARD -i ${IFext} -o ${IFint} -j ACCEPT

# server1 ports
# after DNAT the packet's *destination* is ${server1}, so the FORWARD rules
# must match on -d rather than -s (with -s they never matched; only the
# blanket ${IFext} -> ${IFint} rule above let the traffic through)
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 46959:46965 -j DNAT --to ${server1}
/sbin/iptables -A FORWARD -d ${server1} -p tcp --dport 46959:46965 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 80 -j DNAT --to ${server1}
/sbin/iptables -A FORWARD -d ${server1} -p tcp --dport 80 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 443 -j DNAT --to ${server1}
/sbin/iptables -A FORWARD -d ${server1} -p tcp --dport 443 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 25 -j DNAT --to ${server1}
/sbin/iptables -A FORWARD -d ${server1} -p tcp --dport 25 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 143 -j DNAT --to ${server1}
/sbin/iptables -A FORWARD -d ${server1} -p tcp --dport 143 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 1980 -j DNAT --to ${server1}
/sbin/iptables -A FORWARD -d ${server1} -p tcp --dport 1980 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 993 -j DNAT --to ${server1}
/sbin/iptables -A FORWARD -d ${server1} -p tcp --dport 993 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 1981 -j DNAT --to ${server1}
/sbin/iptables -A FORWARD -d ${server1} -p tcp --dport 1981 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i ${IFext} --dport 3784 -j DNAT --to ${server1}
/sbin/iptables -A FORWARD -d ${server1} -p tcp --dport 3784 -j ACCEPT

logger -t iptables Finish up
# push everything else to state table
/sbin/iptables -A INPUT -j STATEFUL
/sbin/iptables -A FORWARD -j STATEFUL
/sbin/iptables -A OUTPUT -j STATEFUL

Again, thank you very much for your help.

--myrion
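The skeleton asked for above, as an added example that is not the poster's script and not from any reply in the thread. It keeps the thread's interface names, LAN and server addresses; the two public addresses are placeholders from the documentation ranges. Unlike the posted script it treats eth2 as untrusted too, never forwards anything through eth0, forwards inbound traffic only for flows that were actually DNATed, and uses SNAT because eth2's address is static. By default it only prints the rules (a dry run); set IPT=/sbin/iptables to load them.

```shell
#!/bin/sh
# Added example (not the poster's script): a skeleton for the three-NIC router
# described in the thread.  eth0 carries only DNS for BIND, eth2 carries LAN
# egress (SNAT to its static address) and the published services (DNAT),
# and BOTH uplinks are treated as untrusted.  Placeholders (assumptions):
# the public addresses, which use the documentation ranges.  By default it is
# a dry run that prints each rule; apply with  IPT=/sbin/iptables sh fw.sh
# (net.ipv4.ip_forward must be 1 for the FORWARD rules to matter).
IPT="${IPT:-echo /sbin/iptables}"

IFext="eth0";  IPext="203.0.113.10"    # DNS-only uplink
IFext2="eth2"; IPext2="198.51.100.10"  # general uplink
IFint="eth1";  lannet="192.168.0.0/23"
server1="192.168.1.111"
server1_tcp_ports="25 80 143 443 993"  # subset of the thread's port list

fw_rules() {
    # Clean, deny-by-default slate in every table.
    for t in filter nat mangle; do $IPT -t $t -F; $IPT -t $t -X; done
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT DROP

    # Replies to anything already allowed, checked first on every chain.
    for c in INPUT FORWARD OUTPUT; do
        $IPT -A $c -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    done
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Anti-spoofing: no uplink may deliver a packet claiming a LAN source.
    for i in $IFext $IFext2; do
        $IPT -A INPUT   -i $i -s $lannet -j DROP
        $IPT -A FORWARD -i $i -s $lannet -j DROP
    done

    # eth0 exists only for BIND.  Nothing is forwarded through it, ever.
    $IPT -A INPUT -i $IFext -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i $IFext -p tcp --dport 53 -j ACCEPT

    # LAN hosts may talk to the router itself (BIND, ssh, ...).
    $IPT -A INPUT -i $IFint -s $lannet -j ACCEPT

    # eth2: ssh to the router, throttled to 3 new connections per minute per source.
    $IPT -A INPUT -i $IFext2 -p tcp --dport 22 -m conntrack --ctstate NEW \
        -m recent --name ssh --set
    $IPT -A INPUT -i $IFext2 -p tcp --dport 22 -m conntrack --ctstate NEW \
        -m recent --name ssh --update --seconds 60 --hitcount 4 -j DROP
    $IPT -A INPUT -i $IFext2 -p tcp --dport 22 -j ACCEPT

    # The router's own traffic: DNS from eth0's address, everything else from
    # eth2's.  Which NIC a packet leaves by is decided by routing, not here;
    # these rules only pin each source address to its interface.
    $IPT -A OUTPUT -o $IFext  -s $IPext  -p udp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -o $IFext  -s $IPext  -p tcp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -o $IFext2 -s $IPext2 -j ACCEPT
    $IPT -A OUTPUT -o $IFint  -j ACCEPT

    # LAN egress: eth2 only, with a fixed public source.  SNAT rather than
    # MASQUERADE because the address is static.
    $IPT -A FORWARD -i $IFint -o $IFext2 -s $lannet -j ACCEPT
    $IPT -t nat -A POSTROUTING -s $lannet -o $IFext2 -j SNAT --to-source $IPext2

    # Published services: DNAT on eth2 only, and forward only what was DNATed
    # (the packet's destination is now the server, so match -d, not -s).
    for p in $server1_tcp_ports; do
        $IPT -t nat -A PREROUTING -i $IFext2 -p tcp --dport $p -j DNAT --to-destination $server1
    done
    $IPT -A FORWARD -i $IFext2 -o $IFint -d $server1 -m conntrack --ctstate DNAT -j ACCEPT

    # Whatever else tries to cross the router is logged (rate-limited) and
    # then hits the DROP policy.
    $IPT -A FORWARD -m limit --limit 6/min -j LOG --log-prefix "IPT FWD-DROP: "
}

fw_rules
```

The filter only says which source address may leave by which interface; it cannot make LAN traffic choose eth2 while DNS answers choose eth0. That part is a routing decision, taken before SNAT runs, which is why two MASQUERADE rules on their own never produced traffic on both uplinks.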
 
Old 08-22-2007, 11:36 AM   #2
Myrion
LQ Newbie
 
Registered: Aug 2007
Posts: 5

Original Poster
Rep: Reputation: 0
Arrow bump

daily bump -- hoping for someone to know how to resolve this
 
Old 08-22-2007, 01:49 PM   #3
jeenam
Member
 
Registered: Dec 2006
Distribution: Slackware 11
Posts: 144

Rep: Reputation: 15
First off, you're only forwarding from eth0 to eth1:

# override stateful table
/sbin/iptables -A FORWARD -i ${IFext} -o ${IFint} -j ACCEPT


You stated that traffic coming in through eth2 should be allowed to contact internal hosts, so change the line to:

/sbin/iptables -A FORWARD -i ${IFext2} -o ${IFint} -j ACCEPT



The MASQUERADE function is an ugly little hack. Use SNAT.

e.g. /sbin/iptables -t nat -A POSTROUTING -s ${lannet} -o ${IFext2} -j SNAT --to-source ${ip_of_eth2}


Permit forwarding of traffic only on port 53 (DNS) to go from the internal hosts to eth0:

/sbin/iptables -A FORWARD -i ${IFint} -s ${lannet} -d ${ip_of_eth0} -p udp --dport 53 -j ACCEPT
/sbin/iptables -A FORWARD -i ${IFint} -s ${lannet} -d ${ip_of_eth0} -p tcp --dport 53 -j ACCEPT

Traffic back from eth0 to the internal hosts should get through via the -m state --state ESTABLISHED...etc. rule. If not, add an explicit rule to allow responses to DNS queries ( /sbin/iptables -A FORWARD -s ${ip_of_eth0} -d ${lannet} -p udp --sport 53 -j ACCEPT )




AND LASTLY

The machine's default gateway is probably via eth0. You'll have to configure policy routing to specify routes for the data. Anything coming from ${lannet} not bound for tcp port 53 should use the ip of eth2 for a gateway. Anything coming in on eth0 that wasn't forwarded in from eth1 should use eth0 as a gateway, etc. Hopefully you get the picture.

I'm not very familiar with policy routing but this should get you going: http://www.policyrouting.org/PolicyR...NLINE/TOC.html

Last edited by jeenam; 08-22-2007 at 01:53 PM.
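The policy-routing part of the answer above, worked through as an added example (not from the thread and not from the linked document). The public addresses, the two ISP gateways and the table numbers 10 and 20 are placeholders; the interface names and LAN match the thread. It prints the ip/sysctl commands by default; set IP=/sbin/ip SYSCTL=/sbin/sysctl to apply them.

```shell
#!/bin/sh
# Added example, not from the thread: the policy-routing half of the setup.
# iptables decides what may pass, but which uplink a packet leaves by is a
# routing decision, taken before POSTROUTING SNAT, and a single default route
# sends every flow out the same NIC.  Two extra tables, selected by the
# packet's SOURCE address, split the traffic.  Placeholders (assumptions):
# the public addresses, the two ISP gateways, and table numbers 10 and 20.
# Dry run by default; apply with  IP=/sbin/ip SYSCTL=/sbin/sysctl sh policyroute.sh
IP="${IP:-echo ip}"
SYSCTL="${SYSCTL:-echo sysctl}"

IFext="eth0";  IPext="203.0.113.10";   GWext="203.0.113.1"    # DNS-only uplink
IFext2="eth2"; IPext2="198.51.100.10"; GWext2="198.51.100.1"  # general uplink
lannet="192.168.0.0/23"
T_DNS=10; T_GEN=20

pr_rules() {
    # One table per uplink, each holding only that uplink's default route.
    # Connected routes (both uplink subnets and the LAN) stay in "main".
    $IP route flush table $T_DNS
    $IP route flush table $T_GEN
    $IP route add default via $GWext  dev $IFext  table $T_DNS
    $IP route add default via $GWext2 dev $IFext2 table $T_GEN

    # Remove our own rules from a previous run, then add them in priority order.
    for p in 50 100 101 102; do $IP rule del priority $p 2>/dev/null || true; done

    # 50: anything addressed to the LAN is resolved by "main" first, so BIND's
    #     answers from eth0's address to a LAN client still leave via eth1.
    $IP rule add priority 50 to $lannet lookup main
    # 100: packets carrying eth0's address (BIND answers and its recursive
    #      queries) go out eth0 whatever the global default route is.
    $IP rule add priority 100 from $IPext lookup $T_DNS
    # 101/102: the router's own eth2 traffic and every LAN packet (which still
    #      has its 192.168.x source when routed; SNAT comes later) go out eth2.
    #      Replies to DNATed inbound connections come from the LAN server, so
    #      they match here too and return by the uplink they arrived on.
    $IP rule add priority 101 from $IPext2 lookup $T_GEN
    $IP rule add priority 102 from $lannet lookup $T_GEN

    # Strict reverse-path filtering would drop a DNS query arriving on eth0,
    # because "main" would reach its source via eth2; relax it on both uplinks
    # (2 = loose mode; on kernels without it, use 0).
    for i in $IFext $IFext2; do
        $SYSCTL -w net.ipv4.conf.$i.rp_filter=2
    done
}

pr_rules
```

Check the result with `ip rule show` and `ip route get 8.8.8.8 from 192.168.0.10 iif eth1` (should pick eth2) versus `ip route get 8.8.8.8 from 203.0.113.10` (should pick eth0); the first lookup is made with the LAN source address because SNAT has not happened yet at routing time.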
 
Old 08-22-2007, 02:17 PM   #4
Myrion
LQ Newbie
 
Registered: Aug 2007
Posts: 5

Original Poster
Rep: Reputation: 0
thanks a bunch

Your reply was very helpful! I'll apply those changes and take a look at setting up the gateway properly. You would not believe how frustrating this has been!

Thanks again!
 
  

