LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 10-03-2005, 10:15 PM   #1
quadfour
Member
 
Registered: Jul 2004
Posts: 32

Rep: Reputation: 17
iptables woes


I am trying to do something I thought would be easy with iptables, but it is proving to be difficult. The problem is that the PREROUTING chain in the nat table seems to either not be catching packets or to be ignoring them...

I have a network setup as follows:

Gateway - eth0: 192.168.0.2, eth0:1: 10.1.1.2, ppp0: x.x.x.x
DSL modem - 192.168.0.1
ATA - 10.1.1.1
other PCs - 192.168.0.*

I have the following hand written firewall script on the gateway:
-----------------------
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -F -t nat
iptables -N mine
iptables -F mine
iptables -F mine

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A POSTROUTING -t nat -o ppp0 -s 172.16.0.0/24 -d 0/0 -j MASQUERADE
iptables -A POSTROUTING -t nat -o ppp0 -s 10.1.1.0/24 -d 0/0 -j MASQUERADE
iptables -A POSTROUTING -t nat -o ppp0 -s 192.168.0.0/24 -d 0/0 -j MASQUERADE

iptables -A FORWARD -s 172.16.0.0/24 -d 0/0 -j ACCEPT
iptables -A FORWARD -s 10.1.1.0/24 -d 0/0 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -d 0/0 -j ACCEPT
iptables -A FORWARD -i ppp0 -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -p icmp -j mine
iptables -A INPUT -p tcp -m multiport --dports 80,25,443,22,20,21 -j mine
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j mine
iptables -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j mine

iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -p icmp -j mine
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED -j mine
iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED,RELATED -j mine

iptables -A mine -i ppp0 -j ACCEPT
iptables -A mine -o ppp0 -j ACCEPT
iptables -A INPUT -i ppp0 -j DROP
iptables -A OUTPUT -o ppp0 -j DROP
iptables -A FORWARD -j DROP
----------------------

The firewall may not be 'proper' but it seems to work. I also have a bunch of rules on the POSTROUTING chain in the nat table for QoS, which is working well. Now, the ATA on 10.1.1.1 is trying to connect to a machine on the net on port 123. tcpdump shows the source as 10.1.1.1.1026 and destination x.x.x.x.123.

I am trying to do DNAT, altering the destination of those packets. I have tried a rule as follows without success:

iptables -A PREROUTING -t nat -p udp --dport 123 -s 10.1.1.1/32 -j DNAT --to x.x.x.x:123

Since that didn't work, I decided to log all packets caught with the same rule, which was nil. Then I used the following rule:

iptables -A PREROUTING -t nat -j LOG

I was trying to work out if iptables was even seeing the packet. That rule above shows maybe 1 packet a minute on the gateway where traffic is constantly flying around between machines and ppp0 on the gateway.

So, I don't understand how iptables works with relation to what I want to do, and I don't know why the line above doesn't log all packets.

I'm probably doing something really retardedly stupid, but please tell me!
 
Old 10-04-2005, 04:18 AM   #2
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,291

Rep: Reputation: 62
I'm not that good with iptables myself, but I think the reason it's not working is that you haven't set the default INPUT, OUTPUT and FORWARD policies. Since you haven't done that, the default policy is to accept, so it will be forwarding your packets before it gets to the rules defined in your script; that's probably why it seems to be working well but you cannot get it to postroute.

Here's the script I'm working on; you can check it out, it may help:

http://www.linuxclan.com/downloads/l...ty/rc.firewall

Last edited by fotoguy; 10-04-2005 at 04:23 AM.
 
Old 10-04-2005, 04:59 AM   #3
quadfour
Member
 
Registered: Jul 2004
Posts: 32

Original Poster
Rep: Reputation: 17
I've now got the default policies in there with a few other lines as follows:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# input
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i eth0 -s 192.168.0.0/24 -d 0/0 -j ACCEPT
#output
iptables -A OUTPUT -o lo -s 0/0 -d 0/0 -j ACCEPT
iptables -A OUTPUT -o eth0 -d 0/0 -j ACCEPT


Still no change. Doing an iptables -A PREROUTING -t nat -j LOG shows a few stray packets only, nothing from 10.1.1.1.
 
Old 10-04-2005, 07:46 AM   #4
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,291

Rep: Reputation: 62
When you're routing traffic between two interfaces you only need to use the FORWARD chain; the INPUT and OUTPUT chains are only for connections to the router itself. Maybe have the rules like this:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP


# Load the module for nat table state

/sbin/modprobe ipt_state

# Allow connections from the internal network to connect to the router

iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j ACCEPT

# Allow all internal traffic out to the internet

iptables -A FORWARD -o ppp0 -s 192.168.0.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow only related or established connections from the internet back into internal network

iptables -A FORWARD -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# To mask all your internal machines to the external ip address that has been assigned
# to the external interface. uncomment which one applies.
#
# If your external ip address is assigned by DHCP server use this

#iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# If your ip address is statically assigned use this (replace 111.111.111.111 with your real ip address)

#iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to-source 111.111.111.111

I'm just having trouble understanding your setup: is your firewall connected to your ADSL modem, which connects to your ISP? How many network cards are in your firewall?

Another option: there are some very good scripts out there that may save you a lot of headaches.
 
Old 10-04-2005, 08:24 AM   #5
quadfour
Member
 
Registered: Jul 2004
Posts: 32

Original Poster
Rep: Reputation: 17
Thanks for the reply, but this does not really answer the question. The problem I have right now is seeing packets going through the PREROUTING chain in the nat table. For example, I can see packets going through the router with the FORWARD chain in the filter table with the following:

iptables -A FORWARD -j LOG

Yet I cannot see those same packets with this:

iptables -A PREROUTING -t nat -j LOG

I don't understand how or why that is since according to everything, the packets go through the PREROUTING chain before the FORWARD chain. Can iptables be ignoring them for another reason perhaps?
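The two LOG counters quadfour is comparing, modelled in an added example (not code from the thread or from the netfilter project). The model keeps only the pieces of the Netfilter path that matter here: a conntrack table with the kernel's default UDP timeouts (nf_conntrack_udp_timeout = 30 s, nf_conntrack_udp_timeout_stream = 180 s), a nat PREROUTING chain that is consulted for the first packet of a connection only, with the mapping it picks stored in the conntrack entry and reused for every later packet of that flow, and a FORWARD chain that sees every forwarded packet. Hosts, ports and the 16-second polling interval are constructed sample values; the DNAT rule is added while the ATA's NTP flow is already in the table.

```python
"""Toy model of the Netfilter path: conntrack + nat PREROUTING + FORWARD.

Added illustration, not netfilter code.  Timeouts are the kernel's UDP
defaults; hosts, ports and timing are constructed sample values.
"""
from dataclasses import dataclass

UDP_TIMEOUT = 30          # entry that has not yet seen a reply
UDP_STREAM_TIMEOUT = 180  # entry that has seen traffic in both directions


@dataclass
class Packet:
    t: int               # arrival time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    reply: bool = False  # True for the server's answer to a request


@dataclass
class Conn:
    key: tuple           # (src, sport, dst, dport) of the first packet seen
    nat_dst: str         # destination after DNAT (original dst if no rule hit)
    expires: int
    assured: bool = False


class Gateway:
    def __init__(self):
        self.conntrack = {}          # key -> Conn
        self.dnat_rules = []         # (src, dport, new_dst), in rule order
        self.nat_prerouting_log = 0  # hits "-t nat -A PREROUTING -j LOG" would record
        self.forward_log = 0         # hits "-A FORWARD -j LOG" would record

    def add_dnat(self, src, dport, new_dst):
        self.dnat_rules.append((src, dport, new_dst))

    def _expire(self, now):
        self.conntrack = {k: c for k, c in self.conntrack.items() if c.expires > now}

    def _find_reply(self, pkt):
        for c in self.conntrack.values():
            src, sport, _dst, dport = c.key
            if (pkt.src, pkt.sport, pkt.dst, pkt.dport) == (c.nat_dst, dport, src, sport):
                return c
        return None

    def handle(self, pkt):
        """Forward one packet; return the address it is actually delivered to."""
        self._expire(pkt.t)
        if pkt.reply:
            conn = self._find_reply(pkt)
            if conn is None:
                return None  # no entry: the state-match rules would drop it
            conn.assured = True
            conn.expires = pkt.t + UDP_STREAM_TIMEOUT
            self.forward_log += 1
            return conn.key[0]  # reverse NAT back to the client
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        conn = self.conntrack.get(key)
        if conn is None:
            # NEW connection: the only moment the nat PREROUTING chain runs
            self.nat_prerouting_log += 1
            nat_dst = pkt.dst
            for src, dport, new_dst in self.dnat_rules:
                if (pkt.src, pkt.dport) == (src, dport):
                    nat_dst = new_dst
                    break
            conn = Conn(key, nat_dst, pkt.t + UDP_TIMEOUT)
            self.conntrack[key] = conn
        else:
            # ESTABLISHED: nat table skipped, the stored mapping is applied
            conn.expires = pkt.t + (UDP_STREAM_TIMEOUT if conn.assured else UDP_TIMEOUT)
        self.forward_log += 1
        return conn.nat_dst


def scenario():
    """Replay the thread: a DNAT rule added while the ATA's NTP flow is alive."""
    gw = Gateway()
    ata, old_ntp, new_ntp = "10.1.1.1", "198.51.100.10", "203.0.113.20"

    def poll(t):
        # one NTP exchange: request from the ATA, answer from whichever server got it
        delivered = gw.handle(Packet(t, ata, 1026, old_ntp, 123))
        gw.handle(Packet(t + 1, delivered, 123, ata, 1026, reply=True))
        return delivered

    before = [poll(t) for t in range(0, 64, 16)]       # 4 polls, no rule yet
    gw.add_dnat(ata, 123, new_ntp)                      # rule added at t = 64
    during = [poll(t) for t in range(64, 640, 16)]     # 36 polls over ~10 minutes
    quiet = 624 + 1 + UDP_STREAM_TIMEOUT + 1           # ATA silent past the stream timeout
    after = poll(quiet)
    return {"before_rule": before, "while_flow_alive": during,
            "after_flow_expired": after,
            "nat_prerouting_log": gw.nat_prerouting_log,
            "forward_log": gw.forward_log}


if __name__ == "__main__":
    r = scenario()
    print("nat PREROUTING LOG hits:", r["nat_prerouting_log"])  # 2: one per NEW connection
    print("FORWARD LOG hits:", r["forward_log"])                # 82: every packet, both ways
    print("delivered while old flow alive:", set(r["while_flow_alive"]))
    print("delivered after it expired:", r["after_flow_expired"])
```

Over 41 polls the nat PREROUTING LOG fires twice (once per new connection) while the FORWARD LOG fires 82 times, which is the "1 packet a minute" versus "constantly flying around" difference in the first post. Because each NTP answer refreshes the assured entry to the 180-second stream timeout, the rule added at t = 64 never applies to the existing flow; only a packet arriving after the entry has expired starts a NEW connection and gets the new destination.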
 
Old 10-04-2005, 06:07 PM   #6
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,291

Rep: Reputation: 62
Quote:
Originally posted by quadfour

I don't understand how or why that is since according to everything, the packets go through the PREROUTING chain before the FORWARD chain. Can iptables be ignoring them for another reason perhaps?
I wonder if you may need to set the default policy for PREROUTING to ACCEPT:

iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

Sorry I'm not much help.
 
Old 10-04-2005, 10:33 PM   #7
quadfour
Member
 
Registered: Jul 2004
Posts: 32

Original Poster
Rep: Reputation: 17
As I said in the first post, it was probably me being retarded, and this is the case. What I've learned:

1) The PREROUTING chain is used for the first packet of the connection, not the others, and it can only change the first.
2) It takes time for a connection to be removed from the system's memory and for it to be thought of as a new connection.

It's all good now.

Thanks for your help, and I am using the suggestion of default policies.
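The check that would have shortened this thread, as an added example (not from the thread or from any netfilter tool): parse the conntrack table and list the live entries a would-be DNAT rule matches. While such an entry exists, every packet of that flow is ESTABLISHED, the nat table is never consulted for it, and the new rule does nothing until the entry times out or is deleted. The parser accepts the text of /proc/net/nf_conntrack and of `conntrack -L` (which omits the leading "ipv4 2" columns); the older /proc/net/ip_conntrack of 2005-era kernels uses the same key=value tokens without that prefix. The sample table is constructed, with documentation-range addresses; the function and variable names are my own.

```python
"""List conntrack entries that will hide a newly added DNAT rule (added example)."""

# Constructed sample: an assured NTP flow from the ATA, a TCP session and an
# unanswered DNS query.  Column layout follows /proc/net/nf_conntrack.
SAMPLE_TABLE = """\
ipv4     2 udp      17 174 src=10.1.1.1 dst=198.51.100.10 sport=1026 dport=123 src=198.51.100.10 dst=10.1.1.1 sport=123 dport=1026 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.0.10 dst=198.51.100.40 sport=40212 dport=443 src=198.51.100.40 dst=192.168.0.10 sport=443 dport=40212 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 12 src=192.168.0.10 dst=192.168.0.2 sport=50123 dport=53 [UNREPLIED] src=192.168.0.2 dst=192.168.0.10 sport=53 dport=50123 mark=0 zone=0 use=2
"""


def parse_conntrack(text):
    """Return one dict per entry: proto, timeout (seconds left), flags, orig/reply tuples."""
    entries = []
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        if toks[0] in ("ipv4", "ipv6"):      # /proc/net/nf_conntrack carries an L3 prefix
            toks = toks[2:]
        entry = {"proto": toks[0], "timeout": int(toks[2]),
                 "flags": set(), "orig": {}, "reply": {}}
        for tok in toks[3:]:
            if tok[:1] == "[" and tok[-1:] == "]":
                entry["flags"].add(tok[1:-1])        # [UNREPLIED], [ASSURED]
            elif "=" in tok:
                k, v = tok.split("=", 1)
                if k in ("src", "dst", "sport", "dport"):
                    # first occurrence of each key is the original direction,
                    # the second one is the reply direction
                    side = "orig" if k not in entry["orig"] else "reply"
                    entry[side][k] = v
        entries.append(entry)
    return entries


def masking_entries(entries, src, dport, proto="udp"):
    """Entries whose original direction a `-p PROTO -s SRC --dport DPORT` DNAT rule matches."""
    return [e for e in entries
            if e["proto"] == proto
            and e["orig"].get("src") == src
            and e["orig"].get("dport") == str(dport)]


def report(text, src, dport, proto="udp"):
    """One human-readable line per masking entry."""
    lines = []
    for e in masking_entries(parse_conntrack(text), src, dport, proto):
        o = e["orig"]
        state = "ASSURED" if "ASSURED" in e["flags"] else "not assured"
        lines.append(f"{proto} {o['src']}:{o['sport']} -> {o['dst']}:{o['dport']} "
                     f"({state}, {e['timeout']}s left)")
    return lines


if __name__ == "__main__":
    # On a live gateway, replace SAMPLE_TABLE with open("/proc/net/nf_conntrack").read()
    for line in report(SAMPLE_TABLE, "10.1.1.1", 123):
        print(line)
```

For the ATA's flow the report shows an assured entry with 174 seconds left, so the DNAT rule in the first post would only have applied once that entry had expired (each NTP exchange pushes it back out to the 180-second stream timeout) or been deleted. With conntrack-tools installed, `conntrack -D -p udp -s 10.1.1.1 --dport 123` removes the entry so the next packet is seen as NEW and passes through nat PREROUTING; that tool did not exist in 2005, when waiting for the timeout was the practical option.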
 
Old 10-04-2005, 11:19 PM   #8
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,291

Rep: Reputation: 62
Glad to hear it's all sorted now
 