LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 10-02-2015, 10:58 AM   #1
andwhat03
NAT routing out the wrong interface


I set up an inline IPS with NAT + bridged interfaces and have a routing issue where the clients are routing out to the internet via the management interface and not via the bridged interface.

Note: the mgmt interface and the NAT'd bridge are on the same subnet.

If I disable the mgmt interface and reboot the box, it routes correctly and all is good.

Can someone please check out my setup and configs and show me how to get outbound internet traffic to use the bridge by default, and not the mgmt interface? Also, if you see a config that is a security concern or could be improved upon, please do tell.

I'm sure my issue is conceptual, or a lack thereof, that is.

Due to poor understanding of network theory, I've been putzing around with:
Code:
Use a different subnet for (br1)
Add another route table for (br1)
Add another default route rule for br1 with higher prio than (em1)
Here are the facts:

Expected flow:
Code:
WAN (br0) traffic is forwarded to a bridged LAN interface (br1), which is running SURICATA in IPS mode.
Clients return the outbound traffic to the same interface (br1) for inspection and then out the gateway (br0).
Clients will also communicate with em1 which is for dhcp/ssh/...
DHCP:
Code:
subnet 192.168.0.0 netmask 255.255.255.0 {
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.0.255;
option routers 192.168.0.254;
option domain-name-servers xxx.xxx.xxx.xxx;
}
IP addresses:
Code:
192.168.0.254/24 = GATEWAY INT.
192.168.0.252/24 = MGMT INT.
WAN.WAN.WAN.199 = WAN INT.
NICs:
Code:
WAN link connected to if/P1
LAN link is connected to if/P2
LAN link is connected to if/P3

P1 is bridged on BR0 -- wan
P2 is bridged on BR1 -- lan
P3 is the MGMT interface -- lan

BR0 MASQUERADE's to BR1
iptables:
Code:
# each table must end with COMMIT for iptables-restore to load it
*filter
-A FORWARD -i br1 -j ACCEPT
COMMIT

*nat
-A POSTROUTING -o br0 -j MASQUERADE
COMMIT

*mangle
-A PREROUTING -i br1 -m mark ! --mark 0x1/0x1 -j NFQUEUE --queue-num 0
COMMIT
route table:
Code:
ip route
default via WAN.WAN.WAN.1 dev br0 
WAN.WAN.WAN.0/22 dev br0  proto kernel  scope link  src WAN.WAN.WAN.199 
192.168.0.0/24 dev em1  proto kernel  scope link  src 192.168.0.252 
192.168.0.0/24 dev br1  proto kernel  scope link  src 192.168.0.254

ip rule
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default
Here's the interface conf:
Code:
auto p255p1 p255p2 br0 br1
iface p255p1 inet manual

iface br0 inet dhcp
  bridge_ports p255p1

iface p255p2 inet manual

iface br1 inet static
  bridge_ports p255p2
  address 192.168.0.254
  netmask 255.255.255.0

auto em1
iface em1 inet static
  address 192.168.0.252
  netmask 255.255.255.0
Client route table:
Code:
[peter@localhost ~]$ route 
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.0.254   0.0.0.0         UG    1024   0        0 wlp3s0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 wlp3s0
Client test
Code:
[localhost ~]$ traceroute google.com
traceroute to google.com (216.58.219.206), 30 hops max, 60 byte packets
 1  u1 (192.168.0.252)  0.841 ms  1.092 ms  1.179 ms
WAN address has been censored.

Last edited by andwhat03; 10-02-2015 at 11:26 AM.
 
Old 10-02-2015, 03:05 PM   #2
andwhat03
I think this guy might have the answer, I'm just confused on how to implement this.
 
Old 10-02-2015, 06:43 PM   #3
markdueck
You have 2 interfaces with the same IP range. How will the system know where to route what to? This would be the first thing I would change. At networking layer 3 the system will not know which interface each packet needs to go to. Once it's at layer 2, it knows which mac address is on which interface, but to have that mapping at layer 3 I'm not sure if that's possible.
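As an added example (not code from the thread), a small Python check that parses an `ip route` table like the one in post #1, flags the duplicate 192.168.0.0/24 prefix on em1 and br1 that markdueck describes, and shows which device the kernel picks for a destination. Assumptions: longest prefix wins, and on a tie the earlier table entry is assumed to win (consistent with the client's traceroute reply coming from 192.168.0.252 on em1); the censored WAN is replaced with the documentation prefix 203.0.113.0/22.

```python
import ipaddress

# Constructed sample: the poster's `ip route` output with the WAN censored
# addresses replaced by a documentation prefix.
SAMPLE_ROUTES = """\
default via 203.0.113.1 dev br0
203.0.113.0/22 dev br0  proto kernel  scope link  src 203.0.113.199
192.168.0.0/24 dev em1  proto kernel  scope link  src 192.168.0.252
192.168.0.0/24 dev br1  proto kernel  scope link  src 192.168.0.254
"""


def parse_routes(text):
    """Return [(network, dev)] in table order; 'default' becomes 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or "dev" not in fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(prefix, strict=False), dev))
    return routes


def duplicate_prefixes(routes):
    """Prefixes reachable through more than one device: the ambiguity in post #3."""
    by_prefix = {}
    for net, dev in routes:
        devs = by_prefix.setdefault(net, [])
        if dev not in devs:
            devs.append(dev)
    return {str(net): devs for net, devs in by_prefix.items() if len(devs) > 1}


def egress_device(routes, dest):
    """Longest-prefix match; on a tie the earlier table entry wins (assumption)."""
    addr = ipaddress.ip_address(dest)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    print("ambiguous prefixes:", duplicate_prefixes(table))
    print("reply to client 192.168.0.15 leaves via", egress_device(table, "192.168.0.15"))
```

With the poster's table the replies to 192.168.0.15 leave via em1, which is exactly the first hop the client's traceroute showed.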
 
Old 10-02-2015, 11:11 PM   #4
andwhat03
Thanks a bunch for taking the time to understand my issue.

I do assume too much. So giving the clients a gateway address doesn't mean it will use that interface to get out. I guess its purpose is to point the clients in the right direction.

Then, if this is the case, if I change the IP/subnet of the gateway, how will the clients see the gateway? Or is the right approach to have the client hit the box via the mgmt interface and use iptables to forward specific ports through the gateway? Seems like too much admin overhead.
 
Old 10-15-2015, 03:17 AM   #5
andwhat03
I got NAT working without any fancy routing, just not the way I want it, but it's working. Only two NICs in play here, one for the LAN and one for the WAN; I originally wanted 2 NICs for the LAN.

I'm still using a bridge, which is not necessary, or is it? Should I remove it?

I got this setup info from here

Working config.
NIC
Code:
# The loopback network interface
auto lo
iface lo inet loopback

# The primary / management network interface
auto em1
iface em1 inet static
  address 192.168.0.252
  netmask 255.255.255.0
  dns-nameservers #.#.#.#
  post-up for i in rx rxvlan tx tso sg gso gro txvlan; do ethtool -K em1 $i off; done
#########################################################################
# br0 Bridged interfaces for masquerade setup
# p255p1 goes to the modem/WAN 
 
iface p255p1 inet manual
  post-up echo 1 > /proc/sys/net/ipv6/conf/p255p1/disable_ipv6
  post-up for i in tx tso gro rxvlan txvlan; do ethtool -K p255p1 $i off; done

auto br0
iface br0 inet dhcp
  bridge_ports p255p1
  pre-up ip link set p255p1 promisc on arp off up
  post-down ip link set p255p1 promisc off down
  post-up echo 1 > /proc/sys/net/ipv6/conf/br0/disable_ipv6
  post-up for i in tx tso gro txvlan; do ethtool -K br0 $i off; done
  post-up iptables-restore < /etc/iptables.rules
FIREWALL
Code:
# Generated by iptables-save v1.4.21 on Fri Oct  9 08:43:03 2015
*raw
:PREROUTING ACCEPT [5982:3582480]
:OUTPUT ACCEPT [302:42984]
COMMIT

*nat
:PREROUTING ACCEPT [140:9187]
:INPUT ACCEPT [3:617]
:OUTPUT ACCEPT [5:268]
:POSTROUTING ACCEPT [3:164]
-A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
COMMIT

*filter
:INPUT DROP [2:116]
:FORWARD DROP [5:301]
:OUTPUT ACCEPT [6:308]
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -f -j DROP
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j NFQUEUE --queue-balance 0:3
-A INPUT -s 192.168.0.0/24 -m comment --comment "ACCESS FROM LAN" -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -j NFQUEUE --queue-balance 0:3
-A INPUT -p udp -m udp --sport 53 -j NFQUEUE --queue-balance 0:3
-A INPUT -p tcp -m tcp -m multiport --sports 80,443 -j NFQUEUE --queue-balance 0:3
-A INPUT -p tcp -m tcp -m multiport --dports 80,443 -j NFQUEUE --queue-balance 0:3
-A INPUT -p tcp -m tcp -m multiport --sports 20,21 -j NFQUEUE --queue-balance 0:3
-A INPUT -p tcp -m tcp -m multiport --dports 20,21 -j NFQUEUE --queue-balance 0:3
-A INPUT -p icmp -m icmp --icmp-type 0 -m limit --limit 1/sec -j NFQUEUE --queue-balance 0:3
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j NFQUEUE --queue-balance 0:3
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -f -j DROP
-A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j NFQUEUE --queue-balance 0:3
-A FORWARD -p tcp -m tcp --dport 53 -j NFQUEUE --queue-balance 0:3
-A FORWARD -p tcp -m tcp --sport 53 -j NFQUEUE --queue-balance 0:3
-A FORWARD -p udp -m udp --sport 53 -j NFQUEUE --queue-balance 0:3
-A FORWARD -p udp -m udp --dport 53 -j NFQUEUE --queue-balance 0:3
-A FORWARD -p tcp -m tcp -m multiport --sports 80,443 -j NFQUEUE --queue-balance 0:3
-A FORWARD -p tcp -m tcp -m multiport --dports 80,443 -j NFQUEUE --queue-balance 0:3
-A FORWARD -p tcp -m tcp -m multiport --sports 20,21 -j NFQUEUE --queue-balance 0:3
-A FORWARD -p tcp -m tcp -m multiport --dports 20,21 -j NFQUEUE --queue-balance 0:3
-A FORWARD -p icmp -m icmp --icmp-type 0 -m limit --limit 1/sec -j NFQUEUE --queue-balance 0:3
-A FORWARD -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j NFQUEUE --queue-balance 0:3
-A OUTPUT -d 192.168.0.0/24 -m comment --comment "ACCESS FROM LAN" -j ACCEPT
COMMIT
 
Old 10-15-2015, 04:12 AM   #6
andwhat03
Opening up BT

This is how I opened up torrent for one machine.

W.W.W.W = wan address

Code:
*nat
# inbound torrent ports arriving on the WAN bridge go to the one LAN host
-A PREROUTING -d W.W.W.W -i br0 -p tcp -m tcp -m multiport --dports 6881:6999 -m comment --comment TORRENT -j DNAT --to-destination 192.168.0.15
-A POSTROUTING -s 192.168.0.15/32 -o br0 -p tcp -m tcp -m multiport --sports 6881:6999 -m comment --comment TORRENT -j SNAT --to-source W.W.W.W
-A POSTROUTING -s 192.168.0.15/32 -o br0 -p tcp -m tcp -m multiport --dports 6881:6999 -m comment --comment TORRENT -j SNAT --to-source W.W.W.W
COMMIT

*filter
# both directions of that host's traffic are still handed to Suricata's queues
-A FORWARD -s 192.168.0.15/32 -j NFQUEUE --queue-balance 0:3
-A FORWARD -d 192.168.0.15/32 -j NFQUEUE --queue-balance 0:3
COMMIT

Last edited by andwhat03; 10-15-2015 at 07:18 AM.
Tags
iptable, nat, routing, sniffer, suricata