LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   IPTables Undesired NATing (https://www.linuxquestions.org/questions/linux-security-4/iptables-undesired-nating-342927/)

Wraezor 07-13-2005 05:44 PM
IPTables Undesired NATing
 
Hello all,

I've got two network segments which I'm trying to separate with an iptables router / packet filter. This is my first real exposure to iptables (though lots of experience with other networking & firewall products), so the syntax and concepts are still a bit grey. If it matters, I'm using iptables-1.2.11-3.1.FC3.

The problem I'm experiencing is, iptables seems to be NATing traffic, when I want it to just forward/route.

INTERNET====NET1====IPTABLES====NET2

Example Interfaces (not actually addresses):
NET2 Device: 10.0.1.2/24
IPTables - NET2 Inteface: 10.0.1.1/24
IPTables - NET1 Inteface: 10.0.0.200/24

For example:
10.0.1.2 tries to get to the Internet...and does, however all traffic beyond 10.0.1.x is seen with a source address of 10.0.1.1. Despite that, pretty much all connectivity is working (in both directions). It seems as though it will hide the 'source' IP from the 'destination' network, but not vice versa. If I ping 10.0.1.2 from 10.0.0.x, I'll get replies, and the sniffer shows up the correct source, however if 10.0.1.2 generates traffic to 10.0.0.x, it will show up as 10.0.1.1. I just want to see all addresses on both sides. I don't even have a nat table, so I don't understand why it's doing it.

I'll post my ip-tables config, with the substituted IP addresses.
eth0 = NET1
eth1 = NET2

Any assistance you can provide would be most appreciated. Thanks in advance.
Code:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LOG_DROP - [0:0]
:OPEN_ICMP - [0:0]

## Accept Existing Connections
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

## Accept DHCP & ICMP Inbound to NET2
-A FORWARD -i eth0 -o eth1 -p udp -d 10.0.1.0/24 -m udp --dport 67:68 -j ACCEPT
-A FORWARD -d 10.0.1.0/24 -p icmp -j OPEN_ICMP

## Accept other protocols outbound from NET2
-A FORWARD -i eth1 -o eth0 -p tcp -m tcp --dport 25 -j ACCEPT
[SNIPPED OTHER IDENTICAL RULES FOR DIFFERENT PORTS]
-A FORWARD -i eth1 -o eth0 -p tcp -m tcp --dport 80 -j ACCEPT

## Log & Drop All Other Traffic
-A FORWARD -j LOG_DROP


## Allow Loopback Traffic
-A INPUT -d 127.0.0.1 -j ACCEPT

## SSH into IPTables server
-A INPUT -d 10.0.0.200/32 -p tcp -m tcp --dport 22 -j ACCEPT

## Ping both interfaces of IPTables server.
-A INPUT -d 10.0.0.200/32 -p icmp -j OPEN_ICMP
-A INPUT -d 10.0.1.1/32 -p icmp -j OPEN_ICMP

## Log & Drop All Other Traffic
-A INPUT  -j LOG_DROP

## Allow all traffic outbound (assuming it is clean already).
-A OUTPUT -p tcp -j ACCEPT
-A OUTPUT -p udp -j ACCEPT

## Log and drop all other packets.
-A LOG_DROP -j LOG
-A LOG_DROP -j DROP

-A OPEN_ICMP -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
-A OPEN_ICMP -p icmp -m icmp --icmp-type echo-request -j ACCEPT
-A OPEN_ICMP -p icmp -m icmp --icmp-type source-quench -j ACCEPT
-A OPEN_ICMP -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
COMMIT


*mangle
:PREROUTING ACCEPT [444:43563]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT

Capt_Caveman 07-13-2005 06:51 PM
It doesn't look like you have any rules that would SNAT or Masquerade. Are you sure you don't have any rules in the NAT table? Check "iptables -t nat -L" to be sure.

Wraezor 07-14-2005 09:19 AM
SOLVED
 
That was the problem...thanks.

I checked it and found this:
Code:
# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target    prot opt source              destination

Chain POSTROUTING (policy ACCEPT)
target    prot opt source              destination
SNAT      all  --  anywhere            anywhere            to:10.0.0.200
SNAT      all  --  anywhere            anywhere            to:10.0.1.1

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination
So I issued the following command and it fixed it:
Code:
iptables -t nat --flush
I wrongly thought that 'iptables-restore' would wipe out any existing configuration, even on tables and chains that it didn't specify. Now I know.

Thanks again.

Michael Johnson 07-15-2005 05:09 AM
I beleive you should also do an "iptables-save" to save your current configuration. If you reboot for any reason your old configuration will more than likely be read in and you may be back where you started.
The "iptables-restore" actually reads the previously saved tables. That is why restoring would not have worked.


All times are GMT -5. The time now is 03:21 AM.