LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 07-13-2005, 05:44 PM   #1
Wraezor
LQ Newbie
 
Registered: Apr 2005
Distribution: FC 2/3/4 & RHES 3/4
Posts: 15

Rep: Reputation: 0
IPTables Undesired NATing


Hello all,

I've got two network segments which I'm trying to separate with an iptables router / packet filter. This is my first real exposure to iptables (though lots of experience with other networking & firewall products), so the syntax and concepts are still a bit grey. If it matters, I'm using iptables-1.2.11-3.1.FC3.

The problem I'm experiencing is, iptables seems to be NATing traffic, when I want it to just forward/route.

INTERNET====NET1====IPTABLES====NET2

Example Interfaces (not actually addresses):
NET2 Device: 10.0.1.2/24
IPTables - NET2 Inteface: 10.0.1.1/24
IPTables - NET1 Inteface: 10.0.0.200/24

For example:
10.0.1.2 tries to get to the Internet...and does, however all traffic beyond 10.0.1.x is seen with a source address of 10.0.1.1. Despite that, pretty much all connectivity is working (in both directions). It seems as though it will hide the 'source' IP from the 'destination' network, but not vice versa. If I ping 10.0.1.2 from 10.0.0.x, I'll get replies, and the sniffer shows up the correct source, however if 10.0.1.2 generates traffic to 10.0.0.x, it will show up as 10.0.1.1. I just want to see all addresses on both sides. I don't even have a nat table, so I don't understand why it's doing it.

I'll post my ip-tables config, with the substituted IP addresses.
eth0 = NET1
eth1 = NET2

Any assistance you can provide would be most appreciated. Thanks in advance.
Code:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LOG_DROP - [0:0]
:OPEN_ICMP - [0:0]

## Accept Existing Connections
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

## Accept DHCP & ICMP Inbound to NET2
-A FORWARD -i eth0 -o eth1 -p udp -d 10.0.1.0/24 -m udp --dport 67:68 -j ACCEPT
-A FORWARD -d 10.0.1.0/24 -p icmp -j OPEN_ICMP

## Accept other protocols outbound from NET2
-A FORWARD -i eth1 -o eth0 -p tcp -m tcp --dport 25 -j ACCEPT
[SNIPPED OTHER IDENTICAL RULES FOR DIFFERENT PORTS]
-A FORWARD -i eth1 -o eth0 -p tcp -m tcp --dport 80 -j ACCEPT

## Log & Drop All Other Traffic
-A FORWARD -j LOG_DROP


## Allow Loopback Traffic
-A INPUT -d 127.0.0.1 -j ACCEPT

## SSH into IPTables server
-A INPUT -d 10.0.0.200/32 -p tcp -m tcp --dport 22 -j ACCEPT

## Ping both interfaces of IPTables server.
-A INPUT -d 10.0.0.200/32 -p icmp -j OPEN_ICMP
-A INPUT -d 10.0.1.1/32 -p icmp -j OPEN_ICMP

## Log & Drop All Other Traffic
-A INPUT  -j LOG_DROP

## Allow all traffic outbound (assuming it is clean already).
-A OUTPUT -p tcp -j ACCEPT
-A OUTPUT -p udp -j ACCEPT

## Log and drop all other packets.
-A LOG_DROP -j LOG
-A LOG_DROP -j DROP

-A OPEN_ICMP -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
-A OPEN_ICMP -p icmp -m icmp --icmp-type echo-request -j ACCEPT
-A OPEN_ICMP -p icmp -m icmp --icmp-type source-quench -j ACCEPT
-A OPEN_ICMP -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
COMMIT


*mangle
:PREROUTING ACCEPT [444:43563]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT
 
Old 07-13-2005, 06:51 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
It doesn't look like you have any rules that would SNAT or Masquerade. Are you sure you don't have any rules in the NAT table? Check "iptables -t nat -L" to be sure.
 
Old 07-14-2005, 09:19 AM   #3
Wraezor
LQ Newbie
 
Registered: Apr 2005
Distribution: FC 2/3/4 & RHES 3/4
Posts: 15

Original Poster
Rep: Reputation: 0
SOLVED

That was the problem...thanks.

I checked it and found this:
Code:
# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  anywhere             anywhere            to:10.0.0.200
SNAT       all  --  anywhere             anywhere            to:10.0.1.1

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
So I issued the following command and it fixed it:
Code:
iptables -t nat --flush
I wrongly thought that 'iptables-restore' would wipe out any existing configuration, even on tables and chains that it didn't specify. Now I know.

Thanks again.
 
Old 07-15-2005, 05:09 AM   #4
Michael Johnson
Member
 
Registered: Jul 2005
Location: Wagga Wagga, Australia
Posts: 262

Rep: Reputation: 30
I beleive you should also do an "iptables-save" to save your current configuration. If you reboot for any reason your old configuration will more than likely be read in and you may be back where you started.
The "iptables-restore" actually reads the previously saved tables. That is why restoring would not have worked.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Problem with NATing gpagedar Linux - Networking 5 01-28-2006 08:04 PM
Required IPTables restart after each boot for NATing?? Nickj Linux - Networking 4 10-13-2005 03:16 AM
iptables twice nating beno123 Linux - Networking 0 07-27-2005 02:41 AM
IP range nating problem szekelyz Linux - Networking 2 09-03-2003 06:29 PM
Nating ... suvajit Linux - Networking 3 05-15-2003 07:09 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 03:28 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration