Hello all,
I've got two network segments which I'm trying to separate with an iptables router / packet filter. This is my first real exposure to iptables (though lots of experience with other networking & firewall products), so the syntax and concepts are still a bit grey. If it matters, I'm using iptables-1.2.11-3.1.FC3.
The problem I'm experiencing is, iptables seems to be NATing traffic, when I want it to just forward/route.
INTERNET====NET1====IPTABLES====NET2
Example Interfaces (not actually addresses):
NET2 Device: 10.0.1.2/24
IPTables - NET2 Interface: 10.0.1.1/24
IPTables - NET1 Interface: 10.0.0.200/24
For example:
10.0.1.2 tries to get to the Internet...and does, however all traffic beyond 10.0.1.x is seen with a source address of 10.0.1.1. Despite that, pretty much all connectivity is working (in both directions). It seems as though it will hide the 'source' IP from the 'destination' network, but not vice versa. If I ping 10.0.1.2 from 10.0.0.x, I'll get replies, and the sniffer shows up the correct source, however if 10.0.1.2 generates traffic to 10.0.0.x, it will show up as 10.0.1.1. I just want to see all addresses on both sides. I don't even have a nat table, so I don't understand why it's doing it.
I'll post my iptables config, with the substituted IP addresses.
eth0 = NET1
eth1 = NET2
Any assistance you can provide would be most appreciated. Thanks in advance.
Code:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LOG_DROP - [0:0]
:OPEN_ICMP - [0:0]
## Accept Existing Connections
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
## Accept DHCP & ICMP Inbound to NET2
-A FORWARD -i eth0 -o eth1 -p udp -d 10.0.1.0/24 -m udp --dport 67:68 -j ACCEPT
-A FORWARD -d 10.0.1.0/24 -p icmp -j OPEN_ICMP
## Accept other protocols outbound from NET2
-A FORWARD -i eth1 -o eth0 -p tcp -m tcp --dport 25 -j ACCEPT
[SNIPPED OTHER IDENTICAL RULES FOR DIFFERENT PORTS]
-A FORWARD -i eth1 -o eth0 -p tcp -m tcp --dport 80 -j ACCEPT
## Log & Drop All Other Traffic
-A FORWARD -j LOG_DROP
## Allow Loopback Traffic
-A INPUT -d 127.0.0.1 -j ACCEPT
## SSH into IPTables server
-A INPUT -d 10.0.0.200/32 -p tcp -m tcp --dport 22 -j ACCEPT
## Ping both interfaces of IPTables server.
-A INPUT -d 10.0.0.200/32 -p icmp -j OPEN_ICMP
-A INPUT -d 10.0.1.1/32 -p icmp -j OPEN_ICMP
## Log & Drop All Other Traffic
-A INPUT -j LOG_DROP
## Allow all traffic outbound (assuming it is clean already).
-A OUTPUT -p tcp -j ACCEPT
-A OUTPUT -p udp -j ACCEPT
## Log and drop all other packets.
-A LOG_DROP -j LOG
-A LOG_DROP -j DROP
-A OPEN_ICMP -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
-A OPEN_ICMP -p icmp -m icmp --icmp-type echo-request -j ACCEPT
-A OPEN_ICMP -p icmp -m icmp --icmp-type source-quench -j ACCEPT
-A OPEN_ICMP -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
COMMIT
*mangle
:PREROUTING ACCEPT [444:43563]
## Drop TCP packets with invalid flag combinations (each rule listed once; the
## original dump repeated this block three times, which changes nothing).
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT
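Two things worth checking when a filter-only ruleset appears to be rewriting addresses: whether the kernel's nat table (which exists even when it is absent from a saved config) carries any MASQUERADE/SNAT/DNAT rule, and whether the ruleset contains duplicated rules, as the mangle block above did. The script below is an added example, not part of the poster's configuration: it audits a dump in iptables-save format for address-rewriting targets and for rules repeated within one table. The dump embedded in it is constructed for the demonstration; the function names are my own. Run it against a live box with `nat_rules "$(iptables-save)"`.

```shell
#!/usr/bin/env bash
# Audit an iptables-save dump for NAT targets and duplicated rules.
# SAMPLE_DUMP is a constructed dump, not the poster's real configuration.

SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Print every rule whose target rewrites source or destination addresses,
# prefixed with the table it lives in. Targets listed are the standard
# address-rewriting targets of the nat table.
nat_rules() {
  printf '%s\n' "$1" | awk '
    /^\*/ { table = substr($0, 2); next }
    /-j (MASQUERADE|SNAT|DNAT|NETMAP|REDIRECT)( |$)/ { print table ": " $0 }
  '
}

# Number of address-rewriting rules in the dump (0 means no NAT is configured).
count_nat_rules() {
  printf '%s\n' "$1" | awk '
    /-j (MASQUERADE|SNAT|DNAT|NETMAP|REDIRECT)( |$)/ { n++ }
    END { print n + 0 }
  '
}

# Print each rule that appears more than once within the same table,
# with its occurrence count. Duplicates are harmless but usually mean a
# setup script was appended to the live ruleset several times.
duplicate_rules() {
  printf '%s\n' "$1" | awk '
    /^\*/ { table = substr($0, 2); next }
    /^-A / { key = table ": " $0; seen[key]++ }
    END { for (k in seen) if (seen[k] > 1) print k " (x" seen[k] ")" }
  '
}

# Number of distinct rules that are duplicated somewhere in the dump.
count_duplicate_rules() {
  duplicate_rules "$1" | awk 'END { print NR }'
}

# Demonstration on the constructed dump.
echo "NAT rules found: $(count_nat_rules "$SAMPLE_DUMP")"
nat_rules "$SAMPLE_DUMP"
echo "Duplicated rules: $(count_duplicate_rules "$SAMPLE_DUMP")"
duplicate_rules "$SAMPLE_DUMP"
```

If `count_nat_rules` reports 0 on the live dump yet source addresses still change, the rewriting is happening somewhere other than this host's netfilter rules (for instance on a device in front of it), and the next check is a capture on each interface of the router to see on which hop the address changes.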