Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
|
08-16-2010, 05:04 AM
|
#1
|
Member
Registered: Jul 2005
Posts: 73
Rep:
|
NAT'ing a subnet for Internet access with IP tables
Hi all,
I have a debian box running as a gateway between my office network, the Internet and a remote subnet via a VPN. I have the office network and the remote subnet talking fine. The remote network is an Amazon VPC which means that for any machines in it to access the Internet, you have to NAT the traffic at my debian box. Internet requests hit the box but seem to get lost. I think it's a fairly simple solution but I'm knowledge of IP tables is limited (trying to learn).
Office subnet: 10.121.10.0/24
Remote Amazon subnet: 101.121.12.0/24
Office gateway: 10.121.10.2
Current IP tables setup:
#!/bin/sh
PATH=/usr/sbin:/sbin:/bin:/usr/bin
#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# Allow established connections, and not those coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outgoing connections from the LAN side.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# Don't forward from the outside to the inside.
iptables -A FORWARD -i eth1 -o eth1 -j REJECT
# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
Routing table on the debian box:
Destination Gateway Genmask Flags Metric Ref Use Iface
169.254.254.0 0.0.0.0 255.255.255.252 U 0 0 0 eth1
169.254.254.4 0.0.0.0 255.255.255.252 U 0 0 0 eth1
213.121.253.YYY 0.0.0.0 255.255.255.248 U 0 0 0 eth1
10.121.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.121.12.0 169.254.254.1 255.255.255.0 UG 100 0 0 eth1
0.0.0.0 213.121.253.XXX 0.0.0.0 UG 0 0 0 eth1
The 169.254.254.x addresses are the IPSec tunnels for the VPN. The gateway at Amazon is set up as it should be.
Many thanks
Paul.
|
|
|
08-16-2010, 06:32 AM
|
#2
|
Senior Member
Registered: Jun 2008
Distribution: debian, ubuntu, sidux
Posts: 1,127
Rep:
|
Quote:
# Don't forward from the outside to the inside.
iptables -A FORWARD -i eth1 -o eth1 -j REJECT
# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
Routing table on the debian box:
Destination Gateway Genmask Flags Metric Ref Use Iface
169.254.254.0 0.0.0.0 255.255.255.252 U 0 0 0 eth1
169.254.254.4 0.0.0.0 255.255.255.252 U 0 0 0 eth1
213.121.253.YYY 0.0.0.0 255.255.255.248 U 0 0 0 eth1
10.121.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.121.12.0 169.254.254.1 255.255.255.0 UG 100 0 0 eth1
0.0.0.0 213.121.253.XXX 0.0.0.0 UG 0 0 0 eth1
The 169.254.254.x addresses are the IPSec tunnels for the VPN. The gateway at Amazon is set up as it should be.
Many thanks
Paul.
|
Looks like you are explicitly rejecting the traffic from the VPC from going to the internet, since it has to come in via eth1 and go out via eth1
|
|
|
08-16-2010, 07:10 AM
|
#3
|
Member
Registered: Jul 2005
Posts: 73
Original Poster
Rep:
|
I see, so can I keep that rule but have a condition to accept only traffic from the VPC on eth1?
|
|
|
08-16-2010, 09:38 PM
|
#4
|
Senior Member
Registered: Jun 2008
Distribution: debian, ubuntu, sidux
Posts: 1,127
Rep:
|
Yes you can add a rule before that accepting VPC traffic, you'll probably need one for source and one for destination
|
|
|
08-17-2010, 04:46 AM
|
#5
|
Member
Registered: Jul 2005
Posts: 73
Original Poster
Rep:
|
Would you be able to help me with that rule? Like I said, my IPtables isn't all that good.
I've actually modified my script to look like this, but the Internet still doesn't work from the Amazon instance:
#!/bin/sh
PATH=/usr/sbin:/sbin:/bin:/usr/bin
#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
# Always accept loopback traffic
#iptables -A INPUT -i lo -j ACCEPT
# Allow established connections, and not those coming from the outside
#iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT -m state --state NEW -i ! eth1 -j ACCEPT
#iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outgoing connections from the LAN side.
#iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# Don't forward from the outside to the inside.
#iptables -A FORWARD -i eth1 -o eth1 -j REJECT
# Enable routing.
#echo 1 > /proc/sys/net/ipv4/ip_forward
#---------------#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 10.121.12.0/24 -j ACCEPT
iptables -A INPUT -s 169.254.254.2/30 -j ACCEPT
iptables -A INPUT -s 169.254.254.1/30 -j ACCEPT
iptables -A INPUT -s 169.254.254.6/30 -j ACCEPT
iptables -A INPUT -s 169.254.254.5/30 -j ACCEPT
iptables -A INPUT -s 10.121.10.0/24 -j ACCEPT
iptables -A INPUT -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 10.121.12.0/24 -j ACCEPT
iptables -A FORWARD -s 169.254.254.2/30 -j ACCEPT
iptables -A FORWARD -s 169.254.254.1/30 -j ACCEPT
iptables -A FORWARD -s 169.254.254.6/30 -j ACCEPT
iptables -A FORWARD -s 169.254.254.5/30 -j ACCEPT
iptables -A FORWARD -s 10.121.10.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A FORWARD -j DROP
echo 1 > /proc/sys/net/ipv4/ip_forward
Last edited by rookiepaul; 08-17-2010 at 05:17 AM.
|
|
|
08-17-2010, 06:53 AM
|
#6
|
Senior Member
Registered: Jun 2008
Distribution: debian, ubuntu, sidux
Posts: 1,127
Rep:
|
probably just need to add a
iptables -A FORWARD -d 169.254.254.0/29 -j ACCEPT
that'd cover stuff going back to your ipsec addresses and if your not masq'ing the 10. address at the amazon or at the output of the vpn then you'll also need a
iptables -A FORWARD -d 10.121.12.0/24 -j ACCEPT
|
|
|
08-17-2010, 08:22 AM
|
#7
|
Member
Registered: Jul 2005
Posts: 73
Original Poster
Rep:
|
I have added both those commands and it hasn't made a difference. Is one of the other rules conflicting?
|
|
|
08-17-2010, 08:42 PM
|
#8
|
Senior Member
Registered: Jun 2008
Distribution: debian, ubuntu, sidux
Posts: 1,127
Rep:
|
I'd take out the DROP rule and see if it works, could be you need to put in some snat or masquerading to get it to work
|
|
|
08-18-2010, 04:35 AM
|
#9
|
Member
Registered: Jul 2005
Posts: 73
Original Poster
Rep:
|
Losing the DROP rule didn't make any difference.
|
|
|
08-18-2010, 06:57 AM
|
#10
|
Senior Member
Registered: Jun 2008
Distribution: debian, ubuntu, sidux
Posts: 1,127
Rep:
|
That masquerade is too encompassing. try something like
iptables -t nat -A POSTROUTING -o eth1 -s 10.121.12.0/24 -j MASQUERADE
and if you need your local nat'd as well
iptables -t nat -A POSTROUTING -o eth1 -s 10.121.10.0/24 -j MASQUERADE
you might want to run tcpdump on eth1 and see what packets are coming in and going out that are from the vpc
|
|
|
08-19-2010, 05:19 AM
|
#11
|
Member
Registered: Jul 2005
Posts: 73
Original Poster
Rep:
|
With those lines added to my script and pinging google from the VPC:
(debian-gateway):tcpdump -i eth1 dst 173.1.94.37.104
12:18:29.179639 IP zoovpcdc01.office.test.com > 173.194.37.104: ICMP echo request, id 512, seq 45320, length 40
12:18:34.408099 IP zoovpcdc01.office.test.com > 173.194.37.104: ICMP echo request, id 512, seq 45576, length 40
12:18:39.906902 IP zoovpcdc01.office.test.com > 173.194.37.104: ICMP echo request, id 512, seq 45832, length 40
12:18:45.412497 IP zoovpcdc01.office.test.com > 173.194.37.104: ICMP echo request, id 512, seq 46088, length 40
And then I get request timeouts on the VPC machine (zoovpcdc01).
Last edited by rookiepaul; 08-19-2010 at 06:14 AM.
|
|
|
08-19-2010, 07:31 AM
|
#12
|
Senior Member
Registered: Jun 2008
Distribution: debian, ubuntu, sidux
Posts: 1,127
Rep:
|
can you change that dst to host and also use -n so it stays in ip form? I'm interested in seeing if you are getting packets coming back. Doesn't seem like it's being masq'd though, i'd have expected to see two packets, one incoming and one outgoing only difference being ip change
|
|
|
08-19-2010, 08:20 AM
|
#13
|
Member
Registered: Jul 2005
Posts: 73
Original Poster
Rep:
|
15:22:33.255690 IP 10.121.12.4 > 173.194.37.104: ICMP echo request, id 512, seq 777, length 40
15:22:38.726264 IP 10.121.12.4 > 173.194.37.104: ICMP echo request, id 512, seq 1033, length 40
15:22:44.227303 IP 10.121.12.4 > 173.194.37.104: ICMP echo request, id 512, seq 1289, length 40
15:22:49.729765 IP 10.121.12.4 > 173.194.37.104: ICMP echo request, id 512, seq 1545, length 40
Then times out.
|
|
|
08-20-2010, 09:42 AM
|
#14
|
Senior Member
Registered: Jun 2008
Distribution: debian, ubuntu, sidux
Posts: 1,127
Rep:
|
That is not what I expected, we should see it twice at least if not 4 times, since the outbound packet is coming in and going out the same interface, and the reply would do the same. Do you have any iproute2 stuff setup like tables or rules that would alter the routing? might want to do a tcpdump on eth0 and see if the traffic is getting mis-directed out that interface.
|
|
|
08-20-2010, 09:54 AM
|
#15
|
Senior Member
Registered: Jun 2008
Distribution: debian, ubuntu, sidux
Posts: 1,127
Rep:
|
I think I understand part of my misconception. The ipsec stuff should have its own interface I believe
if you do an ifconfig -a do you see an ipsec0 (or something like that)
So it might be we just need to adjust your routes. Can you currently get to your vpc from your internal stuff?
|
|
|
All times are GMT -5. The time now is 01:30 AM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|