NAT'ing a subnet for Internet access with IP tables

rookiepaul · 08-31-2010, 06:19 AM

All internal hosts can get to the VPC. But the VPC can only get to certain hosts on the office network. It's really strange. Example, my instance in the VPC can ping and file share with the secondary domain controller in the office, but not the primary. I have confirmed it is not a firewall issue. Packets are hitting the debian gateway but getting lost when destined for the primary domain controller and other hosts.

ifconfig -a only shows my physical and loopback interfaces. The Aliases for the ipsec tunnels were created using the following commands:

ip a a 169.254.254.1/30 dev eth1
ip a a 169.254.254.6/30 dev eth1

And I have to re-enter these commands every time I restart the box.

Here is what my iptables are looking like now and still don't seem to work:

Code:

#!/bin/sh

PATH=/usr/sbin:/sbin:/bin:/usr/bin

#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

#---------------#
iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 10.121.10.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 10.121.12.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 169.254.254.0/30 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 169.254.254.4/30 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 0.0.0.0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j LOG --log-prefix ' **DROPPED PACKETS INPUT** ' --log-level 4
iptables -A INPUT -j DROP
iptables -A FORWARD -s 10.121.10.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 10.121.12.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 169.254.254.0/30 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 169.254.254.4/30 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 0.0.0.0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -s 10.121.12.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -s 10.121.10.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -s 169.254.254.0/30 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -s 169.254.254.4/30 -j MASQUERADE
iptables -A FORWARD -j LOG --log-prefix ' **DROPPED PACKETS FORWARD** ' --log-level 4
iptables -A FORWARD -j DROP
echo 1 > /proc/sys/net/ipv4/ip_forward

When I added the 0.0.0.0/0 -m state rules for INPUT and FORWARD I'm able to access Windows update from the VPC instance! But nothing else. I can download updates for Windows even, but can't navigate away from it to other parts of the Microsoft site or other sites. Really weird.

What is going on?!

estabroo · 09-01-2010, 07:35 AM

I wonder if because of the way ipsec is working the packets are considered locally generated. Try putting in a nat rule in nat OUTPUT section

iptables -t nat -A OUTPUT -o eth1 -s 10.121.12.0/24 -j MASQUERADE

rookiepaul · 09-06-2010, 10:49 AM

When I add that to my rule set I get an invalid argument mate.

estabroo · 09-06-2010, 05:47 PM

sorry about that, I forgot that snat/masquerade aren't valid in the OUTPUT table.

Well next thing to try would be to switch to snat, maybe maquerade is picking the wrong outbound ip

iptables -t nat -A POSTROUTING -o eth1 -s 10.121.12.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -s 10.121.10.0/24 -j MASQUERADE

switch those to

iptables -t nat -A POSTROUTING -o eth1 -s 10.121.12.0/24 -j SNAT --to-source 213.121.253.nnn
iptables -t nat -A POSTROUTING -o eth1 -s 10.121.12.0/24 -j SNAT --to-source 213.121.253.nnn

where nnn is the last octect of that ip that's assigned on eth1