LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 08-16-2010, 06:04 AM   #1
rookiepaul
Member
 
Registered: Jul 2005
Posts: 73

Rep: Reputation: 15
NAT'ing a subnet for Internet access with IP tables


Hi all,

I have a debian box running as a gateway between my office network, the Internet and a remote subnet via a VPN. I have the office network and the remote subnet talking fine. The remote network is an Amazon VPC, which means that for any machines in it to access the Internet, you have to NAT the traffic at my debian box. Internet requests hit the box but seem to get lost. I think it's a fairly simple solution, but my knowledge of iptables is limited (trying to learn).

Office subnet: 10.121.10.0/24
Remote Amazon subnet: 101.121.12.0/24
Office gateway: 10.121.10.2

Current IP tables setup:

#!/bin/sh

PATH=/usr/sbin:/sbin:/bin:/usr/bin

#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections, and not those coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Don't forward from the outside to the inside.
iptables -A FORWARD -i eth1 -o eth1 -j REJECT

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward

Routing table on the debian box:

Destination Gateway Genmask Flags Metric Ref Use Iface
169.254.254.0 0.0.0.0 255.255.255.252 U 0 0 0 eth1
169.254.254.4 0.0.0.0 255.255.255.252 U 0 0 0 eth1
213.121.253.YYY 0.0.0.0 255.255.255.248 U 0 0 0 eth1
10.121.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.121.12.0 169.254.254.1 255.255.255.0 UG 100 0 0 eth1
0.0.0.0 213.121.253.XXX 0.0.0.0 UG 0 0 0 eth1


The 169.254.254.x addresses are the IPSec tunnels for the VPN. The gateway at Amazon is set up as it should be.

Many thanks

Paul.
 
Old 08-16-2010, 07:32 AM   #2
estabroo
Senior Member
 
Registered: Jun 2008
Distribution: debian, ubuntu, sidux
Posts: 1,127
Blog Entries: 2

Rep: Reputation: 124Reputation: 124
Quote:

# Don't forward from the outside to the inside.
iptables -A FORWARD -i eth1 -o eth1 -j REJECT

Looks like you are explicitly rejecting the traffic from the VPC from going to the internet, since it has to come in via eth1 and go out via eth1.
 
Old 08-16-2010, 08:10 AM   #3
rookiepaul
Member
 
Registered: Jul 2005
Posts: 73

Original Poster
Rep: Reputation: 15
I see, so can I keep that rule but have a condition to accept only traffic from the VPC on eth1?
 
Old 08-16-2010, 10:38 PM   #4
estabroo
Senior Member
 
Registered: Jun 2008
Distribution: debian, ubuntu, sidux
Posts: 1,127
Blog Entries: 2

Rep: Reputation: 124Reputation: 124
Yes, you can add a rule before that accepting VPC traffic; you'll probably need one for source and one for destination.
 
Old 08-17-2010, 05:46 AM   #5
rookiepaul
Member
 
Registered: Jul 2005
Posts: 73

Original Poster
Rep: Reputation: 15
Would you be able to help me with that rule? Like I said, my IPtables isn't all that good.

I've actually modified my script to look like this, but the Internet still doesn't work from the Amazon instance:

#!/bin/sh

PATH=/usr/sbin:/sbin:/bin:/usr/bin

#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic
#iptables -A INPUT -i lo -j ACCEPT

# Allow established connections, and not those coming from the outside
#iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT -m state --state NEW -i ! eth1 -j ACCEPT
#iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
#iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Don't forward from the outside to the inside.
#iptables -A FORWARD -i eth1 -o eth1 -j REJECT

# Enable routing.
#echo 1 > /proc/sys/net/ipv4/ip_forward



#---------------#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -s 10.121.12.0/24 -j ACCEPT
iptables -A INPUT -s 169.254.254.2/30 -j ACCEPT
iptables -A INPUT -s 169.254.254.1/30 -j ACCEPT
iptables -A INPUT -s 169.254.254.6/30 -j ACCEPT
iptables -A INPUT -s 169.254.254.5/30 -j ACCEPT
iptables -A INPUT -s 10.121.10.0/24 -j ACCEPT

iptables -A INPUT -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 10.121.12.0/24 -j ACCEPT
iptables -A FORWARD -s 169.254.254.2/30 -j ACCEPT
iptables -A FORWARD -s 169.254.254.1/30 -j ACCEPT
iptables -A FORWARD -s 169.254.254.6/30 -j ACCEPT
iptables -A FORWARD -s 169.254.254.5/30 -j ACCEPT
iptables -A FORWARD -s 10.121.10.0/24 -j ACCEPT

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A FORWARD -j DROP

echo 1 > /proc/sys/net/ipv4/ip_forward

Last edited by rookiepaul; 08-17-2010 at 06:17 AM.
 
Old 08-17-2010, 07:53 AM   #6
estabroo
Senior Member
 
Registered: Jun 2008
Distribution: debian, ubuntu, sidux
Posts: 1,127
Blog Entries: 2

Rep: Reputation: 124Reputation: 124
Probably just need to add a

iptables -A FORWARD -d 169.254.254.0/29 -j ACCEPT

That'd cover stuff going back to your IPsec addresses, and if you're not masq'ing the 10. address at Amazon or at the output of the VPN, then you'll also need a

iptables -A FORWARD -d 10.121.12.0/24 -j ACCEPT
 
Old 08-17-2010, 09:22 AM   #7
rookiepaul
Member
 
Registered: Jul 2005
Posts: 73

Original Poster
Rep: Reputation: 15
I have added both those commands and it hasn't made a difference. Is one of the other rules conflicting?
 
Old 08-17-2010, 09:42 PM   #8
estabroo
Senior Member
 
Registered: Jun 2008
Distribution: debian, ubuntu, sidux
Posts: 1,127
Blog Entries: 2

Rep: Reputation: 124Reputation: 124
I'd take out the DROP rule and see if it works; it could be that you need to put in some SNAT or masquerading to get it to work.
 
Old 08-18-2010, 05:35 AM   #9
rookiepaul
Member
 
Registered: Jul 2005
Posts: 73

Original Poster
Rep: Reputation: 15
Losing the DROP rule didn't make any difference.
 
Old 08-18-2010, 07:57 AM   #10
estabroo
Senior Member
 
Registered: Jun 2008
Distribution: debian, ubuntu, sidux
Posts: 1,127
Blog Entries: 2

Rep: Reputation: 124Reputation: 124
That masquerade is too encompassing. Try something like

iptables -t nat -A POSTROUTING -o eth1 -s 10.121.12.0/24 -j MASQUERADE

and if you need your local NAT'd as well

iptables -t nat -A POSTROUTING -o eth1 -s 10.121.10.0/24 -j MASQUERADE


You might want to run tcpdump on eth1 and see what packets are coming in and going out that are from the VPC.
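The following script pulls together what estabroo suggests in posts #6 and #10: explicit FORWARD accepts for the VPC traffic that comes in and goes back out on eth1, and a MASQUERADE rule limited to the two private subnets. It is an added example, not rookiepaul's script or anything posted in the thread. The subnets, interfaces and tunnel addresses are taken from the posts above; the default-DROP policies, the IKE/ESP input rules, the `! -d` exclusions that keep site-to-site traffic untranslated, the rate-limited LOG rule and the `send_redirects` sysctl are additions a defender would want and are not from the thread. The `run`, `ipt` and `apply_rules` names are the script's own.

```shell
#!/bin/sh
# Added example (not from the thread): hairpin NAT ruleset for the topology
# described above. Assumed from the posts: office LAN 10.121.10.0/24 on eth0,
# VPC subnet 10.121.12.0/24 reached through the IPsec tunnels on eth1,
# tunnel endpoints in 169.254.254.0/29, Internet via eth1.
# Run with "apply" to load the rules, or "dry-run" to print the commands.

OFFICE_NET=10.121.10.0/24
VPC_NET=10.121.12.0/24
TUNNEL_NET=169.254.254.0/29
LAN_IF=eth0
WAN_IF=eth1

# Execute a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

ipt() { run iptables "$@"; }

apply_rules() {
    # Start from a clean slate, then default to DROP so that every accepted
    # path below is an explicit decision rather than an accident of policy.
    ipt -F
    ipt -t nat -F
    ipt -t mangle -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # --- INPUT: traffic addressed to the gateway itself ---
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -s "$OFFICE_NET" -j ACCEPT
    ipt -A INPUT -s "$VPC_NET" -j ACCEPT
    ipt -A INPUT -s "$TUNNEL_NET" -j ACCEPT
    # IKE and ESP so the tunnels can be (re)negotiated from the Amazon side
    # (assumed: standard IPsec ports and protocol, not stated in the thread).
    ipt -A INPUT -i "$WAN_IF" -p udp --dport 500 -j ACCEPT
    ipt -A INPUT -i "$WAN_IF" -p udp --dport 4500 -j ACCEPT
    ipt -A INPUT -i "$WAN_IF" -p esp -j ACCEPT

    # --- FORWARD: traffic routed through the gateway ---
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Office -> VPC and office -> Internet both leave via eth1.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$OFFICE_NET" -j ACCEPT
    # VPC -> office.
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -s "$VPC_NET" -d "$OFFICE_NET" -j ACCEPT
    # VPC -> Internet: in and out on the same interface, the hairpin the
    # original "-i eth1 -o eth1 -j REJECT" rule was blocking. Only the VPC
    # subnet may do this; anything else arriving on eth1 hits the DROP policy.
    ipt -A FORWARD -i "$WAN_IF" -o "$WAN_IF" -s "$VPC_NET" -j ACCEPT
    # Log what the DROP policy is about to discard, rate-limited.
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "

    # --- NAT: only the two private subnets, and never towards the other
    # private subnet, so site-to-site traffic keeps its real addresses ---
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$VPC_NET" -j MASQUERADE
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$OFFICE_NET" ! -d "$VPC_NET" -j MASQUERADE

    run sysctl -w net.ipv4.ip_forward=1
    # Forwarding back out the receiving interface makes the kernel emit ICMP
    # redirects on eth1; they are useless across the tunnel, so turn them off.
    run sysctl -w "net.ipv4.conf.$WAN_IF.send_redirects=0"
}

case "${1:-}" in
    apply)   apply_rules ;;
    dry-run) DRY_RUN=1; apply_rules ;;
esac
```

The `! -d 10.121.12.0/24` on the office MASQUERADE rule matters: office-to-VPC packets also leave through eth1 (the route for 10.121.12.0/24 points at the tunnel endpoint), so a bare `-s 10.121.10.0/24 -o eth1 -j MASQUERADE` would rewrite their source and the VPC side would stop seeing office addresses. The dry-run mode is there so the generated rules can be reviewed before they touch a production gateway.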
 
Old 08-19-2010, 06:19 AM   #11
rookiepaul
Member
 
Registered: Jul 2005
Posts: 73

Original Poster
Rep: Reputation: 15
With those lines added to my script and pinging google from the VPC:

(debian-gateway):tcpdump -i eth1 dst 173.194.37.104
12:18:29.179639 IP zoovpcdc01.office.test.com > 173.194.37.104: ICMP echo request, id 512, seq 45320, length 40
12:18:34.408099 IP zoovpcdc01.office.test.com > 173.194.37.104: ICMP echo request, id 512, seq 45576, length 40
12:18:39.906902 IP zoovpcdc01.office.test.com > 173.194.37.104: ICMP echo request, id 512, seq 45832, length 40
12:18:45.412497 IP zoovpcdc01.office.test.com > 173.194.37.104: ICMP echo request, id 512, seq 46088, length 40

And then I get request timeouts on the VPC machine (zoovpcdc01).

Last edited by rookiepaul; 08-19-2010 at 07:14 AM.
 
Old 08-19-2010, 08:31 AM   #12
estabroo
Senior Member
 
Registered: Jun 2008
Distribution: debian, ubuntu, sidux
Posts: 1,127
Blog Entries: 2

Rep: Reputation: 124Reputation: 124
Can you change that dst to host and also use -n so it stays in IP form? I'm interested in seeing if you are getting packets coming back. Doesn't seem like it's being masq'd though; I'd have expected to see two packets, one incoming and one outgoing, the only difference being the IP change.
 
Old 08-19-2010, 09:20 AM   #13
rookiepaul
Member
 
Registered: Jul 2005
Posts: 73

Original Poster
Rep: Reputation: 15
15:22:33.255690 IP 10.121.12.4 > 173.194.37.104: ICMP echo request, id 512, seq 777, length 40
15:22:38.726264 IP 10.121.12.4 > 173.194.37.104: ICMP echo request, id 512, seq 1033, length 40
15:22:44.227303 IP 10.121.12.4 > 173.194.37.104: ICMP echo request, id 512, seq 1289, length 40
15:22:49.729765 IP 10.121.12.4 > 173.194.37.104: ICMP echo request, id 512, seq 1545, length 40

Then times out.
 
Old 08-20-2010, 10:42 AM   #14
estabroo
Senior Member
 
Registered: Jun 2008
Distribution: debian, ubuntu, sidux
Posts: 1,127
Blog Entries: 2

Rep: Reputation: 124Reputation: 124
That is not what I expected; we should see it twice at least, if not 4 times, since the outbound packet is coming in and going out the same interface, and the reply would do the same. Do you have any iproute2 stuff set up, like tables or rules that would alter the routing? You might want to do a tcpdump on eth0 and see if the traffic is getting misdirected out that interface.
 
Old 08-20-2010, 10:54 AM   #15
estabroo
Senior Member
 
Registered: Jun 2008
Distribution: debian, ubuntu, sidux
Posts: 1,127
Blog Entries: 2

Rep: Reputation: 124Reputation: 124
I think I understand part of my misconception. The IPsec stuff should have its own interface, I believe. If you do an ifconfig -a, do you see an ipsec0 (or something like that)?

So it might be we just need to adjust your routes. Can you currently get to your VPC from your internal stuff?
 