Proteus Guru
Joined: 14 Jul 2002 Posts: 346 Location: Hamburg, Germany
Posted: Tue Jan 14, 2003 12:55 am Post subject: iptables SNAT problem |
Hi!
I am trying to use Gentoo as a router. Everything works fine with this rule (there are more, but they are not important for this):
Quote:
$IPTABLES -t nat -A POSTROUTING -o eth1 -j SNAT --to 192.168.0.50
But if I change this to
Quote:
$IPTABLES -t nat -A POSTROUTING -o eth1 -j SNAT --to 192.168.0.50-192.168.0.60
it stops working! The documentation on the netfilter HP says it should work, but it does not. Can anyone help me? Does anyone know more than what is listed here: http://www.iptables.org/documentation/HOWTO//NAT-HOWTO-6.html#ss6.1
_________________
Greetings,
Proteus
delta407 Bodhisattva
Joined: 23 Apr 2002 Posts: 2876 Location: Chicago, IL
Posted: Tue Jan 14, 2003 1:09 am Post subject: |
Proteus wrote:
Does anyone know more than what is listed here:

`man iptables` does.
Code:
SNAT
    This target is only valid in the nat table, in the POSTROUTING chain.
    It specifies that the source address of the packet should be modified
    (and all future packets in this connection will also be mangled), and
    rules should cease being examined. It takes one type of option:

    --to-source ipaddr[-ipaddr][:port-port]
        which can specify a single new source IP address, an inclusive
        range of IP addresses, and optionally, a port range (which is
        only valid if the rule also specifies -p tcp or -p udp). If no
        port range is specified, then source ports below 512 will be
        mapped to other ports below 512: those between 512 and 1023
        inclusive will be mapped to ports below 1024, and other ports
        will be mapped to 1024 or above. Where possible, no port
        alteration will occur.

    You can add several --to-source options. If you specify more
    than one source address, either via an address range or multiple
    --to-source options, a simple round-robin (one after another in
    cycle) takes place between these addresses.

_________________
I don't believe in witty sigs.
Proteus Guru
Joined: 14 Jul 2002 Posts: 346 Location: Hamburg, Germany
Posted: Tue Jan 14, 2003 1:21 am Post subject: |
I tried that one before as well...
I did not mention it because I saw that definition on a third party site before and thought it might be a typo.
Quote:
$IPTABLES -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.50-192.168.0.60
This has the same effect - disabling Internet access....
Maybe my complete firewall script may help (I am new at this and looked everywhere to put this together):
Quote:
#!/sbin/runscript
IPTABLES=/sbin/iptables
IPTABLESSAVE=/var/lib/iptables/iptables-save
IPTABLESRESTORE=/var/lib/iptables/iptables-restore
FIREWALL=/etc/firewall.rules
DNS1=194.25.0.68
DNS2=194.25.0.60
# eth0
IIP=192.168.1.1
IINTERFACE=eth0
LOCAL_NETWORK=192.168.1.0/24
# eth1
OIP=192.168.0.50
OINTERFACE=eth1
#SERVICES="http smtp"
SERVICES="ssh http"
opts="${opts} showstatus panic save restore showoptions rules"

depend() {
    need net
}

rules() {
    stop
    ebegin "Setting /proc options."
    /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
    /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
    /bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    /bin/echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
    /bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
    /bin/echo "0" > /proc/sys/net/ipv4/tcp_timestamps
    /bin/echo "1" > /proc/sys/net/ipv4/tcp_syncookies
    einfo "Enabling IP-forwarding"
    /bin/echo "1" > /proc/sys/net/ipv4/ip_forward
    einfo "Reducing DoS'ing ability by reducing timeouts"
    /bin/echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
    /bin/echo "2400" > /proc/sys/net/ipv4/tcp_keepalive_time
    /bin/echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
    /bin/echo "0" > /proc/sys/net/ipv4/tcp_sack
    einfo "Setting Firewall rules"
    einfo "Setting default rule to drop"
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P INPUT DROP
    einfo "Adding myfilter chain"
    #myfilter chain:
    #this chain contains rules common to our FORWARD and INPUT chains, all in one place.
    #first, we create a new "myfilter" chain;
    #then, we add a rule to accept ESTABLISHED and RELATED connections from anywhere;
    #then, we add a rule to accept NEW connections coming in from anywhere but our untrusted eth1 interface;
    #then, we add a rule to log any incoming INVALID packets;
    #then, we add a rule to reject any incoming tcp connection with tcp-reset for fast, stealthy disconnect;
    #then, we add a rule to reject any not-yet-handled connections with icmp-port-unreachable.
    #everything else falls off the end of this chain and goes back to the next rule (if any) in the
    #parent INPUT or FORWARD chain.
    $IPTABLES -N myfilter
    $IPTABLES -A myfilter -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A myfilter -m state --state NEW -i ! eth1 -j ACCEPT
    $IPTABLES -A myfilter -m state --state INVALID -j LOG --log-prefix "INVALID:" --log-level warning
    $IPTABLES -A myfilter -p tcp -j REJECT --reject-with tcp-reset
    $IPTABLES -A myfilter -j REJECT --reject-with icmp-port-unreachable
    einfo "Setting rules for SAMBA-Broadcast-Blocking"
    #SMB-Traffic
    $IPTABLES -N SMB
    $IPTABLES -A SMB -p tcp --dport 137 -j DROP
    $IPTABLES -A SMB -p tcp --dport 138 -j DROP
    $IPTABLES -A SMB -p tcp --dport 139 -j DROP
    $IPTABLES -A SMB -p tcp --dport 445 -j DROP
    $IPTABLES -A SMB -p udp --dport 137 -j DROP
    $IPTABLES -A SMB -p udp --dport 138 -j DROP
    $IPTABLES -A SMB -p udp --dport 139 -j DROP
    $IPTABLES -A SMB -p udp --dport 445 -j DROP
    $IPTABLES -A SMB -p tcp --sport 137 -j DROP
    $IPTABLES -A SMB -p tcp --sport 138 -j DROP
    $IPTABLES -A SMB -p tcp --sport 139 -j DROP
    $IPTABLES -A SMB -p tcp --sport 445 -j DROP
    $IPTABLES -A SMB -p udp --sport 137 -j DROP
    $IPTABLES -A SMB -p udp --sport 138 -j DROP
    $IPTABLES -A SMB -p udp --sport 139 -j DROP
    $IPTABLES -A SMB -p udp --sport 445 -j DROP
    #INPUT chain:
    #first, we loop through our SERVICES variable and add a rule for each public service on our firewall;
    #then, we add a rule to log any pings to our firewall box from the Internet (max 1/minute);
    #then, we add a rule to accept up to 2 pings per second to our firewall box from the Internet;
    #then, we drop SMB traffic via the SMB chain (this has to come before myfilter: myfilter accepts
    #or rejects every packet it sees, so a chain appended after it would never be reached);
    #then, we direct any traffic that doesn't match these rules to our standard myfilter chain.
    #everything else falls off the end of this chain and gets a default policy of DENY.
    local x
    for x in $SERVICES
    do
        $IPTABLES -A INPUT -p tcp --dport ${x} -m state --state NEW -j ACCEPT
    done
    $IPTABLES -A INPUT -p icmp -i eth1 --icmp-type echo-request -m limit --limit 1/minute -j LOG --log-prefix "PING:" --log-level notice
    $IPTABLES -A INPUT -p icmp -i eth1 --icmp-type echo-request -m limit --limit 2/second -j ACCEPT
    $IPTABLES -A INPUT -j SMB
    $IPTABLES -A INPUT -j myfilter
    #FORWARD chain:
    #drop SMB traffic first, then hand all other FORWARD traffic to our myfilter chain.
    #if any traffic were to make it through the myfilter chain, it would fall off the end of the FORWARD
    #chain and get a default policy of DENY.
    $IPTABLES -A FORWARD -j SMB
    $IPTABLES -A FORWARD -j myfilter
    #Set up SNAT
    $IPTABLES -t nat -A POSTROUTING -o eth1 -j SNAT --to 192.168.0.50
    einfo "Firewall active!"
    eend $?
}

start() {
    ebegin "Starting firewall"
    if [ -e "${FIREWALL}" ]; then
        restore
    else
        einfo "${FIREWALL} does not exist. Using default rules."
        rules
    fi
    eend $?
}

stop() {
    ebegin "Stopping firewall"
    $IPTABLES -F INPUT
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -F FORWARD
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -F OUTPUT
    $IPTABLES -P OUTPUT ACCEPT
    #rules calls stop before anything has been created, so only touch the nat table and our
    #own chains when they exist (otherwise iptables prints "Table does not exist" and
    #"No chain/target/match by that name").
    if $IPTABLES -t nat -n -L >/dev/null 2>&1; then
        $IPTABLES -t nat -F POSTROUTING
        $IPTABLES -t nat -F PREROUTING
    fi
    local chain
    for chain in myfilter SMB
    do
        if $IPTABLES -n -L ${chain} >/dev/null 2>&1; then
            $IPTABLES -F ${chain}
            $IPTABLES -X ${chain}
        fi
    done
    eend $?
}

showstatus() {
    ebegin "Status"
    $IPTABLES -L -n -v --line-numbers
    einfo "NAT status"
    $IPTABLES -L -n -v --line-numbers -t nat
    eend $?
}

panic() {
    ebegin "Setting panic rules"
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -t nat -F
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    eend $?
}

save() {
    ebegin "Saving Firewall rules"
    $IPTABLESSAVE > $FIREWALL
    eend $?
}

restore() {
    ebegin "Restoring Firewall rules"
    $IPTABLESRESTORE < $FIREWALL
    eend $?
}

restart() {
    svc_stop; svc_start
}

showoptions() {
    echo "Usage: $0 {start|save|restore|panic|stop|restart|rules|showstatus}"
    echo "start) will restore settings if they exist, else force rules"
    echo "stop) delete all rules and set all to accept"
    echo "rules) force settings of new rules"
    echo "save) will store settings in ${FIREWALL}"
    echo "restore) will restore settings from ${FIREWALL}"
    echo "showstatus) Shows the status"
}
Also, when I start this I get an error that does not seem to stop things but is also unexplainable to me:
Quote:
/etc/init.d/firewall start
 * Starting firewall...
 * /etc/firewall.rules does not exists. Using default rules.
 * Stopping firewall...
iptables: No chain/target/match by that name
iptables: Table does not exist (do you need to insmod?)
iptables: No chain/target/match by that name
iptables: Table does not exist (do you need to insmod?)    [ !! ]
 * Setting /proc options....
 * Enabling IP-forwarding
 * Reducing DoS'ing ability by reducing timeouts
 * Setting Firewall rules
 * Setting default rule to drop
 * Adding myfilter chain
 * Setting rules for SAMBA-Broadcast-Blocking
 * Firewall active!
I am really sorry for posting so much, but I do not know what else I can do....
_________________
Greetings,
Proteus
AngelKnight Tux's lil' helper
Joined: 14 Jan 2003 Posts: 127
Posted: Tue Jan 14, 2003 3:27 am Post subject: SNAT altering multiple source IP addresses |
Hi. One thing to check, since you didn't mention it, and since you said that it works out with the 1 IP but not with the 11, is to make sure that your machine is actually able to respond to pings on the other 10 IPs.
SNAT won't work unless the network stack of the machine doing the SNAT is actually responding to traffic on all the SNAT IP addresses. Check to see that you have alias interfaces off of your eth1.
This may not be the only problem, but without the machine listening on all the IP addresses 192.168.0.50 - 192.168.0.60, things won't work.
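An added check for the point made above (my example, not code from the thread or from Gentoo): it expands the SNAT range with the same inclusive semantics as --to-source and lists the addresses that are not configured on the outbound interface, so the rule is only loaded once the router will answer ARP for all of them. configured_on and check_interface are assumed helper names, and the live check assumes iproute2's `ip` is installed.

```shell
#!/bin/sh
# Added example, not code from the thread. Before loading a rule such as
#   iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.50-192.168.0.60
# make sure every address in the range is configured on the outbound interface:
# the kernel only answers ARP for addresses it owns, so replies to any other address never reach the router.

# Dotted quad <-> integer helpers (octets without leading zeros expected).
ip2int() { local IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )); }
int2ip() { echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"; }

# Expand "a.b.c.d-e.f.g.h" (or a single address) to one address per line,
# with the same inclusive semantics as --to-source.
expand_range() {
    local lo hi i
    lo=$(ip2int "${1%%-*}")
    if [ "${1#*-}" = "$1" ]; then hi=$lo; else hi=$(ip2int "${1#*-}"); fi
    i=$lo
    while [ "$i" -le "$hi" ]; do
        int2ip "$i"
        i=$((i + 1))
    done
}

# Print the addresses of range $1 that are absent from the whitespace-separated
# list of configured addresses in $2.
missing_aliases() {
    local a list
    list=" $(printf '%s ' $2)"   # one space around every entry
    for a in $(expand_range "$1"); do
        case "$list" in
            *" $a "*) ;;
            *) echo "$a" ;;
        esac
    done
}

# Addresses currently configured on an interface, read with iproute2 (assumed present).
configured_on() { ip -4 -o addr show dev "$1" | awk '{ print $4 }' | cut -d/ -f1; }
# Compare a SNAT range with a live interface; returns 1 and lists the gaps
# when aliases are missing. Hypothetical usage: check_interface 192.168.0.50-192.168.0.60 eth1
check_interface() {
    local missing
    missing=$(missing_aliases "$1" "$(configured_on "$2")")
    [ -z "$missing" ] && return 0
    echo "addresses in $1 not configured on $2 (add aliases for them):" >&2
    echo "$missing" >&2
    return 1
}
if [ $# -eq 2 ]; then check_interface "$1" "$2"; fi
```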
Proteus Guru
Joined: 14 Jul 2002 Posts: 346 Location: Hamburg, Germany
Posted: Tue Jan 14, 2003 2:05 pm Post subject: |
Hey!
I never knew that I had to do something like aliasing...
Question now: How do I do it?
_________________
Greetings,
Proteus
jukka Apprentice
Joined: 06 Jun 2002 Posts: 249 Location: Zurich, Switzerland
Posted: Wed Jan 15, 2003 1:32 am Post subject: |
Proteus wrote:
How do I do it?

edit 'alias_ethN="..."' in /etc/conf.d/net
Proteus Guru
Joined: 14 Jul 2002 Posts: 346 Location: Hamburg, Germany
Posted: Wed Jan 15, 2003 2:20 pm Post subject: |
Thanks a lot! It now works without any problems!
Thanks everyone for your help!
_________________
Greetings,
Proteus