Mailing List Archive

SNAT trouble: Linux box ignores incoming packets
I've got a rather bizarre configuration: the Linux box has 4 ethernet
devices (eth0, eth1, eth2, and eth3). eth2 and eth3 face the Internet,
eth0 is the LAN.

I've configured SNAT so that it should give Internet access to the
192.168.91.0/24 network. Outgoing packets are translated correctly, and
the external server sends a reply. However, the reply packet seems to
be killed by iptables or otherwise ignored by the box (wireshark
shows it, but the packet isn't going anywhere else). Having said that,
I should note that SNAT for tcp port 4000 works fine (this one is
for an outgoing connection from the box to 192.168.91.254. I know this
line should be modified, but this is not the main trouble for now).

IP forwarding is turned on, and the iptables rules look like this:

# Generated by iptables-save v1.3.7 on Thu Aug 16 14:10:37 2007
*nat
:PREROUTING ACCEPT [70:7232]
:POSTROUTING ACCEPT [1:73]
:OUTPUT ACCEPT [1:73]
-A POSTROUTING -p ip -s 192.168.92.0/255.255.255.0 -d ! 192.168.92.0/24 -j SNAT --to-source <REALIP>
-A POSTROUTING -p ip -s 192.168.91.0/255.255.255.0 -d ! 192.168.91.0/24 -j LOG --log-prefix "SNAT "
-A POSTROUTING -p ip -s 192.168.91.0/255.255.255.0 -d ! 192.168.91.0/24 -j SNAT --to-source <REALIP>
-A POSTROUTING -p tcp -s ! 192.168.91.0/24 -d 192.168.91.0/24 --dport 4000 -j SNAT --to-source 192.168.91.223
-A PREROUTING -d <REALIP> -p tcp -m tcp --dport 4000 -j DNAT --to-destination 192.168.91.254
-A OUTPUT -d <REALIP> -p tcp -m tcp --dport 4000 -j DNAT --to-destination 192.168.91.254:4000
COMMIT
# Completed on Thu Aug 16 14:10:37 2007
# Generated by iptables-save v1.3.7 on Thu Aug 16 14:10:37 2007
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [7063:2716993]
:FWFORWARD - [0:0]
:FWINPUT - [0:0]
:INPUTDMZ - [0:0]
:INPUTINET - [0:0]
:INPUTETH2 - [0:0]
:INPUTETH3 - [0:0]
:INPUTLAN - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j FWINPUT
-A FORWARD -j FWFORWARD
-A OUTPUT -j ACCEPT
-A FWFORWARD -p tcp -d 192.168.91.254 --dport 4000 -j ACCEPT
-A FWFORWARD -i eth2 -j DROP
-A FWFORWARD -i eth3 -j DROP
-A FWFORWARD -p ip -d 192.168.92.0/255.255.255.0 -j DROP
-A FWFORWARD -p ip -d 192.168.91.0/255.255.255.0 -j DROP
-A FWFORWARD -j ACCEPT
-A FWINPUT -i lo -j ACCEPT
-A FWINPUT -p icmp -j ACCEPT
-A FWINPUT -i eth0 -j INPUTLAN
-A FWINPUT -i eth1 -j INPUTDMZ
-A FWINPUT -i eth2 -j INPUTINET
-A FWINPUT -i eth3 -j INPUTINET
-A FWINPUT -j DROP
-A INPUTDMZ -p ip -s ! 192.168.92.0/255.255.255.0 -j DROP
-A INPUTDMZ -p ip -d 192.168.91.0/24 -j DROP
-A INPUTDMZ -j ACCEPT
-A INPUTINET -d 192.168.91.0/24 -j ACCEPT
-A INPUTINET -d <REALIP> -j INPUTETH2
-A INPUTINET -d <REALIP> -j INPUTETH3
-A INPUTINET -j DROP
-A INPUTETH2 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUTETH2 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUTETH2 -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUTETH2 -p udp -m udp --dport 53 -j ACCEPT
-A INPUTETH2 -j DROP
-A INPUTETH3 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUTETH3 -p udp -m udp --dport 53 -j ACCEPT
-A INPUTETH3 -p tcp -m tcp --dport 4000 -j ACCEPT
-A INPUTETH3 -p tcp -m tcp --dport 6112 -j ACCEPT
-A INPUTETH3 -p tcp -m tcp --dport 6200 -j ACCEPT
-A INPUTETH3 -p tcp -m tcp --dport 6113 -j ACCEPT
-A INPUTETH3 -j DROP
-A INPUTLAN -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUTLAN -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUTLAN -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUTLAN -p ip -s 192.168.91.222 -j ACCEPT
-A INPUTLAN -p ip -s 192.168.91.254 -j ACCEPT
-A INPUTLAN -p ip -s 192.168.91.88 -j ACCEPT
-A INPUTLAN -p ip -s 192.168.91.233 -j ACCEPT
-A INPUTLAN -p ip -s 192.168.91.0/24 -d ! 192.168.92.0/24 -j ACCEPT
-A INPUTLAN -j DROP
COMMIT
# Completed on Thu Aug 16 14:10:37 2007
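Added example, not part of the original post: a small Python walk of the posted FWFORWARD chain, first-match as the kernel does it, with two constructed packets. Because conntrack reverses the SNAT in PREROUTING, the filter table already sees the LAN host as the destination of a reply, and the "-i eth2 -j DROP" / "-i eth3 -j DROP" lines sit before anything that would recognise an established flow (INPUT has such a rule, FORWARD does not). The second chain is the same rules with a RELATED,ESTABLISHED rule at the head; the external server 203.0.113.10, the LAN host 192.168.91.50 and the port numbers are assumptions for illustration, and the code is mine, not the poster's.

```python
"""Walk packets through the FWFORWARD chain from the post above.

Added example, not from the original post. The rules are copied from the
posted FWFORWARD chain; the packets, the external address 203.0.113.10 and
the LAN host 192.168.91.50 are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass
class Packet:
    in_iface: str               # interface the packet arrived on (-i)
    proto: str                  # "tcp", "udp", "icmp"
    src: str
    dst: str                    # as seen by the filter table, i.e. after PREROUTING NAT
    dport: Optional[int] = None
    state: str = "NEW"          # conntrack state: NEW, ESTABLISHED or RELATED


@dataclass
class Rule:
    target: str                          # ACCEPT or DROP
    in_iface: Optional[str] = None
    proto: Optional[str] = None          # "ip" matches every protocol, as in the post
    dst: Optional[str] = None            # CIDR
    dport: Optional[int] = None
    states: Optional[frozenset] = None   # -m state --state ...

    def matches(self, pkt: Packet) -> bool:
        if self.in_iface is not None and pkt.in_iface != self.in_iface:
            return False
        if self.proto not in (None, "ip") and pkt.proto != self.proto:
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.states is not None and pkt.state not in self.states:
            return False
        return True


def walk(chain, pkt: Packet, policy: str = "DROP") -> Tuple[str, Optional[int]]:
    """First-match evaluation, like the kernel: return (verdict, index of the
    rule that fired); index None means the chain policy was applied."""
    for i, rule in enumerate(chain):
        if rule.matches(pkt):
            return rule.target, i
    return policy, None


# FWFORWARD exactly as posted (the FORWARD policy is DROP).
FWFORWARD_AS_POSTED = [
    Rule("ACCEPT", proto="tcp", dst="192.168.91.254/32", dport=4000),
    Rule("DROP", in_iface="eth2"),
    Rule("DROP", in_iface="eth3"),
    Rule("DROP", proto="ip", dst="192.168.92.0/24"),
    Rule("DROP", proto="ip", dst="192.168.91.0/24"),
    Rule("ACCEPT"),
]

# Same chain with a conntrack rule at the head, mirroring the one INPUT
# already has. New connections arriving on eth2/eth3 are still dropped.
FWFORWARD_WITH_STATE = [
    Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})),
] + FWFORWARD_AS_POSTED

# Constructed: the web server's reply to a SNATed LAN connection. Conntrack
# reversed the SNAT in PREROUTING, so FORWARD sees the LAN host as dst.
SNAT_REPLY = Packet(in_iface="eth2", proto="tcp", src="203.0.113.10",
                    dst="192.168.91.50", dport=40000, state="ESTABLISHED")

# Constructed: an inbound connection to the DNATed port 4000 service.
PORT_4000_INBOUND = Packet(in_iface="eth3", proto="tcp", src="203.0.113.10",
                           dst="192.168.91.254", dport=4000, state="NEW")


if __name__ == "__main__":
    for name, chain in (("as posted", FWFORWARD_AS_POSTED),
                        ("with state rule", FWFORWARD_WITH_STATE)):
        for label, pkt in (("SNAT reply", SNAT_REPLY),
                           ("port 4000 inbound", PORT_4000_INBOUND)):
            verdict, idx = walk(chain, pkt)
            print(f"{name:16} {label:18} -> {verdict} (rule {idx})")
```

The walk shows why port 4000 behaves differently: that traffic hits the explicit ACCEPT in the first rule, while a SNAT reply falls through to the interface drop. On the real box the same thing is visible in the per-rule counters of "iptables -vnL FWFORWARD", where the "-i eth2 -j DROP" or "-i eth3 -j DROP" line increments once per lost reply.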
Re: SNAT trouble: Linux box ignores incoming packets
Sorry admin:

I tried to read your rules, but reading them is some sort of "guessing" about
which address space is linked with which interface.

Which public interface is the LAN using (eth2 or eth3)? Is eth1 useless in
your configuration?

Is the LAN supposed to send the traffic via eth2 or eth3? What can we see
with

ip a

ip r

?

Jorge Dávila.

On Thu, 16 Aug 2007 18:59:03 +0400
admin <admin@tsvrn.ru> wrote:
> I've got a rather bizarre configuration: the Linux box has 4 ethernet
> devices (eth0, eth1, eth2, and eth3). eth2 and eth3 face the Internet,
> eth0 is the LAN.
>
> I've configured SNAT so that it should give Internet access to the
> 192.168.91.0/24 network. Outgoing packets are translated correctly, and
> the external server sends a reply. However, the reply packet seems to
> be killed by iptables or otherwise ignored by the box (wireshark
> shows it, but the packet isn't going anywhere else). Having said that,
> I should note that SNAT for tcp port 4000 works fine (this one is
> for an outgoing connection from the box to 192.168.91.254. I know this
> line should be modified, but this is not the main trouble for now).
>
> IP forwarding is turned on, and the iptables rules look like this:
>
> # Generated by iptables-save v1.3.7 on Thu Aug 16 14:10:37 2007
> *nat
> :PREROUTING ACCEPT [70:7232]
> :POSTROUTING ACCEPT [1:73]
> :OUTPUT ACCEPT [1:73]
> -A POSTROUTING -p ip -s 192.168.92.0/255.255.255.0 -d ! 192.168.92.0/24 -j SNAT --to-source <REALIP>
> -A POSTROUTING -p ip -s 192.168.91.0/255.255.255.0 -d ! 192.168.91.0/24 -j LOG --log-prefix "SNAT "
> -A POSTROUTING -p ip -s 192.168.91.0/255.255.255.0 -d ! 192.168.91.0/24 -j SNAT --to-source <REALIP>
> -A POSTROUTING -p tcp -s ! 192.168.91.0/24 -d 192.168.91.0/24 --dport 4000 -j SNAT --to-source 192.168.91.223
> -A PREROUTING -d <REALIP> -p tcp -m tcp --dport 4000 -j DNAT --to-destination 192.168.91.254
> -A OUTPUT -d <REALIP> -p tcp -m tcp --dport 4000 -j DNAT --to-destination 192.168.91.254:4000
> COMMIT
> # Completed on Thu Aug 16 14:10:37 2007
> # Generated by iptables-save v1.3.7 on Thu Aug 16 14:10:37 2007
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [7063:2716993]
> :FWFORWARD - [0:0]
> :FWINPUT - [0:0]
> :INPUTDMZ - [0:0]
> :INPUTINET - [0:0]
> :INPUTETH2 - [0:0]
> :INPUTETH3 - [0:0]
> :INPUTLAN - [0:0]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -j FWINPUT
> -A FORWARD -j FWFORWARD
> -A OUTPUT -j ACCEPT
> -A FWFORWARD -p tcp -d 192.168.91.254 --dport 4000 -j ACCEPT
> -A FWFORWARD -i eth2 -j DROP
> -A FWFORWARD -i eth3 -j DROP
> -A FWFORWARD -p ip -d 192.168.92.0/255.255.255.0 -j DROP
> -A FWFORWARD -p ip -d 192.168.91.0/255.255.255.0 -j DROP
> -A FWFORWARD -j ACCEPT
> -A FWINPUT -i lo -j ACCEPT
> -A FWINPUT -p icmp -j ACCEPT
> -A FWINPUT -i eth0 -j INPUTLAN
> -A FWINPUT -i eth1 -j INPUTDMZ
> -A FWINPUT -i eth2 -j INPUTINET
> -A FWINPUT -i eth3 -j INPUTINET
> -A FWINPUT -j DROP
> -A INPUTDMZ -p ip -s ! 192.168.92.0/255.255.255.0 -j DROP
> -A INPUTDMZ -p ip -d 192.168.91.0/24 -j DROP
> -A INPUTDMZ -j ACCEPT
> -A INPUTINET -d 192.168.91.0/24 -j ACCEPT
> -A INPUTINET -d <REALIP> -j INPUTETH2
> -A INPUTINET -d <REALIP> -j INPUTETH3
> -A INPUTINET -j DROP
> -A INPUTETH2 -p tcp -m tcp --dport 80 -j ACCEPT
> -A INPUTETH2 -p tcp -m tcp --dport 25 -j ACCEPT
> -A INPUTETH2 -p tcp -m tcp --dport 110 -j ACCEPT
> -A INPUTETH2 -p udp -m udp --dport 53 -j ACCEPT
> -A INPUTETH2 -j DROP
> -A INPUTETH3 -p tcp -m tcp --dport 80 -j ACCEPT
> -A INPUTETH3 -p udp -m udp --dport 53 -j ACCEPT
> -A INPUTETH3 -p tcp -m tcp --dport 4000 -j ACCEPT
> -A INPUTETH3 -p tcp -m tcp --dport 6112 -j ACCEPT
> -A INPUTETH3 -p tcp -m tcp --dport 6200 -j ACCEPT
> -A INPUTETH3 -p tcp -m tcp --dport 6113 -j ACCEPT
> -A INPUTETH3 -j DROP
> -A INPUTLAN -p tcp -m tcp --dport 25 -j ACCEPT
> -A INPUTLAN -p tcp -m tcp --dport 110 -j ACCEPT
> -A INPUTLAN -p tcp -m tcp --dport 3128 -j ACCEPT
> -A INPUTLAN -p ip -s 192.168.91.222 -j ACCEPT
> -A INPUTLAN -p ip -s 192.168.91.254 -j ACCEPT
> -A INPUTLAN -p ip -s 192.168.91.88 -j ACCEPT
> -A INPUTLAN -p ip -s 192.168.91.233 -j ACCEPT
> -A INPUTLAN -p ip -s 192.168.91.0/24 -d ! 192.168.92.0/24 -j ACCEPT
> -A INPUTLAN -j DROP
> COMMIT
> # Completed on Thu Aug 16 14:10:37 2007

Jorge Isaac Davila Lopez
Nicaragua Open Source
+505 430 5462
davila@nicaraguaopensource.com