Force route to local?

Gerd Knops gerti-netfilter at bitart.com
Sat Feb 19 19:33:09 CET 2005


Hello all,

I have been trying to solve this problem for many hours now and can't.  
I hope someone here might be able to give me some insight...

The situation: Debian sarge, 2.6.8 kernel.

Firewall machine with 2 ethernet interfaces. On the 'inside' interface  
a LAN, SNAT. On the 'outside' interface two WANs (INET1 and INET2  
below) with a few static IPs on each, 2 gateways (2 ISPs).

I use some minor iproute2 magic to make sure the systems responds  
correctly to requests coming from either ISP by choosing the gateway  
for outbound packets based on the source address.

Everything works fine except one detail: The systems on the LAN can not  
connect to the firewall system by using one of the 2 'external' IPs of  
the firewall system. I tried everything I could think of. The most  
obvious solution to me seemed to be to assign the 2 external addresses  
as aliases to the internal interface (tried both via  
/etc/network/interfaces and ip addr add), but that doesn't seem to  
work. The packets come in to the 'inside' interface, and no responses.  
I logged all dropped/rejected packets on the firewall, these packets do  
not show. So I guess it is a routing problem.

How do I force the packets with a certain IP address to be handled as  
local?

(BTW If you are wondering why: There are a bunch of web sites hosted on  
the firewall system. I could just add them all to the internal name  
server and return the local address. But I shouldn't have to...)

I'd be really grateful for any pointers, I am at my wits end. My  
configuration is listed below.

Gerd

###########################################################################
# Routing
###########################################################################
#
# One table per ISP/gateway
#
$IP route add to default via $INET1_GATEWAY table 1
$IP route add to default via $INET2_GATEWAY table 2

#
# Rules: Make sure local packets stay local
#
$IP rule add to ${INET1_IP}/$INET1_PREFIX table main priority 4200
$IP rule add to ${INET2_IP}/$INET2_PREFIX table main priority 4202
#
# Then route remaining packets to the appropriate gateway
#
$IP rule add from $INET1_IP table 1 priority 4240
$IP rule add from $INET2_IP table 2 priority 4242

#
# And set the default route
#
$IP route delete default
$IP route add to default via $INET1_GATEWAY
$IP route flush cache


###########################################################################
# Firewall
###########################################################################
# Default policies
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

# new tables
#
$IPTABLES -N bad_tcp_packets
$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets

# bad_tcp_packets
#
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
    -m state --state NEW -j LOG --log-prefix "New xxx:"
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
    -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
    --log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

# allowed
#
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

# tcp_packets
# HTTPD
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed

# udp_packets
# Nameserver
$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 53 -j ACCEPT

# icmp_packets
#
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# INPUT chain
#

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s ${LAN_IP}/${LAN_PREFIX} -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET1_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET2_IP -j ACCEPT

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

$IPTABLES -A INPUT -p ALL -d $INET1_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $INET2_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "

# FORWARD chain
#
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

# OUTPUT chain
#
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET1_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET2_IP -j ACCEPT
$IPTABLES -A OUTPUT -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

# Clear nat rules, add new rule
$IPTABLES -t nat -F
$IPTABLES -t nat -A POSTROUTING -s ${LAN_IP}/${LAN_PREFIX} -o $INET_IFACE \
    -j SNAT --to-source $MAIN_IP

# /proc set up
#
echo "1" > /proc/sys/net/ipv4/ip_forward
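The question comes down to which routing table the kernel consults for each packet, and the kernel answers that by walking the routing policy database (RPDB): rules in ascending priority, starting with the implicit rule 0 (table local) and ending with the implicit rule 32766 (table main); the first rule whose from/to selector matches and whose table actually holds a route for the destination wins. The model below is an added example, not code from Gerd's post; it encodes his `ip rule` lines with constructed addresses (RFC 5737 documentation ranges, interfaces eth0/eth1) standing in for $LAN_IP, $INET1_IP, $INET2_IP and the gateways, and then looks up both directions of a LAN host talking to the firewall's first external address. The extra rule at priority 4100 is an assumption of this example, added to show how a `to <LAN prefix> table main` rule changes the reply path.

```python
"""Model of the Linux routing policy database (RPDB) lookup order.

Added example, not code from the mailing-list post. All addresses,
interface names and the LAN host below are constructed values standing
in for the variables used in the posted script.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: Net
    dev: str
    via: Optional[IPv4] = None   # None = directly connected (or local delivery)


@dataclass(frozen=True)
class Rule:
    priority: int
    table: str
    src: Optional[Net] = None    # "ip rule ... from"
    dst: Optional[Net] = None    # "ip rule ... to"


def lookup_table(table, dst):
    """Longest-prefix match within one routing table; None if no route."""
    best = None
    for r in table:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def rpdb_lookup(rules, tables, src, dst):
    """Walk rules by ascending priority; the first rule whose selector
    matches AND whose table has a route for dst decides the path."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.src is not None and src not in rule.src:
            continue
        if rule.dst is not None and dst not in rule.dst:
            continue
        hit = lookup_table(tables[rule.table], dst)
        if hit is not None:
            return rule.table, hit
    raise LookupError(f"no route to {dst}")


# Constructed topology (documentation address ranges, not real hosts).
LAN_NET, LAN_IP = Net("192.168.1.0/24"), IPv4("192.168.1.1")
INET1_NET, INET1_IP, INET1_GW = Net("198.51.100.0/24"), IPv4("198.51.100.10"), IPv4("198.51.100.1")
INET2_NET, INET2_IP, INET2_GW = Net("203.0.113.0/24"), IPv4("203.0.113.10"), IPv4("203.0.113.1")
LAN_HOST = IPv4("192.168.1.50")

TABLES = {
    # Kernel-maintained table: every address configured on the box.
    "local": [Route(Net(f"{a}/32"), "lo") for a in (LAN_IP, INET1_IP, INET2_IP)],
    # Connected routes plus the default route the script sets.
    "main": [
        Route(LAN_NET, "eth0"),
        Route(INET1_NET, "eth1"),
        Route(INET2_NET, "eth1"),
        Route(Net("0.0.0.0/0"), "eth1", INET1_GW),
    ],
    "1": [Route(Net("0.0.0.0/0"), "eth1", INET1_GW)],   # per-ISP tables
    "2": [Route(Net("0.0.0.0/0"), "eth1", INET2_GW)],
}

# The rules from the post, plus the kernel's implicit local (0) and main (32766) rules.
POSTED_RULES = [
    Rule(0, "local"),
    Rule(4200, "main", dst=INET1_NET),
    Rule(4202, "main", dst=INET2_NET),
    Rule(4240, "1", src=Net(f"{INET1_IP}/32")),
    Rule(4242, "2", src=Net(f"{INET2_IP}/32")),
    Rule(32766, "main"),
]

# Hypothetical extra rule (an assumption of this example, not in the post):
# consult the main table for LAN-bound packets before the per-source rules.
FIXED_RULES = POSTED_RULES + [Rule(4100, "main", dst=LAN_NET)]


def inbound_path(rules=POSTED_RULES):
    """LAN host -> firewall's external IP: which table delivers it?"""
    table, _ = rpdb_lookup(rules, TABLES, LAN_HOST, INET1_IP)
    return table


def reply_path(rules=POSTED_RULES):
    """Firewall's external IP -> LAN host: (table, egress dev, gateway)."""
    table, hit = rpdb_lookup(rules, TABLES, INET1_IP, LAN_HOST)
    return table, hit.dev, hit.via


if __name__ == "__main__":
    print("inbound   :", inbound_path())           # local table delivers it
    print("reply     :", reply_path())             # table 1 -> eth1 via INET1_GW
    print("reply+rule:", reply_path(FIXED_RULES))  # main -> eth0, directly
```

In the model, the inbound packet is handled by the local table at priority 0 regardless of the later rules, while the reply from the external address to a LAN host falls through to the `from $INET1_IP table 1` rule and is sent toward the ISP gateway; with the additional `to <LAN prefix> table main` rule it is delivered on the LAN interface instead. On a real box the equivalent check is `ip route get <LAN host> from <external IP>`, which prints the rule/table decision the kernel would make for that reply.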
