NAT to client - repost / reply

varun_saa at vsnl.net varun_saa at vsnl.net
Sat Apr 30 04:08:11 CEST 2005


On Thu, Apr 28, 2005 at 11:22:21AM +0500, varun_saa at vsnl.net wrote:

>> Hello,
>>      My server is om Mandrake 10.1
>> eth0 is WAN with static IP connected to 512K DSL.
>> eth1 is LAN - 192.168.0.0/24.
>> 
>> I have the iptables rules :
>> 
>> # Generated by iptables-save v1.2.9 on Tue Apr 26 14:50:01 2005
>> *nat
>> :OUTPUT ACCEPT [0:0]
>> :PREROUTING ACCEPT [0:0]
>> :POSTROUTING ACCEPT [0:0]
>> -A POSTROUTING -o eth0 -j MASQUERADE


so you MASQ all outbound traffic

Well should I or not. I am not sure
I have a static IP and my subnets are

192.168.0.0/24

192.168.21.0/24

Is it possible to reflect them in my masq rule ?

Thanks

Varun

>> COMMIT
>> # Completed on Tue Apr 26 14:50:01 2005
>> # Generated by iptables-save v1.2.9 on Tue Apr 26 14:50:01 2005
>> *mangle
>> :PREROUTING ACCEPT [707:100355]
>> :INPUT ACCEPT [704:99811]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [541:74129]
>> :POSTROUTING ACCEPT [611:85191]
>> COMMIT
>> # Completed on Tue Apr 26 14:50:01 2005
>> # Generated by iptables-save v1.2.9 on Tue Apr 26 14:50:01 2005
>> *filter
>> :FORWARD ACCEPT [0:0]
>> :INPUT DROP [0:0]
>> :OUTPUT ACCEPT [0:0]


the policies of FORWARD and OUTPUT are set to ACCEPT.


>> -A INPUT -j ACCEPT


and hey--so is INPUT.  no further rule in INPUT will ever be matched as
you just accepted all packets.


>> -A INPUT -s 127.0.0.1 -j ACCEPT


normally written as "-A INPUT -i lo -j ACCEPT"


>> -A INPUT -p tcp -m tcp -i eth1 --dport 3128 --sport 80 -j ACCEPT


the source port of traffic destined to a squid proxy is not 80, it's
1024:65535...why do i *constantly* see this in rules sets?


>> -A INPUT -p udp -m udp -i eth1 --dport 3128 --sport 80 -j ACCEPT


and it's tcp only, not udp.


>> -A INPUT -s 62.0.0.0/255.0.0.0 -i eth0 -j REJECT
>> -A INPUT -p tcp -m tcp -s 217.81.0.0/255.255.0.0 -i eth0 -j REJECT
>> -A INPUT -i eth0 -j DROP
>> -A INPUT -p tcp -m tcp -i eth1 --sport 80 -j DROP
>> -A INPUT -m state -i eth1 --state ESTABLISHED,RELATED -j ACCEPT


again--all of those are completely irrelevant.  good thing too--since
you're not allowing any ESTABLISHED,RELATED to come back through eth0,
which i guess is pretty secure, but it'd be less hassle to just power
off the firewall and cancel your ISP service.


>> -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>> -A FORWARD -p tcp -i eth1 -o eth0 --dport 25 --sport 1024: -j ACCEPT  --syn 
>> -A FORWARD -p tcp -i eth1 -o eth0 --dport 110 --sport 1024: -j ACCEPT  --syn 
>> -A FORWARD -p tcp -i eth1 -o eth0 --dport 1863 --sport 1024: -j ACCEPT  --syn 
>> -A FORWARD -p tcp -i eth1 -o eth0 --dport 5050 --sport 1024: -j ACCEPT  --syn 


those all look pretty good; but remember, you set the policy of FORWARD
to ACCEPT, so any packets not matching the above rules will make it
through anyways.


>> -A OUTPUT -p udp --dport 53 --sport 1024: -j ACCEPT
>> -A OUTPUT -p tcp -m owner -o eth0 --dport 80 --sport 1024: --uid-owner squid -j ACCEPT  --syn 


nice work there.  oh, and since the policy of OUTPUT is ACCEPT, all
other output traffic is allowed out anyways.


>> I would like to bypass squid proxy and do 
>> a NAT for a client - 192.168.0.253.


i can't see how that would possibly be dropped anyways, but:

  -A FORWARD -i eth1 -o eth0 -p tcp --syn -s 192.168.0.253 \
     --sport 1024: --dport 80 -j ACCEPT

you'd probably also need to allow DNS resolution for that client as well
(unless you have an internal DNS server):

  -A FORWARD -i eth1 -o eth0 -p udp -s 192.168.0.253 \
     --sport 1024: --dport 53 -j ACCEPT


you already have the necessary MASQ rule.

-j


I will tackle your anwser one step at a time

Varun




More information about the netfilter mailing list