[Nottingham] some iptables magic required
Michael
perl at tecspy.com
Thu Dec 30 14:39:28 GMT 2004
Richard Morris wrote:
> In my firewall script I use the following to get the ip addresses, it
> works for me on NTL.
<snip>
Thanks Richard,
That's one fine script, but (call me stubborn!) I'd prefer to do this
with the knowledge held by the existing script and use the interfaces
alone if possible.
I found a good reference to this particular problem in a personal log of
a Lawrence Poon...
http://www2.hkedcity.net/citizen_files/aa/dw/lp209229/public_html/
The remainder of this message is selected quotes from that log. I'm
still digesting the information and it'll take some time for me to come
up with the rules. I can't believe how sparse the information is on what
would appear to be a common requirement. I could, however, be searching
for all the wrong words!
Regards,
Michael.
18 Sept 2001 Why a NATed client fails to access a web server behind an
iptables firewall? (1)
This question has puzzled me for a long time. Today, I finally found the
answers.
When a NATed client requests the web traffic by typing www.myschool.edu,
the domain name is resolved into the external ip of the firewall. Then
the connection is redirected to the web server by the PREROUTING rule.
The web server receives SYN from the firewall and understands the packet
is from the NATed client. So the web server sends the SYN/ACK packet
directly to the NATed client as they are in the same subnet. Since the
firewall fails to send an icmp redirect to the NATed client and inform
him the route has changed, the NATed client receives the SYN/ACK
packet from the web server, which differs from the one expected from the
firewall (with different sequence numbers). The NATed client resets the
connection. So the connection fails to establish from the web server to
the NATed client.
19 Sept 2001 Why a NATed client fails to access a web server behind an
iptables firewall? (2)
iptables -A POSTROUTING -t nat -o \
$INSIDE_DEVICE -p tcp -s $INSIDE_NETWORK \
-d $WEB_SERVER --dport 80 -j SNAT --to \
$INSIDE_IP
Why do we need such a rule? What does it do to the packet? When a
NATed client requests the web traffic by typing www.myschool.edu, the
domain name is resolved into the external ip of the firewall. If the
www.myschool.edu is a host and not the firewall itself, the packet will
be routed to the host. Now the packet is sent back to the firewall. Even
though the packet is NATed and the source ip is changed, because it
goes through the POSTROUTING rule, the firewall still sees the
source ip of the packet is from the local LAN. That is, the source ip is
changed after the routing. Any other hosts from the Internet, if the
packet is directed to them, will see the packet is from the external ip
of the firewall. When the firewall receives the packet from the external
interface, the packet is forwarded to the internal web server because of
the PREROUTING rule. The web server sees a packet is from the LAN
client. So the web server tries to return a packet to the client. In
doing so, the packet is sent back to the client by bypassing the
firewall. So we need to do a SNAT and change the source ip of the client
to the internal ip of the firewall.
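A complete rule set for the situation described above (DNAT in PREROUTING for everyone, plus the extra SNAT in POSTROUTING for LAN clients so that the web server's replies come back through the firewall), added here as an example; it is not from Michael's post or Lawrence Poon's log, and the interface names and addresses are constructed placeholders.

```shell
#!/bin/sh
# Hairpin NAT: a LAN client reaches the internal web server through the
# firewall's public address. Added example; addresses and interface
# names below are constructed placeholders, not a real site.
OUTSIDE_IP=${OUTSIDE_IP:-203.0.113.10}        # public IP on the firewall
INSIDE_DEVICE=${INSIDE_DEVICE:-eth1}          # LAN-facing interface
INSIDE_IP=${INSIDE_IP:-192.168.1.1}           # firewall's LAN address
INSIDE_NETWORK=${INSIDE_NETWORK:-192.168.1.0/24}
WEB_SERVER=${WEB_SERVER:-192.168.1.80}
# Default is a dry run that prints the rules; set IPT=iptables to apply.
IPT=${IPT:-"echo iptables"}

hairpin_rules() {
    # 1. Anything arriving for the public IP on port 80 is redirected to
    #    the web server, whether it came in on the outside or inside side.
    $IPT -t nat -A PREROUTING -p tcp -d "$OUTSIDE_IP" --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER":80
    # 2. For LAN clients only, also rewrite the source to the firewall's
    #    inside address. The web server then answers the firewall, which
    #    undoes the DNAT before the SYN/ACK reaches the client; without
    #    this the reply goes straight to the client, which resets it.
    $IPT -t nat -A POSTROUTING -o "$INSIDE_DEVICE" -p tcp \
        -s "$INSIDE_NETWORK" -d "$WEB_SERVER" --dport 80 \
        -j SNAT --to-source "$INSIDE_IP"
    # 3. Let the DNATed connection through FORWARD, and the replies back.
    $IPT -A FORWARD -p tcp -d "$WEB_SERVER" --dport 80 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -p tcp -s "$WEB_SERVER" --sport 80 \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Number of iptables invocations the rule set produces (dry-run mode).
hairpin_rule_count() {
    hairpin_rules | grep -c '^iptables '
}

hairpin_rules
```

Note that rule 2 hides the real LAN client address from the web server, so its access logs show every internal visitor as $INSIDE_IP; the firewall must also have ip_forward enabled for any of this to work.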