[Nottingham] some iptables magic required

Michael perl at tecspy.com
Thu Dec 30 14:39:28 GMT 2004


Richard Morris wrote:
> In my firewall script I use the following to get the ip addresses, it
> works for me on NTL.
<snip>

Thanks Richard,
That's one fine script, but (call me stubborn!) I'd prefer to do this 
with the knowledge held by the existing script and use the interfaces 
alone if possible.

I found a good reference to this particular problem in a personal log of 
a Lawrence Poon...

http://www2.hkedcity.net/citizen_files/aa/dw/lp209229/public_html/

The remainder of this message is selected quotes from that log. I'm 
still digesting the information and it'll take some time for me to come 
up with the rules. I can't believe how sparse the information is on what 
would appear to be a common requirement. I could, however, be searching 
for all the wrong words!

Regards,
Michael.

18 Sept 2001 Why a NATed client fails to access a web server behind an 
iptables firewall? (1)

This question has puzzled me for a long time. Today, I finally found the 
answers.

When a NATed client requests the web traffic by typing www.myschool.edu, 
the domain name is resolved into the external IP of the firewall. Then 
the connection is redirected to the web server by the PREROUTING rule. 
The web server receives the SYN from the firewall and understands the packet 
is from the NATed client. So the web server sends the SYN/ACK packet 
directly to the NATed client, as they are in the same subnet. Since the 
firewall fails to send an ICMP redirect to the NATed client to inform 
it that the route has changed, the NATed client receives the SYN/ACK 
packet from the web server, which is different from what it expected from 
the firewall (with different sequence numbers), and the NATed client resets 
the connection. So the connection fails to establish from the web server to 
the NATed client.


19 Sept 2001 Why a NATed client fails to access a web server behind an 
iptables firewall? (2)

# SNAT LAN-originated connections that have been port-forwarded to the
# web server, so that the server's replies come back via the firewall
iptables -A POSTROUTING -t nat -o \
   $INSIDE_DEVICE -p tcp -s $INSIDE_NETWORK \
   -d $WEB_SERVER --dport 80 -j SNAT --to \
   $INSIDE_IP

Why do we need such a rule? What does it do to the packet? When a 
NATed client requests the web traffic by typing www.myschool.edu, the 
domain name is resolved into the external IP of the firewall. If 
www.myschool.edu is a host and not the firewall itself, the packet will 
be routed to the host. Now the packet is sent back to the firewall. Even 
though the packet is NATed and the source IP is changed, because this 
happens in the POSTROUTING rule, the firewall still sees the 
source IP of the packet as being from the local LAN. That is, the source IP 
is changed after the routing. Any other hosts on the Internet, if the 
packet is directed to them, will see the packet as being from the external 
IP of the firewall. When the firewall receives the packet from the external 
interface, the packet is forwarded to the internal web server because of 
the PREROUTING rule. The web server sees a packet from the LAN 
client. So the web server tries to return a packet to the client. In 
doing so, the packet is sent back to the client, bypassing the 
firewall. So we need to do a SNAT and change the source IP of the client 
to the internal IP of the firewall.
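The complete DNAT/SNAT pair the log describes, written out as an added example that is not from the original post or from Lawrence Poon's log. The interface name (eth1) and addresses (203.0.113.10, 192.168.1.0/24, 192.168.1.1, 192.168.1.80) are placeholders chosen for illustration. The function prints the iptables commands instead of running them, so the rule set can be read and checked before it is applied to a live firewall (pipe the output to sh as root to apply it).

```shell
#!/bin/sh
# Added example: hairpin (loopback) NAT for a web server published on the
# firewall's external address. All values below are assumed placeholders.
EXT_IP=203.0.113.10           # external address of the firewall (TEST-NET-3)
INSIDE_DEVICE=eth1            # LAN-facing interface of the firewall
INSIDE_IP=192.168.1.1         # firewall's own address on the LAN
INSIDE_NETWORK=192.168.1.0/24 # the NATed client subnet
WEB_SERVER=192.168.1.80       # web server sitting on the LAN

# hairpin_rules prints the iptables commands, one per line, rather than
# executing them. Rule order matters: DNAT happens in PREROUTING (before the
# routing decision), SNAT in POSTROUTING (after it), so by the time the SNAT
# rule is evaluated the destination is already the web server's real address.
hairpin_rules() {
    # 1. Port forward. Deliberately NOT restricted with -i to the external
    #    interface: a LAN client that resolves www.myschool.edu to EXT_IP
    #    must hit this rule too, otherwise its SYN is never redirected.
    echo "iptables -t nat -A PREROUTING -p tcp -d $EXT_IP --dport 80 -j DNAT --to-destination $WEB_SERVER"

    # 2. Hairpin SNAT. Only connections that were DNATed in step 1 and leave
    #    through the LAN interface match here (direct client-to-server traffic
    #    never traverses the firewall). Rewriting the source to INSIDE_IP makes
    #    the web server reply to the firewall, which un-NATs both directions,
    #    instead of replying straight to the client, which would RST it.
    echo "iptables -t nat -A POSTROUTING -o $INSIDE_DEVICE -p tcp -s $INSIDE_NETWORK -d $WEB_SERVER --dport 80 -j SNAT --to-source $INSIDE_IP"

    # 3. The forwarded flow still has to pass the filter table's FORWARD chain
    #    (and net.ipv4.ip_forward must be 1); allow it in both directions.
    echo "iptables -A FORWARD -p tcp -d $WEB_SERVER --dport 80 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -p tcp -s $WEB_SERVER --sport 80 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Print the rule set when run as a script.
hairpin_rules
```

The price of the hairpin SNAT is that the web server's logs show every LAN client as 192.168.1.1, so if per-client source addresses matter, the usual alternative is split-horizon DNS (resolve www.myschool.edu to 192.168.1.80 for LAN clients) rather than NAT. If the SNAT rule must never touch anything but hairpinned flows, `-m conntrack --ctstate DNAT` can be added to it so it matches only connections that went through step 1.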




More information about the Nottingham mailing list