Hi all,
I have a network like this:

      Provider 1        Provider 2
             \           /
              \         /
               \       /
          eth1  \     /  eth2
              -------------
              |           |
              |           |
              |           |
              |           |
              |           |
              |   eth0    |
              -------------
                    |
                    |
                    |
                    |
2 networks:
- 192.168.2.0/24
- 192.168.3.0/24
The network 192.168.3.0 is routed to provider 1 and 192.168.2.0 is routed
to provider 2 (all are behind a masquerade).
On 192.168.2.0 I have an SMTP server (192.168.2.2). I want all traffic
to other SMTP servers to use the Provider 1 line.
As explained in the "Linux Advanced Routing & Traffic Control HOWTO", I
mark packets from this server and route these marked packets to provider 1.
But it doesn't work. After investigation, I believe it's a NAT problem (but
I'm not sure).
I use ethereal to watch packets on eth1 when I try an SMTP connection from
192.168.2.2. The packets are routed correctly, but it seems those packets
are not masqueraded. I explain:
I see the TCP SYN packet from IP_of_eth1 to A_Server_Mail.
I receive a TCP SYN, ACK from A_Server_Mail to IP_of_eth1.
But after that, nothing happens... The destination address is never changed...
Can anyone help me? (PS: I tried to disable rp_filter as described in "Linux
Advanced Routing & Traffic Control HOWTO" but it changed nothing)
I also need to forward all incoming traffic for ports 80 and 25 to this
server...
All I tried (see below) doesn't work:
iptables -A FORWARD -d 192.168.2.2 -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A FORWARD -d 192.168.2.2 -i eth2 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.2:80
iptables -A PREROUTING -i eth2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.2:80
Thanks
Here are my firewall's rules:
# Generated by iptables-save v1.2.6a on Wed Sep 29 12:20:34 2004
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [20:1680]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j LOG
-A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j DROP
-A INPUT -d 255.255.255.255 -i eth1 -j ACCEPT
-A INPUT -d 255.255.255.255 -i eth0 -j ACCEPT
-A INPUT -d 255.255.255.255 -i eth2 -j ACCEPT
-A INPUT -s 192.168.3.0/255.255.255.0 -i eth0 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -i eth0 -j ACCEPT
-A INPUT -d ip_from_provider1 -i eth1 -j ACCEPT
-A INPUT -d broadcast_provider1 -i eth1 -j ACCEPT
-A INPUT -d ip_from_provider2 -i eth2 -j ACCEPT
-A INPUT -d broadcast_provider1 -i eth2 -j ACCEPT
-A INPUT -d 240.0.0.0/240.0.0.0 -i eth0 -p ! tcp -j ACCEPT
-A INPUT -s 192.168.3.0/255.255.255.0 -i eth1 -j LOG
-A INPUT -s 192.168.3.0/255.255.255.0 -i eth1 -j DROP
-A INPUT -s 192.168.3.0/255.255.255.0 -i eth2 -j LOG
-A INPUT -s 192.168.3.0/255.255.255.0 -i eth2 -j DROP
-A INPUT -s 192.168.2.0/255.255.255.0 -i eth1 -j LOG
-A INPUT -s 192.168.2.0/255.255.255.0 -i eth1 -j DROP
-A INPUT -s 192.168.2.0/255.255.255.0 -i eth2 -j LOG
-A INPUT -s 192.168.2.0/255.255.255.0 -i eth2 -j DROP
-A FORWARD -s 192.168.3.0/255.255.255.0 -d 192.168.2.0/255.255.255.0 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.3.0/255.255.255.0 -j ACCEPT
-A FORWARD -s 192.168.3.0/255.255.255.0 -i eth0 -o eth1 -j ACCEPT
-A FORWARD -s 192.168.3.0/255.255.255.0 -i eth0 -o eth2 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -i eth0 -o eth1 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -i eth0 -o eth2 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.3.0/255.255.255.0 -o eth1 -j LOG
-A FORWARD -d 192.168.3.0/255.255.255.0 -o eth1 -j DROP
-A FORWARD -d 192.168.3.0/255.255.255.0 -o eth2 -j LOG
-A FORWARD -d 192.168.3.0/255.255.255.0 -o eth2 -j DROP
-A FORWARD -d 192.168.2.0/255.255.255.0 -o eth1 -j LOG
-A FORWARD -d 192.168.2.0/255.255.255.0 -o eth1 -j DROP
-A FORWARD -d 192.168.2.0/255.255.255.0 -o eth2 -j LOG
-A FORWARD -d 192.168.2.0/255.255.255.0 -o eth2 -j DROP
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 255.255.255.255 -o eth0 -j ACCEPT
-A OUTPUT -d 255.255.255.255 -o eth1 -j ACCEPT
-A OUTPUT -d 255.255.255.255 -o eth2 -j ACCEPT
-A OUTPUT -d 192.168.3.0/255.255.255.0 -o eth0 -j ACCEPT
-A OUTPUT -d 192.168.2.0/255.255.255.0 -o eth0 -j ACCEPT
-A OUTPUT -d 224.0.0.0/240.0.0.0 -o eth0 -p ! tcp -j ACCEPT
-A OUTPUT -d 192.168.3.0/255.255.255.0 -o eth1 -j LOG
-A OUTPUT -d 192.168.3.0/255.255.255.0 -o eth1 -j DROP
-A OUTPUT -d 192.168.3.0/255.255.255.0 -o eth2 -j LOG
-A OUTPUT -d 192.168.3.0/255.255.255.0 -o eth2 -j DROP
-A OUTPUT -d 192.168.2.0/255.255.255.0 -o eth1 -j LOG
-A OUTPUT -d 192.168.2.0/255.255.255.0 -o eth1 -j DROP
-A OUTPUT -d 192.168.2.0/255.255.255.0 -o eth2 -j LOG
-A OUTPUT -d 192.168.2.0/255.255.255.0 -o eth2 -j DROP
-A OUTPUT -s ip_from_provider1 -o eth1 -j ACCEPT
-A OUTPUT -s broadcast_provider1 -o eth1 -j ACCEPT
-A OUTPUT -s ip_from_provider2 -o eth2 -j ACCEPT
-A OUTPUT -s broadcast_provider2 -o eth2 -j ACCEPT
COMMIT
# Completed on Wed Sep 29 12:20:34 2004
# Generated by iptables-save v1.2.6a on Wed Sep 29 12:20:34 2004
*mangle
:PREROUTING ACCEPT [2423:332444]
:INPUT ACCEPT [2258:293682]
:FORWARD ACCEPT [159:38506]
:OUTPUT ACCEPT [2513:829818]
:POSTROUTING ACCEPT [2672:868324]
-A PREROUTING -s 192.168.2.2 -i eth0 -p tcp -m tcp --dport 25 -j MARK --set-mark 0x1
COMMIT
# Completed on Wed Sep 29 12:20:34 2004
# Generated by iptables-save v1.2.6a on Wed Sep 29 12:20:34 2004
*nat
:PREROUTING ACCEPT [93:5089]
:POSTROUTING ACCEPT [29:2408]
:OUTPUT ACCEPT [83:6766]
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -j MASQUERADE
-A POSTROUTING -s 192.168.2.0/255.255.255.0 -j MASQUERADE
COMMIT
# Completed on Wed Sep 29 12:20:34 2004
Here is my routing table:
ip rule ls:
0: from all lookup local
32763: from all fwmark 1 lookup T1
32764: from 192.168.2.0/24 lookup T2
32765: from 192.168.3.0/24 lookup T1
32766: from all lookup main
32767: from all lookup default
ip route ls table T1:
192.168.3.0/24 dev eth0 proto kernel scope link
192.168.2.0/24 dev eth0 proto kernel scope link
default via 82.226.97.1 dev eth1
ip route ls table T2:
192.168.3.0/24 dev eth0 proto kernel scope link
192.168.2.0/24 dev eth0 proto kernel scope link
default via 192.168.1.1 dev eth2
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
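As an added example (not from the original post or from the LARTC HOWTO): a small Python audit script that parses iptables-save output into (table, chain, options) triples and lists the LAN networks that FORWARD allows out through an uplink interface but that no nat POSTROUTING MASQUERADE rule covers. The dump is a constructed excerpt modelled on the filter and nat tables quoted above, and the uplink interface names are an assumption.

```python
import ipaddress

# Constructed excerpt modelled on the filter/nat tables in the post above.
SAMPLE_DUMP = """\
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -s 192.168.3.0/255.255.255.0 -i eth0 -o eth1 -j ACCEPT
-A FORWARD -s 192.168.3.0/255.255.255.0 -i eth0 -o eth2 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -i eth0 -o eth1 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -i eth0 -o eth2 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -j MASQUERADE
-A POSTROUTING -s 192.168.2.0/255.255.255.0 -j MASQUERADE
COMMIT
"""

UPLINKS = {"eth1", "eth2"}  # assumption: the two provider-facing interfaces


def parse_rules(dump):
    """Yield (table, chain, options) per -A line; '-i ! lo' becomes {'-i': '!lo'}."""
    table = None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif line.startswith("-A "):
            parts = line.split()
            opts, i = {}, 2
            while i < len(parts):
                key = parts[i]
                val = parts[i + 1] if i + 1 < len(parts) else ""
                if val == "!" and i + 2 < len(parts):  # old-style negation
                    val, i = "!" + parts[i + 2], i + 1
                opts[key] = val
                i += 2
            yield table, parts[1], opts


def unmasqueraded_networks(dump, uplinks=UPLINKS):
    """Sorted CIDRs accepted in FORWARD towards an uplink with no MASQUERADE cover."""
    forwarded, masq = set(), set()
    for table, chain, o in parse_rules(dump):
        if (table, chain, o.get("-j")) == ("filter", "FORWARD", "ACCEPT") \
                and o.get("-o") in uplinks and "-s" in o:
            forwarded.add(ipaddress.ip_network(o["-s"], strict=False))
        elif (table, chain, o.get("-j")) == ("nat", "POSTROUTING", "MASQUERADE"):
            masq.add(ipaddress.ip_network(o.get("-s", "0.0.0.0/0"), strict=False))
    return sorted(str(n) for n in forwarded if not any(n.subnet_of(m) for m in masq))
```

Run against the constructed excerpt it reports 192.168.3.0/24, the one network the FORWARD chain lets out through an uplink without a matching MASQUERADE source.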