linux IP Masquerading firewall problems

Post by Imitheo » Mon, 12 Aug 2002 23:49:47



Hello.
Firstly, sorry for the crosspost, but I didn't know which group was the right one for my post.

I have several PCs with static IPs which are behind a masquerading Linux machine.
My iptables rules setup includes the following rules.

e.g. Linux router = 1.1.1.1, PCs = 1.1.1.2-10, internal = 192.168.0.0/24

IPTABLES="/usr/sbin/iptables"
EXT_IF="eth0"
INT_IF="eth1"
LOCAL_NET="192.168.0.0/24"

$IPTABLES -P FORWARD DROP
$IPTABLES -N fw_tcp
$IPTABLES -N fw_udp
$IPTABLES -N fw_icmp
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p tcp -j fw_tcp
$IPTABLES -A FORWARD -p udp -j fw_udp
$IPTABLES -A FORWARD -p icmp -j fw_icmp
$IPTABLES -A FORWARD -d $LOCAL_NET -m limit --limit 5/minute -j LOG --log-prefix "INCOMING TRAFFIC DROPPED: "
$IPTABLES -A FORWARD -s $LOCAL_NET -m limit --limit 5/minute -j LOG --log-prefix "OUTGOING TRAFFIC DROPPED: "

$IPTABLES -A fw_tcp -p tcp --dport 20:21 -j ACCEPT
$IPTABLES -A fw_tcp -p tcp --dport 80 -j ACCEPT
# Other services too.

$IPTABLES -t nat -A PREROUTING -p tcp -d 1.1.1.2 --dport 21 -j DNAT --to-destination 192.168.0.2:21
$IPTABLES -t nat -A PREROUTING -p tcp -d 1.1.1.2 --dport 80 -j DNAT --to-destination 192.168.0.2:80
# Other services/machines too

$IPTABLES -t nat -A POSTROUTING -s 192.168.0.2/32 -j SNAT --to-source 1.1.1.2

I believed that with these rules 1-1 NAT works in the PREROUTING chain, FTP and HTTP work because I accept dport 21 and 80 in the fw_tcp chain, and because the state match for ESTABLISHED,RELATED connections has a target of ACCEPT, all packets of a connection work.

So they do. Every connection I tried externally works perfectly.
But now and then I have messages of logged dropped packets
with OUTGOING TRAFFIC DROPPED blah blah SIP=192.168.0.2 SPT=80

I can solve the problem by adding a rule
$IPTABLES -A fw_tcp -s $LOCAL_NET -p tcp --sport 80 -j ACCEPT
but doesn't using the state match for established connections solve this?

Does anyone have an idea why I drop these packets?

Thank you for your time

Post by andre » Tue, 13 Aug 2002 00:23:27


Well, when the packets hit the custom chain and don't find a match, they just fall back,
kind of like RETURN. :-)
And since you don't have (I did not see) a rule to catch sport 80, they hit the log chain.

Post by andre » Tue, 13 Aug 2002 00:44:19


Sorry, I think I confused myself.
See what bits you have set in the dropped packets.
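Following andre's suggestion to look at which TCP bits are set in the dropped packets, here is a small triage script for the original poster's situation (the "OUTGOING TRAFFIC DROPPED: " log rule firing on SRC=192.168.0.2 SPT=80 even though ESTABLISHED,RELATED is accepted first). It is an added example for this thread, not code from either poster. The log lines, hosts and ports in it are constructed to mimic the kernel's ipt_LOG output format (KEY=VALUE fields, with the TCP flags printed as bare tokens between RES= and URGP=); the classification labels are my own shorthand.

```python
"""Triage iptables LOG lines for packets dropped in FORWARD although the
connection should have matched '--state ESTABLISHED,RELATED'.

Added example, not the posters' code.  SAMPLE_LOG is constructed; it imitates
ipt_LOG output for the "OUTGOING TRAFFIC DROPPED: " prefix used in the thread.
"""
import re
from collections import Counter

# Bare-token TCP flags as ipt_LOG prints them between RES=... and URGP=...
TCP_FLAG_TOKENS = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")

# Constructed sample log (hosts/ports made up): three packets from the web
# server 192.168.0.2:80 and one new outbound SYN for contrast.
SAMPLE_LOG = """\
Aug 12 22:10:01 router kernel: OUTGOING TRAFFIC DROPPED: IN=eth1 OUT=eth0 SRC=192.168.0.2 DST=203.0.113.7 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=80 DPT=33412 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug 12 22:13:44 router kernel: OUTGOING TRAFFIC DROPPED: IN=eth1 OUT=eth0 SRC=192.168.0.2 DST=203.0.113.7 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=4712 DF PROTO=TCP SPT=80 DPT=33412 WINDOW=5840 RES=0x00 ACK FIN URGP=0
Aug 12 22:20:09 router kernel: OUTGOING TRAFFIC DROPPED: IN=eth1 OUT=eth0 SRC=192.168.0.2 DST=198.51.100.9 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=9001 DF PROTO=TCP SPT=80 DPT=51002 WINDOW=5840 RES=0x00 ACK URGP=0
Aug 12 22:31:55 router kernel: OUTGOING TRAFFIC DROPPED: IN=eth1 OUT=eth0 SRC=192.168.0.2 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9002 DF PROTO=TCP SPT=32881 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
"""

KV_RE = re.compile(r"\b([A-Z]+)=(\S+)")


def parse_log_line(line):
    """Return the KEY=VALUE fields of one LOG line plus a 'FLAGS' set of TCP
    flag tokens, or None if the line is not a packet log line."""
    if "PROTO=" not in line:
        return None
    fields = dict(KV_RE.findall(line))
    flags = set()
    if fields.get("PROTO") == "TCP":
        m = re.search(r"RES=\S+\s+(.*?)\s*URGP=", line)
        if m:
            flags = {tok for tok in m.group(1).split() if tok in TCP_FLAG_TOKENS}
    fields["FLAGS"] = flags
    return fields


def classify(fields):
    """Label why a packet may have missed the ESTABLISHED,RELATED rule.

    Rule of thumb: a SYN without ACK is a genuinely new connection and needs
    its own ACCEPT rule; an RST, a FIN or a bare ACK from a server port is
    usually the tail of a connection whose conntrack entry is already gone
    (closed or timed out), so conntrack no longer calls it ESTABLISHED.
    """
    if fields is None or fields.get("PROTO") != "TCP":
        return "non-tcp"
    f = fields["FLAGS"]
    if "SYN" in f and "ACK" not in f:
        return "new-connection"
    if "RST" in f:
        return "late-reset"
    if "FIN" in f:
        return "late-fin"
    if "ACK" in f:
        return "late-ack"
    return "other"


def triage(log_text):
    """Parse every packet line in log_text into (src, dst, flags, verdict) rows."""
    rows = []
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if fields is None:
            continue
        rows.append({
            "src": f'{fields.get("SRC")}:{fields.get("SPT")}',
            "dst": f'{fields.get("DST")}:{fields.get("DPT")}',
            "flags": " ".join(sorted(fields["FLAGS"])),
            "verdict": classify(fields),
        })
    return rows


def summarize(rows):
    """Count verdicts so the dominant cause of the drops stands out."""
    return Counter(r["verdict"] for r in rows)


if __name__ == "__main__":
    rows = triage(SAMPLE_LOG)
    for r in rows:
        print(f'{r["src"]:>20} -> {r["dst"]:<20} [{r["flags"]}] {r["verdict"]}')
    print(dict(summarize(rows)))
```

If the dropped packets from 192.168.0.2:80 carry RST, FIN or a lone ACK and never SYN, they are leftovers of connections conntrack has already forgotten (for example a late retransmission after the entry was closed or timed out), which is why the ESTABLISHED match does not catch them; accepting --sport 80 from the internal net, as the original poster did, lets them through but also lets an internal host send anything from port 80. A more precise way to confirm this on the router is to log such packets separately, with a rule like $IPTABLES -A FORWARD -m state --state INVALID -m limit --limit 5/minute -j LOG --log-prefix "INVALID STATE: " placed before the two generic LOG rules, so packets conntrack considers INVALID are distinguished from packets that simply had no matching rule.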

IP Firewall and IP Masquerading Problems

I have Linux 1.3.36 with IP Firewall and IP Masquerading turned on.

This machine has 20 MB of RAM, 2 Ethernet cards, and a Cyclades board with 4 dial-ins.

It acts as a router for the firewall portions of the nets, which are on one Ethernet board and on some of the dial-ins.

About every other day, and it happens in the middle of the night, the machine dies. I didn't get all the information from the console, but the part that I do have reads:

        Unable to handle kernel null pointer dereference at virtual address
                c00000ce
        current -> tss.cr3 = 0010100, %cr3 = 00101000
        *pde = 00102067
        *pte=0000027

        "EXTRA STUFF I DID NOT WRITE DOWN"

        Killing Interrupt Handler

This always seems to happen when no one is on the dial-in and I know no one is on the 2nd IP net. Data on the 1st IP net is from the Internet to other machines on that network (i.e. news, mail, ftp, web ... each on a different machine).

I started out with 12 MB in the machine and have gone through several versions of the kernel in the 1.3.x series.

I have also had this happen on another set of machines using the 1.2.x kernels.

Any and all help to solve this problem will be greatly appreciated.

Todd Reese

--
Todd Reese
Gwinnett Communications Group
Atlanta, GA
