2
If I set up a linux box as a router behind a DSL gateway, do I need to enable masquerading or SNAT?
Logically I would assume that all I need to do is enable ip_forwarding (done) but traffic to Internet dies if I don't perform any NATing.
The config is as follows (apologies for diagram)
Internet---[ppp0_DSL router_eth0]----192.168.1.x-----[eth0_ubunturouter_eth1]------192.168.2.x
If NAT is running on the broadband router, then would I also need it running on the ubuntu router?
Below is the config of the ubuntu router iptables...
# Generated by iptables-save v1.4.21 on Thu Oct 29 12:48:19 2015
*nat
:PREROUTING ACCEPT [10859:2328892]
:INPUT ACCEPT [1002:126271]
:OUTPUT ACCEPT [1256:91484]
:POSTROUTING ACCEPT [638:43890]
COMMIT
# Completed on Thu Oct 29 12:48:19 2015
# Generated by iptables-save v1.4.21 on Thu Oct 29 12:48:19 2015
*filter
:INPUT ACCEPT [5:803]
:FORWARD ACCEPT [127:18532]
:OUTPUT ACCEPT [5:431]
# INPUT to allow ssh and ping from internal network
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT -m comment --comment "ssh on eth1"
-A INPUT -p icmp -j ACCEPT -m comment --comment "allow ping from internal"
-P INPUT DROP
# god table to handle traffic forwarding and test icmp
-N god
-A god -d 8.8.4.4 -j REJECT
-A god -d 8.8.8.8 -j DROP
# forward configured to explicitly route between interfaces - this could be redundant
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -p tcp -j ACCEPT -m comment --comment "all tcp"
-A FORWARD -p udp -j ACCEPT -m comment --comment "all udp"
-A FORWARD -p icmp -j god -m comment --comment "all icmp"
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-P FORWARD DROP
# output to allow web traffic and icmp from router
-A OUTPUT -o eth1 -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-P OUTPUT DROP
COMMIT
# Completed on Thu Oct 29 12:48:19 2015
This config keeps killing the Internet, but it always works if I include
-A POSTROUTING -o eth0 -j SNAT --to 192.168.1.1
But why??? Why does this box work only with SNAT, which is not needed because its already in place on the DSL router?
- UPDATED - - - - - - -
As seen in the comments, Radhil and MichaelB are both correct. I am failing to take into account the lack of routing on the broadband router for anything other than one subnet (192.168.1.0 in this instance). Unfortunately this particular broadband router provides no means of adding additional static routes, so my solution for enabling source based routing from the internal subnet in this instance is to use the PREROUTING tables to chain the traffic.
eg
A PREROUTING -i eth1 -m mac --mac-source xx:xx:xx:xx:xx:xx -j DNAT --to 192.168.2.200
then
-A FORWARD -s 192.168.2.200 -j DROP
This is obviously a lousy solution (done this way as IPTABLES does not allow one to DROP within the PREOUTING / POSTROUTING tables, but I've just included it as an example of being able to route based on source within these straitened circumstances.
Thanks! That's correct of course. I forgot why I'd enabled NAT months back! Am now trying to work out how to get SNAT on Ubuntu to play nice with filtering. Unfortunately the DSL router doesn't have capabilities for adding additonal subnet routes... – TemperedGlass – 2015-11-01T18:23:16.607
@TemperedGlass It's been a very long time since I built a firewall out of iptables, but I was under the impression NAT was by default one of the last steps applied. You've already got connection state rules in there, just apply rules to NEW under the initial IPs/ports you'd expect before the NAT engages and translates everything. If it doesn't work, well... then I'm wrong, and rewrite to expect the opposite. – Radhil – 2015-11-01T18:36:26.373
@TemperedGlass - think it was SNAT under postrouting and DNAT under prerouting? That'd make the most sense to me anyway. – Radhil – 2015-11-01T19:40:25.087
yep, you're right. What's foxing me is that if I apply any filters under FORWARD using -s 192.168.2.0/24 they don't work. I would have thought the filter table maintains state, even if the packet is then mangled in POST? However if I filter with -d then the rules work perfectly. – TemperedGlass – 2015-11-01T19:54:29.473
Erm... FORWARD as written here currently permits anything by line 2. I'd probably need to see how you're adding it. I vaguely remember jumping -i eth0 -o eth1 and vice-versa to an "inbound" and "outbound" subtable to keep it all straight. Might need a chat or a forum cause this is a long rabbit hole you're down. – Radhil – 2015-11-01T20:09:38.597
Well after 3 days banging my head numb this is working now, so many thanks for the guidance! I have set up the PREROUTING table to jump to new tables/chains. I've gone from a living hell to a sudden appreciation of the power and subtlety of IPTABLES. I knew it was worth the sweat. I'll update my original post with this guidance summarised later this evening. Thanks again! – TemperedGlass – 2015-11-01T20:26:13.327
@TemperedGlass - yeah, I see your other question now, and after comparing the two, it's all down to how you're writing the rules and how you expect it to behave. I'll thrown an answer on there too. – Radhil – 2015-11-01T20:33:37.487