does IPTABLES as a router always require masquerade / SNAT?

2

If I set up a linux box as a router behind a DSL gateway, do I need to enable masquerading or SNAT?

Logically I would assume that all I need to do is enable ip_forwarding (done) but traffic to Internet dies if I don't perform any NATing.

The config is as follows (apologies for diagram)

Internet---[ppp0_DSL router_eth0]----192.168.1.x-----[eth0_ubunturouter_eth1]------192.168.2.x

If NAT is running on the broadband router, then would I also need it running on the ubuntu router?

Below is the config of the ubuntu router iptables...

  # Generated by iptables-save v1.4.21 on Thu Oct 29 12:48:19 2015
*nat
:PREROUTING ACCEPT [10859:2328892]
:INPUT ACCEPT [1002:126271]
:OUTPUT ACCEPT [1256:91484]
:POSTROUTING ACCEPT [638:43890]
COMMIT
# Completed on Thu Oct 29 12:48:19 2015
# Generated by iptables-save v1.4.21 on Thu Oct 29 12:48:19 2015
*filter
:INPUT ACCEPT [5:803]
:FORWARD ACCEPT [127:18532]
:OUTPUT ACCEPT [5:431]
# INPUT to allow ssh and ping from internal network
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT -m comment --comment "ssh on eth1"
-A INPUT -p icmp -j ACCEPT -m comment --comment "allow ping from internal"
-P INPUT DROP
# god table to handle traffic forwarding and test icmp
-N god
-A god -d 8.8.4.4 -j REJECT
-A god -d 8.8.8.8 -j DROP
# forward configured to explicitly route between interfaces - this could be redundant
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -p tcp -j ACCEPT -m comment --comment "all tcp"
-A FORWARD -p udp -j ACCEPT -m comment --comment "all udp"
-A FORWARD -p icmp -j god -m comment --comment "all icmp"
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-P FORWARD DROP
# output to allow web traffic and icmp from router
-A OUTPUT -o eth1 -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-P OUTPUT DROP
COMMIT
# Completed on Thu Oct 29 12:48:19 2015

This config keeps killing the Internet, but it always works if I include 

-A POSTROUTING -o eth0 -j SNAT --to 192.168.1.1

But why??? Why does this box work only with SNAT, which is not needed because its already in place on the DSL router?

                • UPDATED - - - - - - -

As seen in the comments, Radhil and MichaelB are both correct. I am failing to take into account the lack of routing on the broadband router for anything other than one subnet (192.168.1.0 in this instance). Unfortunately this particular broadband router provides no means of adding additional static routes, so my solution for enabling source based routing from the internal subnet in this instance is to use the PREROUTING tables to chain the traffic.

eg 

A PREROUTING -i eth1 -m mac --mac-source xx:xx:xx:xx:xx:xx -j DNAT --to 192.168.2.200

then 

-A FORWARD -s 192.168.2.200 -j DROP

This is obviously a lousy solution (done this way as IPTABLES does not allow one to DROP within the PREOUTING / POSTROUTING tables, but I've just included it as an example of being able to route based on source within these straitened circumstances.

TemperedGlass

Posted 2015-11-01T14:55:52.060

Reputation: 47

Answers

2

The DSL router is running it's own NAT on 192.168.1.0, correct? That's the network it's set to hand out.

So the answer would be that it doesn't know anything about any 192.168.2.0 network, and therefore doesn't attempt to NAT it. It may forward that trafficout to the Internet, but the Internet will drop those private IPs right away. It probably also doesn't have routing information to get back through your box to your 2nd network segment, so you would have no return path anyway, unless you set that up as a static route somewhere and didn't point it out.

So you need to give the DSL router something it's expecting. Either find a way to change settings on it to NAT both segments and a static route to your Ubuntu for 192.168.2.0, or set up the NAT on yours like you found.

Radhil

Posted 2015-11-01T14:55:52.060

Reputation: 266

Thanks! That's correct of course. I forgot why I'd enabled NAT months back! Am now trying to work out how to get SNAT on Ubuntu to play nice with filtering. Unfortunately the DSL router doesn't have capabilities for adding additonal subnet routes... – TemperedGlass – 2015-11-01T18:23:16.607

@TemperedGlass It's been a very long time since I built a firewall out of iptables, but I was under the impression NAT was by default one of the last steps applied. You've already got connection state rules in there, just apply rules to NEW under the initial IPs/ports you'd expect before the NAT engages and translates everything. If it doesn't work, well... then I'm wrong, and rewrite to expect the opposite. – Radhil – 2015-11-01T18:36:26.373

@TemperedGlass - think it was SNAT under postrouting and DNAT under prerouting? That'd make the most sense to me anyway. – Radhil – 2015-11-01T19:40:25.087

yep, you're right. What's foxing me is that if I apply any filters under FORWARD using -s 192.168.2.0/24 they don't work. I would have thought the filter table maintains state, even if the packet is then mangled in POST? However if I filter with -d then the rules work perfectly. – TemperedGlass – 2015-11-01T19:54:29.473

Erm... FORWARD as written here currently permits anything by line 2. I'd probably need to see how you're adding it. I vaguely remember jumping -i eth0 -o eth1 and vice-versa to an "inbound" and "outbound" subtable to keep it all straight. Might need a chat or a forum cause this is a long rabbit hole you're down. – Radhil – 2015-11-01T20:09:38.597

Well after 3 days banging my head numb this is working now, so many thanks for the guidance! I have set up the PREROUTING table to jump to new tables/chains. I've gone from a living hell to a sudden appreciation of the power and subtlety of IPTABLES. I knew it was worth the sweat. I'll update my original post with this guidance summarised later this evening. Thanks again! – TemperedGlass – 2015-11-01T20:26:13.327

@TemperedGlass - yeah, I see your other question now, and after comparing the two, it's all down to how you're writing the rules and how you expect it to behave. I'll thrown an answer on there too. – Radhil – 2015-11-01T20:33:37.487

1

This is because the DSL modem doesn't know about the 192.168.2.* network, when the router receives a packet from 192.168.2.x it is presuming it must reply through the default gateway, because it has no specific route to that subnet.

If your DSL router is capable of being configured with a static route, then that will fix it, if not, you'll need to have NAT configured on the router, so that all traffic that the router sees originates from the local network (as far as the DSL router sees)

Michael B

Posted 2015-11-01T14:55:52.060

Reputation: 714

Of course! I had actually forgotten why I'd enabled NAT some months ago - it was for this very reason! Thanks! The issue I now have is one of enabling NAT on Ubuntu such that I can still perform meaningful filtering. Packets filter based on destination but not on source with SNAT enabled! Any ideas perchance? (the DSL router has no way to add additional routes - it's a BT Homehub 5) – TemperedGlass – 2015-11-01T18:21:36.087

You could configure it so that any traffic that is destined for the default gateway goes through NAT, while any Lan traffic is simply routed... – Michael B – 2015-11-01T21:34:27.163

Asked: 2015-11-01T14:55:52.060

Viewed: 625 times

Active: 2015-11-01T20:56:01.370