
SNAT vs Forwarding

Hi all,

I'm using the rc.firewall.iptables.dual and .multi scripts as a guide to create a firewall script for my network.  I have it working and functional, however there is a small point that to me seems to not be working correctly.  I'm using iptables 1.1.2 and kernel 2.4.2.

I am connecting the internet and two private LANs with two NICs.  On one NIC is my main private LAN (1).  On the other NIC are two aliased addresses, one going to the internet, one going to the second private LAN (2).  I've created variables for the three interfaces, but when it's run the interface for the 2nd private LAN and the internet are the same.

For the moment, I've skipped over all TOS/Egress/Mangling/Check Flags and State portions of the scripts.  I've implemented my previous packet filtering, and masquerading.  I'm now using SNAT and DNAT.  In the script I'm using as a guide, SNAT is matching packets based on an interface:
#       $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -s $INTERNAL_NET \
#               -j SNAT --to $EXT_IP

In my script, I'm basing it on IP addresses, and leaving interface-based matching to the packet filtering.  Partly because the interface for intnet2 and the internet are the same, and partly for simplicity:

    privateIP="10.0.0.0/24"

    # Private net 1: SNAT to outside
    iptables -t nat -A POSTROUTING -s $intnet1 -d ! $privateIP -j SNAT \
        --to-source $extip

    # Private net 2: SNAT to outside
    iptables -t nat -A POSTROUTING -s $intnet2 -d ! $privateIP -j SNAT \
        --to-source $extip

This is all I'm doing for SNAT.  I'm using DNAT to forward some ports, and that's it for the nat table. Then I have a whole host of rules in my filter table. I don't have mangle table support in the kernel.

For testing I had this in my filter table:
     iptables -A FORWARD -j ACCEPT  (or policy=accept)

Connecting to the internet from either private LAN works fine, as well as connecting to forwarded ports from the internet to either private LAN.

The problem lies when I connect from private LAN to private LAN.  It works, however the source IP address is converted to my $extip, as seen from the server I'm connecting to, instead of a private IP.

I thought the above rules explicitly stated:  "Anything coming from 10.0.x (intnet1) going to anywhere but 10.x, SNAT to $extip." and "Anything coming from 10.1.x (intnet2) going to anywhere but 10.x, SNAT to $extip."  Thus the implication would be, "Anything else, don't NAT it," which should then be forwarded AS IS based upon the filter table.

Is this reasoning incorrect?

When transferring data from intnet1 to intnet2, I run the command:
    iptables -L -t nat -v
several times, and watch the packet and byte count for the rules in the nat table.  No change.

Then I run the command iptables -L -v for the filter table, to see which rules my data is tickling.  When using the above 'Forward All' rule, its counters increment.  When using more explicit packet filtering rules, I see these ones get all the data.  All other forward rules have zero data:
 115K 8138K ACCEPT     all  eth0   eth1    10.0.0.0/16         !10.0.0.0/24
 125K   44M ACCEPT     all  eth1   eth0   !10.0.0.0/24          10.0.0.0/16
 1775  879K ACCEPT     all  eth1   eth1    10.1.0.0/16         !10.0.0.0/24
 1704  497K ACCEPT     all  eth1   eth1   !10.0.0.0/24          10.1.0.0/16

10.0/16 is intnet1 eth0, 10.1/16 is intnet2 eth1.

Below this I have some specific rules for source intnet1, dest intnet2, etc, but they are not touched (i.e.):
 trx rule   p   if  source       dest         port
 0 0 DROP   tcp any 10.1.0.0/16  10.0.0.0/16  dpt:1433
 0 0 ACCEPT tcp any 10.0.0.0/16  10.1.0.0/16  spts:1024:65535 dpt:1433
 0 0 ACCEPT tcp any 10.1.0.0/16  10.0.0.0/16  spt:1433 dpts:1024:65535

It seems to me that it's being SNATted prior to the filter/forward ruleset, even though the SNAT rule shouldn't match the packets, and it's in the POSTROUTING chain.

If this were so, then a connection from 10.0.0.5 to 10.1.0.5, being SNATted $extip to 10.1.0.5, would be forwarded on rule #1 above, and responses would come across rule #2, which would explain to me the large amount of data.  (Here I was using a Windows remote admin program: little control transfer going to it, yet much graphical data coming back).

Should I add in a rule prior to the above SNAT rules in the nat table with something like:

    iptables -t nat -A POSTROUTING -s $intnet1 -d $intnet2 -j ACCEPT

Can this even be put there?
Where are my rules incorrect?

Thanks!
Cory
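An added example (not part of the original post) that evaluates the two posted POSTROUTING rules against sample packets with Python's ipaddress module, using constructed stand-in values for $intnet1, $intnet2 and $extip; the 10.0.0.0/8 case is an assumed alternative value for $privateIP that covers both 10.0/16 and 10.1/16, shown alongside the posted /24:

```python
from ipaddress import ip_address, ip_network

# Constructed stand-in values for the variables used in the posted script.
INTNET1 = "10.0.0.0/16"      # intnet1, reached via eth0
INTNET2 = "10.1.0.0/16"      # intnet2, reached via eth1
EXTIP = "203.0.113.1"        # documentation address standing in for $extip


def build_postrouting(private_ip):
    """The two posted POSTROUTING rules, parameterised on $privateIP.
    Each is: -s <s> -d ! <d_not> -j SNAT --to-source <to>, plus a pkts counter."""
    return [
        {"s": INTNET1, "d_not": private_ip, "to": EXTIP, "pkts": 0},
        {"s": INTNET2, "d_not": private_ip, "to": EXTIP, "pkts": 0},
    ]


def rule_matches(rule, src, dst):
    """-s matches when src is inside the net; -d ! matches when dst is OUTSIDE it."""
    src_ok = ip_address(src) in ip_network(rule["s"])
    dst_ok = ip_address(dst) not in ip_network(rule["d_not"])
    return src_ok and dst_ok


def postrouting(rules, src, dst):
    """Walk the chain in order; the first matching SNAT rule ends traversal.
    Returns the source address the next hop sees (unchanged if nothing matched)."""
    for rule in rules:
        if rule_matches(rule, src, dst):
            rule["pkts"] += 1
            return rule["to"]
    return src


def compare(private_ip, src, dst):
    """Source address seen on the wire for one packet under a given $privateIP."""
    return postrouting(build_postrouting(private_ip), src, dst)


if __name__ == "__main__":
    # Posted /24 vs. the assumed /8 aggregate, for LAN-to-LAN and LAN-to-internet.
    for net in ("10.0.0.0/24", "10.0.0.0/8"):
        for src, dst in (("10.0.0.5", "10.1.0.5"), ("10.1.0.5", "10.0.0.5"),
                         ("10.0.0.5", "198.51.100.7")):
            print(f"privateIP={net:12} {src} -> {dst}: wire source {compare(net, src, dst)}")
```

Note that netfilter consults the nat table only for the first packet of each connection, so the counters shown by iptables -L -t nat -v advance by one per new connection rather than per packet.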
