firewall rules for NAT

To: debian-user@lists.debian.org
Subject: firewall rules for NAT
From: Lucio Crusca <lucio@sulweb.org>
Date: Sun, 25 Jun 2017 23:00:20 +0200
Message-id: <[🔎] e8fef7c6-c2a4-de70-8d07-1c935f8c6c2c@sulweb.org>

I have a server with Debian GNU/Linux as host system.

The host runs several guest virtual machines, but it has only one publicIP address.

Each virtual machine is a QEMU/KVM Debian GNU/Linux system that runssome specific service (so I have one for websites, one for mail, one fordatabase, one for ssh connections, and so on).

One of the virtual machines is the router: the host system forwards anyincoming connection to it and the router forwards the connection to thecorrect VM based on the TCP destination port.

The host system forwards connections to the router with these iptablesrules (1.2.3.4 stands for the public IP address):


# Generated by iptables-save v1.4.21 on Sun Jun 25 22:33:39 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [86517:5472157]
:OUTPUT ACCEPT [32635:3750271]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT

-A INPUT -p tcp -m tcp --dport 31222 --tcp-flags FIN,SYN,RST,ACK SYN -mconntrack --ctstate NEW -j ACCEPT

-A INPUT -i virbr10 -p udp -m udp -m multiport --dports 53,67 -j ACCEPT
-A INPUT -i virbr10 -p tcp -m tcp -m multiport --dports 53,67 -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable

-A FORWARD -d 10.7.33.0/24 -o virbr10 -m conntrack --ctstateRELATED,ESTABLISHED -j ACCEPT

-A FORWARD -s 10.7.33.0/24 -i virbr10 -j ACCEPT
-A FORWARD -i virbr10 -o virbr10 -j ACCEPT

-A FORWARD -d 10.7.33.100/32 -o virbr10 -p tcp -m tcp --dport 1:31221--tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j ACCEPT

-A FORWARD -i virbr10 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o virbr10 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Sun Jun 25 22:33:39 2017
# Generated by iptables-save v1.4.21 on Sun Jun 25 22:33:39 2017
*nat
:PREROUTING ACCEPT [265547:18746839]
:INPUT ACCEPT [7946:621443]
:OUTPUT ACCEPT [44:3768]
:POSTROUTING ACCEPT [737574:41994020]

-A PREROUTING -d 1.2.3.4/32 -p tcp -m tcp --dport 1:31221 --tcp-flagsFIN,SYN,RST,ACK SYN -j DNAT --to-destination 10.7.33.100

-A POSTROUTING -s 10.7.33.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 10.7.33.0/24 -d 255.255.255.255/32 -j RETURN

-A POSTROUTING -s 10.7.33.0/24 ! -d 10.7.33.0/24 -p tcp -j MASQUERADE--to-ports 1024-65535-A POSTROUTING -s 10.7.33.0/24 ! -d 10.7.33.0/24 -p udp -j MASQUERADE--to-ports 1024-65535

-A POSTROUTING -s 10.7.33.0/24 ! -d 10.7.33.0/24 -j MASQUERADE
COMMIT
# Completed on Sun Jun 25 22:33:39 2017
# Generated by iptables-save v1.4.21 on Sun Jun 25 22:33:39 2017
*mangle
:PREROUTING ACCEPT [32568589:28152102128]
:INPUT ACCEPT [65809:5372699]
:FORWARD ACCEPT [32502779:28146729377]
:OUTPUT ACCEPT [56541:5855271]
:POSTROUTING ACCEPT [32535420:28150481592]

-A POSTROUTING -o virbr10 -p udp -m udp --dport 68 -j CHECKSUM--checksum-fill

COMMIT
# Completed on Sun Jun 25 22:33:39 2017

Then the router has its own set of iptables rules (I report only a fewhere):


# Generated by iptables-save v1.4.21 on Sun Jun 25 22:41:19 2017
*filter
:INPUT ACCEPT [114664:5730467]
:FORWARD ACCEPT [20388771:18133798388]
:OUTPUT ACCEPT [112664:4594474]
-A INPUT -s 10.7.33.101/32 -p tcp -m tcp --sport 29101 -j LOG
COMMIT
# Completed on Sun Jun 25 22:41:19 2017
# Generated by iptables-save v1.4.21 on Sun Jun 25 22:41:19 2017
*nat
:PREROUTING ACCEPT [108899:5217224]
:INPUT ACCEPT [108899:5217224]
:OUTPUT ACCEPT [2734:162786]
:POSTROUTING ACCEPT [2734:162786]

-A PREROUTING -p tcp -m tcp --dport 29101 -j DNAT --to-destination10.7.33.101

-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.7.33.101
-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.7.33.101
-A PREROUTING -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.7.33.109

-A POSTROUTING -d 10.7.33.101/32 -p tcp -m tcp --dport 29101 -j SNAT--to-source 10.7.33.100-A POSTROUTING -d 10.7.33.101/32 -p tcp -m tcp --dport 80 -j SNAT--to-source 10.7.33.100-A POSTROUTING -d 10.7.33.101/32 -p tcp -m tcp --dport 443 -j SNAT--to-source 10.7.33.100-A POSTROUTING -d 10.7.33.109/32 -p tcp -m tcp --dport 25 -j SNAT--to-source 10.7.33.100

COMMIT
# Completed on Sun Jun 25 22:41:19 2017

It works like a charm, but there is one problem: my mail server receivesall the connections from the router, which has its own private IPaddress (10.7.33.100), so the mail server can't enforce SPF policies norDNS RBL rules on incoming mail connections.

Is there a way to forward packets from the host to the router and fromthe router to the correct virtual server keeping the original source IPaddress?

Reply to:

Follow-Ups:
- Re: firewall rules for NAT
  - From: Dan Purgert <dan@djph.net>

Prev by Date: Re: Jessie --> Stretch upgrade, apt question
Next by Date: Re: Stretch upgrade from Jessie -- several issues
Previous by thread: Re: konsole blinking screen with irssi when ssh'd to NetBSD
Next by thread: Re: firewall rules for NAT
Index(es):
- Date
- Thread