
Re: firewall rules for NAT





On 27 Jun 2017 9:29 pm, "Lucio Crusca" <lucio@sulweb.org> wrote:
> On 26/06/2017 11:35, Dan Purgert wrote:
>> That shouldn't be happening -- you may have an errant rule you didn't
>> show
>
> I think I did show that rule:
>
> -A POSTROUTING -d 10.7.33.109/32 -p tcp -m tcp --dport 25 -j SNAT --to-source 10.7.33.100

Yes, you do need that rule: when not using MASQUERADE you have to use SNAT, or you'll get timeouts, as you found out.

Your problem is that something changes the source IP of the packets sent from the router VM to the mail server one, NOT the other way around. The only candidates I can see in your config, assuming you have shown us the full configs, are these rules:

-A POSTROUTING -s 10.7.33.0/24 ! -d 10.7.33.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 10.7.33.0/24 ! -d 10.7.33.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 10.7.33.0/24 ! -d 10.7.33.0/24 -j MASQUERADE

but they look OK to me, to be honest: they change the source IP of the packets, but only if the destination is not the 10.7.33.0/24 subnet, which should not cause the issue you are seeing.


> The problem is that without that rule things do not work at all (connections time out).
>
> For example, I've tried adding only the DNAT rule for TCP port 26, without the SNAT rule above, forwarded to the same mail server.
>
> Then from the client I've tried to open a TCP connection on port 26:
>
> echo hello | netcat 1.2.3.4 26
>
> In the physical host system I get:
>
> Jun 27 13:21:09 hostmachine kernel: [2479354.931255] IN=eth0 OUT= MAC=74:d0:2b:99:a1:f5:2c:21:31:28:a6:fb:08:00 SRC="" DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=18186 DF PROTO=TCP SPT=51600 DPT=26 WINDOW=29200 RES=0x00 SYN URGP=0
>
> In the router virtual machine I get:
>
> Jun 27 13:21:34 router kernel: [2479319.331492] IN=eth0 OUT= MAC=52:54:00:02:90:d2:52:54:00:f0:37:ba:08:00 SRC="" DST=10.7.33.100 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=18186 DF PROTO=TCP SPT=51600 DPT=26 WINDOW=29200 RES=0x00 SYN URGP=0
>
> In the mail server virtual machine I get:
>
> Jun 27 13:21:09 mx kernel: [2479308.578043] IN=ens2 OUT= MAC=52:54:00:8d:4c:2a:52:54:00:02:90:d2:08:00 SRC="" DST=10.7.33.109 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=18186 DF PROTO=TCP SPT=51600 DPT=26 WINDOW=29200 RES=0x00 SYN URGP=0
>
> So the packet actually reaches the mail server as expected. However the client never gets a reply.
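Added example, not part of the thread and not anyone's actual configuration: a small Python model of the router VM's NAT path (DNAT in PREROUTING, optional SNAT in POSTROUTING, a conntrack table that reverses both on the reply) plus the mail server's routing decision. The addresses 1.2.3.4, 10.7.33.100 and 10.7.33.109, port 26 and source port 51600 are taken from the logs above; the client address 203.0.113.10 and the mail server's default gateway 10.7.33.1 are constructed. The model assumes something the thread does not state, namely that the mail server's default gateway is a host other than the router VM. Under that assumption the SYN-ACK for a DNAT-only connection leaves through that other gateway, never passes the conntrack entry that did the DNAT, and so never gets its source turned back into 1.2.3.4:26, which matches the symptom described (SYN reaches mx, client sees no reply). With the SNAT rule the mail server addresses its reply to 10.7.33.100, on-link, so the router reverses both translations.

```python
"""Toy model of the DNAT + SNAT path discussed in the thread (added example).

From the thread: client hits 1.2.3.4:26, the router VM DNATs it to the mail
server 10.7.33.109, and the router's LAN address is 10.7.33.100.
Constructed assumptions: the client is 203.0.113.10 and the mail server's
default gateway is 10.7.33.1, a host other than the router VM.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

LAN = ip_network("10.7.33.0/24")
ROUTER_WAN = "1.2.3.4"        # from the thread
ROUTER_LAN = "10.7.33.100"    # from the thread
MX = "10.7.33.109"            # from the thread
MX_GW = "10.7.33.1"           # ASSUMPTION: mx's default gateway, not the router VM
CLIENT = "203.0.113.10"       # constructed client address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = "SYN"

    def reply(self, flags="SYN,ACK"):
        """The packet the receiver would send back for this one."""
        return Packet(self.dst, self.dport, self.src, self.sport, flags)


class Router:
    """Netfilter-style NAT: DNAT in PREROUTING, optional SNAT in POSTROUTING,
    and a conntrack table that reverses both translations on the reply."""

    def __init__(self, dnat_port, use_snat):
        self.dnat_port = dnat_port
        self.use_snat = use_snat
        self.conntrack = {}   # expected reply tuple -> original packet

    def forward(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:
            # Reply direction: undo DNAT and SNAT in one step.
            return self.conntrack[key].reply(pkt.flags)
        out = pkt
        # -A PREROUTING -d 1.2.3.4 -p tcp --dport <port> -j DNAT --to-destination 10.7.33.109
        if out.dst == ROUTER_WAN and out.dport == self.dnat_port:
            out = replace(out, dst=MX)
        # -A POSTROUTING -d 10.7.33.109 -p tcp --dport <port> -j SNAT --to-source 10.7.33.100
        if self.use_snat and out.dst == MX and out.dport == self.dnat_port:
            out = replace(out, src=ROUTER_LAN)
        # Remember what the reply to the translated packet will look like.
        self.conntrack[(out.dst, out.dport, out.src, out.sport)] = pkt
        return out


def mx_next_hop(pkt):
    """Mail server routing decision: on-link for 10.7.33.0/24, else default gateway."""
    return pkt.dst if ip_address(pkt.dst) in LAN else MX_GW


def simulate(use_snat, dnat_port=26, client_port=51600):
    """Send one SYN from the client and report where the SYN-ACK ends up."""
    router = Router(dnat_port, use_snat)
    syn = Packet(CLIENT, client_port, ROUTER_WAN, dnat_port)
    to_mx = router.forward(syn)              # what the mx log line shows arriving
    synack = to_mx.reply()
    hop = mx_next_hop(synack)
    if hop == ROUTER_LAN:
        at_client = router.forward(synack)   # router reverses DNAT/SNAT via conntrack
    else:
        # Reply leaves through the other gateway: the router never sees it, so
        # it still carries src 10.7.33.109:26, which matches no socket on the
        # client (and is not routable from the Internet anyway). ASSUMPTION:
        # the other gateway forwards it unchanged; rewriting it would not help.
        at_client = synack
    return {
        "mx_sees_src": to_mx.src,
        "reply_via": hop,
        "client_accepts": at_client == syn.reply(),
    }


if __name__ == "__main__":
    for use_snat in (False, True):
        print("SNAT" if use_snat else "DNAT only", simulate(use_snat))
```

Two practical notes. First, the SNAT fix has a cost the thread does not mention: the mail server then sees every inbound connection as coming from 10.7.33.100, so its own logs, rate limiting and any IP-based anti-spam checks lose the real client address; pointing the mail server's default route at the router VM avoids that, if the topology allows it. Second, the rule quoted above is for port 25 while the test used port 26, so a DNAT-only test on 26 would not have been covered by it in any case.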


