
Re: Firewall POSTROUTING problem



Alain D D Williams wrote:

> Hi,
> 
> I have problems getting POSTROUTING to work on a Debian 10 box.
> 
> Setup:
> 
> INTERNET ... Broadband modem 192.168.108.1
> 
> Network internal to the Debian box for virtual machines 10.239.239.0/24
> 
> Debian has address 192.168.108.2 (interface enp3s0) and 10.239.239.254
> (interface br0)
> 
> Processes on Debian 10 can talk to the Internet
> 
> Processes on virtual machines (eg 10.239.239.23) can talk to the Debian
> machine (ie 192.168.108.2) on which they are hosted.
> 
> If on 10.239.239.23 I ping the BBC (212.58.249.145) and look with a packet
> sniffer on the BB modem I see outgoing addresses 10.239.239.23
> 
> This should not happen. I am running an iptables firewall that should fix
> this with the rule below:
> 
> iptables -t nat -A POSTROUTING -s 10.239.239.0/24 -j SNAT --to-source 192.168.108.2
> 
> I have tried variations like:
> iptables -t nat -A POSTROUTING -o enp3s0 -j SNAT --to-source 192.168.108.2
> 
> 
> It is as if the POSTROUTING rule is being ignored.
> 
> This seems to be confirmed by the output below which shows that 0 packets
> have been through POSTROUTING.
> 
> Can anyone shed any light on this?

I remember it was not only the POSTROUTING. Maybe I am wrong, but I think
FORWARD and OUTPUT are important.
I also wonder why you are mixing up the -s and --to-source. You should be
using the local address for -s and --to-source for the translation (the
outgoing address 10.239.239.23).

I later switched to shorewall, and since it generates the iptables rules for
me, I now just have to put some values in a config and end up with
something like:

# iptables-save  | grep eth0
:eth0_masq - [0:0]
-A PREROUTING -i eth0 -j net_dnat
-A POSTROUTING -o eth0 -j eth0_masq
-A eth0_masq -s 192.168.xxx.0/24 -j SNAT --to-source 10.0.xxx.1
-A INPUT -i eth0 -j net-fw
-A FORWARD -i eth0 -j net_frwd
-A OUTPUT -o eth0 -j ACCEPT
-A dmz_frwd -o eth0 -j dmz-net
-A loc_frwd -o eth0 -j ACCEPT
-A vpn_frwd -o eth0 -j vpn-net


-- 
FCD6 3719 0FFB F1BF 38EA 4727 5348 5F1F DCFE BCB0
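Added example, not from either message in this thread: the complete rule set a NAT gateway needs (forwarding enabled, FORWARD passing the traffic, POSTROUTING doing the SNAT), plus an offline check of an `iptables-save -c` dump that distinguishes a missing SNAT rule from one that is loaded but has matched no packets. The interface names and addresses are the ones from the original question; the FORWARD policy and the constructed dumps are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): rule set for the Debian host in the
# question plus an offline audit of an `iptables-save -c` dump.
WAN_IF=enp3s0
WAN_IP=192.168.108.2
VM_NET=10.239.239.0/24

# Print the commands to run as root on the Debian host. Forwarding must be on
# and FORWARD must pass the traffic, or POSTROUTING never sees a packet.
nat_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -i br0 -o $WAN_IF -s $VM_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o br0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j DROP
iptables -t nat -A POSTROUTING -o $WAN_IF -s $VM_NET -j SNAT --to-source $WAN_IP
EOF
}

# Read an iptables-save -c dump on stdin and print one word:
#   missing - no matching SNAT rule in the nat table
#   idle    - rule present but 0 packets matched (nat rules are consulted only
#             for the first packet of a connection, so flows already tracked
#             before the rule was loaded keep their private source address)
#   active  - rule present and packets have matched it
snat_state() {
  awk -v net="$VM_NET" -v ifc="$WAN_IF" -v ip="$WAN_IP" '
    /^\*/ { table = substr($0, 2) }
    table == "nat" && index($0, "-A POSTROUTING ") && index($0, "-s " net) &&
      index($0, "-o " ifc) && index($0, "-j SNAT --to-source " ip) {
        state = "idle"
        pk = $1; sub(/^\[/, "", pk); sub(/:.*/, "", pk)
        if ($1 ~ /^\[/ && pk + 0 > 0) state = "active"
    }
    END { print (state == "" ? "missing" : state) }'
}

# Constructed dumps used to exercise snat_state without touching a live kernel.
DUMP_MISSING='*nat
:POSTROUTING ACCEPT [0:0]
COMMIT'
DUMP_IDLE='*nat
:POSTROUTING ACCEPT [0:0]
[0:0] -A POSTROUTING -s 10.239.239.0/24 -o enp3s0 -j SNAT --to-source 192.168.108.2
COMMIT'
DUMP_ACTIVE=$(printf '%s\n' "$DUMP_IDLE" | sed 's/^\[0:0\] -A/[57:4788] -A/')

printf '%s\n' "$DUMP_IDLE" | snat_state   # prints: idle
```

On a real host, feed `iptables-save -c | snat_state` after a test ping from a VM; `idle` with the rule visible points at conntrack holding a pre-existing untranslated flow rather than at the rule itself.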
