
Iptables - Issues with NAT Masquerading

Amit Shil, Nov 18 2013 (edited Nov 19 2013)

Hello Folks,

I have a problem with iptables NAT masquerading; let me first explain the setup.

<Machine2> <---> Gateway <--> <Machine 3>

The Gateway is running the firewall.

Machine 2 (source network): note that it has the 10.10.10.0 network configured, but not 12.12.12.0.

[root@MACHINE2 ~]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:7a:39:05 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.5/24 brd 10.10.10.255 scope global eth5
    inet6 fe80::a00:27ff:fe7a:3905/64 scope link
       valid_lft forever preferred_lft forever
3: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:0f:38:4a brd ff:ff:ff:ff:ff:ff
    inet 192.168.25.4/24 brd 192.168.25.255 scope global eth3
    inet6 fe80::a00:27ff:fe0f:384a/64 scope link
       valid_lft forever preferred_lft forever
4: sit0: <NOARP> mtu 1480 qdisc noop state DOWN
    link/sit 0.0.0.0 brd 0.0.0.0

[root@MACHINE2 ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 eth5
192.168.25.0    0.0.0.0         255.255.255.0   U     0      0        0 eth3
0.0.0.0         10.10.10.4      0.0.0.0         UG    0      0        0 eth5

10.10.10.4 is the IP of the Gateway machine running the firewall.

Machine 3 (destination network, connected to the 12.12.12.0 network): note that it does not have the 10.10.10.0 network configured.

[root@MACHINE3 ~]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth4: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
    link/ether 08:00:27:0c:47:99 brd ff:ff:ff:ff:ff:ff
3: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:1a:5c:97 brd ff:ff:ff:ff:ff:ff
    inet 192.168.25.7/24 brd 192.168.25.255 scope global eth3
    inet6 fe80::a00:27ff:fe1a:5c97/64 scope link
       valid_lft forever preferred_lft forever
4: eth6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:40:20:35 brd ff:ff:ff:ff:ff:ff
    inet 12.12.12.1/24 brd 12.12.12.255 scope global eth6
    inet6 fe80::a00:27ff:fe40:2035/64 scope link
       valid_lft forever preferred_lft forever
5: sit0: <NOARP> mtu 1480 qdisc noop state DOWN
    link/sit 0.0.0.0 brd 0.0.0.0

[root@MACHINE3 ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
12.12.12.0      0.0.0.0         255.255.255.0   U     0      0        0 eth6
192.168.25.0    0.0.0.0         255.255.255.0   U     0      0        0 eth3
169.254.0.0     0.0.0.0         255.255.0.0     U     1004   0        0 eth6

Gateway - 10.10.10.4 (runs the firewall)

Filter table rules:

[root@Gateway ~]# iptables -nv -L
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
  111 36408 ACCEPT     udp  --  *      *       192.168.25.0/24      0.0.0.0/0           state NEW,ESTABLISHED /* Incoming NFS/UDP */ multiport dports 67,111,2049
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED /* Incoming ICMP */
  210 19220 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.25.0/24     state NEW,ESTABLISHED multiport dports 22,47001,2049,111 /* Incoming SSH/NFS */
 1405  330K LOGDROP    all  --  *      *       0.0.0.0/0            0.0.0.0/0           /* All Input DROP */

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
 3278  275K ACCEPT     all  --  eth1   eth2    0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED
 3276  275K ACCEPT     all  --  eth2   eth1    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 LOGDROP    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.25.0/24     state RELATED,ESTABLISHED /* Outgoing NFS */ multiport sports 67,111,2049
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
  114 12024 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED /* Outgoing ICMP */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED /* ICMP Originating */
  193 34145 ACCEPT     tcp  --  *      *       192.168.25.0/24      0.0.0.0/0           state RELATED,ESTABLISHED multiport sports 22,47001,2049,111 /* Outgoing SSH/NFS */
  847  265K LOGDROP    all  --  *      *       0.0.0.0/0            0.0.0.0/0           /* All Output Drop */

Chain LOGDROP (3 references)
pkts bytes target     prot opt in     out     source               destination
 2252  595K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           /* LOGGING CHAIN */ LOG flags 6 level 6 prefix `PACKET DROPPED-'
 2252  595K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

NAT table rules:

[root@Gateway ~]# iptables -nv -L -t nat
Chain PREROUTING (policy ACCEPT 2759 packets, 483K bytes)
pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
    2   168 MASQUERADE  all  --  *      eth2    10.10.10.0/24        0.0.0.0/0

Chain OUTPUT (policy ACCEPT 851 packets, 267K bytes)
pkts bytes target     prot opt in     out     source               destination

That's the setup across the network; now, this is what I don't understand.

When I ping Machine 3 from Machine 2, this is what happens (I get a response, as expected):

[root@MACHINE2 ~]# ping 12.12.12.1
PING 12.12.12.1 (12.12.12.1) 56(84) bytes of data.
64 bytes from 12.12.12.1: icmp_seq=1 ttl=63 time=8.08 ms
64 bytes from 12.12.12.1: icmp_seq=2 ttl=63 time=5.66 ms
64 bytes from 12.12.12.1: icmp_seq=3 ttl=63 time=3.89 ms
64 bytes from 12.12.12.1: icmp_seq=4 ttl=63 time=3.70 ms
64 bytes from 12.12.12.1: icmp_seq=5 ttl=63 time=5.23 ms
64 bytes from 12.12.12.1: icmp_seq=6 ttl=63 time=5.99 ms

When I trace the same ping on Machine 3 with tcpdump, to check whether my SNAT via MASQUERADE is working, I am getting mixed results.

Tracing on the MASQUERADE IP of the Gateway, I can see packets coming from the advertised IP:

[root@MACHINE3 ~]# tcpdump -i eth6 src 12.12.12.3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth6, link-type EN10MB (Ethernet), capture size 65535 bytes
23:02:13.931280 IP 12.12.12.3 > 12.12.12.1: ICMP echo request, id 40217, seq 87, length 64
23:02:14.933384 IP 12.12.12.3 > 12.12.12.1: ICMP echo request, id 40217, seq 88, length 64
23:02:15.939207 IP 12.12.12.3 > 12.12.12.1: ICMP echo request, id 40217, seq 89, length 64
23:02:16.946205 IP 12.12.12.3 > 12.12.12.1: ICMP echo request, id 40217, seq 90, length 64
23:02:17.951013 IP 12.12.12.3 > 12.12.12.1: ICMP echo request, id 40217, seq 91, length 64

Tracing on the real IP of Machine 2, I am still seeing results. This has me bewildered; can somebody explain why I am seeing the private network of Machine 2 exposed to Machine 3?

listening on eth6, link-type EN10MB (Ethernet), capture size 65535 bytes
23:03:41.476844 IP 10.10.10.5 > 12.12.12.1: ICMP echo request, id 40217, seq 174, length 64
23:03:42.481347 IP 10.10.10.5 > 12.12.12.1: ICMP echo request, id 40217, seq 175, length 64
23:03:43.484154 IP 10.10.10.5 > 12.12.12.1: ICMP echo request, id 40217, seq 176, length 64
23:03:44.494127 IP 10.10.10.5 > 12.12.12.1: ICMP echo request, id 40217, seq 177, length 64
23:03:45.503353 IP 10.10.10.5 > 12.12.12.1: ICMP echo request, id 40217, seq 178, length 64

For the love of god, I am unable to explain this behaviour myself. Any replies appreciated.

Regards Amit
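A defender-side check for exactly this kind of capture, added here as an example; it is not part of Amit's post and not an Oracle or netfilter tool. It parses tcpdump lines recorded on the destination host and flags every packet whose source address belongs to a network that should have been hidden behind the gateway's MASQUERADE rule. The hidden-network list (10.10.10.0/24 from the post plus the other RFC 1918 ranges) and the expected masquerade address 12.12.12.3 are assumptions taken from the setup above; the ten ICMP lines in the sample capture are the ones from the post, and the final two packet lines (a TCP SYN and a TEST-NET-2 source) are constructed.

```python
import ipaddress
import re
from collections import Counter

# Source networks that must never be visible on the far side of the gateway.
# 10.10.10.0/24 is Machine 2's network from the post; the other three are the
# remaining RFC 1918 ranges, included here as an assumption.
HIDDEN_NETWORKS = [
    ipaddress.ip_network("10.10.10.0/24"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Address the gateway is expected to masquerade behind (12.12.12.3 in the post).
EXPECTED_NAT_SOURCE = ipaddress.ip_address("12.12.12.3")

# tcpdump -n prints "IP src > dst:" for ICMP and "IP src.port > dst.port:" for
# TCP/UDP; everything after the colon is protocol detail this check ignores.
PACKET_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>[^:]+):")


def host_part(token):
    """Strip a trailing '.port' from a tcpdump endpoint and parse the IPv4 address.

    Returns None for tokens that are not dotted-quad addresses (for example
    resolved hostnames when tcpdump is run without -n).
    """
    parts = token.split(".")
    if len(parts) == 5:          # a.b.c.d.port
        parts = parts[:4]
    try:
        return ipaddress.ip_address(".".join(parts))
    except ValueError:
        return None


def classify(line):
    """Return a record for one IPv4 packet line, or None for non-packet output."""
    m = PACKET_RE.match(line)
    if m is None:
        return None
    src = host_part(m.group("src"))
    dst = host_part(m.group("dst"))
    if src is None or dst is None:
        return None
    if src == EXPECTED_NAT_SOURCE:
        verdict = "masqueraded"      # source was rewritten by the gateway
    elif any(src in net for net in HIDDEN_NETWORKS):
        verdict = "leaked"           # private source crossed untranslated
    else:
        verdict = "other"            # some unrelated host on this segment
    return {"ts": m.group("ts"), "src": str(src), "dst": str(dst), "verdict": verdict}


def audit(capture_lines):
    """Classify every packet line; return (records, verdict counts, leaked sources)."""
    records = [r for r in (classify(ln) for ln in capture_lines) if r is not None]
    counts = Counter(r["verdict"] for r in records)
    leaked = sorted({r["src"] for r in records if r["verdict"] == "leaked"})
    return records, counts, leaked


# Sample capture: the ten ICMP lines are the ones seen on Machine 3 in the post;
# the last two packet lines (a TCP SYN and a TEST-NET-2 source) are constructed.
SAMPLE_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth6, link-type EN10MB (Ethernet), capture size 65535 bytes
23:02:13.931280 IP 12.12.12.3 > 12.12.12.1: ICMP echo request, id 40217, seq 87, length 64
23:02:14.933384 IP 12.12.12.3 > 12.12.12.1: ICMP echo request, id 40217, seq 88, length 64
23:02:15.939207 IP 12.12.12.3 > 12.12.12.1: ICMP echo request, id 40217, seq 89, length 64
23:02:16.946205 IP 12.12.12.3 > 12.12.12.1: ICMP echo request, id 40217, seq 90, length 64
23:02:17.951013 IP 12.12.12.3 > 12.12.12.1: ICMP echo request, id 40217, seq 91, length 64
23:03:41.476844 IP 10.10.10.5 > 12.12.12.1: ICMP echo request, id 40217, seq 174, length 64
23:03:42.481347 IP 10.10.10.5 > 12.12.12.1: ICMP echo request, id 40217, seq 175, length 64
23:03:43.484154 IP 10.10.10.5 > 12.12.12.1: ICMP echo request, id 40217, seq 176, length 64
23:03:44.494127 IP 10.10.10.5 > 12.12.12.1: ICMP echo request, id 40217, seq 177, length 64
23:03:45.503353 IP 10.10.10.5 > 12.12.12.1: ICMP echo request, id 40217, seq 178, length 64
23:03:46.100000 IP 10.10.10.5.40022 > 12.12.12.1.22: Flags [S], seq 0, win 29200, length 0
23:03:46.200000 IP 198.51.100.7 > 12.12.12.1: ICMP echo request, id 1, seq 1, length 64
""".splitlines()

if __name__ == "__main__":
    _, counts, leaked = audit(SAMPLE_CAPTURE)
    print(dict(counts))
    print("untranslated private sources:", leaked)
```

Feed it the output of `tcpdump -n -i eth6` saved on the destination side; any "leaked" verdict means a packet reached that segment without source translation, which is the exposure the post is asking about. The check judges every packet on the wire rather than rule counters, which matters because the nat table is only consulted for the first packet of a connection-tracking entry: a flow whose conntrack entry was created before the MASQUERADE rule was loaded keeps its original source for as long as that entry lives, and the rule's packet counter will not tell you so.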
