[Firewall] NAT Loopback, code review

Lonnie Abelbeck lists at lonnie.abelbeck.com
Thu Oct 11 07:20:10 CEST 2012


Hi,

After further testing it seems the POSTROUTING rules are not necessary since the CONNTRACK is allowing the return path, so rewriting the return seems unnecessary.

Also, if the server is in another LAN it is unreachable (by default) unless a FORWARD hole is created.  This version adds a new variable NAT_LOOPBACK_FORWARD, if
--
NAT_LOOPBACK_FORWARD=1
--
the FORWARD rule to the server is created for all subnets in NAT_LOOPBACK_NET.

Attached is the latest version, with optional FORWARD rules added and commented out POSTROUTING rules.

Lonnie

-------------- next part --------------
A non-text attachment was scrubbed...
Name: custom-rules
Type: application/octet-stream
Size: 3165 bytes
Desc: not available
URL: <http://rocky.eld.leidenuniv.nl/pipermail/firewall/attachments/20121011/676ed42e/attachment.obj>
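The following is an added illustration of the NAT loopback rules discussed in this thread, written in the style of an AIF "custom-rules" hook; it is not the attached custom-rules script. It reuses the thread's variable names, handles both TCP and UDP entries and the port-remap form, and assumes the "extport>host~intport" entry format (with ~intport optional), the EXT_IF name, and a hypothetical NAT_LOOPBACK_SNAT knob for the POSTROUTING rules the thread leaves commented out.

```shell
#!/bin/sh
# Added example of an AIF-style "custom-rules" NAT loopback hook (not the
# attached script). Variable names follow the thread; the "extport>host~intport"
# entry format (~intport optional) and the EXT_IF name are assumptions.
# Rules are printed instead of applied unless APPLY=1, so it runs offline.

EXT_IF="${EXT_IF:-eth0}"
NAT_LOOPBACK_NET="${NAT_LOOPBACK_NET:-192.168.1.0/24 192.168.2.0/24}"   # constructed
NAT_FORWARD_TCP="${NAT_FORWARD_TCP:-80>192.168.1.10 2222>192.168.2.20~22}" # constructed
NAT_FORWARD_UDP="${NAT_FORWARD_UDP:-}"
NAT_LOOPBACK_FORWARD="${NAT_LOOPBACK_FORWARD:-1}"
NAT_LOOPBACK_SNAT="${NAT_LOOPBACK_SNAT:-0}"   # hypothetical knob, not an AIF variable

ipt() { if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi; }

# First IPv4 address of the external interface (assumption 3 in the thread);
# EXT_IP may be preset to skip the lookup.
ext_ipv4() {
  if [ -n "$EXT_IP" ]; then echo "$EXT_IP"; return; fi
  ip -4 -o addr show dev "$EXT_IF" | awk '{split($4,a,"/"); print a[1]; exit}'
}

# Emit loopback rules for one (src net, external IP, proto, "extport>host[~intport]").
nat_loopback_rules() {
  net=$1 extip=$2 proto=$3 entry=$4
  extport=${entry%%>*}; target=${entry#*>}
  host=${target%%~*}
  case "$target" in *~*) intport=${target#*~} ;; *) intport=$extport ;; esac
  # Hairpin: LAN client -> external IP gets rewritten to the internal server.
  ipt -t nat -A PREROUTING -s "$net" -d "$extip" -p "$proto" --dport "$extport" \
      -j DNAT --to-destination "$host:$intport"
  # Hole so a server on another LAN is reachable (NAT_LOOPBACK_FORWARD=1).
  [ "$NAT_LOOPBACK_FORWARD" = 1 ] && ipt -A FORWARD -s "$net" -d "$host" \
      -p "$proto" --dport "$intport" -m conntrack --ctstate NEW -j ACCEPT
  # Optional SNAT for client and server on the same subnet: without it the server
  # answers the client directly and the firewall's conntrack never sees the reply.
  [ "$NAT_LOOPBACK_SNAT" = 1 ] && ipt -t nat -A POSTROUTING -s "$net" -d "$host" \
      -p "$proto" --dport "$intport" -j SNAT --to-source "$extip"
  return 0
}

custom_nat_loopback() {
  extip=$(ext_ipv4)
  [ -n "$extip" ] || { echo "no IPv4 address on $EXT_IF" >&2; return 1; }
  for net in $NAT_LOOPBACK_NET; do
    for e in $NAT_FORWARD_TCP; do nat_loopback_rules "$net" "$extip" tcp "$e"; done
    for e in $NAT_FORWARD_UDP; do nat_loopback_rules "$net" "$extip" udp "$e"; done
  done
}
```

Run it without APPLY to review the generated rules first; with the constructed defaults it emits one DNAT and one FORWARD rule per (subnet, entry) pair and no POSTROUTING rules.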

On Oct 10, 2012, at 4:12 PM, Lonnie Abelbeck wrote:

> Hi, Eli and others that would like to test a NAT Loopback feature.
> 
> A "custom-rules" script is attached.  The feature can be easily disabled by commenting out the last "custom_nat_loopback" line and restarting AIF.  It uses the existing NAT_FORWARD_TCP and NAT_FORWARD_UDP rules, so no configuring is needed.
> 
> Though, the variable NAT_LOOPBACK_NET can define what local nets the rules apply to; if not defined, NAT_INTERNAL_NET is used by default.
> 
> Please take a look at this script, a code review of sorts.  Do we need to restrict the iptables rules any more?
> 
> It seems to work in my tests.
> 
> Assumptions:
> 1) Static external IPv4 address, or the firewall is reloaded if/when the external address changes.
> 
> 2) AIF is started after the external interface is defined, on system startup.
> 
> 3) If more than one external interface is defined, only the first is used to extract the default IPv4 address.
> 
> Please report results.
> 
> 
> Lonnie
> 
> PS: Some time ago Arno received an email from Guzman Braso with a somewhat different (and clever) approach; unfortunately I was not able to get it to work.  If Guzman is listening and has suggestions, please do.
> 
> 
> <custom-rules>
> 