[Firewall] NAT Loopback, code review

Lonnie Abelbeck lists at lonnie.abelbeck.com
Thu Oct 11 15:12:35 CEST 2012


Eli,

OK, the NAT_POSTROUTING_CHAIN rules are back in, thanks.

> K... found another issue. If I try to access internal http services from the gateway itself I get connection refused messages.

When you say this, are you on the AIF box itself and then trying to NAT via the External address?  I don't think that will work.

My bench test example:

External IPv4 is 10.10.50.62

NAT_FORWARD_TCP="0/0~12345>192.168.110.20~80"

NAT_LOOPBACK_NET and NAT_LOOPBACK_FORWARD not defined (default).

$ curl http://10.10.50.62:12345

works both outside to the external interface and from the internal interfaces, but when attempted from the AIF box itself it does not work because there is no PREROUTING call.  I don't think that can be fixed.

$ curl http://192.168.110.20:80

still works from the AIF box, even though it gets SNAT'ed via POSTROUTING.

For completeness, the 'current' version is enclosed, just uncommenting the NAT_POSTROUTING_CHAIN rules.

Lonnie

-------------- next part --------------
A non-text attachment was scrubbed...
Name: custom-rules
Type: application/octet-stream
Size: 3157 bytes
Desc: not available
URL: <http://rocky.eld.leidenuniv.nl/pipermail/firewall/attachments/20121011/a516a422/attachment.obj>
-------------- next part --------------



On Oct 11, 2012, at 4:19 AM, Eli Wapniarski wrote:

> K... found another issue. If I try to access internal http services from the gateway itself I get connection refused messages.
> 
> Eli
> 
> Quoting Lonnie Abelbeck <lists at lonnie.abelbeck.com>:
> 
>> Hi Eli,
>> 
>> Hmmm, try uncommenting the ip4tables ... NAT_POSTROUTING_CHAIN lines (2 sets of 2 lines each) and see if that fixes it.
>> 
>> Perhaps some sort of redirect at the HTTPS server is not matching the original CONNTRACK?
>> 
>> Shame to have to also build the NAT_POSTROUTING_CHAIN for these special cases, but so it may be.
>> 
>> Thanks for testing,
>> 
>> Lonnie
>> 
>> 
>> 
>> On Oct 11, 2012, at 12:29 AM, Eli Wapniarski wrote:
>> 
>>> Hi Lonnie
>>> 
>>> Yay... Thank you for all the work that you are putting into this. :)
>>> 
>>> The first custom-rule worked like a charm with http and https. I have not had a
>>> chance to test it with other services yet.
>>> 
>>> The second one worked with http, but not with https.
>>> 
>>> Thanks again.
>>> 
>>> Eli
>>> 
>>> 
>>> On Thursday 11 October 2012 00:20:10 Lonnie Abelbeck wrote:
>>>> Hi,
>>>> 
>>>> After further testing it seems the POSTROUTING rules are not necessary since
>>>> the CONNTRACK is allowing the return path, so rewriting the return seems
>>>> unnecessary.
>>>> 
>>>> Also, if the server is in another LAN it is unreachable (by default) unless
>>>> a FORWARD hole is created.  This version adds a new variable
>>>> NAT_LOOPBACK_FORWARD, if --
>>>> NAT_LOOPBACK_FORWARD=1
>>>> --
>>>> the FORWARD rule to the server is created for all subnets in
>>>> NAT_LOOPBACK_NET.
>>>> 
>>>> Attached is the latest version, with optional FORWARD rules added and
>>>> commented out POSTROUTING rules.
>>>> 
>>>> Lonnie
>>> _______________________________________________
>>> Firewall mailing list
>>> Firewall at rocky.eld.leidenuniv.nl
>>> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
>>> Arno's (Linux IPTABLES Firewall) Homepage:
>>> http://rocky.eld.leidenuniv.nl
>>> 
>>> 
>> 
> 
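The bench-test configuration from the top of this message, as an added example that is not part of the thread and not the custom-rules attachment: a shell function that expands one AIF-style NAT_FORWARD_TCP entry (the source~extport>host~intport syntax used above) into the iptables rules behind NAT loopback and prints them rather than applying them. It uses the plain PREROUTING, POSTROUTING, FORWARD and OUTPUT chains so the output reads on its own (AIF hooks its rules into its own NAT_*_CHAIN chains); the function names, the print-only behaviour and the IPT variable are this example's own. Two points it makes explicit that the thread only touches on: the POSTROUTING SNAT is what stops a client and server on the same subnet from short-circuiting the firewall (when the client is on another subnet routed through the gateway, conntrack alone carries the return path, as observed above), and packets the gateway generates itself never traverse PREROUTING; they enter the nat table in the OUTPUT chain, which is why the curl from the AIF box fails in the bench test.

```shell
#!/bin/sh
# Added example (not the custom-rules attachment from the thread): expand one
# AIF-style NAT_FORWARD_TCP entry into the iptables rules that give NAT
# loopback (hairpin NAT), printing them instead of applying them.
#
# Entry syntax as used on the list:  "source~extport>host~intport", e.g.
#   0/0~12345>192.168.110.20~80
# A missing or "0/0" source means any source; a missing internal port
# defaults to the external port.

IPT="${IPT:-iptables}"   # assumption: name of the iptables binary

# parse_nat_forward ENTRY  ->  prints "src extport host intport"
parse_nat_forward() {
    pf_lhs="${1%%>*}"               # "0/0~12345"
    pf_rhs="${1#*>}"                # "192.168.110.20~80"
    case "$pf_lhs" in
        *~*) pf_src="${pf_lhs%%~*}"; pf_extport="${pf_lhs#*~}" ;;
        *)   pf_src="";              pf_extport="$pf_lhs" ;;
    esac
    case "$pf_rhs" in
        *~*) pf_host="${pf_rhs%%~*}"; pf_intport="${pf_rhs#*~}" ;;
        *)   pf_host="$pf_rhs";       pf_intport="$pf_extport" ;;
    esac
    case "$pf_src" in ""|0/0) pf_src="0.0.0.0/0" ;; esac
    printf '%s %s %s %s\n' "$pf_src" "$pf_extport" "$pf_host" "$pf_intport"
}

# nat_loopback_rules ENTRY EXT_IP [NAT_LOOPBACK_NET] [NAT_LOOPBACK_FORWARD]
#   EXT_IP               external IPv4 address of the gateway
#   NAT_LOOPBACK_NET     internal subnets allowed to use the external address
#                        (space separated; empty = no hairpin rules, the
#                        bench-test default)
#   NAT_LOOPBACK_FORWARD 1 to also open FORWARD from those subnets to the server
nat_loopback_rules() {
    nl_entry="$1"; nl_ext="$2"; nl_nets="${3:-}"; nl_fwd="${4:-0}"
    set -- $(parse_nat_forward "$nl_entry")
    nl_src="$1"; nl_extport="$2"; nl_host="$3"; nl_intport="$4"

    # 1. Ordinary port forward: rewrite the destination on the way in.
    echo "$IPT -t nat -A PREROUTING -s $nl_src -d $nl_ext -p tcp --dport $nl_extport -j DNAT --to-destination $nl_host:$nl_intport"

    for nl_net in $nl_nets; do
        # 2. DNAT for clients on the internal subnet (matters when the entry's
        #    source is narrower than 0/0; redundant, but harmless, otherwise).
        echo "$IPT -t nat -A PREROUTING -s $nl_net -d $nl_ext -p tcp --dport $nl_extport -j DNAT --to-destination $nl_host:$nl_intport"
        # 3. Hairpin SNAT. If client and server share a subnet the server
        #    would reply straight to the client, bypassing the firewall; the
        #    client then gets a reply from an address it never contacted and
        #    resets the connection. Rewriting the client's source to the
        #    gateway's external address forces the reply back through
        #    conntrack. A client on a different subnet routed via the gateway
        #    does not need this, which is what the earlier test in the thread saw.
        echo "$IPT -t nat -A POSTROUTING -s $nl_net -d $nl_host -p tcp --dport $nl_intport -j SNAT --to-source $nl_ext"
        # 4. Optional FORWARD hole when the server lives in another LAN.
        if [ "$nl_fwd" = 1 ]; then
            echo "$IPT -A FORWARD -s $nl_net -d $nl_host -p tcp --dport $nl_intport -j ACCEPT"
        fi
    done

    # 5. The gateway itself: locally generated packets never pass PREROUTING;
    #    they enter the nat table in OUTPUT, so reaching the service via the
    #    external address from the box needs an OUTPUT DNAT.
    echo "$IPT -t nat -A OUTPUT -d $nl_ext -p tcp --dport $nl_extport -j DNAT --to-destination $nl_host:$nl_intport"
}

# Bench-test values from the thread, plus a loopback net and FORWARD enabled:
nat_loopback_rules "0/0~12345>192.168.110.20~80" 10.10.50.62 "192.168.110.0/24" 1
```

The printed rules can be reviewed and then piped to sh on the gateway. The price of the hairpin SNAT is that the server sees the gateway's external address as the client, so server-side logs and any access control keyed on the client IP no longer see the real internal host; keep NAT_LOOPBACK_NET as narrow as the subnets that actually need it.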


