Iptables and SNAT


I am a newbie to iptables with NAT. My network setup is as shown below

                  linuxbox2 (192.x.y.a)
                          |
(194.160.1.1)             |
linuxbox1(eth1)-------- Switch ----- ftpserver
(192.x.y.b)        

BOX1 and BOX2 are in VLAN tagging via the switch. BOX1 is in a VLAN tag with the FTP server. So BOX2, in order to connect to the FTP server, has to route via BOX1, which has to do POSTROUTING (SNAT) and send the FTP packets to the FTP server.

The eth1 interface is configured with 2 IP addresses, one public and one private.

All the traffic from BOX2 is routed to BOX1. I added the following rules to my iptables setup on BOX1:

$IPTABLES -t mangle -A PREROUTING -p tcp --dport 21 -s 192.x.y.a -j ACCEPT
$IPTABLES -t mangle -A FORWARD -p tcp --dport 21 -s 192.x.y.a -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s 192.x.y.a -p tcp --dport 21 -j SNAT --to-source 194.160.1.1

Editing the question with new updates

If I ping from BOX2 to BOX1 it works fine. If I try to FTP to the FTP server, then the NAT table in the iptables script on BOX1 is invoked, and the FTP is not successful.

If I run tcpdump on eth1, I do see FTP packets coming from BOX2 to BOX1 but no packets leaving BOX1 for the FTP server.

IP 192.x.y.a.45388 > 10.p.q.r.21(ftpserver): S 1380128644:1380128644(0) win 5840 <mss 1460,sackOK,timestamp 16897 0,nop,wscale 2>
IP 192.x.y.a.45388 > 10.p.q.r.21: S 1380128644:1380128644(0) win 5840
IP 192.x.y.a.45388 > 10.p.q.r.21: S 1380128644:1380128644(0) win 5840

Actually 3 packets are sent from BOX2 to BOX1. The counters for the various chains like PREROUTING and FORWARD show a count of 3, while the POSTROUTING chain in the NAT table shows a count of 1. But tcpdump doesn't show any packet leaving for the FTP server.

Now, after some tweaking and adding LOG rules to iptables, I found out that after getting NATted the packets are routed towards eth0 of BOX1. So I fixed the routing, and now the packets are leaving through eth1 to the FTP server, and packets are coming back from the FTP server to eth1.

But a new problem starts here. My iptables setup says: only packets that have an appropriate rule in iptables are accepted [this might be contrary to others' usage], else they are DROPPED.

My doubt is this: the destination IP address of the packet is the public IP address of eth1, which is on BOX1. At the routing decision, will the packet still be accepted for routing so that it goes through FORWARD?

I see that routing is not done and the packet is treated as a local packet, which gets DROPPED since there is no appropriate rule for it ...

I heard that the connection tracking mechanism maintains data about packets that have undergone NATting, so when does the packet's source address get converted back to the original destination address?

Check the netfilter packet flow image for more clarification
http://l7-filter.sourceforge.net/PacketFlow.png

NOTE: All my iptables rules should be based on IP addresses, not on interfaces, as there is a chance of the interface names changing but not the IP addresses.

Best Answer

Remove the three rules you have above and try adding this:

$IPTABLES -t nat -A POSTROUTING -s 192.x.y.a -j SNAT --to-source 192.x.y.b
$IPTABLES -A FORWARD -s 192.x.y.a -j ACCEPT

And enter the following command:

echo 1 > /proc/sys/net/ipv4/ip_forward

You should also have a rule similar to the following in your firewall:

$IPTABLES -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

That will take care of all established/related connections, instead of making a rule for each one.
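The answer's setup as one script, added here as an example (it is not code from the question or the answer), narrowed to the asker's "only explicitly allowed traffic passes" policy and with the FTP conntrack helper the answer does not mention. The addresses are constructed RFC 5737 documentation values standing in for the masked ones in the question; the script only prints the commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example (not from the question or the answer): the answer's SNAT setup,
# kept compatible with the asker's default-DROP policy. Addresses are constructed
# RFC 5737 documentation values standing in for the masked ones in the question.
BOX2_IP="192.0.2.10"        # the routed host, the question's 192.x.y.a
SNAT_IP="198.51.100.1"      # address on BOX1's eth1 that packets leave with
FTP_SERVER="203.0.113.21"   # the FTP server reached through BOX1
IPT=iptables                # the question's $IPTABLES

# Print each command in dry-run mode (the default); execute it when DRY_RUN=0.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

snat_router_rules() {
    # Same effect as 'echo 1 > /proc/sys/net/ipv4/ip_forward'.
    run sysctl -w net.ipv4.ip_forward=1
    # FTP data channels only become RELATED if the ftp helper tracks the
    # control channel; recent kernels need the helper assigned explicitly.
    run modprobe nf_conntrack_ftp
    run modprobe nf_nat_ftp
    run "$IPT" -t raw -A PREROUTING -s "$BOX2_IP" -d "$FTP_SERVER" \
        -p tcp --dport 21 -j CT --helper ftp
    # Rewrite the source only for BOX2's FTP traffic, not everything it sends.
    run "$IPT" -t nat -A POSTROUTING -s "$BOX2_IP" -d "$FTP_SERVER" \
        -p tcp --dport 21 -j SNAT --to-source "$SNAT_IP"
    # Routed packets traverse FORWARD in the filter table (the default table,
    # so no -t is needed): allow BOX2's new control connections, and replies or
    # related data connections in either direction.
    run "$IPT" -A FORWARD -s "$BOX2_IP" -d "$FTP_SERVER" -p tcp --dport 21 \
        -m conntrack --ctstate NEW -j ACCEPT
    run "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Replies from the FTP server are mapped back to BOX2's address by conntrack
    # in PREROUTING, before the routing decision, so they go to FORWARD, not
    # INPUT. This INPUT rule covers connections BOX1 itself initiates.
    run "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

snat_router_rules
```

Run it once in dry-run mode and compare the printed rules against `iptables -t nat -L POSTROUTING -v -n` and `iptables -L FORWARD -v -n` after applying; the packet counters on the POSTROUTING and FORWARD rules should advance together when BOX2 opens an FTP session.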