iptables – How to Exclude Local LAN from Port Forward Prerouting

iptables

I use several PREROUTING rules in Jessie Debian to do port forward from WAN to LAN ip with following rule

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 8088 -j DNAT --to-destination 192.168.1.6:8088

ETH0 is public static IP
ETH0:0 is Local lan ip 192.168.1.2

These are NAT related IPTABLES

iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  -- !192.168.0.0/24       0.0.0.0/0            tcp dpt:8088 to:192.168.1.6:8088
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8091 to:192.168.1.7:80
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8092 to:192.168.1.1:80
DNAT       tcp  -- !192.168.0.0/24       0.0.0.0/0            tcp dpt:10554 to:192.168.2.10:554
DNAT       udp  -- !192.168.0.0/24       0.0.0.0/0            udp dpt:10554 to:192.168.2.10:554
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:10080 to:192.168.2.1:8081
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:10443 to:192.168.2.4:10443
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:10052 to:192.168.2.1:8080
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:34567 to:192.168.2.10:34567
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:10050 to:192.168.2.1:10050

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0           
SNAT       tcp  --  0.0.0.0/0            192.168.2.10         tcp dpt:554 to:192.168.1.2
SNAT       udp  --  0.0.0.0/0            192.168.2.10         udp dpt:554 to:192.168.1.2
SNAT       tcp  --  0.0.0.0/0            192.168.2.1          tcp dpt:8081 to:192.168.1.2
SNAT       tcp  --  0.0.0.0/0            192.168.2.4          tcp dpt:10443 to:192.168.1.2
SNAT       tcp  --  0.0.0.0/0            192.168.2.1          tcp dpt:8080 to:192.168.1.2
SNAT       tcp  --  0.0.0.0/0            192.168.2.10         tcp dpt:34567 to:192.168.1.2
SNAT       tcp  --  0.0.0.0/0            192.168.2.1          tcp dpt:10050 to:192.168.1.2

However this rule is applied also when accessing that port from LAN. As result I can enter any IP and port 8088 to browser URL and it will always reach destination. for example I can enter http://1.1.1.1:8088 and it will work. this is not desired behaviour.

I'd like to exclude LAN from PREROUTING.

I tried ! -s 192.168.0.0/24 but in prerouting "!" for source parameter does not work

I tried also another approach to use destination parameter "-d mydoman.com" in the rule, but this only works if I remove mydoman.com line from /etc/hosts because mydoman.com links to server local network IP. I'd like to keep that record too.

is there better way to avoid prerouting rule for local network?

Best Answer

If you intend to exclude 192.168.1.8 from the DNAT rule, you shall use 192.168.0.0/23 or 192.168.1.0/24 as the ! -s parameter. The network range 192.168.0.0/24 finishes at 192.168.0.255.

$ ipcalc 192.168.0.0/24
Address:   192.168.0.0          11000000.10101000.00000000. 00000000
Netmask:   255.255.255.0 = 24   11111111.11111111.11111111. 00000000
Wildcard:  0.0.0.255            00000000.00000000.00000000. 11111111
=>
Network:   192.168.0.0/24       11000000.10101000.00000000. 00000000
HostMin:   192.168.0.1          11000000.10101000.00000000. 00000001
HostMax:   192.168.0.254        11000000.10101000.00000000. 11111110
Broadcast: 192.168.0.255        11000000.10101000.00000000. 11111111
Hosts/Net: 254

You may restrict the DNAT rule by interfaces instead of using addresses. For example:

iptables -t nat -A PREROUTING '!' -i eth0 -p tcp --dport 8088 \
    -j DNAT --to-destination 192.168.1.6:8088

Or:

iptables -t nat -A PREROUTING -i ${your_wan_interface} -p tcp --dport 8088 \
    -j DNAT --to-destination 192.168.1.6:8088

Using the RETURN target is also a possible choice:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8088 -j RETURN

Related Solutions

Linux – iptables port forward forwarding

You're sending the traffic to 10.52.208.221. Given the config you posted, your problem is the webserver, not the firewall. Your rules look to be correct. FORWARD and INPUT are redirected to RH-Firewall-1-INPUT where your first rule is to allow all traffic. As somebody else pointed out, you could be allowing all traffic on eth1, while the world is actually coming in eth0. Secondary, you have to NAT the traffic as it goes back out to the world

iptables --table nat --append POSTROUTING --proto tcp --dport 80 --jump MASQUERADE -o OUT_INTERFACE

Your traffic originating from the router will never hit the input or forward chains, but instead traverse the output chain on to the webserver. Other systems in that subnet will similarly go directly to the webserver. Systems out on the world at large however will traverse the INPUT / FORWARD chains and need SNAT as well as DNAT so that it appears to the world to be one machine. You still cannot test from within your network. you must test from the opposite interface from the webserver. Get me your IP addresses and I'll point you to the proper configs.

Iptables on CentOS 5.5; I want to allow snmp queries from a remote machine

As I understand your question you want this machine (the one, on which we fight with iptables) be able to sent traps to a remote server, right?

In that case, the interesting part is the OUTPUT chain, as it is, what regulates fate of packets originating in the box.

Debug step one: shut down iptables and verify that trap sending works. If it doesn't the problem is not with firewall configuration of the SNMP trap source. Do not proceed to step two until you have things working with iptables stopped.

Debug step two: grep -i /etc/services shows a plethora of entries for various SNMP-related things. You may either read the documentation and find out, on which ports your software communicates, or get ingenious. Assuming the latter add a line at the end of the OUTPUT chain configuration, that sends everything to LOGDROP chain. Then start iptables, verify that the rule is there in the OUTPUT chain and make a trap to be sent. Then take a look inside your /var/log/messages and you'll see an entry generated by the LOGDROP, which will tell you, that a packet from the local machine to the remote machine using protocol UDP, destined to port XXX has been dropped. Bingo!

Debug step three. Add to the OUTPUT chain rules (above the LOGDROP entry) a line, that ACCEPTs outgoing UDP packets (-p udp) to the remote server (-d <IP_ADDRESS>) on port XXX (--dport XXX) determined in Debug step three. Verify (iptables -L -n -v), that the rule is there. Make a trap to be sent and see it arrive safely at the destination. If it does not arrive, your software may communicate on more than one port, but then GOTO Debug step two. In the pathological case that you should determine large (dozens, hundreds...) ports being used by the software, and if your security policy permits that, you may just allow all (or all UDP) outgoing traffic from this box to the remote machine.

Profit ;)

Best Answer

Related Solutions

Linux – iptables port forward forwarding

Iptables on CentOS 5.5; I want to allow snmp queries from a remote machine

Related Topic