Gentoo Forums
[SOLVED]Two stage NAT/masquerade forwarding using nftables?
pgu (l33t; joined 30 Jul 2009; 721 posts; Oslo, Norway)
Posted: Sun Dec 24, 2023 9:20 am    Post subject: [SOLVED] Two stage NAT/masquerade forwarding using nftables?

I have the following setup which I'm trying to migrate from iptables to nftables:

Code:

ISP/WAN (192.168.10.xxx) <---> FWO <---> DMZ (172.31.31.0/24) <--->  FWI <--->  LAN (172.30.30.0/24)



The old iptables version has been working fine for years, but I was hoping to be able to upgrade the hosts FWI and FWO to a more recent Gentoo version based on nftables during the holidays.

Both the hosts FWI and FWO have dual NICs.

I have upgraded FWI and the system seems to be working fine. But before I wipe and re-install FWO, I did a fresh Gentoo install on a RockPro64 with a dual PCIe NIC and swapped it with the old FWO host to make sure the new configuration works.

However, it does not work. If I revert the RockPro64 swap and put the old iptables FWO host back online it's working fine again.

I have not configured any firewall functionality yet, I will wait until I get packet forwarding/NAT/masquerade working.

FWI is basically configured with:

Code:

# ifconfig | grep ^enp -A1
enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.30.30.254  netmask 255.255.255.0  broadcast 172.30.30.255
--
enp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.31.31.253  netmask 255.255.255.0  broadcast 172.30.30.255
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.31.31.254   0.0.0.0         UG    3      0        0 enp3s0
172.30.30.0     0.0.0.0         255.255.255.0   U     0      0        0 enp2s0
172.31.31.0     0.0.0.0         255.255.255.0   U     0      0        0 enp3s0
# cat /proc/sys/net/ipv4/ip_forward
1
# nft list ruleset
table ip nat {
        chain prerouting {
                type nat hook prerouting priority filter; policy accept;
        }

        chain postrouting {
                type nat hook postrouting priority srcnat; policy accept;
                oifname "enp2s0" masquerade
        }
}


FWI also runs a DHCP and DNS server, but that should not matter other than that FWO will later need to access these. But I can't even ping remote hosts by IP address at the moment:

Here's FWO:

Old working iptables system:

Code:

dmz ~ # ifconfig | grep -A1 ^eth
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.31.31.254  netmask 255.255.255.0  broadcast 172.31.31.255
--
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.185  netmask 255.255.255.0  broadcast 192.168.10.255
dmz ~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.10.1    0.0.0.0         UG    3      0        0 eth1
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
172.30.30.0     172.31.31.253   255.255.254.0   UG    2      0        0 eth0
172.31.31.0     0.0.0.0         255.255.255.0   U     2      0        0 eth0
192.168.10.0    0.0.0.0         255.255.255.0   U     3      0        0 eth1
dmz ~ # cat /proc/sys/net/ipv4/ip_forward
1
dmz ~ # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           
DROP       all  --  221.181.185.19       anywhere           
DROP       all  --  107.189.31.98        anywhere           
DROP       all  --  199.195.248.154      anywhere           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           
dmz ~ # iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -j ACCEPT
-A INPUT -s 221.181.185.19/32 -j DROP
-A INPUT -s 107.189.31.98/32 -j DROP
-A INPUT -s 199.195.248.154/32 -j DROP
-A FORWARD -j ACCEPT
-A OUTPUT -j ACCEPT



New nftables configuration which does not work:


Code:

rockpro64 ~ # ifconfig |grep ^enp -A1
enp1s0f0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.31.31.254  netmask 255.255.255.0  broadcast 172.31.31.255
--
enp1s0f1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.144  netmask 255.255.255.0  broadcast 192.168.10.255
rockpro64 ~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.10.1    0.0.0.0         UG    3      0        0 enp1s0f1
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
172.30.30.0     172.31.31.253   255.255.254.0   UG    2      0        0 enp1s0f0
172.31.31.0     0.0.0.0         255.255.255.0   U     0      0        0 enp1s0f0
192.168.10.0    0.0.0.0         255.255.255.0   U     3      0        0 enp1s0f1
rockpro64 ~ # cat /proc/sys/net/ipv4/ip_forward
1
rockpro64 ~ # nft list ruleset
table ip nat {
        chain prerouting {
                type nat hook prerouting priority filter; policy accept;
        }

        chain postrouting {
                type nat hook postrouting priority srcnat; policy accept;
                oifname "enp1s0f0" masquerade
        }
}



From 172.30.30.60:
Code:

# traceroute -n 192.168.10.1
traceroute to 192.168.10.1 (192.168.10.1), 30 hops max, 60 byte packets
 1  172.30.30.254  0.253 ms  0.270 ms  0.214 ms
 2  172.31.31.254  0.509 ms  0.528 ms  0.535 ms
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *


This is the first time I'm using nftables, so it's likely that the problem is related to the nftables part. Can anybody spot my mistake or point me to some good documentation on how to set up a double NAT/masquerade routing/forwarding system on Gentoo?
Thanks and happy holidays!


Last edited by pgu on Tue Dec 26, 2023 7:46 pm; edited 1 time in total
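Reading the posted output next to the ruleset: on FWO the default route leaves through enp1s0f1 (192.168.10.144), but the masquerade rule matches `oifname "enp1s0f0"`, the DMZ-facing side. Packets towards 192.168.10.1 therefore leave with their 172.x source address unchanged, and the ISP router has no route back, which is consistent with the traceroute stopping after hop 2 (172.31.31.254). The FWI ruleset has the same inversion (enp2s0 is the LAN side; the default route uses enp3s0). The posted `iptables -S` only lists the filter table, so whether the old FWO masqueraded on eth1 cannot be seen from the thread. Below is an added example, not code from the post, of the two nat tables with masquerade bound to the outward interface on each host. Interface names and prefixes are the ones posted; the `ip saddr` restriction is an addition so that only the known inner prefixes are ever translated.

```nft
# Added example (not from the original post). Two separate files, one per host;
# interface names and prefixes are those shown in the thread.

# ===== FWI (/etc/nftables/fwi.nft) =====
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # LAN -> DMZ/WAN traffic leaves through enp3s0 (default route via
        # 172.31.31.254), so that is where the source must be rewritten.
        # Restricting to 172.30.30.0/24 keeps stray or spoofed sources
        # from being translated.
        ip saddr 172.30.30.0/24 oifname "enp3s0" masquerade
    }
}

# ===== FWO (/etc/nftables/fwo.nft) =====
table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Empty on purpose: only needed once dnat (port forwards) is added.
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Everything leaving towards the ISP (default route via 192.168.10.1)
        # gets the enp1s0f1 address, 192.168.10.144. With FWI masquerading,
        # the source seen here is 172.31.31.253; without it, the LAN host
        # itself, so both inner prefixes are listed.
        ip saddr { 172.30.30.0/24, 172.31.31.0/24 } oifname "enp1s0f1" masquerade
    }
}
```

Load each file with `nft -f` after `nft flush table ip nat` so the old rule does not linger, then confirm with `nft list table ip nat`. A direct check on FWO is `tcpdump -ni enp1s0f1 icmp` while pinging 192.168.10.1 from 172.30.30.60: the outgoing source must read 192.168.10.144. Unrelated to the NAT problem, the FWI `ifconfig` output shows enp3s0 with a 172.31.31.0/24 address but broadcast 172.30.30.255, which looks like a copied enp2s0 setting; it does not affect unicast forwarding but is worth correcting.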
pietinger (Moderator; joined 17 Oct 2006; 4299 posts; Bavaria)
Posted: Sun Dec 24, 2023 2:30 pm

You have a nice network design with a DMZ and dual firewalls:
https://en.wikipedia.org/wiki/DMZ_(computing)
but I don't understand why you want to do a double NAT/masquerade? Usually you do NATting only at the edge of your network (FWO); within your network you should work with routing (and filtering).

I have not looked closely at your configuration (because I think you should not do NATting in your inner FW) ... but with this configuration maybe you will need SNAT in your outer FW.

Do you know this wiki?
https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)

[Moderator edit: fixed URLs. Forum auto-linking does not work when the URL contains parentheses. -Hu]
--
https://wiki.gentoo.org/wiki/User:Pietinger
pgu (l33t; joined 30 Jul 2009; 721 posts; Oslo, Norway)
Posted: Sun Dec 24, 2023 3:24 pm

Thank you for the links and your comments. You're right I could do without NAT'ing on FWI. However, both were similar so it made sense when I first configured it many years ago. I'll check out your link and see if I can spot where the problem is and even try without the inner NAT and see if that helps.
pietinger (Moderator; joined 17 Oct 2006; 4299 posts; Bavaria)
Posted: Sun Dec 24, 2023 10:22 pm

I don't know your skill with network design ... but maybe it is also interesting for other readers:

The point of a DMZ is that only machines in the DMZ are allowed to talk to the internet. No machine in the internal network is allowed to connect directly to the internet. For this reason, the DMZ (*) not only contains servers that should be accessible from the outside (e.g. a web server that represents the company on the internet), but also proxy servers (http, https) and other servers (mail, DNS, NTP) that are used by the clients of the internal network to connect to the internet on their behalf.

If, however, a station of the inner network is to be allowed a direct connection to a dedicated server on the Internet (e.g. the server of the bank connection), then the SAME rule can simply be set on both firewalls - IF the inner FW (FWI) only does routing/forwarding and filtering and NO NATting (example in iptables):
Code:
iptables -A FORWARD -s CLIENTIPADDRESS_OF_INTERNAL_NETWORK -d INTERNETIPADDRESS_OF_BANK -p tcp --dport 443 -j ACCEPT

The edge firewall (FWO) handles this rule FIRST and allows the connection, AND only AFTER that does the masquerading of CLIENTIPADDRESS_OF_INTERNAL_NETWORK.

When doing NATting on both firewalls this will not work because the Client from the inner network will not arrive with ITS OWN IP address at the Edge firewall (it was NATted before from the inner FW).

(The "way back" is usually handled automatically by connection tracking:
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT)



*) P.S.: Some companies also have two (or more) DMZs - one DMZ is only for servers accessible FROM the internet (and special clients doing the updates of the web server), the other DMZ is for the servers used by the clients and is accessible only from the inner network (you need at least 3 FWs for this ... or also 4 FWs).
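The scheme described above, as an added example in nftables (not pietinger's code, which is iptables): FWI carries only a filter table and no nat table, FWO carries the same forward rule plus the masquerade. 172.30.30.60 is the client address from the traceroute earlier in the thread; 203.0.113.10 is a placeholder from the documentation range standing in for INTERNETIPADDRESS_OF_BANK, not a real host; interface names are the posted ones. The `ct state` lines are the nftables form of the conntrack rule at the end of the post. Only the forward chains are shown, since that is what the post is about.

```nft
# Added example (not from the post). Two separate files, one per host.
# 203.0.113.10 is a placeholder for the bank server, 172.30.30.60 the LAN client.

# ===== FWI (/etc/nftables/fwi.nft): routing and filtering only, no nat table =====
table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        # Return traffic for anything already allowed ("the way back").
        ct state established,related accept
        ct state invalid drop
        # The rule from the post: one client, one server, 443/tcp, new flows only.
        iifname "enp2s0" oifname "enp3s0" ip saddr 172.30.30.60 ip daddr 203.0.113.10 tcp dport 443 ct state new accept
        # LAN clients reach the DMZ services (proxy, mail, DNS, NTP) directly.
        iifname "enp2s0" oifname "enp3s0" ip daddr 172.31.31.0/24 accept
    }
}

# ===== FWO (/etc/nftables/fwo.nft): the SAME forward rule, then masquerade =====
table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Identical match as on FWI. This only works because FWI did not
        # rewrite the source: the forward hook runs before postrouting SNAT,
        # so the client's real address is still visible here.
        iifname "enp1s0f0" oifname "enp1s0f1" ip saddr 172.30.30.60 ip daddr 203.0.113.10 tcp dport 443 ct state new accept
        # DMZ hosts themselves (proxies, mail, DNS, NTP) may go out.
        iifname "enp1s0f0" oifname "enp1s0f1" ip saddr 172.31.31.0/24 accept
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Applied after the forward decision, on the WAN side only.
        oifname "enp1s0f1" masquerade
    }
}
```

If FWI also masqueraded, every LAN flow would arrive at FWO with source 172.31.31.253, and the `ip saddr 172.30.30.60` match on FWO would either never fire or, rewritten to 172.31.31.253, would admit every LAN host at once; that is the loss of per-client control the post describes.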
pgu (l33t; joined 30 Jul 2009; 721 posts; Oslo, Norway)
Posted: Mon Dec 25, 2023 8:51 am

Thank you for sharing. I'm familiar with network design, not as a professional, but as a UNIX/Linux user and I configured the described system even though it's a long time ago. What I'm not familiar with is nftables. I think I'll first port my old iptables setup to a recent Gentoo installation and then learn more about nftables, possibly with automatic translation from iptables.
pgu (l33t; joined 30 Jul 2009; 721 posts; Oslo, Norway)
Posted: Tue Dec 26, 2023 7:46 pm

I just used iptables-restore-translate to convert my iptables rules to nftables and applied those and it worked.
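An added example, not the thread's actual translated output: the old FWO filter rules from the `iptables -S` listing in the first post, written as nftables by hand. One thing to check before trusting a mechanical translation: in the posted listing `-A INPUT -j ACCEPT` comes before the three DROP rules, so those DROPs are never reached, and iptables-restore-translate preserves rule order rather than repairing it. Here the blocklist is tested first, and the addresses live in a set so they can be added to without editing the chain.

```nft
# Added example (not the thread's translated ruleset). Addresses are the three
# from the posted `iptables -S`; the blocklist is checked before the accept,
# unlike the original order.
table ip filter {
    set blocked {
        type ipv4_addr
        elements = { 221.181.185.19, 107.189.31.98, 199.195.248.154 }
    }
    chain input {
        type filter hook input priority filter; policy accept;
        # Drop first; in the posted iptables ruleset the accept-all preceded these.
        ip saddr @blocked counter drop
        counter accept
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        counter accept
    }
    chain output {
        type filter hook output priority filter; policy accept;
        counter accept
    }
}
```

When translating, start from `iptables-save > /root/rules.v4` rather than `iptables -S`: the dump includes every table, including nat, which `iptables -S` without `-t nat` omits, and that is where an old masquerade rule would live. Then `iptables-restore-translate -f /root/rules.v4 > /root/fwo.nft`, review the result, syntax-check it with `nft -c -f /root/fwo.nft`, and only then load it with `nft -f`.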
pietinger (Moderator; joined 17 Oct 2006; 4299 posts; Bavaria)
Posted: Tue Dec 26, 2023 10:15 pm

pgu wrote:
I just used iptables-restore-translate to convert my iptables rules to nftables and applied those and it worked.

Happy to hear that ! :D

Have fun with gentoo ! 8)