Gentoo Forums
Understanding iptables NAT rules in Gentoo Wiki Home Router
Gentoo Forums Forum Index Networking & Security
harisund
n00b
Joined: 20 Jul 2006
Posts: 5
Location: Baton Rouge, Louisiana

PostPosted: Fri Sep 20, 2019 6:41 am    Post subject: Understanding iptables NAT rules in Gentoo Wiki Home Router

I am referring to this page - https://wiki.gentoo.org/wiki/Home_router

Specifically in the NAT https://wiki.gentoo.org/wiki/Home_router#NAT_.28a.k.a._IP-masquerading.29 section (Finally add the rules for NAT)

Code:
root #iptables -I FORWARD -i ${LAN} -d 192.168.0.0/16 -j DROP
root #iptables -A FORWARD -i ${LAN} -s 192.168.0.0/16 -j ACCEPT
root #iptables -A FORWARD -i ${WAN} -d 192.168.0.0/16 -j ACCEPT
root #iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE


For context ${LAN} is the internal network interface, which is on the 192.168.0.0/16 network anyway.

1. I don't understand the first rule. Why are we dropping something that's coming from the LAN and going back out the LAN anyway? When exactly will this kind of a forward happen and why would we want to drop it?

2. The third rule... wouldn't we want to specify that only ESTABLISHED/RELATED packets should be accepted? Technically speaking, anything that comes in from the external interface and is forwarded into the internal interface can only happen if a machine on the internal side had initiated the connection first, right?
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 44013
Location: 56N 3W

PostPosted: Sat Sep 21, 2019 9:06 am

harisund,

The order of rules in the final table matters. The Wiki shows how the rules are added. That need not be the same as evaluation order, since rules can be inserted between other existing rules.

What you say is correct but looking at a fragment of how it might be achieved is not useful.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Hu
Moderator
Joined: 06 Mar 2007
Posts: 14290

PostPosted: Sat Sep 21, 2019 4:20 pm

  1. Traffic coming from the LAN and going to it should, in most cases, have gone direct and not reached this system at all. Dropping it is a heavy-handed way of informing the offending system that its routing table is wrong.
  2. Yes, an ESTABLISHED/RELATED check would be good here. No, unsolicited traffic from WAN to LAN can arrive, but only if your upstream is behaving strangely and thinks that sending private-range traffic to you is appropriate. If their system is configured in the generally recommended way, you would be right, but there is no specific technical enforcement that they configure their system that way.
harisund
n00b
Joined: 20 Jul 2006
Posts: 5
Location: Baton Rouge, Louisiana

PostPosted: Mon Sep 23, 2019 9:14 am

Hu wrote:
  1. Traffic coming from the LAN and going to it should, in most cases, have gone direct and not reached this system at all. Dropping it is a heavy-handed way of informing the offending system that its routing table is wrong.
  2. Yes, an ESTABLISHED/RELATED check would be good here. No, unsolicited traffic from WAN to LAN can arrive, but only if your upstream is behaving strangely and thinks that sending private-range traffic to you is appropriate. If their system is configured in the generally recommended way, you would be right, but there is no specific technical enforcement that they configure their system that way.


Quote:
Dropping it is a heavy-handed way of informing the offending system that its routing table is wrong


Understood, thank you for the clarification.

Quote:
No, unsolicited traffic from WAN to LAN can arrive


Interesting, good to know. I guess I was just thinking of an "in an ideal world ..." scenario.

Quote:
Yes, an ESTABLISHED/RELATED check would be good here


I mainly got the idea from this link - https://jamielinux.com/docs/libvirt-networking-handbook/appendix/example-of-iptables-nat.html

Code:

# Allow established traffic to the private subnet.
-A FORWARD -d 192.168.100.0/24 -o virbr10 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allow outbound traffic from the private subnet.
-A FORWARD -s 192.168.100.0/24 -i virbr10 -j ACCEPT


Thank you!
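As an added example (not code from the Gentoo wiki page or from anyone in this thread), the following Python script models how netfilter walks the FORWARD chain built by the three rules quoted in the first post, with ${LAN}/${WAN} assumed to be eth1/eth0 and the chain policy assumed to be DROP. It reproduces the LAN-to-LAN drop Hu describes and shows what the conntrack ESTABLISHED/RELATED match from the jamielinux rules changes for unsolicited WAN-to-LAN traffic.

```python
# Added example, not code from the wiki or the thread: a minimal model of
# netfilter walking the FORWARD chain, to show why rule order and an
# ESTABLISHED/RELATED check matter for the Home_router NAT rules above.
from ipaddress import ip_address, ip_network

LAN, WAN = "eth1", "eth0"            # assumed interface names for ${LAN} / ${WAN}
PRIVATE = ip_network("192.168.0.0/16")

def matches(rule, pkt):
    """True if every match (-i, -s, -d, --ctstate) present in the rule fits the packet."""
    return ((rule.get("i") in (None, pkt["iif"]))
            and ("s" not in rule or ip_address(pkt["src"]) in rule["s"])
            and ("d" not in rule or ip_address(pkt["dst"]) in rule["d"])
            and ("ctstate" not in rule or pkt["ctstate"] in rule["ctstate"]))

def forward(chain, pkt, policy="DROP"):
    """First matching rule wins, as in iptables; otherwise the chain policy (assumed DROP)."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["j"]
    return policy

def build_chain(hardened=False):
    """Rebuild the wiki's three FORWARD rules; -I inserts at the head, -A appends."""
    chain = []
    chain.insert(0, dict(i=LAN, d=PRIVATE, j="DROP"))   # -I FORWARD -i LAN -d 192.168.0.0/16 -j DROP
    chain.append(dict(i=LAN, s=PRIVATE, j="ACCEPT"))    # -A FORWARD -i LAN -s 192.168.0.0/16 -j ACCEPT
    wan_in = dict(i=WAN, d=PRIVATE, j="ACCEPT")         # -A FORWARD -i WAN -d 192.168.0.0/16 -j ACCEPT
    if hardened:                                        # ... -m conntrack --ctstate RELATED,ESTABLISHED
        wan_in["ctstate"] = {"RELATED", "ESTABLISHED"}
    chain.append(wan_in)
    return chain

# Constructed sample packets as seen by filter/FORWARD (for replies, MASQUERADE has
# already rewritten the destination back to the private address).
PACKETS = {
    "lan_to_lan":      dict(iif=LAN, src="192.168.1.10", dst="192.168.2.20", ctstate="NEW"),
    "lan_to_wan":      dict(iif=LAN, src="192.168.1.10", dst="203.0.113.5", ctstate="NEW"),
    "wan_reply":       dict(iif=WAN, src="203.0.113.5", dst="192.168.1.10", ctstate="ESTABLISHED"),
    "wan_unsolicited": dict(iif=WAN, src="203.0.113.5", dst="192.168.1.10", ctstate="NEW"),
}

def verdicts(hardened=False):
    """Verdict per sample packet for the plain wiki chain or the conntrack-hardened one."""
    chain = build_chain(hardened)
    return {name: forward(chain, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for label, hardened in (("wiki rules", False), ("with ctstate check", True)):
        print(label, verdicts(hardened))
```

Only the unsolicited WAN-to-LAN packet changes verdict between the two chains; the LAN-to-LAN packet hits the inserted DROP rule in both.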