Fedora Linux Support Community & Resources Center

  #1  
Old 1st March 2012, 03:25 AM
lkimmelz Offline
Registered User
 
Join Date: Mar 2012
Location: NE
Posts: 3
Private IP Escaping IPTables

We have a Linux virtual server which we use as a NAT/Router (running IPTables 1.2.11) to front-end a set of virtual machines on a private (192.168.0.x) network. In this private network are two web servers and a few other application servers. Our intent is to utilize two public IP addresses on the NAT server to NAT to each back-end web server:

External Interfaces:
eth1 = xxx.xxx.xxx.1 => 192.168.0.1 (webserver #1)
eth1:0 = xxx.xxx.xxx.2 => 192.168.0.2 (webserver #2)
Internal Interface:
eth0 = 192.168.0.3

We had accomplished this with the following IPTables configuration:

Table: nat
Chain PREROUTING (policy DROP)
target  prot  in    out   source          destination
DNAT    tcp   eth1  any   anywhere        xxx.xxx.xxx.1   to:192.168.0.1
DNAT    tcp   eth1  any   anywhere        xxx.xxx.xxx.2   to:192.168.0.2
ACCEPT  all   eth0  any   192.168.0.0/24  anywhere        # (to allow all outgoing traffic)

Chain POSTROUTING (policy DROP)
target  prot  in    out   source          destination
SNAT    all   any   eth1  192.168.0.1     xxx.xxx.xxx.1
SNAT    all   any   eth1  192.168.0.2     xxx.xxx.xxx.2
SNAT    all   any   eth1  192.168.0.0/24  xxx.xxx.xxx.1   # SNAT all other traffic to ip #1

Chain OUTPUT (policy ACCEPT)

Table: filter
Chain INPUT (policy ACCEPT)
target  prot  in    out   source          destination

Chain FORWARD (policy ACCEPT)
target  prot  in    out   source          destination

Chain OUTPUT (policy ACCEPT)
target  prot  in    out   source          destination

Everything APPEARS to work correctly with this configuration. However, several times a day network monitoring tools on the public side of the NAT server see packets with source addresses from the private network (e.g. 192.168.0.4). In order to troubleshoot we minimized our configuration to try to isolate the problem. We took out the NATing for the second IP:

Table: nat
Chain PREROUTING (policy DROP)
target  prot  in    out   source          destination
DNAT    tcp   eth1  any   anywhere        xxx.xxx.xxx.1   to:192.168.0.1
ACCEPT  all   eth0  any   192.168.0.0/24  anywhere        # (to allow all outgoing traffic)

Chain POSTROUTING (policy DROP)
target  prot  in    out   source          destination
SNAT    all   any   eth1  192.168.0.1     xxx.xxx.xxx.1

Chain OUTPUT (policy ACCEPT)

Table: filter
Chain INPUT (policy ACCEPT)
target  prot  in    out   source          destination

Chain FORWARD (policy ACCEPT)
target  prot  in    out   source          destination

Chain OUTPUT (policy ACCEPT)
target  prot  in    out   source          destination

With this configuration the 'leaking' of the private IP addresses seems to stop. However, we need to have the functionality of the second IP address. Any insight into why the 'leak' is happening and how we can add the second IP back in?

Last edited by lkimmelz; 1st March 2012 at 05:50 PM.
  #2  
Old 1st March 2012, 05:16 PM
lkimmelz Offline
Registered User
 
Join Date: Mar 2012
Location: NE
Posts: 3
Re: Private IP Escaping IPTables

Another important piece of information:

I have used tcpdump to trace the traffic and I have seen that the majority of transactions occur properly and I can see the NATing occurring as expected. However, at some random point the NATing fails and a private IP is not NAT'd. Without fail the packets that escape are either FIN or RST packets, as though one of the ends is attempting to end the transaction but it has already died or timed out. I am at a loss as to why this would happen.
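As an added check, not part of the thread above, the following POSIX shell script scans a tcpdump capture taken on the public interface for packets that kept a private (RFC 1918) source address, i.e. packets that were forwarded without being SNATed by the rulesets in the first post, and tallies them with their TCP flags so the FIN/RST pattern described in the second post can be confirmed from a capture rather than by eye. The capture lines and the 198.51.100.x / 203.0.113.x addresses are constructed sample data. Also defined, and only executed when the script is run with --apply, is the rule that usually stops this class of leak: iptables consults the nat table only for the first packet of a connection, so a FIN or RST that arrives after its connection-tracking entry has expired matches no existing translation, is classified INVALID by conntrack, never gets an SNAT mapping, and is forwarded with its private source unchanged. Dropping INVALID packets in the FORWARD chain discards them before they reach the public interface.

```shell
#!/bin/sh
# Added example (not from the forum thread). Detect packets that bypassed SNAT
# on the public interface and tally them by TCP flags.
#
# Assumptions: tcpdump was run as "tcpdump -n -i eth1" on the NAT box, so each
# line looks like "<time> IP <src>.<port> > <dst>.<port>: Flags [X], ...".
# The capture below is constructed sample data, not a real trace.

find_leaks() {
    # Reads tcpdump lines on stdin; prints "<src-ip> <flags>" for every packet
    # whose source address is still private (should never be seen on eth1).
    awk '
    function is_private(ip,    o) {
        split(ip, o, ".")
        if (o[1] == 10) return 1
        if (o[1] == 172 && o[2] >= 16 && o[2] <= 31) return 1
        if (o[1] == 192 && o[2] == 168) return 1
        return 0
    }
    $2 == "IP" && $4 == ">" {
        src = $3
        sub(/\.[0-9]+$/, "", src)            # strip the port, keep the address
        flags = ($6 == "Flags") ? $7 : "-"   # e.g. "[R.]," for a RST/ACK
        gsub(/[][,]/, "", flags)             # "[R.]," -> "R."
        if (is_private(src)) print src, flags
    }'
}

count_leaks() {
    # Number of leaked packets in the constructed sample capture.
    printf '%s\n' "$SAMPLE" | find_leaks | wc -l | tr -d ' '
}

apply_antileak_rules() {
    # Packets conntrack cannot associate with a tracked connection (a late FIN
    # or RST after the entry timed out, for example) are marked INVALID. The
    # nat table is only consulted for the first packet of a connection, so an
    # INVALID packet is forwarded untranslated. Drop it in FORWARD instead.
    # Requires root; only run when the script is invoked with --apply.
    iptables -A FORWARD -m state --state INVALID -j DROP
}

# Constructed sample: one normal reply, one leaked RST, one leaked FIN, one
# normal client ACK. Only lines 2 and 3 should be reported.
SAMPLE='12:00:01.000001 IP 203.0.113.1.80 > 198.51.100.7.51512: Flags [P.], seq 1:100, ack 1, win 512, length 99
12:00:01.000002 IP 192.168.0.4.443 > 198.51.100.7.51513: Flags [R.], seq 1, ack 1, win 0, length 0
12:00:01.000003 IP 192.168.0.2.80 > 198.51.100.9.40022: Flags [F.], seq 100, ack 1, win 512, length 0
12:00:01.000004 IP 198.51.100.7.51512 > 203.0.113.1.80: Flags [.], ack 100, win 512, length 0'

if [ "${1:-}" = "--apply" ]; then
    apply_antileak_rules
else
    # On a real box: tcpdump -n -i eth1 | ./find_leaks.sh
    printf '%s\n' "$SAMPLE" | find_leaks
fi
```

Running the script without arguments prints `192.168.0.4 R.` and `192.168.0.2 F.`, the two untranslated packets; piping a live `tcpdump -n -i eth1` into `find_leaks` and summarising the flags column with `sort | uniq -c` shows whether the leaks are exclusively FIN/RST, which is the signature of expired conntrack entries rather than a missing SNAT rule.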