Private IP Escaping IPTables

[lkimmelz]

We have a Linux virtual server which we use as a NAT/Router (running IPTables 1.2.11) to front-end a set of virtual machines on a private (192.168.0.x) network. In this private network are two web servers and a few other application servers. Our intent is to utilize two public IP addresses on the NAT server to NAT to each back-end web server:

External Interfaces:
eth1 = xxx.xxx.xxx.1 => 192.168.0.1 (webserver #1)
eth1:0 = xxx.xxx.xxx.2 => 192.168.0.2 (webserver #2)
Internal Interface:
eth0 = 192.168.0.3

We had accomplished this with the following IPTables configuration
Table: nat
Chain PREROUTING (policy DROP)
target prot in out source destination
DNAT tcp eth1 any anywhere xxx.xxx.xxx.1 to:192.168.0.1
DNAT tcp eth1 any anywhere xxx.xxx.xxx.2 to:192.168.0.2
ACCEPT all eth0 any 192.168.0.0/24 anywhere #(to allow all outgoing traffic)

Chain POSTROUTING (policy DROP)
target prot in out source destination
SNAT all any eth1 192.168.0.1 xxx.xxx.xxx.1
SNAT all any eth1 192.168.0.2 xxx.xxx.xxx.2
SNAT all any eth1 192.168.0.0/24 xxx.xxx.xxx.1 #SNAT all other traffic to ip #1

Chain OUTPUT (policy ACCEPT)

Table: filter
Chain Input (policy ACCEPT)
target prot in out source destination

Chain FORWARD (policy ACCEPT)
target prot in out source destination

Chain OUTPUT (policy ACCEPT)
target prot in out source destination

Everything APPEARS to work correctly with this configuration. However, several times a day network monitoring tools on the public side of the NAT server see packets with source addresses from the private network (e.g. 192.168.0.4). In order to troubleshoot we minimized our configuration to try to isolate the problem. We took out the NATing for the second IP:

Table: nat
Chain PREROUTING (policy DROP)
target prot in out source destination
DNAT tcp eth1 any anywhere xxx.xxx.xxx.1 to:192.168.0.1
ACCEPT all eth0 any 192.168.0.0/24 anywhere #(to allow all outgoing traffic)

Chain POSTROUTING (policy DROP)
target prot in out source destination
SNAT all any eth1 192.168.0.1 xxx.xxx.xxx.1

Chain OUTPUT (policy ACCEPT)

Table: filter
Chain Input (policy ACCEPT)
target prot in out source destination

Chain FORWARD (policy ACCEPT)
target prot in out source destination

Chain OUTPUT (policy ACCEPT)
target prot in out source destination

With this configuration the 'leaking' of the private IP addresses seems to stop. However, we need to have the functionality of the second IP address. Any insight into why the 'leak' is happening and how we can add the second IP back in?

[lkimmelz]

Another important piece of information:

I have used tcpdump to trace the traffic and I have seen that the majority of transactions occur properly and I can see the NATing occuring as expected. However, at some random point the NATing fails and a private IP is not NAT'd. Without fail the packets that escape are either FIN or RST packets as though one of the ends is attempting to end the transaction but it has already died or timed out. I am at a loss at why this would happen.