1:1 NAT - accessing hosts by public IP via LAN

thebeardedone

New Around Here
G'day folks.

I'm at that point where, after a week of google-fu and haphazardly going from "iptables policy that makes sense" to "this doesn't make sense, but maybe it'll work", I have to throw my hands up and ask for help.

My situation:

{Works}
-ASUSWRT-Merlin RT-N66U_3.0.0.4
-cheapy Comcast Business modem (SMC) goes to N66U (obviously), goes to cheapy but good 8-port Asus Gbit switch, servers wired into switch.
-a static /29 block from my ISP (4 for my servers, one for my N66U)
-a 1-to-1 NAT setup via iptables SNAT/DNAT
-all hosts on the LAN, whether wired or wireless, can communicate with each other via the private IP (e.g. both wired and wireless clients can connect => 192.168.1.25:25 on the mail server)
-all hosts outside my LAN (e.g. everyone else on the interwebs) can connect to my servers as intended
-for our purposes here, x.x.x.88 is the network address, x.x.x.94 the gateway, x.x.x.95 the broadcast, x.x.x.90 is the N66U, and x.x.x.89 and x.x.x.91-93 are my usable IPs (my servers)

{Buggered}
-from within my LAN, I can't connect to these hosts via their public IP
-it's as though server receives request from client, but server's response never makes it back. Specifically:

telnet from my laptop (192.168.1.142) => mail server (x.x.x.92:25), I see:

Code:
tcp        0     54 192.168.1.25:25         192.168.1.1:60499       ESTABLISHED 22320/smtpd

...so, it sees the N66U's br0 IP, and neither the client's private nor public IP.

I pop into asuswrt-merlin via ssh, and do nc x.x.x.92:25 and it's a "connection refused"

Perhaps relevant, .91 is my web server, and nc x.x.x.91:80 yields:

Code:
# nc x.x.x.91:80
GET / HTTP/1.1

HTTP/1.0 401 Unauthorized
Server: httpd
Date: Wed, 30 Jul 2014 07:47:08 GMT
WWW-Authenticate: Basic realm="RT-N66U"
Content-Type: text/html
Connection: close

Hrmm...that should be hitting my web server, not the httpd on my Merlin box.

Now some background, I did have this functional on a DD-WRT system before. I say that not for blame's sake (because, well, this is obviously user error!), but because I can't get my head around why the gander is so opposed to the goose's sauce.

My old ddwrt setup that worked, was a simple little:

Code:
WANIF=`nvram get wan_iface`
WANMASK=`nvram get wan_netmask`
# one alias per extra public IP; each alias needs its own :N index,
# otherwise every ifconfig line overwrites the previous one
ifconfig $WANIF:1 x.x.x.91 netmask $WANMASK broadcast x.x.x.95
ifconfig $WANIF:2 x.x.x.92 netmask $WANMASK broadcast x.x.x.95
ifconfig $WANIF:3 x.x.x.93 netmask $WANMASK broadcast x.x.x.95
ifconfig $WANIF:4 x.x.x.89 netmask $WANMASK broadcast x.x.x.95

iptables -t nat -I PREROUTING -d x.x.x.89 -j DNAT --to 192.168.1.43
iptables -t nat -I POSTROUTING -s 192.168.1.43 -j SNAT --to x.x.x.89

iptables -t nat -I PREROUTING -d x.x.x.91 -j DNAT --to 192.168.1.80
iptables -t nat -I POSTROUTING -s 192.168.1.80 -j SNAT --to x.x.x.91

iptables -t nat -I PREROUTING -d x.x.x.92 -j DNAT --to 192.168.1.25
iptables -t nat -I POSTROUTING -s 192.168.1.25 -j SNAT --to x.x.x.92

iptables -t nat -I PREROUTING -d x.x.x.93 -j DNAT --to 192.168.1.67
iptables -t nat -I POSTROUTING -s 192.168.1.67 -j SNAT --to x.x.x.93

iptables -I FORWARD -d 192.168.1.80 -j ACCEPT
iptables -I FORWARD -d 192.168.1.25 -j ACCEPT
iptables -I FORWARD -d 192.168.1.43 -j ACCEPT
iptables -I FORWARD -d 192.168.1.67 -j ACCEPT

iptables -t nat -I POSTROUTING -o br0 -s 192.168.1.0/24 -d 192.168.1.0/24 -j MASQUERADE

Simple enough. After a bit of wrangling, I managed to port these over into nat-start and firewall-start scripts.

{nat-start}
Code:
#!/bin/sh

echo 'Start' >> /tmp/000start-nat

iptables -t nat -I PREROUTING -d x.x.x.93 -j DNAT --to 192.168.1.67
iptables -t nat -I POSTROUTING -s 192.168.1.67 -j SNAT --to x.x.x.93
iptables -t nat -I PREROUTING -d x.x.x.92 -j DNAT --to 192.168.1.25
iptables -t nat -I POSTROUTING -s 192.168.1.25 -j SNAT --to x.x.x.92
iptables -t nat -I PREROUTING -d x.x.x.91 -j DNAT --to 192.168.1.80
iptables -t nat -I POSTROUTING -s 192.168.1.80 -j SNAT --to x.x.x.91
iptables -t nat -I PREROUTING -d x.x.x.89 -j DNAT --to 192.168.1.43
iptables -t nat -I POSTROUTING -s 192.168.1.43 -j SNAT --to x.x.x.89

echo 'End' >> /tmp/000start-nat

{firewall-start}
Code:
#!/bin/sh

for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 0 > $i ; done

iptables -I FORWARD -d 192.168.1.80 -j ACCEPT
iptables -I FORWARD -d 192.168.1.67 -j ACCEPT
iptables -I FORWARD -d 192.168.1.43 -j ACCEPT
iptables -I FORWARD -d 192.168.1.25 -j ACCEPT
iptables -t nat -I POSTROUTING -o br0 -s 192.168.0.0/16 -d 192.168.0.0/16 -j MASQUERADE

This accomplishes the goal of opening up these servers to folks in the outside world. That part is good to go.

But of course, no connectivity from within my LAN.

Hate throwing my hands up and saying "HALP!", but I'm at that point. I've been firing different "hey, this might work" iptables commands at this thing to no avail. Happy to post my iptables-save, as that's likely useful, but would make my post even longer.

Can anyone see where I'm going wrong with this, and why this wouldn't translate over?

I still have the old DDWRT rig here, and I've been connecting to that to try and compare the two - I had this same problem back on the ddwrt setup, until I added that final masquerade rule. Netfilter is netfilter, I can't see what's missing.

For now, I'm just going to have to remember to undo my hosts file whenever I leave my network, so not the end of the world. Surprised none of the variations of this question I found seemed applicable, but I guess as I want to blindly forward all traffic to my servers, and let their netfilter rules control what accesses what, instead of simply forwarding ports, maybe that's a less-desired setup for most.

At any rate, any input much appreciated.
 
The problem appears to be with NAT loopback, if it points you in the right direction. I'll see what I can find... :p

[edit/]

This should be sufficient.

(Need to mark the other WAN IPs, or something to that effect.)
 
You're a legend. "NAT loopback", seems that's the operative thing to google when I have this problem again in 5 years. Question - do you reckon it makes more sense to go in nat-start, or firewall-start?

ETA: The connection still shows as coming from 192.168.1.1, but it connects at least. I do seem to have some kind of "infinite loop" of connections coming into the mail server:

Code:
Jul 30 12:59:36 renee postfix/smtpd[2669]: connect from unknown[192.168.1.1]
Jul 30 12:59:36 renee postfix/smtpd[2669]: lost connection after CONNECT from unknown[192.168.1.1]
Jul 30 12:59:36 renee postfix/smtpd[2669]: disconnect from unknown[192.168.1.1]
Jul 30 12:59:36 renee postfix/smtpd[2672]: connect from unknown[192.168.1.1]
Jul 30 12:59:36 renee postfix/smtpd[2672]: lost connection after CONNECT from unknown[192.168.1.1]
Jul 30 12:59:36 renee postfix/smtpd[2672]: disconnect from unknown[192.168.1.1]

Which is an annoyance that I'll need to figure out at some point, as it's going to absolutely flood my logs. But the actual operation of things now works.

Curiously, I looked at the existing mangle rules, and there was one for:

Code:
# iptables -t mangle -L -n -v
Chain PREROUTING (policy ACCEPT 2328K packets, 185M bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  !eth0  *       0.0.0.0/0            x.x.x.90       MARK set 0xd001

So I was all primed to say "nuh uh, I already have that in place!" - then I actually re-read what you wrote, and paid attention to detail.

Replaced the above rule with:

Code:
Chain PREROUTING (policy ACCEPT 2328K packets, 185M bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  !eth0  *       0.0.0.0/0            x.x.x.88/29    MARK set 0xd001

And sure enough, all is well.

Thanks a ton sinshiva!

In case someone else stumbles onto this via Google, this is what my chains look like now:

{mangle}
Code:
 iptables -t mangle -L -n -v
Chain PREROUTING (policy ACCEPT 3341K packets, 265M bytes)
 pkts bytes target     prot opt in     out     source               destination         
 227K   12M MARK       all  --  !eth0  *       0.0.0.0/0            x.x.x.88/29    MARK set 0xd001 
1014K   80M CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK save  

Chain INPUT (policy ACCEPT 8301 packets, 815K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 3330K packets, 264M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 21718 packets, 6821K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 3349K packets, 270M bytes)
 pkts bytes target     prot opt in     out     source               destination

{nat}
Code:
Chain PREROUTING (policy ACCEPT 202K packets, 14M bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1194 
  250 13497 DNAT       all  --  *      *       0.0.0.0/0            x.x.x.89       to:192.168.1.43 
  750 43444 DNAT       all  --  *      *       0.0.0.0/0            x.x.x.91       to:192.168.1.80 
 256K   15M DNAT       all  --  *      *       0.0.0.0/0            x.x.x.92       to:192.168.1.25 
  269 14715 DNAT       all  --  *      *       0.0.0.0/0            x.x.x.93       to:192.168.1.67 
 1152 79787 VSERVER    all  --  *      *       0.0.0.0/0            x.x.x.90       

Chain POSTROUTING (policy ACCEPT 5193 packets, 546K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  261 19580 SNAT       all  --  *      *       192.168.1.43         0.0.0.0/0           to:x.x.x.89 
  723 53656 SNAT       all  --  *      *       192.168.1.80         0.0.0.0/0           to:x.x.x.91 
 184K   13M SNAT       all  --  *      *       192.168.1.25         0.0.0.0/0           to:x.x.x.92 
  465 34824 SNAT       all  --  *      *       192.168.1.67         0.0.0.0/0           to:x.x.x.93 
11921 1137K MASQUERADE  all  --  *      eth0   !x.x.x.90        0.0.0.0/0           
87794 5268K MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0xd001

For those unfamiliar with iptables, to get there I ran:
Code:
# old-style negation (-i ! eth0) is what this router's iptables 1.3.8 expects
iptables -t mangle -D PREROUTING -i ! eth0 -d x.x.x.90 -j MARK --set-mark 0xd001
iptables -t mangle -I PREROUTING -i ! eth0 -d x.x.x.88/29 -j MARK --set-mark 0xd001

I.e., I deleted the rule that covered *only* my gateway IP, and added the rule that covered my entire /29.

And now it works.

The finished/working iptables-save looks like so:

Code:
# Generated by iptables-save v1.3.8 on Wed Jul 30 12:55:04 2014
*nat
:PREROUTING ACCEPT [246112:17248708]
:POSTROUTING ACCEPT [166:27992]
:OUTPUT ACCEPT [139:24702]
:DNSFILTER - [0:0]
:LOCALSRV - [0:0]
:VSERVER - [0:0]
:VUPNP - [0:0]
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT 
-A PREROUTING -d x.x.x.89 -j DNAT --to-destination 192.168.1.43 
-A PREROUTING -d x.x.x.91 -j DNAT --to-destination 192.168.1.80 
-A PREROUTING -d x.x.x.92 -j DNAT --to-destination 192.168.1.25 
-A PREROUTING -d x.x.x.93 -j DNAT --to-destination 192.168.1.67 
-A PREROUTING -d x.x.x.90 -j VSERVER 
-A POSTROUTING -s 192.168.1.43 -j SNAT --to-source x.x.x.89 
-A POSTROUTING -s 192.168.1.80 -j SNAT --to-source x.x.x.91 
-A POSTROUTING -s 192.168.1.25 -j SNAT --to-source x.x.x.92 
-A POSTROUTING -s 192.168.1.67 -j SNAT --to-source x.x.x.93 
-A POSTROUTING -s ! x.x.x.90 -o eth0 -j MASQUERADE 
-A POSTROUTING -s 192.168.0.0/255.255.0.0 -d 192.168.0.0/255.255.0.0 -o br0 -j MASQUERADE 
-A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE 
-A VSERVER -j VUPNP 
-A VSERVER -j LOCALSRV 
-A VSERVER -j DNAT --to-destination 192.168.1.103 
COMMIT
# Completed on Wed Jul 30 12:55:04 2014
# Generated by iptables-save v1.3.8 on Wed Jul 30 12:55:04 2014
*mangle
:PREROUTING ACCEPT [4731822:375063262]
:INPUT ACCEPT [3387:278312]
:FORWARD ACCEPT [4728056:374754192]
:OUTPUT ACCEPT [2930:579763]
:POSTROUTING ACCEPT [4730764:375312671]
-A PREROUTING -d x.x.x.88/255.255.255.248 -i ! eth0 -j MARK --set-mark 0xd001 
-A PREROUTING -j CONNMARK --save-mark 
COMMIT
# Completed on Wed Jul 30 12:55:04 2014
# Generated by iptables-save v1.3.8 on Wed Jul 30 12:55:04 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2820:568709]
:FUPNP - [0:0]
:PControls - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -i tun21 -j ACCEPT 
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT 
-A INPUT -m state --state INVALID -j DROP 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i lo -m state --state NEW -j ACCEPT 
-A INPUT -i br0 -m state --state NEW -j ACCEPT 
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT 
-A INPUT -j DROP 
-A FORWARD -d 192.168.1.25 -j ACCEPT 
-A FORWARD -i tun21 -j ACCEPT 
-A FORWARD -d 192.168.1.43 -j ACCEPT 
-A FORWARD -d 192.168.1.67 -j ACCEPT 
-A FORWARD -d 192.168.1.80 -j ACCEPT 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -i ! br0 -o eth0 -j DROP 
-A FORWARD -m state --state INVALID -j DROP 
-A FORWARD -i br0 -o br0 -j ACCEPT 
-A FORWARD -i eth0 -p icmp -j DROP 
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT 
-A FORWARD -i br0 -j ACCEPT 
-A PControls -j ACCEPT 
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options 
-A logaccept -j ACCEPT 
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options 
-A logdrop -j DROP 
COMMIT
# Completed on Wed Jul 30 12:55:04 2014

About all that's left to do is to figure out how to get all of this to happen in the right order via nat-start and firewall-start.

I have my homework, but at least now in the absolute worst case scenario I iptables-restore on startup if I end up at my wit's end again.

Thanks again sinshiva!
 
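The two pieces this thread ends up combining are the 1:1 NAT itself (the DNAT/SNAT pairs from the original nat-start and firewall-start scripts) and the NAT-loopback fix (mark LAN-originated packets for the whole /29, then masquerade marked packets). The script below is an added example, not the poster's scripts or anything shipped with ASUSWRT-Merlin: it generates that rule set from a mapping table so the rules for every host stay consistent, and prints them as a dry run until you ask it to apply them. The interface names (eth0, br0), the 198.51.100.88/29 block (a documentation range) and the LAN addresses are all constructed placeholders; it also assumes the router already answers for the public addresses (the ifconfig aliases in the DD-WRT script, or the equivalent), and it tightens the SNAT rules to `-o eth0` so a server's LAN-to-LAN traffic is not rewritten, which the thread's rules did not do.

```shell
#!/bin/sh
# Added example (not from the thread): generate the iptables rules for a
# 1:1 NAT block plus NAT loopback (hairpin) from a small mapping table.
# Interface names, the public /29 and the LAN hosts below are assumptions.

WANIF="${WANIF:-eth0}"                    # assumed WAN interface
PUBBLOCK="${PUBBLOCK:-198.51.100.88/29}"  # constructed /29 (TEST-NET-2 documentation range)
LOOPMARK="0xd001"                         # fwmark used to recognise LAN-originated hairpin traffic

# Constructed "public private" pairs, one per line (same shape as the thread's /29).
MAPPINGS="198.51.100.89 192.168.1.43
198.51.100.91 192.168.1.80
198.51.100.92 192.168.1.25
198.51.100.93 192.168.1.67"

# Emit one iptables command per line; nothing is applied until you pipe it to sh.
gen_rules() {
    # Hairpin: a packet for the public block that did NOT arrive on the WAN
    # (i.e. it came from the LAN) is marked in mangle PREROUTING ...
    printf 'iptables -t mangle -I PREROUTING ! -i %s -d %s -j MARK --set-mark %s\n' \
        "$WANIF" "$PUBBLOCK" "$LOOPMARK"
    # ... and marked packets are masqueraded on the way out, so the server's
    # reply comes back through the router (where conntrack undoes the DNAT)
    # instead of going straight to the LAN client, which would reject it.
    printf 'iptables -t nat -I POSTROUTING -m mark --mark %s -j MASQUERADE\n' "$LOOPMARK"

    printf '%s\n' "$MAPPINGS" | while read -r pub priv; do
        [ -n "$pub" ] || continue
        # Inbound: rewrite the public address to the server from any interface
        # (no -i restriction, so LAN clients hitting the public IP are translated too).
        printf 'iptables -t nat -I PREROUTING -d %s -j DNAT --to-destination %s\n' "$pub" "$priv"
        # Outbound: the server's own connections leave with its public address,
        # restricted to the WAN so LAN-to-LAN traffic is left untouched.
        printf 'iptables -t nat -I POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
            "$priv" "$WANIF" "$pub"
        # Let forwarded traffic reach the server; its own firewall decides the rest.
        printf 'iptables -I FORWARD -d %s -j ACCEPT\n' "$priv"
    done
}

# Commands that show whether the loopback path is actually in use: the MARK
# rule's packet counter should increase when a LAN client connects to a public IP.
gen_checks() {
    printf 'iptables -t mangle -L PREROUTING -n -v\n'
    printf 'iptables -t nat -L POSTROUTING -n -v\n'
}

# Number of rules the mapping table produces (2 hairpin rules + 3 per host).
rule_count() {
    gen_rules | wc -l | tr -d ' '
}

case "${1:-}" in
    --apply) gen_rules | sh ;;   # run as root on the router
    --check) gen_checks ;;
    *)       gen_rules ;;        # default: dry run, print the rules
esac
```

Run without arguments to review the rules, `--apply` to load them (the nat and mangle lines are what belongs in nat-start, the FORWARD lines in firewall-start), and `--check` afterwards to confirm the MARK counter moves while a LAN client connects to one of the public addresses. The negation is written `! -i eth0` here, which newer iptables requires; the router's iptables 1.3.8 in the thread uses the older `-i ! eth0` form. Two caveats the thread already hints at: because hairpin traffic is masqueraded, the server logs the router's LAN address (the 192.168.1.1 seen in the postfix log) rather than the real client, and that is inherent in this approach; and a test run from the router itself, like the `nc` in the first post, traverses the nat OUTPUT chain rather than PREROUTING, so it reaches the router's own httpd and says nothing about whether loopback works for LAN clients.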
In case someone else stumbles onto this via Google, this is what my chains look like now:

And here I am, three and a half years later, trying to do pretty much the same thing, and your post is the most helpful I've found so far.
 
