
melfneerg.com

 - 'cos life is like that


About the Author
Tudor Davies

Tudor is a techie turned manager who fights like mad to keep his tech skills honed and relevant. Everything from web hosting, networking, *nix and the like. Constantly developing and co-ordinating with others to make the web a better (and easier to use) place.

SNAT

Wednesday, 28th Jul 2010  Posted @ 12:43

I was having a random problem with a customer network that I tried to resolve by playing around with one of our test hosting setups (as I could run debugs faster, etc.) and then spotted something odd.

The address reported as the source when sending traffic out from my servers was different from the address I use to contact them from the outside. I eventually tracked this down to IPCop using MASQUERADE, which meant all outgoing traffic was hidden behind a single address (not what you need when you need reverse DNS, etc.). What I needed was source NAT, or SNAT as it's known.

Edit /etc/rc.d/rc.firewall

Find the following:

# Outgoing masquerading DISABLED
/sbin/iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE

(This section hides all traffic behind the first address on the RED interface.)

First off, I commented that line out.
Then I added the following:

# Machines on GREEN
# The nat table is first-match, so the host-specific rules must come before the /24 catch-all
# web server
/sbin/iptables -t nat -A POSTROUTING -s 192.168.1.2 -j SNAT --to-source x.x.x.2
# mail server
/sbin/iptables -t nat -A POSTROUTING -s 192.168.1.3 -j SNAT --to-source x.x.x.3
# All other machines on GREEN
/sbin/iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source x.x.x.1

I saved that and then rebooted. All tested and working.

Once that was resolved, sorting out the customer's issue was very quick: they have two internet circuits and are currently migrating from one to the other, but don't appear to have properly thought it through.

This was proved with a quick tcpdump on our test firewall, and what we saw was this:

1 - A SYN packet leaves with SRC of x.x.x.x destined to y.y.y.y
2 - A SYN/ACK packet arrives with SRC of z.z.z.z destined for x.x.x.x

Essentially, incoming traffic is going down the new circuit, through the new firewall and hitting a server, which is then responding via the old firewall and the old circuit, which has a different address.

Any firewall in front of the requesting machine will drop the packet, as it doesn't have a conversation to relate the SYN/ACK to. If there isn't a security product there, the requesting machine gets a response back from a completely different network and therefore ignores it!
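The SYN/SYN-ACK mismatch above is easy to spot by eye on two lines and easy to miss in a busy capture. As an added example (not from the post), the following pairs each outgoing SYN with the SYN/ACK that comes back and reports any reply whose source is not the address the SYN was sent to, which is exactly the symptom of the customer's split-circuit return path. The tcpdump lines are constructed with documentation-range addresses; the parser handles tcpdump's default `IP a.b.c.d.port > e.f.g.h.port: Flags [..]` format only.

```python
import re

# Constructed capture: connection 1 gets its SYN/ACK from a different address than it
# contacted (asymmetric return path); connection 2 is a normal handshake.
CAPTURE = """\
12:43:01.000001 IP 203.0.113.10.51000 > 198.51.100.20.80: Flags [S], seq 100, win 65535, length 0
12:43:01.020000 IP 198.51.100.30.80 > 203.0.113.10.51000: Flags [S.], seq 200, ack 101, win 65535, length 0
12:43:02.000001 IP 203.0.113.10.51001 > 198.51.100.20.443: Flags [S], seq 300, win 65535, length 0
12:43:02.020000 IP 198.51.100.20.443 > 203.0.113.10.51001: Flags [S.], seq 400, ack 301, win 65535, length 0
"""

LINE_RE = re.compile(
    r"^\S+ IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): Flags \[([^\]]+)\]"
)


def parse_line(line):
    """Return (src, sport, dst, dport, flags) or None for lines that are not TCP segments."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    src, sport, dst, dport, flags = m.groups()
    return src, int(sport), dst, int(dport), flags


def find_asymmetric(lines):
    """Return (client, expected_peer, actual_peer) for every SYN/ACK that arrives
    from an address other than the one the client sent its SYN to."""
    pending = {}   # (client_ip, client_port) -> (server_ip, server_port) awaiting SYN/ACK
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, sport, dst, dport, flags = parsed
        if flags == "S":
            pending[(src, sport)] = (dst, dport)
        elif flags == "S.":
            client = (dst, dport)           # the reply is addressed to the original client
            expected = pending.pop(client, None)
            if expected is None:
                continue                    # SYN/ACK with no SYN seen; not this check's concern
            if expected != (src, sport):
                findings.append((
                    f"{client[0]}:{client[1]}",
                    f"{expected[0]}:{expected[1]}",
                    f"{src}:{sport}",
                ))
    return findings


if __name__ == "__main__":
    for client, expected, actual in find_asymmetric(CAPTURE.splitlines()):
        print(f"{client}: SYN sent to {expected}, SYN/ACK came from {actual}")
```

A stateful firewall in front of the client makes the same comparison implicitly, which is why the returning SYN/ACK is dropped rather than logged as anything more descriptive than an invalid state.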
