# [SOLVED] Help with iptables - One host does not MASQ

## fincoop

Hello,

I've been using iptables for years and would consider myself a networking/security expert. However, I have a problem that is driving me nuts. I have one host on my internal network that goes out to the Internet with its internal IP; it does not get SNAT/MASQed. I can't see any reason (config related) why. I have no rules that call out this host specifically, and other hosts on my internal network are being MASQed fine. I've tried inserting rules in the config to at least get a count, but they are not getting hit. I would appreciate your help in troubleshooting this. The host is 192.168.11.148/32. Here is the relevant config:

```
echo "*******************************"
echo "** FIREWALL INIT **************"
echo "*******************************"
echo " "

IPT='/sbin/iptables'

### INTERFACE DECLARATION
IN='enp0s25'
OUT='ppp0'

# ==========================================================
# FLUSH ALL CONFIGURATION
# ==========================================================

# Flush tables
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F

# Delete user-defined chains
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

# Reset Counters
$IPT -Z

# ==========================================================
# CUSTOM CHAINS
# ==========================================================

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

$IPT -N MINIUPNPD
$IPT -N checkBcast
$IPT -N checkBlacklist
$IPT -N checkDrop
$IPT -N checkReject
$IPT -N lab2dmz
$IPT -N lab2fw
$IPT -N lab2in
$IPT -N lab2out
$IPT -N lab2vpna
$IPT -N lab2vpnb
$IPT -N labFwd
$IPT -N dmz2lab
$IPT -N dmz2fw
$IPT -N dmz2in
$IPT -N dmz2out
$IPT -N dmz2vpna
$IPT -N dmz2vpnb
$IPT -N dmzFwd
$IPT -N dropLog
$IPT -N dynamic
$IPT -N fw2lab
$IPT -N fw2dmz
$IPT -N fw2in
$IPT -N fw2out
$IPT -N fw2vpna
$IPT -N fw2vpnb
$IPT -N fwdLog
$IPT -N in2lab
$IPT -N in2dmz
$IPT -N in2fw
$IPT -N in2out
$IPT -N in2vpna
$IPT -N in2vpnb
$IPT -N inFwd
$IPT -N logFlags
$IPT -N out2lab
$IPT -N out2dmz
$IPT -N out2fw
$IPT -N out2in
$IPT -N out2vpna
$IPT -N out2vpnb
$IPT -N outFwd
$IPT -N rejectAction
$IPT -N rejectLog
$IPT -N sfilter
$IPT -N smurfLog
$IPT -N smurfs
$IPT -N tcpFlags
$IPT -N vpna2lab
$IPT -N vpna2dmz
$IPT -N vpna2fw
$IPT -N vpna2in
$IPT -N vpna2out
$IPT -N vpna2vpnb
$IPT -N vpnaFwd
$IPT -N vpnb2lab
$IPT -N vpnb2dmz
$IPT -N vpnb2fw
$IPT -N vpnb2in
$IPT -N vpnb2out
$IPT -N vpnb2vpna
$IPT -N vpnbFwd

# Connections through FW
$IPT -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
$IPT -A FORWARD -j checkBlacklist
$IPT -A FORWARD -i $IN -j inFwd
$IPT -A FORWARD -j checkReject
$IPT -A FORWARD -g rejectAction

# Drop invalid broadcast traffic
$IPT -A checkBcast -m addrtype --dst-type BROADCAST -j DROP
$IPT -A checkBcast -m addrtype --dst-type MULTICAST -j DROP
$IPT -A checkBcast -m addrtype --dst-type ANYCAST -j DROP
$IPT -A checkBcast -d 224.0.0.0/4 -j DROP

# Validate for drop
$IPT -A checkDrop -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
$IPT -A checkDrop -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
$IPT -A checkDrop -m conntrack --ctstate INVALID -j DROP
$IPT -A checkDrop -p udp -m multiport --dports 135,445 -m comment --comment SMB -j DROP
$IPT -A checkDrop -p udp -m udp --dport 137:139 -m comment --comment SMB -j DROP
$IPT -A checkDrop -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment SMB -j DROP
$IPT -A checkDrop -p tcp -m multiport --dports 135,139,445 -m comment --comment SMB -j DROP
$IPT -A checkDrop -p udp -m udp --dport 1900 -m comment --comment UPnP -j DROP
$IPT -A checkDrop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
$IPT -A checkDrop -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP

# Validate for rejection
$IPT -A checkReject -j checkBcast
$IPT -A checkReject -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
$IPT -A checkReject -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
$IPT -A checkReject -m conntrack --ctstate INVALID -j DROP
$IPT -A checkReject -p udp -m multiport --dports 135,445 -m comment --comment SMB -j rejectAction
$IPT -A checkReject -p udp -m udp --dport 137:139 -m comment --comment SMB -j rejectAction
$IPT -A checkReject -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment SMB -j rejectAction
$IPT -A checkReject -p tcp -m multiport --dports 135,139,445 -m comment --comment SMB -j rejectAction
$IPT -A checkReject -p udp -m udp --dport 1900 -m comment --comment UPnP -j DROP
$IPT -A checkReject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
$IPT -A checkReject -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP

# Reject actions
$IPT -A rejectAction -m addrtype --src-type BROADCAST -j DROP
$IPT -A rejectAction -s 224.0.0.0/4 -j DROP
$IPT -A rejectAction -p igmp -j DROP
$IPT -A rejectAction -p tcp -j REJECT --reject-with tcp-reset
$IPT -A rejectAction -p udp -j REJECT --reject-with icmp-port-unreachable
$IPT -A rejectAction -p icmp -j REJECT --reject-with icmp-host-unreachable
$IPT -A rejectAction -j REJECT --reject-with icmp-host-prohibited

# Log the connection and forward
$IPT -A fwdLog -j LOG --log-prefix "[FIREWALL] FWD-LOG:" --log-level 6
$IPT -A fwdLog -j ACCEPT

# Log the connection and drop
$IPT -A dropLog -j LOG --log-prefix "[FIREWALL] BLOCK-LOG:DROP:" --log-level 6
$IPT -A dropLog -j DROP

# Log the connection and reject
$IPT -A rejectLog -j LOG --log-prefix "[FIREWALL] BLOCK-LOG:REJECT:" --log-level 6
$IPT -A rejectLog -j rejectAction

# Check for invalid TCP flags
$IPT -A tcpFlags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g logFlags
$IPT -A tcpFlags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g logFlags
$IPT -A tcpFlags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g logFlags
$IPT -A tcpFlags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g logFlags
$IPT -A tcpFlags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g logFlags

# Log invalid TCP flags
$IPT -A logFlags -j LOG --log-prefix "[FIREWALL] logflags:DROP:" --log-level 6 --log-ip-options
$IPT -A logFlags -j DROP

# Sfilter checking
$IPT -A sfilter -j LOG --log-prefix "[FIREWALL] sfilter:DROP:" --log-level 6
$IPT -A sfilter -j DROP

# Log and drop Smurfs
$IPT -A smurfLog -j LOG --log-prefix "[FIREWALL] :smurfs:DROP" --log-level 6
$IPT -A smurfLog -j DROP

# Check for Smurfs
$IPT -A smurfs -s 0.0.0.0/32 -j RETURN
$IPT -A smurfs -m addrtype --src-type BROADCAST -g smurfLog
$IPT -A smurfs -s 224.0.0.0/4 -g smurfLog

# Inside to another interface
$IPT -A in2out -j ACCEPT
$IPT -A inFwd -j ACCEPT

# Internet to another interface
$IPT -A outFwd -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A outFwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
$IPT -A outFwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j smurfs
$IPT -A outFwd -p tcp -j tcpFlags
$IPT -A outFwd -j MINIUPNPD
$IPT -A outFwd -o $IN -j out2in

# Internet to Inside
$IPT -A out2in -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A out2in -j checkDrop
$IPT -A out2in -j DROP

echo "*******************************"
echo "** NAT CONNECTIONS        *****"
echo "*******************************"
echo " "

IPT='/sbin/iptables -t nat'

$IPT -N MINIUPNPD
$IPT -N lab_dnat
$IPT -N dmz_dnat
$IPT -N out_dnat
$IPT -N vpna_dnat
$IPT -N vpnb_dnat

$IPT -A PREROUTING -i $IN -j MINIUPNPD
$IPT -A PREROUTING -i $OUT -j MINIUPNPD
$IPT -A PREROUTING -i $OUT -j out_dnat
$IPT -A POSTROUTING -o $OUT -j MASQUERADE

IPT="/sbin/iptables -t mangle"

$IPT -A PREROUTING -p udp --dport 5060 -j TOS --set-tos 0x10
$IPT -A PREROUTING -p udp --dport 5060 -j RETURN
$IPT -A PREROUTING -j TOS --set-tos 0
```

Last edited by fincoop on Fri Feb 21, 2014 4:02 am; edited 1 time in total
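The "insert a rule just to get a count" approach from the post, as an added example that is not part of the original thread or of fincoop's script: a small Python reader for `iptables-save -c` output (a real iptables command; `iptables -t nat -L POSTROUTING -v -n` shows the same counters) that pulls out every rule naming a given host and flags the ones whose packet counter is still zero. The dump below is constructed for the example, modelled on the posted nat table plus one target-less counting rule in nat/POSTROUTING and one in filter/FORWARD. The practitioner caveat it is built to show: the nat table is consulted only for the first packet of a connection that conntrack sees as NEW, so a counting rule added to nat/POSTROUTING stays at zero for any flow that already has a conntrack entry (a UDP SIP registration that keeps refreshing, for instance), while the same match in filter/FORWARD counts every packet.

```python
import re

# Rule lines in `iptables-save -c` output look like:
#   [pkts:bytes] -A CHAIN <match and target text>
COUNTED_RULE_RE = re.compile(
    r"^\[(?P<pkts>\d+):(?P<bytes>\d+)\] -A (?P<chain>\S+) (?P<rule>.*)$"
)

# Constructed sample (not a dump from the poster's router). It contains a
# per-host counting rule without a -j target in nat/POSTROUTING and in
# filter/FORWARD, next to the MASQUERADE rule from the posted script.
SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [1200:96000]
:INPUT ACCEPT [40:3200]
:OUTPUT ACCEPT [55:4100]
:POSTROUTING ACCEPT [0:0]
[0:0] -A POSTROUTING -s 192.168.11.148/32 -o ppp0 -m comment --comment count-only
[311:20512] -A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [5:300]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [900:70000]
[2204:1873000] -A FORWARD -s 192.168.11.148/32 -o ppp0 -m comment --comment count-only
[2204:1873000] -A FORWARD -i enp0s25 -j inFwd
COMMIT
"""


def parse_iptables_save(text):
    """Return one dict per rule: table, chain, pkts, bytes and the rule text."""
    table = None
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                      # "*nat", "*filter", ...
            table = line[1:]
            continue
        if line.startswith(":") or line == "COMMIT":  # chain policy / end of table
            continue
        m = COUNTED_RULE_RE.match(line)
        if m and table:
            rules.append({
                "table": table,
                "chain": m.group("chain"),
                "pkts": int(m.group("pkts")),
                "bytes": int(m.group("bytes")),
                "rule": m.group("rule"),
            })
    return rules


def rules_for_host(rules, ip):
    """Rules matching the host as source or destination (iptables-save writes a /32 mask)."""
    pat = re.compile(r"(?:-s|-d) " + re.escape(ip) + r"(?:/32)?(?=\s|$)")
    return [r for r in rules if pat.search(r["rule"])]


def zero_hit(rules):
    """Rules whose packet counter has not moved since the last `iptables -Z`."""
    return [r for r in rules if r["pkts"] == 0]


def report(text, ip):
    """Per-host counter report; prints and returns the report lines."""
    lines = []
    for r in rules_for_host(parse_iptables_save(text), ip):
        note = ""
        if r["pkts"] == 0 and r["table"] == "nat":
            # nat is only traversed by the first packet of a NEW conntrack entry,
            # so a flow that is already tracked never increments a nat counter.
            note = "  (nat sees only NEW connections; flow may already be in conntrack)"
        lines.append(f"{r['table']}/{r['chain']}: {r['pkts']} pkts  {r['rule']}{note}")
    for line in lines:
        print(line)
    return lines


if __name__ == "__main__":
    report(SAMPLE_DUMP, "192.168.11.148")
```

Run it against `iptables-save -c` output after `iptables -Z` and a fresh connection from the host; a nat counter that stays at zero while the filter counter climbs means the flow was already tracked, not that the host is skipping the chain.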

----------

## ChrisJumper

Hello fincoop,

I myself need some time to read iptables rules, and actually I am in a hurry right now. But for me the subnet configuration for your host sticks out; did you mistype it yourself? The IPv4 subnet mask has just 32 bits, and if you use slash 32 you will have no host part in your subnet configuration.

*fincoop wrote:*

> The host is 192.168.11.148/32.

I am not sure if this is what causes your host to go out without SNAT/MASQ, but I would bet on that.

Regards

Chris

----------

## shuuraj

LoL, yeah, it would be hard with 0 bits of host range :)

----------

## fincoop

Thank you both for your help. The /32 notation denotes a host IP (versus /24, /16 etc), but that actually wasn't defined anywhere in my rule set. The issue appears to be DHCP related, oddly. I have a host declaration for this device to give it a fixed IP address. I removed the fixed IP address and it is working again, but I do not think that I have identified the root cause of this problem.

----------

## fincoop

I rebooted my VoIP ATA device and watched it with tcpdump/tshark. I saw that HTTP traffic from this host was NAT'd properly but the UDP SIP messages were not. With this piece of info I was able to deduce that SIP NAT was not working, so I suspected the iptables SIP helper was at fault. The option to enable/disable it was missing from my kernel menuconfig, so I went to .config and removed the parameter manually. I suspect I created this condition by manually copying an older .config to a newer kernel version.

```
CONFIG_NF_CONNTRACK_SIP=y
CONFIG_NF_NAT_SIP=n
```
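The capture check described in the last post, as an added example that is not fincoop's code or capture: a Python script that reads the text output of `tcpdump -n -i ppp0` (a real tcpdump invocation; `-n` keeps addresses numeric) and flags every packet on the WAN side that still carries an RFC 1918 source address, grouped by source, protocol and destination port. Grouping is what makes a partial failure visible: HTTP from the host masqueraded, SIP on UDP/5060 not. The capture lines are constructed for the example; the line regex assumes tcpdump's plain `IP src.port > dst.port:` form with no link-layer prefix, which is what a point-to-point interface prints, and the WAN address 198.51.100.7 is an assumed placeholder. The RFC 1918 test is written by hand because `ipaddress.ip_address(...).is_private` also returns True for the documentation prefixes used in the sample.

```python
import ipaddress
import re
from collections import Counter

# RFC 1918 only. Python's is_private additionally flags documentation
# prefixes such as 198.51.100.0/24, which would misclassify the sample.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# One `tcpdump -n` line on a point-to-point link: "<ts> IP a.b.c.d.port > e.f.g.h.port: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

# Constructed capture as seen on the WAN interface: a masqueraded HTTP
# handshake and DNS query (source 198.51.100.7, the assumed ppp0 address)
# and two SIP REGISTERs that still carry the LAN host's private address.
SAMPLE_CAPTURE = """\
10:15:01.100001 IP 198.51.100.7.51234 > 93.184.216.34.80: Flags [S], seq 1, win 29200, length 0
10:15:01.120002 IP 93.184.216.34.80 > 198.51.100.7.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
10:15:01.300003 IP 192.168.11.148.5060 > 203.0.113.25.5060: SIP: REGISTER sip:203.0.113.25 SIP/2.0
10:15:02.300004 IP 192.168.11.148.5060 > 203.0.113.25.5060: SIP: REGISTER sip:203.0.113.25 SIP/2.0
10:15:03.000005 IP 198.51.100.7.40000 > 203.0.113.25.53: 1234+ A? example.net. (29)
"""


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_line(line):
    """Parse one tcpdump line; returns None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    # tcpdump prints "Flags [...]" for TCP; everything else here is treated as UDP.
    proto = "tcp" if rest.startswith("Flags [") else "udp"
    return {
        "ts": m.group("ts"),
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "proto": proto, "rest": rest,
    }


def find_nat_leaks(lines):
    """Packets on the WAN side whose source is still an RFC 1918 address."""
    leaks = []
    for line in lines:
        pkt = parse_line(line)
        if pkt and is_rfc1918(pkt["src"]):
            leaks.append(pkt)
    return leaks


def summarize(leaks):
    """Count leaked packets per (source, protocol, destination port)."""
    return Counter((p["src"], p["proto"], p["dport"]) for p in leaks)


if __name__ == "__main__":
    leaks = find_nat_leaks(SAMPLE_CAPTURE.splitlines())
    for (src, proto, dport), n in sorted(summarize(leaks).items()):
        print(f"NAT leak: {src} {proto}/{dport}: {n} packet(s) left with private source")
```

Pipe a live capture in with `tcpdump -n -l -i ppp0 | python3 natleak.py` after changing the `__main__` block to read `sys.stdin`. The script only localises which flows bypass NAT; the cause, in the poster's case the kernel's SIP NAT helper being built out, still has to be found on the router.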

----------

