# Avoiding double NAT

## Double Click

I need advice on whether or not to go for a bridging firewall with squid or a normal firewall with squid. I have a LAN that has a router which has two WAN interfaces. This router will split the traffic up accordingly and is maintained by our ISP. This router will also be doing NAT. 

I want to do network packet filtering for our network and also web caching (transparent). I really don't wanna do double NAT as the router already does this. This is why I thought a bridging firewall would be perfect in this case. I only need to add it between the ISP router and the LAN and all traffic will be filtered and cached. I followed the guide at HOWTO: Bridging, Transparent Firewalls and IPS but ran into major problems which don't seem to be fixable in the near future. For reference go to the HOWTO and check out my posts.

(By accident used that forum for support related questions  :Embarassed: )

Bridging sounds really nice but I have been struggling with it for over a week now and I don't get anywhere. Resources on the net seem to be very limited, and it seems that this is one of those things that just work the first time.  :Confused: 

Anyway .... to avoid double NAT, in my case, is there anything else that iptables can offer ?

PS: www.netfilter.org seems to be down ???

----------

## adaptr

Why would you need to do NAT on the Gentoo box?

As long as you can decide which subnet(s) are used on the inside of the network you can simply route everything through the Gentoo box - and set up a nice transparent squid proxy while you're at it.

(Reason being, you can set up a transparent proxy only on a gateway, and the Gentoo box would inevitably be a gateway, NAT or not.)

EDIT: It is. Strange...

----------

## Double Click

I fully understand what you mean - let me try to figure out how to translate that into iptables terms ....

Unless you have some examples ....  :Very Happy:  Obviously forwarding must still be enabled then, as iptables has to intercept the traffic between the network cards ?

----------

## adaptr

Well, since netfilter provides you with an INPUT, OUTPUT and FORWARD chain you can do pretty much all the filtering you need.

Set policies to DENY (better behaved than DROP on your internal net) and add ACCEPT rules for... acceptable traffic. :Wink: 

Since the router does NAT you don't need much of a firewall - I wonder what exactly you want to filter ?

And yes, IP forwarding must be enabled in order to route IP traffic - but this has nothing to do with iptables.

A pair of static routes is more than enough - one on the Gentoo box and one on the router.

----------

## Double Click

 *adaptr wrote:*   

> Since the router does NAT you don't need much of a firewall - I wonder what exactly you want to filter ?

 

The router is going to have a very loose ACL and I would like to do the filtering on the firewall/proxy. Basically the router will be connected to the firewall on eth0 and then eth1 is going to be connected to the workgroup switches to the LAN. There will be about 70 users behind the firewall then. The router is going to redirect only a certain IP range to one WAN interface and all the rest to the secondary WAN interface ( this is the part which is going to be done by the ISP ).

I will then need to ensure the following:

1. Internally originating HTTP/HTTPS traffic to be cached to reduce overall Internet bandwidth consumption

2. Protect the internal LAN from misc activities and reduce overall chatter to and from the WAN. (At the moment there are no firewalls in place, only one router - don't ask why cause it is a realllllyyy long story  :Wink: ).

3. Allow only specified traffic from and to the LAN.

4. Set up monitoring - traffic monitoring, individual client computer activity logging/monitoring which all can be viewed via graphs ( was thinking of using MRTG but that I will still have to figure out somehow)

 *adaptr wrote:*   

> And yes, IP forwarding must be enabled in order to route IP traffic - but this has nothing to do with iptables. 
> 
> A pair of static routes is more than enough - one on the Gentoo box and one on the router.

 

What do you mean exactly ? The Gentoo box will forward to its default gateway (ISP router) and the router will then do its thing ?

----------

## adaptr

 *Double Click wrote:*   

>  *adaptr wrote:*   Since the router does NAT you don't need much of a firewall - I wonder what exactly you want to filter ? 
> 
> The router is going to have very loose ACL and I would like to do the filtering on the firewall/proxy.

 

Basically, that's the wrong way around.

You generally block/filter traffic as close to the source as possible.

Two very simple reasons:

- It brings down traffic (traffic is dropped earlier in the network), and

- it reduces the possibility for attacks (since only one router is involved before traffic gets dropped, not two)

But then, if you cannot personally configure this router there is really no easy way to do this.

You can only hope that the ISP does a sensible job in configuring it.

 *Double Click wrote:*   

> Basically the router will be connected to the firewall on eth0 and then the eth1 is going to be connected to the workgroup switches to the LAN. There will be about 70 users behind firewall then. The router is going to redirect only a certain IP range to one WAN interface and all the rest to the secondary WAN interface ( this is the part which is going to be done by the ISP ).

 

Which, simply put, means none of this is under your control, and therefore not your problem - you can still safely route everything directly through the firewall to the router.

 *Double Click wrote:*   

> I will then need to ensure then the following:
> 
>  1. Internal originating HTTP/HTTPS traffic to be cached to reduce overall Internet bandwidth consumption

 

You should not ever cache HTTPS traffic; squid won't even let you.

 *Double Click wrote:*   

>  2. Protect the internal LAN from misc activities and reduce overall chatter to and from the WAN. (At the moment there are no firewalls in place, only one router - don't ask why cause it is a realllllyyy long story ).

 

Define "chatter" and "misc activities" - if you mean M$ broadcasting and the like then a NAT router is already more than enough - none of it will get out.

As for "chatter from the WAN" - there won't be any on the inside of a NAT router.

 *Double Click wrote:*   

>  3. Allow only specified traffic from and to the LAN.

 

That's going to be much harder.

If by specified traffic to the LAN you mean access to internal servers, then yes - secure these as much as possible.

But as I said earlier, there will in general not be any direct traffic from the outside in - unless it is in reply to requests from the inside.

This type of traffic is allowed with one or two iptables rules at maximum.

 *Double Click wrote:*   

>  4. Set up monitoring - traffic monitoring, individual client computer activity logging/monitoring which all can be viewed via graphs ( was thinking of using MRTG but that I will still have to figure out somehow)

 

Traffic monitoring can be done with MRTG or cacti - I like cacti a lot, it also uses rrdtool and SNMP but is much more flexible than MRTG.

Activity logging - for web, use sarg or any other squid analyser.

For actual traffic analysis you may want to install ntop - it is incredibly detailed.

Also strongly consider installing snort to monitor for intrusion attempts - and breakout attempts from the inside (to catch bots and zombies).

The simple facts of Linux networking are that if you set up a NAT router with Squid then you have already prevented over 99% of all common threats from the Internet.

Combine that with Snort for security monitoring and I would be very surprised if you had to respond to security issues more than once every few months...

 *Double Click wrote:*   

>  *adaptr wrote:*   And yes, IP forwarding must be enabled in order to route IP traffic - but this has nothing to do with iptables. 
> 
> A pair of static routes is more than enough - one on the Gentoo box and one on the router. 
> 
> What do you mean exactly ? The Gentoo box will forward to its default gateway (ISP router) and the router will then do its thing ?

 

Yes - if you set up a static route on the router, back to the routed network behind the Gentoo box.

It is miles easier to set up and maintain than using a second layer of (totally superfluous) NAT.

If your ISP won't set this up then they're... not very knowledgeable, let's keep it at that  :Wink: 

----------

## Double Click

 *adaptr wrote:*   

>  *Double Click wrote:*    *adaptr wrote:*   Since the router does NAT you don't need much of a firewall - I wonder what exactly you want to filter ? 
> 
> The router is going to have very loose ACL and I would like to do the filtering on the firewall/proxy. 
> 
> Basically, that's the wrong way around.
> ...

 

I don't have a clue on how to configure a firewall with two permanent internet interfaces (not DMZ), one internal LAN interface and have only certain traffic routed on the one internet interface and all the rest on the other internet interface. Time is also a big issue as the pressure is on to get this done - so I cannot spend too much time figuring out how to do this with iptables - I have my hands full just setting up a simple firewall  :Embarassed: 

 *adaptr wrote:*   

>  *Double Click wrote:*    2. Protect the internal LAN from misc activities and reduce overall chatter to and from the WAN. (At the moment there are no firewalls in place, only one router - don't ask why cause it is a realllllyyy long story ). 
> 
> Define "chatter" and "misc activities" - if you mean M$ broadcasting and the like then a NAT router is already more than enough - none of it will get out.
> 
> As for "chatter from the WAN" - there won't be any on the inside of a NAT router.

 

IGMP announcements, broadcasts from ?? 254.0.0.1 ???, a lot of ARP queries, occasional SQL Worm propagation, once in a while failed attempts to do basic dictionary attacks. (if you are really interested I can give a juicy output from tcpdump - I am not in the office at the moment) Basically tcpdump flies past so fast that I can hardly keep up reading the lines.

I am still not understanding IPFILTERS completely - I am grasping the idea of INPUT, OUTPUT and FORWARD chains .... and played around a little bit with some basic rules. But what I don't completely understand is this whole SNAT, DNAT and NAT - and is MASQUERADING not just NAT ?? There is also a lot of talk on creating an IPFILTER rule set which will drop or reject anything coming in that is not part of an established connection from internally. That should take care of most worries in the beginning?

Like I said I am having problems grasping this whole IPFILTERS thing - maybe need to get a new brain or something  :Sad: 

But thanks a million on the rest ... guess I will be ditching the bridging oddness ... 

Hopefully will have a chance to get something right tomorrow - will post some findings then ... 

PS: I am joined up at the IPFILTERS mailing list and they talk mostly about heavy stuff which is chaotic for a super n00b...

----------

## adaptr

You say your ISP will configure this load-balancing router, so I am not assuming it will be a Linux device (although it may very well still run Linux internally) - much more likely that it is a SOHO box from Cisco or the like.

The kernel technology that is programmed by iptables is correctly called netfilter - not that I mind very much how you call it, but confusion can be dangerous when you're talking firewalls..  :Wink: 

I am assuming that's what you mean.

 *Quote:*   

> IGMP announcements, broadcasts from ?? 254.0.0.1 ???, a lot of ARP queries, occasional SQL Worm propagation, once in a while failed attempts to do basic dictionary attacks.

 

Is this when you capture packets directly from the inside of the dual-uplinked router ?

Then it is not a masquerading NAT router!

Believe me when I say this; it is not possible to get ANY outside-generated traffic into the LAN when you use masquerading NAT.

Broadcasts and ARP queries are certainly out of the question - they won't even survive the first normal router.

Either we're miscommunicating here or you will need to define more closely what it is this dual-net connection actually does.

About your NAT questions:

Masquerading is actually more a form of NAPT; real NAT is a one-to-one IP mapping; MASQ is a many-to-one IP mapping where the ports are redirected so as not to conflict -> Network Address and Port Translation.

Basically, you use DNAT to forward external requests to internal servers (reverse traffic is handled automatically for you; neat, eh?), and SNAT to implement a more static form of NAT.

SNAT & DNAT = true NAT, MASQ = NAPT

Oh and only allowing outside traffic that was initiated from the inside is indeed a one-liner:

```
iptables -A INPUT -i $EXTERN_IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
```

The policy needs to be set to DENY or DROP for this to have any effect; DROP is the more sensible policy for a direct Internet connection, since you won't waste any bandwidth responding...

Don't worry, it will become second nature after a year or two  :Wink: 

----------

## Double Click

 *adaptr wrote:*   

> You say your ISP wil configure this load-balancing router, so I am not assuming it will be a Linux device (although it may very well still run Linux internally) - much more likely that it is a SOHO box from Cisco or the like.

 

They are going to use a CISCO 1700 Series router which they are still waiting for (2 weeks now). At the moment I am running behind a CISCO 805 for testing.

 *adaptr wrote:*   

> Is this when you capture packets directly from the inside of the dual-uplinked router ?

 

I am capturing this data from the "inside" behind our original setup. The whole setup is not in place yet as mentioned above. We have been running on a public IP range the whole time - this really was a fight to get it changed ever since I took over this site but apparently there were some "reasons" for this ?!?!?!? Either way I had enough of this crap and decided to take internal matters into my own hands after long talks with management as they did not feel comfortable to stray from corporate policies. You think this is all ! PM/IM me and I can tell you the whole story .... I'll bet you never heard of anything like this!

 *adaptr wrote:*   

> Then it is not a masquerading NAT router!
> 
> Believe me when I say this; it is not possible to get ANY outside-generated traffic into the LAN when you use masquerading NAT.
> 
> Broadcasts and ARP queries are certainly out of the question - they won't even survive the first normal router.
> ...

 

This is interesting .... cause that means there is really absolutely nothing protecting us at the moment. The dual-net connection is a CISCO 1700 Series Router with two WAN ports - one goes to a local ISP leased line and the other goes to our current VSAT ISP. The local ISP line will only be utilized for their ERP software based on a group of IP addresses. All the rest of the traffic will be going over the VSAT ISP. There will be no load balancing as this is apparently too complicated to configure by the ISP - I was told. All of this will be set up by the local ISP. But as I mentioned that is not yet in place.

 *adaptr wrote:*   

> Oh and only allowing outside traffic that was initiated from the inside is indeed a one-liner:
> 
> ```
> iptables -A INPUT -i $EXTERN_IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
> ```
> ...

 

Is that all I need ?? Then obviously I just insert the rule to redirect all HTTP traffic to SQUID

```
iptables -t nat -A PREROUTING -i $INTERN_IFACE -p tcp --dport 80 -j REDIRECT --to-port 3128
```

and then make sure the other options are enabled. Sorry for these absurd questions but I went through a dozen tutorials but all leave me more and more with questions ...  :Crying or Very sad:  So if I want to add other rules, e.g. I want remote access to a server internally, I just add it at the beginning of the FORWARD chain ?

 *adaptr wrote:*   

> Don't worry, it will become second nature after a year or two 

   :Shocked:  *shudder*

----------
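The routed, no-second-NAT setup adaptr describes above (default DROP policy, the RELATED,ESTABLISHED one-liner, no MASQUERADE/SNAT on the Gentoo box), with Double Click's Squid REDIRECT rule folded in, as an added example that is not from the thread. Interface names, the LAN subnet and the Squid port are assumed placeholders; the ISP router still needs a static route for that LAN subnet pointing at the firewall's external address.

```shell
#!/bin/sh
# Routed firewall in front of a NAT-ing ISP router: no MASQUERADE/SNAT here,
# the router just needs a static route for LAN_NET pointing at this box.
# Assumed values (placeholders, not from the thread):
EXTERN_IFACE=eth0          # towards the ISP router
INTERN_IFACE=eth1          # towards the workgroup switches
LAN_NET=192.168.10.0/24    # constructed example LAN subnet
SQUID_PORT=3128            # Squid's listening port

# Emit the rule set rather than applying it, so it can be reviewed first
# and piped into a root shell once it looks right.
fw_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
iptables -X
# Default deny; DROP rather than REJECT on the Internet-facing side
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Traffic to the firewall itself: loopback, replies, LAN-side ssh and proxy port
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $INTERN_IFACE -s $LAN_NET -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $INTERN_IFACE -s $LAN_NET -p tcp --dport $SQUID_PORT -j ACCEPT
# Routed traffic: anti-spoofing on the LAN side, LAN out, only replies back in
iptables -A FORWARD -i $INTERN_IFACE ! -s $LAN_NET -j DROP
iptables -A FORWARD -i $INTERN_IFACE -o $EXTERN_IFACE -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $EXTERN_IFACE -o $INTERN_IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
# Transparent cache: LAN HTTP is redirected to Squid before the routing decision
iptables -t nat -A PREROUTING -i $INTERN_IFACE -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
EOF
}

# Apply the generated rules (needs root); "print" mode is the default.
fw_apply() {
    [ "$(id -u)" -eq 0 ] || { echo "fw_apply: must run as root" >&2; return 1; }
    fw_rules | sh -e
}

case "${1:-print}" in
    apply) fw_apply ;;
    *)     fw_rules ;;
esac
```

Run it without arguments to review the generated rules; `apply` installs them as root. Inbound access to an internal server would be added as a DNAT in the router plus a matching FORWARD ACCEPT here, ahead of the policy.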

## adaptr

Let me get this straight:

- you have set up a firewall (of sorts) yourself because the company couldn't be arsed to protect their PC's

- they want dual net connections for some fatass corporate reason (it always is) but that won't actually protect anything, or in fact make any sense whatsoever

- for this purpose they intend to deploy a not-so-cheap Cisco router (which I could easily config for you BTW) that is only used as a router and nothing else

I don't want to bash Gentoo or come down on your own l33t skillz  :Wink:  but this is my advice:

- download ipcop, it's really really big (50mb or so)

- burn it onto a huge gigantuan CD

- install it - any 500MHz box will be enough for 70 users

- and forget about it  :Wink: 

Really.

It has a built-in transparent Squid cache.

And there are add-ons for authenticating that in every way imaginable - MS-DS, LDAP, NDS, whatever

And logging - and IDS - and a DMZ for servers - and a Wireless subnet...

Pretty much everything I've advised you over this thread - is running on my compaq P3 500 firewall right now.

For free (as in lazy, not beer - okay, beer too... free, lazy, beer with freedom)

But by all means come back and we can banter around the Cisco / FW stuff some more !

----------

## Double Click

 *adaptr wrote:*   

> Let me get this straight: 
> 
> - you have set up a firewall (of sorts) yourself because the company couldn't be arsed to protect their PC's 
> 
> - they want dual net connections for some fatass corporate reason (it always is) but that won't actually protect anything, or in fact make any sense whatsoever 
> ...

 

Yip - right on! It was a typical case of you-live-in-Africa-so-u-must-be-talking-crap  :Crying or Very sad: .

 *adaptr wrote:*   

> - download ipcop, it's really really big (50mb or so)

 

I am using Smoothwall at the moment with the advanced proxy client and URL filter (which oddly are both available for IPCOP as well) and I must say it runs so sweet. If I don't come right with this "manual" firewall/proxy I will just slap Smoothwall on this Gentoo box as well. The ISP did not get the router yet so I still have some time left. 

The reason why I was making it so difficult for myself is that I actually wanted to learn something (my background is from an MS world and ISA Server !). I tried Bastille as well but I ended up jacking up more, and I thought that in the time spent trying to figure Bastille out I might as well learn NETFILTER. 

Then there is that feeling of actually doing something yourself and it is working  :Very Happy: 

 *adaptr wrote:*   

> But by all means come back and we can banter around the Cisco / FW stuff some more !

 

I will definitely - just want to try a couple of things on this and then post my findings.

PS: Is there a way of displaying my tcpdump results with my public IP and DNS name not displayed?

----------

## adaptr

 *Quote:*   

> I am using Smoothwall at the moment with the advanced proxy client and URL filter (which oddly are both available for IPCOP as well)

 

Not so odd: ipcop is a fork of smoothwall.

 *Quote:*   

> PS: Is there a way of displaying my tcpdump results with my public IP and DNS name not displayed?

 

Sure - just run the dump through sed and replace both with a string of your choosing.

----------

## Double Click

Okay - after messing around with iptables and trying out a lot of iptables scripts I decided I am rather going to use a script for the time being to make my firewall as secure as possible until I get around to understanding some of the rules in full. At least I have some partial knowledge now - but as a lot would agree, it is not going to be good for making sure that a network is going to be secure with iptables, and I don't wanna try Smoothwall as I will learn jack with that. Anyway ... does anybody use the script as well that I am using and what is the general idea/opinion with scripts that create iptables rules in a production environment?

I maybe wanna install a DNS forwarder/cache on the firewall as well that will handle all the internal DNS to outside requests. Which forwarder will be well suited for a ~100 user based network? Would BIND be overkill in this case as a forwarder only ?

----------

