# Iptables: routing and firewall, multiple ip's, NAT

## RealNitro

I need to set up a firewall/router for a (quite) complex network. I read this tutorial ( http://iptables-tutorial.frozentux.net/iptables-tutorial.html ), but it's still difficult for me to figure out how the packets flow through the different tables.

Some info about the network:

The external interface of the firewall has 4 IPs, and there are three internal interfaces, one for each subnet. The first subnet is a DMZ with the servers, the second one is a 'trusted' network with desktop PCs, and the third one is a 'trusted' network for wireless devices. 3 of the 4 IPs direct to one or more servers in the DMZ (DNAT); the 4th IP is used by subnets 2 and 3 to surf (SNAT). The three subnets should be totally separated.

I wrote the DNAT rules (in the PREROUTING chain of the nat table) for the DMZ (the servers have fixed local IPs), the SNAT rules for subnets 2 and 3 (in the POSTROUTING chain of the nat table, not DNAT because the machines in those subnets will get their IP by DHCP), and the FORWARD rules, but I'm too confused now to be able to write the INPUT filtering rules.

I'll post some of the rules I wrote for the forwarding and NAT-ing:

```bash
#
# 4.1.5 FORWARD chain
#
#
# HTTP server
#
# Forward TCP traffic on ports 80 and 8080 to the web server
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_WEB_IP \
    --dport 80 -j allowed
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_WEB_IP \
    --dport 8080 -j allowed
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_WEB_IP \
    -j icmp_packets

#
# LAN section
#
# Forwarding of LAN2 to the INET
$IPTABLES -A FORWARD -i $LAN2_IFACE -o $INET_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $LAN2_IFACE -m state \
    --state ESTABLISHED,RELATED -j ACCEPT

# Forwarding of LAN3 to the INET
$IPTABLES -A FORWARD -i $LAN3_IFACE -o $INET_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $LAN3_IFACE -m state \
    --state ESTABLISHED,RELATED -j ACCEPT

#
# 4.2.4 PREROUTING chain
#
#
# 4.2.4.1 HTTP
#
# HTTP on WEB_IP_1 redirected to the DMZ_WEB_IP: TCP on port 80 to port 80
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $WEB_IP_1 --dport 80 \
    -j DNAT --to-destination $DMZ_WEB_IP:80

# HTTP on WEB_IP_2 redirected to DMZ_WEB_IP: TCP on port 8080 to port 8080
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $WEB_IP_1 --dport 8080 \
    -j DNAT --to-destination $DMZ_WEB_IP:8080

# HTTP on WEB_IP_2 redirected to DMZ_WEB_IP: TCP on port 80 to port 80
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $WEB_IP_2 --dport 80 \
    -j DNAT --to-destination $DMZ_WEB_IP:80

#
# 4.2.5 POSTROUTING chain
#
# iptables does not accept -i in POSTROUTING (the input interface is not
# available at that hook), so match the source subnet instead.
# LAN2_NET and LAN3_NET are assumed variables holding each subnet in CIDR form.
# NAT for subnet 2
$IPTABLES -t nat -A POSTROUTING -s $LAN2_NET -o $INET_IFACE -j SNAT --to-source $SURF_IP

# NAT for subnet 3
$IPTABLES -t nat -A POSTROUTING -s $LAN3_NET -o $INET_IFACE -j SNAT --to-source $SURF_IP
```

My next task would be to write the INPUT filter rules. But I just don't know how I can figure out what traffic is meant for the web server, or what traffic is for one of the subnets. I'll try to write how I see it now; please correct me where I'm wrong:

- The IPs for the web traffic get changed in the PREROUTING chain, so I can't use WEB_IP_1 or WEB_IP_2 to filter out the traffic for the web server, because the NAT will happen before the filtering.

- The IPs for subnets 2 and 3 only change in the POSTROUTING chain, so I can filter them out by using '-d $SURF_IP'.

- The packets go through the (used) tables like this: PREROUTING - INPUT - FORWARD - OUTPUT - POSTROUTING

Please correct me if I'm wrong. A site with more information about how all tables and chains follow each other would be great too. Thanks!

----------

## pjp

There's an iptables tutorial ( http://iptables-tutorial.frozentux.net/iptables-tutorial.html ) that many recommend. It isn't a place to find quick solutions, but to take a while and really learn iptables.

----------

## ikke

*RealNitro wrote:*

> I read this (http://iptables-tutorial.frozentux.net/iptables-tutorial.html) tutorial, but it's still difficult for me to figure out how the packets flow through the different tables.

:Smile:

----------

## tutaepaki

Packets flow through iptables as follows...

PREROUTING(mangle) -> PREROUTING(nat) -> routing decision

then they go EITHER (based on the routing decision)

FORWARD(mangle) -> FORWARD(filter)

or

INPUT(mangle) -> INPUT(filter) -> local process -> OUTPUT(mangle) -> OUTPUT(nat) -> OUTPUT(filter)

POSTROUTING(mangle) -> POSTROUTING(nat)

----------

## RealNitro

*tutaepaki wrote:*

> Packets flow through iptables as follows...
> 
> PREROUTING(mangle) -> PREROUTING(nat) -> routing decision
> 
> then they go EITHER (based on the routing decision)
> ...

So, if I get this right, a NAT'ed packet never goes through the INPUT filter?

----------

## tutaepaki

A NAT'd packet will go through the INPUT filter if it is destined for the localhost (the one running iptables). But if the packet is being forwarded on, then no, it will never go through the INPUT filter.

----------

## RealNitro

*tutaepaki wrote:*

> A NAT'd packet will go through the INPUT filter if it is destined for the localhost (the one running iptables). But if the packet is being forwarded on, then no, it will never go through the INPUT filter.

Ok. So, traffic that gets prerouted (DNAT) has a destination IP that's not an IP of the router/firewall box, and passes through the FORWARD chain. But traffic that is postrouted (SNAT) still has an IP of the router/firewall as its destination IP at the routing decision point, so it passes through the INPUT (and OUTPUT) chain.

Correct?

----------

## tutaepaki

iptables is a stateful firewall, which means that traffic which has passed out through the POSTROUTING chain will be in the 'state table' when the return packets arrive with the firewall's address as the destination. The NAT will be undone prior to the routing decision.

So, no, packets related to one session will always flow through the same filter chain in both directions.
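To make the chain order from tutaepaki's replies concrete for RealNitro's ruleset, here is a small added model (not code from the thread) of the path a packet takes after PREROUTING: DNAT and conntrack reversal are applied first, then the routing decision sends it to INPUT or FORWARD. The addresses are constructed stand-ins for the thread's shell variables; real SNAT may also rewrite the source port, which this model ignores.

```python
# Toy model of the Netfilter path discussed in this thread: which filter
# chain (INPUT or FORWARD) a packet reaches after PREROUTING nat/conntrack.
# Added example; addresses are constructed, not the poster's real ones.

# Constructed addresses standing in for the thread's shell variables.
WEB_IP_1, WEB_IP_2, SURF_IP = "198.51.100.1", "198.51.100.2", "198.51.100.4"
DMZ_WEB_IP = "10.0.1.10"
FIREWALL_IPS = {WEB_IP_1, WEB_IP_2, "198.51.100.3", SURF_IP}

# PREROUTING nat rules from the thread: (dst, dport) -> (new dst, new dport)
DNAT_RULES = {
    (WEB_IP_1, 80): (DMZ_WEB_IP, 80),
    (WEB_IP_1, 8080): (DMZ_WEB_IP, 8080),
    (WEB_IP_2, 80): (DMZ_WEB_IP, 80),
}

# Conntrack entries created when LAN hosts went out via SNAT --to-source SURF_IP.
# Key: the reply tuple as seen from the internet (src, sport, dst, dport);
# value: the original LAN endpoint (ip, port) to restore on the reply.
CONNTRACK = {}

def lan_host_goes_out(lan_ip, lan_port, remote_ip, remote_port):
    """POSTROUTING SNAT: record the mapping so replies can be un-NATed.
    Returns the packet tuple as it leaves the external interface."""
    CONNTRACK[(remote_ip, remote_port, SURF_IP, lan_port)] = (lan_ip, lan_port)
    return (SURF_IP, lan_port, remote_ip, remote_port)

def prerouting(src, sport, dst, dport):
    """PREROUTING(nat): reverse SNAT for known replies, else apply DNAT rules."""
    if (src, sport, dst, dport) in CONNTRACK:        # reply to a SNAT'd session
        dst, dport = CONNTRACK[(src, sport, dst, dport)]
    elif (dst, dport) in DNAT_RULES:                  # inbound DNAT to the DMZ
        dst, dport = DNAT_RULES[(dst, dport)]
    return src, sport, dst, dport

def filter_chain(src, sport, dst, dport):
    """Routing decision after PREROUTING: a firewall-owned destination
    goes to INPUT, anything else to FORWARD. Returns (chain, dst, dport)."""
    src, sport, dst, dport = prerouting(src, sport, dst, dport)
    chain = "INPUT" if dst in FIREWALL_IPS else "FORWARD"
    return chain, dst, dport

if __name__ == "__main__":
    print(filter_chain("203.0.113.7", 40000, WEB_IP_1, 80))    # FORWARD to DMZ
    print(filter_chain("203.0.113.7", 40001, WEB_IP_1, 22))    # INPUT: no DNAT rule
    lan_host_goes_out("10.0.2.50", 51000, "203.0.113.9", 443)
    print(filter_chain("203.0.113.9", 443, SURF_IP, 51000))    # FORWARD, un-NATed
```

Ports on the public IPs that no DNAT rule covers (the second call) are exactly the traffic the INPUT rules see, which is where '-d $SURF_IP' style matching belongs.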

----------

