Wednesday, May 11, 2011

Dangers of IPTables NAT with DHCP

For Archer, I have setup a small private LAN for all the core resources to share with a common out into the main network, which connects to the Internet. I use Linux's IPTables via masquerade for NAT or routing the packets from the private network into the Internet and DHCP to automatically assign IP addresses to the resources. Recently, I extended the router to support other hosts to use it to bridge into the local network, which may or may not be responsiblef or a whole host of other issues. The two primary issues were routing of bridged packets through IPTables and DHCP messages traversing the bridge, both request and replies from both sides.

The routing of bridged packets was particularly difficult to figure out. I had recently setup a web server, which had a public IP address and was bridged into the LAN. It was pingable and could ping other IP addresses within the LAN, but it couldn't ping the gateway. Furthermore, it was accessible from the Internet but could not initiate communication with the Internet. It was very strange behavior. I whipped out tcpdump and quickly noticed that packets it was sending out via the bridge were being picked up by IPtables masquerade and having their source address change. So that when the packet came back, it had no where to go. The resolution to this problem was pretty easy: add "-s ip_range/mask" to the masquerade iptables line. So this:
iptables -t nat -A POSTROUTING -o bridged -j MASQUERADE became
iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -o bridged -j MASQUERADE
where bridged is the network bridge into the LAN, i.e., a Linux bridge connecting eth0 to other devices wanting access to the LAN and 10.0.1.0/24 is the private address space. Now masquerade will only forward packets with the source address 10.0.1.0/24.

Perhaps, doing this opened up the other problem, which was that resources on the LAN were somehow getting DHCP requests to the private network. This never makes people happy and worst of all, those individuals were losing their Internet connectivity. This could be related to forwarding of broadcast Ethernet packets as well. The resolution for this was a bit easier, simply drop all DHCP packets that come across the NAT:
iptables -A FORWARD -p udp --dport 67 -i bridged -j DROP
iptables -A FORWARD -p udp --dport 67 -o nat -j DROP
In this case, packets coming from the bridged device (-i bridged) are those on the LAN looking for IPs. The packets coming from the nat device (-o nat) are those on the private network looking for IPs. These rules effectively prevent the retransmission of dhcp packets. The reality is, I probably should prevent the transmission of multicast / broadcast messages from crossing the NAT, since there exists no gateway for packets to get into the private network.

Anyway, this was a rather unfun discovery as I found NOWHERE online that discusses these two issues when configuring NATs. I hope this turns out to be useful for someone else out there.
Posted by David Wolinsky at 1:49 PM

10 comments:

  1. himel-sirajiMay 19, 2013 at 1:55 AM

    nice information...

    ReplyDelete
  2. Arnold DKOctober 25, 2021 at 10:34 PM

    great nice information for sharing these information with all of us.Kinemaster Gold

    ReplyDelete
  3. Thomas55November 25, 2021 at 1:57 AM

    Thank you very much for sharing the better idea about usage of dangers of iptables. I will for sure add this wrapper in my Dissertation Writing Services uk website.

    ReplyDelete
  4. Alexander JacobDecember 13, 2021 at 10:56 AM

    I am browsing this website daily and get good facts from here all the time. Aw, this was a really nice post. kenyan evisa, Obtaining a Kenyan visa is quite convenient for individuals who wish to travel to the country for tourism or business purposes.

    ReplyDelete
  5. Deniel AlexFebruary 14, 2022 at 10:15 PM

    Information that is useful and appealing. This blog is really rocking... Yes, I like the post very much. Do I need an e-Visa to go to India? Yes, foreign nationals need an e-visa to visit India. can apply for an e-Visa to go to India.

    ReplyDelete
  6. Sophia LucasMarch 9, 2022 at 10:47 PM

    It is a good site,Thank you.. Required documents for India E-Medical visa, you can check online required information for India E-Medical visa via Indian e visa website.

    ReplyDelete
  7. SophiaMay 25, 2022 at 2:48 AM

    You have written a fantastic post, I hope to read many more of your posts in the future. Travelers have a query about: how to apply for a visa to Turkey ? Now you can get a visa by 3 simple steps like filling an application form online, then making payment and receiving it in your email.

    ReplyDelete
  8. Elvin BraydenJune 23, 2022 at 6:08 AM

    Thanks for taking the time to talk about it; it's something I was very excited to know about. I just inform you that we provide IT storage solutions to various industries like:- education, automotive, finance services, health and insurance and many more. By the use of the latest technology for the clients of B2B & B2C both.

    ReplyDelete
  9. Angel17May 23, 2023 at 8:06 AM

    Awesome! What a beautiful post of the blog sharing the best info update that looks very amazing. Edmonton Massage Therapist

    ReplyDelete
  10. Edison hopeJuly 31, 2023 at 10:00 PM

    Wow.. Very informative article.. Travel and Entry to Turkey During Covid-19: Navigating the complexities of international travel amidst the pandemic can be daunting. Understanding Turkey's current entry requirements and safety protocols is crucial for a smooth and enjoyable journey to this beautiful destination.

    ReplyDelete

Subscribe to: Post Comments (Atom)