Weird iptables NAT
Posted by prox, from Charlotte, on February 10, 2008 at 12:54 local (server) time

Most cable modems use 192.168.100.1 as a management interface, accessible from the Ethernet interface.  I typically block all RFC1918 traffic in and out of my network, so, without creating an exception, I wouldn't be able to access said IP.  So I sort of got a 1:1 NAT working for it.

First, I created an additional loopback IP on the box closest to the cable modem:

% ifconfig lo:1
lo:1      Link encap:Local Loopback  
          inet addr:10.3.4.29  Mask:255.255.255.255
          UP LOOPBACK RUNNING  MTU:16436  Metric:1

So my whole network could route to it, I advertised it into OSPF (soon to be BGP) with Quagga's ospfd:

router ospf
 ospf router-id 10.3.4.3
 network 10.3.4.29/32 area 0.0.0.0
[...]

Then, I added two iptables rules:

IPTABLES="/sbin/iptables"
$IPTABLES -t nat -A PREROUTING -d 10.3.4.29 -j DNAT --to-destination 192.168.100.1
$IPTABLES -t nat -A POSTROUTING -j MASQUERADE -d 192.168.100.1

This takes all transit connections destined to 10.3.4.29, changes the destination address on the way in to 192.168.100.1, then applies source NAT on the way out, so the cable modem sees all connections coming from the ISP-assigned address.

It works, but there are two oddities I haven't been able to fix/explain:

  1. The TTL is not updated during transit through the box where the NAT is being done.  This makes it look, from a traceroute, like the loopback address is really on the Linux box, and not on something behind it.  Other firewall implementations (Cisco PIX, Juniper NetScreen/ISG/SSG) modify the TTL, and optionally mask the intermediate hops toward the host that is the destination NAT target.
  2. The NAT rules are not applied to local connections.  If I telnet to port 80 on 10.3.4.29 from another box on my network, I get the web interface of the cable modem.  However, if I telnet to 10.3.4.29 from the router, I get a RST since there is no web server running locally.

I'm pretty sure I saw some "NAT of local connections" in the Linux kernel a while back, but I can't seem to find it, now.  Weird.  Anyhow, I can still monitor traffic on the cable modem's various interfaces.  Neat.
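As an added example (this is not the post's own script), the same 1:1 NAT written as a re-runnable shell script. Beyond the two rules above it adds a DNAT rule in the nat table's OUTPUT chain, because packets generated on the router itself never traverse PREROUTING, which is what leaves local connections to 10.3.4.29 untranslated in the second oddity; it also inserts a FORWARD accept limited to the translated TCP/80 flow. The addresses are the post's; the DRY_RUN variable, the iptables path and the FORWARD rule are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the script from the post: the 1:1 NAT for the cable
# modem's management address, written so it can be re-run safely.
# Assumptions (not from the post): the same addresses as the post, iptables
# at /sbin/iptables, and one knob: DRY_RUN=1 (the default) only prints the
# commands, DRY_RUN=0 executes them (needs root).
set -u

LOOP_IP=${LOOP_IP:-10.3.4.29}        # routed loopback address advertised via OSPF
MODEM_IP=${MODEM_IP:-192.168.100.1}  # cable modem management interface
IPTABLES=${IPTABLES:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}

# Execute an iptables command, or print it when dry-running.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# ensure_rule TABLE CHAIN (-A|-I) RULE...
# Adds the rule only if an identical one is not already present (iptables -C),
# so running the script twice does not duplicate rules.
ensure_rule() {
    table=$1; chain=$2; action=$3; shift 3
    if [ "$DRY_RUN" = 1 ] || ! "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        ipt -t "$table" "$action" "$chain" "$@"
    fi
}

nat_rules() {
    # Transit packets: rewrite the destination before the routing decision.
    ensure_rule nat PREROUTING -A -d "$LOOP_IP" -j DNAT --to-destination "$MODEM_IP"
    # Packets generated on the router itself never pass PREROUTING; they go
    # through the nat OUTPUT chain instead, which is why the two rules in the
    # post leave connections made from the router untranslated.
    ensure_rule nat OUTPUT -A -d "$LOOP_IP" -j DNAT --to-destination "$MODEM_IP"
    # Source NAT on the way out, so the modem only ever sees the router's address.
    ensure_rule nat POSTROUTING -A -d "$MODEM_IP" -j MASQUERADE
    # Let only the translated HTTP flow through FORWARD, inserted at the top so
    # it precedes a blanket RFC1918 drop; anything else toward the modem stays blocked.
    ensure_rule filter FORWARD -I -d "$MODEM_IP" -p tcp --dport 80 \
        -m conntrack --ctstate DNAT -j ACCEPT
}

nat_rules
```

Run it as-is to preview the four commands, and with `DRY_RUN=0` as root to apply them; the `-C` check keeps a second run from appending duplicates.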
