Home / server / Questions / 561539
Accepted
pgoetz
Asked: 2013-12-16 13:41:30 +0800 CST

IPtables NAT puzzler: Why is traffic from the firewall host being NATed even though it's not coming from one of the prescribed source addresses?

  • 772

I run a small network where a linux web/mail server also provides NAT for a collection of windows boxes. One of these windows machines is apparently misbehaving (ZeroAccess botnet even though I can't find any problems using Norton PowerEraser and have only been able to find 3 outgoing port 16465 packets in /var/syslog in weeks of logging). For some reason setting a firewall rule to drop all outgoing 16465 packets doesn't solve the problem, either, but that's an unrelated issue.

This issue is causing the mail server to be blacklisted with, for example, spamhaus.org. Since I can't find the infected windows host, I hit upon the idea of using IP aliasing to send the NAT traffic out through a different IP address.

External interface:

eth0:   216.82.212.230
eth0:1  72.48.103.182

Internal interface:

eth1:   172.18.90.1

In my firewall rules I then changed

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 216.82.212.230

to

iptables -t nat -A POSTROUTING -s 172.18.90.0/24 -o eth0 -j SNAT --to 72.48.103.182

The problem is now everything appears to be going out as 72.48.103.182, including traffic from the mail server. If I ssh from the firewall host to another external machine, the connection is identified as coming from 72.48.103.182.

This doesn't make sense to me as I'm specifically specifying the source IP's which are supposed to be NATed. Originally I tried the line above without "-s 172.18.90.0/24" and got exactly the same result.

Any thoughts on what is going on? I'm not an iptables expert by stretch of the imagination, but have made an effort to try and research this before posting to serverfault.

=======================

root@www:etc# ip ro
216.82.212.0/24 dev eth0  proto kernel  scope link  src 216.82.212.230
72.48.103.0/24 dev eth0  proto kernel  scope link  src 72.48.103.182
172.18.90.0/24 dev eth1  proto kernel  scope link  src 172.18.90.1
default via 216.82.212.254 dev eth0  src 72.48.103.182  metric 100
default via 216.82.212.254 dev eth0  metric 100
iptables

2 Answers

  1. Best Answer

    The "magic" part is not the SNAT rule or the NAT table altogether, it is this routing table entry:

    default via 216.82.212.254 dev eth0  src 72.48.103.182  metric 100

    it is telling your kernel to use 72.48.103.182 for outbound locally-initiated connections (as long as the socket is not explicitly bound to a specific address upon creation) if the destination is reachable via this route - which would be the case for all "external" destinations as this is your default route. You should redefine it as

    default via 216.82.212.254 dev eth0  src 216.82.212.230  metric 100

    to get the expected behavior.

    • 3

  2. Ok, so I as thought — your server just uses this IP as outogoing one. Actually you don't need 2 default routes at all and it's even misleading. You have to use only one:

    ip ro add default via 216.82.212.254

    Alias you're using doesn't need to have special default route entry, since more than likely it's being routed back by your ISP using the primary link (address) of your interface.

    • 2