HiLTastic

Reputation: 1

iptables FORWARD chain set to DROP, rules for tagged traffic don't forward packets from one interface to another

I already searched everywhere, also on stackoverflow, but didn't find an answer. I tried a lot and haven't seen anything like this before.

**Host01:** Has two functions:

  1. Act as a docker host (https://docs.docker.com/network/iptables/#docker-on-a-router)
  2. IP-Forwarding (iptables) traffic between eth_net_0/vlan100@eth_net_0 <-> eth_inet_1/eth_inet_2

Runs: Ubuntu 20.04 (5.4.0-135-generic)

Host01 should forward traffic:

```
eth_net_0         <-> eth_inet_1
vlan100@eth_net_0 <-> eth_inet_2
```

In case both eth_inet_1/_2 are connected to internet eth_inet_1 will be chosen because of higher metric for default route in routing table.

```
xxxxxxxxxxxxxx            xxxxxxxxxxxxxx
x            x            x            x
x DSL-Router x            x LTE-Router x <-- (192.168.0.1/24)
x            x            x            x
xxxxxxxxxxxxxx            xxxxxxxxxxxxxx
       |                         |
       |                         |
       |                         | <-- (192.168.0.0/24)
       |                         |
       |                         |
  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  x   (NAT)                  (NAT)      x
  x eth_inet_1            eth_inet_2    x <-- (static: 192.168.0.100)
  x (DHCP)                              x
  x                                     x
  x       Router/Docker Host            x
  x            (Host01)                 x
  x                                     x
  x eth_net_0         vlan100@eth_net_0 x
  x                                     x
  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                     |
                     | <-- (Tagged & Untagged Traffic)
                     | Host01
                     |   -> eth_net_0:         10.0.0.1
                     |   -> vlan100@eth_net_0: 10.100.0.1
                     |
         xxxxxxxxxxxxxxxxxxxxxxxxxx
         x                        x
         x  Switch                x
         x Portbased VLAN         x
         xxxxxxxxxxxxxxxxxxxxxxxxxx
             |                 |
 VLAN100     |                 | <-- VLAN1
 untagged--> |                 |     untagged (native VLAN)
             |                 |
      xxxxxxxxxxxxxx         xxxxxxxxxxxxxx
      x            x         x            x
      x PC01       x         x PC02       x
      x            x         x            x
      xxxxxxxxxxxxxx         xxxxxxxxxxxxxx

      PC01:                  PC02:
      10.100.0.50/24         10.0.0.50/24
```

Note: the default interface names get renamed by netplan at startup, which matches the NICs' MAC addresses to configure and rename the interfaces.

What I did so far:

1. Enable ip_forwarding (yes, I also edited /etc/sysctl.conf and uncommented "#net.ipv4.ip_forward=1" to make the change persistent):

```
milkreis@host01:~$ cat /proc/sys/net/ipv4/ip_forward
1
```

2. Enable NAT (MASQUERADE lives in the nat table, so the POSTROUTING chain must be addressed with -t nat):

```
iptables -t nat -A POSTROUTING -o eth_inet_1 -m comment --comment "Allow Masquerading" -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth_inet_2 -m comment --comment "Allow Masquerading" -j MASQUERADE
```

3. Define iptables rules:

```
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-001 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-001 -j DOCKER
-A FORWARD -i br-001 ! -o br-001 -j ACCEPT
-A FORWARD -i br-001 -o br-001 -j ACCEPT
...
-A DOCKER -d 172.16.0.2/32 ! -i br-001 -o br-001 -p tcp -m tcp --dport 51000 -j ACCEPT
...
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-001 ! -o br-001 -j DOCKER-ISOLATION-STAGE-2
...
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-001 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
...
-A DOCKER-USER -i eth_inet_1 -o eth_net_0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -i eth_net_0 -o eth_inet_1 -m state --state NEW -j ACCEPT
...
-A DOCKER-USER -i eth_inet_1 -o eth_net_0.100 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -i eth_net_0.100 -o eth_inet_1 -m state --state NEW -j ACCEPT
...
-A DOCKER-USER -i eth_inet_2 -o eth_net_0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -i eth_net_0 -o eth_inet_2 -m state --state NEW -j ACCEPT
...
-A DOCKER-USER -i eth_inet_2 -o eth_net_0.100 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -i eth_net_0.100 -o eth_inet_2 -m state --state NEW -j ACCEPT
...
-A DOCKER-USER -j RETURN
```

The DOCKER rules have been set automatically by docker. I followed the advice to put my forward rules under the DOCKER-USER chain in order to get them forwarded.

As long as "-P FORWARD ACCEPT" is set, forwarding works as expected. As soon as the docker daemon is loaded it sets "-P FORWARD DROP". Now the strange behavior kicks in.

Traffic from PC02 traversing from eth_net_0 to any of the eth_inet_1/2 interfaces gets forwarded by host01 with no problem. Ping from PC02 -> 192.168.0.1 (LTE-Router) is OK.

Traffic from PC01 traversing from vlan100@eth_net_0 to any of the eth_inet_1/2 interfaces will NOT get forwarded by host01. Ping from PC01 -> 192.168.0.1 (LTE-Router) is NOT OK.

I also tried it with just eth_inet_2 connected, but with no success. With Wireshark running on PC01 I can see the ping requests being sent. On eth_net_0 with "tcpdump -i eth_net_0 icmp" I can see the inbound requests, but on eth_inet_2 I don't see any.

When defining the iptables rules I found out that interface names are allowed to have a maximum length of 15 bytes (+ 1 byte for '\0'). That's why:

"-A DOCKER-USER -i vlan100@eth_net_0 -o eth_inet_2 -m state --state NEW -j ACCEPT" will throw an error. So changing vlan100@eth_net_0 -> eth_net_0.100 fixes that.

Any idea what I am missing?

Upvotes: -1

Views: 582

Answers (1)

HiLTastic

Reputation: 1

I solved it. With netplan, I rename interfaces based on their MAC addresses. But for VLANs (virtual interfaces) the interface name is just the name of the virtual interface, such as vlan100 instead of eth_net_0.100. The interfaces and directly connected networks can be seen when typing "route -n".

Upvotes: 0
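To tie the two findings together (the 15-character interface name limit from the question and the real VLAN interface name from the answer), here is an added example script that is not part of the original question or answer. It derives the kernel name from the `name@parent` form that `ip link` prints, rejects names that cannot be valid, and prints the DOCKER-USER rules for one LAN-side and one WAN-side interface instead of applying them. Interface names are taken from the thread; the script also accepts NEW,RELATED,ESTABLISHED in the LAN->WAN direction, because with a FORWARD policy of DROP a NEW-only rule matches only the first packet of a flow.

```shell
#!/bin/sh
# Added example, not code from the original post: generate the DOCKER-USER
# forwarding rules for one LAN-side and one WAN-side interface, after checking
# that each name fits the kernel's IFNAMSIZ limit (16 bytes including the
# trailing NUL, so at most 15 characters). Nothing is applied; the script only
# prints the iptables commands for review.

IFNAME_MAX=15

# iplink_name 'vlan100@eth_net_0' -> vlan100
# `ip link` shows a VLAN as <name>@<parent>; only <name> exists in the kernel
# and only <name> is accepted by iptables -i/-o.
iplink_name() {
    printf '%s\n' "${1%%@*}"
}

# valid_ifname NAME -> 0 if NAME could be a kernel interface name:
# non-empty, at most 15 characters, no '/', ':' or space.
valid_ifname() {
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le "$IFNAME_MAX" ] || return 1
    case $name in */* | *:* | *' '*) return 1 ;; esac
    return 0
}

# forward_rules LAN WAN -> prints the two rules needed under a FORWARD policy
# of DROP. LAN->WAN accepts NEW as well as RELATED,ESTABLISHED: once a reply
# has been seen, every further packet of that flow is ESTABLISHED and a
# NEW-only rule would let it fall through to the DROP policy. Rules are
# inserted (-I) so they sit above the RETURN docker appends to DOCKER-USER.
forward_rules() {
    lan=$1; wan=$2
    valid_ifname "$lan" || { echo "invalid interface name: $lan" >&2; return 1; }
    valid_ifname "$wan" || { echo "invalid interface name: $wan" >&2; return 1; }
    printf 'iptables -I DOCKER-USER -i %s -o %s -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n' "$wan" "$lan"
    printf 'iptables -I DOCKER-USER -i %s -o %s -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT\n' "$lan" "$wan"
}

# Example run: the VLAN interface under the name netplan gave it, towards the
# LTE uplink from the question.
forward_rules "$(iplink_name 'vlan100@eth_net_0')" eth_inet_2
```

Compare the printed rules against `iptables -S DOCKER-USER` and `ip -o link show type vlan` on the host before applying anything.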
