Issue #3546

iptables nat connection not working

Added by Adrian Pelaez 2 months ago. Updated 23 days ago.

Status: Closed
Priority: Normal
Assignee: -
Category: configuration
Affected version: 5.9.0
Resolution: No change required

Description

Hello,

I have installed and configured a site-to-site connection successfully with strongSwan, but now I need to connect to a DB located inside that network and I can't reach it. I'll explain the scenario.

The DB's public IP is, for example: 1.1.1.1
The strongSwan server's public IP, from which I want to connect to the DB: 2.2.2.2
I need to present my server in the connection with the following IP in order to connect to the DB: 3.3.3.3
VPN server IP: 4.4.4.4
eth0 inet address: 5.5.5.5

So the strongSwan configuration is the following:

# conn name taken from the "ipsec statusall" output below
conn vpc-to-remode-node
        type=tunnel
        authby=secret
        left=%any
        leftid=2.2.2.2
        leftsubnet=3.3.3.3/29
        right=4.4.4.4
        rightid=4.4.4.4
        rightsubnet=1.1.1.1/32
        keyexchange=ikev1
        ike=aes256-sha1-modp1024!
        ikelifetime=7200s
        esp=aes256-sha1-modp1024!
        keylife=28800s
        auto=start
        rekey=yes
        keyingtries=%forever
        aggressive=no

After this, the connection comes up successfully:

Status of IKE charon daemon (strongSwan 5.6.2, Linux 5.3.0-1032-aws, x86_64):
  uptime: 5 seconds, since Aug 20 08:18:00 2020
  malloc: sbrk 1622016, mmap 0, used 584608, free 1037408
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Listening IP addresses:
  5.5.5.5
Connections:
vpc-to-remode-node:  %any...4.4.4.4  IKEv1
vpc-to-remode-node:   local:  [2.2.2.2] uses pre-shared key authentication
vpc-to-remode-node:   remote: [4.4.4.4] uses pre-shared key authentication
vpc-to-remode-node:   child:  3.3.3.3/29 === 1.1.1.1/32 TUNNEL
Security Associations (1 up, 0 connecting):
vpc-to-remode-node[1]: ESTABLISHED 5 seconds ago, 5.5.5.5[2.2.2.2]...4.4.4.4[4.4.4.4]
vpc-to-remode-node[1]: IKEv1 SPIs: c7d5fd4066b20e77_i* b92dfbd8134844de_r, pre-shared key reauthentication in 106 minutes
vpc-to-remode-node[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
vpc-to-remode-node{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c39281f2_i fabd8f71_o
vpc-to-remode-node{1}:  AES_CBC_256/HMAC_SHA1_96/MODP_1024, 0 bytes_i, 0 bytes_o, rekeying in 7 hours
vpc-to-remode-node{1}:   3.3.3.3/29 === 1.1.1.1/32

I try to NAT the IPs as follows, also logging the output, but the only filters that work are the MASQUERADE and OUTPUT DNAT filters, not the SNAT ones:

nat rules

Chain PREROUTING (policy ACCEPT 36 packets, 2106 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DNAT       tcp  --  eth0   *       5.5.5.5              1.1.1.1        to:1.1.1.1

Chain INPUT (policy ACCEPT 36 packets, 2106 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 SNAT       tcp  --  *      *       5.5.5.5              1.1.1.1        to:3.3.3.3

Chain OUTPUT (policy ACCEPT 21 packets, 2854 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1       37  2748 DNAT       all  --  *      *       5.5.5.5              1.1.1.1        to:3.3.3.3

Chain POSTROUTING (policy ACCEPT 1 packets, 72 bytes)
num   pkts bytes target      prot opt in     out     source               destination         
1        0     0 ACCEPT      all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec
2      198 27180 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
3        0     0 SNAT        all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            to:3.3.3.3
4        0     0 SNAT        all  --  *      eth0    5.5.5.5              0.0.0.0/0            to:3.3.3.3

raw rules

Chain PREROUTING (policy ACCEPT 9170 packets, 884K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 TRACE      all  --  *      *       0.0.0.0/0            1.1.1.1       

Chain OUTPUT (policy ACCEPT 7340 packets, 1398K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      299 23388 TRACE      all  --  *      *       0.0.0.0/0            1.1.1.1       
2        0     0 TRACE      all  --  *      *       0.0.0.0/0            3.3.3.3 

This is the output log I can see:

Aug 20 07:11:14 ip-5-5-5-5 kernel: [152684.712570] TRACE: raw:OUTPUT:policy:3 IN= OUT=eth0 SRC=5.5.5.5 DST=1.1.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=39653 DF PROTO=ICMP TYPE=8 CODE=0 ID=5979 SEQ=4 UID=0 GID=0 
Aug 20 07:11:14 ip-5-5-5-5 kernel: [152684.712583] TRACE: filter:OUTPUT:policy:2 IN= OUT=eth0 SRC=5.5.5.5 DST=3.3.3.3 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=39653 DF PROTO=ICMP TYPE=8 CODE=0 ID=5979 SEQ=4 UID=0 GID=0

As you can see, the dst is changing but not the source.
How can I manage to change the source IP?
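The thread ends without an iptables answer (the reporter rebuilt the instance instead, see the history below). As an added example that is not from the issue or from the strongSwan project, here is the rule set a practitioner would try to make the source rewrite work in place. Two things are wrong with the posted nat table: the OUTPUT DNAT rule rewrites the destination to 3.3.3.3 (that is exactly what the TRACE line shows), and the POSTROUTING SNAT rules sit behind the MASQUERADE rule, which is a terminating target, so they never get a packet. The source rewrite belongs in nat POSTROUTING, ahead of MASQUERADE; after an SNAT there the kernel redoes the xfrm lookup with the new source, so 3.3.3.3 -> 1.1.1.1 then matches the 3.3.3.3/29 === 1.1.1.1/32 policy and leaves inside ESP. The addresses are the placeholders used in the issue; the `ipt` wrapper and the `DRY_RUN` switch are this example's own.

```shell
#!/bin/sh
# Added example (not from the issue or strongSwan): rewrite the local source
# address to one inside leftsubnet *before* the packet is matched against the
# IPsec policy, so 5.5.5.5 -> 1.1.1.1 leaves as 3.3.3.3 -> 1.1.1.1 inside ESP.
# Addresses are the placeholders from the issue; the ipt wrapper and the
# DRY_RUN switch are this example's own.
set -eu

LOCAL_IP=5.5.5.5      # eth0 address: the real source of locally generated packets
TUNNEL_SRC=3.3.3.3    # address inside leftsubnet 3.3.3.3/29 that the peer expects
REMOTE_DB=1.1.1.1     # rightsubnet
WAN_IF=eth0

# With DRY_RUN=1 the rules are printed instead of applied, so the order can be
# reviewed without root (assumption: legacy iptables, as used in the issue).
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_nat_rules() {
    # Start from an empty nat table. The OUTPUT DNAT from the issue is what
    # rewrote the destination to 3.3.3.3; the PREROUTING and INPUT hooks only
    # see incoming packets, so those rules never touch outbound DB traffic.
    ipt -t nat -F OUTPUT
    ipt -t nat -F PREROUTING
    ipt -t nat -F INPUT
    ipt -t nat -F POSTROUTING

    # 1. SNAT first. NAT targets are terminating, so this has to precede
    #    MASQUERADE. After the rewrite the kernel repeats the xfrm lookup for
    #    the new source and the packet matches 3.3.3.3/29 === 1.1.1.1/32.
    ipt -t nat -A POSTROUTING -s "$LOCAL_IP" -d "$REMOTE_DB" \
        -j SNAT --to-source "$TUNNEL_SRC"

    # 2. Traffic that already has an outbound IPsec policy must not be
    #    masqueraded, or its source would be rewritten out of leftsubnet.
    ipt -t nat -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT

    # 3. Everything else going out eth0 keeps being masqueraded as before.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Usage:  DRY_RUN=1 sh nat-before-ipsec.sh apply   (review the rule order)
#         sh nat-before-ipsec.sh apply             (as root, apply it)
if [ "${1:-}" = apply ]; then
    apply_nat_rules
fi
```

3.3.3.3 does not have to be configured on the host for this to work: conntrack records the translation when the first packet leaves, and the replies, which arrive decapsulated with destination 3.3.3.3, are un-NATed back to 5.5.5.5 in PREROUTING before local delivery. To check the result, the SNAT rule's packet counter in `iptables -t nat -L POSTROUTING -v -n` should increase, `ipsec statusall` should show a non-zero `bytes_o` on the CHILD_SA, and `tcpdump -ni eth0 esp` should show ESP to 4.4.4.4 instead of the cleartext ICMP that the TRACE line reports.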

History

#1 Updated by Adrian Pelaez about 2 months ago

Solved the problem without iptables.

The server is part of AWS.
So I created a new image from the EC2 instance that I had, then created a new EC2 instance from that image, but associating this instance with a new network interface that had the primary private IP that I wanted. This network interface was inside the security group that I had, with the same inbound and outbound rules, and everything inside a new VPC with the IPv4 CIDR range of the IPs that I needed.

In summary, I just created the infrastructure again, setting the private IP that I needed for the server.

It is possible to keep the same public IP if you already had an Elastic IP defined; just disassociate it and associate it with the new instance.

#2 Updated by Tobias Brunner 23 days ago

  • Category set to configuration
  • Status changed from New to Closed
  • Resolution set to No change required
