Securifi Community Forum

Securifi Products => Almond+ => Topic started by: jtrott on January 23, 2015, 05:13:32 pm

Title: Port Forwards shouldn't masquerade
Post by: jtrott on January 23, 2015, 05:13:32 pm
I'm running R069 but this has been an issue from the first day.
I have several port forwards from the internet to internal hosts, I set these up in the GUI under the port forwarding section.
They work, the problem is that they masquerade the incoming traffic behind the LAN IP of the Almond+.
This causes issues for SMTP as the mail server can't see the original source IP of the connection, so can't apply blacklisting or other filtering rules properly.
The iptables rule that causes the problem is this one:

Chain zone_lan_nat (1 references)
target     prot opt source               destination         
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0           

The fix I have found is to insert the following rule:

Chain zone_lan_nat (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0

Can anyone tell me why incoming traffic is being masqueraded and if there is any good reason for this practice? Also, is there some way other than hacking the firewall scripts to turn this behaviour off?
Masquerading outgoing traffic is necessary and good, but not incoming traffic.

Thanks,
JT
Title: Re: Port Forwards shouldn't masquerade
Post by: j8048188 on January 25, 2015, 06:26:04 pm
This might fix my VPN server issues. I'll give it a try and report back.
Title: Re: Port Forwards shouldn't masquerade
Post by: j8048188 on January 25, 2015, 09:34:58 pm
Hey jtrott, how did you add in that rule?
Title: Re: Port Forwards shouldn't masquerade
Post by: jtrott on January 27, 2015, 06:26:06 am
I added the rule with the following command:

/usr/sbin/iptables -t nat -I zone_lan_nat -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT

You can see if it worked with the following command:

/usr/sbin/iptables -t nat -L -n

To try and make it permanent, I added the command into the /lib/firewa/core.sh file on the 54th line before the "}" of the "fw_start() { "  block.
I haven't had a chance to reboot and test the changes yet.
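As an added check (not something jtrott posted), the script below reads a `iptables -t nat -L -n` listing and reports whether the `zone_lan_nat` chain from the posts above has an ACCEPT rule ahead of MASQUERADE, i.e. whether port-forwarded connections will keep their original source address. The two listings embedded in it are constructed copies of the before/after output in the first post; on the router itself you would pipe the real listing into the function instead.

```sh
#!/bin/sh
# Added example, not from the forum thread. It only parses text, so it
# runs anywhere; the chain name zone_lan_nat is taken from the posted
# listings and the two SAMPLE_* blocks are constructed to mirror them.
# On the Almond+ you would run:
#   /usr/sbin/iptables -t nat -L zone_lan_nat -n | lan_nat_check

SAMPLE_BAD='Chain zone_lan_nat (1 references)
target     prot opt source               destination
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0'

SAMPLE_FIXED='Chain zone_lan_nat (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0'

# lan_nat_check: reads a nat-table listing on stdin and prints one word:
#   ok           - an ACCEPT rule is hit before any MASQUERADE (or there is
#                  no MASQUERADE at all), so source addresses are preserved
#   masquerading - MASQUERADE is the first terminating rule, so forwarded
#                  traffic is rewritten to the router's LAN address
#   nochain      - the listing contains no zone_lan_nat chain
# Exit status is 0 only for "ok", so it can be used in an if/|| test.
lan_nat_check() {
    awk '
        # A "Chain <name> ..." header starts a new chain; track whether
        # we are inside zone_lan_nat and whether we ever saw it.
        /^Chain / { inchain = ($2 == "zone_lan_nat"); if (inchain) found = 1; next }
        # Column header line printed by iptables -L
        /^target/ { next }
        # Ignore lines outside our chain, and stop at the first verdict:
        # in the nat table ACCEPT ends NAT processing for the packet.
        !inchain || verdict { next }
        $1 == "ACCEPT"     { verdict = "ok" }
        $1 == "MASQUERADE" { verdict = "masquerading" }
        END {
            if (!found) verdict = "nochain"
            else if (!verdict) verdict = "ok"
            print verdict
            exit ((verdict == "ok") ? 0 : 1)
        }'
}

# Demonstration on the constructed listings.
verdict=$(printf '%s\n' "$SAMPLE_BAD" | lan_nat_check) || true
echo "original chain:    $verdict"    # masquerading
verdict=$(printf '%s\n' "$SAMPLE_FIXED" | lan_nat_check) || true
echo "with ACCEPT first: $verdict"    # ok
```

Because the inserted ACCEPT matches every source and destination, it stops source rewriting for all traffic leaving the LAN interface, not just the SMTP forward. That includes the hairpin case where a LAN client connects to the forwarded service through the router's WAN address: without SNAT the server replies to the client directly and the connection fails. That is the same trade-off as disabling NAT Reflection for the rule, which jtrott describes in the later post.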
Title: Re: Port Forwards shouldn't masquerade
Post by: jtrott on February 08, 2015, 01:46:54 pm
A better fix is probably to switch to the OpenWRT interface, edit the port forward rule and turn off NAT Reflection.
That also fixes the problem and doesn't require hacking any firewall rules files manually.
Title: Re: Port Forwards shouldn't masquerade
Post by: jtrott on February 13, 2015, 05:29:11 pm
Except, after upgrading to R70, the problem is back - and I still have the Enable NAT Loopback option disabled in OpenWRT.