Ticket #4713 (closed defect: duplicate)
Bad default firewall POSTROUTING rule for NAT on interfaces with aliases

| Reported by: | piotrek.zurek@… | Owned by: | jamor@… |
|---|---|---|---|
| Milestone: | 3.0 | Component: | firewall |
| Severity: | major | Keywords: | |
| Cc: | | | |
Description
When enabling the firewall module, all outgoing traffic is wrongly sourced.
My configuration is:
eth0 physical LAN interface with IP 192.168.144.14 and no defined gateway
eth0:virt1 with external IP 193.106.145.6 with gateway 193.106.245.1
eth0:virt2 with external IP 194.88.158.196 with gateway 194.88.158.193
Everything (routing, static routing, balancing, multigateway) works all right until I turn on the firewall module, which puts this rule into the POSTROUTING table:
SNAT all -- * eth0 !192.168.144.14 0.0.0.0/0 to:192.168.144.14
which prevents me from getting any answer from my default routers on
193.106.245.1 and 194.88.158.193.
If I had a default gateway defined on the physical interface's subnet I might not have spotted this until trying to ping through static routes.
When this rule is deleted, everything seems to work nicely.
I'm using Ubuntu 12.04 and the PPA for it, version 2.3.7 of the firewall module with the hotfix for #4705 (thanks for pointing me to it yesterday - the fix works OK).
Change History
comment:1 Changed 10 months ago by jamor@…
- Status changed from new to accepted
- Summary changed from Bad default firewall POSTROUTING rule. to Bad default firewall POSTROUTING rule for itnerfaces with alias
comment:2 Changed 9 months ago by jamor@…
- Status changed from accepted to closed
- Resolution set to fixed
Since netfilter only knows about physical devices, we have changed the redirects tables to reflect this. Now there are no entries for virtual interfaces, and the entry for the physical interface indicates all its vifaces.
This will be released in the next version of zentyal-firewall.
comment:3 Changed 8 months ago by piotrek.zurek@…
- Status changed from closed to reopened
- Resolution fixed deleted
- Summary changed from Bad default firewall POSTROUTING rule for itnerfaces with alias to Bad default firewall POSTROUTING rule for NAT on itnerfaces with aliases
OK, I now have a new version of zentyal-firewall. Next problem with these default settings. I didn't change the config, so it is the same as in the first ticket (eth0:192.168.144.14, eth0:virt1, and eth0:virt2 with WAN addresses). If I don't want (and I don't) to assign the eth0 interface as the default for NATing, because I have two gateways on virtual interfaces, I don't get NAT at all, and if I check the NAT option on the main interface eth0, then the iptables rule SNATs everything to 192.168.144.14. What am I supposed to do if I want to NAT on any available gateway (i.e. MASQUERADE, or choosing the SNAT address for some ports/services/addresses manually)?
comment:4 Changed 8 months ago by jamor@…
- Status changed from reopened to closed
- Resolution set to duplicate
Hello Piotrek Zurek,
As for making distinct rules for each of the virtual interfaces, it is impossible because netfilter (the Linux firewall) does not discriminate between virtual interfaces; it sees only the 'real' interface.
Maybe you could switch your eth0 configuration to trunk and use VLANs? This way you could specify a different firewall configuration for each VLAN. To change to trunk see http://doc.zentyal.org/en/firststeps.html#network-configuration-with-zentyal
However, this is now a configuration issue, so it is out of the scope of the trac. You could ask questions about VLAN configuration in the forum.
Regards,
Javier
Thanks for your report, Piotrek Zurek.
This problem is due to the alias interfaces also matching their unaliased interface in iptables rules. We will fix this.
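The following is an added example and not Zentyal's own code: a small Python audit that detects the rule pattern from the ticket description (an SNAT rule on a physical interface that rewrites everything leaving it, including packets the router itself sends from its alias addresses) and reflects the point made in comment:4, that netfilter only sees the real device, so a `-o eth0` match covers eth0:virt1 and eth0:virt2 as well. The sample `iptables -t nat -S POSTROUTING` and `ip -4 -o addr` outputs are constructed from the addresses in the ticket; the prefix lengths and the second device eth1 are assumptions, and `narrowed_rule` is a hypothetical helper that limits translation to a LAN source range so the router's own alias-sourced traffic keeps its source address.

```python
import ipaddress
import re

# Constructed sample of `iptables -t nat -S POSTROUTING`; the SNAT rule is the
# one quoted in the ticket, the MASQUERADE rule on eth1 is an assumption.
IPTABLES_SAVE = """\
-P POSTROUTING ACCEPT
-A POSTROUTING ! -s 192.168.144.14/32 -o eth0 -j SNAT --to-source 192.168.144.14
-A POSTROUTING -s 10.0.0.0/24 -o eth1 -j MASQUERADE
"""

# Constructed sample of `ip -4 -o addr`; prefix lengths are assumed since the
# ticket only gives the addresses and the alias labels.
IP_ADDR = """\
2: eth0    inet 192.168.144.14/24 brd 192.168.144.255 scope global eth0
2: eth0    inet 193.106.145.6/29 brd 193.106.145.7 scope global eth0:virt1
2: eth0    inet 194.88.158.196/29 brd 194.88.158.199 scope global eth0:virt2
3: eth1    inet 10.0.0.1/24 brd 10.0.0.255 scope global eth1
"""

# device name, address (without prefix), and the trailing label (alias name)
ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\S+)/\d+\s.*\s(\S+)$")


def parse_addrs(text):
    """Map each physical device to the addresses it carries and their labels."""
    devices = {}
    for line in text.splitlines():
        m = ADDR_RE.match(line.strip())
        if m:
            dev, addr, label = m.groups()
            devices.setdefault(dev, []).append({"addr": addr, "label": label})
    return devices


def parse_snat_rules(text):
    """Extract SNAT rules: out interface, translation target, source matches."""
    rules = []
    for line in text.splitlines():
        to = re.search(r"-j SNAT --to-source (\S+)", line)
        if not to:
            continue
        out_if = re.search(r"-o (\S+)", line)
        neg_src = re.search(r"! -s (\S+)", line)
        pos_src = re.search(r"(?<!! )-s (\S+)", line)  # a positive -s match only
        rules.append({
            "text": line,
            "out_if": out_if.group(1) if out_if else None,
            "to_source": to.group(1),
            "neg_src": neg_src.group(1) if neg_src else None,
            "src": pos_src.group(1) if pos_src else None,
        })
    return rules


def find_overbroad_snat(rules, devices):
    """Flag SNAT rules on a multi-address device that are not limited to a
    source range: netfilter matches alias traffic on the real device, so such
    a rule also rewrites packets sent from the other addresses."""
    findings = []
    for rule in rules:
        carried = devices.get(rule["out_if"], [])
        if len(carried) < 2 or rule["src"]:
            continue  # single-address device, or already limited by a positive -s
        excluded = rule["neg_src"].split("/")[0] if rule["neg_src"] else None
        affected = [a for a in carried
                    if a["addr"] != rule["to_source"] and a["addr"] != excluded]
        if affected:
            findings.append({"rule": rule, "affected": affected})
    return findings


def narrowed_rule(finding, lan_cidr):
    """Hypothetical remediation: translate only packets from the LAN range, so
    traffic the router sends from its alias addresses keeps its source."""
    rule = finding["rule"]
    net = ipaddress.ip_network(lan_cidr)
    return (f"-A POSTROUTING -s {net} -o {rule['out_if']} "
            f"-j SNAT --to-source {rule['to_source']}")


def report(findings, lan_cidr):
    """Human-readable audit lines for each finding."""
    lines = []
    for f in findings:
        labels = ", ".join(a["label"] for a in f["affected"])
        lines.append(f"overbroad: {f['rule']['text']}")
        lines.append(f"  also rewrites traffic sourced from: {labels}")
        lines.append(f"  suggested: {narrowed_rule(f, lan_cidr)}")
    return lines


if __name__ == "__main__":
    found = find_overbroad_snat(parse_snat_rules(IPTABLES_SAVE), parse_addrs(IP_ADDR))
    print("\n".join(report(found, "192.168.144.0/24")))
```

On a live box the two constants would be replaced by the output of the two commands named above. The narrowed rule removes the symptom reported here (the router's own replies to its gateways being rewritten); it does not by itself choose a routable translation address for LAN clients, which is the separate question raised in comment:3.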