Weird entries in iptables and S-NAT not working

Hi there!

I am new to the ipfire community, have set up a miniPC with 4 interfaces (2 PCI Ethernet NICs and 2 USB NIC Adapters) and have started to play around with the thing.
Now for starters I do not want to do anything with green or orange interfaces other than allow my laptop on green to connect to the firewall by ssh and webGUI.
My first goal is to allow devices connected to my wifi access point to use the Internet. However, when I configured things like I thought they should work, nothing did.
When troubleshooting I found out that there were two weird entries in the iptables that did not make sense to me at all, one in the INPUT chain and one in the FORWARD chain - I will show them here with a leading line so you can see where they were added:

-A INPUT -j GUIINPUT
-A INPUT -m conntrack --ctstate NEW -j WIRELESSINPUT

-A FORWARD -j IPSECFORWARD
-A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD

As far as my knowledge of iptables goes, those entries were responsible for everything coming from the blue0 interface being dropped, and I also thought those entries were not necessary, as connection tracking is done in the CONNTRACK chain already.
Well, I just went ahead and deleted the two entries from iptables, which resulted in fewer log entries but still no connectivity for my wifi devices.
I searched on and at the end of the iptables configuration found the following line:

-A NAT_SOURCE -s 10.10.10.0/24 -m policy --dir out --pol none -j SNAT --to-source 0.0.0.0

While the 10.10.10.0/24 is the network I set up for my wifi, the “to-source 0.0.0.0” baffled me. Because I would have expected to see the address of the firewall red0 interface there. Well, short story: I changed the address to the red0 one and hey, suddenly my wifi devices are on the internet.

Now of course I am curious if anyone can give me an explanation. I am willing to provide full configuration data of course, but am not sure if just posting several hundred lines here would be sensible.

Best regards,
Loderunner

P.S.: And I would be thankful for a hint on how I can make my changes to the iptables permanent. I did the upgrade from Core 159 to Core 160 and voila - the weird entries returned …

Hi @loderunner

Welcome to the IPFire community.

When you were setting up the Blue interface, did you also set up the Blue Access page as per the wiki?
https://wiki.ipfire.org/configuration/firewall/accesstoblue

If you find things that don’t make sense I would recommend asking in the forum or, if the questions have a technical background, in the Development Mailing List, before considering deleting or modifying things in the iptables structural setup.

Yes, this will happen; some changes will also be replaced if you modify or save a WUI page.
I think you have asked this question in another post and it has been answered there.
https://community.ipfire.org/t/how-to-make-manual-iptables-changes-permanent/6424

1 Like

Hi @bonnietwin

Thanks for the friendly welcome and your answers to my posts. I will take into account your hints and links and will try once more to gain understanding what ipfire does in regard to the Blue interface, maybe I did not grasp the concept behind this special treatment for Wifi devices. It will take some time but I will be back here with more questions if I cannot figure out things on my own.

1 Like

There is no real 'special treatment' for blue0. It serves just as an access point, with (possible) restrictions on devices. If you want your blue0 network to work just like your green0, allow the whole blue0 net (10.10.10.0/24).

Special iptables rules (placed into firewall.local) are the responsibility of the admin (you). They cannot be checked for correctness or consistency.

Yay! Guys, I finally worked out all my issues. Took me a bit to recognize my mistakes.
Btw. there IS special treatment for blue0: devices in the blue zone need to be listed by MAC in the "blue access", which is when the two mysterious entries redirecting new connections into the WIRELESSINPUT and WIRELESSFORWARD chains began to make sense to me.
And the SNAT-trouble just went away as soon as I recognized that ipfire aims to be comfortable for people who do not want to care about NATting and MASQUERADing by themselves. I simply did not need to add that SNAT-feature to my rule as everything going out the RED interface will by default be MASQUERADEd …
So, at the moment no more unexplained issues, chugging along happily and looking forward to setting up the other systems and zones around my little “private datacenter in my basement” project. Moving rather slowly, though, due to work load and projects en masse to protect the unwitting customers from the bad bad ransomware guys.
Next on the menu: Making the ipfire redundant by clustering two machines … wish me luck …

Cheers,
Loderunner

2 Likes
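
The thread above surfaces two checks a practitioner would want to run against an iptables-save dump before touching IPFire's chains by hand: the SNAT rule whose `--to-source 0.0.0.0` could never translate (first post), and the advice that the blue network must actually be accepted in the WIRELESSFORWARD chain that NEW connections are diverted into, while traffic leaving red0 is already MASQUERADEd so a per-network SNAT is redundant (later replies). The script below is an added example, not IPFire's own code or anything posted in the thread. The two dumps are constructed to resemble the rules quoted above; the contents of the WIRELESS* chains and the `-o red0 -j MASQUERADE` line are assumptions for illustration, not copied from a real IPFire installation, and the check only looks for a rule whose source is exactly the network you pass in.

```shell
#!/bin/sh
# Added example: lint an iptables-save style dump for the problems
# discussed in this thread. Not IPFire code; rule bodies are constructed.

# Constructed dump that reproduces the thread's broken state. The
# WIRELESSFORWARD body and the MASQUERADE line are assumptions.
BAD_DUMP='*nat
-A NAT_SOURCE -s 10.10.10.0/24 -m policy --dir out --pol none -j SNAT --to-source 0.0.0.0
-A POSTROUTING -o red0 -j MASQUERADE
COMMIT
*filter
-A INPUT -m conntrack --ctstate NEW -j WIRELESSINPUT
-A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD
-A WIRELESSFORWARD -i blue0 -j DROP
COMMIT'

# Constructed dump after the fix the thread converged on: no hand-made SNAT
# (red0 masquerades anyway) and the whole blue net accepted in WIRELESSFORWARD.
GOOD_DUMP='*nat
-A POSTROUTING -o red0 -j MASQUERADE
COMMIT
*filter
-A INPUT -m conntrack --ctstate NEW -j WIRELESSINPUT
-A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD
-A WIRELESSFORWARD -s 10.10.10.0/24 -j ACCEPT
-A WIRELESSFORWARD -i blue0 -j DROP
COMMIT'

# lint_ipt_dump DUMP BLUE_NET
# Prints one line per finding and returns the number of findings
# (0 means the dump passed all three checks).
lint_ipt_dump() {
    dump="$1"
    net="$2"
    findings=0

    # 1. SNAT to the unspecified address can never produce a routable source.
    if printf '%s\n' "$dump" | grep -q -- '-j SNAT --to-source 0\.0\.0\.0'; then
        echo "SNAT --to-source 0.0.0.0: rule cannot translate; use the red0 address or drop the rule"
        findings=$((findings + 1))
    fi

    # 2. If red0 already masquerades, a separate SNAT for the same network is redundant.
    if printf '%s\n' "$dump" | grep -q -- '-o red0 -j MASQUERADE' \
       && printf '%s\n' "$dump" | grep -q -- "-s $net .*-j SNAT"; then
        echo "redundant SNAT for $net: traffic leaving red0 is already MASQUERADEd"
        findings=$((findings + 1))
    fi

    # 3. NEW connections are handed to WIRELESSFORWARD; without a non-DROP rule
    #    for the blue net there, blue clients never reach the Internet.
    if printf '%s\n' "$dump" | grep -q -- '-j WIRELESSFORWARD' \
       && ! printf '%s\n' "$dump" | grep -- '^-A WIRELESSFORWARD ' \
            | grep -- "-s $net" | grep -qv -- '-j DROP'; then
        echo "no accepting rule for $net in WIRELESSFORWARD: blue clients will be dropped"
        findings=$((findings + 1))
    fi

    return $findings
}

# Stand-alone demo: the broken dump yields three findings, the fixed one none.
lint_ipt_dump "$BAD_DUMP" 10.10.10.0/24 || echo "broken dump: $? finding(s)"
lint_ipt_dump "$GOOD_DUMP" 10.10.10.0/24 && echo "fixed dump: clean"
```

On a live box the dump would come from `iptables-save` instead of the constructed strings, e.g. `lint_ipt_dump "$(iptables-save)" 10.10.10.0/24`; the exit status makes it usable from a cron job or a pre-change checklist. Check 3 is deliberately conservative: IPFire's Blue Access page adds per-device entries, so a dump that is fine in practice may still be flagged if you pass the whole network but only individual hosts are listed.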