Linux Connection NAT Helper not Working

Some protocols need more than one TCP or UDP connection. For NAT to work the firewall needs to open additional ports to allow client server connection automatically. Examples are FTP (port 21 handshake, additional ports for data), PPTP (port 1723 for handshake, proto GRE 47 for payload)

Since Linux kernel (~) 4.7 these helpers are not bound automatically to iptables for security reasons. The idea is to implement iptables rules to activate connection helpers explicitly. Just loading the helper module is not enough.

To change this to the old behavior you can add this to your startup (for example /etc/rc.local)

# echo 1 > proc/sys/net/netfilter/nf_conntrack_helper

Source IP Address Based on User

If you want to use different source IP addresses based on the logged in user or running service on a Linux computer you can use these simple commands:

/sbin/ifconfig eth0:1 NEW-IP-ADDRESS netmask YOUR-NORMAL-NETMASK
/sbin/iptables -t nat -A POSTROUTING -m owner --uid-owner USERNAME -j SNAT --to-source NEW-IP-ADDRESS

You can use this if the source IP is necessary for remote firewall filter lists, or to separate IP traffic from services that don’t allow to configure the outgoing source IP.

Add these lines to /etc/rc.local to make it permanent.

Version: Should work on every Linux kernel of the last 10 years, tested on Linux 4.11.1

Sophos UTM BGP Announces 0 Prefixes

Problem: A simple bgp upstream configuration. A small AS with one IP prefix wants to connect to its upstream using BGP. The BGP peerings are up. Sophos receives the expected routes from its upstream, but the upstream router does not receive the expected single prefix.

Discussion: an outbound filter list is set to prevent sending other than the local prefix x/24. Therefor ae ip filter list is configured in the web gui and connected to the bgp neighbor settings as filter list out. The web gui should generate a quagga bgpd.conf from this and it should look like this:

router bgp 2222

neighbor remote-as 1111
neighbor prefix-list REF_BgpFilBgpfiltero_4 out

ip prefix-list REF_BgpFilBgpfiltero_4 seq 5 permit le 32
ip prefix-list REF_BgpFilBgpfiltero_4 seq 10 deny le 32

But looking into the actual config file in /var/sec/chroot-quagga/etc/quagga showed that the prefix list was missing. The backup config file bgpd.conf.sav showed the correct prefix list was there before. The only change in the meantime was that I removed an other (not used) “filter list in” in the gui. It seems there is a bug in Sophos UTM that the web gui removes all prefix lists from the config file, when you actually want to remove only one.

Workarround: configure a new fillter list and attach it to the neighbor config.

It’s very good that I actually could log into the Sophos box, because I would have never found this bug without ssh access.

Version: 9.408-4


PaloAlto Packet Loss of 1% and More

Problem: PaloAlto firewall is dropping packets in small bursts of some seconds, and sometimes it drops TCP connections. It only happens on HA clusters on interfaces in active/passive (fail over) mode.

Solution: disable the following check box in the Ethernet interface Advanced – LLDP settings: “Enable in HA Passive State”

Discussion: Palo Alto uses only one MAC address for both machines of an HA cluster. The passive box sends LLDP packets using this MAC address. The switch learns this MAC address and sends the traffic to the passive node until the active node sends new packets. The passive node should never send packets with the MAC address of the active node, and should have its own MAC address for LLDP and possibly other services.

Version: PaloAlto current version of Nov 2016, connected to a Cisco Catalyst 6500