NAT network and firewall - conntrack zone

[someone755]

Hello all!

I'm building a one node testing lab and configured my server to have virtual network as I'm limited to one public IP. I managed to successfully configure everything around networking, thanks to some help of already opened threads here on forum, but I'm not able to decipher one of the iptables rules which I used to make NAT firewall working. I'm talking about the rule which goes into the raw table and affects all fwbr interfaces:

iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1

This is my network interfaces config, so that you get an idea what I'm talking about:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address PUBLIC_IP
        netmask NETMASK
        gateway GATEWAY

auto vmbr0
iface vmbr0 inet static
        address 172.17.0.1
        netmask 255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0

        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '172.17.0.0/24' -o eth0 -j MASQUERADE
        post-up   iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
        post-down iptables -t nat -D POSTROUTING -s '172.17.0.0/24' -o eth0 -j MASQUERADE
        post-up   iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1

As far as I came across this issue after reading a bunch of forums, documentation and looking some YT videos, this rule moves packet into a different zone in conntrack table. I also read this is needed in case there are same networks used on more interfaces so this is the fix to differ between connections on these interfaces. The main thing that bothers me here is zone. I don't understand why it's marked as 1 (but if I'm correct 0 is default one) everywhere I found this rule - but it was more or less discussed only among Proxmox community members.

After checking out interfaces with ip a command, I stumbled on different interfaces which are made for VMs/based on their IDs. For example the fwbr interface which is targeted by rule doesn't have any IP there, so no match there for me with what I read about same networks on different interfaces. This was also the last thing I tried to figure out on how those things are composed together.

I also read about marking (--set-mark) in context of conntrack - the mark is also mentioned in docs for CT as a possible option along an zone ID. How are those two things connected and why can't we use marking in mangle table instead of CT + zone in raw table?

I understand this question is not appropriate at all for what it should probably be discussed here, but I'd like to understand what is going on behind the scenes before I start using this anywhere else then in a test environment. Thanks in advance for any help!

 

[someone755]

Hi!

Does anyone know anything about this topic or if could just leave some links to the resources to check out for understanding what is going on behind the commands/configs written above?

Thanks in advance!

 

[Temtaime]

Same question after years. Still no one knows ?
Maybe at least someone from stuff can say that this rule is safe to use? I badly need built-in firewall with NATed CT

 

[spirit]

maybe look at:
https://lwn.net/Articles/370152/

you need the conntrack zone if you need nat, because without it, the packet will never reach the POSTROUTING chain.

To simplify: the packet will be open connection in conntrack when going the vm fwbr firewall. As it's already in conntrack, the nat rule will not be look. Using a different conntrack zone for the nat rule, will force the use another entry in conntrack table.

(value can be =1 or another value, it's just need to be different than 0)