On Mon, Mar 31, 2008 at 07:56:31PM -0700, chindea mihai wrote:
> I'm trying to give internet access to a subnet. On my Debian Etch pc, I tried to configure NAT on IPtables, but I can't get it working.
> I used rules, with packet filtering, and after without it, but it's not working. The most simple rules I've been using are:
>
> #!/bin/sh
> IPTABLES='/sbin/iptables'
> EXTIF='eth1'
> INTIF='eth2'
> # enable ip forwarding in the kernel
> /bin/echo 1 > /proc/sys/net/ipv4/ip_forward
>
> # flush rules and delete chains
> $IPTABLES -F
> $IPTABLES -X
> $IPTABLES -t nat --flush
> $IPTABLES -t nat --delete-chain
>
> #Enable masquerading to allow LAN internet access
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
>
> #Forward LAN traffic from LAN $INTIF to Internet $EXTIF
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT
>
> And it's just not working, the rules above should forward all packets without any filtering from subnet eth2, to eth1 which has a static IP provided by my ISP. That type of masquerade, as far as I read, is for dynamically allocated IPs, but I tried something like this:
> $IPTABLES -t nat -A POSTROUTING -s 192.168.5.0/24 -o eth1 -j SNAT --to xx.xx.xx.xxx, and it's still not working.

why not try something like this

iptables -I FORWARD --match state --state ESTABLISHED,RELATED --jump ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF --jump ACCEPT
iptables -t nat -A POSTROUTING -s <place your internal subnet here> -o $EXTIF -j MASQUERADE

try pinging from the firewall. Then try pinging from a client machine, whilst doing a tcpdump on the firewall.

on the internal int try
tcpdump -pni <intf> icmp

then on the external interface
tcpdump -pni <eint> icmp

you should be able to watch the packets at each of the stages

Alex

> > Now if I do something like this, on a pc in the subnet;
> > C:\ ping yahoo.com
> > Request timed out.
> >
> > I'm obviously doing something wrong, but I just can't figure it out.
> > Any help would be appreciated.
> >
> > Mihai Chindea

--
"It's your money. You paid for it." - George W. Bush 10/18/2000 LaCrosse, WI
Attachment:
signature.asc
Description: Digital signature
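As an added example (not code from either poster), the rule set Alex suggests, written as a script that refuses to run with the `<place your internal subnet here>` placeholder still in it and that sets a default-drop FORWARD policy so only LAN-to-Internet and reply traffic crosses the box. The interface names and the 192.168.5.0/24 subnet are assumed from the thread; DRY_RUN=1 prints the commands instead of applying them.

```shell
#!/bin/sh
# Emit (DRY_RUN=1) or apply a minimal NAT/forwarding rule set for a LAN
# behind a Debian box. Assumed: eth2 is the LAN side, eth1 the ISP side.
IPTABLES='/sbin/iptables'

# Return 0 if $1 is a dotted-quad IPv4 CIDR (a.b.c.d/n, 0 <= n <= 32),
# else 1. Catches the subnet placeholder being left in the rule.
validate_cidr() {
    case "$1" in
        *[!0-9./]*|"") return 1 ;;
    esac
    ip=${1%/*}; prefix=${1#*/}
    [ "$ip" = "$1" ] && return 1                 # no "/n" part at all
    [ "$prefix" -ge 0 ] 2>/dev/null && [ "$prefix" -le 32 ] || return 1
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1                     # exactly four octets
    for o in "$@"; do
        [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# nat_rules SUBNET INTIF EXTIF: install the rules in the order from the
# reply above, plus a default DROP on FORWARD so anything not explicitly
# allowed (e.g. unsolicited inbound to the LAN) is refused.
nat_rules() {
    subnet=$1; intif=$2; extif=$3
    validate_cidr "$subnet" || { echo "bad subnet: $subnet" >&2; return 1; }
    if [ "${DRY_RUN:-0}" = 1 ]; then run() { echo "$*"; }; else run() { "$@"; }; fi
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    run "$IPTABLES" -P FORWARD DROP
    # replies to LAN-initiated connections first, then new LAN->Internet
    run "$IPTABLES" -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPTABLES" -A FORWARD -i "$intif" -o "$extif" -s "$subnet" -j ACCEPT
    run "$IPTABLES" -t nat -A POSTROUTING -s "$subnet" -o "$extif" -j MASQUERADE
}

# Usage (apply as root): DRY_RUN=0 ./nat.sh   or   DRY_RUN=1 to preview
[ "${NAT_EXAMPLE_SKIP_MAIN:-0}" = 1 ] || DRY_RUN=${DRY_RUN:-1} nat_rules 192.168.5.0/24 eth2 eth1
```

The tcpdump checks from the reply (`tcpdump -pni eth2 icmp`, then `tcpdump -pni eth1 icmp`) remain the way to confirm the packets actually cross each interface once the rules are in.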