
Re: NAT and IPTABLES problem



Hi

you should really try to keep the replies on list, that way this can
help other people (or other people can help you)

it looks like the icmp is going out to 216.109.112.135 and then coming
back to the firewall.  For some reason the firewall is sending back a
time exceeded in-transit, I believe this is an ICMP message to state that
the packet tried to go past too many routers (hops).

is this a dump of the firewall machine making the ping attempt or a
client behind the firewall ?

Do you have any other iptables rules in place, have you made any changes
via sysctl and have you got forwarding turned on ?

Alex


On Tue, Apr 01, 2008 at 04:11:59AM -0700, chindea mihai wrote:
> Hi .. I tried what you told me, it's still not working. But I used tcpdump, and now I'm sure that the masquerading works fine. Well here's the output of tcpdump, on the external interface:
>     10:55:25.575690 IP 89.38.yy.yyy > 216.109.112.135: ICMP echo request, id 1, seq 8997, length 40
>     10:55:25.698621 IP 216.109.112.135 > 89.38.yy.yyy: ICMP echo reply, id 1, seq 8997, length 40
>     10:55:25.698677 IP 89.38.yy.yyy > 216.109.112.135: ICMP time exceeded in-transit, length 68
>     10:55:30.550023 IP 89.38.yy.yyy > 216.109.112.135: ICMP echo request, id 1, seq 8998, length 40
>     10:55:30.672964 IP 216.109.112.135 > 89.38.yy.yyy: ICMP echo reply, id 1, seq 8998, length 40
>     10:55:30.673010 IP 89.38.yy.yyy > 216.109.112.135: ICMP time exceeded in-transit, length 68
> 
> Any thoughts, because I ran out of inspiration already.
> Thanks,
> 
> Mihai,
> 
> ----- Original Message ----
> From: Alex Samad <alex@samad.com.au>
> To: debian-amd64@lists.debian.org
> Sent: Tuesday, April 1, 2008 5:07:40 AM
> Subject: Re: NAT and IPTABLES problem
> 
>  On Mon, Mar 31, 2008 at 07:56:31PM -0700, chindea mihai wrote:
> > I'm trying to give internet access to a subnet. On my Debian Etch pc, I tried to configure NAT on IPtables, but I can get it working. 
> > I used rules, with packets filtering, and after without it, but it's not working. The most simple rules I've been using are:
> > 
> > #!/bin/sh
> > IPTABLES='/sbin/iptables'
> > EXTIF='eth1'
> > INTIF='eth2'
> > # enable ip forwarding in the kernel
> > /bin/echo 1 > /proc/sys/net/ipv4/ip_forward
> > 
> > # flush rules and delete chains
> > $IPTABLES -F
> > $IPTABLES -X
> > $IPTABLES -t nat --flush
> > $IPTABLES -t nat --delete-chain
> > 
> > #Enable masquerading to allow LAN internet access
> > $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
> > 
> > #Forward LAN traffic from LAN $INTIF to Internet $EXTIF
> > $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT
> >     
> > And it's just not working, the rules above should forward all packets without any filtering from subnet eth2, to eth1 which has a static IP provided by my ISP. That type of masquerade, as far as I read, is for dynamically allocated IPs, but I tried something like this:
> >     $IPTABLES -t nat -A POSTROUTING -s 192.168.5.0/24 -o eth1 -j SNAT --to xx.xx.xx.xxx, and it's still not working.
> why not try something like this
> 
> iptables -I FORWARD --match state --state ESTABLISHED,RELATED --jump ACCEPT
> iptables -A FORWARD -i $INTIF -o $EXTIF  --jump ACCEPT
> 
> iptables -t nat -A POSTROUTING -s <place your internal subnet here>  -o $EXTIF -j MASQUERADE
> 
> try pinging from the firewall. Then try pinging from a client machine,
> whilst doing a tcpdump on the firewall.
> on the internal int try tcpdump -pni <intf> icmp
> then on the external interface tcpdump -pni <eint> icmp
> 
> you should be able to watch the packets at each of the stages
> 
> Alex
> 
> > 
> > Now if I do something like this, on a pc in the subnet; 
> >   C:\ ping yahoo.com
> >   Request timed out.
> > 
> > I'm obviously doing something wrong, but I just can't figure it out. 
> > Any help would be appreciated.
> > 
> > Mihai Chindea
> > 
> > 
> > 
> -- 
> "It's your money. You paid for it."
> 
>     - George W. Bush
> 10/18/2000
> LaCrosse, WI
> 
> 
> 
> 
> 
> 
-- 
There is, in fact, no reason to believe that any given natural phenomenon,
however marvelous it may seem today, will remain forever inexplicable.
Soon or late the laws governing the production of life itself will be
discovered in the laboratory, and man may set up business as a creator
on his own account.  The thing, indeed, is not only conceivable; it is
even highly probable.
		-- H. L. Mencken, 1930
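Alex's reading of the dump above (echo reply arrives at the firewall, and the firewall immediately answers the remote host with "time exceeded in-transit") is the kind of pattern worth checking mechanically when tracing NAT problems. The following script is an added example, not code from the thread or from any of its participants: it parses tcpdump ICMP lines of the shape quoted in the thread, pairs echo requests with replies by (id, seq), and flags every ICMP time-exceeded the firewall's own external address emits right after a reply. The sample dump is constructed from the six lines Mihai posted (the partially masked 89.38.yy.yyy address is kept as written); the firewall address passed to analyse() and the 10 ms window are assumptions.

```python
import re

# Constructed sample, modelled on the tcpdump lines quoted in the thread.
SAMPLE_DUMP = """\
10:55:25.575690 IP 89.38.yy.yyy > 216.109.112.135: ICMP echo request, id 1, seq 8997, length 40
10:55:25.698621 IP 216.109.112.135 > 89.38.yy.yyy: ICMP echo reply, id 1, seq 8997, length 40
10:55:25.698677 IP 89.38.yy.yyy > 216.109.112.135: ICMP time exceeded in-transit, length 68
10:55:30.550023 IP 89.38.yy.yyy > 216.109.112.135: ICMP echo request, id 1, seq 8998, length 40
10:55:30.672964 IP 216.109.112.135 > 89.38.yy.yyy: ICMP echo reply, id 1, seq 8998, length 40
10:55:30.673010 IP 89.38.yy.yyy > 216.109.112.135: ICMP time exceeded in-transit, length 68
"""

# One tcpdump line: timestamp, "IP src > dst:", then the ICMP description and length.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"ICMP (?P<msg>.+?), length \d+$"
)
ECHO_RE = re.compile(r"^echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)$")


def ts_seconds(ts):
    """Convert an HH:MM:SS.ffffff tcpdump timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_icmp_dump(text):
    """Return one record per recognised ICMP line; anything else is skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = {"ts": m["ts"], "src": m["src"], "dst": m["dst"],
               "kind": "other", "id": None, "seq": None, "msg": m["msg"]}
        e = ECHO_RE.match(m["msg"])
        if e:
            rec["kind"] = e["kind"]          # "request" or "reply"
            rec["id"] = int(e["id"])
            rec["seq"] = int(e["seq"])
        elif m["msg"].startswith("time exceeded"):
            rec["kind"] = "time-exceeded"
        records.append(rec)
    return records


def analyse(records, firewall_ext_ip, window=0.01):
    """Pair requests with replies and flag time-exceeded errors the firewall sends
    within `window` seconds of receiving a reply (assumed threshold)."""
    requests = {}
    replies = 0
    errors_after_reply = []
    last_reply = None  # (key, ts) of the most recent echo reply seen
    for r in records:
        key = (r["id"], r["seq"])
        if r["kind"] == "request" and r["src"] == firewall_ext_ip:
            requests[key] = r["ts"]
        elif r["kind"] == "reply" and key in requests:
            replies += 1
            last_reply = (key, r["ts"])
        elif r["kind"] == "time-exceeded" and r["src"] == firewall_ext_ip and last_reply:
            delta = ts_seconds(r["ts"]) - ts_seconds(last_reply[1])
            if 0 <= delta < window:
                errors_after_reply.append((last_reply[0], delta))
                last_reply = None
    unanswered = [k for k in requests if k not in {e[0] for e in errors_after_reply}
                  and replies == 0]
    if replies and len(errors_after_reply) == replies:
        # Every reply that reached the external interface was followed by a
        # TTL-expired error from the firewall itself, so the client never got it.
        verdict = "firewall-error-after-reply"
    elif unanswered:
        verdict = "no-reply-from-remote"
    else:
        verdict = "ok"
    return {"requests": len(requests), "replies": replies,
            "unanswered": unanswered, "errors_after_reply": errors_after_reply,
            "verdict": verdict}


if __name__ == "__main__":
    result = analyse(parse_icmp_dump(SAMPLE_DUMP), "89.38.yy.yyy")
    for line in (f"{k}: {v}" for k, v in result.items()):
        print(line)
```

Run it over a real capture with `tcpdump -pni eth1 icmp > dump.txt` (the external interface, as Alex suggests) and read the file in instead of SAMPLE_DUMP; a "firewall-error-after-reply" verdict means the remote host is answering but the reply never makes it past the firewall, so the next place to look is the FORWARD chain, ip_forward and the route back to the internal subnet, not the MASQUERADE rule.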
