
Re: NAT and IPTABLES problem



Can you post the output of these 3 commands?
/sbin/iptables -t filter -L -v -n
/sbin/iptables -t nat -L -v -n
/sbin/iptables -t mangle -L -v -n

chindea mihai wrote:


----- Original Message ----
From: Bonnel Christophe <mage.tophinus@free.fr>
To: chindea mihai <misubs24@yahoo.com>
Cc: debian-amd64@lists.debian.org
Sent: Tuesday, April 1, 2008 4:22:38 AM
Subject: Re: NAT and IPTABLES problem

Hi,

I think there are two problems here:
>
> #Forward LAN traffic from LAN $INTIF to Internet $EXTIF
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT
You allow only NEW and ESTABLISHED output to the web. Didn't you forget
RELATED?

You must also let your gateway forward input data from the web:
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

You should also redefine the default policy:
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT

Now, this line:
>
>    $IPTABLES -t nat -A POSTROUTING -s 192.168.5.0/24 -o eth1 -j SNAT --to xx.xx.xx.xxx, and it's still not working.
>
You should use it if you want a DMZ, for example, so you don't need it here.

Hope this helps

Christophe

I made those changes, but unfortunately I still get "Request times out" on ping attempts from the subnet PC. You know, it's weird, because I have VMware installed and apparently the NAT connection works just fine for it; well, VMware doesn't use iptables.

Mihai,
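Pulling the corrections above together, as an added example that is not code from the thread: a minimal gateway script with the reply-direction FORWARD rule, the RELATED state, policies set with the "-P CHAIN TARGET" syntax and the lowercase nat table, plus the ip_forward sysctl and the POSTROUTING source NAT that actually rewrites the LAN addresses. The interface names (eth1 to the Internet, eth0 to the LAN), the 192.168.5.0/24 prefix and the use of MASQUERADE instead of a fixed SNAT address are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: eth1 faces the
# Internet, eth0 faces the 192.168.5.0/24 LAN, external address is dynamic.
# By default the commands are only printed; run as root with DRY_RUN= to apply.
DRY_RUN="${DRY_RUN-1}"
IPT=/sbin/iptables

run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

nat_gateway_rules() {
    extif="$1"
    intif="$2"
    lan="$3"

    # Without this the kernel never forwards LAN packets, whatever iptables says.
    run sysctl -w net.ipv4.ip_forward=1

    # Start from empty tables so rules from earlier attempts do not linger.
    run "$IPT" -F
    run "$IPT" -t nat -F

    # Default policies: "-P CHAIN TARGET" takes no "-j". OUTPUT is left ACCEPT
    # here; a DROP policy there needs explicit egress rules for the gateway itself.
    run "$IPT" -P INPUT DROP
    run "$IPT" -P FORWARD DROP
    run "$IPT" -P OUTPUT ACCEPT

    # Gateway itself: loopback and replies to its own connections.
    run "$IPT" -A INPUT -i lo -j ACCEPT
    run "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN -> Internet: new and ongoing connections, plus RELATED (FTP data, ICMP errors).
    run "$IPT" -A FORWARD -i "$intif" -o "$extif" -s "$lan" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # Internet -> LAN: reply direction only, never NEW. Ping replies arrive as
    # ESTABLISHED, so without this rule "Request timed out" is the expected result.
    run "$IPT" -A FORWARD -i "$extif" -o "$intif" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Source NAT is what rewrites 192.168.5.x to the public address: MASQUERADE
    # for a dynamic address, "-j SNAT --to <addr>" for a fixed one.
    run "$IPT" -t nat -A POSTROUTING -s "$lan" -o "$extif" -j MASQUERADE
}

nat_gateway_rules "${EXTIF:-eth1}" "${INTIF:-eth0}" "${LAN:-192.168.5.0/24}"
```

After applying, the three listing commands at the top of this mail (filter, nat and mangle with -v) show per-rule packet counters, so a ping from the LAN should increment both FORWARD rules and the POSTROUTING rule.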

