On Tue, Apr 01, 2008 at 07:33:30AM -0700, chindea mihai wrote:
>
> ----- Original Message ----
> From: Bonnel Christophe <mage.tophinus@free.fr>
> To: chindea mihai <misubs24@yahoo.com>
> Cc: debian-amd64@lists.debian.org
> Sent: Tuesday, April 1, 2008 4:22:38 AM
> Subject: Re: NAT and IPTABLES problem
>
> Hi,
>
> I think there are two problems here:
> >
> > #Forward LAN traffic from LAN $INTIF to Internet $EXTIF
> > $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -m state --state
> > NEW,ESTABLISHED -j ACCEPT
> You allow only NEW and ESTABLISHED output to the web. Don't you forget
> RELATED?
>
> You must also let your gateway forward input data from the web:
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> You should also redefine the default policy:
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT DROP
> $IPTABLES -P FORWARD DROP
> $IPTABLES -t nat -P PREROUTING ACCEPT
> $IPTABLES -t nat -P POSTROUTING ACCEPT
> $IPTABLES -t nat -P OUTPUT ACCEPT
>
> Now, this line:
> >
> > $IPTABLES -t nat -A POSTROUTING -s 192.168.5.0/24 -o eth1 -j SNAT
> > --to xx.xx.xx.xxx, and it's still not working.
> >
> You should use it if you want DMZ for example, so you don't need it here.
>
> Hope this helps
>
> Christophe
>
> I made those changes, but unfortunately I still get "Request times out", at ping attempts, from subnet pc.
> You know it's weird, cause I have VMware installed, and apparently NAT connection works just fine for it,

Well, VMware doesn't use iptables. VMware has its own network module to do that.

>
> Mihai,

--
It's getting uncommonly easy to kill people in large numbers, and the first thing a principle does -- if it really is a principle -- is to kill somebody.
-- Dorothy L. Sayers, "Gaudy Night"
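The forwarding advice quoted in this thread, written as a check over a gateway script. This is an added example, not code from the thread; `parse`, `allows`, `audit` and both sample scripts are constructed for illustration. It assumes the FORWARD policy is meant to be DROP, and relies on two iptables facts: the policy form is `-P CHAIN POLICY` with no `-j`, and table names are lowercase.

```python
import shlex

FLAGS = {"-t": "table", "-A": "chain", "-P": "policy_chain", "-i": "in",
         "-o": "out", "-j": "target", "--state": "states"}
TABLES = {"filter", "nat", "mangle", "raw", "security"}  # case-sensitive names

def parse(line):
    """Extract the options this check needs from one iptables command line."""
    tok = shlex.split(line)[1:]  # drop the program name ($IPTABLES)
    rule = {"table": "filter"}
    for i, t in enumerate(tok[:-1]):
        if t in FLAGS:
            rule[FLAGS[t]] = tok[i + 1]
        if t == "-P":  # correct form is "-P CHAIN POLICY", with no -j
            rule["policy"] = tok[i + 2] if i + 2 < len(tok) else ""
    rule["states"] = set(filter(None, rule.get("states", "").split(",")))
    return rule

def allows(rule, state):  # a rule with no --state match accepts every state
    return not rule["states"] or state in rule["states"]

def audit(script, intif="$INTIF", extif="$EXTIF"):
    """Return findings for a gateway script whose FORWARD policy is DROP."""
    rules = [parse(l) for l in script.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    found = ["unknown-table:" + r["table"] for r in rules if r["table"] not in TABLES]
    found += ["bad-policy-syntax:" + r["policy_chain"] for r in rules
              if "policy" in r and r["policy"] not in ("ACCEPT", "DROP")]
    fwd = [r for r in rules if r["table"] == "filter"
           and r.get("chain") == "FORWARD" and r.get("target") == "ACCEPT"]
    out = [r for r in fwd if (r.get("in"), r.get("out")) == (intif, extif)]
    back = [r for r in fwd if (r.get("in"), r.get("out")) == (extif, intif)]
    if out and not any(allows(r, "RELATED") for r in out):
        found.append("outbound-missing-RELATED")
    if not any(allows(r, "ESTABLISHED") and allows(r, "RELATED") for r in back):
        found.append("no-return-path")
    return found

# Constructed sample scripts, not taken from a real host.
BROKEN = """$IPTABLES -P FORWARD -j DROP
$IPTABLES -t NAT -P POSTROUTING ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT"""
FIXED = """$IPTABLES -P FORWARD DROP
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT"""

if __name__ == "__main__":
    print(audit(BROKEN), audit(FIXED))
```

The interface names are compared as literal strings, so pass the real names (for example `audit(script, "eth0", "eth1")`) when the script does not use `$INTIF` and `$EXTIF`.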