Hi,
/etc/network# iptables -t filter -L -v -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
22 10448 ACCEPT 0 -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 LOG 0 -- !lo * 127.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4
0 0 DROP 0 -- !lo * 127.0.0.0/8 0.0.0.0/0
0 0 ACCEPT 0 -- eth2 * 0.0.0.0/0 255.255.255.255
36 1206 ACCEPT 0 -- eth2 * 192.168.5.0/24 0.0.0.0/0
0 0 ACCEPT !tcp -- eth2 * 0.0.0.0/0 224.0.0.0/4
0 0 LOG 0 -- eth1 * 192.168.5.0/24 0.0.0.0/0 LOG flags 0 level 4
0 0 DROP 0 -- eth1 * 192.168.5.0/24 0.0.0.0/0
0 0 ACCEPT 0 -- eth1 * 0.0.0.0/0 255.255.255.255
38 15905 ACCEPT 0 -- eth1 * 0.0.0.0/0 xx.xx.xx.221
31 899 ACCEPT 0 -- eth1 * 0.0.0.0/0 xx.xx.xx.255
0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
19 1140 ACCEPT 0 -- eth2 eth1 192.168.5.0/24 0.0.0.0/0
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 LOG 0 -- * eth1 0.0.0.0/0 192.168.5.0/24 LOG flags 0 level 4
0 0 DROP 0 -- * eth1 0.0.0.0/0 192.168.5.0/24
0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 1 packets, 92 bytes)
pkts bytes target prot opt in out source destination
22 10448 ACCEPT 0 -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- * eth2 0.0.0.0/0 255.255.255.255
35 1399 ACCEPT 0 -- * eth2 0.0.0.0/0 192.168.5.0/24
1 107 ACCEPT !tcp -- * eth2 0.0.0.0/0 224.0.0.0/4
0 0 LOG 0 -- * eth1 0.0.0.0/0 192.168.5.0/24 LOG flags 0 level 4
0 0 DROP 0 -- * eth1 0.0.0.0/0 192.168.5.0/24
0 0 ACCEPT 0 -- * eth1 0.0.0.0/0 255.255.255.255
89 9594 ACCEPT 0 -- * eth1 xx.xx.xx.221 0.0.0.0/0
0 0 ACCEPT 0 -- * eth1 xx.xx.xx.255 0.0.0.0/0
0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
/etc/network#
xx.xx.xx.221 is my static IP, provided by the ISP.
/etc/network# iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 105 packets, 11641 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 38 packets, 1769 bytes)
pkts bytes target prot opt in out source destination
67 4020 MASQUERADE 0 -- * eth1 192.168.5.0/24 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 39 packets, 1861 bytes)
pkts bytes target prot opt in out source destination
/etc/network#
/etc/network# iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 995 packets, 121K bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 824 packets, 110K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 83 packets, 4952 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 892 packets, 128K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 1243 packets, 140K bytes)
pkts bytes target prot opt in out source destination
/etc/network#
That's all.
Thanks,
Mihai
----- Original Message ----
From: Bonnel Christophe <mage.tophinus@free.fr>
To: chindea mihai <misubs24@yahoo.com>
Cc: debian-amd64@lists.debian.org
Sent: Tuesday, April 1, 2008 3:08:54 PM
Subject: Re: NAT and IPTABLES problem
Can you post the output of these 3 commands?
/sbin/iptables -t filter -L -v -n
/sbin/iptables -t nat -L -v -n
/sbin/iptables -t mangle -L -v -n
chindea mihai wrote:
>
>
> ----- Original Message ----
> From: Bonnel Christophe <mage.tophinus@free.fr>
> To: chindea mihai <misubs24@yahoo.com>
> Cc: debian-amd64@lists.debian.org
> Sent: Tuesday, April 1, 2008 4:22:38 AM
> Subject: Re: NAT and IPTABLES problem
>
> Hi,
>
> I think there are two problems here:
> >
> > #Forward LAN traffic from LAN $INTIF to Internet $EXTIF
> > $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT
> You allow only NEW and ESTABLISHED output to the web. Didn't you forget
> RELATED?
>
> You must also let your gateway forward input data from the web:
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> You should also redefine the default policy:
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT DROP
> $IPTABLES -P FORWARD DROP
> $IPTABLES -t nat -P PREROUTING ACCEPT
> $IPTABLES -t nat -P POSTROUTING ACCEPT
> $IPTABLES -t nat -P OUTPUT ACCEPT
>
> Now, this line :
> >
> > $IPTABLES -t nat -A POSTROUTING -s 192.168.5.0/24 -o eth1 -j SNAT
> > --to xx.xx.xx.xxx, and it's still not working.
> >
> You should use it if you want a DMZ, for example, so you don't need it here.
>
> Hope this helps
>
> Christophe
>
> I made those changes, but unfortunately I still get "Request times
> out" on ping attempts from the subnet PC.
> You know it's weird, because I have VMware installed, and apparently NAT
> connection works just fine for it; well, VMware doesn't use iptables.
>
> Mihai,
>
>
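As an added example (not a script from Mihai or Christophe), here is the stateful NAT gateway ruleset the thread is converging on, written as a shell script that can be dry-run without root by setting IPTABLES=echo. The interface roles (eth2 = LAN, eth1 = ISP) and the 192.168.5.0/24 prefix are taken from the output posted above; the log prefixes and the rule allowing LAN hosts to open connections to the gateway itself are my own assumptions. Note that `-P` takes the policy name directly, with no `-j`, and that forwarding must be enabled in the kernel before any FORWARD rule can match. After applying a ruleset like this, `iptables -L -v -n` is the check: when a LAN host pings out, the pkts counter on the `ESTABLISHED,RELATED` FORWARD rule must move; in the output posted above that rule sits at 0 packets while MASQUERADE shows 67, so whether reply traffic is reaching the box at all is the first thing the counters can tell you.

```shell
#!/bin/sh
# Minimal stateful NAT gateway for the topology in the thread (assumed from the
# posted output): eth2 = LAN side 192.168.5.0/24, eth1 = ISP side.
# Set IPTABLES=echo (or run without the "apply" argument) to print the rules
# instead of installing them.
IPTABLES="${IPTABLES:-/sbin/iptables}"

nat_gateway_rules() {
    intif="$1"; extif="$2"; lan="$3"

    # Routing between interfaces must be on, or no FORWARD rule ever matches.
    # Skipped in dry-run mode because it needs root.
    [ "$IPTABLES" = echo ] || sysctl -w net.ipv4.ip_forward=1 >/dev/null

    # Clean slate so stale rules cannot shadow the new ones.
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -X

    # Default policies: -P takes a policy name, not a -j target.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP

    # Loopback, plus conntrack-tracked traffic for the gateway itself.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # Assumption: LAN hosts may open connections to gateway services (DNS, SSH...).
    # Tighten this per port in a real deployment.
    $IPTABLES -A INPUT -i "$intif" -s "$lan" -m state --state NEW -j ACCEPT

    # Anti-spoofing: the LAN prefix must never arrive on the ISP interface.
    $IPTABLES -A FORWARD -i "$extif" -s "$lan" -j LOG --log-prefix "spoof: "
    $IPTABLES -A FORWARD -i "$extif" -s "$lan" -j DROP

    # LAN -> Internet: new and existing sessions.
    $IPTABLES -A FORWARD -i "$intif" -o "$extif" -s "$lan" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # Internet -> LAN: replies only. Never NEW, so nothing can open a
    # connection into the LAN through the gateway.
    $IPTABLES -A FORWARD -i "$extif" -o "$intif" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Log whatever falls through before the DROP policy discards it.
    $IPTABLES -A FORWARD -j LOG --log-prefix "fwd-drop: "

    # Source NAT behind the ISP address. MASQUERADE works with a static IP too;
    # SNAT --to <ip> is only needed for a fixed mapping to a specific address.
    $IPTABLES -t nat -A POSTROUTING -s "$lan" -o "$extif" -j MASQUERADE
}

# Without the "apply" argument, only show what would be installed.
if [ "${1:-}" != apply ]; then
    IPTABLES=echo
fi
nat_gateway_rules eth2 eth1 192.168.5.0/24
```

Run it as `sh nat-gw.sh` to review the generated rules, and `sh nat-gw.sh apply` as root to install them. The order matters: the anti-spoof LOG/DROP pair sits before the accept rules, and the ESTABLISHED,RELATED accept sits before the catch-all LOG, so legitimate replies are never logged as drops.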