
Re: NAT and IPTABLES problem



Hi,

I think you want the output of tcpdump on the internal interface, which in my case is eth2. So here's the output:

/etc/network# tcpdump -pni eth2 -v icmp
tcpdump: listening on eth2, link-type EN10MB (Ethernet), capture size 96 bytes
02:13:01.968565 IP (tos 0x0, ttl 128, id 1131, offset 0, flags [none], proto: ICMP (1), length: 60) 192.168.5.10 > 216.109.112.135: ICMP echo request, id 1, seq 11911, length 40
02:13:06.969158 IP (tos 0x0, ttl 128, id 1132, offset 0, flags [none], proto: ICMP (1), length: 60) 192.168.5.10 > 216.109.112.135: ICMP echo request, id 1, seq 11912, length 40
02:13:11.969718 IP (tos 0x0, ttl 128, id 1133, offset 0, flags [none], proto: ICMP (1), length: 60) 192.168.5.10 > 216.109.112.135: ICMP echo request, id 1, seq 11913, length 40
02:13:16.970051 IP (tos 0x0, ttl 128, id 1134, offset 0, flags [none], proto: ICMP (1), length: 60) 192.168.5.10 > 216.109.112.135: ICMP echo request, id 1, seq 11914, length 40
02:13:21.970677 IP (tos 0x0, ttl 128, id 1135, offset 0, flags [none], proto: ICMP (1), length: 60) 192.168.5.10 > 216.109.112.135: ICMP echo request, id 1, seq 11915, length 40
02:13:26.971256 IP (tos 0x0, ttl 128, id 1139, offset 0, flags [none], proto: ICMP (1), length: 60) 192.168.5.10 > 216.109.112.135: ICMP echo request, id 1, seq 11916, length 40

Mihai,

----- Original Message ----
From: Alex Samad <alex@samad.com.au>
To: debian-amd64@lists.debian.org
Sent: Tuesday, April 1, 2008 8:25:55 PM
Subject: Re: NAT and IPTABLES problem

Hi

Can you change the tcpdump to

tcpdump -pni eth0 -v icmp

this way you will get something like this
07:24:22.289726 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 192.168.11.10 > 192.168.11.11: ICMP echo request, id 48974, seq 9, length 64
07:24:22.289783 IP (tos 0x0, ttl 64, id 55013, offset 0, flags [none], proto ICMP (1), length 84) 192.168.11.11 > 192.168.11.10: ICMP echo reply, id 48974, seq 9, length 64


Notice you will see a TTL. I just want to check if the inbound packet
has a TTL of 0.

Alex

On Tue, Apr 01, 2008 at 07:10:59AM -0700, chindea mihai wrote:
> Packet forwarding is activated, and it has been since the beginning.
> Now, the output I gave you was from the PC that runs iptables, but the ping attempt was made by a laptop in the subnet. Again, any ping attempt from the machine with iptables succeeds.
> I suppose the problem is in forwarding the packets to the subnet, but I just can't understand why.
> Here is the complete set of rules that iptables used for the last test:
>
> #!/bin/sh
> IPTABLES='/sbin/iptables'
>
> # Set interface values
> EXTIF='eth1'
> INTIF='eth2'
>
> $IPTABLES -F
> $IPTABLES -X
> $IPTABLES -t nat --flush
> $IPTABLES -t nat --delete-chain
>
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT DROP
> $IPTABLES -P FORWARD DROP
> $IPTABLES -t nat -P PREROUTING ACCEPT
> $IPTABLES -t nat -P POSTROUTING ACCEPT
> $IPTABLES -t nat -P OUTPUT ACCEPT
>
> $IPTABLES -I FORWARD --match state --state NEW,ESTABLISHED,RELATED --jump ACCEPT
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF --jump ACCEPT
> $IPTABLES -t nat -A POSTROUTING -s 192.168.5.0/24 -o $EXTIF -j MASQUERADE
>
> /bin/echo 1 > /proc/sys/net/ipv4/ip_forward
>
>
> Mihai,
>
> ----- Original Message ----
> From: Alex Samad <alex@samad.com.au>
> To: chindea mihai <misubs24@yahoo.com>
> Cc: debian-amd64@lists.debian.org
> Sent: Tuesday, April 1, 2008 1:38:57 PM
> Subject: Re: NAT and IPTABLES problem
>
> Hi
>
> you should really try to keep the replies on list, that way this can
> help other people (or other people can help you)
>
> it looks like the ICMP is going out to 216.109.112.135 and then coming
> back to the firewall.  For some reason the firewall is sending back a
> time exceeded in-transit; I believe this is an ICMP message to state that
> the packet tried to go past too many routers (hops).
>
> is this a dump of the firewall machine making the ping attempt or a
> client behind the firewall?
>
> Do you have any other iptables rules in place, have you made any changes
> via sysctl and have you got forwarding turned on?
>
> Alex
>
>
> On Tue, Apr 01, 2008 at 04:11:59AM -0700, chindea mihai wrote:
> > Hi... I tried what you told me, it's still not working. But I used tcpdump, and now I'm sure that the masquerading works fine. Well, here's the output of tcpdump on the external interface:
> > 10:55:25.575690 IP 89.38.yy.yyy > 216.109.112.135: ICMP echo request, id 1, seq 8997, length 40
> > 10:55:25.698621 IP 216.109.112.135 > 89.38.yy.yyy: ICMP echo reply, id 1, seq 8997, length 40
> > 10:55:25.698677 IP 89.38.yy.yyy > 216.109.112.135: ICMP time exceeded in-transit, length 68
> > 10:55:30.550023 IP 89.38.yy.yyy > 216.109.112.135: ICMP echo request, id 1, seq 8998, length 40
> > 10:55:30.672964 IP 216.109.112.135 > 89.38.yy.yyy: ICMP echo reply, id 1, seq 8998, length 40
> > 10:55:30.673010 IP 89.38.yy.yyy > 216.109.112.135: ICMP time exceeded in-transit, length 68
> >
> > Any thoughts? I ran out of inspiration already.
> > Thanks,
> >
> > Mihai,
> >
> > ----- Original Message ----
> > From: Alex Samad <alex@samad.com.au>
> > To: debian-amd64@lists.debian.org
> > Sent: Tuesday, April 1, 2008 5:07:40 AM
> > Subject: Re: NAT and IPTABLES problem
> >
> > On Mon, Mar 31, 2008 at 07:56:31PM -0700, chindea mihai wrote:
> > > I'm trying to give internet access to a subnet. On my Debian Etch PC, I tried to configure NAT with iptables, but I can't get it working.
> > > I used rules with packet filtering, and afterwards without it, but it's not working. The simplest rules I've been using are:
> > >
> > > #!/bin/sh
> > > IPTABLES='/sbin/iptables'
> > > EXTIF='eth1'
> > > INTIF='eth2'
> > > # enable ip forwarding in the kernel
> > > /bin/echo 1 > /proc/sys/net/ipv4/ip_forward
> > >
> > > # flush rules and delete chains
> > > $IPTABLES -F
> > > $IPTABLES -X
> > > $IPTABLES -t nat --flush
> > > $IPTABLES -t nat --delete-chain
> > >
> > > #Enable masquerading to allow LAN internet access
> > > $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
> > >
> > > #Forward LAN traffic from LAN $INTIF to Internet $EXTIF
> > > $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT
> > >
> > > And it's just not working. The rules above should forward all packets without any filtering from the subnet on eth2 to eth1, which has a static IP provided by my ISP. That type of masquerade, as far as I read, is for dynamically allocated IPs, but I tried something like this:
> > >    $IPTABLES -t nat -A POSTROUTING -s 192.168.5.0/24 -o eth1 -j SNAT --to xx.xx.xx.xxx, and it's still not working.
> > why not try something like this
> >
> > iptables -I FORWARD --match state --state ESTABLISHED,RELATED --jump ACCEPT
> > iptables -A FORWARD -i $INTIF -o $EXTIF  --jump ACCEPT
> >
> > iptables -t nat -A POSTROUTING -s <place your internal subnet here>  -o $EXTIF -j MASQUERADE
> >
> > try pinging from the firewall. Then try pinging from a client machine,
> > whilst doing a tcpdump on the firewall.
> > on the internal int try tcpdump -pni <intf> icmp
> > then on the external interface tcpdump -pni <eint> icmp
> >
> > you should be able to watch the packets at each of the stages
> >
> > Alex
> >
> > >
> > > Now if I do something like this on a PC in the subnet:
> > >  C:\ ping yahoo.com
> > >  Request timed out.
> > >
> > > I'm obviously doing something wrong, but I just can't figure it out.
> > > Any help would be appreciated.
> > >
> > > Mihai Chindea
> > >
> > >
> > >
> > --
> > "It's your money. You paid for it."
> >
> >    - George W. Bush
> > 10/18/2000
> > LaCrosse, WI
> >
> --
> There is, in fact, no reason to believe that any given natural phenomenon,
> however marvelous it may seem today, will remain forever inexplicable.
> Soon or late the laws governing the production of life itself will be
> discovered in the laboratory, and man may set up business as a creator
> on his own account.  The thing, indeed, is not only conceivable; it is
> even highly probable.
>        -- H. L. Mencken, 1930
>
--
"Columbia carried in its payroll classroom experiments from some of our students in America."

    - George W. Bush
02/03/2003
Bethesda, MD
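Alex's advice to watch the packets at each stage (tcpdump on the internal and on the external interface) can be turned into a small correlation script. What follows is an added example, not code from this thread or from Debian: it parses `tcpdump -v icmp` lines, follows each ping through the NAT by its ICMP id/seq pair (MASQUERADE rewrites the source address but leaves the ICMP id and seq untouched), and reports at which stage the ping was lost. The two captures embedded below are constructed for this example in the format the thread shows; the LAN client 192.168.5.10 and the masked public address 89.38.yy.yyy are taken from the thread, while the external-side reply lines, their TTL values and the helper names are assumptions made here.

```python
"""Correlate ICMP echo traffic captured on a NAT firewall's internal and
external interfaces (tcpdump -pni <if> -v icmp) to see where a ping is lost.
Added example: constructed sample captures, not output from the thread."""
import re

# Constructed LAN-side capture (firewall's internal interface, verbose format).
INTERNAL_CAPTURE = """\
02:13:01.968565 IP (tos 0x0, ttl 128, id 1131, offset 0, flags [none], proto: ICMP (1), length: 60) 192.168.5.10 > 216.109.112.135: ICMP echo request, id 1, seq 11911, length 40
02:13:06.969158 IP (tos 0x0, ttl 128, id 1132, offset 0, flags [none], proto: ICMP (1), length: 60) 192.168.5.10 > 216.109.112.135: ICMP echo request, id 1, seq 11912, length 40
"""

# Constructed WAN-side capture (external interface). Source is the firewall's
# masked public address after MASQUERADE; reply TTLs here are made up.
EXTERNAL_CAPTURE = """\
02:13:01.968700 IP (tos 0x0, ttl 127, id 1131, offset 0, flags [none], proto: ICMP (1), length: 60) 89.38.yy.yyy > 216.109.112.135: ICMP echo request, id 1, seq 11911, length 40
02:13:02.091000 IP (tos 0x0, ttl 52, id 9001, offset 0, flags [none], proto: ICMP (1), length: 60) 216.109.112.135 > 89.38.yy.yyy: ICMP echo reply, id 1, seq 11911, length 40
02:13:02.091050 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: ICMP (1), length: 88) 89.38.yy.yyy > 216.109.112.135: ICMP time exceeded in-transit, length 68
02:13:06.969300 IP (tos 0x0, ttl 127, id 1132, offset 0, flags [none], proto: ICMP (1), length: 60) 89.38.yy.yyy > 216.109.112.135: ICMP echo request, id 1, seq 11912, length 40
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?:\((?P<hdr>.*?)\) )?"                   # verbose IP header, absent without -v
    r"(?P<src>\S+) > (?P<dst>\S+): ICMP "
    r"(?P<msg>.+?)"                              # "echo request", "time exceeded in-transit", ...
    r"(?:, id (?P<id>\d+), seq (?P<seq>\d+))?"   # only echo request/reply carry id and seq
    r", length \d+$"
)


def parse_line(line):
    """Parse one tcpdump ICMP line; returns None for lines that are not ICMP packets."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ttl = re.search(r"\bttl (\d+)", m.group("hdr") or "")   # None unless -v was used
    return {
        "ts": m.group("ts"), "src": m.group("src"), "dst": m.group("dst"),
        "msg": m.group("msg"),
        "key": (int(m.group("id")), int(m.group("seq"))) if m.group("seq") else None,
        "ttl": int(ttl.group(1)) if ttl else None,
    }


def parse_capture(text):
    return [p for p in map(parse_line, text.splitlines()) if p]


def trace_pings(internal_text, external_text):
    """For every echo request seen on the LAN side, report how far it got.
    The (icmp id, seq) pair survives MASQUERADE, so it ties the LAN packet to
    its translated copy and to the reply on the external interface."""
    inside, outside = parse_capture(internal_text), parse_capture(external_text)

    def by_key(pkts, msg):
        return {p["key"]: p for p in pkts if p["msg"] == msg and p["key"]}

    req_in, req_out = by_key(inside, "echo request"), by_key(outside, "echo request")
    rep_in, rep_out = by_key(inside, "echo reply"), by_key(outside, "echo reply")
    report = {}
    for key, req in req_in.items():
        out, rout, rin = key in req_out, key in rep_out, key in rep_in
        if not out:
            verdict = "request never left the external interface: check FORWARD and POSTROUTING"
        elif not rout:
            verdict = "request went out but no reply came back from the remote host"
        elif not rin:
            verdict = "reply reached the external interface but was not forwarded to the LAN"
        else:
            verdict = "ok"
        report[key] = {
            "lan_src": req["src"],
            "nat_src": req_out[key]["src"] if out else None,
            "reply_ttl": rep_out[key]["ttl"] if rout else None,
            "verdict": verdict,
        }
    return report


def time_exceeded_senders(text):
    """(sender, receiver) pairs for 'time exceeded in-transit' messages. The sender is
    a router that dropped a packet whose TTL hit zero while being forwarded."""
    return [(p["src"], p["dst"]) for p in parse_capture(text)
            if p["msg"].startswith("time exceeded")]


if __name__ == "__main__":
    for key, r in trace_pings(INTERNAL_CAPTURE, EXTERNAL_CAPTURE).items():
        print(f"id={key[0]} seq={key[1]} {r['lan_src']} -> {r['nat_src']}: {r['verdict']}")
    for src, dst in time_exceeded_senders(EXTERNAL_CAPTURE):
        print(f"time exceeded sent by {src} to {dst}")
```

On real captures, run `tcpdump -pni <intif> -v icmp` and `tcpdump -pni <extif> -v icmp` on the firewall at the same time while a LAN client pings, save each to a file, and pass the two texts to `trace_pings`. A reply that shows up on the external interface but never on the internal one points at the return path on the firewall (the FORWARD chain for the reverse direction and conntrack state), not at the MASQUERADE rule; a firewall that itself emits "time exceeded in-transit" is telling the remote host it discarded a packet because its TTL expired during forwarding, which the `reply_ttl` field lets you check against the threshold of 1.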
