can you also provide the output of ip r

alex

On Tue, Apr 01, 2008 at 04:01:28PM -0700, chindea mihai wrote:
> Hi,
>
> /etc/network# iptables -t filter -L -v -n
> Chain INPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>    22 10448 ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0
>     0     0 LOG        0    --  !lo    *       127.0.0.0/8          0.0.0.0/0            LOG flags 0 level 4
>     0     0 DROP       0    --  !lo    *       127.0.0.0/8          0.0.0.0/0
>     0     0 ACCEPT     0    --  eth2   *       0.0.0.0/0            255.255.255.255
>    36  1206 ACCEPT     0    --  eth2   *       192.168.5.0/24       0.0.0.0/0
>     0     0 ACCEPT    !tcp  --  eth2   *       0.0.0.0/0            224.0.0.0/4
>     0     0 LOG        0    --  eth1   *       192.168.5.0/24       0.0.0.0/0            LOG flags 0 level 4
>     0     0 DROP       0    --  eth1   *       192.168.5.0/24       0.0.0.0/0
>     0     0 ACCEPT     0    --  eth1   *       0.0.0.0/0            255.255.255.255
>    38 15905 ACCEPT     0    --  eth1   *       0.0.0.0/0            xx.xx.xx.221
>    31   899 ACCEPT     0    --  eth1   *       0.0.0.0/0            xx.xx.xx.255
>     0     0 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
>     0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>    19  1140 ACCEPT     0    --  eth2   eth1    192.168.5.0/24       0.0.0.0/0
>     0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>     0     0 LOG        0    --  *      eth1    0.0.0.0/0            192.168.5.0/24       LOG flags 0 level 4
>     0     0 DROP       0    --  *      eth1    0.0.0.0/0            192.168.5.0/24
>     0     0 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
>     0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain OUTPUT (policy DROP 1 packets, 92 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>    22 10448 ACCEPT     0    --  *      lo      0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     0    --  *      eth2    0.0.0.0/0            255.255.255.255
>    35  1399 ACCEPT     0    --  *      eth2    0.0.0.0/0            192.168.5.0/24
>     1   107 ACCEPT    !tcp  --  *      eth2    0.0.0.0/0            224.0.0.0/4
>     0     0 LOG        0    --  *      eth1    0.0.0.0/0            192.168.5.0/24       LOG flags 0 level 4
>     0     0 DROP       0    --  *      eth1    0.0.0.0/0            192.168.5.0/24
>     0     0 ACCEPT     0    --  *      eth1    0.0.0.0/0            255.255.255.255
>    89  9594 ACCEPT     0    --  *      eth1    xx.xx.xx.221         0.0.0.0/0
>     0     0 ACCEPT     0    --  *      eth1    xx.xx.xx.255         0.0.0.0/0
>     0     0 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
>     0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0
> /etc/network#
>
> xx.xx.xx.221 is my static IP, provided by ISP.
>
> /etc/network# iptables -t nat -L -v -n
> Chain PREROUTING (policy ACCEPT 105 packets, 11641 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain POSTROUTING (policy ACCEPT 38 packets, 1769 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>    67  4020 MASQUERADE  0   --  *      eth1    192.168.5.0/24       0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT 39 packets, 1861 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> /etc/network#
>
> /etc/network# iptables -t mangle -L -v -n
> Chain PREROUTING (policy ACCEPT 995 packets, 121K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain INPUT (policy ACCEPT 824 packets, 110K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain FORWARD (policy ACCEPT 83 packets, 4952 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 892 packets, 128K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain POSTROUTING (policy ACCEPT 1243 packets, 140K bytes)
>  pkts bytes target     prot opt in     out     source               destination
> /etc/network#
>
> That's all.
> Thanks,
>
> Mihai
>
> ----- Original Message ----
> From: Bonnel Christophe <mage.tophinus@free.fr>
> To: chindea mihai <misubs24@yahoo.com>
> Cc: debian-amd64@lists.debian.org
> Sent: Tuesday, April 1, 2008 3:08:54 PM
> Subject: Re: NAT and IPTABLES problem
>
> Can you post the output of these 3 commands?
> /sbin/iptables -t filter -L -v -n
> /sbin/iptables -t nat -L -v -n
> /sbin/iptables -t mangle -L -v -n
>
> chindea mihai wrote:
> >
> > ----- Original Message ----
> > From: Bonnel Christophe <mage.tophinus@free.fr>
> > To: chindea mihai <misubs24@yahoo.com>
> > Cc: debian-amd64@lists.debian.org
> > Sent: Tuesday, April 1, 2008 4:22:38 AM
> > Subject: Re: NAT and IPTABLES problem
> >
> > Hi,
> >
> > I think there are two problems here:
> >
> > > #Forward LAN traffic from LAN $INTIF to Internet $EXTIF
> > > $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT
> > You allow only NEW and ESTABLISHED output to the web. Didn't you forget RELATED?
> >
> > You must also let your gateway forward input data from the web:
> > $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > You should also redefine the default policy:
> > $IPTABLES -P INPUT DROP
> > $IPTABLES -P OUTPUT DROP
> > $IPTABLES -P FORWARD DROP
> > $IPTABLES -t nat -P PREROUTING ACCEPT
> > $IPTABLES -t nat -P POSTROUTING ACCEPT
> > $IPTABLES -t nat -P OUTPUT ACCEPT
> >
> > Now, this line:
> >
> > > $IPTABLES -t nat -A POSTROUTING -s 192.168.5.0/24 -o eth1 -j SNAT --to xx.xx.xx.xxx, and it's still not working.
> > You should use it if you want a DMZ for example, so you don't need it here.
> >
> > Hope this helps
> >
> > Christophe
> >
> > I made those changes, but unfortunately I still get "Request times out" at ping attempts from the subnet PC.
> > You know it's weird, 'cause I have VMware installed, and apparently NAT connection works just fine for it; well, VMware doesn't use iptables.
> >
> > Mihai,

-- 
Dr. Livingston? Dr. Livingston I. Presume?
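Editor's added example, not code from the thread or from any of its participants: the stateful NAT gateway ruleset that Christophe's advice amounts to, written in iptables-restore format so that it replaces the whole table in one step, plus a small helper that pulls the FORWARD chain counters out of an `iptables -t filter -L -v -n` dump. The interface names and LAN prefix (eth1 towards the ISP, eth2 towards the LAN, 192.168.5.0/24) are taken from the thread; the OUTPUT chain is left at ACCEPT purely to keep the example short. Applying the rules needs root and a Linux box with iptables; the counter helper only needs awk, and the constructed sample dump it is demonstrated on is the FORWARD chain as Mihai posted it.

```shell
#!/bin/sh
# Added example (not from the thread): minimal stateful NAT gateway rules
# plus a FORWARD-chain counter reader.  Interface names and LAN prefix
# follow the thread; override them via the environment for another box.

EXTIF=${EXTIF:-eth1}
INTIF=${INTIF:-eth2}
LAN=${LAN:-192.168.5.0/24}

# Print a complete ruleset for:  gen_nat_rules | iptables-restore   (as root)
# iptables-restore swaps the whole table in one go, so rules left over from
# earlier experiments cannot sit in front of the new ones.  OUTPUT is left
# at ACCEPT here only to keep the example short.
gen_nat_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $INTIF -s $LAN -j ACCEPT
# Replies to LAN connections arrive on $EXTIF and must be forwarded back to
# $INTIF; this rule goes first so every reply packet hits it.
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $INTIF -o $EXTIF -s $LAN -m state --state NEW -j ACCEPT
-A FORWARD -j LOG --log-prefix "fwd-drop: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $LAN -o $EXTIF -j MASQUERADE
COMMIT
EOF
}

# Read an `iptables -t filter -L -v -n` dump on stdin and, for the FORWARD
# chain only, print the policy with its counter and then one line per rule:
#   <pkts> <target> <in> <out> <source> <destination> [match text]
# Packets counted on the LAN->WAN rule but zero on the RELATED,ESTABLISHED
# rule, on every later rule and on the policy means replies never reach
# FORWARD at all, which points away from the filter rules and towards
# routing or the upstream side.
forward_counters() {
	awk '
		/^Chain / {
			inchain = ($2 == "FORWARD")
			if (inchain) print "policy", $4, $5
			next
		}
		inchain && /^ *pkts/ { next }
		inchain && NF >= 9 {
			line = $1 " " $3 " " $6 " " $7 " " $8 " " $9
			for (i = 10; i <= NF; i++) line = line " " $i
			print line
		}
	'
}

# Constructed sample: the FORWARD chain exactly as posted in the thread.
SAMPLE_DUMP='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   19  1140 ACCEPT     0    --  eth2   eth1    192.168.5.0/24       0.0.0.0/0
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 LOG        0    --  *      eth1    0.0.0.0/0            192.168.5.0/24       LOG flags 0 level 4
    0     0 DROP       0    --  *      eth1    0.0.0.0/0            192.168.5.0/24
    0     0 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0'

# Usage:  sh nat.sh rules | iptables-restore
#         iptables -t filter -L -v -n | sh nat.sh check
#         sh nat.sh demo        (runs the counter reader on the sample)
case "${1:-}" in
	rules) gen_nat_rules ;;
	check) forward_counters ;;
	demo)  printf '%s\n' "$SAMPLE_DUMP" | forward_counters ;;
esac
```

Before blaming the rules, confirm that `net.ipv4.ip_forward` is 1 and that `ip route` on the gateway has a default route via eth1 and a connected route for 192.168.5.0/24 via eth2; with the counters above showing nothing at all arriving back in FORWARD, that is where the next look belongs.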