
Re: NAT and IPTABLES problem



Hi

/etc/network# ip r
192.168.5.0/24 dev eth2  proto kernel  scope link  src 192.168.5.1
xx.xx.82.0/24 dev eth1  proto kernel  scope link  src xx.xx.82.221
default via xx.xx.82.193 dev eth1

Thanks,
Mihai

----- Original Message ----
From: Alex Samad <alex@samad.com.au>
To: debian-amd64@lists.debian.org
Sent: Wednesday, April 2, 2008 3:37:33 AM
Subject: Re: NAT and IPTABLES problem

can you also provide the output of

ip r


alex

On Tue, Apr 01, 2008 at 04:01:28PM -0700, chindea mihai wrote:
> Hi,
>
> /etc/network# iptables -t filter -L -v -n
> Chain INPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target    prot opt in    out    source              destination
>    22 10448 ACCEPT    0    --  lo    *      0.0.0.0/0            0.0.0.0/0
>    0    0 LOG        0    --  !lo    *      127.0.0.0/8          0.0.0.0/0          LOG flags 0 level 4
>    0    0 DROP      0    --  !lo    *      127.0.0.0/8          0.0.0.0/0
>    0    0 ACCEPT    0    --  eth2  *      0.0.0.0/0            255.255.255.255
>    36  1206 ACCEPT    0    --  eth2  *      192.168.5.0/24      0.0.0.0/0
>    0    0 ACCEPT    !tcp  --  eth2  *      0.0.0.0/0            224.0.0.0/4
>    0    0 LOG        0    --  eth1  *      192.168.5.0/24      0.0.0.0/0          LOG flags 0 level 4
>    0    0 DROP      0    --  eth1  *      192.168.5.0/24      0.0.0.0/0
>    0    0 ACCEPT    0    --  eth1  *      0.0.0.0/0            255.255.255.255
>    38 15905 ACCEPT    0    --  eth1  *      0.0.0.0/0            xx.xx.xx.221
>    31  899 ACCEPT    0    --  eth1  *      0.0.0.0/0            xx.xx.xx.255
>    0    0 LOG        0    --  *      *      0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 4
>    0    0 DROP      0    --  *      *      0.0.0.0/0            0.0.0.0/0
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target    prot opt in    out    source              destination
>    19  1140 ACCEPT    0    --  eth2  eth1    192.168.5.0/24      0.0.0.0/0
>    0    0 ACCEPT    0    --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
>    0    0 LOG        0    --  *      eth1    0.0.0.0/0            192.168.5.0/24      LOG flags 0 level 4
>    0    0 DROP      0    --  *      eth1    0.0.0.0/0            192.168.5.0/24
>    0    0 LOG        0    --  *      *      0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 4
>    0    0 DROP      0    --  *      *      0.0.0.0/0            0.0.0.0/0
>
> Chain OUTPUT (policy DROP 1 packets, 92 bytes)
>  pkts bytes target    prot opt in    out    source              destination
>    22 10448 ACCEPT    0    --  *      lo      0.0.0.0/0            0.0.0.0/0
>    0    0 ACCEPT    0    --  *      eth2    0.0.0.0/0            255.255.255.255
>    35  1399 ACCEPT    0    --  *      eth2    0.0.0.0/0            192.168.5.0/24
>    1  107 ACCEPT    !tcp  --  *      eth2    0.0.0.0/0            224.0.0.0/4
>    0    0 LOG        0    --  *      eth1    0.0.0.0/0            192.168.5.0/24      LOG flags 0 level 4
>    0    0 DROP      0    --  *      eth1    0.0.0.0/0            192.168.5.0/24
>    0    0 ACCEPT    0    --  *      eth1    0.0.0.0/0            255.255.255.255
>    89  9594 ACCEPT    0    --  *      eth1    xx.xx.xx.221        0.0.0.0/0
>    0    0 ACCEPT    0    --  *      eth1    xx.xx.xx.255        0.0.0.0/0
>    0    0 LOG        0    --  *      *      0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 4
>    0    0 DROP      0    --  *      *      0.0.0.0/0            0.0.0.0/0
> /etc/network#                                                                                 
>
> xx.xx.xx.221 is my static IP, provided by ISP.
>
>
> /etc/network# iptables -t nat -L -v -n
> Chain PREROUTING (policy ACCEPT 105 packets, 11641 bytes)
>  pkts bytes target    prot opt in    out    source              destination
>
> Chain POSTROUTING (policy ACCEPT 38 packets, 1769 bytes)
>  pkts bytes target    prot opt in    out    source              destination
>    67  4020 MASQUERADE  0    --  *      eth1    192.168.5.0/24      0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT 39 packets, 1861 bytes)
>  pkts bytes target    prot opt in    out    source              destination
> /etc/network# 
>
>
> /etc/network# iptables -t mangle -L -v -n
> Chain PREROUTING (policy ACCEPT 995 packets, 121K bytes)
>  pkts bytes target    prot opt in    out    source              destination
>
> Chain INPUT (policy ACCEPT 824 packets, 110K bytes)
>  pkts bytes target    prot opt in    out    source              destination
>
> Chain FORWARD (policy ACCEPT 83 packets, 4952 bytes)
>  pkts bytes target    prot opt in    out    source              destination
>
> Chain OUTPUT (policy ACCEPT 892 packets, 128K bytes)
>  pkts bytes target    prot opt in    out    source              destination
>
> Chain POSTROUTING (policy ACCEPT 1243 packets, 140K bytes)
>  pkts bytes target    prot opt in    out    source              destination
> /etc/network#   
>
> That's all.
> Thanks,
>
> Mihai
> ----- Original Message ----
> From: Bonnel Christophe <mage.tophinus@free.fr>
> To: chindea mihai <misubs24@yahoo.com>
> Cc: debian-amd64@lists.debian.org
> Sent: Tuesday, April 1, 2008 3:08:54 PM
> Subject: Re: NAT and IPTABLES problem
>
> Can you post the output of these 3 commands?
> /sbin/iptables -t filter -L -v -n
> /sbin/iptables -t nat -L -v -n
> /sbin/iptables -t mangle -L -v -n
>
> chindea mihai wrote:
> >
> >
> > ----- Original Message ----
> > From: Bonnel Christophe <mage.tophinus@free.fr>
> > To: chindea mihai <misubs24@yahoo.com>
> > Cc: debian-amd64@lists.debian.org
> > Sent: Tuesday, April 1, 2008 4:22:38 AM
> > Subject: Re: NAT and IPTABLES problem
> >
> > Hi,
> >
> > I think there are two problems here:
> > >
> > > #Forward LAN traffic from LAN $INTIF to Internet $EXTIF
> > > $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT
> > You allow only NEW and ESTABLISHED output to the web. Didn't you forget
> > RELATED?
> >
> > You must also let your gateway forward input data from the web:
> > $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > You should also redefine the default policy:
> > $IPTABLES -P INPUT DROP
> > $IPTABLES -P OUTPUT DROP
> > $IPTABLES -P FORWARD DROP
> > $IPTABLES -t nat -P PREROUTING ACCEPT
> > $IPTABLES -t nat -P POSTROUTING ACCEPT
> > $IPTABLES -t nat -P OUTPUT ACCEPT
> >
> > Now, this line  :
> > >
> > >    $IPTABLES -t nat -A POSTROUTING -s 192.168.5.0/24 -o eth1 -j SNAT --to xx.xx.xx.xxx, and it's still not working.
> > >
> > You should use it if you want DMZ for example, so you don't need it here.
> >
> > Hope this helps
> >
> > Christophe
> >
> > I made those changes, but unfortunately I still get "Request times
> > out" on ping attempts from the subnet PC.
> > You know it's weird, because I have VMware installed and apparently the NAT
> > connection works just fine for it; well, VMware doesn't use iptables.
> >
> > Mihai,
> >
> >
>
>
>
>
>
>
--
Dr. Livingston?
Dr. Livingston I. Presume?
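An added example, not part of this thread or of anyone's posted script: a small shell audit that parses the `iptables -t filter -L -v -n` output format quoted above and checks that the FORWARD chain carries the two rules Christophe asked for (a LAN-to-WAN ACCEPT and a RELATED,ESTABLISHED return rule) and that no catch-all DROP precedes them. The interface and network names are the ones from the thread; the sample dump is constructed from the FORWARD chain Mihai posted, and the function also accepts a full filter-table dump.

```shell
#!/bin/sh
# Added example: audit a saved "iptables -t filter -L -v -n" dump for the two
# FORWARD rules a NAT gateway needs. Sample dump constructed from the FORWARD
# chain posted in this thread (other chains in a full dump are skipped).
FORWARD_DUMP='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination
   19  1140 ACCEPT    0    --  eth2  eth1    192.168.5.0/24      0.0.0.0/0
    0    0 ACCEPT    0    --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0    0 LOG        0    --  *      eth1    0.0.0.0/0            192.168.5.0/24      LOG flags 0 level 4
    0    0 DROP      0    --  *      eth1    0.0.0.0/0            192.168.5.0/24
    0    0 LOG        0    --  *      *      0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 4
    0    0 DROP      0    --  *      *      0.0.0.0/0            0.0.0.0/0'

# check_forward DUMP LAN_IF WAN_IF LAN_NET
# Prints one finding per line; exits 0 only if the outbound rule and the
# stateful return rule are both present and not shadowed by a catch-all DROP.
check_forward() {
  printf '%s\n' "$1" | awk -v lan="$2" -v wan="$3" -v net="$4" '
    /^Chain / { inchain = ($2 == "FORWARD"); next }
    !inchain || /^ *pkts/ || NF < 9 { next }
    # Column layout of "-L -v -n": pkts bytes target prot opt in out src dst [match]
    { target = $3; in_if = $6; out_if = $7; src = $8 }
    # A catch-all DROP seen before a needed rule shadows everything after it
    target == "DROP" && in_if == "*" && out_if == "*" && !(out_ok && ret_ok) {
      shadow = 1
    }
    target == "ACCEPT" && in_if == lan && (out_if == wan || out_if == "*") &&
      (src == net || src == "0.0.0.0/0") && !shadow { out_ok = 1 }
    target == "ACCEPT" && /ESTABLISHED/ && /RELATED/ && !shadow { ret_ok = 1 }
    END {
      msg = out_ok ? "ok      " : "MISSING "
      print msg "outbound " lan " -> " wan " ACCEPT for " net
      msg = ret_ok ? "ok      " : "MISSING "
      print msg "RELATED,ESTABLISHED return rule"
      if (shadow) print "WARN    catch-all DROP precedes a needed rule"
      exit !(out_ok && ret_ok)
    }'
}

check_forward "$FORWARD_DUMP" eth2 eth1 192.168.5.0/24
```

On a live gateway, feed it `iptables -t filter -L -v -n` output instead of the constructed dump; a non-zero exit means the FORWARD chain alone explains timed-out pings from the LAN.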


