
Re: Having trouble establishing IP masquerading



You need to have rules in the FORWARD chain (of the filter table). The examples in the URL you referenced:

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

I'm guessing $EXTIF would be eth0, and $INTIF would be whatever your inside interface is.

David
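The two FORWARD rules above are the whole fix, but a complete script is easier to check than two lines pasted into the posted one. The following is an added example and is not part of David's reply, the HOWTO, or Hendrik's script: it emits a minimal masquerading ruleset in iptables-restore(8) format (so it loads atomically instead of rule by rule), restricts MASQUERADE and forwarding to the LAN prefix, and can optionally apply it. The interface names and LAN prefix (eth0, eth1, 192.168.1.0/24) are assumptions; substitute your own. Note that the MASQUERADE rule in the quoted output shows 0 packets: that is consistent with the diagnosis, because packets dropped by the FORWARD policy never reach nat/POSTROUTING.

```shell
#!/bin/sh
# Added example, not code from the thread: generate (and optionally apply)
# a minimal masquerading ruleset in iptables-restore(8) format that includes
# the FORWARD rules the posted script lacked. The defaults used below
# (eth0 outside, eth1 inside, 192.168.1.0/24 as the LAN) are assumptions.

# Emit the ruleset on stdout.
#   $1 = external interface, $2 = internal interface,
#   $3 = LAN prefix that is allowed to be forwarded and masqueraded.
build_masq_rules() {
    extif=$1
    intif=$2
    lan=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Only masquerade traffic that really originates from the LAN prefix.
-A POSTROUTING -s $lan -o $extif -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Without these two rules every forwarded packet hits the DROP policy and
# never reaches nat/POSTROUTING, so the MASQUERADE counter stays at 0.
-A FORWARD -i $extif -o $intif -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $intif -o $extif -s $lan -j ACCEPT
COMMIT
EOF
}

# Count the FORWARD rules in a ruleset read from stdin (0 if none).
count_forward_rules() {
    grep -c -e '^-A FORWARD' || true
}

# Load the ruleset atomically and turn on IPv4 forwarding. Needs root.
apply_masq_rules() {
    build_masq_rules "$@" | iptables-restore
    sysctl -w net.ipv4.ip_forward=1
}

# Usage: sh masq.sh print [EXTIF INTIF LAN]   - show the ruleset
#        sh masq.sh apply [EXTIF INTIF LAN]   - load it (as root)
case "${1:-}" in
    print) build_masq_rules "${2:-eth0}" "${3:-eth1}" "${4:-192.168.1.0/24}" ;;
    apply) apply_masq_rules "${2:-eth0}" "${3:-eth1}" "${4:-192.168.1.0/24}" ;;
esac
```

After `apply`, run `iptables -t nat -L POSTROUTING -v -n` while a LAN host is browsing: the pkts column on the MASQUERADE rule should now be climbing instead of staying at 0. The `-s $lan` on both the MASQUERADE and the inside-to-outside FORWARD rule means a host plugging into the inside interface with a non-LAN source address is neither forwarded nor NATed, which the original one-line MASQUERADE rule would have done for anything leaving eth0. This handles IPv4 only; ip6tables needs its own rules.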

On 9/11/10 8:10 AM, Hendrik Boom wrote:
I've been IP masquerading for years. But now my Pentium front-end machine 
has bit the dust, and I'm setting up my server to do the masquerading 
itself.

It's an AMD64 running Debian lenny:

hendrik@lovesong:~$ uname -a
Linux lovesong 2.6.30-1-486 #1 Mon Aug 3 15:05:33 UTC 2009 i686 GNU/Linux
hendrik@lovesong:~$ 

I've been more-or-less following the instructions in 

http://tldp.org/HOWTO/IP-Masquerade-HOWTO/firewall-examples.html

but nothing seems to work.  I wondered if perhaps the modules weren't 
being loaded, so I did lsmod.  Instead of the modules I requested, whose 
names started with ip_, I have another set of modules with similar names 
starting with nf_.  Is this relevant?

The script I'm using to start IP forwarding is as follows:

#!/bin/sh

modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp

modprobe ip_conntrack_irc

modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_nat_irc


echo "1" > /proc/sys/net/ipv4/ip_forward

iptables --policy INPUT ACCEPT
iptables --flush INPUT
iptables --policy OUTPUT ACCEPT
iptables --flush OUTPUT
iptables --policy FORWARD DROP

iptables -t nat -F

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

echo list resulting ip tables
iptables --list 

echo filter:
iptables -L -n -t filter

echo mangle:
iptables -L -n -t mangle

echo nat:
iptables -t nat -n -L -v


And when I run it, it reports:

list resulting ip tables
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
filter:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
mangle:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
nat:
Chain PREROUTING (policy ACCEPT 32304 packets, 2322K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 2881 packets, 200K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 3520 packets, 242K bytes)
 pkts bytes target     prot opt in     out     source               destination         


Evidently, when I run it, it does *something*.  But when I try to
use the masquerade, nothing seems to get through, except from the
machine doing the masquerading itself.  The server is currently 
the only machine on my LAN that has access to the internet.

-- hendrik


