
problem with iptables nat

Hello,

While we learned that the fast and easy-to-use fast nat didn't work anymore (horrible), we tried to get iptables' ugly nat features to work. And see, they do not work.

We changed from a SuSE 8.2 2.4 kernel to Debian. Our test equipment looks like this:
Given is a standard debian 2.6.8-2 kernel for 386; we also added the appropriate kernel headers.

There are two interfaces:

eth0      Protokoll:Ethernet  Hardware Adresse 00:02:1E:F1:AA:32  
          inet Adresse:172.31.27.1  Bcast:172.31.31.255  Maske:255.255.248.0
          inet6 Adresse: fe80::202:1eff:fef1:aa32/64 Gültigkeitsbereich:Verbindung
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         
eth1      Protokoll:Ethernet  Hardware Adresse 00:01:02:04:C2:55  
          inet Adresse:192.168.2.1  Bcast:192.168.2.255  Maske:255.255.255.0
          inet6 Adresse: fe80::201:2ff:fe04:c255/64 Gültigkeitsbereich:Verbindung
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
       
lo        Protokoll:Lokale Schleife  
          inet Adresse:127.0.0.1  Maske:255.0.0.0
          inet6 Adresse: ::1/128 Gültigkeitsbereich:Maschine
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
       
In our testing environment, there are two test machines connected to each interface with the IPs 172.31.27.10 (1) and 192.168.2.20 (2).
Like it should be, the nets are not routed because ip_forward is set to 0. We open the router together with some logging by iptables (no other rules defined):

From now, test machine1 can ping machine 2 and vice versa:

#~ tail -F /var/log/messages
May 11 16:55:33 T4AC00 kernel: FORWARD LOG: IN=eth0 OUT=eth1 SRC="" DST=192.168.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=35 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=6144
May 11 16:55:33 T4AC00 kernel: FORWARD LOG: IN=eth1 OUT=eth0 SRC="" DST=172.31.27.10 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=23 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=6144

So, everything looks fine. Now we start iptables nat.

Think of the 172.31.. network as intranet and the 192.168.. net/machine as DMZ. We would like to get the 192.168.2.20 IP NATted to 172.31.27.20 from the intranet; that means that we can ping 172.31.27.20 from 172.31.27.10, the ping arrives as 192.168.2.20 and the return packet arrives again as 172.31.27.20. Following the NAT HOW-TO, we construct the following rules:

# NAT
#
iptables -t nat -A POSTROUTING -s 192.168.2.20 -o eth0 -j SNAT --to 172.31.27.20
iptables -t nat -A PREROUTING -i eth1 -d 172.31.27.20 -j DNAT --to 192.168.2.20

The nat tables look like this:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination        
DNAT       all  --  anywhere             172.31.27.20        to:192.168.2.20

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination        
SNAT       all  --  192.168.2.20         anywhere            to:172.31.27.20

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

It didn't work; we see no packets in /var/log/messages.

Like I said before, standard kernel. What's wrong?

Greetings,

Dr. Günter Sprakties
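As an added example that is not part of the original mail, here is a small Python model of nat-table traversal for the two rules posted above: it parses them, then runs the echo request from 172.31.27.10 to 172.31.27.20 (entering on eth0) through PREROUTING, routing and POSTROUTING, so the interface each rule is keyed on can be checked against the interface the packet actually arrives on. The routing model (directly connected nets only, taken from the ifconfig output) and the omission of conntrack are simplifications of my own.

```python
# Added model (not from the post) of how the nat table processes the two posted rules:
# PREROUTING/DNAT runs on the ingress interface before routing, POSTROUTING/SNAT after
# routing when the egress interface is known. Only the first packet of a flow is
# modelled; conntrack's reverse mapping for established flows is left out.
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Directly connected networks of the router, taken from the ifconfig output in the post.
ROUTES = {"eth0": ip_network("172.31.24.0/21"), "eth1": ip_network("192.168.2.0/24")}

Packet = namedtuple("Packet", "src dst in_if")
Rule = namedtuple("Rule", "chain target to src dst in_if out_if", defaults=[None] * 4)

def parse_rule(line):
    """Parse the subset of 'iptables -t nat -A ...' syntax used in the post."""
    tok = line.split()
    opts = {tok[i]: tok[i + 1] for i in range(len(tok) - 1) if tok[i].startswith("-")}
    return Rule(opts["-A"], opts["-j"], opts["--to"], opts.get("-s"), opts.get("-d"),
                opts.get("-i"), opts.get("-o"))

def route(dst):
    """Egress interface for dst, or None if no connected network contains it."""
    return next((ifc for ifc, net in ROUTES.items() if ip_address(dst) in net), None)

def matches(r, p, out_if=None):
    """An unspecified match field (None) matches anything, as in iptables."""
    return all(want is None or want == have for want, have in
               ((r.src, p.src), (r.dst, p.dst), (r.in_if, p.in_if), (r.out_if, out_if)))

def traverse(p, rules):
    """Run one packet through nat PREROUTING, routing and nat POSTROUTING; first match wins."""
    for r in rules:
        if r.chain == "PREROUTING" and r.target == "DNAT" and matches(r, p):
            p = p._replace(dst=r.to)
            break
    out_if = route(p.dst)
    for r in rules:
        if r.chain == "POSTROUTING" and r.target == "SNAT" and matches(r, p, out_if):
            p = p._replace(src=r.to)
            break
    return p, out_if

# The two rules exactly as posted, and a variant keying the DNAT rule on eth0, the
# interface on which a packet from the intranet host 172.31.27.10 actually arrives.
POSTED = [parse_rule("iptables -t nat -A POSTROUTING -s 192.168.2.20 -o eth0 -j SNAT --to 172.31.27.20"),
          parse_rule("iptables -t nat -A PREROUTING -i eth1 -d 172.31.27.20 -j DNAT --to 192.168.2.20")]
ETH0_DNAT = [POSTED[0], POSTED[1]._replace(in_if="eth0")]
```

Note that 172.31.27.20 lies inside eth0's own /21, so even with a matching PREROUTING rule the router has to answer ARP for that address (an address alias on eth0 or proxy ARP) before the intranet host's packets reach it at all.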
