iptables, still
Hi all!
After the firmware upgrade of my modem/router, I have strange behaviour
with my LAN: I can ping the internet from my clients but not from the
gateway machine!
Here is the setup:
internet ---- modem ------- eth0 (gateway) ath0 -------- eth0 (client)
with :
modem LAN : 192.168.1.1
modem WAN : dhcp
eth0 gateway : dhcp
ath0 : 192.168.20.1 (fixed)
eth0 client : 192.168.20.3 (fixed)
both running Debian Sarge kernel 2.6
I enabled the NAT mode on the modem so that all traffic goes to eth0, on
which I have the following iptables ruleset:
gateway# iptables-save
# Generated by iptables-save v1.2.11 on Fri Apr 15 10:10:33 2005
*filter
:INPUT DROP [10:878]
:FORWARD DROP [9:360]
:OUTPUT DROP [82:15508]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.20.0/255.255.255.0 -d 192.168.20.1 -i ath0 -j ACCEPT
-A INPUT -s 192.168.20.255 -d 192.168.20.1 -i ath0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j ULOG --ulog-prefix "Netfilter"
-A FORWARD -s 192.168.20.0/255.255.255.0 -i ath0 -o eth0 -m state --state NEW,RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
-A FORWARD -d 192.168.20.0/255.255.255.0 -i eth0 -o ath0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 192.168.20.1 -d 192.168.20.0/255.255.255.0 -o ath0 -j ACCEPT
-A OUTPUT -s 192.168.20.1 -d 192.168.20.255 -o ath0 -j ACCEPT
-A OUTPUT -j ULOG --ulog-prefix "Netfilter"
COMMIT
# Completed on Fri Apr 15 10:10:33 2005
# Generated by iptables-save v1.2.11 on Fri Apr 15 10:10:33 2005
*nat
:PREROUTING ACCEPT [227:28353]
:POSTROUTING ACCEPT [9:743]
:OUTPUT ACCEPT [80:4951]
-A POSTROUTING -s 192.168.20.0/255.255.255.0 -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Apr 15 10:10:33 2005
gateway# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
ping: sendto: Operation not permitted
ping: wrote 192.168.1.1 64 chars, ret=-1
But as I said, from the client it's OK. And:
gateway # route
Table de routage IP du noyau
Destination Passerelle Genmask Indic Metric Ref Use Iface
192.168.20.0 * 255.255.255.0 U 0 0 0 ath0
192.168.2.0 * 255.255.255.0 U 0 0 0 eth1
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
OK, no?
So what's wrong? I haven't changed anything in my setup, so I don't
really understand what's going on (still learning...). What have I missed?
Any help is welcomed ;-)
Greetings
Thanks
steve
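A way to check a ruleset like the one above without touching the firewall is to walk each chain rule by rule for a given packet, the way netfilter does (first terminating match wins, otherwise the chain policy applies). The script below is an added example written for this post, not something from the original mail or from Debian; it embeds the filter-table rules exactly as posted and evaluates the three cases the post describes: an ICMP echo from the gateway itself to the modem (leaving on eth0), an echo from the gateway to a client on ath0, and an echo from a client forwarded through the gateway. The gateway's eth0 address is DHCP-assigned and not given in the post, so 192.168.1.2 is a constructed placeholder. A locally generated packet that hits a DROP in the OUTPUT hook is exactly what makes sendto() return "Operation not permitted", so the OUTPUT verdict is the one to look at.

```python
import ipaddress
import shlex

# Filter-table rules as they appear in the post (counters omitted, same order).
FILTER_RULES = """
:INPUT DROP
:FORWARD DROP
:OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.20.0/255.255.255.0 -d 192.168.20.1 -i ath0 -j ACCEPT
-A INPUT -s 192.168.20.255 -d 192.168.20.1 -i ath0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j ULOG --ulog-prefix "Netfilter"
-A FORWARD -s 192.168.20.0/255.255.255.0 -i ath0 -o eth0 -m state --state NEW,RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
-A FORWARD -d 192.168.20.0/255.255.255.0 -i eth0 -o ath0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 192.168.20.1 -d 192.168.20.0/255.255.255.0 -o ath0 -j ACCEPT
-A OUTPUT -s 192.168.20.1 -d 192.168.20.255 -o ath0 -j ACCEPT
-A OUTPUT -j ULOG --ulog-prefix "Netfilter"
"""

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


def parse_ruleset(text):
    """Parse the subset of iptables-save syntax used in the post."""
    policies, rules = {}, {}
    for line in text.strip().splitlines():
        if line.startswith(":"):                      # ":CHAIN POLICY"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            rules.setdefault(chain, [])
            continue
        toks = shlex.split(line)                      # handles the quoted ULOG prefix
        rule, i = {}, 0
        while i < len(toks):
            t = toks[i]
            if t == "-A":
                rule["chain"] = toks[i + 1]
            elif t in ("-i", "-o", "-s", "-d", "-p", "-j"):
                rule[t] = toks[i + 1]
            elif t == "--dport":
                rule["dport"] = int(toks[i + 1])
            elif t == "--state":
                rule["states"] = set(toks[i + 1].split(","))
            # "-m <module>" and "--ulog-prefix <text>" carry no match condition of their own
            i += 2
        rules.setdefault(rule["chain"], []).append(rule)
    return policies, rules


def _in_net(addr, spec):
    # ipaddress accepts both prefix-length and dotted-netmask notation
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    checks = (
        ("-i", pkt.get("in") == rule.get("-i")),
        ("-o", pkt.get("out") == rule.get("-o")),
        ("-s", "-s" in rule and _in_net(pkt["src"], rule["-s"])),
        ("-d", "-d" in rule and _in_net(pkt["dst"], rule["-d"])),
        ("-p", pkt.get("proto") == rule.get("-p")),
        ("dport", pkt.get("dport") == rule.get("dport")),
        ("states", pkt.get("state") in rule.get("states", ())),
    )
    return all(ok for key, ok in checks if key in rule)


def verdict(chain, pkt, policies, rules):
    """First-match walk of one chain; ULOG is non-terminating, so the walk continues past it."""
    for rule in rules.get(chain, []):
        if rule_matches(rule, pkt) and rule["-j"] in TERMINATING:
            return rule["-j"]
    return policies[chain]


def diagnose():
    policies, rules = parse_ruleset(FILTER_RULES)
    # 192.168.1.2 is a constructed placeholder for the gateway's DHCP-assigned eth0 address
    gw_to_modem = {"out": "eth0", "src": "192.168.1.2", "dst": "192.168.1.1", "proto": "icmp", "state": "NEW"}
    gw_to_client = {"out": "ath0", "src": "192.168.20.1", "dst": "192.168.20.3", "proto": "icmp", "state": "NEW"}
    client_fwd = {"in": "ath0", "out": "eth0", "src": "192.168.20.3", "dst": "192.168.1.1", "proto": "icmp", "state": "NEW"}
    modem_reply = {"in": "eth0", "src": "192.168.1.1", "dst": "192.168.1.2", "proto": "icmp", "state": "ESTABLISHED"}
    return {
        "gateway_to_modem": verdict("OUTPUT", gw_to_modem, policies, rules),
        "gateway_to_client": verdict("OUTPUT", gw_to_client, policies, rules),
        "client_forward": verdict("FORWARD", client_fwd, policies, rules),
        "modem_reply_to_gateway": verdict("INPUT", modem_reply, policies, rules),
    }


if __name__ == "__main__":
    for case, result in diagnose().items():
        print(f"{case}: {result}")
```

Running it shows the asymmetry in the post: the OUTPUT chain only accepts traffic on lo and on ath0 to 192.168.20.0/24, so anything the gateway itself sends out eth0 falls through to the OUTPUT DROP policy, while a client's packet is covered by the first FORWARD rule and then masqueraded. The INPUT walk for the modem's reply shows the same gap on the way back, which is worth knowing before adding only an OUTPUT rule.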