
Re: NAT problems



On Thu, 13-09-2007 at 10:27 +0200, Pascal Hambourg wrote:
> Carlos Pasqualini wrote:
> > 
> This one has nf_conntrack/nf_nat enabled anyway.
> Again, please describe precisely what is going wrong.
> 
> 

The point is just that I don't know what is going on... so I'm looking
for changes that could be the source of the problem.

When I start to implement a Linux box as a router, I test it with a script
that does not filter anything, it just does masquerading. After all works
well I restart the script, but filtering everything and saying "this packet >
accept".

The early script (the really insecure one) gives me failures in the
network. The script is so simple:

# variables used below; the mail does not show where they are set
IPTABLES=iptables
EXT=ppp0     # external interface: ppp0 on the PPPoE box, eth0 at home
INT=eth1     # LAN interface, name assumed

# flush every table / chain and reset all policies to ACCEPT
for t in filter nat mangle; do
        $IPTABLES -t $t -F
        $IPTABLES -t $t -X
done
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P INPUT DROP

# masquerade everything that leaves through the external interface
$IPTABLES -t nat -A POSTROUTING -o $EXT -j MASQUERADE

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -p icmp -j ACCEPT
$IPTABLES -N permitido
$IPTABLES -A permitido -p tcp --syn -j ACCEPT
$IPTABLES -A permitido -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A permitido -p tcp -j DROP
# external tcp open ports
for i in `cat /etc/firewall/conf/ext_tcp_open_ports`; do
        echo -n "iptables -A INPUT --protocol tcp -i $EXT --dport $i -j permitido"
        $IPTABLES -A INPUT -m state --state NEW --protocol tcp -i $EXT --dport $i -j permitido && echo "         done!"
done
# (same for input tcp/udp ext/int ports)
# squid routing: LAN web traffic not destined for the LAN itself goes to squid
# ("! -d" is the current spelling of the older "-d !" syntax)
$IPTABLES -t nat -A PREROUTING ! -d 192.168.20.0/24 --protocol tcp -i $INT --dport 80 -j REDIRECT --to-ports 3128
echo 1 > /proc/sys/net/ipv4/ip_forward


As you can see, it's a very stupid script that can't fail!!!
(It can be a security risk, it's ugly... but no problem about NAT!)


Now I'm making tests at home with this box, the same script, but with only
one change:

the external device is a DHCP client on eth0, not a PPPoE ppp0, and you
know what?? IT WORKS!

So it's nothing about the iptables script ¿WTF?... it's another thing
that I can't find...

When I use ppp0 as the internet connection, I run the script
from /etc/ppp/ip-up.d/firewall.sh for example, so it executes whenever
the ppp device goes up and we have internet access.

The failure was that some websites didn't work, no MSN Messenger (WTF?)
and other things like that... some things work, others don't... in a
way that I can't find any logic about it. That's why I'm asking for
documentation and not describing the entire situation.

The point that iptables doesn't change anything between the old and new
frameworks tells me a lot. It tells me that I'm making another, even more
stupid error!! ;)

Again,
thanks!!

chary
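As an added check that is not part of the original mail or the script in it: a small shell function that reads `iptables-save` output and confirms the rules the script above is meant to install (INPUT policy DROP, the ESTABLISHED,RELATED accept, MASQUERADE on the uplink) actually landed for the interface named, which is the first thing to verify when the ruleset is loaded from /etc/ppp/ip-up.d and the uplink is ppp0 on one box and eth0 on another. The function name and the sample dump are constructed for this example.

```shell
#!/bin/sh
# Added check, not part of the original script: read iptables-save output and
# confirm the rules the masquerading script should have installed are there.
# check_ruleset and SAMPLE_DUMP are names/data constructed for this example.
# On the router, as root:   iptables-save | check_ruleset ppp0

# check_ruleset EXT_IF: reads iptables-save text on stdin, prints one line per
# check and returns the number of failed checks (0 = ruleset looks right).
check_ruleset() {
    ext="$1"
    dump=$(cat)
    fails=0
    # the script sets the INPUT policy to DROP before adding any rule
    if printf '%s\n' "$dump" | grep -q '^:INPUT DROP'; then
        echo "ok    INPUT policy is DROP"
    else
        echo "FAIL  INPUT policy is not DROP"; fails=$((fails + 1))
    fi
    # return traffic must be accepted on INPUT (iptables-save may print the
    # two states in either order)
    if printf '%s\n' "$dump" | grep -Eq -- \
        '^-A INPUT -m state --state (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT'; then
        echo "ok    INPUT accepts ESTABLISHED,RELATED"
    else
        echo "FAIL  no ESTABLISHED,RELATED accept rule on INPUT"; fails=$((fails + 1))
    fi
    # MASQUERADE must be bound to the interface that really is the uplink; a
    # stale $EXT (eth0 instead of ppp0) leaves the LAN without NAT
    if printf '%s\n' "$dump" | grep -q -- "^-A POSTROUTING -o $ext -j MASQUERADE"; then
        echo "ok    MASQUERADE on $ext"
    else
        echo "FAIL  no MASQUERADE rule for $ext in nat/POSTROUTING"; fails=$((fails + 1))
    fi
    return $fails
}

# constructed sample of what iptables-save prints after the script ran with EXT=ppp0
SAMPLE_DUMP='*nat
:POSTROUTING ACCEPT [0:0]
-A PREROUTING ! -d 192.168.20.0/24 -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

printf '%s\n' "$SAMPLE_DUMP" | check_ruleset ppp0
```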


