
iptables, nat mystery - good stuff!



I've got a problem with my simple network and firewalling. Unless it is
a problem somewhere else.

I have a box set up as a firewall/router with Woody running kernel
2.4.20 and the iptables kernel configuration all set up. I have a
private network 192.168.1.0 set up behind the firewall, with at this
time only a single machine connected, a laptop also running Debian
Woody. That's a connection made on interface eth1. The interface eth0 is
to my cablemodem thence to my ISP, IOW, the Universe. Since I have for
the purposes of this exercise a fixed IP address on eth0, I want to do
SNAT to allow traffic initiated from the box behind the firewall to the
Universe, to pass, and responses from the Universe to be routed back
through the firewall to the internal NATed box. Clear so far?

Pretty standard stuff, I'd 'av thought. Now it gets sticky. The laptop
a.k.a. the "box behind the wall" can initiate an HTTP query, and gets DNS
replies when for instance I do "lynx www.debian.org/". I can see that.
But then no data from the server Out There in the Universe gets back to
lynx (or Galeon, or Konqueror, or ...) and the connection just "hangs".

So, you think, "oh, that's easy. he's got a ruleset in his firewall
[iptables] that is stopping the replies". Well, maybe, but I don't see
that. On this firewall I have some debugging rules set up that log every
packet FORWARDed through the router-box To and FROM the Universe. These
log entries show "www.debian.org" trying to reply to the laptop and
being ACCEPTed for FORWARDing. Likewise they show the initial packets
going out from laptop. All seems well, except that in the laptop, if it
is getting the replies, it never seems to know it. What wicked thing
could be happening to my packets in-between the firewalling-box and the
laptop, I do not understand.

I can telnet into any Web host and am not blocked. I can ping out to any
host and get replies. What I cannot seem to get is HTTP and maybe
(probably) FTP traffic going.

I will *attach* the script which configures my firewall, that is,
configures iptables, to this posting. I thank in advance anyone
knowledgeable who takes the time to peruse, and also need to acknowledge
that it isn't original but is based on someone's work I found on the
'net. Also please realize I am very new to all this so it may look
incredibly stupid. Oh, and this script is to live in /etc/init.d/ in
case that isn't clear by looking at it.

BTW, somewhere along the line since most of the available iptables
documentation was written, including what's packaged for Debian, the
names of many add-on modules have been changed from ip_* to ipt_*, thus
making the docus confusing to try to use, to say the least. Does anybody
know about this (try `lsmod | grep 'ip_'` vs. `lsmod | grep 'ipt_'). And
where the 'eck did the bl__dy ipt_conntrac_ftp module go?

   Soren Andersen
-- 
See my OpenPGP key at https://savannah.gnu.org/people/viewgpg.php?user_id=6050
GnuPG public key fingerprint  | "Only when efforts to reform society have as
 BD26 A5D8 D781 C96B 9936     |  their point of departure the reformation of
 310F 0573 A3D9 4E24 4EA6     |  the inner life -- human revolution -- will
they lead us with certainty to a world of lasting peace and true human security."
                                -- Daisaku Ikeda
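The layout the post describes (fixed address on eth0, 192.168.1.0/24 on eth1, SNAT, a debugging LOG rule on FORWARD) written out as an added example ruleset; this is not the poster's attached script. Assumptions: the public address is the placeholder 203.0.113.10, module names are the 2.4-kernel ones (the FTP helper is ip_conntrack_ftp, not ipt_*), and an MSS-clamping rule is included because bulk HTTP hanging while ping and telnet succeed is the classic path-MTU symptom rather than a FORWARD-chain block.

```shell
#!/bin/sh
# Added example, not the poster's attached script: a minimal SNAT ruleset
# for a 2.4-kernel router with a fixed address on eth0 and 192.168.1.0/24 on eth1.
WAN_IF="${WAN_IF:-eth0}"
WAN_IP="${WAN_IP:-203.0.113.10}"      # placeholder, replace with the real fixed IP
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Print the rules one per line so they can be reviewed before anything is applied.
fw_rules() {
    cat <<EOF
-F
-t nat -F
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j LOG --log-prefix FWD:
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
-t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $WAN_IP
EOF
}

# Number of rules fw_rules emits, for a sanity check before applying.
fw_rule_count() {
    fw_rules | wc -l | tr -d ' '
}

# Load the 2.4 modules and apply the rules. Note the names: the conntrack core
# and its FTP helper are ip_conntrack / ip_conntrack_ftp (plus ip_nat_ftp for
# NAT); only match and target modules such as ipt_state and ipt_LOG use ipt_.
apply_rules() {
    for m in ip_conntrack ip_conntrack_ftp ip_nat_ftp iptable_nat ipt_state ipt_LOG ipt_TCPMSS; do
        modprobe "$m" 2>/dev/null || echo "warning: could not load $m" >&2
    done
    echo 1 > /proc/sys/net/ipv4/ip_forward
    fw_rules | while read -r line; do
        iptables $line   # word splitting of $line into arguments is intended
    done
}

# Only touch the live firewall when explicitly asked: ./fw.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run it with no argument to print the rule list for review (the LOG rule logs every forwarded packet, as in the post's debugging setup, so drop it once the problem is found).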