genius n00b

Joined: 14 Aug 2004 Posts: 19
Posted: Wed Aug 25, 2004 6:36 pm Post subject: Iptables not forwarding
I have tried everything I can think of, but haven't figured this out. I am trying to use NAT/Masq to connect a few systems to a single LAN internet connection. The gateway system is configured as follows: eth0 = LAN address (could be dynamic or static, currently dynamic); eth1 = 192.168.5.1 (always static, it will never change).
iptables is configured as:
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- 0.0.0.0/0 192.168.0.0/16
ACCEPT all -- 192.168.0.0/16 0.0.0.0/0
ACCEPT all -- 192.168.0.0/16 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
The following modules are loaded (a lot more than necessary, but couldn't figure out why it wasn't working, so I loaded them all thinking maybe one of them might get it to work):
Code:
Module Size Used by
ipt_multiport 2560 0
ipt_LOG 6912 0
ipt_state 2496 0
ip_nat_tftp 3984 0
ip_nat_snmp_basic 11588 0
ip_nat_irc 5136 0
ip_nat_ftp 6224 0
ip_nat_amanda 3096 0
ip_conntrack_tftp 4144 0
ip_conntrack_irc 71920 1 ip_nat_irc
ip_conntrack_ftp 72560 1 ip_nat_ftp
ip_conntrack_amanda 69984 1 ip_nat_amanda
ipt_MASQUERADE 4736 1
iptable_nat 29692 7 ip_nat_tftp,ip_nat_snmp_basic,ip_nat_irc,ip_nat_ftp,ip_nat_amanda,ipt_MASQUERADE
ip_conntrack 44260 11 ipt_state,ip_nat_tftp,ip_nat_irc,ip_nat_ftp,ip_nat_amanda,ip_conntrack_tftp,ip_conntrack_irc,ip_conntrack_ftp,ip_conntrack_amanda,ipt_MASQUERADE,iptable_nat
iptable_filter 3264 1
ip_tables 19904 6 ipt_multiport,ipt_LOG,ipt_state,ipt_MASQUERADE,iptable_nat,iptable_filter
This is currently running the 2.6.7-gentoo-r14 SMP kernel on an Opteron (x86_64). I plan on running the OpenMosix kernel as soon as it is available on all nodes on the private network.
If anyone has any ideas, please let me know.
lwithers Guru

Joined: 31 Dec 2003 Posts: 300 Location: Reading, UK
Posted: Wed Aug 25, 2004 7:01 pm
First, what is the output of "cat /proc/sys/net/ipv4/ip_forward"? If it's 0, then forwarding isn't enabled in the kernel, so do:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
If that's not the problem, post the commands you are using to do the NATing. I believe you would want something like this:
Code:
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4
Assuming that outgoing packets should be on eth0; obviously you'll have to put the external IP in place of 1.2.3.4. Or, if the external IP changes, then you should use:
Code:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
genius n00b

Joined: 14 Aug 2004 Posts: 19
Posted: Wed Aug 25, 2004 7:33 pm
I have done the following:
Code:
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
The second line is because it is on a dynamic address at the moment; once I have the system on a static IP, that will be changed to echo a "0".
The commands to set up IP forwarding (they have been stripped down to the bare minimum, of course, to minimize the complexity):
Code:
iptables -I FORWARD -i eth0 -d 192.168.0.0/255.255.0.0 -j DROP
iptables -A FORWARD -i eth0 -s 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -A FORWARD -i eth1 -d 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done
lwithers Guru

Joined: 31 Dec 2003 Posts: 300 Location: Reading, UK
Posted: Wed Aug 25, 2004 7:39 pm
Try flushing the FORWARD chain in case that is the problem. Also, what are the policies on the nat table chains? Finally, can you explain the topology of your network (i.e. what eth0 and eth1 are)? Thanks.
genius n00b

Joined: 14 Aug 2004 Posts: 19
Posted: Wed Aug 25, 2004 7:57 pm
I flush all three (input, forward, output) before any of the rules get set.
I am not sure what you are wanting with "policies on the nat table chains". *puzzled*
The topology is as follows:
Code:
                     Gateway System                    Other Systems
                 ---------------------
                /                     \
[Internet] ----------> eth0       eth1 <-----------> Local LAN (clients)
 <dynamic>                   192.168.5.1             192.168.5.X
                \                     /
                 ---------------------
Once the line has been connected, then eth0 will have a static IP, something like 134.68.1.112. You should get the idea. The main reason for setting this up is so that the clients have Internet access. All connections to this cluster will be solely through the gateway system. Clients are set up so that compiling is distributed from the main node with DistCC, and as indicated earlier, the clients will be running OpenMosix (think load balancing everything from the gateway to the clients as long as the processes are not IO-bound).
lwithers Guru

Joined: 31 Dec 2003 Posts: 300 Location: Reading, UK
Posted: Wed Aug 25, 2004 11:16 pm
Well, the masquerade command will need to have the output interface set to eth0, right? Because as you've specified it, the NATing will only take place on packets headed for the local network. So change your masquerade line to have "-o eth0" and see if that helps.
If it doesn't, then flush the forward chain temporarily and see if it works then.
And for policies on the nat table, when you do "iptables -t nat -L", it should tell you what the policies are. You want them all as ACCEPT, I think.
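A worked version of what lwithers' replies describe (enable ip_forward, put the MASQUERADE rule on the Internet-facing interface, and keep the FORWARD chain sane), added here as an example; it is not code posted in this thread. It assumes eth0 faces the Internet, eth1 is the LAN side, and the clients sit in 192.168.5.0/24 (the thread matched 192.168.0.0/16). It also goes a step further than the thread by giving FORWARD a DROP policy and only letting established/related replies back in from eth0, using the ipt_state module that was already loaded. The check function parses iptables-save output and catches the "-o eth1" mistake diagnosed above.

```shell
#!/bin/sh
# Added example, not from the thread: build, review and sanity-check a
# minimal masquerading gateway for a two-interface box.
# Assumed names: eth0 = outside (dynamic or static address), eth1 = inside
# (192.168.5.1), 192.168.5.0/24 = client network.

EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.5.0/24}"

# Print the commands instead of running them, so they can be read first.
# The rp_filter loop is the one from the thread; the FORWARD rules are
# stateful: LAN -> Internet is allowed, Internet -> LAN only for replies.
build_rules() {
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > \$f; done
iptables -F FORWARD
iptables -t nat -F POSTROUTING
iptables -P FORWARD DROP
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $EXT_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Read "iptables-save" style text on stdin and return 0 only if the
# MASQUERADE rule leaves via the external interface.  A missing rule or one
# bound to the LAN side ("-o eth1", the bug in this thread) returns 1.
check_masq_iface() {
    out_if=$(awk '/-j MASQUERADE/ { for (i = 1; i <= NF; i++) if ($i == "-o") print $(i+1) }' | head -n 1)
    [ "$out_if" = "$EXT_IF" ]
}

# Return 0 if forwarding is switched on.  Takes an optional path so the
# check can be run against a copy of the sysctl file.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

case "${1:-}" in
    apply) build_rules | sh -e ;;                         # needs root
    check) ip_forward_enabled || echo "ip_forward is 0"
           iptables-save | check_masq_iface \
               && echo "MASQUERADE leaves via $EXT_IF" \
               || echo "MASQUERADE rule missing or not on $EXT_IF" ;;
    *)     build_rules ;;                                 # dry run
esac
```

Run it with no arguments to see the rules, "apply" to load them, and "check" on a box that is already configured; EXT_IF, INT_IF and LAN_NET can be overridden from the environment.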
genius n00b

Joined: 14 Aug 2004 Posts: 19
Posted: Thu Aug 26, 2004 5:45 pm
That fixed it. Thanks for all the help.
Don