Gentoo Forums
NAT with kernel 2.6.20-r2
erzapito (Tux's lil' helper, joined 02 Feb 2007, 136 posts)
Posted: Sat Mar 10, 2007 4:26 pm    Post subject: NAT with kernel 2.6.20-r2

Hello, I have iptables running with these rules.

Code:
#!/bin/sh
# Flush both tables and set open default policies; everything below is an
# explicit ACCEPT/REJECT/DROP layered on top of a policy of ACCEPT.
iptables -F
iptables -t nat -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
LAN=eth0
WAN=eth1
AZUREUS_TCP=37896
AZUREUS_UDP=37896
AZUREUS_WEB=6887
AMULE_TCP=4662
AMULE_UDP=4672
# Trust everything that arrives on the LAN side and on loopback.
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
# DHCP and DNS are served to the LAN only ("! -i" negates the interface;
# older iptables releases also accepted the "-i ! ${LAN}" spelling).
iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT
# Services deliberately reachable from the WAN.
iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport http -i ${WAN} -j ACCEPT
# P2P client ports, accepted on any interface (AZUREUS_WEB is set but unused).
iptables -A INPUT -p TCP --dport ${AZUREUS_TCP} -j ACCEPT
iptables -A INPUT -p UDP --dport ${AZUREUS_UDP} -j ACCEPT
iptables -A INPUT -p UDP --dport ${AMULE_UDP} -j ACCEPT
iptables -A INPUT -p TCP --dport ${AMULE_TCP} -j ACCEPT
# Anything else in the privileged port range is dropped from outside the LAN;
# note that ports above 1023 still fall through to the INPUT policy (ACCEPT).
iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
# Forwarding between the 192.168.0.0/24 LAN and the WAN. The FORWARD policy
# is already ACCEPT, so these rules only make the intent explicit.
iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.255.0 -j ACCEPT
# Source NAT for everything that leaves through the WAN interface.
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done
/etc/init.d/iptables save
# Persist the sysctls, adding each line only once: an unconditional ">>"
# appends a duplicate line every time this script is run.
for line in "net.ipv4.ip_forward = 1" \
            "net.ipv4.conf.default.rp_filter = 1" \
            "net.ipv4.ip_dynaddr = 1" ; do
    grep -qxF "$line" /etc/sysctl.conf || echo "$line" >> /etc/sysctl.conf
done
/etc/init.d/iptables restart


The output of "iptables -L" and "iptables -t nat -L" is this:
Code:
localhost ~ # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     0    --  anywhere             anywhere           
ACCEPT     0    --  anywhere             anywhere           
REJECT     udp  --  anywhere             anywhere            udp dpt:bootps reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere            udp dpt:domain reject-with icmp-port-unreachable
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:37896
ACCEPT     udp  --  anywhere             anywhere            udp dpt:37896
ACCEPT     udp  --  anywhere             anywhere            udp dpt:4672
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:4662
DROP       tcp  --  anywhere             anywhere            tcp dpts:0:1023
DROP       udp  --  anywhere             anywhere            udp dpts:0:1023

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     0    --  anywhere             192.168.0.0/24     
ACCEPT     0    --  192.168.0.0/24       anywhere           
ACCEPT     0    --  anywhere             192.168.0.0/24     

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
localhost ~ # iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  0    --  anywhere             anywhere           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination   


My problem is that the NAT just doesn't work. When I try to open a web page, it just stays at "waiting for...".
Any idea where I could start looking? For example, how to analyze what iptables is doing.

Thanks.
loskornosdelsol (n00b, joined 10 Jan 2007, 9 posts)
Posted: Sun Mar 11, 2007 8:14 am

Hi,

Have you executed this command
Code:
echo "net.ipv4.conf.default.rp_filter = 1" >> /etc/sysctl.conf
repeatedly? It would not be clean if your sysctl.conf were filled with such lines. One entry is enough and avoids mistakes.

What about your kernel configuration? What options did you enable to support iptables and NAT?

I am wondering about "MASQUERADE 0 -- anywhere anywhere".
After executing "iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE", I get the result "MASQUERADE all -- anywhere anywhere", where protocol is "all" instead of "0".

Have you used this rule set successfully when running an older kernel?
zietbukuel (l33t, joined 30 Dec 2005, 607 posts)
Posted: Mon Mar 12, 2007 7:28 am

I have this problem too...
machspeed2200 (n00b, joined 01 Feb 2007, 44 posts, Adelaide, South Australia)
Posted: Tue Mar 13, 2007 1:50 am

I also had this problem.

I can't remember exactly what I did, but search for NF_NAT in make menuconfig and enable its dependencies.

It's all in Networking -> Network Options -> Network Filtering (if I remember correctly).

You also have to enable bridge routing (ebtables); there's a NAT option in there. I'll post more info when I'm back in front of my Gentoo box...
zietbukuel (l33t, joined 30 Dec 2005, 607 posts)
Posted: Tue Mar 13, 2007 4:55 am

Why do I need bridging support for NAT? :?
Gentree (Watchman, joined 01 Jul 2003, 5350 posts, France, Old Europe)
Posted: Thu Mar 15, 2007 8:26 am

There is a whole pack of modules needed for this.

You'll be here all year if you keep posting "what do I need for...".

Your quickest solution is to go into networking in the kernel config and turn everything on as modules. Once you have it working use lsmod to see what gets loaded and then tidy up the unneeded modules if you like.

HTH 8)
_________________
Linux, because I'd rather own a free OS than steal one that's not worth paying for.
Gentoo because I'm a masochist
AthlonXP-M on A7N8X. Portage ~x86
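The script below is an added example and is not code from any post in this thread. It turns three points raised above into checks you can run against saved output: erzapito's question of how to analyze what iptables is doing, machspeed2200's pointer to NF_NAT and its dependencies, and Gentree's suggestion to use lsmod to see what actually gets loaded. The Kconfig symbols (CONFIG_NETFILTER, CONFIG_NF_CONNTRACK, CONFIG_NF_CONNTRACK_IPV4, CONFIG_IP_NF_IPTABLES, CONFIG_IP_NF_FILTER, CONFIG_NF_NAT, CONFIG_IP_NF_TARGET_MASQUERADE) and module names (nf_conntrack, nf_conntrack_ipv4, nf_nat, iptable_nat, ipt_MASQUERADE) are this example's assumptions for a 2.6.20-era kernel using the newer NF_NAT code; compare them with your own make menuconfig tree. The sample .config, lsmod and iptables outputs are constructed for the example, not captured from anyone's machine.

```shell
#!/bin/sh
# Added example, not from any post in this thread: three checks for a NAT
# box whose clients sit at "waiting for...". Each check reads a file so it
# can be run against saved output. Option and module names are assumptions
# for a 2.6.20-era kernel with the newer NF_NAT code.

# Kconfig symbols assumed necessary for MASQUERADE on 2.6.20 (assumption).
NAT_OPTIONS="CONFIG_NETFILTER CONFIG_NF_CONNTRACK CONFIG_NF_CONNTRACK_IPV4 \
CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER CONFIG_NF_NAT CONFIG_IP_NF_TARGET_MASQUERADE"

# Modules whose presence in lsmod output shows the NAT path is loaded
# (assumed names; anything built in with =y never shows up in lsmod).
NAT_MODULES="nf_conntrack nf_conntrack_ipv4 nf_nat iptable_nat ipt_MASQUERADE"

# 1. Print every required option that is neither =y nor =m in a kernel
#    .config (e.g. zcat /proc/config.gz > /tmp/cfg; missing_nat_options /tmp/cfg).
missing_nat_options() {
    for opt in $NAT_OPTIONS; do
        grep -q "^${opt}=[ym]\$" "$1" || printf '%s\n' "$opt"
    done
}

# 2. Print the NAT-related modules found in saved "lsmod" output, one per line.
loaded_nat_modules() {
    for mod in $NAT_MODULES; do
        awk -v m="$mod" 'NR > 1 && $1 == m { print m }' "$1"
    done
}

# 3. Print the packet counter of the first MASQUERADE rule in saved
#    "iptables -t nat -L POSTROUTING -v -n -x" output (0 if there is no rule).
#    A counter that stays at 0 while a LAN host browses means packets never
#    reach POSTROUTING on that interface: look at ip_forward and routing.
masq_packets() {
    awk '$3 == "MASQUERADE" { print $1; found = 1; exit }
         END { if (!found) print 0 }' "$1"
}

# Live wrapper: run all three checks on the running router (needs root).
live_diagnose() {
    tmp=$(mktemp -d) || return 1
    zcat /proc/config.gz > "$tmp/cfg" 2>/dev/null || cp /usr/src/linux/.config "$tmp/cfg"
    lsmod > "$tmp/lsmod"
    iptables -t nat -L POSTROUTING -v -n -x > "$tmp/nat"
    echo "ip_forward: $(cat /proc/sys/net/ipv4/ip_forward)"
    echo "missing kernel options:"; missing_nat_options "$tmp/cfg"
    echo "loaded NAT modules:";     loaded_nat_modules "$tmp/lsmod"
    echo "MASQUERADE packets: $(masq_packets "$tmp/nat")"
    rm -rf "$tmp"
}

# Constructed sample inputs (not real captures) so the checks run offline:
# a .config missing the two NAT options, an lsmod listing with conntrack
# but no NAT modules, and a POSTROUTING rule that has never matched.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/cfg" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
# CONFIG_NF_NAT is not set
# CONFIG_IP_NF_TARGET_MASQUERADE is not set
EOF
cat > "$SAMPLE_DIR/lsmod" <<'EOF'
Module                  Size  Used by
iptable_filter          3072  1
ip_tables              13360  1 iptable_filter
nf_conntrack_ipv4      16320  2
nf_conntrack           61424  1 nf_conntrack_ipv4
EOF
cat > "$SAMPLE_DIR/nat" <<'EOF'
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 MASQUERADE  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
EOF

SAMPLE_MISSING=$(missing_nat_options "$SAMPLE_DIR/cfg" | xargs)
SAMPLE_LOADED=$(loaded_nat_modules "$SAMPLE_DIR/lsmod" | xargs)
SAMPLE_PKTS=$(masq_packets "$SAMPLE_DIR/nat")
echo "missing options: $SAMPLE_MISSING"
echo "loaded modules:  $SAMPLE_LOADED"
echo "masq packets:    $SAMPLE_PKTS"
```

On the router itself, run live_diagnose as root. Missing options or an absent nf_nat / ipt_MASQUERADE module are the kernel-side cause this thread ends on; a MASQUERADE counter that never moves while a LAN host tries to browse points instead at ip_forward, routing or the interface names, since the rule is never even consulted.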
zietbukuel (l33t, joined 30 Dec 2005, 607 posts)
Posted: Thu Mar 15, 2007 8:51 am

Thanks, I've managed to correct this issue :)