erzapito Tux's lil' helper

Joined: 02 Feb 2007 Posts: 136
Posted: Sat Mar 10, 2007 4:26 pm Post subject: NAT with kernel 2.6.20-r2
Hello, I have iptables running with these rules.
Code:
# flush the old rules; all three policies default to ACCEPT
iptables -F
iptables -t nat -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
LAN=eth0
WAN=eth1
AZUREUS_TCP=37896
AZUREUS_UDP=37896
AZUREUS_WEB=6887
AMULE_TCP=4662
AMULE_UDP=4672
# everything arriving from the LAN or loopback is accepted
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
# DHCP and DNS are refused on every interface except the LAN
iptables -A INPUT -p UDP --dport bootps -i ! ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain -i ! ${LAN} -j REJECT
# services reachable from the WAN, plus the P2P ports on any interface
iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport http -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport ${AZUREUS_TCP} -j ACCEPT
iptables -A INPUT -p UDP --dport ${AZUREUS_UDP} -j ACCEPT
iptables -A INPUT -p UDP --dport ${AMULE_UDP} -j ACCEPT
iptables -A INPUT -p TCP --dport ${AMULE_TCP} -j ACCEPT
# the remaining privileged ports are dropped unless the packet came in on the LAN
iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
# forwarding between the 192.168.0.0/24 LAN and the WAN
iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.255.0 -j ACCEPT
# masquerade everything leaving on the WAN and turn on routing
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done
# save the rule set and make the sysctl settings persistent
/etc/init.d/iptables save
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
echo "net.ipv4.conf.default.rp_filter = 1" >> /etc/sysctl.conf
echo "net.ipv4.ip_dynaddr = 1" >> /etc/sysctl.conf
/etc/init.d/iptables restart
The output of "iptables -L" and "iptables -t nat -L" is this:
Code:
localhost ~ # iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere
REJECT udp -- anywhere anywhere udp dpt:bootps reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp dpt:domain reject-with icmp-port-unreachable
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:37896
ACCEPT udp -- anywhere anywhere udp dpt:37896
ACCEPT udp -- anywhere anywhere udp dpt:4672
ACCEPT tcp -- anywhere anywhere tcp dpt:4662
DROP tcp -- anywhere anywhere tcp dpts:0:1023
DROP udp -- anywhere anywhere udp dpts:0:1023

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT 0 -- anywhere 192.168.0.0/24
ACCEPT 0 -- 192.168.0.0/24 anywhere
ACCEPT 0 -- anywhere 192.168.0.0/24

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

localhost ~ # iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE 0 -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
My problem is that the NAT just doesn't work. When I try to open a web page, it just stays at "waiting for...".
Any idea where I could start looking? Like how to analyze what iptables is doing.
Thanks.
loskornosdelsol n00b

Joined: 10 Jan 2007 Posts: 9
Posted: Sun Mar 11, 2007 8:14 am Post subject:
Hi,
have you executed this command
Code:
echo "net.ipv4.conf.default.rp_filter = 1" >> /etc/sysctl.conf
repeatedly? It would not be clean if your "sysctl.conf" is filled with such lines. One entry is enough and avoids mistakes.
What about your kernel configuration: which options did you enable to support iptables and NAT?
I am wondering about "MASQUERADE 0 -- anywhere anywhere".
After executing "iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE", I get the result "MASQUERADE all -- anywhere anywhere", where the protocol is "all" instead of "0".
Have you used this rule set successfully when running an older kernel?
zietbukuel l33t


Joined: 30 Dec 2005 Posts: 607
Posted: Mon Mar 12, 2007 7:28 am Post subject:
I have this problem too...
machspeed2200 n00b

Joined: 01 Feb 2007 Posts: 44 Location: Adelaide, South Australia
Posted: Tue Mar 13, 2007 1:50 am Post subject:
I also had this problem.
I can't remember exactly what I did, but search for NF_NAT in make menuconfig and enable its dependencies.
It's all in Networking -> Networking options -> Network packet filtering (if I remember correctly).
You also have to enable bridge routing (ebtables); there's a NAT option in there. I'll post more info when I'm back in front of my Gentoo box...
zietbukuel l33t


Joined: 30 Dec 2005 Posts: 607
Posted: Tue Mar 13, 2007 4:55 am Post subject:
Why do I need bridging support for NAT?
Gentree Watchman


Joined: 01 Jul 2003 Posts: 5350 Location: France, Old Europe
Posted: Thu Mar 15, 2007 8:26 am Post subject:
There is a whole pack of modules needed for this.
You'll be here all year if you keep posting "what do I need for...."
Your quickest solution is to go into networking in the kernel config and turn everything on as modules. Once you have it working, use lsmod to see what gets loaded and then tidy up the unneeded modules if you like.
HTH
_________________
Linux, because I'd rather own a free OS than steal one that's not worth paying for.
Gentoo because I'm a masochist
AthlonXP-M on A7N8X. Portage ~x86
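A way to narrow this down systematically, as an added example that is not from any poster in this thread: a small POSIX shell script that runs the checks the thread circles around (the kernel built with conntrack and NAT support, the nat table actually registered, ip_forward switched on, and whether the MASQUERADE rule ever matches a packet). The kernel config symbol names at the top are assumed to be the right ones for a 2.6.20-era kernel; every check reads its input from a file so the same functions run on the gateway itself or, as below, on constructed sample files that mimic the situation in the first post.

```shell
#!/bin/sh
# Added example, not code from the thread. Diagnoses the usual reasons a
# MASQUERADE rule sits in POSTROUTING without translating anything.

# Kernel config symbols assumed necessary for iptables NAT on a 2.6.20-era
# kernel; where two are given, either the old or the new one is enough.
NAT_SYMBOLS="CONFIG_NETFILTER CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_TARGET_MASQUERADE \
CONFIG_NF_CONNTRACK|CONFIG_IP_NF_CONNTRACK CONFIG_NF_NAT|CONFIG_IP_NF_NAT"

# enabled_in CONFIG_FOO <config-file>: true when the symbol is =y or =m
enabled_in() {
    grep -q "^$1=[ym]$" "$2"
}

# nat_config_missing <config-file>: prints the symbols (or alternatives) that
# are neither built in nor modules; prints nothing when NAT support is complete
nat_config_missing() {
    missing=""
    for entry in $NAT_SYMBOLS; do
        ok=0
        for sym in $(printf '%s' "$entry" | tr '|' ' '); do
            enabled_in "$sym" "$1" && ok=1
        done
        [ $ok -eq 1 ] || missing="$missing $entry"
    done
    printf '%s\n' "${missing# }"
}

# nat_table_registered <ip_tables_names-file>: true when the kernel knows a
# "nat" table at all; /proc/net/ip_tables_names lists it whether it is built
# in or loaded as a module
nat_table_registered() {
    grep -qx nat "$1"
}

# ip_forward_enabled <sysctl-file>: true when /proc/sys/net/ipv4/ip_forward is 1
ip_forward_enabled() {
    [ "$(cat "$1")" = "1" ]
}

# masq_packets: reads "iptables -t nat -L POSTROUTING -v -n" output on stdin and
# prints the packet counter of the first MASQUERADE rule (nothing if none)
masq_packets() {
    awk '$3 == "MASQUERADE" { print $1; exit }'
}

# nat_report <config> <ip_tables_names> <ip_forward-file> <postrouting-listing>
# prints one diagnosis line and returns 0 only when nothing obvious is wrong
nat_report() {
    missing=$(nat_config_missing "$1")
    if [ -n "$missing" ]; then
        echo "kernel lacks NAT support, rebuild with: $missing"; return 1
    fi
    if ! nat_table_registered "$2"; then
        echo "nat table not registered (iptable_nat / nf_nat not loaded)"; return 1
    fi
    if ! ip_forward_enabled "$3"; then
        echo "ip_forward is 0, packets from the LAN are not routed at all"; return 1
    fi
    pkts=$(masq_packets < "$4")
    case "$pkts" in
        "") echo "no MASQUERADE rule in POSTROUTING"; return 1 ;;
        0)  echo "MASQUERADE rule never matched: LAN traffic is not reaching POSTROUTING"; return 1 ;;
        *)  echo "MASQUERADE matched $pkts packets: translation works, check the return path or DNS"; return 0 ;;
    esac
}

# make_samples: writes constructed inputs (not captured from a real box) that
# mimic the thread: rules loaded, counters at zero, kernel without NF_NAT;
# prints the directory holding them
make_samples() {
    d=$(mktemp -d)
    cat > "$d/config" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_MASQUERADE=m
# CONFIG_NF_CONNTRACK is not set
# CONFIG_NF_NAT is not set
EOF
    printf 'filter\n' > "$d/ip_tables_names"
    printf '1\n' > "$d/ip_forward"
    cat > "$d/postrouting" <<'EOF'
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  0   --  any    eth1    anywhere             anywhere
EOF
    echo "$d"
}

# Demonstration on the constructed samples
SAMPLES=$(make_samples)
nat_report "$SAMPLES/config" "$SAMPLES/ip_tables_names" \
           "$SAMPLES/ip_forward" "$SAMPLES/postrouting" || true
```

On the gateway itself, feed it the real files: `zcat /proc/config.gz > /tmp/config` (needs CONFIG_IKCONFIG_PROC; otherwise use the .config you built from), `iptables -t nat -L POSTROUTING -v -n > /tmp/post`, then `nat_report /tmp/config /proc/net/ip_tables_names /proc/sys/net/ipv4/ip_forward /tmp/post`. The packet counter is the most telling signal: if it stays at zero while a LAN host is trying to load a page, the packets are being dropped or left untranslated before POSTROUTING, and the kernel side is the first place to look.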
zietbukuel l33t


Joined: 30 Dec 2005 Posts: 607
Posted: Thu Mar 15, 2007 8:51 am Post subject:
Thanks, I've managed to correct this issue.