help with simple NAT forwarding

From: Mark Richards (editor_at_badtransit.com)
Date: 07/29/04

    Date: Wed, 28 Jul 2004 18:04:20 -0400
    
    

    I'm very new to iptables and have read as much of the literature as my
    weary brain can absorb. Still, I am having some difficulty with a
    simple NAT setup.

    My network consists of:

    ethernet --> ADSL --> Linksys Router (pppoe assigned address) --> 3Com Switch --> clients (192.168.1.0/24 network)

    The linksys router does the pppoe negotiation and, of course, the WAN ip
    is not static.

    I am attempting to configure an embedded device (called an AXIS 82) as a
    simple NAT MASQUERADE device. It's running the 2.4.26 kernel. The AXIS
    82 has two ethernet ports (eth0 and eth1). eth0 is static and is
    attached to the 3Com switch. I assigned 192.168.1.90 to eth0. eth1 is
    also set static and is assigned 192.168.0.90 (note that it's on a
    different subnet, as per some of the reading I've been doing regarding
    setting this up).

    I have udhcpd running on the device and it's able to give out ip
    addresses within the 192.168.0.20 - 192.168.0.100 range. Another linux
    box attached to the AXIS 82 eth1 port (through another switch) is able
    to get an ip address just fine.

    What I want to do is have a workstation attached to eth1 connect to the
    local LAN (192.168.1.0/24) via the AXIS 82's eth0 and therefore out to
    the WAN. I believe this is called "many to one" nat. I am assuming
    (hope this is correct) that my destination wants to be 192.168.1.90 (the
    eth0 ip address).

    What I'm doing currently is just for testing purposes. In its final
    configuration, the AXIS will attach to a cable modem (with a fixed ip
    address) instead of the internal LAN.

    Here's a diagram of what I want to do:

    INTERNET
    .
    .
    ADSL MODEM
    . (Dynamic WAN address)
    .
    LINKSYS ROUTER
    . (192.168.1.0/24)
    .
    3COM SWITCH
    .
    .
    AXIS 82 ETH0 (192.168.1.90)
       {AXIS 82 running udhcpd and with iptables nat setup}
    AXIS 82 ETH1 (192.168.0.90)
    .
    .
    linux client 192.168.0.20 (supplied by AXIS 82)

    Here's what I'm using as a simple NAT setup on the axis 82:

    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo "1" > /proc/sys/net/ipv4/ip_dynaddr
    iptables -A POSTROUTING -t nat -o eth0 -s 192.168.1.0/24 -d 0/0 -j MASQUERADE

    iptables -A FORWARD -t filter -i eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    iptables -A FORWARD -t filter -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

    Based on this setup, although my client at 192.168.0.20 gets an ip, when
    I try to ping anything out on the net I get "destination host unreachable".

    I should think if this were working I could ping 192.168.1.90, the eth0
    address, and get a reply. This also fails.

    The routing table for the client is:

    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
    169.250.0.0     *               255.255.0.0     U     0      0        0 eth1

    The routing table for the AXIS 82 is:

    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
    192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
    default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0

    Any ideas? All thoughts are welcome. If I've done something stupid,
    don't be afraid to say so!

    Thanks!!

    -m-
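
One way the many-to-one NAT described in the post would normally be written, as an added example and not the poster's script or anything shipped with the AXIS 82: it masquerades the private 192.168.0.0/24 side (the post's rule masquerades 192.168.1.0/24, which the clients never source from), sets a default-deny FORWARD policy, and checks a route table for the default route the client's table above lacks. The run()/DRY_RUN wrapper, the function names and the route-table check are assumptions of this example; the interfaces, addresses and route tables are the post's.

```shell
#!/bin/sh
# Added example: NAT rule set for the post's layout plus a route-table check.
LAN_IF=eth1              # AXIS 82 port facing the 192.168.0.0/24 clients
WAN_IF=eth0              # AXIS 82 port facing 192.168.1.0/24 (later the cable modem)
LAN_NET=192.168.0.0/24   # the network that must be masqueraded, not 192.168.1.0/24

# run(): execute a command, or only print it when DRY_RUN=1 (the default here,
# so the script can be read and tested off the router; set DRY_RUN=0 on the AXIS).
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

nat_setup() {
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    # Rewrite only the private side's source addresses as packets leave WAN_IF.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    # Default-deny forwarding, then allow LAN -> WAN and the replies back in.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# route_has_default: exit 0 if a "route -n"-style table contains a default route.
# A client without one cannot reach anything off 192.168.0.0/24, which matches
# the "destination host unreachable" seen from 192.168.0.20.
route_has_default() {
    printf '%s\n' "$1" | grep -Eq '^(default|0\.0\.0\.0)[[:space:]]'
}

# Constructed from the two tables quoted in the post.
CLIENT_ROUTES='192.168.0.0 * 255.255.255.0 U 0 0 0 eth1
169.250.0.0 * 255.255.0.0 U 0 0 0 eth1'
AXIS_ROUTES='192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
192.168.0.0 * 255.255.255.0 U 0 0 0 eth1
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth0'

nat_setup
route_has_default "$AXIS_ROUTES"   || echo "AXIS 82: no default route"
route_has_default "$CLIENT_ROUTES" || echo "client: no default route (needs one via 192.168.0.90)"
```

With DRY_RUN=1 the script only prints the rules; the missing client default route is what udhcpd's router option on the AXIS 82 would normally supply.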

