Re: IPTABLES MASQUERADE - WAN is OK but no LAN traffic...



On Mon, 28 Aug 2006 23:26:11 -0700, wisptech wrote:

> Here is the masquerade section of rules that I have set up...
>
> iptables -t nat -A POSTROUTING -s 172.19.0.0/24 -j SNAT --to 66.119.9.186

Well, since you are using FORWARD I will assume (bad idea, I know) that you
have more than one interface on this box.

Since POSTROUTING is done on all FORWARDed packets, every packet, no matter
where it started, is being SNATed to 66.119.9.186 when it exits the box.

eth0 -> PREROUTE -> FORWARD -> POSTROUTE -> eth1
eth0 <- POSTROUTE <- FORWARD <- PREROUTE <- eth1

The steps are simple;

Enter an interface
Do some PREROUTE rules
Route Packet (FORWARD)
Do some POSTROUTE rules
Exit other interface

You can fix this by using the '-o <interface>' option which is the
outbound interface. For example I will assume (I know) that eth0 is the
interface to the world. Your rules should then look like this

iptables -t nat -A POSTROUTING -o eth0 -s 172.19.0.0/24 -j SNAT --to 66.119.9.186

Then only packets that are exiting to the world will be SNATed, and not
every packet that crosses the box.

> iptables -A FORWARD -t filter -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -t filter -m state --state ESTABLISHED,RELATED -j ACCEPT

Here again the first ACCEPT rule takes charge, so the second does nothing.
If you want to allow only the NEW packets from your 172.19 network through
this box, then you would have to change the first rule to:

iptables -A FORWARD -t filter -i eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

and you would change the second one to only allow related packets back,
like this:

iptables -A FORWARD -t filter -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

> Can someone tell me what the heck I'm doing wrong?

That should get you started. If this box only has one interface then the
rules change again and you don't need FORWARD.

Take a look at this site. I think it might help you.

http://iptables-tutorial.frozentux.net/iptables-tutorial.html


--

Regards
Robert

Smile... it increases your face value!
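The two fixes Robert describes (limit SNAT to the WAN-bound direction with `-o`, and let NEW connections through only from the LAN side with `-i`) put together as one reviewable script. This is an added example, not Robert's or wisptech's own script; it assumes, as the thread does, that eth0 faces the world with 66.119.9.186 and eth1 faces 172.19.0.0/24, and the `lint_rules` check is a small added helper that flags exactly the two mistakes in the original ruleset before anything is applied.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes (as the thread does)
# that eth0 is the WAN interface with 66.119.9.186 and eth1 is the LAN
# interface in front of 172.19.0.0/24. Override with environment variables.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-172.19.0.0/24}"
WAN_IP="${WAN_IP:-66.119.9.186}"

# Print the corrected ruleset, one command per line, so it can be reviewed
# before it is run. SNAT is limited to packets leaving on the WAN interface,
# and NEW connections are forwarded only when they arrive from the LAN side;
# replies from the world are let back in by conntrack state alone.
gen_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -F POSTROUTING
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $WAN_IP
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Lint a ruleset read from stdin for the two mistakes in the thread:
#   1. a POSTROUTING SNAT/MASQUERADE rule with no -o, which rewrites every
#      forwarded packet, LAN-to-LAN traffic included;
#   2. a FORWARD rule accepting NEW with no -i, which lets the world open
#      connections inward and shadows any later, narrower rule.
# Returns 0 when clean, 1 otherwise, naming each offending line on stdout.
lint_rules() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            *POSTROUTING*"-j SNAT"*|*POSTROUTING*"-j MASQUERADE"*)
                case "$line" in
                    *" -o "*) ;;
                    *) echo "no -o on NAT rule: $line"; bad=1 ;;
                esac ;;
            *FORWARD*"--state "*NEW*)
                case "$line" in
                    *" -i "*) ;;
                    *) echo "NEW accepted from any interface: $line"; bad=1 ;;
                esac ;;
        esac
    done
    return $bad
}

# Apply the rules only after the generated set passes the lint.
apply_rules() {
    gen_rules | lint_rules || return 1
    gen_rules | sh
}

case "${1:-print}" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```

Run it with no argument to print the rules for review, or with `apply` as root to install them. Feeding the original two-rule set from the post into `lint_rules` reports both problems, which is the quickest way to confirm the diagnosis on a box whose rules are already loaded (`iptables-save` output can be piped in the same way).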




