iptables masquerading/snat stop working upon moving to kernel 2.6

From: S P Arif Sahari Wibowo (arifsaha_at_yahoo.com)
Date: 08/22/05


Date: Mon, 22 Aug 2005 13:39:44 GMT

Hi!

Upon moving from RH 9 (kernel 2.4.18 and 2.4.20) to WBEL 4 (RHEL
4 recompile, kernel 2.6.9), a simple masquerading SNAT stops
working. Packets reach the PREROUTING chain but never reach the
POSTROUTING chain.

Any idea why and how to fix it?

Here is the iptables saved rules on the gateway machine:

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

route -n (say 24.24.24.24 is the external IP):

192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
24.24.24.24 0.0.0.0 255.255.255.0 U 0 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
0.0.0.0 24.24.24.24 0.0.0.0 UG 0 0 0 eth1

To get the logging, I added a few rules:

*nat
-A PREROUTING -s 192.168.1.0/255.255.255.0 -j LOG --log-prefix PRE--
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -j LOG --log-prefix POST--
COMMIT

*filter
-A INPUT -s 192.168.1.0/255.255.255.0 -j LOG --log-prefix INP--
-A FORWARD -s 192.168.1.0/255.255.255.0 -j LOG --log-prefix FOR--
COMMIT

These rules are loaded by iptables without problem.

Now when a machine in the local network (yes, they have the correct IP
and gateway) tries to reach the Internet, an entry on PREROUTING
shows up, but no entry on POSTROUTING shows; the packet is just
lost:

Aug 22 09:26:19 thegateway kernel: PRE--IN=eth0 OUT= MAC=00:20:ed:64:a2:89:00:50:ba:3e:bd:2e:80:00 SRC=192.168.1.5 DST=24.24.24.24 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=40000 DF PROTO=TCP SPT=1027 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 22 09:26:22 thegateway kernel: PRE--IN=eth0 OUT= MAC=00:20:ed:64:a2:89:00:50:ba:3e:bd:2e:80:00 SRC=192.168.1.5 DST=24.24.24.24 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=40002 DF PROTO=TCP SPT=1027 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 22 09:26:28 thegateway kernel: PRE--IN=eth0 OUT= MAC=00:20:ed:64:a2:89:00:50:ba:3e:bd:2e:80:00 SRC=192.168.1.5 DST=24.24.24.24 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=40004 DF PROTO=TCP SPT=1027 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0

Thanks!

-- 
                               Stephan Paul Arif Sahari Wibowo
    _____  _____  _____  _____
   /____  /____/ /____/ /____
  _____/ /      /    / _____/       http://www.arifsaha.com/
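
A small diagnostic for this kind of trace, added here as an example and not part of the original post: it reads kernel LOG lines (a constructed sample below, modelled on the PRE--/FOR--/POST-- prefixes above) and reports, per source:port, the furthest chain whose prefix appears, and checks whether IPv4 forwarding is enabled, which it must be for any transit packet to travel PREROUTING, FORWARD, POSTROUTING. The function and flow names are the example's own.

```shell
# Added example, not from the original post: classifies a flow by the furthest
# netfilter hook its LOG prefix reached, and checks IPv4 forwarding, which must
# be on for any packet to move from PREROUTING through FORWARD to POSTROUTING.
# Constructed sample lines modelled on the PRE--/FOR--/POST-- prefixes above.
SAMPLE_LOG='Aug 22 09:26:19 gw kernel: PRE--IN=eth0 OUT= SRC=192.168.1.5 DST=24.24.24.24 PROTO=TCP SPT=1027 DPT=23
Aug 22 09:26:22 gw kernel: PRE--IN=eth0 OUT= SRC=192.168.1.5 DST=24.24.24.24 PROTO=TCP SPT=1027 DPT=23
Aug 22 09:26:30 gw kernel: PRE--IN=eth0 OUT= SRC=192.168.1.6 DST=24.24.24.24 PROTO=TCP SPT=2000 DPT=80
Aug 22 09:26:30 gw kernel: FOR--IN=eth0 OUT=eth1 SRC=192.168.1.6 DST=24.24.24.24 PROTO=TCP SPT=2000 DPT=80
Aug 22 09:26:30 gw kernel: POST--IN= OUT=eth1 SRC=192.168.1.6 DST=24.24.24.24 PROTO=TCP SPT=2000 DPT=80'
# furthest_hook SRC:SPT -> prints PRE, FOR, POST, or NONE if the flow never logged.
furthest_hook() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v flow="$1" '
        BEGIN { best = 0; name = "NONE" }
        { rank = 0; hook = ""; src = ""; spt = "" }
        /kernel: PRE--/  { rank = 1; hook = "PRE" }
        /kernel: FOR--/  { rank = 2; hook = "FOR" }
        /kernel: POST--/ { rank = 3; hook = "POST" }
        {
            for (i = 1; i <= NF; i++) { split($i, kv, "="); if (kv[1] == "SRC") src = kv[2]; if (kv[1] == "SPT") spt = kv[2] }
            if (rank > best && (src ":" spt) == flow) { best = rank; name = hook }
        }
        END { print name }'
}
# forwarding_enabled [file] -> succeeds if the sysctl file holds 1 (default: the live kernel value).
forwarding_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}
# diagnose SRC:SPT -> one-line verdict on how far the flow got.
diagnose() {
    case "$(furthest_hook "$1")" in
        POST) echo "$1: reached nat POSTROUTING; the MASQUERADE rule was evaluated" ;;
        FOR)  echo "$1: entered FORWARD but never reached nat POSTROUTING" ;;
        PRE)  echo "$1: seen in PREROUTING only; never forwarded" ;;
        *)    echo "$1: no LOG entries" ;;
    esac
}
forwarding_enabled && echo "ip_forward=1" || echo "ip_forward=0 or unreadable: transit packets are dropped before FORWARD"
diagnose 192.168.1.5:1027
diagnose 192.168.1.6:2000
```

With the trace quoted above, the first flow comes out as "seen in PREROUTING only", so the next thing to confirm on the gateway is the ip_forward value, the routing table, and any FORWARD-chain policy.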

