MASQUERADING not working - iptables


Post by Peter BUS » Tue, 19 Feb 2002 02:45:06



I have a home network which connects to my
provider through a cable modem. My PC is
connected to the cable modem with a network card
(eth1) and any other PCs connect to the internet
on my Linux Server through a hub connected to a
network card (eth0) on it.

I built Kernel 2.4.17 with iptables (vers. 1.2.5) and
ipchains. Masquerading works with ipchains, but
not with iptables. I can't ping my provider's Gateway IP
from my PC but I can ping it from my Linux server.
I can ping the IP my provider assigned to me from
my PC.

I've tried all of the example lines of iptables rules given
in the howto pages and elsewhere:

i.e.
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to <ext ip>
and one with
iptables -t nat -A POSTROUTING -p tcp -o eth1 -j SNAT --to <ext ip>:1-1023

Could anyone help?

 
 
 


Post by SViso » Tue, 19 Feb 2002 05:52:14



> I have a home network which connects to my provider through a cable
> modem. My PC is connected to the cable modem with a network card (eth1)
> and any other PCs connect to the internet on my Linux Server through a
> hub connected to a network card (eth0) on it.

...

You could try something like this:

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A INPUT   -i eth1 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i eth1 -m state --state NEW,INVALID -j DROP

Do not forget to run:

echo 1 > /proc/sys/net/ipv4/ip_forward

_before_ iptables

// SVisor

 
 
 


Post by Ravi Parim » Tue, 19 Feb 2002 07:14:26



> I have a home network which connects to my
> provider through a cable modem. My PC is
> connected to the cable modem with a network card
> (eth1) and any other PCs connect to the internet
> on my Linux Server through a hub connected to a
> network card (eth0) on it.

> I built Kernel 2.4.17 with iptables (vers. 1.2.5) and
> ipchains. Masquerading works with ipchains, but
> not with iptables. I can't ping my provider's Gateway IP
> from my PC but I can ping it from my Linux server.
> I can ping the IP my provider assigned to me from
> my PC.

> I've tried all of the example lines of iptables rules given
> in the howto pages and elsewhere:

> i.e.
> iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to <ext ip>
> and one with
> iptables -t nat -A POSTROUTING -p tcp -o eth1 -j SNAT --to <ext ip>:1-1023

> Could anyone help?

What did you specify as the DNS servers for the machines behind your gateway?
They must be the same as the DNS servers provided by your ISP. Moreover,
check whether IP forwarding is enabled within the kernel.

--ravi

 
 
 


Post by Peter BUS » Tue, 19 Feb 2002 16:30:45


> What did you specify as the DNS servers for the machines behind your gateway?
> They must be the same as the DNS servers provided by your ISP. Moreover,
> check whether IP forwarding is enabled within the kernel.

> --ravi

I specified both of their DNS servers and my internal
network IP (192.168.1.1) for the DNS. For the Gateway
specification of the PC I specified the Gateway of my
ISP and again my internal network IP. It does work with
ipchains.

Thanks,
Peter

 
 
 


Post by g00n » Tue, 19 Feb 2002 17:22:10



> I have a home network which connects to my
> provider through a cable modem. My PC is
> connected to the cable modem with a network card
> (eth1) and any other PCs connect to the internet
> on my Linux Server through a hub connected to a
> network card (eth0) on it.

> I built Kernel 2.4.17 with iptables (vers. 1.2.5) and
> ipchains. Masquerading works with ipchains, but
> not with iptables. I can't ping my provider's Gateway IP
> from my PC but I can ping it from my Linux server.
> I can ping the IP my provider assigned to me from
> my PC.

> I've tried all of the example lines of iptables rules given
> in the howto pages and elsewhere:

> i.e.
> iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to <ext ip>
> and one with
> iptables -t nat -A POSTROUTING -p tcp -o eth1 -j SNAT --to <ext ip>:1-1023

> Could anyone help?

$TABLES -t nat -A POSTROUTING -s $HOME_NET -o $OUT_IF -j SNAT --to $OUTSIDE_IP

is the line I have.. and you're NATing the traffic, not MASQing it..

$HOME_NET = 192.168.0.0/24
$OUT_IF = eth0 (my external nic)
$OUTSIDE_IP = my public IP

hope that helps..

 
 
 


Post by Peter BUS » Tue, 19 Feb 2002 19:08:54


Sorry. I tried that too.
 
 
 


Post by Peter BUS » Wed, 20 Feb 2002 05:52:52


Maybe it would help if I added that I am using SuSE Linux 7.3.
 
 
 


Post by Allen Brand » Mon, 25 Feb 2002 06:46:48


Hi Peter,
I read that if you have ipchains working, then iptables will not start. It
deactivates it.

Please see:

http://www.e-infomax.com/ipmasq/howto/m-html/ipmasq-HOWTO-m.html

An Excerpt:
3.4.1. Configuring IP Masquerade on Linux 2.4.x Kernels

"Please note that IPCHAINS is no longer the primary firewall configuration tool
for the 2.4.x kernels. The new kernels now use the IPTABLES toolkit though the
new 2.4.x kernels CAN still read and enable old IPCHAINS or IPFWADM rulesets
via a compatibility module. It should be noted that when in this mode, NO
IPTABLES modules can be loaded. It should also be noted that none of the 2.2.x
IPMASQ modules are compatible with 2.4.x kernels. For a more detailed reason
for these changes, please see the Chapter 7 section."

Hope that helps. After you sort your problems, maybe you can help me out ;-)

HTH
Al Brandt


> > What did you specify as the DNS servers for the machines behind your gateway?
> > They must be the same as the DNS servers provided by your ISP. Moreover,
> > check whether IP forwarding is enabled within the kernel.

> > --ravi

> I specified both of their DNS servers and my internal
> network IP (192.168.1.1) for the DNS. For the Gateway
> specification of the PC I specified the Gateway of my
> ISP and again my internal network IP. It does work with
> ipchains.

> Thanks,
> Peter

 
 
 


Post by Erik Halsiu » Tue, 14 May 2002 18:34:57



> I built Kernel 2.4.17 with iptables (vers. 1.2.5) and
> ipchains. Masquerading works with ipchains, but
> not with iptables. I can't ping my provider's Gateway IP
> from my PC but I can ping it from my Linux server.
> I can ping the IP my provider assigned to me from
> my PC.

Did you include MASQUERADE target support when configuring the kernel? If
you are using xconfig you can find it under [Networking Options]->[IP:
Netfilter Configuration]->[Full NAT]

Remember to insmod the masq module if you choose to compile MASQUERADE target
support as a module.

// Erik Halsius

--

.signature:

        "There's never time to do it right,
         but there's always time to do it over."
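
The causes raised across the replies above (IP forwarding off, the ipchains compatibility module blocking iptables modules, missing MASQUERADE target support, no POSTROUTING rule on the external interface) can be checked in one pass. The script below is an added example, not part of any post in the thread; the function name `check_nat_prereqs`, its problem labels and the sample module listing are constructed here, and it assumes the netfilter parts were built as modules, since built-in code never appears in /proc/modules.

```shell
#!/bin/sh
# Added example: audit captured gateway state for the causes named in the thread.
# Arguments are plain text so the check also runs offline:
#   $1 contents of /proc/sys/net/ipv4/ip_forward
#   $2 contents of /proc/modules
#   $3 output of iptables-save -t nat
#   $4 external interface name
# Assumption: netfilter parts are modules (built-ins never show in /proc/modules).
check_nat_prereqs() {
    fwd=$1; modules=$2; natrules=$3; ext_if=$4; problems=""
    has_module() { printf '%s\n' "$modules" | grep -q "^$1 "; }

    # Forwarding must be on or nothing crosses between the two NICs.
    [ "$fwd" = "1" ] || problems="$problems ip_forward_off"
    # The ipchains compatibility module prevents iptables modules from loading.
    if has_module ipchains; then problems="$problems ipchains_loaded"; fi
    # The nat table is provided by iptable_nat.
    has_module iptable_nat || problems="$problems iptable_nat_missing"
    # A source-NAT rule must exist for traffic leaving the external interface.
    if ! printf '%s\n' "$natrules" |
        grep -Eq -- "^-A POSTROUTING (.* )?-o $ext_if (.* )?-j (SNAT|MASQUERADE)"; then
        problems="$problems no_nat_rule"
    fi
    # -j MASQUERADE needs its own target module in addition to iptable_nat.
    if printf '%s\n' "$natrules" | grep -q -- '-j MASQUERADE'; then
        has_module ipt_MASQUERADE || problems="$problems masq_module_missing"
    fi
    echo "${problems# }"
}

# Constructed sample state (not taken from the thread): ipchains loaded,
# forwarding off, no nat rules saved. Prints the list of problems found.
bad_modules='ipchains 38976 0 (unused)'
check_nat_prereqs 0 "$bad_modules" "" eth1

# On a live gateway the same function would be fed real state, e.g.:
#   check_nat_prereqs "$(cat /proc/sys/net/ipv4/ip_forward)" \
#       "$(cat /proc/modules)" "$(iptables-save -t nat)" eth1
```

An empty result means none of the four causes applies; the remaining places to look are then the filter table's FORWARD chain and the clients' default gateway setting.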

 
 
 

1. IP Masquerading works, but does not masquerade from within the local network

I've got a box running Redhat 6.1 working as a gateway for our home network.
It's connected to a cable modem, and we've only got one IP address, so it's
doing IP forwarding and masquerading for us.

Now, consider this situation: I've got a webcam running on one of my windows
boxes, whose IP address is 192.168.0.1 (for instance). The webcam is on port
8888, and I've got the linux box set up to forward this port along from
port, say, 9999, using a line much like

ipmasqadm portfw -a -P tcp -L xxx.xxx.xxx.xxx 9999 -R 192.168.0.1 8888

in my rc.local.

This works very well for people connecting in from outside - they'd use a
URL like:

http://xxx.xxx.xxx.xxx:9999/video/frame

but if I try and use that URL from inside the local network, it doesn't
connect, I'd have to use:

http://192.168.0.1:8888/video/frame

which is rather annoying as it makes it difficult to test things (I have to
VNC out to work and boot up a browser there)

I'm fairly sure the problem isn't with the webcam software - I've had the
same problem when trying to connected to an apache server inside the network
as well.

any ideas?

cheers,

Tim

