> I *thought* I had a good grip on how networking, NAT, and masquerading
> work, but this has me stumped. I just upgraded to the latest 2.4.0-test
> kernel and have started playing with netfilter and iptables.
> My network looks like this:
>             inside            "firewall"           outside
>   PC LAN                      Linux
>   192.168.2.2                 192.168.2.1 -------> INTERNET
>   192.168.2.3 ---->           184.108.40.206
>                               eth1        eth0
> I'm trying to masquerade the machines at 192.168.2.2 and 192.168.2.3.
> The iptables HOWTO says to use:
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> to masquerade, but that doesn't work. It also suggests using SNAT for
> static IP addresses (my internet address is static), so I've tried:
> iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j SNAT --to
> Running tcpdump on the inside and outside interfaces while trying to hit
> the internet from the inside, I see lots of traffic on the inside but
> nothing across eth0. I added rules allowing traffic from 192.168.2.1 on
> both the INPUT and OUTPUT chains of the filter table.
> So what rules in which tables do I need to put into place to allow
> 192.168.2.2 to talk to the internet masqueraded through my linux
> In the meantime I've placed the ipchains.o module into the kernel and
> continue using the old rules from my 2.2.X kernel.
> Any assistance is appreciated.
I had my problems also going from kernel 2.2 to kernel 2.4test1:
make sure your forward-chain in the standard filter-table contains
entries for forwarding traffic from eth0 to eth1 and vice versa,
( iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT )
( iptables -A FORWARD -i eth1 -o eth0 -d ! 192.168.0.0/16 -j ACCEPT )
or set the default policy of the FORWARD-chain of the filter-table to
"ACCEPT": ( iptables -P FORWARD ACCEPT )
In both cases, all packets wanting to go to the outside internet (target
IP address) and coming from eth1 are FORWARDED to eth0, and all packets
coming from the internet over eth0 (after REVERSE-SNAT) are forwarded to
the way for SNAT is the following:
packet from 192.168.2.2 -> PREROUTING-CHAIN -> FORWARD-CHAIN
->POSTROUTING-CHAIN -> INTERNET
INTERNET-REPLY-packet -> PREROUTING-CHAIN -> FORWARD-CHAIN ->
POSTROUTING-CHAIN -> packet arrives 192.168.2.2
1) You're sending a packet from 192.168.2.2 to your gateway 192.168.2.1.
The packet goes FIRST through the PREROUTING-CHAIN in the nat-table.
Make sure, the packet comes through this chain("iptables -t nat -A
PREROUTING -i eth1 -s 192.168.2.0/24 -j ACCEPT")
2) Then it goes through the FORWARD-chain, so you must forward packets
with a destination other than your private net: "iptables -A FORWARD -i
eth1 -o eth0 -d ! 192.168.0.0/16 -j ACCEPT"
3) Last it goes through the POSTROUTING-CHAIN of the nat-table, where
the SNAT takes place: "iptables -t nat -A POSTROUTING -o eth0 -s
192.168.2.0/24 -j SNAT --to-source 220.127.116.11"
Ok, the packet is now successfully SNAT'ed to the internet, and now the
reverse procedure, a reply packet to your inside private net:
1) the packet comes into eth0 and goes to the PREROUTING-CHAIN:
"iptables -t nat -A PREROUTING -i eth0 -d 18.104.22.168 -j ACCEPT"
2) the packet comes into the FORWARD-CHAIN:
"iptables -A FORWARD -i eth0 -o eth1 -d 192.168.2.0/24 -j ACCEPT"
3) the packet comes into the POSTROUTING-CHAIN:
"iptables -t nat -A POSTROUTING -o eth1 -j ACCEPT"
Now, the packet is successfully coming in on your target computer.
Hope that helps
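As an added example (not part of either message above), the following sh script turns the three-step flow the reply describes into one reviewable ruleset. Interface names, the private net and the public address are assumptions passed as parameters; 203.0.113.1 is a constructed placeholder, not the poster's real address. The script only prints the commands, so the ruleset can be inspected before it is run on a gateway. Two points beyond the reply are my own: `/proc/sys/net/ipv4/ip_forward` must be 1 or the FORWARD chain never sees a packet (which fits the original symptom of traffic on eth1 and nothing on eth0), and the nat PREROUTING/POSTROUTING chains default to ACCEPT, so the explicit ACCEPT rules there are not required. The FORWARD policy is set to DROP with a stateful rule for return traffic, so the outside can only send replies to connections the inside opened; the negation uses the current `! -d` spelling rather than the older `-d !` form.

```shell
#!/bin/sh
# Added example: builds the SNAT ruleset described in the reply as a plain
# list of commands, so it can be reviewed (and tested) before being applied.
# Assumed parameters: inside interface, outside interface, inside net, public IP.

# Print the iptables commands for NATing <inside_net> out of <outside_if>.
# Usage: build_snat_rules <inside_if> <outside_if> <inside_net> <public_ip>
build_snat_rules() {
    inside_if=$1; outside_if=$2; inside_net=$3; public_ip=$4

    # Routing between interfaces is off by default; without this the
    # FORWARD chain is never consulted, whatever rules it holds.
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"

    # filter table: nothing crosses the box unless explicitly allowed.
    echo "iptables -P FORWARD DROP"
    # Inside -> outside: only traffic whose destination is not the private net.
    echo "iptables -A FORWARD -i $inside_if -o $outside_if -s $inside_net ! -d $inside_net -j ACCEPT"
    # Outside -> inside: only replies to connections the inside opened.
    echo "iptables -A FORWARD -i $outside_if -o $inside_if -d $inside_net -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # nat table: rewrite the source address on the way out. PREROUTING and
    # POSTROUTING default to ACCEPT, so no ACCEPT rules are needed there.
    echo "iptables -t nat -A POSTROUTING -o $outside_if -s $inside_net -j SNAT --to-source $public_ip"
}

# Count the generated rules that touch the nat table (sanity check: exactly one).
count_nat_rules() {
    build_snat_rules "$@" | grep -c -- '-t nat'
}

# Example run with constructed values; pipe into sh on the gateway to apply.
build_snat_rules eth1 eth0 192.168.2.0/24 203.0.113.1
```

To check the result on a live gateway, `iptables -t nat -L POSTROUTING -v` shows the SNAT rule and its packet counters; if the counters stay at zero while tcpdump shows traffic on the inside interface, ip_forward or the FORWARD chain is the first thing to look at.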