masquerading w/ netfilter and 2.3.X/2.4.X

Post by Evan Da » Fri, 07 Jul 2000 04:00:00



I *thought* I had a good grip on how networking, NAT, and masquerading
work, but this has me stumped.  I just upgraded to the latest 2.4.0-test
kernel and have started playing with netfilter and iptables.

My network looks like this:

inside               "firewall"             outside
  PC LAN                Linux
192.168.2.2     192.168.2.1       -------> INTERNET
192.168.2.3 ---->           1.2.3.4
                eth1           eth0

I'm trying to masquerade the machines at 192.168.2.2 and 192.168.2.3.
The iptables HOWTO says to use:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

to masquerade, but that doesn't work.  It also suggests using SNAT for
static IP addresses (my internet address is static), so I've tried:

iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j SNAT --to
    1.2.3.4:32768-65535

Running tcpdump on the inside and outside interfaces while trying to hit
the internet from the inside, I see lots of traffic on the inside but
nothing across eth0.  I added rules allowing traffic from 192.168.2.1 on
both the INPUT and OUTPUT chains of the filter table.

So what rules in which tables do I need to put into place to allow
192.168.2.2 to talk to the internet masqueraded through my linux
machine?

In the meantime I've placed the ipchains.o module into the kernel and
continue using the old rules from my 2.2.X kernel.

Any assistance is appreciated.

-Evan


masquerading w/ netfilter and 2.3.X/2.4.X

Post by Michael M?cke » Sat, 15 Jul 2000 04:00:00



> I *thought* I had a good grip on how networking, NAT, and masquerading
> work, but this has me stumped.  I just upgraded to the latest 2.4.0-test
> kernel and have started playing with netfilter and iptables.

> My network looks like this:

> inside               "firewall"             outside
>   PC LAN                Linux
> 192.168.2.2     192.168.2.1       -------> INTERNET
> 192.168.2.3 ---->           1.2.3.4
>                 eth1           eth0

> I'm trying to masquerade the machines at 192.168.2.2 and 192.168.2.3.
> The iptables HOWTO says to use:

> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

> to masquerade, but that doesn't work.  It also suggests using SNAT for
> static IP addresses (my internet address is static), so I've tried:

> iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j SNAT --to
>     1.2.3.4:32768-65535

> Running tcpdump on the inside and outside interfaces while trying to hit
> the internet from the inside, I see lots of traffic on the inside but
> nothing across eth0.  I added rules allowing traffic from 192.168.2.1 on
> both the INPUT and OUTPUT chains of the filter table.

> So what rules in which tables do I need to put into place to allow
> 192.168.2.2 to talk to the internet masqueraded through my linux
> machine?

> In the meantime I've placed the ipchains.o module into the kernel and
> continue using the old rules from my 2.2.X kernel.

> Any assistance is appreciated.

> -Evan


hi evan,

I had my problems also going from kernel 2.2 to kernel 2.4test1:

make sure your forward-chain in the standard filter-table contains
entries for forwarding traffic from eth0 to eth1 and vice versa,
( iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT )
( iptables -A FORWARD -i eth1 -o eth0 -d ! 192.168.0.0/16 -j ACCEPT )

or set the default policy of the FORWARD-chain of the filter-table to
"ACCEPT": ( iptables -P FORWARD ACCEPT )
in both cases, all packets coming from eth1 that are destined for the
outside internet (by target IP address) are FORWARDED to eth0, and all
packets coming in from the internet over eth0 (after reverse SNAT) are
forwarded to eth1...

the way for SNAT is the following:

packet from 192.168.2.2 -> PREROUTING-CHAIN -> FORWARD-CHAIN
->POSTROUTING-CHAIN   -> INTERNET

INTERNET-REPLY-packet  -> PREROUTING-CHAIN -> FORWARD-CHAIN ->
POSTROUTING-CHAIN  ->  packet arrives 192.168.2.2

1)  you're sending a packet from 192.168.2.2 to your gateway 192.168.2.1.
    The packet goes FIRST through the PREROUTING chain in the nat table.
    Make sure the packet comes through this chain:
    "iptables -t nat -A PREROUTING -i eth1 -s 192.168.2.0/24 -j ACCEPT"

2)  Then it goes through the FORWARD chain, so you must forward packets
    with a destination other than your private net:
    "iptables -A FORWARD -i eth1 -o eth0 -d ! 192.168.0.0/16 -j ACCEPT"

3)  Last it goes through the POSTROUTING chain of the nat table, where
    the SNAT takes place (note the -j SNAT target, without it iptables
    rejects the --to-source option):
    "iptables -t nat -A POSTROUTING -o eth0 -s 192.168.2.0/24 -j SNAT --to-source 1.2.3.4"

Ok, the packet is now successfully SNAT'ed to the internet, and now the
reverse procedure, a reply packet to your inside private net:

1) the packet comes into eth0 and goes to the PREROUTING-CHAIN:
   "iptables -t nat -A PREROUTING -i eth0 -d 1.2.3.4 -j ACCEPT"

2) the packet comes into the FORWARD-CHAIN:
   "iptables -A FORWARD -i eth0 -o eth1 -d 192.168.2.0/24 -j ACCEPT"

3) the packet comes into the POSTROUTING-CHAIN:
   "iptables -t nat -A POSTROUTING -o eth1 -j ACCEPT"

Now, the packet is successfully coming in on your targets computer
192.168.2.2

hope that helps

mimo
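A complete rule set for the layout in this thread, as an added example and not code from either post: the interface names and addresses (eth0, eth1, 192.168.2.0/24, 1.2.3.4) come from the thread, while the chain layout, the deny-by-default FORWARD policy, the conntrack state rules and the function names are this example's own assumptions. It also covers the two things a practitioner checks first when tcpdump shows packets on the inside interface and nothing on the outside one, which neither post mentions: that /proc/sys/net/ipv4/ip_forward is 1 (the kernel forwards nothing at all otherwise, whatever the nat table contains), and the packet counters on the FORWARD and nat/POSTROUTING chains, which show where a packet is dropped.

```shell
#!/bin/sh
# Added example (not from the original posts): minimal netfilter NAT gateway
# for the layout in the thread. Interface names and addresses come from the
# thread; chain layout, policy choices and function names are assumptions.
#   sh nat-gw.sh show    print the commands without running them
#   sh nat-gw.sh apply   run them (root, iptables and a 2.4+ kernel required)
#   sh nat-gw.sh check   show ip_forward, chain counters and conntrack entries

OUT_IF=${OUT_IF:-eth0}        # outside interface
IN_IF=${IN_IF:-eth1}          # inside interface
LAN=${LAN:-192.168.2.0/24}    # inside network
PUB_IP=${PUB_IP:-1.2.3.4}     # static public address; set empty to MASQUERADE

# Print the rule set, one command per line. The public address is passed in
# (empty string = dynamic) so the same function covers SNAT and MASQUERADE.
nat_rules() {
    pub=$1
    # Without this the kernel never routes between the two interfaces, and
    # tcpdump shows traffic arriving on the inside but nothing on eth0,
    # whatever the nat table contains.
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    # Deny-by-default FORWARD chain, rebuilt from scratch.
    echo "iptables -F FORWARD"
    echo "iptables -t nat -F POSTROUTING"
    echo "iptables -P FORWARD DROP"
    # filter/FORWARD: replies are matched by conntrack state, so only NEW
    # connections from the LAN need an explicit allow. Private destinations
    # are dropped so leaked RFC1918 traffic never reaches the uplink.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        echo "iptables -A FORWARD -i $IN_IF -o $OUT_IF -s $LAN -d $net -j DROP"
    done
    echo "iptables -A FORWARD -i $IN_IF -o $OUT_IF -s $LAN -m state --state NEW -j ACCEPT"
    # nat/POSTROUTING runs after routing, so -o matches the outside interface.
    # SNAT for a fixed address; MASQUERADE when it can change, since it
    # rereads the interface address and forgets connections when it goes down.
    if [ -n "$pub" ]; then
        echo "iptables -t nat -A POSTROUTING -o $OUT_IF -s $LAN -j SNAT --to-source $pub"
    else
        echo "iptables -t nat -A POSTROUTING -o $OUT_IF -s $LAN -j MASQUERADE"
    fi
}

# Just the NAT rule, for review on its own.
snat_rule() { nat_rules "$1" | grep '^iptables -t nat -A'; }

# Execute the generated lines, stopping at the first failure so a half-applied
# set (FORWARD at DROP with no allows) does not go unnoticed.
apply_rules() {
    nat_rules "$PUB_IP" | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd" || exit 1
    done
}

# Where do packets stop? Counters on FORWARD and nat/POSTROUTING plus the
# conntrack table (/proc/net/ip_conntrack on 2.4) answer that directly.
check_nat() {
    echo "ip_forward = $(cat /proc/sys/net/ipv4/ip_forward)"
    iptables -L FORWARD -v -n
    iptables -t nat -L POSTROUTING -v -n
    if [ -r /proc/net/ip_conntrack ]; then
        head -n 20 /proc/net/ip_conntrack
    fi
}

case "${1:-}" in
    show)  nat_rules "$PUB_IP" ;;
    apply) apply_rules ;;
    check) check_nat ;;
esac
```

The ACCEPT rules in nat/PREROUTING and nat/POSTROUTING from the reply are not needed: a packet that matches nothing in a nat chain still passes through it, since the nat table only decides whether an address is rewritten. With the filter FORWARD policy at DROP, the one line that actually has to exist for a LAN host to reach the internet is the NEW/ESTABLISHED pair in FORWARD, plus ip_forward set to 1; if `check` shows zero packets on the POSTROUTING counter while the FORWARD counter climbs, the SNAT rule's interface or source match is wrong, and if both stay at zero the packets never left the routing decision.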



Ip masquerading 2.3.x/(2.4.x)

Hi-

I want to make the move from the 2.2.x kernels to the 2.3.x/2.4.x, but I
absolutely need IP masquerading. I've read the HOWTOs at
netfilter.kernelnotes.org, and I understand ipnatctl is what does the
masquerading in these kernels (although support for the current
ipchains, that I use at present, will still be present for a while).
I'm willing to convert to ipnatctl, but the problem is I cannot find it
anywhere! The iptables-1.0.0 distribution that's available at the site
doesn't contain it, and a web search only came up with a development
Mandrake rpm, which I would have fiddled with, but it wasn't even on the
server any more (I'm a Slackware user, thus I prefer source
distributions).

Is ipnatctl in the 2.3.99pre kernel sources proper (although this
doesn't seem right)? Or where else can I find it?

MST
