'snat' snats everything! (almost)

Post by Mark Athert » Mon, 15 Oct 2001 05:38:44



I have got some way with setting up iptables for firewalling and NAT
for my LAN. I have read most of the howtos, faqs and example iptables
setup scripts but I am now stuck!

I have set up iptables like this:

#!/bin/sh
IPT="/sbin/iptables -v"         # Location of iptables binary plus options.
LAN_IF=eth0                     # LAN interface
WAN_IF=ppp0                     # WAN interface
LAN_IP=192.168.0.0/16           # LAN IP addresses (192.168.0.0/16 is the private block; /8 would also cover all of 192.0.0.0/8)
WAN_IP=staticipaddress          # WAN IP address (placeholder for the real static address)

# Change source IP address of Internet traffic before forwarding.
$IPT -t nat -A POSTROUTING -o $WAN_IF -j SNAT --to-source $WAN_IP

# Activate forwarding.
echo 1 > /proc/sys/net/ipv4/ip_forward

This works in that I can access the Internet from another machine on
the LAN (also news and ping). However it _doesn't_ work as expected in
that:

New ssh connections (i.e. ones opened after running the iptables script)
fail to connect, but old sessions continue to work OK.

However smb works fine, even if Samba is restarted after running the
script.

I thought that entries in the POSTROUTING table only acted on packets
that were on their way out of the box. Any explanations and
suggestions for getting ssh to work would be welcome.

Mark Atherton
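As an added example (this is not code from Mark's post): the same setup with the SNAT rule scoped to LAN source addresses, plus a small check function that answers "would this packet be rewritten?" for a given source address and outgoing interface, which is the question the thread turns on. A POSTROUTING rule matched on -o ppp0 sees every packet leaving via ppp0, forwarded or generated by the firewall itself, and nothing else; traffic between a LAN host and the firewall never passes it. The interface names, the 192.168.0.0/16 LAN and the address 203.0.113.10 (an RFC 5737 documentation address standing in for the elided static IP) are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): a LAN-scoped SNAT setup and a
# helper that reports which packets the POSTROUTING rule would rewrite.
# Assumed values (not from the page): LAN 192.168.0.0/16 on eth0, WAN ppp0,
# and the documentation address 203.0.113.10 in place of the real static IP.

LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-ppp0}
LAN_NET=${LAN_NET:-192.168.0.0/16}    # 192.168/16 is the private block; /8 would cover all of 192.0.0.0/8
WAN_IP=${WAN_IP:-203.0.113.10}
IPT=${IPT:-/sbin/iptables}            # set IPT=echo to print the rules instead of loading them
IP_FORWARD=${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}

snat_rules() {
    # Rewrite only packets that come from the LAN *and* leave via the WAN link.
    # Packets between a LAN host and the firewall itself never traverse
    # POSTROUTING on $WAN_IF, so this rule cannot touch an ssh session from the
    # LAN to the firewall. The firewall's own DNS queries out of ppp0 do match
    # an unscoped "-o ppp0" rule: that is the "(almost) everything" of the title.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
    # Forward LAN-originated traffic out and only replies back in; drop the rest.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -P FORWARD DROP
}

ip_to_int() {
    # dotted quad -> 32-bit integer, POSIX arithmetic only
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

in_cidr() {
    # in_cidr ADDR NET/PREFIX -> exit 0 if ADDR lies inside NET/PREFIX
    net=${2%/*}
    prefix=${2#*/}
    mask=$(( (0xffffffff << (32 - prefix)) & 0xffffffff ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

snat_applies() {
    # snat_applies SRC_ADDR OUT_IF -> exit 0 if the scoped POSTROUTING rule
    # above would rewrite a packet with that source leaving via that interface
    in_cidr "$1" "$LAN_NET" && [ "$2" = "$WAN_IF" ]
}

# "sh snat.sh apply" loads the rules and enables forwarding. With no argument
# only the functions are defined, so the file can be sourced or dry-run with
# IPT=echo sh snat.sh apply.
case "${1-}" in
    apply)
        snat_rules
        echo 1 > "$IP_FORWARD"
        ;;
esac
```

Run it with IPT=echo first and compare the printed rules with what the original script loads: the only difference in the nat table is the -s match, which keeps hosts that are not on the LAN (anything that turns up on eth0 with a foreign address, for instance) from being NATed out under the firewall's own address. After loading, iptables -t nat -L POSTROUTING -v -n shows per-rule packet counters; an ssh attempt from the LAN to the firewall leaves those counters unchanged, which is the quickest way to rule SNAT out as the cause of a failed login.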

 
 
 

'snat' snats everything! (almost)

Post by Mark Athert » Mon, 15 Oct 2001 16:25:47


Quote: Yesterday I wrote...
>This works in that I can access the Internet from another machine on
>the LAN (also news and ping). However it _doesn't_ work as expected in
>that:

>New (i.e. opened after running the iptables script) ssh sessions
>connections fail to connect, but old ones continue to work OK.

>However smb works fine, even if Samba is restarted after running the
>script.

>I thought that entries in the POSTROUTING table only acted on packets
>that were on their way out of the box. Any explanations and
>suggestions for getting ssh to work would be welcome.

>Mark Atherton

As usual the error turns out to be mine or Win98's rather than Linux's. I
have discovered that the Win98 PC I was using PuTTY on for ssh to the
Linux PC had an incorrect hosts file. Therefore, when I was trying to
ssh between PCs, the Linux machine was querying my internet DNS server.
This caused the modem activity and the ultimate failure of the ssh
connection (since my ISP's DNS server doesn't have the correct IP
address!)

Sorry for bothering the group, I'll think (longer) before I post next
time!

Mark Atherton


1. iptables SNAT & DNAT won't accept name

I would like to use a NAME instead of an IP address
in the "--to NAME:port" part of the iptables command, but
it fails. For example:

      iptables -t nat -A PREROUTING ..... -j SNAT --to NAME:port

does not work. However,

      iptables -t nat -A PREROUTING ..... -j SNAT --to IP:port

works. So now, is it expected behaviour, and how do I work
around it?
