[gentoo-user] iptables configuration problem
From: Chuanwen Wu @ 2007-05-13 14:41 UTC
To: gentoo-user

Hi, guys!

I use iptables to let the PCs in the subnet connect to the internet outside. And I wrote a simple script, but it doesn't work:

    #!/bin/sh
    iptables -F
    # Define packets from Internet server to Intranet
    iptables -A FORWARD -d 198.168.1.0/24 -i eth0 -j ACCEPT
    # Define packets from Intranet to Internet
    iptables -A FORWARD -s 198.168.1.0/24 -i eth1 -j ACCEPT

Here is the result of iptables -L:

    # iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             198.168.1.0/24
    ACCEPT     all  --  198.168.1.0/24       anywhere

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

The eth0 here has the real IP, and the eth1 has a subnet IP: 192.168.1.21.

How to fix this problem? All I need now is just to let my office machine use the internet!

Thanks in advance!!

-- 
wcw
-- 
gentoo-user@gentoo.org mailing list
Re: [gentoo-user] iptables configuration problem
From: Fabio A Correa @ 2007-05-13 15:03 UTC
To: gentoo-user

Hello Wu,

Instead of the commands you posted, you should use

    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables --table nat -A POSTROUTING -s 192.168.8.0/24 -j MASQUERADE

Long explanation:

The first command enables the kernel to _forward_ packets from eth0 to eth1 and vice versa. To do the actual forwarding, the second command is used:

    --table nat    : Network address translation table.
    -A POSTROUTING : for altering packets as they are about to go out, after it is determined that they are to be forwarded by means of the first instruction.
    -j MASQUERADE  : Masquerade the addresses of computers in the subnet with the address of the routing computer.

The kernel takes care of the subtle details on masquerading.

I hope this helps!!!

-- 
Fabio A. Correa D.

Physics Dept, Universidad Nacional, Bogota, Colombia
facorread@gmail.com
ffaaccdd@yahoo.co.uk facorread@unal.edu.co
My webpage and OpenPGP key at http://facorread.150m.com
facorread@alexandria.cc is not working anymore!!!
Re: [gentoo-user] iptables configuration problem
From: Chuanwen Wu @ 2007-05-14 3:31 UTC
To: gentoo-user

2007/5/13, Fabio A Correa <facorread@gmail.com>:
> Hello Wu,
>
> Instead of the commands you posted, you should use
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> iptables --table nat -A POSTROUTING -s 192.168.8.0/24 -j MASQUERADE
>

I have tried. But it still doesn't work.
Here is the information after executing your advice:

    -------------------------------------------------------------------------------------------------
    [root@localhost ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
    [root@localhost ~]# iptables --table nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
    [root@localhost ~]# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    [root@localhost ~]# iptables -L -t nat
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    MASQUERADE  all  --  192.168.1.0/24       anywhere

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    ------------------------------------------------------------------------------

Then on my other PCs, I still can't ping the website outside.
Why?

> Long explanation:
>
> The first command enables the kernel to _forward_ packets from eth0 to eth1 and vice versa. To
> do the actual forwarding, the second command is used:
>
> --table nat : Network address translation table.
> -A POSTROUTING for altering packets as they are about to go out, after it is determined that
> they are to be forwarded by means of the first instruction.
> -j MASQUERADE Masquerade the addresses of computers in the subnet with the address of the routing
> computer.
>
> The kernel takes care of the subtle details on masquerading.
>
> I hope this helps!!!
>
> --
> Fabio A. Correa D.
>
> Physics Dept, Universidad Nacional, Bogota, Colombia
> facorread@gmail.com
> ffaaccdd@yahoo.co.uk facorread@unal.edu.co
> My webpage and OpenPGP key at http://facorread.150m.com
> facorread@alexandria.cc is not working anymore!!!
>

Thank you for your details!!!

-- 
wcw
Re: [gentoo-user] iptables configuration problem
From: Norberto Bensa @ 2007-05-14 3:56 UTC
To: gentoo-user; +Cc: Chuanwen Wu

Chuanwen Wu wrote:
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> MASQUERADE  all  --  192.168.1.0/24       anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> ------------------------------------------------------------------------------
> Then on my other PCs, I still can't ping the website outside.
> Why?

Have you set up a default gateway on those boxes?
Re: [gentoo-user] iptables configuration problem
From: Norberto Bensa @ 2007-05-14 10:48 UTC
To: Chuanwen Wu, gentoo-user

Chuanwen Wu wrote:
> I have tried setting all the gw in my subnet to 192.168.1.254 or 192.168.1.1.
> Isn't it all right?

I don't know, it depends on what your gw's IP is.

Let's say you have this setup:

GW: 192.168.1.1

Other PCs are: 192.168.1.2... 192.168.1.3... and so on.

On the GW you need:

    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING -o ethX -j MASQUERADE

(note: change ethX to the NIC your internet connection is on. If your cablemodem/adsl/whatever is on eth3 -for example- change ethX to eth3)

On the other PCs you need to set GW to 192.168.1.1

I hope this helps.

Best regards,
Norberto
Re: [gentoo-user] iptables configuration problem
From: Chuanwen Wu @ 2007-05-14 11:23 UTC
To: gentoo-user

2007/5/14, Norberto Bensa <nbensa@gmx.net>:
> Chuanwen Wu wrote:
> > I have tried setting all the gw in my subnet to 192.168.1.254 or 192.168.1.1.
> > Isn't it all right?
>
> I don't know, it depends on what your gw's IP is.
>
> Let's say you have this setup:
>
> GW: 192.168.1.1
>
> Other PCs are: 192.168.1.2... 192.168.1.3... and so on.
>
> On the GW you need:
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> iptables -t nat -A POSTROUTING -o ethX -j MASQUERADE
> (note: change ethX to the NIC your internet connection is on. If your
> cablemodem/adsl/whatever is on eth3 -for example- change ethX to eth3)
>
> On the other PCs you need to set GW to 192.168.1.1
>
> I hope this helps.
>
> Best regards,
> Norberto
>

Thank you! I think I have done what you meant.
Here is the information:

/etc/conf.d/net in the server

    config_eth0=( "202.114.10.134 netmask 255.255.255.0 brd 202.114.10.255" )
    routes_eth0=( "default gw 202.114.10.129" )

    config_eth1=( "192.168.1.63 netmask 255.255.255.0 brd 192.168.1.255" )
    routes_eth1=( "default gw 192.168.1.1" )

/etc/conf.d/net in one PC

    config_eth0=( "192.168.1.35 netmask 255.255.255.0 brd 192.168.1.255" )
    routes_eth0=( "default gw 192.168.1.1" )

-- 
wcw
Re: [gentoo-user] iptables configuration problem
From: Norberto Bensa @ 2007-05-14 14:58 UTC
To: gentoo-user; +Cc: gentoo-user

On Mon, May 14, 2007 8:23 am, Chuanwen Wu wrote:
> Thank you! I think I have done what you meant.
> Here is the information:
>
> /etc/conf.d/net in the server
> config_eth0=( "202.114.10.134 netmask 255.255.255.0 brd 202.114.10.255" )
> routes_eth0=( "default gw 202.114.10.129" )

OK

> config_eth1=( "192.168.1.63 netmask 255.255.255.0 brd 192.168.1.255" )
> routes_eth1=( "default gw 192.168.1.1" )

You don't need a route here.

> /etc/conf.d/net in one PC
> config_eth0=( "192.168.1.35 netmask 255.255.255.0 brd 192.168.1.255" )
> routes_eth0=( "default gw 192.168.1.1" )

No. GW should be 192.168.1.63, which is the IP address of your gateway.

HTH,
Norberto
Re: [gentoo-user] iptables configuration problem
From: Dan Farrell @ 2007-05-14 21:36 UTC
To: gentoo-user

Greetings all. Hope the weather in Beijing is pleasant, Mr Wu.

On Mon, 14 May 2007 11:58:34 -0300 (ART)
"Norberto Bensa" <nbensa@gmx.net> wrote:

> On Mon, May 14, 2007 8:23 am, Chuanwen Wu wrote:
> > Thank you! I think I have done what you meant.
> > Here is the information:
> >
> > /etc/conf.d/net in the server
> > config_eth0=( "202.114.10.134 netmask 255.255.255.0 brd 202.114.10.255" )
> > routes_eth0=( "default gw 202.114.10.129" )
>
> OK
>
> > config_eth1=( "192.168.1.63 netmask 255.255.255.0 brd 192.168.1.255" )
> > routes_eth1=( "default gw 192.168.1.1" )
>
> You don't need a route here.

More exactly, a route to the subnet 192.168.1.0/24 will automatically be created through eth1. A _gateway_ in this case is not necessary because eth1 lives on that subnet.

> > /etc/conf.d/net in one PC
> > config_eth0=( "192.168.1.35 netmask 255.255.255.0 brd 192.168.1.255" )
> > routes_eth0=( "default gw 192.168.1.1" )
>
> No. GW should be 192.168.1.63, which is the IP address of your gateway.
> HTH,
> Norberto

First, the firewall configuration. Your first message said:

> The eth0 here has the real IP, and the eth1 has a subnet IP: 192.168.1.21.

But here you show that you set it to .63, as Norberto pointed out. I assume that was just a typographical error in the first email. Moving on, the default route for the firewall is probably to the outside world, and if you can ping google.com, it works.

Second, the client configuration. The route for the subnet it's on (192.168.1/24) is automatically created, as before. The default route is the IP of the firewall/gateway it's behind, namely 192.168.1.63 as Norberto said. The machine that's forwarding packets to the internet for these hosts now provides the route to the outside world for these hosts.

Third, you must tell your client PCs nameservers, so that they can resolve domain names. If you fail to do so, even though a ping of google.com, for example, fails, a ping of its IP address (64.233.167.99, in my case) will work.

Fourth, you must check your firewall (that is, iptables) configuration to be sure your iptables rules all refer to the correct subnet.

> iptables --table nat -A POSTROUTING -s 192.168.8.0/24 -j MASQUERADE

That wasn't right -- obviously the subnet should be your own.

Since the firewall you're building knows all the information the hosts need to know (subnet information, routes, etc.) you may wish to set up a rudimentary DHCP server on it, so that additional hosts can be added without configuration by the user. You may also wish to implement a caching, recursive nameserver for enhanced efficiency. DNSMasq can do both.
Re: [gentoo-user] iptables configuration problem
From: Chuanwen Wu @ 2007-05-15 2:35 UTC
To: gentoo-user

Thank you Norberto and Dan Farrell! I think I had a misunderstanding and made some mistakes. I hope I have corrected it now.

/etc/conf.d/net in the server

    config_eth0=( "202.114.10.134 netmask 255.255.255.0 brd 202.114.10.255" )
    routes_eth0=( "default gw 202.114.10.129" )

    config_eth1=( "192.168.1.1 netmask 255.255.255.0 brd 192.168.1.255" )

/etc/conf.d/net in a PC

    config_eth0=( "192.168.1.35 netmask 255.255.255.0 brd 192.168.1.255" )
    routes_eth0=( "default gw 192.168.1.1" )

2007/5/15, Dan Farrell <dan@spore.ath.cx>:
> Greetings all. Hope the weather in Beijing is pleasant, Mr Wu.
>
> On Mon, 14 May 2007 11:58:34 -0300 (ART)
> "Norberto Bensa" <nbensa@gmx.net> wrote:
>
> > On Mon, May 14, 2007 8:23 am, Chuanwen Wu wrote:
> > > Thank you! I think I have done what you meant.
> > > Here is the information:
> > >
> > > /etc/conf.d/net in the server
> > > config_eth0=( "202.114.10.134 netmask 255.255.255.0 brd 202.114.10.255" )
> > > routes_eth0=( "default gw 202.114.10.129" )
> >
> > OK
> >
> > > config_eth1=( "192.168.1.63 netmask 255.255.255.0 brd 192.168.1.255" )
> > > routes_eth1=( "default gw 192.168.1.1" )
> >
> > You don't need a route here.
>
> More exactly, a route to the subnet 192.168.1.0/24 will automatically
> be created through eth1. A _gateway_ in this case is not necessary
> because eth1 lives on that subnet.
>
> > > /etc/conf.d/net in one PC
> > > config_eth0=( "192.168.1.35 netmask 255.255.255.0 brd 192.168.1.255" )
> > > routes_eth0=( "default gw 192.168.1.1" )
> >
> > No. GW should be 192.168.1.63, which is the IP address of your gateway.
> > HTH,
> > Norberto
>
> First, the firewall configuration. Your first message said:
> > The eth0 here has the real IP, and the eth1 has a subnet IP: 192.168.1.21.
> But here you show that you set it to .63, as Norberto pointed out. I
> assume that was just a typographical error in the first email. Moving
> on, the default route for the firewall is probably to the outside
> world, and if you can ping google.com, it works.
>
> Second, the client configuration. The route for the subnet it's on
> (192.168.1/24) is automatically created, as before. The default route
> is the IP of the firewall/gateway it's behind, namely 192.168.1.63 as
> Norberto said. The machine that's forwarding packets to the internet
> for these hosts now provides the route to the outside world for these
> hosts.
>
> Third, you must tell your client PCs nameservers, so that they can
> resolve domain names. If you fail to do so, even though a ping of
> google.com, for example, fails, a ping of its IP address
> (64.233.167.99, in my case) will work.

All my PCs have the same /etc/resolv.conf file as the server. And now the PC can't ping 66.249.89.99 (of course, the server can).

> Fourth, you must check your firewall (that is, iptables) configuration
> to be sure your iptables rules all refer to the correct subnet.
> > iptables --table nat -A POSTROUTING -s 192.168.8.0/24 -j MASQUERADE
> That wasn't right -- obviously the subnet should be your own.

I have already corrected it to "iptables --table nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE" from the first time.

> Since the firewall you're building knows all the information the hosts
> need to know (subnet information, routes, etc.) you may wish to set up a
> rudimentary DHCP server on it, so that additional hosts can be added
> without configuration by the user. You may also wish to implement a
> caching, recursive nameserver for enhanced efficiency. DNSMasq can do
> both.

Thanks for your advice!

When a PC pings 66.249.89.99, I got this information from the server:

    # tcpdump -n -i eth1 net 192.168.1.0/24 and port not 22 and not arp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
    10:01:08.214160 IP 192.168.1.35 > 66.249.89.99: ICMP echo request, id 35391, seq 599, length 64
    10:01:09.214014 IP 192.168.1.35 > 66.249.89.99: ICMP echo request, id 35391, seq 600, length 64
    10:01:10.213899 IP 192.168.1.35 > 66.249.89.99: ICMP echo request, id 35391, seq 601, length 64
    10:01:11.213792 IP 192.168.1.35 > 66.249.89.99: ICMP echo request, id 35391, seq 602, length 64
    10:01:12.213676 IP 192.168.1.35 > 66.249.89.99: ICMP echo request, id 35391, seq 603, length 64

    5 packets captured
    5 packets received by filter
    0 packets dropped by kernel

And

    # tcpdump -n -i eth0 net 202.114.10.134 and port not 22
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

Does it mean that eth1 (the interface in my subnet) receives the request but doesn't forward it?

-- 
wcw
Re: [gentoo-user] iptables configuration problem
From: Dan Farrell @ 2007-05-15 2:49 UTC
To: gentoo-user

On Tue, 15 May 2007 10:35:38 +0800
"Chuanwen Wu" <wcw8410@gmail.com> wrote:

> Does it mean that eth1 (the interface in my subnet) receives the request
> but doesn't forward it?

Perhaps you should attach the output of "iptables -t nat -L -v; iptables -L -v;" so I can see the rules... while you're at it, edit /etc/sysctl.conf so that forwarding is enabled every time you reboot, and make sure it's still enabled now.
Re: [gentoo-user] iptables configuration problem
From: Chuanwen Wu @ 2007-05-15 3:10 UTC
To: gentoo-user

2007/5/15, Dan Farrell <dan@spore.ath.cx>:
> On Tue, 15 May 2007 10:35:38 +0800
> "Chuanwen Wu" <wcw8410@gmail.com> wrote:
>
> > Does it mean that eth1 (the interface in my subnet) receives the request
> > but doesn't forward it?
>
> Perhaps you should attach the output of "iptables -t nat -L -v;
> iptables -L -v;" so I can see the rules... while you're at it,

    # iptables -L -v
    Chain INPUT (policy ACCEPT 24414 packets, 3853K bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 33323 packets, 7123K bytes)
     pkts bytes target     prot opt in     out     source               destination

    # iptables -L -v -t nat
    Chain PREROUTING (policy ACCEPT 7546 packets, 1103K bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain POSTROUTING (policy ACCEPT 340 packets, 28034 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 MASQUERADE  all  --  any    any     192.168.1.0/24       anywhere

    Chain OUTPUT (policy ACCEPT 350 packets, 28746 bytes)
     pkts bytes target     prot opt in     out     source               destination

> edit /etc/sysctl.conf so that forwarding is enabled every time you
> reboot, and make sure it's still enabled now.

Oh! God! I must have forgotten to enable forwarding after last night!
Now the PCs in the subnet can connect to the internet!

By the way, do you mean to change "#net.ipv4.ip_forward = 0" (default in /etc/sysctl.conf) to "net.ipv4.ip_forward = 1"?

-- 
wcw
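An added offline diagnostic, not code from the thread, that checks the three things this thread ended up debugging one by one: whether ip_forward is on, whether the MASQUERADE rule's source really matches the LAN subnet (the 198.168.1.0/24 typo in the first post would be caught), and whether a FORWARD chain with policy DROP actually lets LAN traffic out and replies back. It works on the text of `iptables -L -v`, `iptables -L -v -t nat` and /proc/sys/net/ipv4/ip_forward; the sample listings embedded below are constructed from the ones posted above, and all names in the code are this example's own.

```python
import ipaddress
import re

ANY = {"anywhere", "0.0.0.0/0"}  # how iptables prints an unrestricted address (no -n / -n)

def _count(field):
    """Parse an `iptables -v` counter such as '0', '3853K' or '7M' into an int."""
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}
    return int(field[:-1]) * mult[field[-1]] if field[-1] in mult else int(field)

def parse_chains(listing):
    """Turn `iptables -L -v` output into {chain: {"policy": ..., "rules": [...]}}."""
    chains, current = {}, None
    for line in listing.splitlines():
        head = re.match(r"Chain (\S+) \(policy (\w+)", line)
        if head:
            current = head.group(1)
            chains[current] = {"policy": head.group(2), "rules": []}
            continue
        f = line.split()  # pkts bytes target prot opt in out source destination
        if current is None or len(f) < 9 or f[0] == "pkts":
            continue
        chains[current]["rules"].append(
            {"pkts": _count(f[0]), "target": f[2], "source": f[7], "destination": f[8]})
    return chains

def _covers(field, net):
    """True if a source/destination column admits addresses of the LAN network."""
    return field in ANY or ipaddress.ip_network(field, strict=False).overlaps(net)

def diagnose(ip_forward, filter_listing, nat_listing, lan_iface):
    """List what stops LAN hosts reaching the internet; lan_iface e.g. "192.168.1.1/24"."""
    problems, lan = [], ipaddress.ip_interface(lan_iface).network
    forwarding = ip_forward.strip() == "1"
    if not forwarding:
        problems.append("ip_forward=0: persist net.ipv4.ip_forward = 1 in /etc/sysctl.conf")
    masq = [r for r in parse_chains(nat_listing).get("POSTROUTING", {"rules": []})["rules"]
            if r["target"] == "MASQUERADE"]
    if not masq:
        problems.append("no MASQUERADE rule in nat/POSTROUTING")
    for rule in masq:
        if not _covers(rule["source"], lan):  # e.g. a mistyped subnet in -s
            problems.append(f"MASQUERADE matches {rule['source']} but the LAN is {lan}")
        elif forwarding and rule["pkts"] == 0:
            problems.append("MASQUERADE has 0 hits: check the clients' default gateway")
    fwd = parse_chains(filter_listing).get("FORWARD")
    if fwd and fwd["policy"] == "DROP":
        accepts = [r for r in fwd["rules"] if r["target"] == "ACCEPT"]
        # Outbound needs LAN source -> any destination; replies need any source -> LAN.
        out_ok = any(_covers(r["source"], lan) and r["destination"] in ANY for r in accepts)
        back_ok = any(r["source"] in ANY and _covers(r["destination"], lan) for r in accepts)
        if not (out_ok and back_ok):
            problems.append(f"FORWARD policy is DROP and no ACCEPT rule covers {lan}")
    return problems

# Constructed sample listings, modelled on the ones posted in this thread.
FIRST_FILTER = """Chain FORWARD (policy DROP)
    0     0 ACCEPT all -- eth0 any anywhere 198.168.1.0/24
    0     0 ACCEPT all -- eth1 any 198.168.1.0/24 anywhere
"""
FINAL_FILTER = "Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)\n"
FINAL_NAT = """Chain POSTROUTING (policy ACCEPT 340 packets, 28034 bytes)
 pkts bytes target prot opt in out source destination
    0     0 MASQUERADE all -- any any 192.168.1.0/24 anywhere
"""
```

`diagnose("0", FINAL_FILTER, FINAL_NAT, "192.168.1.1/24")` reproduces the last post's state and reports only the missing ip_forward; `diagnose("1", FIRST_FILTER, "", "192.168.1.21/24")` reports the first post's missing MASQUERADE rule and the DROP policy with no matching ACCEPT.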