* Running iptables behind router
@ 2004-02-16 23:55 Kean Pedersen
  2004-02-17 12:39 ` Alexis
  0 siblings, 1 reply; 9+ messages in thread
From: Kean Pedersen @ 2004-02-16 23:55 UTC (permalink / raw)
  To: netfilter

Hi, I have some problems setting up iptables on a linux box, acting as a
router between two networks. I have an internet connection through a
hardware router, which I have no access to. This router uses NAT, and
has an interface on 192.168.1.1. So far I've had my LAN on
192.168.1.0/24, with no problems, but would like to split it into two
LANs, one on 192.168.1.0/24, having the hardware router and some hosts,
and another one on 192.168.2.0/24, acting as an "internal" LAN.

I'd then like to connect these two LANs with a linux box running
iptables, so both LANs have access to the internet through the
hardware router.

I set up the iptables machine (which has two NICs) with the IPs
192.168.1.100 and 192.168.2.100, one on each interface. How should I set
up iptables, so the 192.168.2.0/24 range has access through iptables,
and further through the hardware router onto the internet? Only outbound
connections will be made. (Inbound connections are mapped in the
hardware router to 192.168.1.x to specific hosts, no problem there).

The computers on the 192.168.2.0/24 range should be able to make
connections to the 192.168.1.0/24 range, but not the other way around.

Any help is appreciated.

--
Kean Pedersen


^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Running iptables behind router
  2004-02-16 23:55 Running iptables behind router Kean Pedersen
@ 2004-02-17 12:39 ` Alexis
  2004-02-24  0:13   ` Kean Pedersen
  0 siblings, 1 reply; 9+ messages in thread
From: Alexis @ 2004-02-17 12:39 UTC (permalink / raw)
  To: Kean Pedersen; +Cc: netfilter

yes, do this


echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -P FORWARD DROP

iptables -A FORWARD -s 192.168.2.0/24 -j ACCEPT

then, you have 2 options

1. use one IP of 192.168.1 to NAT all the .2 network, or use a pool;
it's your choice

1st case
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j SNAT --to-source 192.168.1.254

or

iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j MASQUERADE


2nd case

iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j SNAT --to-source 192.168.1.50-192.168.1.60





-- 
Best regards,
 Alexis                            mailto:alexis@attla.net.ar





* Re: Running iptables behind router
  2004-02-17 12:39 ` Alexis
@ 2004-02-24  0:13   ` Kean Pedersen
  2004-02-24  4:31     ` John A. Sullivan III
                       ` (2 more replies)
  0 siblings, 3 replies; 9+ messages in thread
From: Kean Pedersen @ 2004-02-24  0:13 UTC (permalink / raw)
  To: netfilter

Okay... I have tried the solutions, but still can't connect from
192.168.2 to 192.168.1

I can connect fine to 192.168.1.3 (the ip of eth0 on NAT box) from
192.168.2.101 (the only machine apart from the NAT box on .2 network).

My network right now is:

Hardware router(192.168.1.1), the only access to Internet.
Desktop (192.168.1.42)
Server/NAT box (eth0:192.168.1.3 and eth1:192.168.2.1)
Laptop (192.168.2.101)

The hardware router, desktop and server:eth0 are on one switch, while
laptop and server:eth1 are on another switch.

Info from the server:
# uname -a
Linux luftguitar 2.4.25 #1 man feb 23 23:45:36 CET 2004 i586 GNU/Linux

# iptables -V
iptables v1.2.9

# iptables -t nat -L -v; iptables -L -v
Chain PREROUTING (policy ACCEPT 603 packets, 52677 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 630 packets, 49138 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    2    84 MASQUERADE  all  --  any    any     192.168.2.0/24       anywhere            

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 48705 packets, 4302K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 97 packets, 8120 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    4   336 LOG        all  --  any    any     anywhere             anywhere            LOG level warning 
    2   168 ACCEPT     all  --  any    any     192.168.2.0/24       anywhere            

Chain OUTPUT (policy ACCEPT 54057 packets, 13M bytes)
 pkts bytes target     prot opt in     out     source               destination         

# lsmod
Module                  Size  Used by    Not tainted
ipt_LOG                 3256   1  (autoclean)
ipt_state                472   0  (autoclean)
ipt_MASQUERADE          1208   1  (autoclean)
iptable_nat            14414   1  (autoclean) [ipt_MASQUERADE]
ip_conntrack           18468   0  (autoclean) [ipt_state ipt_MASQUERADE iptable_nat]
iptable_filter          1612   1  (autoclean)
ip_tables              11360   7  [ipt_LOG ipt_state ipt_MASQUERADE iptable_nat iptable_filter]

(and I have enabled ip forwarding)

I then try a ping from my laptop (192.168.2.101) to my desktop (192.168.1.42),
but all packets are lost. The packet count on iptables -L -v goes up for
postrouting/masquerade and forward/accept.
Looking in syslog the following is logged:

Feb 24 00:49:02 server kernel: IN=eth1 OUT=eth0 SRC=192.168.2.101
DST=192.168.1.42 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP
TYPE=8 CODE=0 ID=65281 SEQ=0 
Feb 24 00:49:02 server kernel: IN=eth0 OUT=eth1 SRC=192.168.1.42
DST=192.168.2.101 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=34538 PROTO=ICMP
TYPE=0 CODE=0 ID=65281 SEQ=0 
Feb 24 00:49:03 server kernel: IN=eth1 OUT=eth0 SRC=192.168.2.101
DST=192.168.1.42 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP
TYPE=8 CODE=0 ID=65281 SEQ=256 
Feb 24 00:49:03 server kernel: IN=eth0 OUT=eth1 SRC=192.168.1.42
DST=192.168.2.101 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=34539 PROTO=ICMP
TYPE=0 CODE=0 ID=65281 SEQ=256 

I can ping the server on 192.168.2.1 and 192.168.1.3 fine from
192.168.2.101, but cannot reach the desktop (192.168.1.42) or the
hardware router 192.168.1.1, and thus not the Internet.

--
Kean Pedersen





* Re: Running iptables behind router
  2004-02-24  0:13   ` Kean Pedersen
@ 2004-02-24  4:31     ` John A. Sullivan III
  2004-02-24 12:07       ` Kean Pedersen
  2004-02-24 11:06     ` Antony Stone
  2004-02-24 14:13     ` Jeffrey Laramie
  2 siblings, 1 reply; 9+ messages in thread
From: John A. Sullivan III @ 2004-02-24  4:31 UTC (permalink / raw)
  To: Kean Pedersen; +Cc: netfilter

Hmmm . . . I've always used SNAT instead of MASQUERADE.  Is it my
imagination or are the SEQ numbers very strange in your log.  I wonder
if there is some kind of loop.  What happens if you add an interface
restriction to your MASQUERADE rule, i.e., from 192.168.2.0/24 -o eth0?
What happens if you SNAT instead of MASQUERADE?

-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com




* Re: Running iptables behind router
  2004-02-24  0:13   ` Kean Pedersen
  2004-02-24  4:31     ` John A. Sullivan III
@ 2004-02-24 11:06     ` Antony Stone
  2004-02-24 14:13     ` Jeffrey Laramie
  2 siblings, 0 replies; 9+ messages in thread
From: Antony Stone @ 2004-02-24 11:06 UTC (permalink / raw)
  To: netfilter

On Tuesday 24 February 2004 12:13 am, Kean Pedersen wrote:

> My network right now is:
>
> Hardware router(192.168.1.1), the only access to Internet.
> Desktop (192.168.1.42)
> Server/NAT box (eth0:192.168.1.3 and eth1:192.168.2.1)
> Laptop (192.168.2.101)
>
> The hardware router, desktop and server:eth0 are on one switch, while
> laptop and server:eth1 are on another switch.
>
> I then try a ping from my laptop (192.168.2.101) to my desktop
> (192.168.1.42), but all packets are lost. The packet count on iptables -L -v
> goes up for postrouting/masquerade and forward/accept.

What's the routing table on 192.168.1.42?   Can the reply packets find their 
way back to 192.168.2.101 again?

Antony.

-- 
Success is a lousy teacher.  It seduces smart people into thinking they can't 
lose.

 - William H Gates III

                                                     Please reply to the list;
                                                           please don't CC me.




* Re: Running iptables behind router
  2004-02-24  4:31     ` John A. Sullivan III
@ 2004-02-24 12:07       ` Kean Pedersen
  2004-02-25 18:40         ` John A. Sullivan III
  0 siblings, 1 reply; 9+ messages in thread
From: Kean Pedersen @ 2004-02-24 12:07 UTC (permalink / raw)
  To: netfilter

Almost same result:

MASQUERADE -o eth0:

Feb 24 12:57:47 server kernel: IN=eth1 OUT=eth0 SRC=192.168.2.101 DST=192.168.1.42 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=52225 SEQ=0
Feb 24 12:57:47 server kernel: IN=eth0 OUT=eth1 SRC=192.168.1.42 DST=192.168.2.101 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=35954 PROTO=ICMP TYPE=0 CODE=0 ID=52225 SEQ=0
Feb 24 12:57:48 server kernel: IN=eth1 OUT=eth0 SRC=192.168.2.101 DST=192.168.1.42 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=52225 SEQ=256
Feb 24 12:57:48 server kernel: IN=eth0 OUT=eth1 SRC=192.168.1.42 DST=192.168.2.101 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=35955 PROTO=ICMP TYPE=0 CODE=0 ID=52225 SEQ=256
Feb 24 12:57:49 server kernel: IN=eth1 OUT=eth0 SRC=192.168.2.101 DST=192.168.1.42 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=52225 SEQ=512
Feb 24 12:57:49 server kernel: IN=eth0 OUT=eth1 SRC=192.168.1.42 DST=192.168.2.101 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=35956 PROTO=ICMP TYPE=0 CODE=0 ID=52225 SEQ=512
Feb 24 12:57:50 server kernel: IN=eth1 OUT=eth0 SRC=192.168.2.101 DST=192.168.1.42 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=52225 SEQ=768
Feb 24 12:57:50 server kernel: IN=eth0 OUT=eth1 SRC=192.168.1.42 DST=192.168.2.101 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=35957 PROTO=ICMP TYPE=0 CODE=0 ID=52225 SEQ=768


Chain INPUT (policy ACCEPT 117K packets, 25M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 540 packets, 45332 bytes)
 pkts bytes target     prot opt in     out     source               destination
  890 74760 LOG        all  --  any    any     anywhere             anywhere            LOG level warning
  445 37380 ACCEPT     all  --  any    any     192.168.2.0/24       anywhere

Chain OUTPUT (policy ACCEPT 116K packets, 20M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain PREROUTING (policy ACCEPT 6774 packets, 630K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 10584 packets, 744K bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   336 MASQUERADE  all  --  any    eth0    192.168.2.0/24       anywhere

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination


SNAT:

Chain INPUT (policy ACCEPT 119K packets, 25M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 544 packets, 45668 bytes)
 pkts bytes target     prot opt in     out     source               destination
  898 75432 LOG        all  --  any    any     anywhere             anywhere            LOG level warning
  449 37716 ACCEPT     all  --  any    any     192.168.2.0/24       anywhere

Chain OUTPUT (policy ACCEPT 117K packets, 20M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain PREROUTING (policy ACCEPT 6790 packets, 632K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 10602 packets, 745K bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   434 SNAT       all  --  any    any     192.168.2.0/24       anywhere            to:192.168.1.254

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Feb 24 12:59:14 server kernel: IN=eth1 OUT=eth0 SRC=192.168.2.101 DST=192.168.1.42 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=52481 SEQ=0
Feb 24 12:59:14 server kernel: IN=eth0 OUT=eth1 SRC=192.168.1.42 DST=192.168.2.101 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=28144 PROTO=ICMP TYPE=0 CODE=0 ID=52481 SEQ=0
Feb 24 12:59:15 server kernel: IN=eth1 OUT=eth0 SRC=192.168.2.101 DST=192.168.1.42 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=52481 SEQ=256
Feb 24 12:59:15 server kernel: IN=eth0 OUT=eth1 SRC=192.168.1.42 DST=192.168.2.101 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=28145 PROTO=ICMP TYPE=0 CODE=0 ID=52481 SEQ=256


SNAT with -o eth0:

Feb 24 13:00:25 server kernel: IN=eth1 OUT=eth0 SRC=192.168.2.101 DST=192.168.1.42 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=52993 SEQ=0
Feb 24 13:00:25 server kernel: IN=eth0 OUT=eth1 SRC=192.168.1.42 DST=192.168.2.101 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=28152 PROTO=ICMP TYPE=0 CODE=0 ID=52993 SEQ=0
Feb 24 13:00:26 server kernel: IN=eth1 OUT=eth0 SRC=192.168.2.101 DST=192.168.1.42 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=52993 SEQ=256
Feb 24 13:00:26 server kernel: IN=eth0 OUT=eth1 SRC=192.168.1.42 DST=192.168.2.101 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=28153 PROTO=ICMP TYPE=0 CODE=0 ID=52993 SEQ=256






* Re: Running iptables behind router
  2004-02-24  0:13   ` Kean Pedersen
  2004-02-24  4:31     ` John A. Sullivan III
  2004-02-24 11:06     ` Antony Stone
@ 2004-02-24 14:13     ` Jeffrey Laramie
  2 siblings, 0 replies; 9+ messages in thread
From: Jeffrey Laramie @ 2004-02-24 14:13 UTC (permalink / raw)
  To: netfilter

On Monday 23 February 2004 19:13, Kean Pedersen wrote:
> Okay... I have tried the solutions, but still can't connect from
> 192.168.2 to 192.168.1
>
> I can connect fine to 192.168.1.3 (the ip of eth0 on NAT box) from
> 192.168.2.101 (the only machine apart from the NAT box on .2 network).
>
> My network right now is:
>
> Hardware router(192.168.1.1), the only access to Internet.
> Desktop (192.168.1.42)
> Server/NAT box (eth0:192.168.1.3 and eth1:192.168.2.1)
> Laptop (192.168.2.101)
>
> The hardware router, desktop and server:eth0 are on one switch, while
> laptop and server:eth1 are on another switch.
>
> Info from the server:
> # uname -a
> Linux luftguitar 2.4.25 #1 man feb 23 23:45:36 CET 2004 i586 GNU/Linux
>
> # iptables -V
> iptables v1.2.9
>
> # iptables -t nat -L -v; iptables -L -v
> Chain PREROUTING (policy ACCEPT 603 packets, 52677 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain POSTROUTING (policy ACCEPT 630 packets, 49138 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     2    84 MASQUERADE  all  --  any    any     192.168.2.0/24       anywhere
>
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain INPUT (policy ACCEPT 48705 packets, 4302K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain FORWARD (policy DROP 97 packets, 8120 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     4   336 LOG        all  --  any    any     anywhere             anywhere            LOG level warning
>     2   168 ACCEPT     all  --  any    any     192.168.2.0/24       anywhere

You are only allowing forwarding from the 192.168.2.x subnet. You need to add 
another rule like this for the 192.168.1.x subnet so it can reply/connect to 
192.168.2.x.

Jeff


^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Running iptables behind router
  2004-02-24 12:07       ` Kean Pedersen
@ 2004-02-25 18:40         ` John A. Sullivan III
  2004-02-25 19:41           ` Kean Pedersen
  0 siblings, 1 reply; 9+ messages in thread
From: John A. Sullivan III @ 2004-02-25 18:40 UTC (permalink / raw)
  To: Kean Pedersen; +Cc: netfilter

Ah! Blinded by my own assumptions! I also always have rules to allow
RELATED and ESTABLISHED traffic.  As others on the list have pointed
out, it looks like you have no rule here to allow return traffic. 
Assuming you are using connection tracking, you will want a rule in your
forward chain similar to:
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

On Tue, 2004-02-24 at 07:07, Kean Pedersen wrote:
> Almost same result:
> 
> MASQUERADE -o eth0:
> 
> Feb 24 12:57:47 server kernel: IN=eth1 OUT=eth0 SRC=192.168.2.101 DST=192.168.1.42 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=52225 SEQ=0
> Feb 24 12:57:47 server kernel: IN=eth0 OUT=eth1 SRC=192.168.1.42 DST=192.168.2.101 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=35954 PROTO=ICMP TYPE=0 CODE=0 ID=52225 SEQ=0
> Feb 24 12:57:48 server kernel: IN=eth1 OUT=eth0 SRC=192.168.2.101 DST=192.168.1.42 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=52225 SEQ=256
> Feb 24 12:57:48 server kernel: IN=eth0 OUT=eth1 SRC=192.168.1.42 DST=192.168.2.101 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=35955 PROTO=ICMP TYPE=0 CODE=0 ID=52225 SEQ=256
> Feb 24 12:57:49 server kernel: IN=eth1 OUT=eth0 SRC=192.168.2.101 DST=192.168.1.42 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=52225 SEQ=512
> Feb 24 12:57:49 server kernel: IN=eth0 OUT=eth1 SRC=192.168.1.42 DST=192.168.2.101 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=35956 PROTO=ICMP TYPE=0 CODE=0 ID=52225 SEQ=512
> Feb 24 12:57:50 server kernel: IN=eth1 OUT=eth0 SRC=192.168.2.101 DST=192.168.1.42 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=52225 SEQ=768
> Feb 24 12:57:50 server kernel: IN=eth0 OUT=eth1 SRC=192.168.1.42 DST=192.168.2.101 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=35957 PROTO=ICMP TYPE=0 CODE=0 ID=52225 SEQ=768
> 
> 
> Chain INPUT (policy ACCEPT 117K packets, 25M bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> Chain FORWARD (policy DROP 540 packets, 45332 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>   890 74760 LOG        all  --  any    any     anywhere             anywhere            LOG level warning
>   445 37380 ACCEPT     all  --  any    any     192.168.2.0/24       anywhere
> 
> Chain OUTPUT (policy ACCEPT 116K packets, 20M bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> Chain PREROUTING (policy ACCEPT 6774 packets, 630K bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> Chain POSTROUTING (policy ACCEPT 10584 packets, 744K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     4   336 MASQUERADE  all  --  any    eth0    192.168.2.0/24       anywhere
> 
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> 
> SNAT:
> 
> Chain INPUT (policy ACCEPT 119K packets, 25M bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> Chain FORWARD (policy DROP 544 packets, 45668 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>   898 75432 LOG        all  --  any    any     anywhere             anywhere            LOG level warning
>   449 37716 ACCEPT     all  --  any    any     192.168.2.0/24       anywhere
> 
> Chain OUTPUT (policy ACCEPT 117K packets, 20M bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> Chain PREROUTING (policy ACCEPT 6790 packets, 632K bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> Chain POSTROUTING (policy ACCEPT 10602 packets, 745K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     5   434 SNAT       all  --  any    any     192.168.2.0/24       anywhere            to:192.168.1.254
> 
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> Feb 24 12:59:14 server kernel: IN=eth1 OUT=eth0 SRC=192.168.2.101 DST=192.168.1.42 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=52481 SEQ=0
> Feb 24 12:59:14 server kernel: IN=eth0 OUT=eth1 SRC=192.168.1.42 DST=192.168.2.101 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=28144 PROTO=ICMP TYPE=0 CODE=0 ID=52481 SEQ=0
> Feb 24 12:59:15 server kernel: IN=eth1 OUT=eth0 SRC=192.168.2.101 DST=192.168.1.42 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=52481 SEQ=256
> Feb 24 12:59:15 server kernel: IN=eth0 OUT=eth1 SRC=192.168.1.42 DST=192.168.2.101 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=28145 PROTO=ICMP TYPE=0 CODE=0 ID=52481 SEQ=256
> 
> 
> SNAT with -o eth0:
> 
> Feb 24 13:00:25 server kernel: IN=eth1 OUT=eth0 SRC=192.168.2.101 DST=192.168.1.42 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=52993 SEQ=0
> Feb 24 13:00:25 server kernel: IN=eth0 OUT=eth1 SRC=192.168.1.42 DST=192.168.2.101 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=28152 PROTO=ICMP TYPE=0 CODE=0 ID=52993 SEQ=0
> Feb 24 13:00:26 server kernel: IN=eth1 OUT=eth0 SRC=192.168.2.101 DST=192.168.1.42 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=52993 SEQ=256
> Feb 24 13:00:26 server kernel: IN=eth0 OUT=eth1 SRC=192.168.1.42 DST=192.168.2.101 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=28153 PROTO=ICMP TYPE=0 CODE=0 ID=52993 SEQ=256
> 
> 
> 
> On Mon, Feb 23, 2004 at 11:31:16PM -0500, John A. Sullivan III wrote:
> > Hmmm . . . I've always used SNAT instead of MASQUERADE.  Is it my
> > imagination or are the SEQ numbers very strange in your log.  I wonder
> > if there is some kind of loop.  What happens if you add an interface
> > restriction to your MASQUERADE rule, i.e., from 192.168.2.0/24 -o eth0?
> > What happens if you SNAT instead of MASQUERADE?
> > 
> > On Mon, 2004-02-23 at 19:13, Kean Pedersen wrote:
> > > Okay... I have tried the solutions, but still can't connect from
> > > 192.168.2 to 192.168.1
> > > 
> > > I can connect fine to 192.168.1.3 (the ip of eth0 on NAT box) from
> > > 192.168.2.101 (the only machine apart from the NAT box on .2 network).
> > > 
> > > My network right now is:
> > > 
> > > Hardware router(192.168.1.1), the only access to Internet.
> > > Desktop (192.168.1.42)
> > > Server/NAT box (eth0:192.168.1.3 and eth1:192.168.2.1)
> > > Laptop (192.168.2.101)
> > > 
> > > The hardware router, desktop and server:eth0 are on one switch, while
> > > laptop and server:eth1 are on another switch.
> > > 
> > > Info from the server:
> > > # uname -a
> > > Linux luftguitar 2.4.25 #1 man feb 23 23:45:36 CET 2004 i586 GNU/Linux
> > > 
> > > # iptables -V
> > > iptables v1.2.9
> > > 
> > > # iptables -t nat -L -v; iptables -L -v
> > > Chain PREROUTING (policy ACCEPT 603 packets, 52677 bytes)
> > >  pkts bytes target     prot opt in     out     source               destination         
> > > 
> > > Chain POSTROUTING (policy ACCEPT 630 packets, 49138 bytes)
> > >  pkts bytes target     prot opt in     out     source               destination         
> > >     2    84 MASQUERADE  all  --  any    any     192.168.2.0/24       anywhere            
> > > 
> > > Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
> > >  pkts bytes target     prot opt in     out     source               destination         
> > > 
> > > Chain INPUT (policy ACCEPT 48705 packets, 4302K bytes)
> > >  pkts bytes target     prot opt in     out     source               destination         
> > > 
> > > Chain FORWARD (policy DROP 97 packets, 8120 bytes)
> > >  pkts bytes target     prot opt in     out     source               destination         
> > >     4   336 LOG        all  --  any    any     anywhere             anywhere            LOG level warning 
> > >     2   168 ACCEPT     all  --  any    any     192.168.2.0/24       anywhere            
> > > 
> > > Chain OUTPUT (policy ACCEPT 54057 packets, 13M bytes)
> > >  pkts bytes target     prot opt in     out     source               destination         
> > > 
> > > # lsmod
> > > Module                  Size  Used by    Not tainted
> > > ipt_LOG                 3256   1  (autoclean)
> > > ipt_state                472   0  (autoclean)
> > > ipt_MASQUERADE          1208   1  (autoclean)
> > > iptable_nat            14414   1  (autoclean) [ipt_MASQUERADE]
> > > ip_conntrack           18468   0  (autoclean) [ipt_state ipt_MASQUERADE iptable_nat]
> > > iptable_filter          1612   1  (autoclean)
> > > ip_tables              11360   7  [ipt_LOG ipt_state ipt_MASQUERADE iptable_nat iptable_filter]
> > > 
> > > (and I have enabled ip forwarding)
> > > 
> > > I then try a ping from my laptop (192.168.2.101) to my desktop (192.168.1.42),
> > > but all packets are lost. The packet count on iptables -L -v goes up for
> > > postrouting/masquerade and forward/accept.
> > > Looking in syslog the following is logged:
> > > 
> > > Feb 24 00:49:02 server kernel: IN=eth1 OUT=eth0 SRC=192.168.2.101
> > > DST=192.168.1.42 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP
> > > TYPE=8 CODE=0 ID=65281 SEQ=0 
> > > Feb 24 00:49:02 server kernel: IN=eth0 OUT=eth1 SRC=192.168.1.42
> > > DST=192.168.2.101 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=34538 PROTO=ICMP
> > > TYPE=0 CODE=0 ID=65281 SEQ=0 
> > > Feb 24 00:49:03 server kernel: IN=eth1 OUT=eth0 SRC=192.168.2.101
> > > DST=192.168.1.42 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP
> > > TYPE=8 CODE=0 ID=65281 SEQ=256 
> > > Feb 24 00:49:03 server kernel: IN=eth0 OUT=eth1 SRC=192.168.1.42
> > > DST=192.168.2.101 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=34539 PROTO=ICMP
> > > TYPE=0 CODE=0 ID=65281 SEQ=256 
> > > 
> > > I can ping the server on 192.168.2.1 and 192.168.1.3 fine from
> > > 192.168.2.101, but cannot reach the desktop (192.168.1.42) or the
> > > hardware router 192.168.1.1, and thus not the Internet.
> > > 
> > > --
> > > Kean Pedersen
> > > 
> > > 
> > > On Tue, Feb 17, 2004 at 09:39:07AM -0300, Alexis wrote:
> > > > yes, do this
> > > > 
> > > > 
> > > > echo 1 > /proc/sys/net/ipv4/ip_forward
> > > > 
> > > > iptables -P FORWARD DROP
> > > > 
> > > > iptables -A FORWARD -s 192.168.2.0/24 -j ACCEPT
> > > > 
> > > > then, you have 2 options
> > > > 
> > > > 1 to use 1 ip of 192.168.1 to nat all the .2 network, or use a pool,
> > > > its your choice
> > > > 
> > > > 1st case
> > > > iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j SNAT --to 192.168.1.254
> > > > 
> > > > or
> > > > 
> > > > iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j MASQUERADE
> > > > 
> > > > 
> > > > 2nd case
> > > > 
> > > > iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j SNAT --to 192.168.1.50-192.168.1.60
> > > > 
> > > > 
> > > > 
> > > > 
> > > > Hello Kean,
> > > > 
> > > > Monday, February 16, 2004, 8:55:14 PM, you wrote:
> > > > 
> > > > KP> Hi, I have some problems setting up iptables on a linux box, acting as a
> > > > KP> router between two networks. I have an internet connection through a
> > > > KP> hardware router, which I have no access to. This router uses NAT, and
> > > > KP> has an interface on 192.168.1.1. So far I've had my LAN on
> > > > KP> 192.168.1.0/24, with no problems, but would like to split it into two
> > > > KP> LANs, one on 192.168.1.0/24, having the hardware router and some hosts,
> > > > KP> and another one on 192.168.2.0/24, acting as an "internal" LAN.
> > > > 
> > > > KP> I'd then like to connect these two LANs with a linux box running
> > > > KP> iptables, so the both LANs have access to the internet through the
> > > > KP> hardware router.
> > > > 
> > > > KP> I sat up the iptables machine (which have two NICs) to the IPs
> > > > KP> 192.168.1.100 and 192.168.2.100, one on each interface. How should I set
> > > > KP> up iptables, so the 192.168.2.0/24 range have access through iptables,
> > > > KP> and further through the hardware router onto the internet? Only outbound
> > > > KP> connections will be made. (Inbound connections are mapped in the
> > > > KP> hardware router to 192.168.1.x to specific hosts, no problem there).
> > > > 
> > > > KP> The computers on the 192.168.2.0/24 range should be able to make
> > > > KP> connections to the 192.168.1.0/24 range, but not the other way around.
> > > > 
> > > > KP> Any help is appreciated.
> > > > 
> > > > KP> --
> > > > KP> Kean Pedersen
> > > > 
> > > > 
> > > > -- 
> > > > Best regards,
> > > >  Alexis                            mailto:alexis@attla.net.ar
> > > > 
> > > > 
> > -- 
> > John A. Sullivan III
> > Chief Technology Officer
> > Nexus Management
> > +1 207-985-7880
> > john.sullivan@nexusmgmt.com
> > 
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com



^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Running iptables behind router
  2004-02-25 18:40         ` John A. Sullivan III
@ 2004-02-25 19:41           ` Kean Pedersen
  0 siblings, 0 replies; 9+ messages in thread
From: Kean Pedersen @ 2004-02-25 19:41 UTC (permalink / raw)
  To: netfilter

That worked :)  .2 can now connect to .1 and the Internet. Just what I
wanted, thanks.
The rules in effect now are (if anyone would like to know):

Chain INPUT (policy ACCEPT 340K packets, 61M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 557 packets, 46760 bytes)
 pkts bytes target     prot opt in     out     source               destination
  567 47151 ACCEPT     all  --  any    any     192.168.2.0/24       anywhere
   96 30109 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 322K packets, 44M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain PREROUTING (policy ACCEPT 21299 packets, 2019K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 40608 packets, 2980K bytes)
 pkts bytes target     prot opt in     out     source               destination
   57  3700 SNAT       all  --  any    any     192.168.2.0/24       anywhere            to:192.168.1.254

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination


On Wed, Feb 25, 2004 at 01:40:47PM -0500, John A. Sullivan III wrote:
> Ah! Blinded by my own assumptions! I also always have rules to allow
> RELATED and ESTABLISHED traffic.  As others on the list have pointed
> out, it looks like you have no rule here to allow return traffic. 
> Assuming you are using connection tracking, you will want a rule in your
> forward chain similar to:
> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> 
<snip>


^ permalink raw reply	[flat|nested] 9+ messages in thread
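The two diagnoses in this thread (Jeffrey's observation that nothing lets traffic from 192.168.1.x back through FORWARD, and John's `-m state --state RELATED,ESTABLISHED -j ACCEPT`) and the ruleset Kean ended up with can be checked without a second box. The Python script below is an added example, not code posted by anyone on the list: it replays the kernel LOG lines quoted above through a small model of the FORWARD chain, with the chain as first posted, with the stateful fix, and with the stateless alternative of a second per-subnet ACCEPT for 192.168.1.0/24. The Conntrack class is a simplification written for this example (ICMP echo flows only, no timeouts, no RELATED helpers), and the last packet, a fresh ping from the desktop to the laptop, is constructed rather than taken from the thread.

```python
"""Replay the thread's FORWARD chain over its own ipt_LOG lines.

Added example for this list thread, not code posted by anyone on it.
THREAD_LOG is copied from the thread, DESKTOP_INITIATED is constructed,
and Conntrack is a toy stand-in for ip_conntrack (echo flows only).
"""
import re
from ipaddress import ip_address, ip_network

LAN_INTERNAL = ip_network("192.168.2.0/24")   # laptop side, eth1
LAN_UPSTREAM = ip_network("192.168.1.0/24")   # desktop and hardware router, eth0

# Copied from the thread: echo request/reply pairs between the laptop
# (192.168.2.101) and the desktop (192.168.1.42) as logged in FORWARD.
THREAD_LOG = [
    "Feb 24 12:57:47 server kernel: IN=eth1 OUT=eth0 SRC=192.168.2.101 DST=192.168.1.42 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=52225 SEQ=0",
    "Feb 24 12:57:47 server kernel: IN=eth0 OUT=eth1 SRC=192.168.1.42 DST=192.168.2.101 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=35954 PROTO=ICMP TYPE=0 CODE=0 ID=52225 SEQ=0",
    "Feb 24 12:57:48 server kernel: IN=eth1 OUT=eth0 SRC=192.168.2.101 DST=192.168.1.42 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=52225 SEQ=256",
    "Feb 24 12:57:48 server kernel: IN=eth0 OUT=eth1 SRC=192.168.1.42 DST=192.168.2.101 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=35955 PROTO=ICMP TYPE=0 CODE=0 ID=52225 SEQ=256",
]
# Constructed (not from the thread): the desktop opens a *new* ping towards
# the laptop, which the original poster wanted blocked.
DESKTOP_INITIATED = (
    "Feb 24 13:05:00 server kernel: IN=eth0 OUT=eth1 SRC=192.168.1.42 "
    "DST=192.168.2.101 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=40000 DF "
    "PROTO=ICMP TYPE=8 CODE=0 ID=777 SEQ=0"
)
ALL_PACKETS = THREAD_LOG + [DESKTOP_INITIATED]

# The first ID= is the IP header id; the one after TYPE/CODE is the echo id.
ICMP_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=ICMP "
    r"TYPE=(?P<type>\d+) CODE=\d+ ID=(?P<echo_id>\d+) SEQ=\d+"
)


def parse_log(line):
    """Pull src, dst, ICMP type and echo id out of one ipt_LOG line."""
    m = ICMP_RE.search(line)
    if m is None:
        raise ValueError("not an ICMP LOG line: " + line)
    return {
        "src": ip_address(m["src"]),
        "dst": ip_address(m["dst"]),
        "type": int(m["type"]),          # 8 = echo request, 0 = echo reply
        "echo_id": int(m["echo_id"]),
    }


class Conntrack:
    """Toy ip_conntrack: an accepted echo request opens a flow keyed on
    (src, dst, echo id); packets matching that flow in either direction
    are ESTABLISHED, anything else is NEW."""

    def __init__(self):
        self.flows = set()

    def state(self, pkt):
        forward = (pkt["src"], pkt["dst"], pkt["echo_id"])
        reverse = (pkt["dst"], pkt["src"], pkt["echo_id"])
        return "ESTABLISHED" if forward in self.flows or reverse in self.flows else "NEW"

    def confirm(self, pkt):
        # netfilter confirms a conntrack entry only once the packet has
        # survived the filter table, so a dropped request opens no flow.
        if pkt["type"] == 8:
            self.flows.add((pkt["src"], pkt["dst"], pkt["echo_id"]))


def rule(target, match):
    return {"target": target, "match": match}


# As first posted: -P FORWARD DROP, -j LOG, -s 192.168.2.0/24 -j ACCEPT
POSTED = [rule("LOG", lambda p: True),
          rule("ACCEPT", lambda p: p["src"] in LAN_INTERNAL)]
# The fix that closed the thread: -m state --state RELATED,ESTABLISHED -j ACCEPT
STATEFUL = POSTED + [rule("ACCEPT", lambda p: p["state"] in ("ESTABLISHED", "RELATED"))]
# The stateless alternative: a second per-subnet ACCEPT for 192.168.1.0/24
STATELESS = POSTED + [rule("ACCEPT", lambda p: p["src"] in LAN_UPSTREAM)]


def run_chain(rules, lines, policy="DROP"):
    """Walk each packet through the rules in order: the first terminating
    target wins, LOG only records and falls through, the chain policy is
    the fallback. Returns (src, dst, icmp type, verdict) per packet."""
    ct = Conntrack()
    out = []
    for line in lines:
        pkt = parse_log(line)
        pkt["state"] = ct.state(pkt)
        verdict = policy
        for r in rules:
            if r["match"](pkt) and r["target"] != "LOG":
                verdict = r["target"]
                break
        if verdict == "ACCEPT":
            ct.confirm(pkt)
        out.append((str(pkt["src"]), str(pkt["dst"]), pkt["type"], verdict))
    return out


def verdicts(rules):
    """Just the verdict column, in packet order, for ALL_PACKETS."""
    return [v[3] for v in run_chain(rules, ALL_PACKETS)]


if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("stateful", STATEFUL), ("stateless", STATELESS)):
        print(name)
        for src, dst, typ, verdict in run_chain(rules, ALL_PACKETS):
            print(f"  {src:>15} -> {dst:<15} {'request' if typ == 8 else 'reply':<8} {verdict}")
```

Running it shows the posted chain accepting every echo request and dropping every reply (the DROP policy counter climbing in Kean's listings), the stateful fix accepting the replies while still dropping the desktop-initiated request, and the stateless `-s 192.168.1.0/24 -j ACCEPT` admitting that request too, which is exactly the .1-to-.2 access the original post wanted to prevent. A caveat the thread does not spell out: whatever address `SNAT --to-source` rewrites to must be one the box answers ARP for on eth0 (an address or alias configured there), or replies from 192.168.1.x never reach it; MASQUERADE sidesteps that by using the outgoing interface's own address. Restricting the NAT rule with `-o eth0`, as John suggested, keeps it from touching anything that is not actually leaving towards the 192.168.1.0/24 side.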

end of thread, other threads:[~2004-02-25 19:41 UTC | newest]

Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2004-02-16 23:55 Running iptables behind router Kean Pedersen
2004-02-17 12:39 ` Alexis
2004-02-24  0:13   ` Kean Pedersen
2004-02-24  4:31     ` John A. Sullivan III
2004-02-24 12:07       ` Kean Pedersen
2004-02-25 18:40         ` John A. Sullivan III
2004-02-25 19:41           ` Kean Pedersen
2004-02-24 11:06     ` Antony Stone
2004-02-24 14:13     ` Jeffrey Laramie

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.