From: Krunk <krunkalot@hotpop.com>
To: 'Netfilter' <netfilter@lists.netfilter.org>
Subject: RE: Curious problem with my iptable rules.....detailed postinside, help appreciated.
Date: Sun, 18 Apr 2004 17:59:09 -0500 [thread overview]
Message-ID: <1082329149.4467.55.camel@james> (raw)
In-Reply-To: <20040418194758.8E5A6474C@sterenborg.info>
> Well, I don't know exactly what you tried but don't filter in the nat table.
> It's easy to forget that you do and although it's possible ; you have the
> filter table for that.
> Flushing all rules and setting policy to ACCEPT should keep you from
> rebooting.
>
> iptables -P INPUT ACCEPT
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -F
> (iptables -X)
>
> But I suppose you already tried this..
> If it doesn't I'm curious what the output is of "iptables -nvL" and
> "iptables -t nat -nvL".
I rebooted and ran the main script. As expected, the second client
couldn't connect. I ran the above series of commands and the output of
iptables -t nat -nvL was as follows:
Chain PREROUTING (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
6 293 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * ppp0 192.168.1.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * ppp0 192.168.2.0/24 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
After seeing that the commands did not clear my nat table, I took the liberty of trying:
iptables -P INPUT ACCEPT;
iptables -P OUTPUT ACCEPT;
iptables -P FORWARD ACCEPT;
iptables -t nat -P PREROUTING ACCEPT;
iptables -t nat -P OUTPUT ACCEPT;
iptables -t nat -P POSTROUTING ACCEPT;
iptables -t nat -F;
iptables -t nat -X;
iptables -F;
iptables -X
After which iptables -t nat -nvL output is:
Chain PREROUTING (policy ACCEPT 1 packets, 76 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
This still did not enable me to bring the second client back online with the
bare minimum script.
> Reading your first post, one problem was : "eth1 can access the internet,
> but eth2 cannot". I took another look at your script, and I'll focus on nat
> only.
> This should nat clients on both eth1 and eth2 :
>
> echo 0 > /proc/sys/net/ipv4/ip_forward
> iptables -P FORWARD DROP
> iptables -F FORWARD
> iptables -A FORWARD -i eth1 -o ppp0 -s <net_lan_1> -j ACCEPT
> iptables -A FORWARD -i eth2 -o ppp0 -s <net_lan_2> -j ACCEPT
> iptables -t nat -A POSTROUTING -o ppp0 -s <net_lan_1> -j MASQUERADE
> iptables -t nat -A POSTROUTING -o ppp0 -s <net_lan_2> -j MASQUERADE
> echo 1 > /proc/sys/net/ipv4/ip_forward
Continuing in my attempts to find a way to troubleshoot without
rebooting each time, I prepended the more extensive
flush/delete/policy=ACCEPT string of commands to this script (to
ensure a clean slate). Still no connection with the second client. For
good measure I added: iptables -A INPUT --protocol tcp --dport 80 -j ACCEPT
The script now looks like:
#!/bin/bash
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -F
iptables -t nat -X
iptables -F
iptables -X

echo 0 > /proc/sys/net/ipv4/ip_forward
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -i eth1 -o ppp0 -s -j ACCEPT
iptables -A FORWARD -i eth2 -o ppp0 -s 192.168.2.78 -j ACCEPT
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.1.xxx/255.255.255.0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.2.xxx/255.255.255.0 -j MASQUERADE
iptables -A INPUT --protocol tcp --dport 80 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
So for completeness, I then reboot and run the "multieth" script:
#!/bin/bash
IPTABLES='/sbin/iptables'
# Set interface values
EXTIF='ppp0'
INTIF1='eth1'
INTIF2='eth2'
# enable ip forwarding in the kernel
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
# flush rules and delete chains
iptables -F
iptables -X
# enable masquerading to allow LAN internet access
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
# forward LAN traffic from $INTIF1 to Internet interface $EXTIF
$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT
# forward LAN traffic from $INTIF2 to Internet interface $EXTIF
$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT
#echo -e " - Allowing access to the SSH server"
$IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT
#echo -e " - Allowing access to the HTTP server"
$IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT
# block out all other Internet access on $EXTIF
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
$IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP
And the connection works fine; all have access:
iptables -nvL:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
181 15548 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
3 144 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
1 78 DROP all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
Chain FORWARD (policy ACCEPT 88 packets, 50603 bytes)
pkts bytes target prot opt in out source destination
1 65 ACCEPT all -- eth1 ppp0 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED
93 9286 ACCEPT all -- eth2 ppp0 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED
0 0 DROP all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
Chain OUTPUT (policy ACCEPT 112 packets, 13829 bytes)
pkts bytes target prot opt in out source destination
iptables -t nat -nvL:
Chain PREROUTING (policy ACCEPT 25 packets, 1526 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
20 1244 MASQUERADE all -- * ppp0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
I then run my main script and voila, everything is back to normal. Output of
iptables -t nat -nvL:
Chain PREROUTING (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * ppp0 192.168.1.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * ppp0 192.168.2.0/24 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
As you can see, the output from this list and that of the previous -t nat -nvL output is
exactly the same (unless I am missing something). So I'm still quite confused.
> Well, I don't know exactly what you tried but don't filter in the nat table.
> It's easy to forget that you do and although it's possible ; you have the
> filter table for that.
When you say "don't filter the nat table", are you referring to the setting of DROP policies
or the appending of ACCEPT policies? I have very few commands that are directed toward the
nat table:
$IPT -t nat -P PREROUTING DROP
$IPT -t nat -P POSTROUTING DROP
$IPT -t nat -P OUTPUT DROP
$IPT -t nat -A PREROUTING -j ACCEPT
$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET1 -j MASQUERADE
$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET2 -j MASQUERADE
$IPT -t nat -A POSTROUTING -j ACCEPT
$IPT -t nat -A OUTPUT -j ACCEPT
I just want to be absolutely clear.
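An added example, not part of this thread and not Krunk's or Rob's code: a small Python script that parses "iptables -nvL"-style listings and flags chains in the nat table that carry a non-ACCEPT policy or ACCEPT/DROP/REJECT rules, which is the "filtering in the nat table" that the reply warns against (the nat table only sees the first packet of a connection, so it is the wrong place to decide a packet's fate). The sample listings embedded in it are the two nat outputs posted above; the function and field names (parse_listing, audit_nat, Rule, Chain) are my own.

```python
# Added example (not from the original thread): parse "iptables -nvL"-style
# listings and flag filtering decisions that live in the nat table.
import re
from dataclasses import dataclass, field
from typing import List, Optional

# "Chain PREROUTING (policy DROP 0 packets, 0 bytes)"  -> built-in chain
CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\S+) packets, (\S+) bytes\)$")
# "Chain myforward (2 references)"                     -> user-defined chain
USER_CHAIN_RE = re.compile(r"^Chain (\S+) \((\d+) references\)$")

# Targets that decide a packet's fate; they belong in the filter table.
FILTER_TARGETS = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    pkts: int
    bytes: int
    target: str
    prot: str
    opt: str
    in_if: str
    out_if: str
    source: str
    destination: str
    extra: str = ""          # trailing match text, e.g. "tcp dpt:22"


@dataclass
class Chain:
    name: str
    policy: Optional[str]    # None for user-defined chains (they have no policy)
    rules: List[Rule] = field(default_factory=list)


def parse_count(token: str) -> int:
    """iptables -v abbreviates large counters as 15K, 2M, 1G, ..."""
    mult = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3, "T": 1000 ** 4}
    if token[-1] in mult:
        return int(token[:-1]) * mult[token[-1]]
    return int(token)


def parse_listing(text: str) -> List[Chain]:
    """Turn the text of one table's -nvL output into Chain objects."""
    chains: List[Chain] = []
    current: Optional[Chain] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("pkts bytes target"):
            continue                       # blank line or column header
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2))
            chains.append(current)
            continue
        m = USER_CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), None)
            chains.append(current)
            continue
        if current is None:
            raise ValueError(f"rule line before any chain header: {line!r}")
        # Nine fixed columns; everything after the destination is match text.
        parts = line.split(None, 9)
        if len(parts) < 9:
            raise ValueError(f"malformed rule line: {line!r}")
        extra = parts[9] if len(parts) > 9 else ""
        current.rules.append(Rule(parse_count(parts[0]), parse_count(parts[1]),
                                  *parts[2:9], extra))
    return chains


def audit_nat(chains: List[Chain]) -> List[str]:
    """Report policies and rules in a nat-table listing that act as filters."""
    findings: List[str] = []
    for ch in chains:
        if ch.policy is not None and ch.policy != "ACCEPT":
            findings.append(f"{ch.name}: policy {ch.policy}; nat chains should stay ACCEPT, "
                            f"filter in the filter table instead")
        for r in ch.rules:
            if r.target in FILTER_TARGETS:
                findings.append(f"{ch.name}: {r.target} rule {r.source} -> {r.destination} "
                                f"is a filtering decision and belongs in the filter table")
    return findings


# Sample input: the nat listing from the message above (before the full reset).
SAMPLE_NAT = """\
Chain PREROUTING (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    6   293 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 MASQUERADE all -- * ppp0 192.168.1.0/24 0.0.0.0/0
    0     0 MASQUERADE all -- * ppp0 192.168.2.0/24 0.0.0.0/0
    0     0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
"""

# Sample input: the nat listing after "iptables -t nat -P ... ACCEPT; -t nat -F; -t nat -X".
CLEAN_NAT = """\
Chain PREROUTING (policy ACCEPT 1 packets, 76 bytes)
 pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
"""

if __name__ == "__main__":
    # Usage on a live box: iptables -t nat -nvL | python3 this_script.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NAT
    for finding in audit_nat(parse_listing(text)) or ["nat table looks clean"]:
        print(finding)
```

Run against the first listing it reports six findings (three DROP policies and three catch-all ACCEPT rules); the MASQUERADE rules are left alone, and the post-reset listing produces none. The same parser also reads filter-table output, where the trailing match text such as "tcp dpt:22" lands in the extra field.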
Thread overview:
2004-04-16 23:35 Curious problem with my iptable rules.....detailed post inside, help appreciated Krunk
2004-04-17 19:09 ` Rob Sterenborg
2004-04-18 18:10 ` Krunk
2004-04-18 19:47 ` Curious problem with my iptable rules.....detailed postinside, " Rob Sterenborg
2004-04-18 22:59 ` Krunk [this message]
2004-04-19 0:11 ` Curious problem with my iptable rules.....detailed postinside,help appreciated Rob Sterenborg
2004-04-19 1:58 ` Krunk