* Masquerade/SNAT with RH 8.0
@ 2002-11-11  6:58 Bob
  2002-11-11  8:35 ` Joel Newkirk
  2002-11-11 15:10 ` Ben Russo
  0 siblings, 2 replies; 3+ messages in thread

From: Bob @ 2002-11-11 6:58 UTC (permalink / raw)
To: netfilter

I hope this hasn't been covered a million times. I'm trying to share the internet connection in my house. I'm very new to IPTABLES, and I can't get the sharing to work. Here is the setup. Please let me know if you need more information. Any help would be greatly appreciated!!!

The server is RH 8.0 with IPTABLES, and a DHCP server running. The clients are a Mac and a PC (9.2 and Win98). Network connectivity is good. All three machines can ping each other, via private IPs:

192.168.0.30
192.168.0.22
192.168.0.1 (Internal NIC, Eth1)

The two clients have never been able to ping the public Eth0 card.

I have set forwarding to one, and that is set to be that way when the computer first boots, with this line:

echo 1 > /proc/sys/net/ipv4/ip_forward

That line seems to be working okay.

Here is the very simple ruleset that I've found on the net, and that seems to make sense:

$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD

$IPTABLES -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i eth1 -o eth0 -j ACCEPT
$IPTABLES -A FORWARD -j LOG

$IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to 208.141.xxx.xxx

Here is what the resulting script looks like:

*mangle
:PREROUTING ACCEPT [4:256]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Mon Nov 11 00:29:53 2002
# Generated by iptables-save v1.2.6a on Mon Nov 11 00:29:53 2002
*nat
:PREROUTING ACCEPT [370:28696]
:POSTROUTING ACCEPT [396:23845]
:OUTPUT ACCEPT [406:24455]
-A POSTROUTING -o eth0 -j SNAT --to-source 208.141.xxx.xxx #(my public IP)
COMMIT
# Completed on Mon Nov 11 00:29:53 2002
# Generated by iptables-save v1.2.6a on Mon Nov 11 00:29:53 2002
*filter
:INPUT ACCEPT [140:118403]

I am just not sure what I am doing wrong. I don't know where to look to see what kind of error messages might be popping up.

Does anyone have any ideas why I can't get packets forwarded from the internal interface to the external interface and out to the internet?

Any advice would be greatly appreciated. I've been trying to figure this out for a couple of weeks now. Thanks so much in advance!

Bob

ps. Where does IPTABLES log to? I notice in the above script it tells the kernel to log all forwarded packets. (at least that is how I read it, I could be wrong). Thanks again.
* Re: Masquerade/SNAT with RH 8.0
  2002-11-11  6:58 Masquerade/SNAT with RH 8.0 Bob
@ 2002-11-11  8:35 ` Joel Newkirk
  2002-11-11 15:10 ` Ben Russo
  1 sibling, 0 replies; 3+ messages in thread

From: Joel Newkirk @ 2002-11-11 8:35 UTC (permalink / raw)
To: Bob, netfilter

On Monday 11 November 2002 01:58 am, Bob wrote:
{Well, actually everything he wrote is down at the bottom... :^}

Make sure you have both the ip_conntrack and iptable_nat modules loaded to the kernel. (insmod or modprobe)

In your FORWARD chain (filter FORWARD, more precisely) try just matching -i eth0 or -i eth1, and be very sure these are the devices you need. (IE, on my machine eth1 is addressless, with ppp0 connecting over it with DSL, so my rules use ppp0)

Put the ip_forward activation after you have set up forwarding rules, or at least after you have set the default policy for that chain to DROP.

Read through Oscar's tutorial at http://iptables-tutorial.frozentux.net for lots of info, and some example scripts.

As soon as you get the forwarding working, I'd suggest locking things down, like a default DROP policy on INPUT, which would then allow only explicitly allowed connections to be made to your machine, and an ESTABLISHED/RELATED rule for input (no interface or address match needed). Depending on the usage, etc, you might accept only port 80, 53, etc forwarding from the LAN, and let other odd stuff drop (or log'n'drop) to block most worms, virii, phone-home programs, spyware, etc.

What happens here is a packet to be forwarded hits the first rule, and gets passed to the nat POSTROUTING chain if it's inbound from the internet (eth0) and part of or related to a connection initiated from inside (beyond eth1). If not it hits the second rule, which it gets passed if it's outbound from an internal machine. The third rule logs what remains (which may be quite a bit, or very little, YRMV) and the log by default is /var/log/messages which you can read a variety of ways.

Simplest from a shell is usually "tail -n 25 /var/log/messages" which will list the last 25 log entries. (NOT just from IPTables!!) You can also "cat /var/log/messages | grep SRC=" to list only IPTables logs, as nothing else I've come across yet logs with those four characters in every single entry. (Or get real fancy and "cat /var/log/messages | grep SRC= | tail -n 50" for the last 50 iptables...)

j

> I hope this hasn't been covered a million times. I'm trying to share the
> internet connection in my house. I'm very new to IPTABLES, and I can't get
> the sharing to work. Here is the setup. Please let me know if you need more
> information. Any help would be greatly appreciated!!!
> The server is RH 8.0 with IPTABLES, and a DHCP server running. The Clients
> are a Mac and a PC (9.2 and Win98). Network Connectivity is good. All Three
> machines can ping each other, via private IPs:
> 192.168.0.30
> 192.168.0.22
> 192.168.0.1 (Internal NIC, Eth1)
>
> The two clients have never been able to ping the public Eth0 card.
>
> I have set forwarding to one, and that is set to be that way when the
> computer first boots, with this line:
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> That line seems to be working okay.
>
> Here is the very simple ruleset that I've found on the net, and that seems
> to make sense:
>
> $IPTABLES -P INPUT ACCEPT
> $IPTABLES -F INPUT
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -F OUTPUT
> $IPTABLES -P FORWARD DROP
> $IPTABLES -F FORWARD
>
> $IPTABLES -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED \
> -j ACCEPT
> $IPTABLES -A FORWARD -i eth1 -o eth0 -j ACCEPT
> $IPTABLES -A FORWARD -j LOG
>
> $IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to 208.141.xxx.xxx
>
> Here is what the resulting script looks like:
>
> *mangle
> :PREROUTING ACCEPT [4:256]
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> COMMIT
> # Completed on Mon Nov 11 00:29:53 2002
> # Generated by iptables-save v1.2.6a on Mon Nov 11 00:29:53 2002
> *nat
> :PREROUTING ACCEPT [370:28696]
> :POSTROUTING ACCEPT [396:23845]
> :OUTPUT ACCEPT [406:24455]
> -A POSTROUTING -o eth0 -j SNAT --to-source 208.141.xxx.xxx #(my public IP)
> COMMIT
> # Completed on Mon Nov 11 00:29:53 2002
> # Generated by iptables-save v1.2.6a on Mon Nov 11 00:29:53 2002
> *filter
> :INPUT ACCEPT [140:118403]
>
> I am just not sure what I am doing wrong. I don't know where to look to see
> what kind of error messages might be popping up.
>
> Does anyone have any ideas why I can't get packets forwarded from the
> internal interface to the external interface and out to the internet?
>
> Any advice would be greatly appreciated. I've been trying to figure this
> out for a couple of weeks now. Thanks so much in advance!
>
> Bob
>
> ps. Where does IPTABLES log to? I notice in the above script it tells the
> kernel to log all forwarded packets. (at least that is how I read it, I
> could be wrong). Thanks again.
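As an added illustration (not part of Joel's reply), a small Python script that does what his "grep SRC=" does, but parses each entry into fields and also picks out reply packets from the internet side that reached the catch-all LOG rule, which is what Bob would see if the ESTABLISHED,RELATED rule is not matching. The log lines and addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of /var/log/messages in the shape the FORWARD LOG rule
# produces (no --log-prefix, so each kernel entry starts at IN=). One sshd
# line is mixed in; addresses are documentation ranges, not Bob's real IP.
SAMPLE_LOG = """\
Nov 11 00:31:02 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.0.30 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4231 DF PROTO=TCP SPT=1042 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 11 00:31:02 gw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.10 DST=192.168.0.30 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=1042 WINDOW=5792 RES=0x00 ACK SYN URGP=0
Nov 11 00:31:05 gw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.0.22 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=9911 DF PROTO=TCP SPT=3099 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 11 00:31:09 gw sshd[812]: Accepted password for bob from 192.168.0.22 port 1034
Nov 11 00:31:10 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.0.22 DST=198.51.100.53 LEN=64 TOS=0x00 PREC=0x00 TTL=127 ID=512 PROTO=UDP SPT=1025 DPT=53 LEN=44
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAGS = ("SYN", "ACK", "FIN", "RST")

def parse_log_line(line):
    """KEY=VALUE fields of one netfilter LOG entry, or None if the line is
    not one (Joel's 'grep SRC=' test applied per line)."""
    if "SRC=" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    # TCP flags are bare words without '=', so collect them separately.
    fields["FLAGS"] = [flag for flag in TCP_FLAGS if f" {flag} " in line]
    return fields

def summarize(text):
    """Count logged packets per (IN, OUT, PROTO, DPT): a quick picture of
    what the catch-all FORWARD LOG rule is seeing."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_log_line(line)
        if f is not None:
            counts[(f.get("IN", ""), f.get("OUT", ""),
                    f.get("PROTO", ""), f.get("DPT", ""))] += 1
    return counts

def logged_replies(text, wan="eth0"):
    """Entries arriving on the internet side with ACK set: reply traffic the
    ESTABLISHED,RELATED rule should have accepted before the LOG rule. If
    these show up, conntrack is not matching (e.g. ip_conntrack not loaded),
    which is the first thing Joel tells Bob to check."""
    return [f for f in map(parse_log_line, text.splitlines())
            if f and f.get("IN") == wan and "ACK" in f["FLAGS"]]
```

Run it against a real file with summarize(open("/var/log/messages").read()); entries with a --log-prefix parse the same way, since the prefix contains no KEY= fields.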
* Re: Masquerade/SNAT with RH 8.0
  2002-11-11  6:58 Masquerade/SNAT with RH 8.0 Bob
  2002-11-11  8:35 ` Joel Newkirk
@ 2002-11-11 15:10 ` Ben Russo
  1 sibling, 0 replies; 3+ messages in thread

From: Ben Russo @ 2002-11-11 15:10 UTC (permalink / raw)
To: Bob; +Cc: netfilter

On Mon, 2002-11-11 at 01:58, Bob wrote:
> *mangle
> :PREROUTING ACCEPT [4:256]
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> COMMIT
> # Completed on Mon Nov 11 00:29:53 2002
> # Generated by iptables-save v1.2.6a on Mon Nov 11 00:29:53 2002
> *nat
> :PREROUTING ACCEPT [370:28696]
> :POSTROUTING ACCEPT [396:23845]
> :OUTPUT ACCEPT [406:24455]
> -A POSTROUTING -o eth0 -j SNAT --to-source 208.141.xxx.xxx #(my public IP)

### On redhat 8, the iptables system 5 init script reads
### /etc/sysconfig/iptables
### This file has the same content as the output of iptables-save
### so if you make changes to that file you can then do an
### service iptables restart
### Get rid of the line above and replace it with:

-A POSTROUTING -s 192.168.108.0/255.255.255.0 -o eth0 -j MASQUERADE

### Replace 192.168.108.0/255.255.255.0 with your internal subnet
### replace eth0 with whatever your internet facing interface is.

> COMMIT
> # Completed on Mon Nov 11 00:29:53 2002
> # Generated by iptables-save v1.2.6a on Mon Nov 11 00:29:53 2002
> *filter
> :INPUT ACCEPT [140:118403]

If I were you I would set my INPUT policy to DROP, and then add specific allow rules for what I want to come into my box. Assume that eth0 faces the internet, and eth1 is internal.

If your ISP uses DHCP you probably want at least these rules:

-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 14 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 16 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 18 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 31 -j ACCEPT

If your internal subnet can be considered "trusted" and its subnet was 192.168.108.0/255.255.255.0 you could add:

-A INPUT -i eth1 -s 192.168.108.0/255.255.255.0 -j ACCEPT

Also, use "chkconfig --list" to make sure that your iptables is "on" for the runlevel you are using. Then do an /sbin/service iptables restart

Also check that your /etc/sysconfig/network file has the following line:

GATEWAYDEV=eth0

You don't have to worry about manually loading all the iptables modules for this. In RedHat 8 they will get loaded auto-magically if you are using the standard kernel and the standard iptables startup script.

-Ben.
RHCE
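As an added illustration (not part of Ben's reply), a Python check that reads iptables-save text, the same form as /etc/sysconfig/iptables, and reports which of the points Ben raises it does not yet meet: a POSTROUTING SNAT/MASQUERADE rule on the internet side restricted to the internal subnet, an INPUT policy of DROP, an INPUT RELATED,ESTABLISHED rule, and the FORWARD ESTABLISHED,RELATED rule. The sample ruleset is constructed from Bob's post with a placeholder public IP, and the 192.168.0.0/255.255.255.0 subnet is assumed from his internal addresses.

```python
# Constructed iptables-save text shaped like Bob's /etc/sysconfig/iptables
# (filter section filled in from his ruleset; public IP is a placeholder).
BEFORE = """\
*nat
:POSTROUTING ACCEPT [396:23845]
-A POSTROUTING -o eth0 -j SNAT --to-source 203.0.113.5 #(my public IP)
COMMIT
*filter
:INPUT ACCEPT [140:118403]
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
"""

def parse_save(text):
    """iptables-save text -> {table: {"policy": {chain: pol}, "rules": [..]}}."""
    tables, cur = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop '# Generated by' and trailing comments
        if not line or line == "COMMIT":
            continue
        if line.startswith("*"):               # table header, e.g. *nat
            cur = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":"):             # chain policy, e.g. :INPUT ACCEPT [n:m]
            cur["policy"][line[1:].split()[0]] = line[1:].split()[1]
        elif line.startswith("-A"):
            cur["rules"].append(line)
    return tables

def audit(text, wan="eth0", lan_net="192.168.0.0/255.255.255.0"):
    """Return the points from Ben's reply that the ruleset does not yet meet."""
    t = parse_save(text)
    nat = t.get("nat", {"rules": []})["rules"]
    filt = t.get("filter", {"policy": {}, "rules": []})
    snat = [r for r in nat if r.startswith("-A POSTROUTING") and f"-o {wan}" in r
            and ("-j SNAT" in r or "-j MASQUERADE" in r)]
    findings = []
    if not snat:
        findings.append(f"nat POSTROUTING: no SNAT/MASQUERADE rule for -o {wan}")
    if any(f"-s {lan_net}" not in r for r in snat):
        findings.append(f"nat POSTROUTING: rule not limited to -s {lan_net}")
    if filt["policy"].get("INPUT") != "DROP":
        findings.append("filter INPUT: policy is not DROP")
    if not any(r.startswith("-A INPUT") and "ESTABLISHED" in r for r in filt["rules"]):
        findings.append("filter INPUT: no RELATED,ESTABLISHED accept rule")
    if not any(r.startswith("-A FORWARD") and f"-i {wan}" in r and "ESTABLISHED" in r
               for r in filt["rules"]):
        findings.append(f"filter FORWARD: no ESTABLISHED,RELATED rule for -i {wan}")
    return findings
```

On a live box, audit(open("/etc/sysconfig/iptables").read()) reports the same findings; an empty list means the file already matches Ben's suggestions. Whether ip_forward is set is not visible in this file and still has to be checked separately.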