From: Joel Newkirk <netfilter@newkirk.us>
To: Bob@yellowbugcomputers.com, netfilter@lists.netfilter.org
Subject: Re: Masquerade/SNAT with RH 8.0
Date: Mon, 11 Nov 2002 03:35:11 -0500
Message-ID: <200211110335.11299.netfilter@newkirk.us>
In-Reply-To: <200211102258.AA5768406@yellowbugcomputers.com>

On Monday 11 November 2002 01:58 am, Bob wrote:
{Well, actually everything he wrote is down at the bottom... :^}

Make sure you have both the ip_conntrack and iptable_nat modules loaded into the 
kernel (insmod or modprobe).  In your FORWARD chain (filter FORWARD, more 
precisely) try just matching -i eth0 or -i eth1, and be very sure these are 
the devices you need.  (I.e., on my machine eth1 is addressless, with ppp0 
connecting over it with DSL, so my rules use ppp0.)

Put the ip_forward activation after you have set up forwarding rules, or at 
least after you have set the default policy for that chain to DROP.

Read through Oscar's tutorial at http://iptables-tutorial.frozentux.net for 
lots of info, and some example scripts.  As soon as you get the forwarding 
working, I'd suggest locking things down, like a default DROP policy on 
INPUT, which would then allow only explicitly allowed connections to be made 
to your machine, and an ESTABLISHED/RELATED rule for input (no interface or 
address match needed).  Depending on the usage, etc., you might accept only 
port 80, 53, etc. forwarding from the LAN, and let other odd stuff drop (or 
log'n'drop) to block most worms, viruses, phone-home programs, spyware, etc.

What happens here is a packet to be forwarded hits the first rule, and gets 
passed to the nat POSTROUTING chain if it's inbound from the internet (eth0) 
and part of or related to a connection initiated from inside (beyond eth1).  
If not it hits the second rule, which it gets passed if it's outbound from an 
internal machine.  The third rule logs what remains (which may be quite a 
bit, or very little, YRMV) and the log by default is /var/log/messages which 
you can read a variety of ways.  Simplest from a shell is usually "tail -n 25 
/var/log/messages" which will list the last 25 log entries.  (NOT just from 
IPTables!!)  You can also "cat /var/log/messages | grep SRC=" to list only 
IPTables logs, as nothing else I've come across yet logs with those four 
characters in every single entry.  (Or get real fancy and "cat 
/var/log/messages | grep SRC= | tail -n 50" for the last 50 iptables...)

j
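The advice above (modules first, interface matches on FORWARD, a locked-down INPUT with an ESTABLISHED/RELATED rule, a short egress allowlist with log'n'drop for the rest, and ip_forward switched on only after the DROP policies are in place) pulled together into one gateway script. This is an added example, not Bob's ruleset or anything Joel posted. It assumes eth0 is the WAN side, eth1 the LAN on 192.168.0.0/24, and uses 203.0.113.10 (an RFC 5737 documentation address) as a stand-in for the real public IP; all three are overridable through environment variables. The script only emits the commands; applying them is a separate, explicit step.

```shell
#!/bin/sh
# Added example gateway ruleset (not from the original thread). Assumed layout:
# eth0 = WAN with a static public address, eth1 = LAN on 192.168.0.0/24,
# kernel 2.4-era iptables with the state, multiport and LOG modules.
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # RFC 5737 stand-in for the real address

# Emit the commands in order on stdout. Nothing is applied here:
#   sh gateway.sh print     # review
#   sh gateway.sh apply     # run as root, aborts on the first failing command
build_ruleset() {
    cat <<EOF
modprobe ip_conntrack || true
modprobe iptable_nat || true
modprobe ipt_state || true
modprobe ipt_multiport || true
modprobe ipt_LOG || true
# forwarding stays off while the rules are rebuilt
echo 0 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -X
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# anti-spoofing: LAN addresses never arrive from the WAN side
iptables -A INPUT -i $WAN -s $LAN_NET -j DROP
iptables -A FORWARD -i $WAN -s $LAN_NET -j DROP
# INPUT: loopback, replies to our own connections, then LAN-only services.
# dhcpd must accept DHCPDISCOVER from 0.0.0.0, so that rule has no -s match.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $LAN -s $LAN_NET -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $LAN -s $LAN_NET -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i $LAN -s $LAN_NET -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "INPUT-DROP: "
# FORWARD: replies back in, an explicit egress allowlist out, log the rest
iptables -A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -p tcp -m multiport --dports 80,443,25,110,143 -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -p icmp --icmp-type echo-request -j ACCEPT
iptables -A FORWARD -m limit --limit 5/minute -j LOG --log-prefix "FWD-DROP: "
# NAT: rewrite only LAN sources leaving the WAN interface
iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j SNAT --to-source $PUBLIC_IP
# last step: forwarding on only now that the DROP policies and rules are in place
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

case "${1:-}" in
    print) build_ruleset ;;
    apply) build_ruleset | sh -e ;;
esac
```

Applying through `sh -e` means a typo in any rule aborts the run before the final `echo 1`, so a broken ruleset leaves the box with DROP policies and forwarding off rather than forwarding with half the rules missing. The `-s $LAN_NET` on the SNAT rule keeps the gateway from masquerading anything that is not one of its own LAN hosts, and the two anti-spoofing rules catch packets claiming a 192.168.0.x source on the WAN side.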

> I hope this hasn't been covered a million times. I'm trying to share the
> internet connection in my house. I'm very new to IPTABLES, and I can't get
> the sharing to work. Here is the setup. Please let me know if you need more
> information. Any help would be greatly appreciated!!!


> The server is RH 8.0 with IPTABLES, and a DHCP server running. The Clients
> are a Mac and a PC (9.2 and Win98). Network Connectivity is good. All Three
> machines can ping each other, via private IPs: 192.168.0.30
> 192.168.0.22
> 192.168.0.1 (Internal NIC, Eth1)
>
> The two clients have never been able to ping the public Eth0 card.
>
> I have set forwarding to one, and that is set to be that way when the
> computer first boots, with this line:
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> That line seems to be working okay.
>
> Here is the very simple ruleset that I've found on the net, and that seems
> to make sense:
>
> $IPTABLES -P INPUT ACCEPT
> $IPTABLES -F INPUT
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -F OUTPUT
> $IPTABLES -P FORWARD DROP
> $IPTABLES -F FORWARD
>
> $IPTABLES -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED \
> -j ACCEPT 
> $IPTABLES -A FORWARD -i eth1 -o eth0 -j ACCEPT
> $IPTABLES -A FORWARD -j LOG
>
> $IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to 208.141.xxx.xxx
>
> Here is what the resulting script looks like:
>
>
> *mangle
>
> :PREROUTING ACCEPT [4:256]
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
>
> COMMIT
> # Completed on Mon Nov 11 00:29:53 2002
> # Generated by iptables-save v1.2.6a on Mon Nov 11 00:29:53 2002
> *nat
>
> :PREROUTING ACCEPT [370:28696]
> :POSTROUTING ACCEPT [396:23845]
> :OUTPUT ACCEPT [406:24455]
>
> -A POSTROUTING -o eth0 -j SNAT --to-source 208.141.xxx.xxx #(my public IP)
> COMMIT
> # Completed on Mon Nov 11 00:29:53 2002
> # Generated by iptables-save v1.2.6a on Mon Nov 11 00:29:53 2002
> *filter
>
> :INPUT ACCEPT [140:118403]
>
> I am just not sure what I am doing wrong. I don't know where to look to see
> what kind of error messages might be popping up.
>
> Does anyone have any ideas why I cant get packets forwarded from the
> internal interface to the external interface and out to the internet?
>
> Any advice would be greatly appreciated. I've been trying to figure this
> out for a couple of weeks now. Thanks so much in advance!
>
> Bob
>
> ps. Where does IPTABLES log to? I notice in the above script it tells the
> kernel to log all forwarded packets. (at least that is how I read it, I
> could be wrong). Thanks again.
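Joel's `grep SRC=` trick answers Bob's "where does it log" question, but on a busy gateway the raw lines pile up fast. The script below is an added example, not part of either message: it applies the same `SRC=` filter, then tallies the log entries by log prefix, source address, protocol and destination port so that one LAN host hammering a single port stands out. The sample syslog lines are constructed for the example (RFC 5737 addresses, the `FWD-DROP:`/`INPUT-DROP:` prefixes are assumed, not from the thread); point it at a real `/var/log/messages` with `sh logsummary.sh /var/log/messages`.

```shell
#!/bin/sh
# Added example: summarise iptables LOG lines from a syslog file.
# Output format, one line per key, busiest first:
#   <count> <log-prefix or -> <SRC> <PROTO> <DPT or ->

# Reads syslog on stdin, keeps only lines with SRC= (the iptables LOG target),
# and aggregates them with awk.
summarize_iptables_log() {
    grep 'SRC=' | awk '
    {
        src = ""; proto = ""; dpt = "-"; prefix = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)        src = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/)   dpt = substr($i, 5)
            else if ($i ~ /^IN=/ && i > 1) {
                # the word before IN= is the --log-prefix, or "kernel:" if none
                prefix = $(i - 1)
                sub(/:$/, "", prefix)
                if (prefix == "kernel") prefix = "-"
            }
        }
        if (src != "") count[prefix " " src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample input (not real logs): three outbound SYNs to TCP/135
# from one LAN host, one UDP/1434 probe, two SSH attempts and a ping from the
# outside, plus a dhcpd line that the SRC= filter must ignore.
sample_log() {
    cat <<'EOF'
Nov 11 03:12:44 gw kernel: FWD-DROP: IN=eth1 OUT=eth0 SRC=192.168.0.22 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4711 DF PROTO=TCP SPT=1054 DPT=135 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 11 03:12:45 gw dhcpd: DHCPACK on 192.168.0.22 to 00:00:5e:00:53:01 via eth1
Nov 11 03:12:46 gw kernel: FWD-DROP: IN=eth1 OUT=eth0 SRC=192.168.0.22 DST=198.51.100.8 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4712 DF PROTO=TCP SPT=1055 DPT=135 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 11 03:12:47 gw kernel: FWD-DROP: IN=eth1 OUT=eth0 SRC=192.168.0.22 DST=198.51.100.9 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4713 DF PROTO=TCP SPT=1056 DPT=135 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 11 03:13:02 gw kernel: FWD-DROP: IN=eth1 OUT=eth0 SRC=192.168.0.30 DST=198.51.100.20 LEN=404 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=UDP SPT=1029 DPT=1434 LEN=384
Nov 11 03:14:10 gw kernel: INPUT-DROP: IN=eth0 OUT= MAC=00:00:5e:00:53:aa:00:00:5e:00:53:bb:08:00 SRC=198.51.100.99 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=9001 DF PROTO=TCP SPT=4022 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 11 03:14:12 gw kernel: INPUT-DROP: IN=eth0 OUT= MAC=00:00:5e:00:53:aa:00:00:5e:00:53:bb:08:00 SRC=198.51.100.99 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=9002 DF PROTO=TCP SPT=4023 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 11 03:15:00 gw kernel: INPUT-DROP: IN=eth0 OUT= MAC=00:00:5e:00:53:aa:00:00:5e:00:53:bb:08:00 SRC=198.51.100.50 DST=203.0.113.10 LEN=84 TOS=0x00 PREC=0x00 TTL=49 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
EOF
}

if [ "${1:-}" = "--demo" ]; then
    sample_log | summarize_iptables_log
elif [ -n "${1:-}" ]; then
    summarize_iptables_log < "$1"
fi
```

On the sample the top line is `3 FWD-DROP 192.168.0.22 TCP 135`: one LAN host repeatedly trying to reach TCP/135 on outside addresses is exactly the "odd stuff" Joel suggests dropping and logging, and grouping by source and port makes it visible in one line instead of fifty. Lines without a `DPT=` (ICMP) are kept with `-` in that column rather than discarded.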


Thread overview: 3+ messages
2002-11-11  6:58 Masquerade/SNAT with RH 8.0 Bob
2002-11-11  8:35 ` Joel Newkirk [this message]
2002-11-11 15:10 ` Ben Russo
