* Problems with NAT
@ 2000-12-13 16:23 Marian Jancar
  0 siblings, 0 replies; 18+ messages in thread
From: Marian Jancar @ 2000-12-13 16:23 UTC (permalink / raw)
  To: linux-kernel

There is a problem with nat in at least 2.2.16 and 2.2.18. If you
specify routing first and nat second,

ip route add nat x.x.x.x via y.y.y.y
ip rule add from y.y.y.y nat x.x.x.x

the rule doesn't have an effect: ping to x.x.x.x says it got a response
from y.y.y.y. With the order of the commands reversed,

ip rule ...
ip route ...

it works.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/

^ permalink raw reply	[flat|nested] 18+ messages in thread

* problems with nat
@ 2002-11-13 18:13 Rahul Jadhav
  2002-11-13 19:20 ` Ben Russo
  2002-11-16 18:58 ` Joel Newkirk
  0 siblings, 2 replies; 18+ messages in thread
From: Rahul Jadhav @ 2002-11-13 18:13 UTC (permalink / raw)
  To: netfilter


please check the attachment...

Thanks
Rahul


[-- Attachment #2: query --]
[-- Type: application/x-java-vm, Size: 10758 bytes --]


* Re: problems with nat
  2002-11-13 18:13 problems with nat Rahul Jadhav
@ 2002-11-13 19:20 ` Ben Russo
  2002-11-13 20:01   ` Rahul Jadhav
  2002-11-16 18:58 ` Joel Newkirk
  1 sibling, 1 reply; 18+ messages in thread
From: Ben Russo @ 2002-11-13 19:20 UTC (permalink / raw)
  To: Rahul Jadhav; +Cc: netfilter

Since you are working on this anyway....

For a slightly more secure setup, you might want to consider:


               R              E          I           
               T+--------+    X+--------+N          
 internet |---|R| router |---|T|firewall|T|---| intranet
               I+--------+    I+--------+I        
               P              P     |     P
				    |
				    DMZ IP
					\
					| HTTP, MAIL, SSH

This will protect your servers from other intranet users 
on the same subnet. (Also if you have 802.11 on your intranet...)

Maybe after doing this your problem will disappear simply by 
rethinking the ruleset.

-Ben.


On Wed, 2002-11-13 at 13:13, Rahul Jadhav wrote:
> please check the attachment...
> 
> Thanks
> Rahul
> 




* Re: problems with nat
  2002-11-13 19:20 ` Ben Russo
@ 2002-11-13 20:01   ` Rahul Jadhav
  0 siblings, 0 replies; 18+ messages in thread
From: Rahul Jadhav @ 2002-11-13 20:01 UTC (permalink / raw)
  To: Ben Russo; +Cc: netfilter

Ben Russo wrote:

>Since you are working on this anyway....
>
>For a slightly more secure setup, you might want to consider:
>
>
>               R              E          I           
>               T+--------+    X+--------+N          
> internet |---|R| router |---|T|firewall|T|---| intranet
>               I+--------+    I+--------+I        
>               P              P     |     P
>				    |
>				    DMZ IP
>					\
>					| HTTP, MAIL, SSH
>
>This will protect your servers from other intranet users 
>on the same subnet. (Also if you have 802.11 on your intranet...)
>
>Maybe after doing this your problem will disappear simply by 
>rethinking the ruleset.
>
>-Ben.
>
>
>On Wed, 2002-11-13 at 13:13, Rahul Jadhav wrote:
>  
>
>>please check the attachment...
>>
>>Thanks
>>Rahul
>>    
>>
You are right, but I am trying to avoid doing that right now as I have 
invested a lot of time already into this system. Moreover, I am pretty 
sure there are people who have got iptables working with a setup like mine.




* Re: problems with nat
  2002-11-13 18:13 problems with nat Rahul Jadhav
  2002-11-13 19:20 ` Ben Russo
@ 2002-11-16 18:58 ` Joel Newkirk
  1 sibling, 0 replies; 18+ messages in thread
From: Joel Newkirk @ 2002-11-16 18:58 UTC (permalink / raw)
  To: Rahul Jadhav, netfilter

On Wednesday 13 November 2002 01:13 pm, Rahul Jadhav wrote:
> please check the attachment...
>
> Thanks
> Rahul

Regarding your DNAT/SNAT issues, I suggest reading through Oscar's tutorial at 
http://iptables-tutorial.frozentux.net/chunkyhtml/targets.html#DNATTARGET 
where he explores your situation pretty precisely, forwarding HTTP from EXTRA 
and INTRA, and making sure responses are directed properly.  You also seem to 
have some problems in FORWARD, which I comment on below.


grep = and grep FORWARD give us:

RTRIP=router's ip
EXTIP=external eth ip
INTIP=internal eth ip
HTTPSERVER="http server ip"
MAILSERVER="mail server ip"
SSHSERVER="ssh server ip"
UNPRIVPORTS="1024:65535"
INTRA_DEV="internal eth"
EXTRA_DEV="external eth"
INTRA_IP="internal ip"
EXTRA_IP="external ip"
INTRA_LAN="internal lan"
PUBLIC_IP="public ip of the router"

## FORWARD-Chain  ## (everything that passes the firewall)
$IPTABLES -A FORWARD -m state --state INVALID -j LOG_INVALID
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p tcp -j CHECK_BAD_FLAG
$IPTABLES -A FORWARD -o $EXTRA_DEV -j SMB
$IPTABLES -A FORWARD -o $EXTRA_DEV -p tcp -i $INTRA_DEV -d $UNIVERSE -j ACCEPT
$IPTABLES -A FORWARD -o $EXTRA_DEV -p udp -i $INTRA_DEV -d $UNIVERSE -j ACCEPT
$IPTABLES -A FORWARD -o $EXTRA_DEV -s $HTTPSERVER -p tcp --sport 80 -j ACCEPT
$IPTABLES -A FORWARD -o $EXTRA_DEV -s $HTTPSERVER -p udp --sport 80 -j ACCEPT
$IPTABLES -A FORWARD -o $EXTRA_DEV -s $HTTPSERVER -p tcp --sport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -o $EXTRA_DEV -s $HTTPSERVER -p udp --sport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -o $EXTRA_DEV -s $MAILSERVER -p tcp --sport 25 -j ACCEPT
$IPTABLES -A FORWARD -o $EXTRA_DEV -s $MAILSERVER -p tcp --sport 110 -j ACCEPT
$IPTABLES -A FORWARD -o $EXTRA_DEV -s $MAILSERVER -p tcp --sport 109 -j ACCEPT
$IPTABLES -A FORWARD -o $EXTRA_DEV -s $MAILSERVER -p tcp --sport 143 -j ACCEPT
$IPTABLES -A FORWARD -o $EXTRA_DEV -s $MAILSERVER -p tcp --sport 81 -j ACCEPT
$IPTABLES -A FORWARD -o $EXTRA_DEV -s $MAILSERVER -p udp --sport 81 -j ACCEPT
$IPTABLES -A FORWARD -o $EXTRA_DEV -s $MAILSERVER -p tcp --sport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -o $EXTRA_DEV -s $MAILSERVER -p udp --sport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -o $EXTRA_DEV -s $MAILSERVER -p tcp --sport 389 -j ACCEPT
$IPTABLES -A FORWARD -o $EXTRA_DEV -s $SSHSERVER -p tcp --sport 82 -j ACCEPT
$IPTABLES -A FORWARD -o $EXTRA_DEV -s $SSHSERVER -p tcp --sport 83 -j ACCEPT
$IPTABLES -A FORWARD -o $EXTRA_DEV -s $SSHSERVER -p tcp --sport 22 -j ACCEPT
$IPTABLES -A FORWARD -i $INTRA_DEV -o $EXTRA_DEV -s $INTRA_LAN -p tcp --sport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -i $INTRA_DEV -o $EXTRA_DEV -s $INTRA_LAN -p udp --sport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -i $INTRA_DEV -o $EXTRA_DEV -s $INTRA_LAN -p icmp -j ACCEPT
$IPTABLES -A FORWARD -i $EXTRA_DEV -p tcp -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTRA_DEV -p udp -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTRA_DEV -p tcp -m state --state RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTRA_DEV -p udp -m state --state RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTRA_DEV -p icmp -m state --state RELATED -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 80 -d $HTTPSERVER -j ACCEPT
$IPTABLES -A FORWARD -p udp --dport 80 -d $HTTPSERVER -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 80 -d $EXTRA_IP -j ACCEPT
$IPTABLES -A FORWARD -p udp --dport 80 -d $EXTRA_IP -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 81 -d $MAILSERVER -j ACCEPT
$IPTABLES -A FORWARD -p udp --dport 81 -d $MAILSERVER -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 81 -d $EXTRA_IP -j ACCEPT
$IPTABLES -A FORWARD -p udp --dport 81 -d $EXTRA_IP -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 22 -d $SSHSERVER -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 82 -d $SSHSERVER -j ACCEPT
$IPTABLES -A FORWARD -p udp --dport 82 -d $SSHSERVER -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 83 -d $SSHSERVER -j ACCEPT
$IPTABLES -A FORWARD -p udp --dport 83 -d $SSHSERVER -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 82 -d $EXTRA_IP -j ACCEPT
$IPTABLES -A FORWARD -p udp --dport 82 -d $EXTRA_IP -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 83 -d $EXTRA_IP -j ACCEPT
$IPTABLES -A FORWARD -p udp --dport 83 -d $EXTRA_IP -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 22 -d $EXTRA_IP -j ACCEPT
$IPTABLES -A FORWARD -j LOG_DROP
## Port-Forwarding (--> Also see chain FORWARD)

Where do you define $UNIVERSE?  You are referring here to user-defined chains 
that are not defined, like CHECK_BAD_FLAG and SMB.  I assume you DO define 
them, just didn't include them?  With ALL TCP going through CHECK_BAD_FLAG 
(except EST/REL, caught just before) the contents of that chain could be 
rather important in trying to find problems.  The same for SMB where 
everything outbound from your LAN to the internet is filtered...

Your second FORWARD rule allows all EST/REL traffic through, regardless of 
source or destination.  This is normally OK, but makes the five state rules 
further down rather pointless.  (they could also be condensed, unless you are 
using them as counters, but aren't ever matched as it stands)  But you don't 
follow up by allowing new HTTP or DNS traffic from the LAN to your servers.  
-o $EXTRA_DEV -i $INTRA_DEV should allow local machines to browse the 
internet, but doesn't address local machines trying to connect to your 
servers.  -p tcp --dport 80 -i $INTRA_DEV -d $HTTPSERVER, for example, should 
match them.

Also, I'd suggest that rather than test for "--sport $UNPRIVPORTS" you test 
for allowed destination ports only.  I.e., for HTTP forwarding, use "--dport 
80", etc.  Otherwise you let ANY traffic through, as long as its source port 
is over 1024.   

j




* Problems with NAT
@ 2003-05-29 15:15 Jose Luis Hime
  2003-05-29 15:55 ` Ray Leach
  0 siblings, 1 reply; 18+ messages in thread
From: Jose Luis Hime @ 2003-05-29 15:15 UTC (permalink / raw)
  To: netfilter

Dear all:

I have the following network:
              :
              :    /---------\
/-------\  Leased  | Router  |  Leased  /----------\
| LAN B |----------| without |----------| Internet |
\-------/  Line 1  | NAT     |  Line 2  \----------/
              :    \---------/
              :         |
              :         |
              :   /----------\
              :   | Firewall |      /-------\
              :   | Linux    |------| LAN A |
              :   | with NAT |      \-------/
              :   \----------/
              :
   CITY "B"   :     CITY "A"

1. The router, the firewall and LAN A are in city "A"
2. LAN B is in another city (city "B")
3. LAN A must access the internet, LAN B must not;
4. Unfortunately my router does not support NAT;
5. Both the router and the linux firewall have real internet IP addresses;
6. So:
   - The linux firewall must NAT packets from LAN A to the internet;
   - The linux firewall must not NAT packets from LAN A to LAN B;

I created rules in table "filter" allowing communication between LAN A and
LAN B:
   -t filter -A INPUT   -s LAN A -d LAN B -j ACCEPT
   -t filter -A INPUT   -s LAN B -d LAN A -j ACCEPT
   -t filter -A FORWARD -s LAN A -d LAN B -j ACCEPT
   -t filter -A FORWARD -s LAN B -d LAN A -j ACCEPT

After that, I created one rule in table "nat" in order to allow LAN A
accessing the internet:
   -t nat -A POSTROUTING -s LAN A -d 0/0 -j SNAT --to Firewall_IP_address

The problem is that LAN A is making NAT to LAN B.

Is there a way to prevent the firewall from NATing from LAN A to LAN B? The
problem is that both kinds of traffic (LAN A->internet and LAN A->LAN B) are going
through the same interface...

With ipchains, after reaching the INPUT and FORWARD rules the firewall
would stop and would not reach the NAT rules. This behavior changed in
iptables, which always checks both tables (filter and nat).

Thanks in advance,
Jose Hime




* Re: Problems with NAT
  2003-05-29 15:15 Jose Luis Hime
@ 2003-05-29 15:55 ` Ray Leach
  2003-05-29 17:15   ` Jose Luis Hime
  0 siblings, 1 reply; 18+ messages in thread
From: Ray Leach @ 2003-05-29 15:55 UTC (permalink / raw)
  To: Netfilter Mailing List


On Thu, 2003-05-29 at 17:15, Jose Luis Hime wrote:
> Dear all:
> 
> I have the following network:
>               :
>               :    /---------\
> /-------\  Leased  | Router  |  Leased  /----------\
> | LAN B |----------| without |----------| Internet |
> \-------/  Line 1  | NAT     |  Line 2  \----------/
>               :    \---------/
>               :         |
>               :         |
>               :   /----------\
>               :   | Firewall |      /-------\
>               :   | Linux    |------| LAN A |
>               :   | with NAT |      \-------/
>               :   \----------/
>               :
>    CITY "B"   :     CITY "A"
> 
> 1. The router, the firewall and LAN A are in city "A"
> 2. LAN B is in another city (city "B")
> 3. LAN A must access the internet, LAN B must not;
> 4. Unfortunately my router does not support NAT;
> 5. Both the router and the linux firewall have real internet IP addresses;
> 6. So:
>    - The linux firewall must NAT packets from LAN A to the internet;
>    - The linux firewall must not NAT packets from LAN A to LAN B;
> 
> I created rules in table "filter" allowing communication between LAN A and
> LAN B:
>    -t filter -A INPUT   -s LAN A -d LAN B -j ACCEPT
>    -t filter -A INPUT   -s LAN B -d LAN A -j ACCEPT
>    -t filter -A FORWARD -s LAN A -d LAN B -j ACCEPT
>    -t filter -A FORWARD -s LAN B -d LAN A -j ACCEPT
> 
> After that, I created one rule in table "nat" in order to allow LAN A
> accessing the internet:
>    -t nat -A POSTROUTING -s LAN A -d 0/0 -j SNAT --to Firewall_IP_address
> 
> The problem is that LAN A is making NAT to LAN B.
> 
> Is there a way to prevent the firewall from NATing from LAN A to LAN B? The
> problem is that both traffics (LAN A->internet and LAN A->LAN B) are going
> through the same interface...
> 
Sure, change your nat rule:
  -t nat -A POSTROUTING -s LAN A -d ! LAN B -j SNAT --to Firewall_IP_address

> With ipchains, after reaching the INPUT and FORWARD rules the firewall
> would stop and would not reach the NAT rules. This behavior changed in
> iptables and it always check both tables (filter and nat).
> 
> Thanks in advance,
> Jose Hime
-- 
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
--

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]


* RE: Problems with NAT
  2003-05-29 15:55 ` Ray Leach
@ 2003-05-29 17:15   ` Jose Luis Hime
  2003-05-30  6:04     ` Ray Leach
  0 siblings, 1 reply; 18+ messages in thread
From: Jose Luis Hime @ 2003-05-29 17:15 UTC (permalink / raw)
  To: 'Ray Leach', 'Netfilter Mailing List'

The problem is that there are LAN C, LAN D and LAN E in other 3 cities,
also! So, the rule:

-t nat -A POSTROUTING -s LAN A -d ! LAN B -j SNAT --to Firewall_IP_address

would work for LAN B, but not for the other LANs.

All LANs are connected to the same router.

Thanks again,
Jose Hime


-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Ray Leach
Sent: Thursday, May 29, 2003 12:55 PM
To: Netfilter Mailing List
Subject: Re: Problems with NAT


On Thu, 2003-05-29 at 17:15, Jose Luis Hime wrote:
> Dear all:
> 
> I have the following network:
>               :
>               :    /---------\
> /-------\  Leased  | Router  |  Leased  /----------\
> | LAN B |----------| without |----------| Internet |
> \-------/  Line 1  | NAT     |  Line 2  \----------/
>               :    \---------/
>               :         |
>               :         |
>               :   /----------\
>               :   | Firewall |      /-------\
>               :   | Linux    |------| LAN A |
>               :   | with NAT |      \-------/
>               :   \----------/
>               :
>    CITY "B"   :     CITY "A"
> 
> 1. The router, the firewall and LAN A are in city "A"
> 2. LAN B is in another city (city "B")
> 3. LAN A must access the internet, LAN B must not;
> 4. Unfortunately my router does not support NAT;
> 5. Both the router and the linux firewall have real internet IP addresses;
> 6. So:
>    - The linux firewall must NAT packets from LAN A to the internet;
>    - The linux firewall must not NAT packets from LAN A to LAN B;
> 
> I created rules in table "filter" allowing communication between LAN A and
> LAN B:
>    -t filter -A INPUT   -s LAN A -d LAN B -j ACCEPT
>    -t filter -A INPUT   -s LAN B -d LAN A -j ACCEPT
>    -t filter -A FORWARD -s LAN A -d LAN B -j ACCEPT
>    -t filter -A FORWARD -s LAN B -d LAN A -j ACCEPT
> 
> After that, I created one rule in table "nat" in order to allow LAN A
> accessing the internet:
>    -t nat -A POSTROUTING -s LAN A -d 0/0 -j SNAT --to Firewall_IP_address
> 
> The problem is that LAN A is making NAT to LAN B.
> 
> Is there a way to prevent the firewall from NATing from LAN A to LAN B? The
> problem is that both traffics (LAN A->internet and LAN A->LAN B) are going
> through the same interface...
> 
Sure, change your nat rule:
  -t nat -A POSTROUTING -s LAN A -d ! LAN B -j SNAT --to Firewall_IP_address

> With ipchains, after reaching the INPUT and FORWARD rules the firewall
> would stop and would not reach the NAT rules. This behavior changed in
> iptables and it always check both tables (filter and nat).
> 
> Thanks in advance,
> Jose Hime
-- 
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
--




* RE: Problems with NAT
@ 2003-05-29 22:09 George Vieira
  2003-05-29 23:02 ` Jose Luis Hime
  0 siblings, 1 reply; 18+ messages in thread
From: George Vieira @ 2003-05-29 22:09 UTC (permalink / raw)
  To: jhime, Ray Leach, Netfilter Mailing List

What are the IP ranges for the other networks? Are they the same subnet or different ones?
Need more info so we can determine the needs..

PS: Nice drawing ;P

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au

Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au

Phone   : +61 2 9955 2644
HelpDesk: +61 2 9955 2698
 

-----Original Message-----
From: Jose Luis Hime [mailto:jhime@synchro.com.br]
Sent: Friday, May 30, 2003 3:15 AM
To: 'Ray Leach'; 'Netfilter Mailing List'
Subject: RE: Problems with NAT


The problem is that there are LAN C, LAN D and LAN E in other 3 cities,
also! So, the rule:

-t nat -A POSTROUTING -s LAN A -d ! LAN B -j SNAT --to Firewall_IP_address

would work for LAN B, but not for the other LANs.

All LANs are connected to the same router.

Thanks again,
Jose Hime


-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Ray Leach
Sent: Thursday, May 29, 2003 12:55 PM
To: Netfilter Mailing List
Subject: Re: Problems with NAT




* RE: Problems with NAT
  2003-05-29 22:09 George Vieira
@ 2003-05-29 23:02 ` Jose Luis Hime
  2003-05-30  1:59   ` Matt Hellman
  2003-05-30  2:01   ` Matt Hellman
  0 siblings, 2 replies; 18+ messages in thread
From: Jose Luis Hime @ 2003-05-29 23:02 UTC (permalink / raw)
  To: 'George Vieira', jhime, 'Ray Leach',
	'Netfilter Mailing List'


The addresses are the following:

LAN A: 172.25.0.0 / 255.255.0.0
LAN B: 172.28.0.0 / 255.255.0.0
LAN C: 10.0.0.0 / 255.0.0.0
LAN D: 159.254.172.0 / 255.255.255.0
LAN E: 164.137.0.0 / 255.255.0.0

LANs A and B are from the company I work for.
LANs C, D and E are from customers of ours.

Thanks,
Jose Hime

-----Original Message-----
From: George Vieira [mailto:georgev@citadelcomputer.com.au]
Sent: Thursday, May 29, 2003 7:09 PM
To: jhime@synchro.com.br; Ray Leach; Netfilter Mailing List
Subject: RE: Problems with NAT


What is the IP ranges for the other networks? Are they the same subnet or different ones?
Ned more info so we can determine the needs..

PS: Nice drawing ;P

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au

Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au

Phone   : +61 2 9955 2644
HelpDesk: +61 2 9955 2698
 

-----Original Message-----
From: Jose Luis Hime [mailto:jhime@synchro.com.br]
Sent: Friday, May 30, 2003 3:15 AM
To: 'Ray Leach'; 'Netfilter Mailing List'
Subject: RE: Problems with NAT


The problem is that there are LAN C, LAN D and LAN E in other 3 cities,
also! So, the rule:

-t nat -A POSTROUTING -s LAN A -d ! LAN B -j SNAT --to Firewall_IP_address

would work for LAN B, but not for the other LANs.

All LANs are connected to the same router.

Thanks again,
Jose Hime


-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Ray Leach
Sent: Thursday, May 29, 2003 12:55 PM
To: Netfilter Mailing List
Subject: Re: Problems with NAT

[-- Attachment #2: winmail.dat --]
[-- Type: application/ms-tnef, Size: 2452 bytes --]


* RE: Problems with NAT
  2003-05-29 23:02 ` Jose Luis Hime
@ 2003-05-30  1:59   ` Matt Hellman
  2003-05-30  2:01   ` Matt Hellman
  1 sibling, 0 replies; 18+ messages in thread
From: Matt Hellman @ 2003-05-30  1:59 UTC (permalink / raw)
  To: jhime, 'George Vieira', 'Ray Leach',
	'Netfilter Mailing List'

Never tried it, but why couldn't you just add ACCEPT rules in PREROUTING
[before the NAT rule] for each LAN not_to_be_natted?

-t nat -A POSTROUTING -s LAN A -d LAN B -j ACCEPT
-t nat -A POSTROUTING -s LAN A -d LAN C -j ACCEPT
-t nat -A POSTROUTING -s LAN A -d 0/0 -j SNAT --to Firewall_IP_address


>-----Original Message-----
>From: netfilter-admin@lists.netfilter.org 
>[mailto:netfilter-admin@lists.netfilter.org] 
>Sent: Thursday, May 29, 2003 6:03 PM
>To: 'George Vieira'; jhime@synchro.com.br; 'Ray Leach'; 
>'Netfilter Mailing List'
>Subject: RE: Problems with NAT
>
>
>The addresses are the following:
>
>LAN A: 172.25.0.0 / 255.255.0.0
>LAN B: 172.28.0.0 / 255.255.0.0
>LAN C: 10.0.0.0 / 255.0.0.0
>LAN D: 159.254.172.0 / 255.255.255.0
>LAN E: 164.137.0.0 / 255.255.0.0
>
>LANs A and B are from the company I work for.
>LANs C, D and E are from custommers of ours.
>
>Thanks,
>Jose Hime
>
>-----Original Message-----
>From: George Vieira [mailto:georgev@citadelcomputer.com.au]
>Sent: Thursday, May 29, 2003 7:09 PM
>To: jhime@synchro.com.br; Ray Leach; Netfilter Mailing List
>Subject: RE: Problems with NAT
>
>
>What is the IP ranges for the other networks? Are they the 
>same subnet or different ones?
>Ned more info so we can determine the needs..
>
>PS: Nice drawing ;P
>
>Thanks,
>____________________________________________
>George Vieira
>Systems Manager
>georgev@citadelcomputer.com.au
>
>Citadel Computer Systems Pty Ltd
>http://www.citadelcomputer.com.au
>
>Phone   : +61 2 9955 2644
>HelpDesk: +61 2 9955 2698
> 
>
>-----Original Message-----
>From: Jose Luis Hime [mailto:jhime@synchro.com.br]
>Sent: Friday, May 30, 2003 3:15 AM
>To: 'Ray Leach'; 'Netfilter Mailing List'
>Subject: RE: Problems with NAT
>
>
>The problem is that there are LAN C, LAN D and LAN E in other 3 cities,
>also! So, the rule:
>
>-t nat -A POSTROUTING -s LAN A -d ! LAN B -j SNAT --to Firewall_IP_address
>
>would work for LAN B, but not for the other LANs.
>
>All LANs are connected to the same router.
>
>Thanks again,
>Jose Hime
>
>
>-----Original Message-----
>From: netfilter-admin@lists.netfilter.org
>[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Ray Leach
>Sent: Thursday, May 29, 2003 12:55 PM
>To: Netfilter Mailing List
>Subject: Re: Problems with NAT
>




* RE: Problems with NAT
  2003-05-29 23:02 ` Jose Luis Hime
  2003-05-30  1:59   ` Matt Hellman
@ 2003-05-30  2:01   ` Matt Hellman
  1 sibling, 0 replies; 18+ messages in thread
From: Matt Hellman @ 2003-05-30  2:01 UTC (permalink / raw)
  To: jhime, 'George Vieira', 'Ray Leach',
	'Netfilter Mailing List'

Doh! I mean POSTROUTING. Also just noticed I sent this to more than just the
list.  My apologies.

>-----Original Message-----
>From: netfilter-admin@lists.netfilter.org 
>[mailto:netfilter-admin@lists.netfilter.org] 
>Sent: Thursday, May 29, 2003 6:03 PM
>To: 'George Vieira'; jhime@synchro.com.br; 'Ray Leach'; 
>'Netfilter Mailing List'
>Subject: RE: Problems with NAT
>
>
>The addresses are the following:
>
>LAN A: 172.25.0.0 / 255.255.0.0
>LAN B: 172.28.0.0 / 255.255.0.0
>LAN C: 10.0.0.0 / 255.0.0.0
>LAN D: 159.254.172.0 / 255.255.255.0
>LAN E: 164.137.0.0 / 255.255.0.0
>
>LANs A and B are from the company I work for.
>LANs C, D and E are from custommers of ours.
>
>Thanks,
>Jose Hime
>
>-----Original Message-----
>From: George Vieira [mailto:georgev@citadelcomputer.com.au]
>Sent: Thursday, May 29, 2003 7:09 PM
>To: jhime@synchro.com.br; Ray Leach; Netfilter Mailing List
>Subject: RE: Problems with NAT
>
>
>What is the IP ranges for the other networks? Are they the 
>same subnet or different ones?
>Ned more info so we can determine the needs..
>
>PS: Nice drawing ;P
>
>Thanks,
>____________________________________________
>George Vieira
>Systems Manager
>georgev@citadelcomputer.com.au
>
>Citadel Computer Systems Pty Ltd
>http://www.citadelcomputer.com.au
>
>Phone   : +61 2 9955 2644
>HelpDesk: +61 2 9955 2698
> 
>
>-----Original Message-----
>From: Jose Luis Hime [mailto:jhime@synchro.com.br]
>Sent: Friday, May 30, 2003 3:15 AM
>To: 'Ray Leach'; 'Netfilter Mailing List'
>Subject: RE: Problems with NAT
>
>
>The problem is that there are LAN C, LAN D and LAN E in other 3 cities,
>also! So, the rule:
>
>-t nat -A POSTROUTING -s LAN A -d ! LAN B -j SNAT --to Firewall_IP_address
>
>would work for LAN B, but not for the other LANs.
>
>All LANs are connected to the same router.
>
>Thanks again,
>Jose Hime
>
>
>-----Original Message-----
>From: netfilter-admin@lists.netfilter.org
>[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Ray Leach
>Sent: Thursday, May 29, 2003 12:55 PM
>To: Netfilter Mailing List
>Subject: Re: Problems with NAT
>



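The two rule-ordering points raised in this thread, the nat POSTROUTING exclusions (Ray's "-d ! LAN B" against Matt's per-LAN ACCEPT rules ahead of the SNAT catch-all, as corrected above) and Joel's earlier remark that "--sport $UNPRIVPORTS" lets any traffic through as long as its source port is above 1024, as an added example that is not from any poster on this thread: a small first-match evaluator in Python over the LAN addresses Jose posted. The web server address 192.0.2.10, the sample packets and the omission of interface matches are constructed assumptions for the demonstration; the conntrack state is modelled as the string iptables' state match would see.

```python
"""Added example: first-match evaluation of iptables-style chains.

Models two rulesets discussed on this thread: the nat POSTROUTING SNAT
exclusion and the FORWARD chain '--sport $UNPRIVPORTS' rules.  Interface
matches are left out to keep the model short (an assumption, not how the
posted script is written).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0
    state: str = "NEW"                 # NEW, ESTABLISHED or RELATED

@dataclass
class Rule:
    target: str                        # ACCEPT, SNAT, LOG_DROP, ...
    src: Optional[str] = None          # CIDR; a leading "!" negates, like '-s ! net'
    dst: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[range] = None      # like '--sport 1024:65535'
    dport: Optional[range] = None
    state: Optional[Set[str]] = None   # like '-m state --state A,B'

def _net_match(spec: Optional[str], addr: str) -> bool:
    if spec is None:
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != negate

def _matches(r: Rule, p: Packet) -> bool:
    return (_net_match(r.src, p.src) and _net_match(r.dst, p.dst)
            and (r.proto is None or r.proto == p.proto)
            and (r.sport is None or p.sport in r.sport)
            and (r.dport is None or p.dport in r.dport)
            and (r.state is None or p.state in r.state))

def first_match(rules: List[Rule], p: Packet, policy: str) -> str:
    """Walk the chain top to bottom; the first matching rule's target wins."""
    for r in rules:
        if _matches(r, p):
            return r.target
    return policy

# --- nat POSTROUTING: the addresses as Jose posted them -------------------
LAN_A = "172.25.0.0/16"
OTHER_LANS = ["172.28.0.0/16", "10.0.0.0/8", "159.254.172.0/24", "164.137.0.0/16"]

def postrouting_negation() -> List[Rule]:
    # Ray's first suggestion: -s LAN A -d ! LAN B -j SNAT (excludes LAN B only)
    return [Rule("SNAT", src=LAN_A, dst="!" + OTHER_LANS[0])]

def postrouting_exclusions() -> List[Rule]:
    # Matt's version: one ACCEPT per non-NATed LAN, then the SNAT catch-all
    return [Rule("ACCEPT", src=LAN_A, dst=net) for net in OTHER_LANS] + \
           [Rule("SNAT", src=LAN_A)]

def nat_decision(rules: List[Rule], dst: str) -> str:
    # A packet the nat table does not match leaves unchanged (policy ACCEPT)
    return first_match(rules, Packet(src="172.25.1.10", dst=dst), policy="ACCEPT")

# --- FORWARD: the '--sport $UNPRIVPORTS' rule Joel commented on -----------
HTTPSERVER = "192.0.2.10"              # constructed placeholder for $HTTPSERVER
UNPRIVPORTS = range(1024, 65536)       # the script's "1024:65535"
STATEFUL = [Rule("ACCEPT", state={"ESTABLISHED", "RELATED"})]

def forward_sport_ruleset() -> List[Rule]:
    # As posted: replies matched by source port, which also matches any new
    # connection the server opens from an unprivileged port
    return STATEFUL + [Rule("ACCEPT", src=HTTPSERVER, proto="tcp", sport=UNPRIVPORTS)]

def forward_dport_ruleset() -> List[Rule]:
    # Joel's suggestion: allow only the served destination port; replies
    # are already covered by the ESTABLISHED,RELATED rule
    return STATEFUL + [Rule("ACCEPT", dst=HTTPSERVER, proto="tcp", dport=range(80, 81))]

def forward_decision(rules: List[Rule], p: Packet) -> str:
    return first_match(rules, p, policy="LOG_DROP")   # the script's last rule

# Constructed packets: an inbound HTTP request, its reply, and a new
# outbound connection the web server has no business initiating
INBOUND_HTTP = Packet(src="198.51.100.7", dst=HTTPSERVER, sport=40001, dport=80)
REPLY = Packet(src=HTTPSERVER, dst="198.51.100.7", sport=80, dport=40001,
               state="ESTABLISHED")
NEW_OUTBOUND = Packet(src=HTTPSERVER, dst="198.51.100.7", sport=45000, dport=6667)

if __name__ == "__main__":
    print("negation,   dst in LAN C:", nat_decision(postrouting_negation(), "10.1.2.3"))
    print("exclusions, dst in LAN C:", nat_decision(postrouting_exclusions(), "10.1.2.3"))
    print("sport rule, new outbound:", forward_decision(forward_sport_ruleset(), NEW_OUTBOUND))
    print("dport rule, new outbound:", forward_decision(forward_dport_ruleset(), NEW_OUTBOUND))
```

Run stand-alone it prints SNAT for the negation ruleset against a LAN C destination (the problem Jose reported for the other LANs) and ACCEPT for the per-LAN exclusions, then ACCEPT versus LOG_DROP for the same new outbound connection under the source-port and destination-port FORWARD rules. In a real chain the per-LAN ACCEPT rules must sit above the SNAT rule, since the nat table is also first-match.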

* RE: Problems with NAT
@ 2003-05-30  2:30 George Vieira
  0 siblings, 0 replies; 18+ messages in thread
From: George Vieira @ 2003-05-30  2:30 UTC (permalink / raw)
  To: Matt Hellman, jhime, Ray Leach, Netfilter Mailing List

SNAT should not be used for masquerading. It's not advised anyway; it still works, but who knows what problems it may cause.

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au

Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au

Phone   : +61 2 9955 2644
HelpDesk: +61 2 9955 2698
 

-----Original Message-----
From: Matt Hellman [mailto:netfilter@taxandfinance.com]
Sent: Friday, May 30, 2003 11:59 AM
To: jhime@synchro.com.br; George Vieira; 'Ray Leach'; 'Netfilter Mailing
List'
Subject: RE: Problems with NAT


never tried it, but why couldn't you just add ACCEPT rules in PREROUTING
[before the NAT rule] for each LAN not_to_be_natted?

-t nat -A POSTROUTING -s LAN A -d LAN B -j ACCEPT
-t nat -A POSTROUTING -s LAN A -d LAN C -j ACCEPT
-t nat -A POSTROUTING -s LAN A -d 0/0 -j SNAT --to Firewall_IP_address



* RE: Problems with NAT
  2003-05-29 17:15   ` Jose Luis Hime
@ 2003-05-30  6:04     ` Ray Leach
  0 siblings, 0 replies; 18+ messages in thread
From: Ray Leach @ 2003-05-30  6:04 UTC (permalink / raw)
  To: jhime; +Cc: 'Netfilter Mailing List'


On Thu, 2003-05-29 at 19:15, Jose Luis Hime wrote:
> The problem is that there are LAN C, LAN D and LAN E in other 3 cities,
> also! So, the rule:
> 
> -t nat -A POSTROUTING -s LAN A -d ! LAN B -j SNAT --to Firewall_IP_address
> 
> would work for LAN B, but not for the other LANs.
> 
> All LANs are connected to the same router.
> 

What about adding '-o INET_IFACE', or do LAN C,D,E also connect via the
internet interface?

> Thanks again,
> Jose Hime
> 
> 
> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Ray Leach
> Sent: Thursday, May 29, 2003 12:55 PM
> To: Netfilter Mailing List
> Subject: Re: Problems with NAT
> 
> 
> On Thu, 2003-05-29 at 17:15, Jose Luis Hime wrote:
> > Dear all:
> > 
> > I have the following network:
> >               :
> >               :    /---------\
> > /-------\  Leased  | Router  |  Leased  /----------\
> > | LAN B |----------| without |----------| Internet |
> > \-------/  Line 1  | NAT     |  Line 2  \----------/
> >               :    \---------/
> >               :         |
> >               :         |
> >               :   /----------\
> >               :   | Firewall |      /-------\
> >               :   | Linux    |------| LAN A |
> >               :   | with NAT |      \-------/
> >               :   \----------/
> >               :
> >    CITY "B"   :     CITY "A"
> > 
> > 1. The router, the firewall and LAN A are in city "A"
> > 2. LAN B is in another city (city "B")
> > 3. LAN A must access the internet, LAN B must not;
> > 4. Unfortunately my router does not support NAT;
> > 5. Both the router and the linux firewall have real internet IP addresses;
> > 6. So:
> >    - The linux firewall must NAT packets from LAN A to the internet;
> >    - The linux firewall must not NAT packets from LAN A to LAN B;
> > 
> > I created rules in table "filter" allowing communication between LAN A and
> > LAN B:
> >    -t filter -A INPUT   -s LAN A -d LAN B -j ACCEPT
> >    -t filter -A INPUT   -s LAN B -d LAN A -j ACCEPT
> >    -t filter -A FORWARD -s LAN A -d LAN B -j ACCEPT
> >    -t filter -A FORWARD -s LAN B -d LAN A -j ACCEPT
> > 
> > After that, I created one rule in table "nat" in order to allow LAN A
> > accessing the internet:
> >    -t nat -A POSTROUTING -s LAN A -d 0/0 -j SNAT --to Firewall_IP_address
> > 
> > The problem is that LAN A is making NAT to LAN B.
> > 
> > Is there a way to prevent the firewall from NATing from LAN A to LAN B? The
> > problem is that both traffics (LAN A->internet and LAN A->LAN B) are going
> > through the same interface...
> > 
> Sure, change your nat rule:
>   -t nat -A POSTROUTING -s LAN A -d ! LAN B -j SNAT --to Firewall_IP_address
> 
> > With ipchains, after reaching the INPUT and FORWARD rules the firewall
> > would stop and would not reach the NAT rules. This behavior changed in
> > iptables and it always check both tables (filter and nat).
> > 
> > Thanks in advance,
> > Jose Hime
-- 
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
--

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]


* RE: Problems with NAT
@ 2003-05-30  6:57 George Vieira
  0 siblings, 0 replies; 18+ messages in thread
From: George Vieira @ 2003-05-30  6:57 UTC (permalink / raw)
  To: Ray Leach, jhime; +Cc: Netfilter Mailing List

They are all visible by the 1 nic.. the linux box talks to them via the same router that goes to the internet, this is why he has a problem.. so "-o eth0" wouldn't make a difference..

I found this out when he told me this in Portuguese.. ;) he he funny that....

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au

Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au

 

-----Original Message-----
From: Ray Leach [mailto:raymondl@knowledgefactory.co.za]
Sent: Friday, May 30, 2003 4:04 PM
To: jhime@synchro.com.br
Cc: 'Netfilter Mailing List'
Subject: RE: Problems with NAT


On Thu, 2003-05-29 at 19:15, Jose Luis Hime wrote:
> The problem is that there are LAN C, LAN D and LAN E in other 3 cities,
> also! So, the rule:
> 
> -t nat -A POSTROUTING -s LAN A -d ! LAN B -j SNAT --to Firewall_IP_address
> 
> would work for LAN B, but not for the other LANs.
> 
> All LANs are connected to the same router.
> 

What about adding '-o INET_IFACE', or do LAN C,D,E also connect via the
internet interface?

> Thanks again,
> Jose Hime
> 
> 
> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Ray Leach
> Sent: Thursday, May 29, 2003 12:55 PM
> To: Netfilter Mailing List
> Subject: Re: Problems with NAT
> 
> 
> On Thu, 2003-05-29 at 17:15, Jose Luis Hime wrote:
> > Dear all:
> > 
> > I have the following network:
> >               :
> >               :    /---------\
> > /-------\  Leased  | Router  |  Leased  /----------\
> > | LAN B |----------| without |----------| Internet |
> > \-------/  Line 1  | NAT     |  Line 2  \----------/
> >               :    \---------/
> >               :         |
> >               :         |
> >               :   /----------\
> >               :   | Firewall |      /-------\
> >               :   | Linux    |------| LAN A |
> >               :   | with NAT |      \-------/
> >               :   \----------/
> >               :
> >    CITY "B"   :     CITY "A"
> > 
> > 1. The router, the firewall and LAN A are in city "A"
> > 2. LAN B is in another city (city "B")
> > 3. LAN A must access the internet, LAN B must not;
> > 4. Unfortunately my router does not support NAT;
> > 5. Both the router and the linux firewall have real internet IP addresses;
> > 6. So:
> >    - The linux firewall must NAT packets from LAN A to the internet;
> >    - The linux firewall must not NAT packets from LAN A to LAN B;
> > 
> > I created rules in table "filter" allowing communication between LAN A and
> > LAN B:
> >    -t filter -A INPUT   -s LAN A -d LAN B -j ACCEPT
> >    -t filter -A INPUT   -s LAN B -d LAN A -j ACCEPT
> >    -t filter -A FORWARD -s LAN A -d LAN B -j ACCEPT
> >    -t filter -A FORWARD -s LAN B -d LAN A -j ACCEPT
> > 
> > After that, I created one rule in table "nat" in order to allow LAN A
> > accessing the internet:
> >    -t nat -A POSTROUTING -s LAN A -d 0/0 -j SNAT --to Firewall_IP_address
> > 
> > The problem is that LAN A is making NAT to LAN B.
> > 
> > Is there a way to prevent the firewall from NATing from LAN A to LAN B? The
> > problem is that both traffic flows (LAN A->internet and LAN A->LAN B) are going
> > through the same interface...
> > 
> Sure, change your nat rule:
>   -t nat -A POSTROUTING -s LAN A -d ! LAN B -j SNAT --to
> Firewall_IP_address
> 
> > With ipchains, after reaching the INPUT and FORWARD rules the firewall
> > would stop and would not reach the NAT rules. This behavior changed in
> > iptables and it always checks both tables (filter and nat).
> > 
> > Thanks in advance,
> > Jose Hime
-- 
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
--
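Ray's fix is a single `-d ! LAN B` exclusion, which Jose points out does not cover LAN C, D and E, and George notes that `-o eth0` cannot help because the remote LANs and the internet are reached through the same router on the same NIC. The following is an added example, not code from the thread, that relies on the nat table's own semantics instead: a connection that hits ACCEPT in nat/POSTROUTING is never NATed, so one ACCEPT per remote LAN placed ahead of the SNAT rule excludes any number of destinations. The addresses, the `nat_rules`/`check_order` helpers and the dry-run `IPTABLES` default are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Source-NAT LAN A toward the
# internet while traffic to any number of remote LANs (B, C, D, E) keeps
# its real source address, even though it all leaves via the same NIC.
# Technique: in the nat table ACCEPT means "do not NAT this connection",
# and the table only sees a connection's first packet, so one ACCEPT per
# remote LAN placed before the SNAT rule acts as a multi-destination "-d !".
# Addresses and the dry-run IPTABLES default are assumptions.

IPTABLES="${IPTABLES:-echo iptables}"   # dry run by default: prints the rules

# Usage: nat_rules LAN_A_CIDR FIREWALL_IP REMOTE_LAN_CIDR...
nat_rules() {
    lan_a="$1"; fw_ip="$2"; shift 2
    # Exclusions first: order decides, the first matching nat rule wins.
    for remote in "$@"; do
        $IPTABLES -t nat -A POSTROUTING -s "$lan_a" -d "$remote" -j ACCEPT
    done
    # Everything else from LAN A is rewritten to the firewall's address.
    # No -o match is needed here: the remote LANs and the internet are
    # both reached through the same router on the same interface.
    $IPTABLES -t nat -A POSTROUTING -s "$lan_a" -d 0/0 -j SNAT --to "$fw_ip"
}

# Sanity check on a generated rule list: every ACCEPT must precede the SNAT.
# Returns 0 when the ordering is right, 1 when an exclusion comes too late.
check_order() {
    printf '%s\n' "$1" | awk '
        /-j SNAT/ { seen_snat = 1 }
        /-j ACCEPT/ && seen_snat { bad = 1 }
        END { exit (bad ? 1 : 0) }'
}
```

Run with `IPTABLES=/sbin/iptables` to apply the rules instead of printing them.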



* Problems with NAT
@ 2003-09-27 16:44 Adam Mercer
  2003-09-28  3:30 ` Mark E. Donaldson
  0 siblings, 1 reply; 18+ messages in thread
From: Adam Mercer @ 2003-09-27 16:44 UTC (permalink / raw)
  To: netfilter

Hi

I'm trying to set up my firewall so that I can plug my laptop into eth1
of my desktop and use NAT to access the outside world on the laptop

I've followed the NAT Howto and my firewall contains the following rules

    # allow local-only connections
    ${IPTABLES} -A INPUT -i lo -j ACCEPT

    # free output on any interface to any ip for any service
    ${IPTABLES} -A OUTPUT -j ACCEPT

    # permit answers on already established connections
    # and permit new connections related to established ones
    ${IPTABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ${IPTABLES} -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # allow incoming ssh connections
    ${IPTABLES} -A INPUT -p tcp  --dport ssh -j ACCEPT

    # NAT
    ${IPTABLES} -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    ${IPTABLES} -A FORWARD -s 10.0.0.0/24 -j ACCEPT

    # everything not accepted > /dev/null
    ${IPTABLES} -P INPUT DROP
    ${IPTABLES} -P FORWARD DROP
    ${IPTABLES} -P OUTPUT DROP

    # be verbose on dynamic ip-addresses
    echo 2 > /proc/sys/net/ipv4/ip_dynaddr

    # disable ExplicitCongestionNotification
    echo 0 > /proc/sys/net/ipv4/tcp_ecn

    # turn on IP forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward

The laptop (PowerBook G4) is assigned an ip address in the range 10.0.0.2-.10
by a DHCP server. eth1 has an ip address 10.0.0.1, and eth0 is the connection
to the outside world. After running ethereal it appears that no packets from
the local network are making it to eth0. However, I can ssh into the server if I
use the IP address, but not the hostname.

Can anyone help me out with this?

Thanks in advance

Adam



* RE: Problems with NAT
  2003-09-27 16:44 Problems with NAT Adam Mercer
@ 2003-09-28  3:30 ` Mark E. Donaldson
  2003-09-28  7:36   ` Adam Mercer
  0 siblings, 1 reply; 18+ messages in thread
From: Mark E. Donaldson @ 2003-09-28  3:30 UTC (permalink / raw)
  To: Adam Mercer, netfilter

Adam - You have a mixture of "stateless" and "stateful" rules.  SSH is
passing in both directions because you have an explicit ACCEPT for it.  DNS
is blocked so you are unable to resolve.  Although you need to do more than
this for long term function and security, here is a quick fix so your system
should work.  Add:

${IPTABLES} -A INPUT -m state --state NEW -j ACCEPT
${IPTABLES} -A FORWARD -m state --state NEW -j ACCEPT





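Mark's quick fix accepts NEW connections on every interface, which also admits unsolicited connections arriving on eth0. The following is an added example, not code from the thread, that keeps the stateful approach but scopes it by interface: the gateway accepts NEW connections for DNS, DHCP and ssh only from the LAN side, forwards NEW connections only from eth1 to eth0, and masquerades only what leaves via eth0. The interface names, the 10.0.0.0/24 prefix, the service list, the optional WAN admin port and the dry-run `IPTABLES` default are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Stateful NAT gateway rules scoped
# by interface: a blanket "--state NEW -j ACCEPT" would also admit fresh
# connections arriving from the internet side.
# Interface names, the LAN prefix and the service list are assumptions.

IPTABLES="${IPTABLES:-echo iptables}"   # dry run by default: prints the rules
LAN_IF="${LAN_IF:-eth1}"                # laptop side
WAN_IF="${WAN_IF:-eth0}"                # internet side
LAN_NET="${LAN_NET:-10.0.0.0/24}"

# Usage: gateway_rules [WAN_ADMIN_PORT]
# Emits filter and nat rules; ip_forward=1 is still required separately.
gateway_rules() {
    # Default-deny before adding rules, so the policy holds even if a later
    # command fails. OUTPUT from the gateway itself stays open, as in Adam's script.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -A INPUT -i lo -j ACCEPT
    # Replies and related traffic for anything already allowed.
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Services the gateway offers to the LAN only. DNS is what the quick fix
    # was unblocking; a DHCP client has no LAN address yet, so no -s match.
    $IPTABLES -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 53 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -i "$LAN_IF" -p udp --dport 67 -j ACCEPT
    $IPTABLES -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # Optional: ssh from the internet side, only on an explicitly chosen port.
    if [ -n "$1" ]; then
        $IPTABLES -A INPUT -i "$WAN_IF" -p tcp --dport "$1" -m state --state NEW -j ACCEPT
    fi
    # Forward new connections only LAN -> internet; replies match ESTABLISHED.
    $IPTABLES -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    # Masquerade only what actually leaves via the WAN interface.
    $IPTABLES -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}
```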

* Re: Problems with NAT
  2003-09-28  3:30 ` Mark E. Donaldson
@ 2003-09-28  7:36   ` Adam Mercer
  0 siblings, 0 replies; 18+ messages in thread
From: Adam Mercer @ 2003-09-28  7:36 UTC (permalink / raw)
  To: Mark E. Donaldson; +Cc: netfilter

On Sat, Sep 27, 2003 at 08:30:17PM -0700, Mark E. Donaldson wrote:
> Adam - You have a mixture of "stateless" and "stateful" rules.  SSH is
> passing in both directions because you have an explicit ACCEPT for it.  DNS
> is blocked so you are unable to resolve.  Although you need to do more than
> this for long term function and security, here is a quick fix so your system
> should work.  Add:
> 
> ${IPTABLES} -A INPUT -m state --state NEW -j ACCEPT
> ${IPTABLES} -A FORWARD -m state --state NEW -j ACCEPT

Mark

Thanks for the response, I've added those rules and still nothing. I
tried flushing all the rules, adding the example from the NAT howto and
still nothing. eth1 receives the packets yet doesn't transmit them.

Could this be due to something missing in my kernel config? I know that
I had a problem setting up the DHCP server as the kernel was missing
something. What options do I need enabled in the kernel?

Cheers

Adam




Thread overview: 18+ messages
2002-11-13 18:13 problems with nat Rahul Jadhav
2002-11-13 19:20 ` Ben Russo
2002-11-13 20:01   ` Rahul Jadhav
2002-11-16 18:58 ` Joel Newkirk
  -- strict thread matches above, loose matches on Subject: below --
2003-09-27 16:44 Problems with NAT Adam Mercer
2003-09-28  3:30 ` Mark E. Donaldson
2003-09-28  7:36   ` Adam Mercer
2003-05-30  6:57 George Vieira
2003-05-30  2:30 George Vieira
2003-05-29 22:09 George Vieira
2003-05-29 23:02 ` Jose Luis Hime
2003-05-30  1:59   ` Matt Hellman
2003-05-30  2:01   ` Matt Hellman
2003-05-29 15:15 Jose Luis Hime
2003-05-29 15:55 ` Ray Leach
2003-05-29 17:15   ` Jose Luis Hime
2003-05-30  6:04     ` Ray Leach
2000-12-13 16:23 Marian Jancar
