* nat/masquerade with kernel 2.6.x
@ 2004-12-11 12:45 Antonio Pérez
2004-12-11 13:31 ` Andreas Grabner
0 siblings, 1 reply; 3+ messages in thread
From: Antonio Pérez @ 2004-12-11 12:45 UTC (permalink / raw)
To: netfilter
Hello,
I have a local network with private addresses, and an ADSL connection. I
want to do masquerade. Then I do:
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
where eth1 is the interface connected to the internet. This works perfectly
with the 2.4.x kernels.
But one week ago I installed the kernel 2.6.8 and when I do:
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables --table nat --append POSTROUTING --out-interface $ifc_internet -j MASQUERADE
the hosts of the internal network can ping the internet, and this is
normal, but they cannot open any web page or connect to MSN; they
can only ping. This is very strange. I tried the kernels
2.6.7, 2.6.7, 2.6.8 and 2.6.9 and they do not work.
Can somebody help me, please?
Sorry for my bad English.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: nat/masquerade with kernel 2.6.x
2004-12-11 12:45 nat/masquerade with kernel 2.6.x Antonio Pérez
@ 2004-12-11 13:31 ` Andreas Grabner
2004-12-11 14:18 ` Antonio Pérez
0 siblings, 1 reply; 3+ messages in thread
From: Andreas Grabner @ 2004-12-11 13:31 UTC (permalink / raw)
To: netfilter
Hi
On Sat, Dec 11, 2004 at 01:45:08PM +0100, Antonio Pérez wrote:
> iptables --table nat --append POSTROUTING --out-interface $ifc_internet -j MASQUERADE
> the hosts of the internal network can ping the internet, and this is
> normal, but they cannot open any web page or connect to MSN; they
> can only ping. This is very strange. I tried the kernels
> 2.6.7, 2.6.7, 2.6.8 and 2.6.9 and they do not work.
You can ping, so NAT and routing seem to work.
Are there any other rules in the FORWARD chain?
<try>
maybe you should check if DNS is working?
</try>
> Can somebody help me, please?
Send more info, e.g. the output of
    iptables -L -nvx
    iptables -t nat -L -nvx
> Sorry for my bad English.
me too ;-)
Andreas Grabner
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: nat/masquerade with kernel 2.6.x
2004-12-11 13:31 ` Andreas Grabner
@ 2004-12-11 14:18 ` Antonio Pérez
0 siblings, 0 replies; 3+ messages in thread
From: Antonio Pérez @ 2004-12-11 14:18 UTC (permalink / raw)
To: Andreas Grabner; +Cc: netfilter
Andreas Grabner wrote:
> Hi
>
> On Sat, Dec 11, 2004 at 01:45:08PM +0100, Antonio Pérez wrote:
>
>> iptables --table nat --append POSTROUTING --out-interface $ifc_internet -j MASQUERADE
>> the hosts of the internal network can ping the internet, and this is
>> normal, but they cannot open any web page or connect to MSN; they
>> can only ping. This is very strange. I tried the kernels
>> 2.6.7, 2.6.7, 2.6.8 and 2.6.9 and they do not work.
>
> You can ping, so NAT and routing seem to work.
> Are there any other rules in the FORWARD chain?
>
> <try>
> maybe you should check if DNS is working?
> </try>
>
>> Can somebody help me, please?
>
> Send more info, e.g. the output of
>     iptables -L -nvx
>     iptables -t nat -L -nvx
>
>> Sorry for my bad English.
>
> me too ;-)
>
> Andreas Grabner
I know that the DNS is working because when I do "ping www.google.es"
from an internal host this works.
There are no other rules in the FORWARD chain, look:

Chain INPUT (policy ACCEPT 2 packets, 100 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 5958 packets, 2480411 bytes)
    pkts      bytes target     prot opt in     out     source               destination

and if I do iptables -t nat -L -nvx, then:

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1 packets, 60 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 MASQUERADE  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1 packets, 60 bytes)
    pkts      bytes target     prot opt in     out     source               destination

And this is all, :)
^ permalink raw reply [flat|nested] 3+ messages in thread
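
Added example, not part of the original thread and not written by either poster: a shell function that reads `iptables -L -nvx` listings like the ones requested and posted above and prints each chain's policy counter and each rule's packet counter, marking rules that have not matched any packet since they were added or the counters were zeroed. The function names `rule_counters` and `sample_nat_listing` are hypothetical, and the embedded sample is the nat listing from the last message, retyped.

```shell
#!/bin/sh
# Added example, not from the thread. Summarises `iptables -L -nvx` listings
# (filter or nat table): one line per built-in chain policy and one per rule,
# marking rules whose packet counter is still zero.

rule_counters() {
    awk '
    # "Chain POSTROUTING (policy ACCEPT 1 packets, 60 bytes)"
    $1 == "Chain" {
        chain = $2
        if ($3 == "(policy")
            printf "%s policy=%s pkts=%s\n", chain, $4, $5
        next
    }
    # Rule rows begin with two numeric counters:
    # pkts bytes target prot opt in out source destination
    $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ {
        state = ($1 + 0 == 0) ? "NEVER-MATCHED" : "matched"
        printf "%s rule target=%s out=%s pkts=%s %s\n", chain, $3, $7, $1, state
    }
    '
}

# Sample input: the nat listing from the message above, retyped here so the
# script runs offline. On a live gateway, pipe in `iptables -t nat -L -nvx`.
sample_nat_listing() {
    cat <<'EOF'
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1 packets, 60 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 MASQUERADE  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1 packets, 60 bytes)
    pkts      bytes target     prot opt in     out     source               destination
EOF
}

sample_nat_listing | rule_counters
```

Running it twice, before and after an internal host attempts a connection, shows which counters move.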