Re: Natting IPs hanging

[Brian Atkins <batkins@tlcdelivers.com>]

Jason,

Sorry for the delay in response.  Catting either of those files doesn't 
return much.  The ip_tables_names only returns: "filter"; 
ip_tables_targets is null. 

I did use genkernel to build the new kernel. I did have multiple issues 
with the kernel config initially, but mostly related to disk drivers. I 
can forward my .config if that might be helpful. 

I should say that other than trying to load the NATs, everything else is 
working fine.  Here is the small config that I am currently running 
(don't worry, this isn't production, yet):

# Generated by iptables-save v1.2.11 on Mon May 16 13:42:26 2005
*filter
:INPUT ACCEPT [89274:15206611]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9009:1656730]
-A INPUT -s xxx.xxx.xxx.0/255.0.0.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.0/255.0.0.0 -p icmp -j ACCEPT
-A INPUT -s xxx.xxx.xxx.64/255.255.255.192 -p icmp -j ACCEPT
-A INPUT -s xxx.xxx.xxx.65 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -j DROP
-A INPUT -p udp -j DROP
-A FORWARD -d xxx.xxx.xxx.57 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d xxx.xxx.xxx.57 -p tcp -m tcp --dport 5666 -j ACCEPT
-A FORWARD -d xxx.xxx.xxx.61 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d xxx.xxx.xxx.61 -p tcp -m tcp --dport 1999 -j ACCEPT
-A FORWARD -d xxx.xxx.xxx.61 -p tcp -m tcp --dport 4899 -j ACCEPT
-A FORWARD -d xxx.xxx.xxx.61 -p tcp -m tcp --dport 5666 -j ACCEPT
-A FORWARD -d xxx.xxx.xxx.61 -p tcp -m tcp --dport 8080 -j ACCEPT
-A FORWARD -d xxx.xxx.xxx.62 -p tcp -m tcp --dport 4899 -j ACCEPT
-A FORWARD -d xxx.xxx.xxx.63 -p tcp -m tcp --dport 5666 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p icmp -j DROP
-A OUTPUT -p tcp -j DROP
-A OUTPUT -p udp -j DROP
COMMIT
# Completed on Mon May 16 13:42:26 2005


Jason Opperisano wrote:

>On Fri, May 13, 2005 at 01:04:31PM -0700, Brian Atkins wrote:
>  
>
>>Greetings:
>>
>>I'm in the process of building my first dedicated firewall using 
>>iptables/netfilter (v 1.2.11) on Gentoo Linux (2.6.11 kernel).  I want 
>>to enable the natting of IPs, but I am having trouble getting the rules 
>>to take.  Essentially, I would like to take a specific group of IPs 
>>(servers) and nat them specifically to an internal ip address.  The 
>>remainder of the internal IPs (workstations - dhcp) should be natted 
>>outbound within a range of IPs.
>>
>>Based on the docs on Netfilter.org and the man pages, I decided to start 
>>off with the following:
>>
>>iptables -t nat -A PREROUTING -i eth0 -d 141.xxx.xxx.xxx -j DNAT 
>>--to-destination 10.xxx.xxx.xxx
>>
>>But, when I try to run the command, it just hangs. After a while, I can 
>>break out of it with CTL-C.
>>
>>What gives?  Am I missing something?
>>    
>>
>
>the syntax of that rule looks fine to me.  i'm going to go out on a limb
>and say there is something rotten in your kernel config.
>
>out of curiosity, how did you compile the kernel for this machine, by
>hand, or by using genkernel?
>
>also, what does:
>
>  $ cat /proc/net/ip_tables_names
>and
>  $ cat /proc/net/ip_tables_targets
>
>have to say?
>
>-j
>
>--
>"Tom Tucker: Now let's go to Greg The Weather Mime. OK... it's going
> to be cold...lots of wind... and it looks like parents are going to
> throw human fecal matter from the rooftops onto their children... oh,
> GOD. That's awful. No wait, it looks like rain. Yes, rain."
>        --Family Guy
>
>  
>

-- 
Brian Atkins
Systems Administrator
The Library Corporation
Research Park * Inwood, WV 25428-9733
Ph: (800) 325-7759 or (304) 229-0100
Fx: (304) 229-0295
http://TLCdelivers.com