From mboxrd@z Thu Jan 1 00:00:00 1970
From: Brian Atkins
Subject: Re: Natting IPs hanging
Date: Mon, 16 May 2005 08:40:49 -0700
Message-ID: <4288BF01.50503@tlcdelivers.com>
References: <4285084F.1020500@tlcdelivers.com> <20050514152613.GA24427@bender.817west.com>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Return-path:
In-Reply-To: <20050514152613.GA24427@bender.817west.com>
List-Id:
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Sender: netfilter-bounces@lists.netfilter.org
Errors-To: netfilter-bounces@lists.netfilter.org
Content-Type: text/plain; charset="us-ascii"; format="flowed"
To: Jason Opperisano
Cc: netfilter@lists.netfilter.org

Jason,

Sorry for the delay in response. Catting either of those files doesn't
return much. The ip_tables_names only returns: "filter"; ip_tables_targets
is null.

I did use genkernel to build the new kernel. I did have multiple issues
with the kernel config initially, but mostly related to disk drivers. I
can forward my .config if that might be helpful.

I should say that other than trying to load the NATs, everything else is
working fine.

Here is the small config that I am currently running (don't worry, this
isn't production, yet):

# Generated by iptables-save v1.2.11 on Mon May 16 13:42:26 2005
*filter
:INPUT ACCEPT [89274:15206611]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9009:1656730]
-A INPUT -s xxx.xxx.xxx.0/255.0.0.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.0/255.0.0.0 -p icmp -j ACCEPT
-A INPUT -s xxx.xxx.xxx.64/255.255.255.192 -p icmp -j ACCEPT
-A INPUT -s xxx.xxx.xxx.65 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -j DROP
-A INPUT -p udp -j DROP
-A FORWARD -d xxx.xxx.xxx.57 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d xxx.xxx.xxx.57 -p tcp -m tcp --dport 5666 -j ACCEPT
-A FORWARD -d xxx.xxx.xxx.61 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d xxx.xxx.xxx.61 -p tcp -m tcp --dport 1999 -j ACCEPT
-A FORWARD -d xxx.xxx.xxx.61 -p tcp -m tcp --dport 4899 -j ACCEPT
-A FORWARD -d xxx.xxx.xxx.61 -p tcp -m tcp --dport 5666 -j ACCEPT
-A FORWARD -d xxx.xxx.xxx.61 -p tcp -m tcp --dport 8080 -j ACCEPT
-A FORWARD -d xxx.xxx.xxx.62 -p tcp -m tcp --dport 4899 -j ACCEPT
-A FORWARD -d xxx.xxx.xxx.63 -p tcp -m tcp --dport 5666 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p icmp -j DROP
-A OUTPUT -p tcp -j DROP
-A OUTPUT -p udp -j DROP
COMMIT
# Completed on Mon May 16 13:42:26 2005

Jason Opperisano wrote:
>On Fri, May 13, 2005 at 01:04:31PM -0700, Brian Atkins wrote:
>
>>Greetings:
>>
>>I'm in the process of building my first dedicated firewall using
>>iptables/netfilter (v 1.2.11) on Gentoo Linux (2.6.11 kernel). I want
>>to enable the natting of IPs, but I am having trouble getting the rules
>>to take. Essentially, I would like to take a specific group of IPs
>>(servers) and nat them specifically to an internal ip address. The
>>remainder of the internal IPs (workstations - dhcp) should be natted
>>outbound within a range of IPs.
>>
>>Based on the docs on Netfilter.org and the man pages, I decided to start
>>off with the following:
>>
>>iptables -t nat -A PREROUTING -i eth0 -d 141.xxx.xxx.xxx -j DNAT
>>--to-destination 10.xxx.xxx.xxx
>>
>>But, when I try to run the command, it just hangs. After a while, I can
>>break out of it with CTL-C.
>>
>>What gives? Am I missing something?
>>
>
>the syntax of that rule looks fine to me. i'm going to go out on a limb
>and say there is something rotten in your kernel config.
>
>out of curiosity, how did you compile the kernel for this machine, by
>hand, or by using genkernel?
>
>also, what does:
>
>  $ cat /proc/net/ip_tables_names
>and
>  $ cat /proc/net/ip_tables_targets
>
>have to say?
>
>-j
>
>--
>"Tom Tucker: Now let's go to Greg The Weather Mime. OK... it's going
> to be cold...lots of wind... and it looks like parents are going to
> throw human fecal matter from the rooftops onto their children... oh,
> GOD. That's awful. No wait, it looks like rain. Yes, rain."
> --Family Guy
>

-- 
Brian Atkins
Systems Administrator
The Library Corporation
Research Park * Inwood, WV 25428-9733
Ph: (800) 325-7759 or (304) 229-0100
Fx: (304) 229-0295
http://TLCdelivers.com
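The diagnostic Jason asks for, and the answer Brian reports (only "filter" listed in /proc/net/ip_tables_names), is the usual signature of a kernel whose nat table was never built or loaded. The script below is an added example, written by the editor rather than taken from either poster: a preflight that reads the table list the running kernel exposes and, optionally, the kernel .config Brian offered, and gates the loading of any "-t nat" rules on the result. CONFIG_IP_NF_NAT is the 2.6-era option name for the nat table and iptable_nat its module; the default .config path and the sample files written at the bottom are assumptions constructed for the demonstration, not data from Brian's machine.

```shell
#!/bin/sh
# Added example (editor's own, not from the thread): preflight before
# loading nat rules on a 2.6-era iptables box.

# have_table NAME FILE: success if FILE lists table NAME, one table per line
# (the layout of /proc/net/ip_tables_names).
have_table() {
    grep -qx "$1" "$2" 2>/dev/null
}

# nat_table_status [FILE]: prints "ok" when nat is listed, "nat-missing"
# when the kernel exposes tables but not nat (the thread's symptom), and
# "no-iptables" when the file is absent or empty (ip_tables not loaded).
nat_table_status() {
    _f=${1:-/proc/net/ip_tables_names}
    if [ ! -r "$_f" ] || ! grep -q . "$_f"; then
        echo no-iptables
    elif have_table nat "$_f"; then
        echo ok
    else
        echo nat-missing
    fi
}

# kconfig_nat FILE: how CONFIG_IP_NF_NAT is set in a kernel .config:
# "builtin" (=y), "module" (=m, so iptable_nat must be modprobed) or "unset".
kconfig_nat() {
    _line=$(grep '^CONFIG_IP_NF_NAT=' "$1" 2>/dev/null || true)
    case $_line in
        CONFIG_IP_NF_NAT=y) echo builtin ;;
        CONFIG_IP_NF_NAT=m) echo module ;;
        *) echo unset ;;
    esac
}

# nat_preflight [TABLES_FILE] [KCONFIG]: one-line verdict; exits 0 only when
# the nat table is usable, so a rule-loading script can stop early instead
# of hanging on the first "-t nat" command. The .config path is an assumption.
nat_preflight() {
    _tables=${1:-/proc/net/ip_tables_names}
    _cfg=${2:-/usr/src/linux/.config}
    _status=$(nat_table_status "$_tables")
    case $_status in
        ok)
            echo "nat table present, safe to load -t nat rules"
            return 0 ;;
        nat-missing)
            _k=$(kconfig_nat "$_cfg")
            case $_k in
                module)  echo "nat missing: CONFIG_IP_NF_NAT=m, load it with modprobe iptable_nat" ;;
                builtin) echo "nat missing although CONFIG_IP_NF_NAT=y: running kernel does not match this .config" ;;
                *)       echo "nat missing: CONFIG_IP_NF_NAT not set, rebuild the kernel with NAT support" ;;
            esac
            return 1 ;;
        *)
            echo "ip_tables not loaded at all: no tables listed in $_tables"
            return 2 ;;
    esac
}

# Constructed sample inputs (not captured from Brian's box): the first file
# mirrors his "only filter" output, the second a kernel with nat loaded, and
# the .config fragment has NAT built as a module.
demo_dir=$(mktemp -d)
printf 'filter\n' > "$demo_dir/names_filter_only"
printf 'filter\nnat\nmangle\n' > "$demo_dir/names_with_nat"
printf 'CONFIG_IP_NF_IPTABLES=y\nCONFIG_IP_NF_NAT=m\n' > "$demo_dir/dot_config"

nat_preflight "$demo_dir/names_filter_only" "$demo_dir/dot_config" || true
nat_preflight "$demo_dir/names_with_nat" "$demo_dir/dot_config"
```

Run it with no arguments on a real box and it reads /proc/net/ip_tables_names and /usr/src/linux/.config directly; put `nat_preflight || exit` at the top of a firewall script so the nat rules are only attempted once the table is known to exist.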