From: John Mok <jmok@attglobal.net>
To: Brian Atkins <batkins@tlcdelivers.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: Natting IPs hanging
Date: Tue, 17 May 2005 01:18:41 +0800
Message-ID: <4288D5F1.6010406@attglobal.net>
In-Reply-To: <4288BF01.50503@tlcdelivers.com>

Dear Brian,

How is the routing set up? Did you try to log the entries before the DROP 
rule? Since it is a PREROUTING NAT, the packet will be NATed before 
traversing the INPUT, FORWARD or OUTPUT chains. You may proceed 
troubleshooting in that direction.

John Mok


Brian Atkins wrote:

> Jason,
>
> Sorry for the delay in response.  Catting either of those files 
> doesn't return much.  The ip_tables_names only returns: "filter"; 
> ip_tables_targets is null.
> I did use genkernel to build the new kernel. I did have multiple 
> issues with the kernel config initially, but mostly related to disk 
> drivers. I can forward my .config if that might be helpful.
> I should say that other than trying to load the NATs, everything else 
> is working fine.  Here is the small config that I am currently running 
> (don't worry, this isn't production, yet):
>
> # Generated by iptables-save v1.2.11 on Mon May 16 13:42:26 2005
> *filter
> :INPUT ACCEPT [89274:15206611]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [9009:1656730]
> -A INPUT -s xxx.xxx.xxx.0/255.0.0.0 -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -s xxx.xxx.xxx.0/255.0.0.0 -p icmp -j ACCEPT
> -A INPUT -s xxx.xxx.xxx.64/255.255.255.192 -p icmp -j ACCEPT
> -A INPUT -s xxx.xxx.xxx.65 -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -p tcp -j DROP
> -A INPUT -p udp -j DROP
> -A FORWARD -d xxx.xxx.xxx.57 -p tcp -m tcp --dport 80 -j ACCEPT
> -A FORWARD -d xxx.xxx.xxx.57 -p tcp -m tcp --dport 5666 -j ACCEPT
> -A FORWARD -d xxx.xxx.xxx.61 -p tcp -m tcp --dport 80 -j ACCEPT
> -A FORWARD -d xxx.xxx.xxx.61 -p tcp -m tcp --dport 1999 -j ACCEPT
> -A FORWARD -d xxx.xxx.xxx.61 -p tcp -m tcp --dport 4899 -j ACCEPT
> -A FORWARD -d xxx.xxx.xxx.61 -p tcp -m tcp --dport 5666 -j ACCEPT
> -A FORWARD -d xxx.xxx.xxx.61 -p tcp -m tcp --dport 8080 -j ACCEPT
> -A FORWARD -d xxx.xxx.xxx.62 -p tcp -m tcp --dport 4899 -j ACCEPT
> -A FORWARD -d xxx.xxx.xxx.63 -p tcp -m tcp --dport 5666 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
> -A OUTPUT -p icmp -j ACCEPT
> -A OUTPUT -p icmp -j DROP
> -A OUTPUT -p tcp -j DROP
> -A OUTPUT -p udp -j DROP
> COMMIT
> # Completed on Mon May 16 13:42:26 2005
>
>
> Jason Opperisano wrote:
>
>> On Fri, May 13, 2005 at 01:04:31PM -0700, Brian Atkins wrote:
>>  
>>
>>> Greetings:
>>>
>>> I'm in the process of building my first dedicated firewall using 
>>> iptables/netfilter (v 1.2.11) on Gentoo Linux (2.6.11 kernel).  I 
>>> want to enable the natting of IPs, but I am having trouble getting 
>>> the rules to take.  Essentially, I would like to take a specific 
>>> group of IPs (servers) and nat them specifically to an internal ip 
>>> address.  The remainder of the internal IPs (workstations - dhcp) 
>>> should be natted outbound within a range of IPs.
>>>
>>> Based on the docs on Netfilter.org and the man pages, I decided to 
>>> start off with the following:
>>>
>>> iptables -t nat -A PREROUTING -i eth0 -d 141.xxx.xxx.xxx -j DNAT 
>>> --to-destination 10.xxx.xxx.xxx
>>>
>>> But, when I try to run the command, it just hangs. After a while, I 
>>> can break out of it with CTL-C.
>>>
>>> What gives?  Am I missing something?
>>>   
>>
>>
>> the syntax of that rule looks fine to me.  i'm going to go out on a limb
>> and say there is something rotten in your kernel config.
>>
>> out of curiosity, how did you compile the kernel for this machine, by
>> hand, or by using genkernel?
>>
>> also, what does:
>>
>>  $ cat /proc/net/ip_tables_names
>> and
>>  $ cat /proc/net/ip_tables_targets
>>
>> have to say?
>>
>> -j
>>
>> -- 
>> "Tom Tucker: Now let's go to Greg The Weather Mime. OK... it's going
>> to be cold...lots of wind... and it looks like parents are going to
>> throw human fecal matter from the rooftops onto their children... oh,
>> GOD. That's awful. No wait, it looks like rain. Yes, rain."
>>        --Family Guy
>>
>>  
>>
>

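The points raised in this thread can be turned into something checkable. The following is an added example, not code posted by anyone in the thread: it checks whether the kernel actually exposes a `nat` table (Brian's `/proc/net/ip_tables_names` listed only `filter`, and rules for a table the kernel does not register cannot be loaded), rewrites an iptables-save dump so that every DROP is preceded by a matching, rate-limited LOG rule (John's suggestion for seeing what is being dropped), and renders the policy Brian described (named servers DNATed one-to-one, the workstation range SNATed to a pool) in iptables-restore format. The addresses (198.51.100.0/24 standing in for public space, 10.0.0.0/16 for the inside), the interface name `eth0`, the log prefix and the `-m limit` rate are all placeholders chosen for this example. Because of the chain order John describes, once the DNAT is in place any FORWARD rule has to match the translated (internal) destination, not the public one.

```shell
#!/bin/sh
# Added example, not code from the thread. Three helpers around the problem
# discussed above:
#   1. table_registered    - does the kernel expose a given iptables table?
#   2. add_log_before_drop - insert a rate-limited LOG rule before each DROP
#                            in an iptables-save dump (same matches).
#   3. render_nat_rules    - the DNAT-per-server / SNAT-pool policy in
#                            iptables-restore format.
# Addresses, interface name, log prefix and limit rate are placeholders.
set -e

# Return 0 if table $1 is registered in the running kernel, 1 otherwise.
# $2 optionally points at an alternative copy of /proc/net/ip_tables_names
# (used for testing against a constructed file).
table_registered() {
    _names=${2:-/proc/net/ip_tables_names}
    [ -r "$_names" ] || return 1
    grep -qx "$1" "$_names"
}

# Read an iptables-save dump from file $1 and print it with a LOG rule
# (same matches, at most 5 log lines a minute) placed directly before each
# DROP rule, so dropped packets appear in the kernel log as "fw-drop: ...".
add_log_before_drop() {
    sed -e '/ -j DROP$/{h;s| -j DROP$| -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "|;p;x;}' "$1"
}

# Print the nat table: each listed server is DNATed to its own internal host
# and answers from that same public address, while the workstation range is
# SNATed to a pool of public addresses. $1 = external interface.
render_nat_rules() {
    _ext=$1
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $_ext -d 198.51.100.10 -j DNAT --to-destination 10.0.0.10
-A PREROUTING -i $_ext -d 198.51.100.11 -j DNAT --to-destination 10.0.0.11
-A POSTROUTING -o $_ext -s 10.0.0.10 -j SNAT --to-source 198.51.100.10
-A POSTROUTING -o $_ext -s 10.0.0.11 -j SNAT --to-source 198.51.100.11
-A POSTROUTING -o $_ext -s 10.0.1.0/24 -j SNAT --to-source 198.51.100.100-198.51.100.110
COMMIT
EOF
}

# Stand-alone run: report whether nat rules can be loaded on this kernel at
# all, then print the ruleset (feed it to iptables-restore once the table
# is present; never load nat rules into a kernel that does not list "nat").
if table_registered nat; then
    echo "# nat table is registered; the ruleset below can be loaded"
else
    echo "# no nat table registered: check CONFIG_IP_NF_NAT / iptable_nat before loading"
fi
render_nat_rules eth0
```

Run `add_log_before_drop /etc/iptables.rules | iptables-restore` (with a real path) to get the logged variant of an existing filter set; the LOG line keeps the original rule's protocol and port matches, so the log entries correspond one-to-one with the DROP that follows.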


Thread overview: 9+ messages
2005-05-13 20:04 Natting IPs hanging Brian Atkins
2005-05-14 15:26 ` Jason Opperisano
2005-05-16 15:40   ` Brian Atkins
2005-05-16 17:18     ` John Mok [this message]
2005-05-16 21:53     ` Jason Opperisano
  -- strict thread matches above, loose matches on Subject: below --
2005-05-19 19:55 Brian Atkins
2005-05-20 10:38 ` Brian Atkins
2005-05-20 15:47   ` Jason Opperisano
     [not found] <200505161949.j4GJnhXF027020@mail.tlcdelivers.com>
2005-05-23 20:45 ` Brian Atkins