* [2.6.21.1] Nat trouble
@ 2007-05-07 11:57 BERTRAND Joël
  2007-05-07 20:17 ` David Miller
  2007-05-08 10:07 ` BERTRAND Joël
  0 siblings, 2 replies; 3+ messages in thread
From: BERTRAND Joël @ 2007-05-07 11:57 UTC (permalink / raw)
  To: sparclinux

	Hello,

	I have built a 2.6.21.1 kernel to replace a working 2.6.20 on an 
U60/SMP. NAT (iptables) worked fine with 2.6.20 but not with 2.6.21.1. 
That being said, all other iptables rules seem to work fine with 2.6.21.1.

My /var/lib/iptables/active script:

# Generated by iptables-save v1.2.11 on Sat Jan 22 20:25:31 2005
*filter
#
#
#=======================================#
# By default, everything is dropped except on the loopback interface
#=======================================#
:INPUT DROP [28:3300]
:FORWARD DROP [0:0]
:OUTPUT DROP [27:3120]
[0:0] -A INPUT -i lo -j ACCEPT
#
#
#=======================================#
# Everything coming from the LAN is accepted.
#=======================================#
[0:0] -A INPUT -i eth0 -j ACCEPT
#
#
#=======================================#
# Protocols arriving on the WAN interface rayleigh.
# ftp, ssh, smtp, http, ntp, https, imaps, pop3s, cvs, jabber
#=======================================#
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 21 -j ACCEPT
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 123 -j ACCEPT
[0:0] -A INPUT -i eth1 -p udp -m udp --dport 123 -j ACCEPT
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 993 -j ACCEPT
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 995 -j ACCEPT
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 2401 -j ACCEPT
[0:0] -A INPUT -i eth1 -p udp -m udp --dport 2401 -j ACCEPT
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 5222 -j ACCEPT
[0:0] -A INPUT -i eth1 -p icmp -j ACCEPT
#
#
#=======================================#
# Protocols arriving on the WAN interface newton.
# ssh, ntp, smtp
#=======================================#
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 25 -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 123 -j ACCEPT
[0:0] -A INPUT -i eth2 -p udp -m udp --dport 123 -j ACCEPT
[0:0] -A INPUT -i eth2 -p icmp -j ACCEPT
#
#
#=======================================#
# Unconditional inbound rules
#=======================================#
[0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -m state --state INVALID -j DROP
#
#
#=======================================#
# Forwarding from the LAN to the WAN interface rayleigh (default route).
# ftp, ssh, http, pop3, nntp, https, imaps, pop3s, openvpn, cvs,
# 3000:3001 (jcollab)
#=======================================#
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 21 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 43 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 110 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 119 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 443 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 993 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 995 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 1194 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p udp -m udp --dport 1194 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 2401 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p udp -m udp --dport 2401 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 3000:3001 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 5900 -j ACCEPT
#
#
#=======================================#
# From the WAN interface rayleigh to the hosts in the /29.
# ssh
#=======================================#
[0:0] -A FORWARD -i eth1 -o eth0 -p tcp -m tcp --dport 22 -j ACCEPT
#
#
#=======================================#
# From the WAN interface rayleigh to lebegue.
# 3000:3001 (jcollab), mysql
#=======================================#
[0:0] -A FORWARD -i eth1 -o eth0 -p tcp -m tcp -d 192.168.0.81 --dport 80 -j ACCEPT
[0:0] -A FORWARD -i eth1 -o eth0 -p tcp -m tcp -d 192.168.0.81 --dport 3000:3001 -j ACCEPT
[0:0] -A FORWARD -i eth1 -o eth0 -p tcp -m tcp -d 192.168.0.81 --dport 3306 -j ACCEPT
#
#
#=======================================#
# From the WAN interface rayleigh to fermat.
# smtp, http
#=======================================#
[0:0] -A FORWARD -i eth1 -o eth0 -p tcp -m tcp -d 192.168.0.83 --dport 25 -j ACCEPT
[0:0] -A FORWARD -i eth1 -o eth0 -p tcp -m tcp -d 192.168.0.83 --dport 80 -j ACCEPT
#
#
#=======================================#
# From fermat to the WAN interface newton.
# smtp
#=======================================#
[0:0] -A FORWARD -i eth0 -o eth2 -p tcp -m tcp -s 192.168.0.83 --dport 25 -j ACCEPT
#
#
#=======================================#
# From fermat to the WAN interface rayleigh.
# smtp
#=======================================#
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp -s 192.168.0.83 --dport 3307 -j ACCEPT
#
#
#=======================================#
# Unconditional forwarding rules
#=======================================#
[0:0] -A FORWARD -p icmp -j ACCEPT
[0:0] -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -m state --state INVALID -j DROP
#
#
#=======================================#
# Outbound traffic allowed on the LAN and loopback interfaces
#=======================================#
[0:0] -A OUTPUT -o lo -j ACCEPT
[0:0] -A OUTPUT -o eth0 -j ACCEPT
#
#
#=======================================#
# Outbound traffic allowed on the WAN interface rayleigh
# ftp, ssh, telnet, smtp, whois, domain, http, pop3, nntp, ntp, https, cvs
# 3000:3001 (jcollab), mysql, 8080 (servlet jcollab)
#=======================================#
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 21 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 23 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 25 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 43 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 53 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 110 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 119 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 123 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p udp -m udp --dport 123 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 443 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 554 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 2401 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p udp -m udp --dport 2401 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 3000 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 3001 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 3306 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 8080 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p icmp -j ACCEPT
#
#
#=======================================#
# Outbound traffic allowed on the WAN interface newton
# telnet, ntp
#=======================================#
[0:0] -A OUTPUT -o eth2 -p tcp -m tcp --dport 23 -j ACCEPT
[0:0] -A OUTPUT -o eth2 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A OUTPUT -o eth2 -p tcp -m tcp --dport 123 -j ACCEPT
[0:0] -A OUTPUT -o eth2 -p udp -m udp --dport 123 -j ACCEPT
[0:0] -A OUTPUT -o eth2 -p icmp -j ACCEPT
[0:0] -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -m state --state INVALID -j DROP
COMMIT
# Completed on Sat Jan 22 20:25:31 2005
# Generated by iptables-save v1.2.11 on Sat Jan 22 20:25:31 2005
*nat
:PREROUTING ACCEPT [2:156]
:POSTROUTING ACCEPT [4:377]
:OUTPUT ACCEPT [0:0]
#
#
#=======================================#
# NAT everything coming from the LAN interface
#=======================================#
[0:0] -A POSTROUTING -s 192.168.0.0/255.255.255.0 -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
#
#
#=======================================#
# Force packets from fermat destined to port 25 to be routed
# via the WAN interface newton
#=======================================#
[0:0] -A PREROUTING -s 192.168.0.83 -p tcp -m tcp --dport 25 -jMARK --set-mark 1
COMMIT
# Completed on Sat Jan 22 20:25:31 2005

	eth1 and eth2 are WAN interfaces, eth0 is LAN. All options required for 
iptables have been built as modules. Configurations of both 2.6.20 and 
2.6.21.1 are the same.

	Regards,

	JKB


* Re: [2.6.21.1] Nat trouble
  2007-05-07 11:57 [2.6.21.1] Nat trouble BERTRAND Joël
@ 2007-05-07 20:17 ` David Miller
  2007-05-08 10:07 ` BERTRAND Joël
  1 sibling, 0 replies; 3+ messages in thread
From: David Miller @ 2007-05-07 20:17 UTC (permalink / raw)
  To: sparclinux

From: BERTRAND_Joël <joel.bertrand@systella.fr>
Date: Mon, 07 May 2007 13:57:11 +0200

> 	Hello,
> 
> 	I have built a 2.6.21.1 kernel to replace a working 2.6.20 on an 
> U60/SMP. NAT (iptables) worked fine with 2.6.20 but not with 2.6.21.1. 
> That being said, all other iptables rules seem to work fine with 2.6.21.1.
> 
> My /var/lib/iptables/active script:

Please report this to the netfilter developer lists, this doesn't
look sparc specific.

Please also make sure you have all the proper netfilter modules
enabled in your kernel config, some things have changed in the
past few releases.  For example, the connection tracking modules
are called "NF_FOO" instead of "IP_FOO"

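The advice above (check that every netfilter feature the ruleset relies on is actually built and loaded) and the posted ruleset itself both call for the same tool: something that reads an iptables-save dump, lists the tables, matches and targets it needs, and points out anything that looks off. The following script is an added example written for this thread; it is neither the poster's file nor anything from the netfilter project. The feature-to-module mapping is an assumption based on recent kernels (the MARK target, for instance, has moved between xt_MARK and xt_mark over the years), so treat it as a starting point for comparing against `lsmod` rather than an authoritative list. The sample ruleset is constructed, modelled on the thread, and keeps the `-jMARK` spelling from the posted file, which getopt accepts but iptables-save itself never writes.

```python
"""Lint an iptables-save dump: list the netfilter features it needs and flag
common mistakes.  Added example for the NAT thread; module names below are
an assumption for the reader's kernel, not a statement about 2.6.21.1."""
import re
import shlex
import sys

# Constructed sample in iptables-save format, modelled on the posted ruleset.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
[0:0] -A POSTROUTING -s 192.168.0.0/255.255.255.0 -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
[0:0] -A PREROUTING -s 192.168.0.83 -p tcp -m tcp --dport 25 -jMARK --set-mark 1
COMMIT
"""

# Assumed feature -> kernel module mapping (names as on recent kernels; older
# trees differ, e.g. the MARK target lived in xt_MARK before xt_mark).
FEATURE_MODULES = {
    "table:filter": "iptable_filter",
    "table:nat": "iptable_nat (plus nf_nat, nf_conntrack)",
    "table:mangle": "iptable_mangle",
    "match:state": "xt_state (plus nf_conntrack)",
    "match:tcp": "xt_tcpudp",
    "match:udp": "xt_tcpudp",
    "target:MASQUERADE": "ipt_MASQUERADE (plus nf_nat)",
    "target:MARK": "xt_mark",
}


def parse_ruleset(text):
    """Return (tables, rules); each rule is (table, chain, option tokens)."""
    table, tables, rules = None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):             # table header, e.g. *nat
            table = line[1:]
            tables.append(table)
            continue
        if line.startswith(":") or line == "COMMIT":
            continue                         # chain policy line / end of table
        toks = shlex.split(line)
        if toks and re.fullmatch(r"\[\d+:\d+\]", toks[0]):
            toks = toks[1:]                  # drop the [packets:bytes] counter
        if len(toks) >= 2 and toks[0] == "-A":
            rules.append((table, toks[1], toks[2:]))
    return tables, rules


def _split_glued(toks):
    """Turn getopt-style '-jMARK' into ['-j', 'MARK'] so targets are not missed."""
    out = []
    for tok in toks:
        m = re.fullmatch(r"(-[jm])([A-Za-z].*)", tok)
        out.extend(m.groups() if m else [tok])
    return out


def required_features(text):
    """Sorted list of 'table:', 'match:' and 'target:' features the dump uses."""
    tables, rules = parse_ruleset(text)
    feats = {"table:" + t for t in tables}
    for _, _, toks in rules:
        toks = _split_glued(toks)
        for i, tok in enumerate(toks[:-1]):
            if tok == "-m":
                feats.add("match:" + toks[i + 1])
            elif tok == "-j":
                feats.add("target:" + toks[i + 1])
    return sorted(feats)


def lint(text):
    """Human-readable findings about the ruleset, in rule order."""
    findings = []
    _, rules = parse_ruleset(text)
    for table, chain, toks in rules:
        rule = " ".join(toks)
        # MASQUERADE with no -o applies on every outgoing interface, so traffic
        # the box routes back towards the LAN is rewritten too; pin it to WAN.
        if table == "nat" and "MASQUERADE" in toks and "-o" not in toks:
            findings.append(f"{table}/{chain}: MASQUERADE without -o <wan-if>: {rule}")
        # iptables-save writes "-j MARK"; a glued "-jMARK" means the file was
        # edited by hand, which is worth knowing when a restore misbehaves.
        for tok in toks:
            if re.fullmatch(r"-[jmpiosd][A-Za-z0-9].*", tok):
                findings.append(f"{table}/{chain}: hand-edited option {tok!r} in: {rule}")
    return findings


def report(text):
    lines = ["Required netfilter features (assumed module names, compare with lsmod):"]
    lines += [f"  {f:20s} -> {FEATURE_MODULES.get(f, '?')}" for f in required_features(text)]
    lines += ["Findings:"] + ["  " + f for f in lint(text)]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python lint_iptables.py < /var/lib/iptables/active  (or no stdin for the sample)
    print(report(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RULESET))
```

Run it against the saved ruleset and compare the feature list with `lsmod` on the new kernel; a missing conntrack or NAT module shows up there before any packet is tested. The MASQUERADE finding is the hardening point a reviewer would raise on the posted file: without `-o eth1`/`-o eth2`, the rule also matches LAN-sourced packets leaving on other interfaces.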

* Re: [2.6.21.1] Nat trouble
  2007-05-07 11:57 [2.6.21.1] Nat trouble BERTRAND Joël
  2007-05-07 20:17 ` David Miller
@ 2007-05-08 10:07 ` BERTRAND Joël
  1 sibling, 0 replies; 3+ messages in thread
From: BERTRAND Joël @ 2007-05-08 10:07 UTC (permalink / raw)
  To: sparclinux

David Miller wrote:
> From: BERTRAND_Joël <joel.bertrand@systella.fr>
> Date: Mon, 07 May 2007 13:57:11 +0200
> 
>> 	Hello,
>>
>> 	I have built a 2.6.21.1 kernel to replace a working 2.6.20 on an 
>> U60/SMP. NAT (iptables) worked fine with 2.6.20 but not with 2.6.21.1. 
>> That being said, all other iptables rules seem to work fine with 2.6.21.1.
>>
>> My /var/lib/iptables/active script:
> 
> Please report this to the netfilter developer lists, this doesn't
> look sparc specific.
> 
> Please also make sure you have all the proper netfilter modules
> enabled in your kernel config, some things have changed in the
> past few releases.  For example, the connection tracking modules
> are called "NF_FOO" instead of "IP_FOO"

	I have all conntrack modules (and the modules are loaded). I had some 
trouble a long time ago with conntrack modules and iproute2. I don't 
have any i386 or amd64 machine to test on those architectures.

	Regards,

	JKB

