From: Patrick Chemla <patrick.chemla@perfaction.net>
To: netfilter@vger.kernel.org
Subject: I can't make forwarding
Date: Tue, 16 Feb 2010 13:19:21 +0200
Message-ID: <4B7A7F39.5090808@perfaction.net>
Hi,

I have problems setting up a NAT router using iptables.
My NAT router is running Fedora 11.
I have 2 interfaces: eth0 10.0.0.1 is internal, eth1 172.25.2.2 is external.
I have 10 external public addresses coming to the interface eth1 that I
want to forward to 10 internal computers on eth0.

When I try to ping or access an external web server from the NAT server
itself, it works very fine. I see on the remote server the external
address of the NAT router itself.

When I try to ping or wget an external web server from an internal
10.0.0.151 computer, using tcpdump both on the foreign server's interface
and on eth1 of the NAT router, I see that packets reach the
external server with the right IP 192.114.84.144, I see that the
external server sends back something, but I can't get it back on the eth1
tcpdump.
Here is my iptables:
============
iptables -n -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1664  208K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22

Chain FORWARD (policy ACCEPT 3499 packets, 213K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0   eth1    10.0.0.151           192.114.84.144      state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth1   eth0    192.114.84.144       10.0.0.151          state NEW,RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  466 71467 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
Here is my NAT table:
=============
iptables -n -t nat -L -v
Chain PREROUTING (policy ACCEPT 915 packets, 129K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth1   *       192.114.84.144       0.0.0.0/0           to:10.0.0.151

Chain POSTROUTING (policy ACCEPT 75 packets, 6372 bytes)
 pkts bytes target     prot opt in     out     source               destination
   16   960 SNAT       all  --  *      eth1    10.0.0.151           0.0.0.0/0           to:192.114.84.144

Chain OUTPUT (policy ACCEPT 36 packets, 3998 bytes)
 pkts bytes target     prot opt in     out     source               destination
I think I ACCEPT and FORWARD all, and I have both SNAT and DNAT, but I
missed something.

Help will be welcome.

Patrick
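An added example, not part of Patrick's message or of any reply in the thread: a small Python parser for the `iptables -n -L -v` listing format he pasted. The two listings above are embedded below as constructed sample input, re-aligned into the columns iptables prints; the parser turns each chain into a record and reports, per chain, how many packets hit an explicit rule versus fell through to the policy, and which rules have never matched. It assumes the classic `-L -v` layout (chain header, `pkts bytes target ...` column row, one rule per line) and reads the K/M/G counter suffixes as the decimal abbreviations iptables prints when `-x` is not given.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: the two listings pasted in the message above,
# re-aligned into the columns `iptables -n -L -v` prints.
FILTER_OUTPUT = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1664  208K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
Chain FORWARD (policy ACCEPT 3499 packets, 213K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0   eth1    10.0.0.151           192.114.84.144      state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth1   eth0    192.114.84.144       10.0.0.151          state NEW,RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  466 71467 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
"""

NAT_OUTPUT = """\
Chain PREROUTING (policy ACCEPT 915 packets, 129K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth1   *       192.114.84.144       0.0.0.0/0           to:10.0.0.151
Chain POSTROUTING (policy ACCEPT 75 packets, 6372 bytes)
 pkts bytes target     prot opt in     out     source               destination
   16   960 SNAT       all  --  *      eth1    10.0.0.151           0.0.0.0/0           to:192.114.84.144
Chain OUTPUT (policy ACCEPT 36 packets, 3998 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""


@dataclass
class Rule:
    pkts: int
    nbytes: int
    target: str
    prot: str
    opt: str
    in_if: str
    out_if: str
    source: str
    destination: str
    extra: str = ""  # match options and target parameters (state ..., to:...)


@dataclass
class Chain:
    name: str
    policy: Optional[str]  # None for user-defined chains ("N references")
    policy_pkts: int
    policy_bytes: int
    rules: List[Rule] = field(default_factory=list)


_CHAIN_RE = re.compile(
    r"^Chain (\S+) \((?:policy (\S+) (\S+) packets, (\S+) bytes|(\d+) references)\)")
_SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}


def parse_count(tok: str) -> int:
    """Counters above 99999 are abbreviated K/M/G/T (decimal) unless -x is used."""
    if tok and tok[-1] in _SUFFIX:
        return int(tok[:-1]) * _SUFFIX[tok[-1]]
    return int(tok)


def parse_iptables_lv(text: str) -> Dict[str, Chain]:
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _CHAIN_RE.match(line)
        if m:
            name, policy, ppkts, pbytes, _refs = m.groups()
            current = Chain(name, policy,
                            parse_count(ppkts) if ppkts else 0,
                            parse_count(pbytes) if pbytes else 0)
            chains[name] = current
            continue
        if line.startswith("pkts bytes"):  # column header row
            continue
        if current is None:
            raise ValueError(f"rule line before any chain header: {line!r}")
        f = line.split()
        # A rule without -j prints an empty target column; the opt column
        # ("--", "-f", "!f") then lands where the protocol should be.
        if len(f) > 3 and f[3][0] in "-!":
            f.insert(2, "")
        if len(f) < 9:
            raise ValueError(f"short rule line: {line!r}")
        current.rules.append(
            Rule(parse_count(f[0]), parse_count(f[1]), *f[2:9], " ".join(f[9:])))
    return chains


def chain_summary(chains: Dict[str, Chain]) -> Dict[str, dict]:
    """Per chain: packets that hit an explicit rule vs. the policy, and the
    indices of rules that have never matched anything."""
    return {
        c.name: {
            "policy": c.policy,
            "policy_pkts": c.policy_pkts,
            "rule_pkts": sum(r.pkts for r in c.rules),
            "zero_hit_rules": [i for i, r in enumerate(c.rules) if r.pkts == 0],
        }
        for c in chains.values()
    }
```

Run over the pasted listings, the summary shows the FORWARD policy counted 3499 packets while both explicit FORWARD rules have 0 hits, and in the nat table the SNAT rule has 16 hits while the DNAT rule has none. The parsed DNAT rule also has 192.114.84.144 in its source column and 0.0.0.0/0 in its destination column; a DNAT meant to redirect traffic arriving for a public address is normally written to match on the destination, so that column is the first thing to compare against the intended rule. Counters are cumulative since the rules were loaded, so `iptables -Z` before a test run makes the per-rule hit counts meaningful.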
Thread overview (5 messages):
2010-02-16 11:19 I can't make forwarding  Patrick Chemla [this message]
2010-02-16 14:05 ` I can't make forwarding  Patrick Chemla
2010-02-16 15:38   ` Mart Frauenlob
2010-03-03  8:36 ` Multiple IPs to 2 interfaces problem with default route  Patrick Chemla
2010-03-04  2:19   ` Sven-Haegar Koch