From: Patrick Chemla <patrick.chemla@perfaction.net>
To: netfilter@vger.kernel.org
Subject: Re: I can't make forwarding
Date: Tue, 16 Feb 2010 16:05:41 +0200
Message-ID: <4B7AA635.2010002@perfaction.net>
In-Reply-To: <4B7A7F39.5090808@perfaction.net>
Hi,
I tried more, and by doing this I can access the internet from a computer
on the local network:
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
But the computer is seen with the NAT router's external IP.
I need the internal computers to be seen with a different external IP
address.
Patrick
On 16/02/2010 13:19, Patrick Chemla wrote:
> Hi,
>
> I have problems setting up a NAT router using iptables.
>
> My NAT Router is running Fedora 11.
>
> I have 2 interfaces, eth0 10.0.0.1 is internal, eth1 172.25.2.2 is
> external.
>
> I have 10 external public addresses coming to the interface eth1 that
> I want to forward to 10 internal computers on eth0.
>
> When I try to ping or access an external web server from the NAT
> server itself, it works fine. I see on the remote server the
> external address of the NAT router itself.
> When I try to ping or wget an external web server from an internal
> computer, 10.0.0.151, using tcpdump both on the foreign server's
> interface and on eth1 of the NAT router, I see that the packets reach
> the external server with the right IP, 192.114.84.144, and I see that
> the external server sends something back, but I can't see it coming
> back in the tcpdump on eth1.
>
> Here is my iptables:
> ============
> iptables -n -L -v
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>  1664  208K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
>     0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
>
> Chain FORWARD (policy ACCEPT 3499 packets, 213K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  eth0   eth1    10.0.0.151           192.114.84.144      state NEW,RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  eth1   eth0    192.114.84.144       10.0.0.151          state NEW,RELATED,ESTABLISHED
>
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>   466 71467 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
>     0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
>
>
> Here is my NAT table:
> =============
> iptables -n -t nat -L -v
> Chain PREROUTING (policy ACCEPT 915 packets, 129K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 DNAT       tcp  --  eth1   *       192.114.84.144       0.0.0.0/0           to:10.0.0.151
>
> Chain POSTROUTING (policy ACCEPT 75 packets, 6372 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>    16   960 SNAT       all  --  *      eth1    10.0.0.151           0.0.0.0/0           to:192.114.84.144
>
> Chain OUTPUT (policy ACCEPT 36 packets, 3998 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
>
>
> I think I ACCEPT and FORWARD everything, and I have both SNAT and DNAT,
> but I have missed something.
>
> Help will be welcome.
>
> Patrick
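The thread is about mapping several public addresses on the external interface one-to-one onto hosts on the internal interface. The usual shape of such a mapping is a DNAT rule in PREROUTING that matches the public address as the packet's destination, paired with a SNAT rule in POSTROUTING that matches the private address as the packet's source, plus FORWARD rules that admit only that pair. The script below is an added example, not code from the thread or from the netfilter project: it prints the ip and iptables commands for a list of PUBLIC:PRIVATE pairs so the rule set can be reviewed before it is piped to sh. The interface names, the addresses, the file name gen-1to1-nat.sh and the assumption that the public addresses are configured on the router itself (rather than routed to it) are all illustrative.

```shell
#!/bin/sh
# Added example, not code from the thread: print the commands for a set of
# 1:1 (static) NAT mappings between public addresses on the external
# interface and hosts on the internal interface. The script prints the
# iptables/ip commands rather than executing them, so the rule set can be
# reviewed and then piped to sh. Interface names, addresses and the file
# name gen-1to1-nat.sh are assumptions for illustration.

set -eu

# one_to_one_nat PUBLIC_IP PRIVATE_IP EXT_IF INT_IF
# Emits the rules for one mapping. The DNAT rule matches the public address
# as the packet's destination; the SNAT rule matches the private address
# as the packet's source. Only this pair is allowed through FORWARD.
one_to_one_nat() {
    pub=$1; priv=$2; ext=$3; int=$4
    cat <<EOF
# $pub <-> $priv
# Assumption: the public address is configured on the router itself so it
# answers ARP for it (alternatively the address must be routed to the router).
ip addr add $pub/32 dev $ext
# inbound: traffic sent to the public IP is rewritten to the internal host
iptables -t nat -A PREROUTING -i $ext -d $pub -j DNAT --to-destination $priv
# outbound: traffic from the internal host leaves with its own public IP
iptables -t nat -A POSTROUTING -o $ext -s $priv -j SNAT --to-source $pub
# forwarding: new connections in either direction for this pair only;
# replies are matched by conntrack state
iptables -A FORWARD -i $ext -o $int -d $priv -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $int -o $ext -s $priv -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
EOF
}

# nat_ruleset EXT_IF INT_IF "PUB1:PRIV1 PUB2:PRIV2 ..."
# Emits the full rule set: enable forwarding, flush the chains this script
# owns, default-deny FORWARD, then one mapping per PUBLIC:PRIVATE pair.
nat_ruleset() {
    ext=$1; int=$2; maps=$3
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F FORWARD
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
# nothing is forwarded unless a mapping below allows it
iptables -P FORWARD DROP
EOF
    for m in $maps; do
        one_to_one_nat "${m%%:*}" "${m#*:}" "$ext" "$int"
    done
}

# usage: sh gen-1to1-nat.sh eth1 eth0 "192.114.84.144:10.0.0.151 192.114.84.145:10.0.0.152" | sh
if [ "$#" -ge 3 ]; then
    nat_ruleset "$1" "$2" "$3"
fi
```

After applying the output, `iptables -t nat -nvL` should show the DNAT counter increase when a connection arrives at the public address from outside and the SNAT counter increase when the internal host connects out; a FORWARD counter that stays at zero while the nat counters move points at the FORWARD chain, and a DNAT counter that stays at zero means the packets never matched, which is the first thing to compare against a tcpdump on the external interface.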
Thread overview (5+ messages):
2010-02-16 11:19 I can't make forwarding Patrick Chemla
2010-02-16 14:05 ` Patrick Chemla [this message]
2010-02-16 15:38 ` Mart Frauenlob
2010-03-03 8:36 ` Multiple IPs to 2 interfaces problem with default route Patrick Chemla
2010-03-04 2:19 ` Sven-Haegar Koch