Linux Netfilter discussions
* Did MASQUERADE not work ?
@ 2004-03-10  2:05 Kevork
  2004-03-10  7:52 ` Rob Sterenborg
  2004-03-10  9:23 ` Antony Stone
  0 siblings, 2 replies; 5+ messages in thread
From: Kevork @ 2004-03-10  2:05 UTC (permalink / raw)
  To: netfilter

Hi !,

This problem is making me crazy ...

All of a sudden, PCs from inside network lost connection to internet.
After some tcpdump on the linux box, I saw the box was not NATing.
Packets from inside are going to outside on its original IP source.
The most mysterious thing is that this was working some hours ago, from the
first time I set up the box.
No software was installed, no change was accomplished on the box ... nothing.
Iptables script is the same as when it worked.
MASQ line is:
iptables -t nat -A POSTROUTING -s 192.168.250.0/24 -d $internet -j MASQUERADE

I have 2 versions of kernel, one is out-of-the-box RedHat 9, and the other
is compiled by me.
I tried both, but the problem persists (before there was no problem).

Has someone, please, some idea or any explanation for this?
It's getting me quite crazy ...

Thank you very much,
Kevork.




* RE: Did MASQUERADE not work ?
  2004-03-10  2:05 Kevork
@ 2004-03-10  7:52 ` Rob Sterenborg
  2004-03-10  9:23 ` Antony Stone
  1 sibling, 0 replies; 5+ messages in thread
From: Rob Sterenborg @ 2004-03-10  7:52 UTC (permalink / raw)
  To: 'Kevork', netfilter

> Iptables script is the same as when it worked.
> MASQ line is:
> iptables -t nat -A POSTROUTING -s 192.168.250.0/24 -d 
> $internet -j MASQUERADE

What is "-d $internet" ?
If $internet is 0.0.0.0 (as it should be) then you don't need to specify it
as this is assumed.

Did you try SNAT :
iptables -t nat -A POSTROUTING -o <if_inet> \
  -s 192.168.250.0/24 -j SNAT --to-source <ip_inet>

Do you have a FORWARD rule in place that allows MASQ/SNAT, or do you have
FORWARD policy set to ACCEPT (which you should not do) ?

Do you have "echo 1 > /proc/sys/net/ipv4/ip_forward" ?


Gr,
Rob
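
The checks raised in the reply above (NAT rule bound to the outgoing interface, FORWARD handling, ip_forward), run offline over an iptables-save dump. This is an added example, not part of the thread: the function name audit_nat, both sample dumps and the LAN interface eth0 are assumptions made here; the subnet and eth1 come from the thread.

```shell
# Added example (not from the thread): check an iptables-save dump against
# the reply's checklist. audit_nat and both sample dumps are constructed here.
audit_nat() {  # args: dump text, ip_forward value, LAN CIDR
    dump=$1; fwd=$2; lan=$3; problems=""
    # Forwarding off means routed packets never reach POSTROUTING.
    [ "$fwd" = "1" ] || problems="$problems ip_forward_off"
    # Find a nat POSTROUTING rule for the LAN that ends in MASQUERADE or SNAT.
    natrules=$(printf '%s\n' "$dump" | awk -v lan="$lan" '
        /^\*/ { table = $1 }
        table == "*nat" && /^-A POSTROUTING/ && /-j (MASQUERADE|SNAT)/ &&
            index($0, "-s " lan " ")')
    if [ -z "$natrules" ]; then
        problems="$problems no_nat_rule"
    elif ! printf '%s\n' "$natrules" | grep -q -- ' -o '; then
        problems="$problems nat_rule_without_-o"  # not bound to the WAN interface
    fi
    # FORWARD: policy ACCEPT is too open; otherwise the LAN needs an ACCEPT rule.
    policy=$(printf '%s\n' "$dump" | awk '
        /^\*/ { table = $1 }
        table == "*filter" && /^:FORWARD / { print $2 }')
    if [ "$policy" = "ACCEPT" ]; then
        problems="$problems forward_policy_accept"
    elif ! printf '%s\n' "$dump" | grep -q -- "^-A FORWARD .*-s $lan .*-j ACCEPT"; then
        problems="$problems no_forward_accept_for_lan"
    fi
    problems=${problems# }
    echo "${problems:-ok}"
}

# Constructed dump: rule as posted (iptables-save drops "-d 0.0.0.0/0").
SAMPLE_BAD='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.250.0/24 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT'
# Constructed dump: -o eth1 added, FORWARD locked down (eth0 = assumed LAN side).
SAMPLE_GOOD='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.250.0/24 -o eth1 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -s 192.168.250.0/24 -i eth0 -o eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'
echo "bad:  $(audit_nat "$SAMPLE_BAD" 0 192.168.250.0/24)"
echo "good: $(audit_nat "$SAMPLE_GOOD" 1 192.168.250.0/24)"
```

On a live firewall, run it as root with the real state: audit_nat "$(iptables-save)" "$(cat /proc/sys/net/ipv4/ip_forward)" 192.168.250.0/24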




* RE: Did MASQUERADE not work ?
@ 2004-03-10  9:13 hclfm
  2004-03-10 23:39 ` Kevork
  0 siblings, 1 reply; 5+ messages in thread
From: hclfm @ 2004-03-10  9:13 UTC (permalink / raw)
  To: Rob Sterenborg; +Cc: 'Kevork', netfilter

[-- Attachment #1: Type: text/html, Size: 2158 bytes --]


* Re: Did MASQUERADE not work ?
  2004-03-10  2:05 Kevork
  2004-03-10  7:52 ` Rob Sterenborg
@ 2004-03-10  9:23 ` Antony Stone
  1 sibling, 0 replies; 5+ messages in thread
From: Antony Stone @ 2004-03-10  9:23 UTC (permalink / raw)
  To: netfilter

On Wednesday 10 March 2004 2:05 am, Kevork wrote:

> Hi !,
>
> This problem is making me crazy ...
>
> All of a sudden, PCs from inside network lost connection to internet.
> After some tcpdump on the linux box, I saw the box was not NATing.
> Packets from inside are going to outside on its original IP source.
> The most mysterious thing is that this was working some hours ago, from the
> first time I set up the box.

Has your DHCP lease expired on the external interface?

> MASQ line is:
> iptables -t nat -A POSTROUTING -s 192.168.250.0/24 -d $internet -j
> MASQUERADE

What is $internet?

Regards,

Antony.

-- 
This is not a rehearsal.
This is Real Life.

                                                     Please reply to the list;
                                                           please don't CC me.




* Re: Did MASQUERADE not work ?
  2004-03-10  9:13 Did MASQUERADE not work ? hclfm
@ 2004-03-10 23:39 ` Kevork
  0 siblings, 0 replies; 5+ messages in thread
From: Kevork @ 2004-03-10 23:39 UTC (permalink / raw)
  To: netfilter

[-- Attachment #1: Type: text/plain, Size: 2261 bytes --]

The only thing I did not try was SNAT as you advise here ... I will try this
today, but (always there is a "but"), when I posted this mail masquerading was
not working as I described ... that was yesterday night.

This morning (no change in the meanwhile), masquerading was working  :S

No FORWARD policy is active.
DHCP leasing is OK
I put "-o eth1" also.
$internet is "0.0.0.0/0" (I copy the entire script below)

I will try SNAT then, but now I must wait for "not working again"  ... This
has life !  :-))

Thank you all of you for your help ... I will keep you updated about this
fight.

Kevork.


  ----- Original Message ----- 
  From: hclfm@pricol.co.in 
  To: Rob Sterenborg 
  Cc: 'Kevork' ; netfilter@lists.netfilter.org 
  Sent: Wednesday, March 10, 2004 6:13 AM
  Subject: RE: Did MASQUERADE not work ?


  > Iptables script is the same as when it worked.
  > MASQ line is:
  > iptables -t nat -A POSTROUTING -s 192.168.250.0/24 -d
  > $internet -j MASQUERADE


  Hi ,

  You have missed the outgoing interface "-o" option ( Internet Interface )

  iptables -t nat -A POSTROUTING -o eth1 -s 192.168.250.0/24 -d $internet -j MASQUERADE

  must work.


  regards,

  U.SivaKumar,
  Networking & E-Security,
  HCL INFOSYSTEMS LIMITED,

  "The Purpose of Computing is Insight, Not Numbers" 




