From: Mohamed Eldesoky <eldesoky.lists@gmail.com>
To: Sietse van Zanen <sietse@wizdom.nu>,
	netfilter <netfilter@lists.netfilter.org>
Subject: Re: NAT doesn't work (only a fraction of the forwarded packets reach the postrouting chain)
Date: Sun, 13 Mar 2005 17:01:49 +0200	[thread overview]
Message-ID: <1403218a05031307016e0a559c@mail.gmail.com> (raw)
In-Reply-To: <02BB8A4AC86C564C89C7F14CF98CE0C49B74@knowledge.wizdom.nu>

On Sun, 13 Mar 2005 14:34:52 +0100, Sietse van Zanen <sietse@wizdom.nu> wrote:
> Because netfilter is a stateful firewall basically.
> It logs the first per NEW and marks the latter as RELATED,ESTABLISHED.
> 
But every new ping is a new connection, not related to the other ping!!!
It is not a ping-pong-ping-pong
It is ping-pong ping-pong

Maybe I am wrong!!!

> Only packets that match the NEW state will increment the counters. It counts how many connections have been set up, not how many packets belonging to a connection pass. These will be counted in a -j ACCEPT --state RELATED,ESTABLISHED rule, if present.
> 
> You could bypass this by creating a stateless rule, but that would defeat the purpose of a stateless firewall.
> 
> -----Original Message-----
> From: Mohamed Eldesoky [mailto:eldesoky.lists@gmail.com]
> Sent: Sunday, March 13, 2005 2:21 PM
> To: Sietse van Zanen; netfilter
> Subject: Re: NAT doesn't work (only a fraction of the forwarded packets reach the postrouting chain)
> 
> On Sun, 13 Mar 2005 13:14:31 +0100, Sietse van Zanen <sietse@wizdom.nu> wrote:
> > What do you see when you tcpdump on your external interface? (tcpdump -i eth0). Can you see NATted packets exiting that interface?
> >
> > The reason that you only see 4 packets in the iptables -t nat -L is that if you fire off 10 pings, iptables will see the latter 9 as belonging to the same connection and therefore only logs 1.
> 
> How come ???
> 
> >
> > It might be as simple as that the host you are trying to ping is just unpingable.
> >
> > Specify some more info, like what you are trying to ping, and traceroute -I output.
> >
> > -----Original Message-----
> > From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Mårten Segerkvist
> > Sent: Sunday, March 13, 2005 1:01 PM
> > To: netfilter@lists.netfilter.org
> > Subject: RE: NAT doesn't work (only a fraction of the forwarded packets reach the postrouting chain)
> >
> > On Sun, 13 Mar 2005, Sietse van Zanen wrote:
> >
> > > From man iptables:
> > > MASQUERADE
> > > This target is only valid in the nat table, in the POSTROUTING chain.
> > > It should only be used with dynamically assigned IP (dialup)
> > > connections: if you have  a  static  IP address,  you should use the
> > > SNAT target.
> > >
> > > Try using regular SNAT rule:
> > >
> > > iptables --table nat --append POSTROUTING --out-interface eth0 -j SNAT \
> > >   --to-source your.pub.ip.addr
> > >
> >
> > Now using:
> >
> > echo 1 > /proc/sys/net/ipv4/ip_forward
> > modprobe ipt_MASQUERADE
> > modprobe iptable_filter
> > iptables --table nat --append POSTROUTING --out-interface eth0 -j SNAT \
> >    --to-source 81.172.241.145
> > iptables --append FORWARD --in-interface eth1 -j ACCEPT
> >
> > This gives me the same result as previously. What confuses me further is
> > that no packets seem to be accepted from the wlan interface.
> >
> > > iptables -L -v
> >
> > Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >   125  5000 ACCEPT     all  --  wlan0  any     anywhere             anywhere
> >
> > > iptables -t nat -L -v
> >
> > Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >     4   295 SNAT       all  --  any    eth0    anywhere             anywhere            to:<IP>
> >
> > As before, I'd be most grateful for any suggestions!
> >
> > /Mårten Segerkvist
> >
> >
> 
> --
> Mohamed Eldesoky
> www.eldesoky.net
> RHCE
> 
> 


-- 
Mohamed Eldesoky
www.eldesoky.net
RHCE
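
The counter behaviour discussed in this thread, as an added toy model (not code from the thread or from netfilter): a single `ping` process keeps one ICMP id and only bumps the sequence number, so conntrack treats all its echo requests as one connection, and the nat POSTROUTING rule, which is consulted only for the first packet of a connection, counts 1 while the FORWARD rule counts every packet. Addresses and ICMP ids are constructed sample values.

```python
"""Toy model of conntrack's effect on iptables counters (added example).

The nat table is traversed only for the first packet of a connection
(state NEW); later packets reuse the stored mapping.  ICMP echo is
tracked as a flow keyed by (src, dst, icmp id).  Addresses and ids below
are constructed sample values, not taken from the thread.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Echo:
    src: str
    dst: str
    icmp_id: int
    seq: int
    reply: bool = False


@dataclass
class Router:
    conntrack: set = field(default_factory=set)
    forward_pkts: int = 0      # counter of 'FORWARD --in-interface wlan0 -j ACCEPT'
    postrouting_pkts: int = 0  # counter of 'nat POSTROUTING --out-interface eth0 -j SNAT'

    def flow_key(self, p):
        # A reply belongs to the flow of the request it answers: swap addresses.
        return (p.dst, p.src, p.icmp_id) if p.reply else (p.src, p.dst, p.icmp_id)

    def forward(self, p):
        if not p.reply:
            self.forward_pkts += 1   # LAN-originated packets match the FORWARD rule
        key = self.flow_key(p)
        if key not in self.conntrack:
            # state NEW: the nat table is traversed and the SNAT rule counter bumped
            self.conntrack.add(key)
            self.postrouting_pkts += 1
        # ESTABLISHED: the stored NAT mapping is applied without entering the nat table


def simulate_pings(runs, echoes_per_run):
    """Run `runs` separate ping processes, each sending `echoes_per_run` echoes."""
    r = Router()
    for icmp_id in range(1000, 1000 + runs):       # one id per ping process
        for seq in range(1, echoes_per_run + 1):
            r.forward(Echo("192.168.1.10", "198.51.100.7", icmp_id, seq))
            r.forward(Echo("198.51.100.7", "192.168.1.10", icmp_id, seq, reply=True))
    return r.forward_pkts, r.postrouting_pkts


if __name__ == "__main__":
    print(simulate_pings(4, 10))   # (40, 4): 40 forwarded packets, 4 NAT "connections"
```

In a real kernel the ICMP conntrack entry also expires (30 seconds by default), so a ping run longer than that creates a fresh entry and a second NAT counter hit even with the same id.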

