* SNAT does not work
From: Uwe Eisner @ 2002-06-06 13:27 UTC (permalink / raw)
To: netfilter
Hi @ all,
I'm using an internal IP range, for which I need NAT to connect to the
internet..
My problem is that this rule does not work. When I start a Perl script on
the web which shows me my IP address, it shows me the IP address of
the external interface of the router/firewall. I cannot find the
problem. If I set no POSTROUTING rule, it is the same game...
Is it possible that NAT is not activated in my kernel? How can I test it?
Here is a snippet of my rules:
# Delete all rules (not the standard policy)
iptables -F
# --> SET ALL INPUT FLAGS <--
iptables -P INPUT DROP                        # DROP all, if no rule matches
iptables -A INPUT -i eth0 -j ACCEPT           # Every request from the internal interface is allowed
iptables -A INPUT -s 141.12.0.0/16 -j ACCEPT  # Every request from the GMD-LAN is allowed
# --> SET ALL FORWARD FLAGS <--
iptables -P FORWARD DROP                      # DROP all, if no rule matches
iptables -A FORWARD -s 192.168.0.0/16 -j ACCEPT
iptables -A FORWARD -d 192.168.0.0/16 -m state --state ESTABLISHED,RELATED -j ACCEPT
# --> SET ALL OUTPUT FLAGS <--
iptables -P OUTPUT ACCEPT                     # ACCEPT all, if no rule matches
# --> MASQUERADING <--
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 141.12.218.99
# 141.12.218.3 => 192.168.1.3 ==> MAIL.globit.com (DA-WEB01)
# ========================================================================
iptables -t nat -A PREROUTING -d 141.12.218.3 -j DNAT --to-destination 192.168.1.3
iptables -A FORWARD -p tcp -d 192.168.1.3/32 --dport 25 -j ACCEPT   ## SMTP port
iptables -A FORWARD -p tcp -d 192.168.1.3/32 --dport 110 -j ACCEPT  ## POP3 port
iptables -A FORWARD -p tcp -d 192.168.1.3/32 --dport 143 -j ACCEPT  ## IMAP port
Hope someone can help me.
Thx and best regards
Uwe Eisner
* Re: SNAT does not work
From: Antony Stone @ 2002-06-06 13:40 UTC (permalink / raw)
To: netfilter
On Thursday 06 June 2002 2:27 pm, Uwe Eisner wrote:
> My problem is that this rule does not work. When I start a Perl script on
> the web which shows me my IP address, it shows me the IP address of
> the external interface of the router/firewall. I cannot find the
> problem. If I set no POSTROUTING rule, it is the same game...
>
> Is it possible that NAT is not activated in my kernel? How can I test it?
If that were true you would not be able to enter the "-t nat -j SNAT" rule -
you would get an error message.
I cannot see an obvious problem with your rules. I suggest you put a LOG
rule at the end of your FORWARD chain and see what gets logged (just before
it gets default DROPped).
Antony.
* Re: SNAT does not work
From: Antony Stone @ 2002-06-06 13:57 UTC (permalink / raw)
To: netfilter
On Thursday 06 June 2002 2:27 pm, Uwe Eisner wrote:
Hi.
Having read your email again, I realise that I do not understand what problem
you're having...
> I'm using an internal IP range, for which I need NAT to connect to the
> internet..
Okay, yes - I understand that.
> My problem is that this rule does not work. When I start a Perl script on
> the web which shows me my IP address, it shows me the IP address of
> the external interface of the router/firewall.
Surely that means that your address translation *is* working ?
1. If it were not, the remote web server would not be able to establish a
connection.
2. The external address of the firewall is the address you would expect to be
coming from when you use the SNAT rule.
3. If you are running a Perl script, I assume that means that a TCP 3-way
handshake has been completed, which means the web server has successfully
been able to send packets back to your client.
> I can not find the problem.
What *is* the problem ?
> If I set no POSTROUTING rule, it is the same game...
I do not understand what you mean by this. Surely you do not mean that if
you remove the POSTROUTING rule, you can still connect to a remote web server
and have a Perl script tell you your source address ???
Maybe you can explain a little more for me ?
Antony.
* Re: SNAT does not work
From: Uwe Eisner @ 2002-06-06 14:45 UTC (permalink / raw)
To: Antony Stone; +Cc: netfilter
Antony Stone wrote:
>On Thursday 06 June 2002 2:27 pm, Uwe Eisner wrote:
>
>Hi.
>
>Having read your email again, I realise that I do not understand what problem
>you're having...
>
>>I'm using an internal IP range, for which I need NAT to connect to the
>>internet..
>
>Okay, yes - I understand that.
>
>>My problem is that this rule does not work. When I start a Perl script on
>>the web which shows me my IP address, it shows me the IP address of
>>the external interface of the router/firewall.
>
>Surely that means that your address translation *is* working ?
>
But why is the external IP address of the firewall shown on the web?
I specified the IP address 141.12.218.99, not 141.12.129.9 (ext.
router IP address)
>
>1. If it were not, the remote web server would not be able to establish a
>connection.
>
>2. The external address of the firewall is the address you would expect to be
>coming from when you use the SNAT rule.
>
>3. If you are running a Perl script, I assume that means that a TCP 3-way
>handshake has been completed, which means the web server has successfully
>been able to send packets back to your client.
>
>>I cannot find the problem.
>
>What *is* the problem ?
>
>>If I set no POSTROUTING rule, it is the same game...
>
>I do not understand what you mean by this. Surely you do not mean that if
>you remove the POSTROUTING rule, you can still connect to a remote web server
>and have a Perl script tell you your source address ???
>
Yes, that is it! I removed every POSTROUTING rule, but I could still
connect to the web.
>
>Maybe you can explain a little more for me ?
>
Of course. :-)
First I configured the firewall with a MASQUERADE rule, which shows the
web the external IP address of the router/firewall.
I removed the statement from the configuration script and added the new rule:
iptables -A POSTROUTING -t nat -s 192.168.0.0/16 -j SNAT --to-source 141.12.218.1
Afterwards I typed the flush command 'iptables -F'. Now ALL rules should
be removed, shouldn't they?
I started my configuration script with the new rule (see above), but
nothing has changed.
First I thought that iptables -F does not delete the POSTROUTING rules,
so I did it by hand:
iptables -D POSTROUTING -t nat -s 192.168.0.0/16 -j MASQUERADE
The same procedure as described above, and nothing has changed.
My plan is that our network shows to the web just one IP address, namely
141.12.218.99, and not the router IP address 141.12.129.9.
Hope that is more information for you.
Thx
Uwe Eisner
* Re: SNAT does not work
From: Antony Stone @ 2002-06-06 14:55 UTC (permalink / raw)
To: netfilter
On Thursday 06 June 2002 3:45 pm, Uwe Eisner wrote:
> >Surely that means that your address translation *is* working ?
>
> But why is the external IP address of the firewall shown on the web?
> I specified the IP address 141.12.218.99, not 141.12.129.9 (ext.
> router IP address)
Sorry - I did not realise from your original email that 141.12.218.99 was not
the external address of your firewall.
> > I do not understand what you mean by this. Surely you do not mean that
> > if you remove the POSTROUTING rule, you can still connect to a remote web
> > server and have a Perl script tell you your source address ???
>
> Yes, that is it! I removed every POSTROUTING rule, but I could still
> connect to the web.
In that case you must have Network Address Translation in operation on your
external router ? If not, then there is no way that:
a) privately-addressed machines 10.x.y.z, 172.16.s.t, 192.168.a.b could
contact external servers
b) your router address would show up on an external machine.
> Afterwards I typed the flush command 'iptables -F'. Now ALL rules should
> be removed, shouldn't they?
No. Not unless you also typed
iptables -F -t nat
"iptables -F" on its own will *only* clear the filtering table, not the nat
table or the mangle table.
Try iptables -L -t nat to see what rules you really have in place.
> I started my configuration script with the new rule (see above), but
> nothing has changed.
>
> First I thought that iptables -F does not delete the POSTROUTING rules,
Correct :-)
Antony.
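A check for exactly this situation, added here as an example and not part of the thread: it reads iptables-save output (a constructed sample below, mirroring the stale MASQUERADE rule ahead of the new SNAT rule in nat POSTROUTING) and reports which target a packet from the internal range hits first, and it shows a flush that also covers the nat and mangle tables as Antony describes. The function names are my own.

```sh
#!/bin/sh
# Added example, not from the thread. "iptables -F" without -t flushes only the
# filter table, so a MASQUERADE rule appended to nat POSTROUTING earlier survives
# and, being first in the chain, keeps matching before a later SNAT rule.

# Flush every table, not just filter (needs root; defined here, not run).
# -F empties the built-in chains, -X removes user-defined chains.
flush_all_tables() {
    for t in filter nat mangle; do
        iptables -t "$t" -F
        iptables -t "$t" -X
    done
}

# Print the rules of one chain in one table from iptables-save text on stdin.
# Usage: iptables-save | chain_rules nat POSTROUTING
chain_rules() {
    awk -v table="*$1" -v chain="$2" '
        /^\*/     { cur = $0; next }          # "*filter", "*nat", ...
        /^COMMIT/ { cur = ""; next }
        cur == table && $1 == "-A" && $2 == chain { print }
    '
}

# Target of the first rule in the chain: first match wins, so this is the
# target a packet from the internal range actually gets.
first_target() {
    chain_rules "$1" "$2" |
        awk 'NR == 1 { for (i = 1; i <= NF; i++) if ($i == "-j") print $(i + 1) }'
}

# Constructed iptables-save output mimicking the state described in the thread.
SAMPLE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 192.168.0.0/16 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/16 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/16 -j SNAT --to-source 141.12.218.1
COMMIT'

printf '%s\n' "$SAMPLE" | chain_rules nat POSTROUTING
printf 'first POSTROUTING target: %s\n' "$(printf '%s\n' "$SAMPLE" | first_target nat POSTROUTING)"
```

On a live box, replace the sample with `iptables-save | chain_rules nat POSTROUTING`; anything other than SNAT as the first target means the old rule was never flushed.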
* Re: SNAT does not work
From: Uwe Eisner @ 2002-06-07 10:50 UTC (permalink / raw)
To: Antony Stone; +Cc: netfilter
Hi Antony..
thx for your information! Now it works fine!
greetings
Uwe