You need to have rules in the FORWARD chain (of the filter table) -
The examples in the URL you referenced:
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
I'm guessing $EXTIF would be eth0, and $INTIF would be whatever your
inside interface is.
David
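Those two rules in a complete masquerading script, plus a check for the empty FORWARD chain shown in the quoted listing, as an added example (not code from the thread or from the HOWTO; eth0 as the external and eth1 as the internal interface are assumptions, and IPTABLES/IP_FORWARD_FILE are overridable only so the script can be dry-run without root):

```shell
#!/bin/sh
# Added example, not code from the thread or the HOWTO: the masquerading
# script with the two FORWARD rules David points to, plus a check for the
# empty-FORWARD-chain symptom. Assumed: eth0 is the external interface and
# eth1 the internal one. IPTABLES and IP_FORWARD_FILE can be overridden so
# the script can be dry-run (IPTABLES=echo) without root or netfilter.
EXTIF="${EXTIF:-eth0}"
INTIF="${INTIF:-eth1}"
IPTABLES="${IPTABLES:-iptables}"
IP_FORWARD_FILE="${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}"

# Turn on kernel routing; without it no rule in FORWARD ever sees a packet.
enable_forwarding() {
    echo 1 > "$IP_FORWARD_FILE"
}

apply_rules() {
    $IPTABLES --policy INPUT ACCEPT
    $IPTABLES --flush INPUT
    $IPTABLES --policy OUTPUT ACCEPT
    $IPTABLES --flush OUTPUT
    # Default-deny FORWARD, then permit only LAN -> Internet and the
    # replies that conntrack ties to those flows (ESTABLISHED,RELATED).
    $IPTABLES --policy FORWARD DROP
    $IPTABLES --flush FORWARD
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
    $IPTABLES -t nat -F
    $IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

# Reads 'iptables -L FORWARD -n' output on stdin; succeeds only if at least
# one rule follows the two header lines. A DROP policy with no rules, as in
# the listing in the quoted message, means nothing can be forwarded.
forward_chain_has_rules() {
    awk 'NR > 2 && NF > 0 { found = 1 } END { if (found) exit 0; exit 1 }'
}

# Constructed sample: the FORWARD chain as the original post shows it.
EMPTY_FORWARD='Chain FORWARD (policy DROP)
target     prot opt source               destination'

if [ "${1:-}" = "--apply" ]; then
    enable_forwarding
    apply_rules
elif ! printf '%s\n' "$EMPTY_FORWARD" | forward_chain_has_rules; then
    echo "FORWARD chain is empty: add rules before expecting masquerading to work"
fi
```

Run it as `sh masq.sh --apply` on the router, or `IPTABLES=echo sh masq.sh --apply` to print the rules it would install.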
On 9/11/10 8:10 AM, Hendrik Boom wrote:
I've been IP masquerading for years. But now my Pentium front-end machine
has bit the dust, and I'm setting up my server to do the masquerading
itself.
It's an AMD64 running Debian lenny:
hend...@lovesong:~$ uname -a
Linux lovesong 2.6.30-1-486 #1 Mon Aug 3 15:05:33 UTC 2009 i686 GNU/Linux
hend...@lovesong:~$
I've been more-or-less following the instructions in
http://tldp.org/HOWTO/IP-Masquerade-HOWTO/firewall-examples.html
but nothing seems to work. I wondered if perhaps the modules weren't
being loaded, so I did lsmod. Instead of the modules I requested, whose
names started with ip_, I have another set of modules with similar names
starting with nf_. Is this relevant?
The script I'm using to start IP forwarding is as follows:
#!/bin/sh
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_nat_irc
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --policy INPUT ACCEPT
iptables --flush INPUT
iptables --policy OUTPUT ACCEPT
iptables --flush OUTPUT
iptables --policy FORWARD DROP
iptables -t nat -F
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo list resulting ip tables
iptables --list
echo filter:
iptables -L -n -t filter
echo mangle:
iptables -L -n -t mangle
echo nat:
iptables -t nat -n -L -v
And when I run it, it reports:
list resulting ip tables
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
filter:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
mangle:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
nat:
Chain PREROUTING (policy ACCEPT 32304 packets, 2322K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 2881 packets, 200K bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 3520 packets, 242K bytes)
pkts bytes target prot opt in out source destination
Evidently, when I run it, it does *something*. But when I try to
use the masquerade, nothing seems to get through, except from the
machine doing the masquerading itself. The server is currently
the only machine on my LAN that has access to the internet.
-- hendrik