Re: Having trouble establishing IP masquerading
On Sat, Sep 11, 2010 at 12:10:30PM +, Hendrik Boom wrote:

> I've been IP masquerading for years. But now my Pentium front-end machine
> has bit the dust, and I'm setting up my server to do the masquerading
> itself. It's an AMD64 running Debian lenny:
>
>     hend...@lovesong:~$ uname -a
>     Linux lovesong 2.6.30-1-486 #1 Mon Aug 3 15:05:33 UTC 2009 i686 GNU/Linux
>     hend...@lovesong:~$
>
> I've been more-or-less following the instructions in
> http://tldp.org/HOWTO/IP-Masquerade-HOWTO/firewall-examples.html
> but nothing seems to work.
>
> I wondered if perhaps the modules weren't being loaded, so I did lsmod.
> Instead of the modules I requested, whose names started with ip_, I have
> another set of modules with similar names starting with nf_. Is this
> relevant?
>
> The script I'm using to start IP forwarding is as follows:

Personally I really like shorewall for managing iptables. You write a couple of simple shorewall rules, and it takes care of all the details. It is really quite handy.

--
Len Sorensen

--
To UNSUBSCRIBE, email to debian-amd64-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20100913140859.gr2...@caffeine.csclub.uwaterloo.ca
Having trouble establishing IP masquerading
I've been IP masquerading for years. But now my Pentium front-end machine has bit the dust, and I'm setting up my server to do the masquerading itself. It's an AMD64 running Debian lenny:

    hend...@lovesong:~$ uname -a
    Linux lovesong 2.6.30-1-486 #1 Mon Aug 3 15:05:33 UTC 2009 i686 GNU/Linux
    hend...@lovesong:~$

I've been more-or-less following the instructions in http://tldp.org/HOWTO/IP-Masquerade-HOWTO/firewall-examples.html but nothing seems to work.

I wondered if perhaps the modules weren't being loaded, so I did lsmod. Instead of the modules I requested, whose names started with ip_, I have another set of modules with similar names starting with nf_. Is this relevant?

The script I'm using to start IP forwarding is as follows:

    #!/bin/sh
    # netfilter / NAT modules (names as in the IP-Masquerade HOWTO)
    modprobe ip_tables
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    modprobe ip_conntrack_irc
    modprobe iptable_nat
    modprobe ip_nat_ftp
    modprobe ip_nat_irc
    # enable routing between interfaces
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # filter table: INPUT/OUTPUT wide open, FORWARD default-deny
    iptables --policy INPUT ACCEPT
    iptables --flush INPUT
    iptables --policy OUTPUT ACCEPT
    iptables --flush OUTPUT
    iptables --policy FORWARD DROP
    # nat table: masquerade everything leaving eth0
    iptables -t nat -F
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    # show the result
    echo list resulting ip tables
    iptables --list
    echo filter:
    iptables -L -n -t filter
    echo mangle:
    iptables -L -n -t mangle
    echo nat:
    iptables -t nat -n -L -v

And when I run it, it reports:

    list resulting ip tables
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy DROP)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    filter:
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy DROP)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    mangle:
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    nat:
    Chain PREROUTING (policy ACCEPT 32304 packets, 2322K bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain POSTROUTING (policy ACCEPT 2881 packets, 200K bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 3520 packets, 242K bytes)
     pkts bytes target     prot opt in     out     source               destination

Evidently, when I run it, it does *something*. But when I try to use the masquerade, nothing seems to get through, except from the machine doing the masquerading itself. The server is currently the only machine on my LAN that has access to the internet.

--
hendrik
Re: Having trouble establishing IP masquerading
You need to have rules in the FORWARD chain (of the filter table). The examples in the URL you referenced:

    $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

I'm guessing $EXTIF would be eth0, and $INTIF would be whatever your inside interface is.

David

On 9/11/10 8:10 AM, Hendrik Boom wrote:

> I've been IP masquerading for years. But now my Pentium front-end machine
> has bit the dust, and I'm setting up my server to do the masquerading
> itself. It's an AMD64 running Debian lenny:
>
>     hend...@lovesong:~$ uname -a
>     Linux lovesong 2.6.30-1-486 #1 Mon Aug 3 15:05:33 UTC 2009 i686 GNU/Linux
>     hend...@lovesong:~$
>
> I've been more-or-less following the instructions in
> http://tldp.org/HOWTO/IP-Masquerade-HOWTO/firewall-examples.html
> but nothing seems to work.
>
> I wondered if perhaps the modules weren't being loaded, so I did lsmod.
> Instead of the modules I requested, whose names started with ip_, I have
> another set of modules with similar names starting with nf_. Is this
> relevant?
>
> The script I'm using to start IP forwarding is as follows:
>
>     #!/bin/sh
>     modprobe ip_tables
>     modprobe ip_conntrack
>     modprobe ip_conntrack_ftp
>     modprobe ip_conntrack_irc
>     modprobe iptable_nat
>     modprobe ip_nat_ftp
>     modprobe ip_nat_irc
>     echo 1 > /proc/sys/net/ipv4/ip_forward
>     iptables --policy INPUT ACCEPT
>     iptables --flush INPUT
>     iptables --policy OUTPUT ACCEPT
>     iptables --flush OUTPUT
>     iptables --policy FORWARD DROP
>     iptables -t nat -F
>     iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>     echo list resulting ip tables
>     iptables --list
>     echo filter:
>     iptables -L -n -t filter
>     echo mangle:
>     iptables -L -n -t mangle
>     echo nat:
>     iptables -t nat -n -L -v
>
> And when I run it, it reports:
>
> [...]
>
> Evidently, when I run it, it does *something*. But when I try to use the
> masquerade, nothing seems to get through, except from the machine doing
> the masquerading itself. The server is currently the only machine on my
> LAN that has access to the internet.
>
> --
> hendrik
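The failure in Hendrik's post and the fix in David's reply, as an added example (this is not the script from the thread and not the HOWTO's code). The script below keeps Hendrik's skeleton but gives the FORWARD chain the two rules David quotes, and it carries a small check that reads "iptables -L FORWARD -n" output and flags the exact state shown in the original listing: policy DROP with an empty chain, which drops LAN traffic before the nat POSTROUTING rule is ever consulted. The outside interface eth0, inside interface eth1 and the LAN range 192.168.1.0/24 are assumptions of the example, not values from the thread. (On the module question: the nf_-prefixed modules seen in lsmod are the current netfilter names; the ip_conntrack names from the HOWTO load them through aliases, so they are not the cause.)

```sh
#!/bin/sh
# Added example, not the script from the thread. Same skeleton as the
# original, but the FORWARD chain gets the two rules from the reply and the
# MASQUERADE rule is limited to the LAN's source range.
# Assumptions (not from the thread): eth0 is the outside interface, eth1 the
# LAN interface, and 192.168.1.0/24 is a constructed sample LAN range.
EXTIF="${EXTIF:-eth0}"
INTIF="${INTIF:-eth1}"
LAN="${LAN:-192.168.1.0/24}"

# Print the iptables invocations, one per line, instead of running them.
# Reviewing (and testing) the list needs neither root nor an iptables binary.
build_rules() {
    ext="$1"; int="$2"; lan="$3"
    cat <<EOF
iptables --policy INPUT ACCEPT
iptables --flush INPUT
iptables --policy OUTPUT ACCEPT
iptables --flush OUTPUT
iptables --policy FORWARD DROP
iptables --flush FORWARD
iptables -A FORWARD -i $ext -o $int -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $int -o $ext -s $lan -j ACCEPT
iptables -t nat -F
iptables -t nat -A POSTROUTING -o $ext -s $lan -j MASQUERADE
EOF
}

# Run the rule list for real (needs root). Forwarding is switched on last, so
# no packet is routed before the FORWARD chain is in place.
apply_rules() {
    build_rules "$EXTIF" "$INTIF" "$LAN" | while IFS= read -r cmd; do
        sh -c "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done || return 1
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# The checks below read "iptables -L FORWARD -n" output from stdin.
# forward_policy prints the chain's default policy (ACCEPT or DROP).
forward_policy() {
    awk '/^Chain FORWARD/ { gsub(/[()]/, ""); print $4 }'
}

# forward_rule_count prints how many rules the chain holds: every line that is
# neither the "Chain ..." header nor the "target prot opt ..." column header.
forward_rule_count() {
    awk '!/^Chain / && !/^target / && NF { n++ } END { print n + 0 }'
}

# diagnose_forward reproduces the symptom from the thread: a DROP policy on an
# empty chain means nothing from the LAN can cross the router, however correct
# the nat table looks. Returns 1 in that case, 0 otherwise.
diagnose_forward() {
    out=$(cat)
    policy=$(printf '%s\n' "$out" | forward_policy)
    count=$(printf '%s\n' "$out" | forward_rule_count)
    if [ "$policy" = DROP ] && [ "$count" -eq 0 ]; then
        echo "BROKEN: FORWARD policy DROP with no rules; LAN traffic is dropped before NAT matters"
        return 1
    fi
    echo "OK: FORWARD policy ${policy:-unknown} with $count rule(s)"
    return 0
}

case "${1:-}" in
    apply) apply_rules ;;                               # install the rules (root)
    check) iptables -L FORWARD -n | diagnose_forward ;; # inspect the live chain
    *)     build_rules "$EXTIF" "$INTIF" "$LAN" ;;      # dry run: print the rules
esac
```

Run it with no argument to see the rule list, with "check" to test the running kernel's FORWARD chain, and with "apply" to install the rules. Limiting both the inside-to-outside ACCEPT and the MASQUERADE rule to the LAN's source range, rather than matching all sources as the original script does, keeps the box from masquerading traffic it should never have routed in the first place.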