  #1  
2nd August 2011, 16:43
johncongdon
IPTables Masquerading Issue

I have setup masquerading dozens of times with no issues.

I have 2 linux boxes (A=Private, B=Masquerader)

Here are the checks I have done
A - Default gateway is B
B - iptables is wide open with 1 postrouting statement
iptables -t nat -A POSTROUTING -s 10.0.73.11 -j SNAT --to-source PUBLIC_IP
B - IP Forwarding is enabled.

I can ping from A to B's private address. Cannot go past that.
If I run iptraf on B, I can see the ping req/reply from A to another IP.

If I ssh from A to another machine outside the firewall, I can see the connection attempt with netstat -an | grep :22 on the remote machine.

So the connections are being transmitted out correctly, but not getting returned correctly through SNAT. Any ideas?
  #2  
3rd August 2011, 13:39
Mark_NL

Why do you SNAT?

for a simple and fast gateway you should do this:

set net.ipv4.ip_forward to 1 (/etc/sysctl.conf, then run: sysctl -p)
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE

eth0 being your external interface (wan connection).

That's it.
  #3  
3rd August 2011, 16:51
johncongdon

I have done that as well. Both give me the same results. The SNAT was a last attempt and something that I read was "more secure" than just masquerade.

Either way, the end result was the same.
  #4  
3rd August 2011, 16:56
Mark_NL

If my solution doesn't work, then there is something you haven't told us about your setup.

A -> B -> C

You're able to ping C unless "C" is dropping stuff.

A: ping c
B: tcpdump -i eth0 icmp
C: tcpdump -i eth0 icmp

Now see what packets go back and forth on B and C.
  #5  
3rd August 2011, 17:56
johncongdon

I wish I was not telling you something. That's why I tried to be very specific about my setup and the testing that I have done. I have set up simple masquerading before; it should not be this difficult. I also made sure SELinux was off, in case that was the issue. I can ping from A to the private side of B, so ping is not being blocked on A.

I also went back to your suggestion of iptables -t nat -I POSTROUTING -o eth1 -j MASQUERADE, and I get the same results.

I see the ping request/reply on C (in your example).
I see the ping request/reply on B ( on both eth0 and eth1 )

The firewall on A is open by default:
Quote:
root@PSWEBNODE1 [~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain acctboth (0 references)
target prot opt source destination
root@PSWEBNODE1 [~]# cat /etc/redhat-release
CentOS release 5.6 (Final)
Output from B:
Quote:
[root@psfw1 ~]# tcpdump -i eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
11:46:49.508565 IP 10.0.73.11 > MachineC: ICMP echo request, id 36931, seq 1, length 64
11:46:49.528951 IP MachineC > 10.0.73.11: ICMP echo reply, id 36931, seq 1, length 64
11:46:50.508192 IP 10.0.73.11 > MachineC: ICMP echo request, id 36931, seq 2, length 64
11:46:50.529028 IP MachineC > 10.0.73.11: ICMP echo reply, id 36931, seq 2, length 64

4 packets captured
4 packets received by filter
0 packets dropped by kernel
[root@psfw1 ~]# tcpdump -i eth1 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
11:46:53.507654 IP MachineB_PublicIP > MachineC: ICMP echo request, id 36931, seq 5, length 64
11:46:53.527257 IP MachineC > MachineB_PublicIP: ICMP echo reply, id 36931, seq 5, length 64

2 packets captured
2 packets received by filter
0 packets dropped by kernel
Output from C:
Quote:
[root@squishy scanner]# tcpdump -i eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
11:47:18.171359 IP MachineB_PublicIP > MachineC: icmp 64: echo request seq 74
11:47:18.250561 IP MachineC > MachineB_PublicIP: icmp 64: echo reply seq 74

2 packets captured
2 packets received by filter
0 packets dropped by kernel
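To make the comparison Mark_NL asked for mechanical, here is an added Python checker (not code from the thread) that parses B's inside and outside tcpdump lines and reports whether the source was rewritten on the way out and the reply un-translated on the way back. The embedded capture text is a constructed copy of the output quoted above; the hostnames are the placeholders the poster used.

```python
import re

# Constructed sample, copied from the two captures on B quoted in this post (hostnames are placeholders).
CAPTURE = {
    "eth0": """\
11:46:49.508565 IP 10.0.73.11 > MachineC: ICMP echo request, id 36931, seq 1, length 64
11:46:49.528951 IP MachineC > 10.0.73.11: ICMP echo reply, id 36931, seq 1, length 64
11:46:50.508192 IP 10.0.73.11 > MachineC: ICMP echo request, id 36931, seq 2, length 64
11:46:50.529028 IP MachineC > 10.0.73.11: ICMP echo reply, id 36931, seq 2, length 64
""",
    "eth1": """\
11:46:53.507654 IP MachineB_PublicIP > MachineC: ICMP echo request, id 36931, seq 5, length 64
11:46:53.527257 IP MachineC > MachineB_PublicIP: ICMP echo reply, id 36931, seq 5, length 64
""",
}

# Matches the newer "ICMP echo request, id N, seq N" and the older "icmp 64: echo request seq N" styles.
LINE_RE = re.compile(r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): (?:ICMP|icmp \d+:) echo "
                     r"(?P<kind>request|reply)(?:, id \d+)?,? seq (?P<seq>\d+)")

def parse(text):
    pkts = []  # one dict per ICMP echo line; other tcpdump lines are ignored
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            p = m.groupdict()
            p["seq"] = int(p["seq"])
            pkts.append(p)
    return pkts

def check_nat_path(capture, private_ip, public_ip, inside_if, outside_if):
    """Findings for a working SNAT/MASQUERADE path; every boolean should be True."""
    inside, outside = parse(capture[inside_if]), parse(capture[outside_if])
    req_in = [p for p in inside if p["kind"] == "request"]
    rep_in = [p for p in inside if p["kind"] == "reply"]
    req_out = [p for p in outside if p["kind"] == "request"]
    rep_out = [p for p in outside if p["kind"] == "reply"]
    return {
        # A's packets arrive on B's inside interface with the private source
        "inside_request_from_private": bool(req_in) and all(p["src"] == private_ip for p in req_in),
        # on the WAN side the source must already be rewritten to the public address
        "outside_request_snatted": bool(req_out) and all(p["src"] == public_ip for p in req_out),
        # C answers the public address, so the reply has a route back to B
        "outside_reply_to_public": bool(rep_out) and all(p["dst"] == public_ip for p in rep_out),
        # conntrack un-NATs the reply and it is forwarded back to A
        "inside_reply_to_private": bool(rep_in) and all(p["dst"] == private_ip for p in rep_in),
        # request seqs seen inside that never got a reply back inside
        "unanswered_seqs_inside": sorted({p["seq"] for p in req_in} - {p["seq"] for p in rep_in}),
    }
```

Run against the quoted captures every check passes, which says B's NAT path itself is translating and un-translating correctly; a private source showing up on eth1 or an empty reply list on eth0 would point at the NAT rule or the return route instead.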
  #6  
3rd August 2011, 18:41
Franz

Did you configure this on machine B?

Code:
 echo 1 > /proc/sys/net/ipv4/ip_forward