HI, Problem get firewall going.

Neil Dugan ubuntu at butterflystitches.com.au
Mon Jul 31 07:55:21 BST 2006 

Paul Schulz wrote:
> Neil,
> 
> After you have run you script, what is the contents of the iptables tables?
> Are they what you expect?
> 
> # iptables -t nat -vL
see below
> 
> Packets coming for the firewall can get nat'ed and sent out eth0
> instread of eth1.
> 
> On my 'router/firewall' I have the following.. which works..
> (It only NAT's packets coming from internal, to external IP addresses,
> and auto-matically looks after the related return packets.)
> 
> Cheers,
> Paul
> -------
> Internel Network is 192.168.10.0/24
> External IP address: EXTIP
> 
> iptables -t nat -A POSTROUTING \
>           -s 192.168.10.0/255.255.255.0 \
>           -d ! 192.168.10.0/255.255.255.0 \
>           -j SNAT --to-source $EXTIP
I put something similar in but it didn't help.  I still can't ping the 
modem on 192.168.1.1

> 
> echo 1 > /proc/sys/net/ipv4/ip_forward
that is already there

This is what I get if I ping the NIC on the other side of the firewall.

----------------------------------------------
Jul 31 16:13:33 localhost kernel: [17179736.368000] 
mangle_prerouting:IN=eth1 OUT= 
MAC=00:50:ba:ab:8b:68:00:0d:56:c5:2b:b4:08:00 SRC=192.168.5.200 
DST=192.168.1.238 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP 
TYPE=8 CODE=0 ID=48918 SEQ=3

Jul 31 16:13:33 localhost kernel: [17179736.368000] 
nat_prerouting:IN=eth1 OUT= 
MAC=00:50:ba:ab:8b:68:00:0d:56:c5:2b:b4:08:00 SRC=192.168.5.200 
DST=192.168.1.238 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP 
TYPE=8 CODE=0 ID=48918 SEQ=3

Jul 31 16:13:33 localhost kernel: [17179736.368000] 
mangle_input:IN=eth1 OUT= 
MAC=00:50:ba:ab:8b:68:00:0d:56:c5:2b:b4:08:00 SRC=192.168.5.200 
DST=192.168.1.238 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP 
TYPE=8 CODE=0 ID=48918 SEQ=3

Jul 31 16:13:33 localhost kernel: [17179736.368000] 
filter_input:IN=eth1 OUT= 
MAC=00:50:ba:ab:8b:68:00:0d:56:c5:2b:b4:08:00 SRC=192.168.5.200 
DST=192.168.1.238 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP 
TYPE=8 CODE=0 ID=48918 SEQ=3

Jul 31 16:13:33 localhost kernel: [17179736.368000] mangle_output:IN= 
OUT=eth1 SRC=192.168.1.238 DST=192.168.5.200 LEN=84 TOS=0x00 PREC=0x00 
TTL=64 ID=47137 PROTO=ICMP TYPE=0 CODE=0 ID=48918 SEQ=3

Jul 31 16:13:33 localhost kernel: [17179736.368000] filter_output:IN= 
OUT=eth1 SRC=192.168.1.238 DST=192.168.5.200 LEN=84 TOS=0x00 PREC=0x00 
TTL=64 ID=47137 PROTO=ICMP TYPE=0 CODE=0 ID=48918 SEQ=3

Jul 31 16:13:33 localhost kernel: [17179736.368000] 
mangle_postrouting:IN= OUT=eth1 SRC=192.168.1.238 DST=192.168.5.200 
LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=47137 PROTO=ICMP TYPE=0 CODE=0 
ID=48918 SEQ=3

------ # iptables -t nat -vL --------------
Chain PREROUTING (policy ACCEPT 20 packets, 2910 bytes)
  pkts bytes target     prot opt in     out     source 
destination
    20  2910 LOG        all  --  any    any     anywhere 
anywhere            LOG level warning prefix `nat_prerouting:'

Chain POSTROUTING (policy ACCEPT 9 packets, 605 bytes)
  pkts bytes target     prot opt in     out     source 
destination
     9   605 LOG        all  --  any    any     anywhere 
anywhere            LOG level warning prefix `nat_postrouting:'
     0     0 SNAT       all  --  any    any     192.168.5.0/24 
!192.168.5.0/24      to:192.168.1.238

Chain OUTPUT (policy ACCEPT 9 packets, 605 bytes)
  pkts bytes target     prot opt in     out     source 
destination
     9   605 LOG        all  --  any    any     anywhere 
anywhere            LOG level warning prefix `nat_output:'


------ # iptables -t filter -vL --------------
Chain INPUT (policy DROP 35 packets, 4224 bytes)
  pkts bytes target     prot opt in     out     source 
destination
   195 68159 LOG        all  --  any    any     anywhere 
anywhere            LOG level warning prefix `filter_input:'
   154 63431 ACCEPT     all  --  eth0   any     anywhere 
anywhere            state RELATED,ESTABLISHED
     6   504 ACCEPT     all  --  eth1   any     anywhere 
anywhere
     0     0 ACCEPT     tcp  --  eth0   any     anywhere 
anywhere            tcp dpt:ssh
     0     0 ACCEPT     udp  --  eth0   any     anywhere 
anywhere            udp dpt:23323
     0     0 ACCEPT     icmp --  eth0   any     anywhere 
anywhere
    35  4224 LOG        all  --  any    any     anywhere 
anywhere            LOG level warning prefix `filter_input:droping:'

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 LOG        all  --  any    any     anywhere 
anywhere            LOG level warning prefix `filter_forward:'
     0     0 ACCEPT     all  --  any    eth0    anywhere 
anywhere
     0     0 ACCEPT     all  --  eth0   any     anywhere 
anywhere            state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 199 packets, 30249 bytes)
  pkts bytes target     prot opt in     out     source 
destination
   190 29493 LOG        all  --  any    any     anywhere 
anywhere            LOG level warning prefix `filter_output:'
-------------------------------------------

Thanks Paul,
Regards Neil.

More information about the ubuntu-au mailing list