Re: Newbie NAT question
Fernando Vaz wrote:
> Tauno Voipio escreveu:
>
>> Fernando Vaz wrote:
>>
>>> Hello folks,
>>>
>>> I'm trying to set up a home network, using an older PC as a
>>> gateway/apache server. The connection between both boxes works fine,
>>> and the gateway connects to the internet fine (ADSL ppp0 connection,
>>> it pings out of my net ok). All the NAT modules are loaded, I have
>>> cleared all firewall rules, but still the machine behind the gateway
>>> can't ping anywhere past the gateway. ipv4_forward is set to 1. I'll
>>> try to draw a diagram:
>>>
>>>
>>> | |
>>> | internet |
>>> |_____________|
>>> |
>>> |
>>> \/
>>> -------------------
>>> |ppp0(valid ip) |
>>> | /\ |
>>> | | |
>>> | \/ |
>>> |eth0 (ip 0.0.0.0)|
>>> | /\ |
>>> | | |
>>> | \/ |
>>> |eth1(192.168.0.2)|
>>> |_________________|
>>> /\
>>> |
>>> \/
>>> -------------------
>>> |eth0(192.168.0.5)|
>>> |gw 192.168.0.2) |
>>> |_________________|
>>>
>>> Is it something to do with my routes? Please help, I've been
>>> struggling over this for quite a few days, and I'm pretty sure I'm
>>> missing out on something really dumb...
>>
>>
>>
>> Please post:
>>
>> - the kernel version (uname -a)
>>
>> - the output of
>> ifconfig -a
>>
>> - the output of
>> route -n
>>
>> - the output of
>> iptables -nvL
>> or
>> ipchains -nvL
>>
>> of the gateway host, so we do not need to guess so much.
>>
>>
> Here's the rest of the info, as requested:
>
> The desktop box:
> Linux garrido.localdomain 2.6.5-63255U10_3cl #1 Fri Sep 10 21:24:34 BRT
> 2004 i686 unknown unknown GNU/Linux
> Conectiva Linux 10
> NVidia NForce2 Onboard NIC
> Athlon XP 2500+
OK.
> eth0      Link encap:Ethernet  HWaddr 00:E0:4C:C6:FA:94
>           inet addr:192.168.0.5  Bcast:192.168.0.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:172 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:377 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:22431 (21.9 Kb)  TX bytes:28346 (27.6 Kb)
>           Interrupt:177 Base address:0x4000
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> 0.0.0.0         192.168.0.2     0.0.0.0         UG    0      0        0 eth0
OK.
> --------------------------------------------------------------------------------
>
>
> Gateway host:
>
> Linux gaws.localdomain 2.6.5-63077cl #1 Thu Jun 17 18:42:25 BRT 2004
> i686 unknown unknown GNU/Linux
> Conectiva Linux 10
> Realtek 8139 NIC
> 3Com 359x NIC
> PII 333MHz
>
> eth0      Link encap:Ethernet  HWaddr 00:02:E3:0E:EB:CA
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:199 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:203 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:15124 (14.7 Kb)  TX bytes:13013 (12.7 Kb)
>           Interrupt:10 Base address:0xe00
>
> eth1      Link encap:Ethernet  HWaddr 00:50:04:AA:8A:42
>           inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:420 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:192 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:34314 (33.5 Kb)  TX bytes:24603 (24.0 Kb)
>           Interrupt:9 Base address:0xdc00
>
> ppp0      Link encap:Point-to-Point Protocol
>           inet addr:xxx.xxx.xxx.xxx  P-t-P:200.138.225.254  Mask:255.255.255.255
>           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
>           RX packets:142 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:148 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:3
>           RX bytes:8478 (8.2 Kb)  TX bytes:6364 (6.2 Kb)
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 200.138.225.254 0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
> 192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 0.0.0.0         0.0.0.0         255.0.0.0       U     0      0        0 eth0
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> 0.0.0.0         200.138.225.254 0.0.0.0         UG    0      0        0 ppp0
This seems to be OK for a PPPoE setup.
> Chain INPUT (policy ACCEPT 73 packets, 6668 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  *      eth0    192.168.0.0/24       0.0.0.0/0
>     0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT 48 packets, 5753 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  *      eth0    192.168.0.0/24       0.0.0.0/0
>
I do not see any NAT entries, and there seem to be plenty of
extra rules for traffic between eth0 and eth1. You should not
consider eth0 in the firewall scripts; the traffic goes to
ppp0 (which then tunnels via eth0).
Does your setup script contain:
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
Is forwarding enabled in the kernel? Check /proc/sys/net/ipv4/ip_forward
HTH
Tauno Voipio
tauno voipio (at) iki fi
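An added example, not part of the thread or of either poster's setup: a POSIX sh script for the gateway described above, with the interface names taken from the post (ppp0 toward the ISP, eth1 on 192.168.0.0/24). It prints the rule set a masquerading gateway needs, can apply it as root, and checks an iptables-save dump together with the ip_forward value for the two things the reply points at: the MASQUERADE rule on ppp0 and forwarding being switched on. The posted iptables output also has FORWARD with policy ACCEPT, so the printed rules set it to DROP and allow only LAN-to-ppp0 traffic and its replies, and the check flags an ACCEPT policy as a finding. The function names are this example's own, and posted_dump is a constructed iptables-save rendering of the posted filter table with the empty nat table the post does not show.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names follow the post
# (ppp0 toward the ISP, eth1 on 192.168.0.0/24); function names are ours.
WAN=ppp0
LAN=eth1
LAN_NET=192.168.0.0/24

# Print the commands for a masquerading gateway: default-deny on FORWARD,
# LAN hosts allowed out via $WAN, only replies allowed back in. Printed
# instead of executed so the function works without root (see apply_gateway).
gateway_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
EOF
}

# Apply the rules and enable forwarding (root only).
apply_gateway() {
    gateway_rules | sh
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# True if the nat table of an iptables-save dump ($1) has a POSTROUTING
# MASQUERADE rule leaving via $WAN.
nat_ok() {
    awk -v wan="$WAN" '
        BEGIN { found = 0 }
        /^\*/ { tbl = substr($0, 2) }
        tbl == "nat" && index($0, "-A POSTROUTING") == 1 && index($0, "-o " wan " ") && index($0, "-j MASQUERADE") { found = 1 }
        END { exit !found }' "$1"
}

# Report what keeps LAN hosts from reaching the Internet through this box.
# $1 = file with iptables-save output, $2 = value of ip_forward.
# Prints one line per finding; returns 0 only when there is none.
check_gateway() {
    dump=$1; fwd=$2; rc=0
    if ! nat_ok "$dump"; then
        echo "missing: iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE"; rc=1
    fi
    if [ "$fwd" != "1" ]; then
        echo "missing: ip_forward is '$fwd', needs 1"; rc=1
    fi
    if grep -q '^:FORWARD ACCEPT' "$dump"; then
        echo "weak: FORWARD policy is ACCEPT; use DROP and allow only $LAN->$WAN plus replies"; rc=1
    fi
    return $rc
}

# Constructed iptables-save rendering of the posted iptables -nvL output,
# plus the (empty) nat table that the post does not show.
posted_dump() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [73:6668]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [48:5753]
-A FORWARD -s 192.168.0.0/24 -o eth0 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A OUTPUT -s 192.168.0.0/24 -o eth0 -j ACCEPT
COMMIT
EOF
}

# Usage on the gateway:
#   iptables-save > /tmp/rules
#   check_gateway /tmp/rules "$(cat /proc/sys/net/ipv4/ip_forward)"
#   apply_gateway        # as root, once the findings are understood
```

Run against the constructed dump with ip_forward at 0, check_gateway prints three findings: no MASQUERADE on ppp0, forwarding off, and FORWARD policy ACCEPT. The rules for eth0 in the posted configuration never match outbound traffic, since packets leave on ppp0, which is why the example only ever names ppp0 and eth1.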