This is a discussion on IP Forwarding problem within the Linux Networking forums, part of the Linux Forums category.
I am sure there is a simple fix to my problem but I have looked on the net and I have not found it.

I have a RedHat 9 system set up. I am connecting to the Internet via an ISDN modem. The connection works fine. I now want to have the Windows boxes on the LAN connect to the Internet via the Linux box. I set up IP Forwarding. I am able to see the Linux box from the Windows machines on the network. However, I am not able to get out onto the Internet from the Windows machines. I ran tcpdump and I see that the requests from the Windows machine are going out but they are showing up as coming from 192.168.0.4 instead of from the IP assigned by my ISP.

It seems like the NAT is not working but I don't know how to fix it. The routing table seems to be OK. Below is what is reported by route -n:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
62.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 ippp0
0.0.0.0         62.219.193.1    0.0.0.0         UG    0      0        0 ippp0

The RedHat 7.3 system that I had in the past that performed this function used ipchains. RedHat 9 uses iptables. I don't know if the problem relates to a bad configuration for iptables. I used the RedHat tool for defining the iptables rules (Medium Security with the LAN as a trusted interface).

Below is what I get from iptables -L:

Chain INPUT (policy ACCEPT)
target                prot opt source                 destination
RH-Lokkit-0-50-INPUT  all  --  anywhere               anywhere

Chain FORWARD (policy ACCEPT)
target                prot opt source                 destination
RH-Lokkit-0-50-INPUT  all  --  anywhere               anywhere

Chain OUTPUT (policy ACCEPT)
target                prot opt source                 destination

Chain RH-Lokkit-0-50-INPUT (2 references)
target  prot opt source                 destination
ACCEPT  udp  --  ntp.ilan.net.il        anywhere     udp spt:ntp dpt:ntp
ACCEPT  udp  --  ntp.ilan.net.il        anywhere     udp spt:ntp dpt:ntp
ACCEPT  udp  --  kd2.bezeqint.net       anywhere     udp spt:domain dpts:1025:65535
ACCEPT  udp  --  dnsmail2.bezeqint.net  anywhere     udp spt:domain dpts:1025:65535
ACCEPT  all  --  anywhere               anywhere
ACCEPT  all  --  anywhere               anywhere
REJECT  tcp  --  anywhere               anywhere     tcp dpts:0:1023 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT  tcp  --  anywhere               anywhere     tcp dpt:nfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT  udp  --  anywhere               anywhere     udp dpts:0:1023 reject-with icmp-port-unreachable
REJECT  udp  --  anywhere               anywhere     udp dpt:nfs reject-with icmp-port-unreachable
REJECT  tcp  --  anywhere               anywhere     tcp dpts:x11:6009 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT  tcp  --  anywhere               anywhere     tcp dpt:xfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable

Can someone tell me what I need to change to get the Windows machines to see the Internet? Any pointers to documentation that addresses this specific problem? I have read a bunch of documentation but I haven't found a way to solve this problem.

thanks,
David Suna
david@davidsconsultants.com
Yes, it's a very simple problem. First you have to remove the default rule set that Redhat supported.

- iptables -F
- iptables -t nat -F

and then, iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
or -j SNAT --to your real IP.

Maybe Redhat's default firewall rule set made you confused.

"David Suna" <david@davidsconsultants.com> wrote in message news:pan.2004.04.26.09.56.00.76741@davidsconsultants.com...
> I am sure there is a simple fix to my problem but I have looked on the net
> and I have not found it.
>
> I have a RedHat 9 system set up. I am connecting to the Internet via an
> ISDN modem. The connection works fine. I now want to have the Windows
> boxes on the LAN connect to the Internet via the Linux box. I set up IP
> Forwarding. I am able to see the Linux box from the Windows machines on
> the network. However, I am not able to get out onto the Internet from the
> Windows machines. I ran tcpdump and I see that the requests from the
> Windows machine are going out but they are showing up as coming from
> 192.168.0.4 instead of as from the IP assigned from my ISP.
>
> It seems like the NAT is not working but I don't know how to fix it. The
> routing table seems to be OK. Below is what is reported by route -n:
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> 62.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 ippp0
> 0.0.0.0         62.219.193.1    0.0.0.0         UG    0      0        0 ippp0
>
> The RedHat 7.3 system that I had in the past that performed this function
> used ipchains. RedHat 9 uses iptables. I don't know if the problem
> relates to a bad configuration for iptables. I used the RedHat tool for
> defining the iptables rules (Medium Security with the LAN as a trusted
> interface).
>
> Below is what I get from iptables -L
> Chain INPUT (policy ACCEPT)
> target                prot opt source                 destination
> RH-Lokkit-0-50-INPUT  all  --  anywhere               anywhere
>
> Chain FORWARD (policy ACCEPT)
> target                prot opt source                 destination
> RH-Lokkit-0-50-INPUT  all  --  anywhere               anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target                prot opt source                 destination
>
> Chain RH-Lokkit-0-50-INPUT (2 references)
> target  prot opt source                 destination
> ACCEPT  udp  --  ntp.ilan.net.il        anywhere     udp spt:ntp dpt:ntp
> ACCEPT  udp  --  ntp.ilan.net.il        anywhere     udp spt:ntp dpt:ntp
> ACCEPT  udp  --  kd2.bezeqint.net       anywhere     udp spt:domain dpts:1025:65535
> ACCEPT  udp  --  dnsmail2.bezeqint.net  anywhere     udp spt:domain dpts:1025:65535
> ACCEPT  all  --  anywhere               anywhere
> ACCEPT  all  --  anywhere               anywhere
> REJECT  tcp  --  anywhere               anywhere     tcp dpts:0:1023 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
> REJECT  tcp  --  anywhere               anywhere     tcp dpt:nfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
> REJECT  udp  --  anywhere               anywhere     udp dpts:0:1023 reject-with icmp-port-unreachable
> REJECT  udp  --  anywhere               anywhere     udp dpt:nfs reject-with icmp-port-unreachable
> REJECT  tcp  --  anywhere               anywhere     tcp dpts:x11:6009 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
> REJECT  tcp  --  anywhere               anywhere     tcp dpt:xfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
>
> Can someone tell me what I need to change to get the Windows machines to
> see the Internet? Any pointers to documentation that addresses this
> specific problem? I have read a bunch of documentation but I haven't
> found a way to solve this problem.
>
> thanks,
> David Suna
> david@davidsconsultants.com
Thanks. That worked and the Windows boxes are now able to access the internet. Two follow-up questions:

1. What do I have to add to not allow external connections (from anything other than my LAN) to my Linux box?
2. How can I make these changes permanent so I don't have to redo them every time I connect / reboot?

Thanks again,
David Suna
david@davidsconsultants.com

On Mon, 26 Apr 2004 19:26:57 +0900, ya wrote:
> Yes, It's very simple problem. First you have to remove default rule set
> that Redhat supported.
> - iptables -F
> - iptables -t nat -F
>
> and then, iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
> or -j SNAT --to your real IP.
>
> Maybe Redhat's default firewall rule set made you confused.
I am glad that you were able to solve the problem.

Regarding your first question, you should change the source target in iptables's nat table. It's very easy. Replace "-s 192.168.1.0/24" with "-s your virtual ip".

Regarding your second question, you can use the "rc.local" file located in the "rc.d" directory. Write the bash commands concerned with iptables in the "rc.local" file. For example, "iptables -F, iptables -t nat -F, iptables -t nat -A POSTROUTING ......"

If you wish to find more information about iptables, I advise you to use google. Googling is the best way to solve the problem.

p.s. My English is poor, so I am wondering whether my meaning can be correctly delivered to you. Now I am learning English, so if I have wrong grammar in this article, please inform me of it. And it will be greatly appreciated if you contact me by ICQ (200030453).

"David Suna" <david@davidsconsultants.com> wrote in message news:pan.2004.04.26.11.44.01.314459@davidsconsultants.com...
> Thanks. That worked and the Windows boxes are now able to access the
> internet. Two follow up questions:
> 1. What do I have to add to not allow external connections (from anything
> other than my LAN) to my Linux box?
> 2. How can I make these changes permanent so I don't have to redo them
> every time I connect / reboot?
>
> Thanks again,
> David Suna
> david@davidsconsultants.com
>
> On Mon, 26 Apr 2004 19:26:57 +0900, ya wrote:
>
> > Yes, It's very simple problem. First you have to remove default rule set
> > that Redhat supported.
> > - iptables -F
> > - iptables -t nat -F
> >
> > and then, iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
> > or -j SNAT --to your real IP.
> >
> > Maybe Redhat's default firewall rule set made you confused.
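The three pieces of this thread (flushing the Lokkit rule set and masquerading the LAN, as in the first reply; keeping outside hosts off the Linux box itself, the first follow-up question; and making it survive a reboot via rc.local, the second) fit in one script. The script below is an added example written for this page, not code from either poster. It takes the interface names and LAN range from the thread (eth0, ippp0, 192.168.0.0/24); the variable names, the `log_cmd` dry-run mode, `apply_all` and the script file name are choices made here. It goes a little beyond the thread: it uses `-P ... DROP` default policies plus the `state` match of that era's iptables so only LAN hosts and replies to the box's own traffic get in, drops packets arriving on the ISDN link that claim a LAN source address, rate-limits a LOG of what it drops so you can see probes in /var/log/messages, and removes the RH-Lokkit-0-50-INPUT chain with `-X` (a plain `-F` empties chains but leaves them defined). MASQUERADE is used rather than SNAT because a dial-up link gets a new address on every connect.

```shell
#!/bin/sh
# Added example (not from the thread): firewall + NAT for a RedHat-style ISDN
# gateway, meant to be called from /etc/rc.d/rc.local as "sh /etc/gateway.sh apply".
# Interface names and LAN range come from the thread; IPT, log_cmd, run,
# apply_all and the dry-run mode are names chosen for this example.

LAN_IF="${LAN_IF:-eth0}"                     # inside (LAN) interface
WAN_IF="${WAN_IF:-ippp0}"                    # ISDN dial-up interface
LAN_NET="${LAN_NET:-192.168.0.0/24}"         # private LAN range
IP_FORWARD="${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}"
IPT="${IPT:-iptables}"                       # set IPT=log_cmd to print rules instead of loading them

# Dry-run stand-in for iptables: print the arguments, one rule per line.
log_cmd() { printf '%s\n' "$*"; }

# Run one iptables invocation through whatever $IPT names (binary or function).
run() { "$IPT" "$@"; }

# Turn on routing between interfaces (same as "echo 1 > /proc/sys/net/ipv4/ip_forward").
enable_forwarding() { echo 1 > "$IP_FORWARD"; }

# Step 1 (from the thread): discard the Lokkit rule set, including its
# user-defined chain, so the rules below are the only ones in force.
flush_all() {
    run -F
    run -X
    run -t nat -F
}

# Step 2: default-deny for packets to the box and through the box;
# the box's own outbound traffic is allowed.
set_policies() {
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT
}

# Follow-up question 1: only the LAN (and replies to the box's own
# connections) may reach the Linux box; anything else arriving on the
# ISDN link is logged (rate-limited) and dropped.
restrict_input() {
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP      # LAN address seen on the outside link: spoofed
    run -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -i "$WAN_IF" -m limit --limit 5/min -j LOG --log-prefix "wan-drop: "
    run -A INPUT -i "$WAN_IF" -j DROP
}

# Forward only connections that the LAN opened, and their replies.
restrict_forward() {
    run -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    run -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Step 3 (from the thread): rewrite LAN source addresses to the dial-up
# address. MASQUERADE, not SNAT, because the ISDN address changes per call.
setup_nat() {
    run -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# Whole procedure, in order: forwarding on, clean slate, policies, filters, NAT.
apply_all() {
    enable_forwarding
    flush_all
    set_policies
    restrict_input
    restrict_forward
    setup_nat
}

# "apply" loads the rules (needs root); "dry-run" prints them for review.
case "${1:-}" in
    apply)   apply_all ;;
    dry-run) IPT=log_cmd; IP_FORWARD=/dev/null; apply_all ;;
esac
```

Run `sh gateway.sh dry-run` first to read the generated rules, then `sh gateway.sh apply` and, if the rc.local route from the reply above is used, add that apply line to /etc/rc.d/rc.local so it runs at boot. RedHat's own iptables init script offers the alternative `service iptables save`, which writes the running rules to /etc/sysconfig/iptables for the init script to reload. Because the ISDN link comes and goes, the rules are written against interface names, not addresses, so they stay valid across redials.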