[NTLUG:Discuss] Iptables NAT not working and no logs

Thomas Cameron thomas.cameron at camerontech.com
Sun Oct 4 22:32:46 CDT 2009


On 10/04/2009 08:26 PM, Neil Aggarwal wrote:
> Hello all:
> 
> I am having trouble getting NAT with iptables to work.
> 
> I have this configuration:
> 
> Internet --- Linux machine --- Windows machine
> 
> The windows machine is on a private IP.
> 
> I am able to go to the linux machine and load the
> web site from the windows machine using lynx with
> the private IP.  That means there should not be a
> problem going from the linux machine to the windows
> machine.
> 
> I have tied a public IP address a.b.c.d to the
> linux machine and entered these rules in its
> firewall:
> 
> echo "1" > /proc/sys/net/ipv4/ip_forward
> /sbin/ifconfig eth0:1 $WIN_EXTERNAL_IP netmask $ETH0_NETMASK \
>   broadcast $ETH0_BCAST
> /sbin/iptables -t nat -A PREROUTING -d $WIN_EXTERNAL_IP -j DNAT \
>   --to $WIN_INTERNAL_IP
> /sbin/iptables -t nat -A POSTROUTING -s $WIN_INTERNAL_IP -j SNAT \
>   --to $WIN_EXTERNAL_IP
> 
> I have these log entries at the bottom of the firewall rules:
> 
> /sbin/iptables -A INPUT -j LOG --log-prefix "INPUT "
> /sbin/iptables -A OUTPUT -j LOG --log-prefix "OUTPUT "
> /sbin/iptables -A FORWARD -j LOG --log-prefix "FORWARD "
> 
> INPUT, OUTPUT, and FORWARD are set to default DROP.
> The nat tables are all set to default ACCEPT.
> 
> When I try to go to the external IP address http://a.b.c.d from
> another network, it does not connect and I do not see anything
> in the firewall logs.

To get logging to work, the logging commands need to come first, before
the actions.

I'm not sure what you are trying to do - are you trying to poke a hole
through your firewall bidirectionally, or just allow the Windows box to
get to the Internet?

To do the latter, all you really need is something like this:

INTERNAL_NET=192.168.0.0/24
WINDOWS_HOST=192.168.0.10
EXTERNAL_INTERFACE=24.10.20.30

# -I inserts at the top of the chain, so the rule inserted last ends up
# first: insert SNAT first and LOG second, so that LOG is evaluated
# before the terminating SNAT target.
iptables -t nat -I POSTROUTING -s $INTERNAL_NET -j \
  SNAT --to-source $EXTERNAL_INTERFACE
iptables -t nat -I POSTROUTING -s $INTERNAL_NET -j \
  LOG --log-prefix "Outbound SNAT"

If you want to allow external traffic to get into the Windows box, it
would look like this:

# Same ordering point: DNAT inserted first, LOG inserted second, so LOG
# sits above DNAT in the chain.
iptables -t nat -I PREROUTING -d $EXTERNAL_INTERFACE -j \
  DNAT --to-destination $WINDOWS_HOST
iptables -t nat -I PREROUTING -d $EXTERNAL_INTERFACE -j \
  LOG --log-prefix "Inbound DNAT"

You can combine both rules to poke the proverbial hole through the
firewall.  I wouldn't do it, though.  Only do it port by port.
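A fuller version of the port-by-port approach recommended above, as an added example (not code from this thread): LOG rules appended ahead of the terminating SNAT/DNAT targets, DNAT restricted to listed TCP ports, and the FORWARD rules needed when the FORWARD policy is DROP. Addresses, interface names and ports are constructed placeholders; set IPTABLES_DRY_RUN=1 to print the commands instead of running them.

```shell
#!/bin/sh
# Added example: port-by-port DNAT/SNAT for one host behind a Linux router.
# All addresses, interfaces and ports below are constructed placeholders.
INTERNAL_NET=${INTERNAL_NET:-192.168.0.0/24}
WINDOWS_HOST=${WINDOWS_HOST:-192.168.0.10}
PUBLIC_IP=${PUBLIC_IP:-203.0.113.10}
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
PORTS=${PORTS:-80 443}

# Wrapper: print the rule in dry-run mode, otherwise hand it to iptables.
ipt() {
    if [ "${IPTABLES_DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

nat_rules() {
    # -A appends, so rules land in the order written and LOG (non-terminating)
    # is evaluated before the terminating SNAT/DNAT target.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$INTERNAL_NET" -j LOG --log-prefix "Outbound SNAT "
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$INTERNAL_NET" -j SNAT --to-source "$PUBLIC_IP"
    # With a FORWARD policy of DROP, replies and outbound LAN traffic need
    # explicit ACCEPT rules or nothing is routed at all.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$INTERNAL_NET" -j ACCEPT
    for port in $PORTS; do
        # Inbound: one DNAT per published TCP port, not the whole address.
        ipt -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" -p tcp --dport "$port" -j LOG --log-prefix "Inbound DNAT "
        ipt -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" -p tcp --dport "$port" -j DNAT --to-destination "$WINDOWS_HOST:$port"
        # FORWARD sees the post-DNAT destination, so match the internal host.
        ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WINDOWS_HOST" --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    # Log whatever is about to fall through to the DROP policy.
    ipt -A FORWARD -j LOG --log-prefix "FORWARD DROP "
}
```

Run `IPTABLES_DRY_RUN=1 sh -c '. ./nat.sh; nat_rules'` first to review the generated rule order before applying it on the router.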
