[NTLUG:Discuss] Iptables NAT not working and no logs
Thomas Cameron
thomas.cameron at camerontech.com
Sun Oct 4 22:32:46 CDT 2009
On 10/04/2009 08:26 PM, Neil Aggarwal wrote:
> Hello all:
>
> I am having trouble getting NAT with iptables to work.
>
> I have this configuration:
>
> Internet --- Linux machine --- Windows machine
>
> The windows machine is on a private IP.
>
> I am able to go to the linux machine and load the
> web site from the windows machine using lynx with
> the private IP. That means there should not be a
> problem going from the linux machine to the windows
> machine.
>
> I have tied a public IP address a.b.c.d to the
> linux machine and entered these rules in its
> firewall:
>
> # enable forwarding between interfaces
> echo "1" > /proc/sys/net/ipv4/ip_forward
> # bind the public address as an alias of eth0
> /sbin/ifconfig eth0:1 $WIN_EXTERNAL_IP netmask $ETH0_NETMASK \
>     broadcast $ETH0_BCAST
> # inbound: rewrite the public destination to the Windows box
> /sbin/iptables -t nat -A PREROUTING -d $WIN_EXTERNAL_IP \
>     -j DNAT --to $WIN_INTERNAL_IP
> # outbound: traffic from the Windows box leaves with the public address
> /sbin/iptables -t nat -A POSTROUTING -s $WIN_INTERNAL_IP \
>     -j SNAT --to $WIN_EXTERNAL_IP
>
> I have these log entries at the bottom of the firewall rules:
>
> /sbin/iptables -A INPUT -j LOG --log-prefix "INPUT "
> /sbin/iptables -A OUTPUT -j LOG --log-prefix "OUTPUT "
> /sbin/iptables -A FORWARD -j LOG --log-prefix "FORWARD "
>
> INPUT, OUTPUT, and FORWARD are set to default DROP.
> The nat tables are all set to default ACCEPT.
>
> When I try to go to the external IP address http://a.b.c.d from
> another network, it does not connect and I do not see anything
> in the firewall logs.
To get logging to work, the logging commands need to come first, before
the actions.
I'm not sure what you are trying to do - are you trying to poke a hole
through your firewall bidirectionally, or just allow the Windows box to
get to the Internet?
To do the latter, all you really need is something like this:
INTERNAL_NET=192.168.0.0/24      # the private LAN behind the Linux box
WINDOWS_HOST=192.168.0.10        # the Windows machine's private address
EXTERNAL_INTERFACE=24.10.20.30   # the public address on the Linux box
# -A appends in the order given, so the LOG rule sits ahead of the
# terminating SNAT rule and actually fires (with -I both rules would be
# inserted at the top and SNAT would end up first).
iptables -t nat -A POSTROUTING -s $INTERNAL_NET -j \
LOG --log-prefix "Outbound SNAT "
iptables -t nat -A POSTROUTING -s $INTERNAL_NET -j \
SNAT --to-source $EXTERNAL_INTERFACE
If you want to allow external traffic to get into the Windows box, it
would look like this:
# same ordering rule: LOG first, then the terminating DNAT
iptables -t nat -A PREROUTING -d $EXTERNAL_INTERFACE -j \
LOG --log-prefix "Inbound DNAT "
iptables -t nat -A PREROUTING -d $EXTERNAL_INTERFACE -j \
DNAT --to-destination $WINDOWS_HOST
You can combine both rules to poke the proverbial hole through the
firewall. I wouldn't do it, though. Only do it port by port.
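The port-by-port version of the hole, as an added example that is not part of the original exchange: a POSIX sh function that emits an iptables-restore ruleset forwarding one TCP port from the public address to the internal host. It also shows the piece the original rules leave out, namely that with a default-DROP FORWARD policy the nat table alone never lets the connection through; FORWARD has to accept it, and because the filter table runs after DNAT the match is on the internal address. The interface name, addresses and port are constructed placeholders, not the poster's values, and the checking functions at the bottom only inspect the generated text, so nothing here needs root or touches a live firewall.

```shell
#!/bin/sh
# Added example: generate an iptables-restore ruleset for one forwarded
# TCP port, with the FORWARD chain opened only for that port and a LOG
# rule placed ahead of the final DROP policy.

# valid_port PORT: succeed only for an integer in 1..65535
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_port_forward EXT_IF EXT_IP INT_IP PORT
# Prints an iptables-restore file on stdout; fails on a bad port.
gen_port_forward() {
    ext_if=$1; ext_ip=$2; int_ip=$3; port=$4
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Inbound: rewrite the public address to the internal host, this port only.
# An alias such as eth0:1 is still matched by -i on the base interface.
-A PREROUTING -i $ext_if -d $ext_ip -p tcp --dport $port -j DNAT --to-destination $int_ip:$port
# Outbound: anything the internal host originates leaves with the public address
-A POSTROUTING -s $int_ip -o $ext_if -j SNAT --to-source $ext_ip
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Replies and related packets in both directions
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The filter table sees the post-DNAT destination, so match the internal address
-A FORWARD -i $ext_if -d $int_ip -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
# LOG does not terminate; whatever reaches it falls through to the DROP policy
-A FORWARD -j LOG --log-prefix "FORWARD DROP "
COMMIT
EOF
}

# Constructed placeholder values used by the checks below
EX_IF=eth0
EX_IP=192.0.2.10
IN_IP=192.168.0.10
EX_PORT=80

# forward_rule_count: number of rules the generator puts in FORWARD
forward_rule_count() {
    gen_port_forward "$EX_IF" "$EX_IP" "$IN_IP" "$EX_PORT" | grep -c '^-A FORWARD'
}

# has_dnat_target: succeed if the DNAT rule carries the expected host:port
has_dnat_target() {
    gen_port_forward "$EX_IF" "$EX_IP" "$IN_IP" "$EX_PORT" \
        | grep -q -- "--to-destination $IN_IP:$EX_PORT"
}

# To load for real (as root, after enabling forwarding):
#   sysctl -w net.ipv4.ip_forward=1
#   gen_port_forward eth0 192.0.2.10 192.168.0.10 80 | iptables-restore
```

Load it with `gen_port_forward ... | iptables-restore` after setting `net.ipv4.ip_forward=1`; to open a second port, add another PREROUTING DNAT line and another FORWARD accept line for that port rather than widening the existing ones.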