[plug] forwarding packets
Russell Steicke
r.steicke at bom.gov.au
Wed Feb 1 15:13:44 WST 2006
On Thu, Feb 02, 2006 at 07:10:28AM +0800, Jon Miller wrote:
> I'm having a major problem trying to forward packets from either a workstation of the LAN to the Internet.
> I want to be sure I'm doing this correctly.
>
> I set a forward rule:
> $IPT -A FORWARD -i $INT_IFACE -o eth1 -p tcp --dport 1262 -j ACCEPT
>
> Then I set a PREROUTING rule
> $IPT -A PREROUTING -i $EXT_IFACE -p tcp --dport 1262 -j DNAT --to-destination 192.168.xxx.xxx
You need source NAT, not destination NAT, and you need to specify this
in the nat table (not the filter table which is the default table
without a -t option). Only one rule required:
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o eth0 -j SNAT --to 1.2.3.4
where 1.2.3.4 is your external address and eth0 is your external
interface. If you have a dynamic address, use the MASQUERADE target
(instead of SNAT) without the --to option.
This is explained in the docs at netfilter.org.
http://netfilter.org/documentation/HOWTO//NAT-HOWTO-6.html#ss6.1
> All I can see using tethereal on the network is SYN packets.
If the packets are being forwarded (see below) they will have a
private source address, with the rules you're using, and are probably
being dropped by your ISP, so you'll see no replies.
> Any idea what I'm doing wrong?
A common oops is to forget to enable forwarding in the kernel.
# cat /proc/sys/net/ipv4/ip_forward
1
Make sure that returns a 1, not a 0. If it doesn't, do
# echo 1 > /proc/sys/net/ipv4/ip_forward
and then edit /etc/sysctl.conf to make it survive a reboot.
--
Russell Steicke
-- Fortune says:
Pecor's Health-Food Principle:
Never eat rutabaga on any day of the week that has a "y" in it.
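The gateway setup the reply describes, as an added example that is not from the thread: it emits the single POSTROUTING rule (SNAT for a fixed address, MASQUERADE for a dynamic one), checks and enables ip_forward, and adds FORWARD rules so LAN traffic goes out and only replies come back. Assumed values: the 192.168.0.0/16 LAN, eth0 / 1.2.3.4 as in the reply, eth1 as the internal interface, and a FORWARD chain whose policy is DROP (hence the ESTABLISHED,RELATED rule, which the reply does not mention); set IPT=echo to dry-run.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed: LAN 192.168.0.0/16,
# external eth0 with address 1.2.3.4, internal eth1. IPT=echo prints rules
# instead of applying them.
IPT="${IPT:-iptables}"
LAN_NET="${LAN_NET:-192.168.0.0/16}"
INT_IFACE="${INT_IFACE:-eth1}"
EXT_IFACE="${EXT_IFACE:-eth0}"
EXT_ADDR="${EXT_ADDR:-1.2.3.4}"
FORWARD_SYSCTL="${FORWARD_SYSCTL:-/proc/sys/net/ipv4/ip_forward}"

# Print the one nat-table rule that rewrites the private source address.
# "static": SNAT to a fixed address. "dynamic": MASQUERADE, which uses
# whatever address the outgoing interface currently has.
nat_rule() {
    case "$1" in
        static)  echo "-t nat -A POSTROUTING -s $LAN_NET -o $EXT_IFACE -j SNAT --to $EXT_ADDR" ;;
        dynamic) echo "-t nat -A POSTROUTING -s $LAN_NET -o $EXT_IFACE -j MASQUERADE" ;;
        *) echo "usage: nat_rule static|dynamic" >&2; return 2 ;;
    esac
}

# Succeed only when the kernel has IPv4 forwarding on (sysctl file reads 1).
forwarding_enabled() {
    [ "$(cat "$FORWARD_SYSCTL" 2>/dev/null)" = "1" ]
}

# Enable forwarding if needed, then install NAT plus a minimal FORWARD
# policy: LAN hosts may initiate outbound, and only established/related
# traffic is forwarded back in from the external interface.
apply_nat() {
    mode="${1:-static}"
    if ! forwarding_enabled; then
        echo "ip_forward is 0; enabling now (put net.ipv4.ip_forward = 1 in /etc/sysctl.conf to persist)" >&2
        echo 1 > "$FORWARD_SYSCTL" || return 1
    fi
    # Unquoted so the rule string splits into separate arguments.
    $IPT $(nat_rule "$mode") || return 1
    $IPT -A FORWARD -i "$INT_IFACE" -o "$EXT_IFACE" -s "$LAN_NET" -j ACCEPT || return 1
    $IPT -A FORWARD -i "$EXT_IFACE" -o "$INT_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Usage: sh gateway-nat.sh apply static   (or: apply dynamic)
if [ "${1:-}" = "apply" ]; then
    apply_nat "${2:-static}"
fi
```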