[plug] forwarding packets

Jon Miller jlmiller at mmtnetworks.com.au
Wed Feb 1 20:25:59 WST 2006


Russell,
Thanks for the info
The external is a static IP address.  Are you saying the external of the gateway server or the Internet public IP address?  I ask because the external iface of the gateway server is in 192.168.100.xxx which connects to the Cisco router ethernet iface.  The external IP address of the router is static also.
Just curious why POSTROUTING vs PREROUTING; from what I understand we are changing the source IP address after the routing has taken place and this will go out the external iface with a different (external iface) IP address.  So if the internal IP address was 192.168.1.143 it would go out the gateway server as 192.168.100.2 and this would hit the c2821 router and change again from 192.168.100.2 to 203.161.xx.xx. Is this correct? I just want to make sure this is fully understood.

Funny how differently iptables works vs Novell BorderManager.

Thanks


>>> r.steicke at bom.gov.au 3:13:44 pm 1/02/2006 >>>
On Thu, Feb 02, 2006 at 07:10:28AM +0800, Jon Miller wrote:
> I'm having a major problem trying to forward packets from a workstation on the LAN to the Internet.
> I want to be sure I'm doing this correctly.
> 
> I set a forward rule:
> $IPT -A FORWARD -i $INT_IFACE -o eth1 -p tcp --dport 1262 -j ACCEPT
> 
> Then I set a PREROUTING rule 
> $IPT -A PREROUTING -i $EXT_IFACE -p tcp --dport 1262 -j DNAT --to-destination 192.168.xxx.xxx

You need source NAT, not destination NAT, and you need to specify this
in the nat table (not the filter table which is the default table
without a -t option).  Only one rule required:

  iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o eth0 -j SNAT --to 1.2.3.4

where 1.2.3.4 is your external address and eth0 is your external
interface.  If you have a dynamic address, use the MASQUERADE target
(instead of SNAT) without the --to option.

This is explained in the docs at netfilter.org.

  http://netfilter.org/documentation/HOWTO//NAT-HOWTO-6.html#ss6.1

> All I can see using tethereal on the network is SYN packets.

If the packets are being forwarded (see below) they will have a
private source address, with the rules you're using, and are probably
being dropped by your ISP, so you'll see no replies.

> Any idea what I'm doing wrong?

A common oops is to forget to enable forwarding in the kernel.

  # cat /proc/sys/net/ipv4/ip_forward
  1

Make sure that returns a 1, not a 0.  If it doesn't, do

  # echo 1 > /proc/sys/net/ipv4/ip_forward

and then edit /etc/sysctl.conf to make it survive a reboot.




-- 
Russell Steicke

-- Fortune says:
Pecor's Health-Food Principle:
    Never eat rutabaga on any day of the week that has a "y" in it.
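As an added example that is not part of this thread (it is neither Russell's nor Jon's code), the POSIX shell script below puts Russell's advice together in one place: the single nat-table POSTROUTING rule (SNAT with a static address, MASQUERADE with a dynamic one), the filter-table FORWARD rules that let LAN hosts open connections outward while only replies come back in, and a check of the kernel's ip_forward switch. The interface names, the LAN range and the gateway's address on the router-facing side are assumed values; the SNAT address is the gateway's own 192.168.100.x address, the router then rewrites that to the public address on its own, which matches the double translation Jon describes. The script prints the commands unless run as root with --apply.

```shell
#!/bin/sh
# Added example, not from the thread: outbound NAT as Russell describes it,
# generated as commands (dry run) with a forwarding check. Interface names,
# the LAN range and the gateway's static address are assumed values.

INT_IFACE="eth1"           # assumed: LAN side of the gateway
EXT_IFACE="eth0"           # assumed: side facing the Cisco router
LAN_NET="192.168.1.0/24"   # assumed: the LAN behind the gateway
EXT_ADDR="192.168.100.2"   # assumed: static address on EXT_IFACE (not the router's public one)

# The one nat-table rule: rewrite the source after routing (POSTROUTING) so
# replies come back to EXT_ADDR. "dynamic" selects MASQUERADE, which uses the
# outgoing interface's current address instead of a fixed --to.
snat_rule() {
    if [ "$1" = "dynamic" ]; then
        echo "iptables -t nat -A POSTROUTING -s $LAN_NET -o $EXT_IFACE -j MASQUERADE"
    else
        echo "iptables -t nat -A POSTROUTING -s $LAN_NET -o $EXT_IFACE -j SNAT --to $EXT_ADDR"
    fi
}

# Filter-table FORWARD rules: LAN hosts may start connections outward; from
# the outside only packets belonging to an existing connection are let
# through; anything else that would be forwarded is dropped by policy.
forward_rules() {
    echo "iptables -A FORWARD -i $INT_IFACE -o $EXT_IFACE -s $LAN_NET -j ACCEPT"
    echo "iptables -A FORWARD -i $EXT_IFACE -o $INT_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -P FORWARD DROP"
}

# True when the kernel forwarding switch reads 1. The optional path argument
# lets the check run against a copy of the file where /proc is unavailable.
forwarding_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Prints every command (default) or executes them (--apply, needs root).
# Second argument "dynamic" switches the nat rule to MASQUERADE.
run_rules() {
    mode="$1"
    { snat_rule "$2"; forward_rules; } | while IFS= read -r cmd; do
        if [ "$mode" = "--apply" ]; then
            $cmd
        else
            echo "$cmd"
        fi
    done
}

if forwarding_enabled; then
    echo "# ip_forward is 1"
else
    echo "# ip_forward is not 1: echo 1 > /proc/sys/net/ipv4/ip_forward and set net.ipv4.ip_forward = 1 in /etc/sysctl.conf"
fi
run_rules "${1:-}" "${2:-}"
```

Run it without arguments to see the commands, or as `sh nat.sh --apply` (or `--apply dynamic`) to install them. The state match on the inbound FORWARD rule is what keeps unsolicited SYNs from the router side off the LAN while still letting replies to LAN-initiated connections through.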