- 07-10-2010 #1
I fail to configure iptables to prevent "connect network unreachable" when building NAT-PT
I have a project to build NAT-PT in my LAN. I was using NAT-PT from Mr Lucas (tomicki.net) and for my distro I used Fedora 12. Everything is OK, and I successfully installed NAT-PT and configured it, but I have some problem with the iptables configuration. In order to build NAT-PT, I must prevent Destination Unreachable with iptables.
This is the clue from Mr Lucas:
NAT-PT needs both iptables and ip6tables installed and running on your system. Most systems come with iptables pre-installed, but many do not have ip6tables. In order for NAT-PT to work correctly, ip6tables must be configured to drop all outbound ICMP "Destination Unreachable" packets to prevent your system from sending "Route Unreachable" messages. This can be done with the following commands (assuming default ip6tables configuration).
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 1 -j DROP
If your router is configured to perform IPv6 forwarding you must drop all packets going to the NAT-PT prefix (default: 2000:ffff::). The following rule will do:
ip6tables -A FORWARD -d 2000:ffff:: -j DROP
The second important thing is the configuration of iptables. If you intend to use the outbound IPv4 addresses as part of your translation pool, you must DROP all packets that are not part of NEW, ESTABLISHED, or RELATED connections. This should be part of a healthy firewall policy anyway. A set of rules as the one below will work perfectly.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -j DROP
Please make sure that both iptables and ip6tables both start during boot time. On most Linux systems this can be accomplished with the following commands. Don't worry if you get an error message similar to "ln: `/etc/rc3.d/S08iptables': File exists", this simply means that iptables was already setup to start up at boot time.
ln -s /etc/init.d/iptables /etc/rc3.d/S08iptables
ln -s /etc/init.d/iptables /etc/rc5.d/S08iptables
ln -s /etc/init.d/ip6tables /etc/rc3.d/S08ip6tables
ln -s /etc/init.d/ip6tables /etc/rc5.d/S08ip6tables
I just followed the steps and every computer has iptables configured like above. Condition:
I use ping from IPv6 to IPv4 to test (from an IPv6-only host with address 2002:1234:5678:ffff::6f/64)
then I got this message:
"connect network unreachable"
Do I miss something? Help me..
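The rules quoted from tomicki.net above are easy to get wrong (missing rule, wrong chain, or the catch-all DROP not last). As an added example, not code from the original post or from the NAT-PT project, here is a small checker that reads `ip6tables -S` / `iptables -S` output and reports which of those prerequisites is missing; the function names and the assumption that the listing is in `-S` (one flag, one value) format are mine.

```python
import shlex

NATPT_PREFIX = "2000:ffff::"  # default NAT-PT prefix quoted in the post

def parse(listing):
    """Split `iptables -S` / `ip6tables -S` text into chain policies and (chain, tokens) -A rules."""
    policies, rules = {}, []
    for line in listing.splitlines():
        tok = shlex.split(line)
        if len(tok) >= 3 and tok[0] == "-P":
            policies[tok[1]] = tok[2]
        elif len(tok) >= 2 and tok[0] == "-A":
            rules.append((tok[1], tok[2:]))
    return policies, rules

def opt(tokens, flag):
    """Value that follows `flag` in a rule's tokens, or None when the flag is absent."""
    i = tokens.index(flag) + 1 if flag in tokens else len(tokens)
    return tokens[i] if i < len(tokens) else None

def audit_ip6(listing, forwarding=False, prefix=NATPT_PREFIX):
    """OUTPUT must drop ICMPv6 type 1; with IPv6 forwarding, FORWARD must drop traffic to the prefix."""
    _, rules = parse(listing)
    problems = []
    # `ip6tables -S` renders `-p icmpv6` as `ipv6-icmp` and may print type 1 by its name
    if not any(c == "OUTPUT" and opt(t, "-j") == "DROP" and opt(t, "-p") in ("icmpv6", "ipv6-icmp")
               and opt(t, "--icmpv6-type") in ("1", "destination-unreachable") for c, t in rules):
        problems.append("ip6tables OUTPUT does not drop outbound ICMPv6 destination-unreachable")
    if forwarding and not any(c == "FORWARD" and opt(t, "-j") == "DROP"
                              and (opt(t, "-d") or "").split("/")[0] == prefix for c, t in rules):
        problems.append("ip6tables FORWARD does not drop packets to the NAT-PT prefix " + prefix)
    return problems

def audit_ip4(listing):
    """INPUT must accept loopback and ESTABLISHED traffic and drop everything else, in that order."""
    policies, rules = parse(listing)
    inp = [t for c, t in rules if c == "INPUT"]
    problems = []
    if not any(opt(t, "-i") == "lo" and opt(t, "-j") == "ACCEPT" for t in inp):
        problems.append("iptables INPUT does not accept loopback traffic")
    if not any(opt(t, "-j") == "ACCEPT" and "ESTABLISHED" in
               (opt(t, "--state") or opt(t, "--ctstate") or "").split(",") for t in inp):
        problems.append("iptables INPUT does not accept ESTABLISHED traffic, so translated replies are dropped")
    # the host must not answer packets aimed at pool addresses itself: a catch-all DROP has to close the chain
    if not ((inp and inp[-1] == ["-j", "DROP"]) or policies.get("INPUT") == "DROP"):
        problems.append("iptables INPUT has neither a final -j DROP rule nor a DROP policy")
    return problems
```

Run it on the translator box with the output of `ip6tables -S` and `iptables -S` (pass `forwarding=True` when the box forwards IPv6); an empty list means the quoted rules are in place.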