  #1  Just Joined! (Join Date Jun 2007, Location In North America, Posts 20)

    Iptables - firewall/Router


    Hi all,

    I have a Linux box with two NICs.

    em0 -> 192.168.1.2 -> this connects to a D-Link router with IP 192.168.1.1
    em1 -> 172.16.0.1 -> this connects to my LAN (Windows server and LAN network)


    Right now I just want to ping from a LAN host on the em1 interface with IP 172.16.0.254 to the D-Link router 192.168.1.1 connected to the em0 interface.

    I have set only forward table rules such as:
    # Network masks added: iptables reads a bare address such as 172.16.0.0 as a
    # single host (/32); the /24 on the 172.16.0.0 side is assumed.
    iptables -A FORWARD -i em1 -s 172.16.0.0/24 -o em0 -d 192.168.1.0/24 -j ACCEPT
    iptables -A FORWARD -i em0 -s 192.168.1.0/24 -o em1 -d 172.16.0.0/24 -j ACCEPT

    I have NEW,ESTABLISHED,RELATED in the command as well.

    I just can't seem to ping through em1 to my D-Link router and get a reply. I don't think I need to be using the NAT table as I'm just pinging through the router.

    Please help with guidance.

  #2  Linux Guru (Join Date Nov 2007, Posts 1,763)
    "I don't think I need to be using the NAT table as I'm just pinging through the router."
    Yes, you do. Unless the D-Link's "default gateway" is back through the 192.168.1.2 address, it does not know where to send packets so they make it back to the originating host. Review the routing table.

    You also did not specify whether you have enabled IP forwarding.

    Google: linux iptables nat

  #3  Just Joined! (Join Date Jun 2007, Location In North America, Posts 20)
    I do have IP forwarding enabled.

    I added the rule below to the NAT table:
    iptables -t nat -A POSTROUTING -o eth1 SNAT --to-source 192.168.1.233

    If I do a tcpdump on the eth1 interface I see an ARP request in reference to 192.168.1.233 asking to tell my D-Link router at address 192.168.1.1.

    Would my D-Link router still need to know a route back? The router knows how to get to the 192.168.1.0 network as it is basically directly connected.

    I still can't ping the 192.168.1.1 D-Link router from behind the Linux firewall on the 172.16.0.0 network.

    Any other ideas? Am I missing any other iptables commands?

    I have googled iptables, I even have a book on it.
    This is not so easy.

    Thanks!

  #4  Linux Guru (Join Date Nov 2007, Posts 1,763)
    "Would my D-Link router still need to know a route back?"
    Dunno - depends on what's in the D-Link's routing table and whether it sees the packet coming from a local subnet IP address. ICMP is not the best protocol to test with. You may want to use a telnet client and some open port on the D-Link to establish a TCP session. You may also want to use some device on the receiving side on which you can run tcpdump and see incoming connections.

    If you want to save the headache, review the link I posted and use the MASQUERADE option until you understand networking/routing better.

    I don't think your SNAT syntax is correct:

    Code:
    The strict way:
    iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to $PPPIP
    
    The liberal way:
    iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
    You can look at the packet counters in iptables to see if any packets are hitting your rules:

    Code:
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
    Keep reading...

  #5  Just Joined! (Join Date Jun 2007, Location In North America, Posts 20)
    I did get it working via MASQUERADE.
    I would like to have it implemented with SNAT however - not exactly sure what the advantages vs. disadvantages are for doing it the different ways.

    Another question I have is on your last post: why the ppp0 interfaces? Are they just alias names you gave your interfaces?

    Thank you for your help.

  #6  Linux Engineer Kloschüssel (Join Date Oct 2005, Location Italy, Posts 773)
    s/ppp0/<your_iface>/g

    a) Masquerading over NAT triggers the routing device to send its own request to the target and translate the response back to the requester. This also means that the routing device in the middle has to have a specific port open, and for the client it looks as if the routing device is the one he is talking to, but really he is talking to someone else (masqueraded / hidden).

    b) If you had correct routing of your packets from one subnet to the other, then you would be able to communicate directly with the other host.

    You may imagine yourself what the pros and cons are. The con having the biggest impact for private networks with solution (a) is that you can't have multiple hosts behind the routing device with the same service running and access them uniformly through the standard port (i.e. two times SSH over port 22 means that at least one of the two hosts has to be NAT'ed on a different port than 22).

  #7  Linux Guru (Join Date Nov 2007, Posts 1,763)
    OP's question was about SNAT vs. MASQUERADE and not routing vs. NAT.

    Google can give you more information.

    MASQUERADE doesn't have an option to specify a particular source address to use on the NAT device. The source address used is the address of the outgoing interface.
    SNAT: The address is the source address to substitute for the original source address in the packet, presumably the address of the outgoing interface. Source NAT is what NAT is traditionally used for, to allow outgoing connections. Specifying a single translation address performs NAPT, allowing all local, privately addressed hosts to share your site's single, public IP address.

    Optionally, a range of source addresses can be specified. Sites that have a block of public addresses would use this range. Outgoing connections from local hosts would be assigned one of the available addresses, with the public address being associated with a particular local host's IP address. Specifying a range of addresses represents what traditional, basic NAT is usually used for, although iptables SNAT is internally implemented as NAPT in both cases.
    Using a correct configuration, many hosts on the "private" network can be NAT'ed and all accessed using the same SSH port from the "public" network.
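
The router setup that posts #2, #4 and #7 describe, as an added example that is not code from any of the posters: a POSIX shell script that generates (and, as root with APPLY=1, loads) an iptables-restore ruleset for the two-NIC box, with IP forwarding turned on, a FORWARD chain that lets the LAN open connections but only lets replies come back, and a POSTROUTING rule that is either SNAT to a fixed address or MASQUERADE, plus a small awk parser for the packet counters post #4 suggests checking. Interface names and addresses are the ones from the thread (em0 with 192.168.1.2 towards the D-Link, em1 towards 172.16.0.0); the /24 mask on the LAN, the function names, and the sample counter output are assumptions of this example.

```shell
#!/bin/sh
# Added example for this thread, not code posted by anyone in it.
# Interfaces/addresses follow the thread; the /24 LAN mask, the function
# names and the sample counter output below are assumptions.

WAN_IF=${WAN_IF:-em0}              # faces the D-Link at 192.168.1.1
WAN_IP=${WAN_IP:-192.168.1.2}      # em0's own address, used as the SNAT source
LAN_IF=${LAN_IF:-em1}              # faces the 172.16.0.0 LAN
LAN_NET=${LAN_NET:-172.16.0.0/24}  # mask assumed; a bare address means /32 to iptables

# gen_rules snat|masquerade : print a complete ruleset in iptables-restore format.
gen_rules() {
    case "$1" in
        snat)       nat_target="SNAT --to-source $WAN_IP" ;;  # fixed source address
        masquerade) nat_target="MASQUERADE" ;;                # $WAN_IF's address, looked up per packet
        *) echo "gen_rules: expected snat or masquerade, got '$1'" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# LAN may open connections towards the D-Link side
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# The D-Link side only gets back in as a reply to something the LAN started
-A FORWARD -i $WAN_IF -o $LAN_IF -d $LAN_NET -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Rewrite the LAN source so the D-Link sees a directly connected address and can reply
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j $nat_target
COMMIT
EOF
}

# apply_rules snat|masquerade : enable forwarding and load the ruleset (needs root).
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null || return 1
    gen_rules "$1" | iptables-restore
}

# rule_hits TARGET OUT_IF : read `iptables -t nat -nvL POSTROUTING` on stdin and
# print the packet counter of the first rule with that target and out interface.
# Columns of -nvL output: pkts bytes target prot opt in out source destination
rule_hits() {
    awk -v t="$1" -v o="$2" '$3 == t && $7 == o { print $1; exit }'
}

# Constructed sample of counter output (not a real capture), for trying rule_hits offline.
sample_counters() {
    cat <<'EOF'
Chain POSTROUTING (policy ACCEPT 12 packets, 960 bytes)
 pkts bytes target     prot opt in     out     source               destination
    7   588 SNAT       all  --  *      em0     172.16.0.0/24        0.0.0.0/0            to:192.168.1.2
EOF
}

# Usage: ./router.sh (prints nothing); gen_rules masquerade | less;
#        APPLY=1 ./router.sh snat   (as root, loads the SNAT variant)
if [ "${APPLY:-0}" = 1 ]; then
    apply_rules "${1:-masquerade}"
fi
```

On the live box, `iptables -t nat -nvL POSTROUTING | rule_hits SNAT em0` run while the LAN host pings should climb; if it stays at 0, the packets never reach the NAT rule and the FORWARD chain or the routing on the Linux box is the place to look first. The no-NAT alternative from post #6's option (b) is a static route on the D-Link for 172.16.0.0/24 via 192.168.1.2, in which case the POSTROUTING rule is not needed at all.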

  #8  Linux Engineer Kloschüssel (Join Date Oct 2005, Location Italy, Posts 773)
    Oh sorry, I probably overlooked SNAT. Anyway, the answer to that question would depend on the definition of SNAT for this use case. See Wikipedia.

  #9  Linux Guru (Join Date Nov 2007, Posts 1,763)
    We're talking about iptables here. To put it simply, iptables' SNAT can map IPs and ports while MASQUERADE only maps ports.

    I'm not going into the realm of the many ways that NAT (in general) can be implemented (1-to-1, many-to-1, etc.) which is what the Wikipedia article is talking about.
