  1. #1
    Just Joined!
    Join Date
    Apr 2011
    Posts
    4

    [Archlinux]IPTABLES NAT PROBLEM


    I have a public IP address 1.2.3.4 (assume)
    and I want to set up a SNAT server to let the internal PC access the internet.
    Archlinux (latest version, newly installed and updated)
    eth0: 1.2.3.4 (public IP addr)
    eth1: 192.168.0.1
    mask: 255.255.255.0

    ---------------------------------------------------
    Windows 2003
    NIC1:
    192.168.0.2
    Gateway: 192.168.0.1
    MASK: 255.255.255.0

    ------------------------------------------------------
    Then I input these commands on the Archlinux server:
    iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 1.2.3.4
    iptables -t nat -L
    I can see my rule in it.
    ping 8.8.8.8 (Google DNS) OK
    But on my internal PC (Windows 2003):
    ping 192.168.0.1 - worked
    ping 8.8.8.8 - did not work.
    -------------------------------------------
    At the server I used tcpdump -i eth1 and found my ICMP message, but Archlinux did not forward my ICMP message to eth0.
    I tried lots of solutions:
    1. modprobe
    modprobe ip_tables
    modprobe ip_nat_ftp
    2. iptables-save and restart iptables
    3. /etc/rc.d/network restart
    4. echo 0 > /proc/sys/net/ipv4/ip_forward
    and they did not make SNAT work ...
    What can I do?
    Thx for help

  2. #2
    Just Joined!
    Join Date
    Apr 2005
    Location
    Perth, Western Australia
    Posts
    11
    Code:
    #!/bin/sh
    echo 1 > /proc/sys/net/ipv4/ip_forward
    #
    # Prevent SYN floods from consuming memory resources:
    #
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    #
    # Prevents anything coming in to firewall and lets only
    # all packets out
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    #
    # Flush (-F) all specific rules
    #
    iptables -F INPUT
    iptables -F FORWARD
    iptables -F OUTPUT
    iptables -F -t nat
    #
    # Forward all packets from eth1 (internal network) to eth0 (the internet).
    #
    iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

    #
    # Forward packets that are part of existing and related connections from eth0 to eth1.
    #
    iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

    #
    # Permit packets in to firewall itself that are part of existing and related connections.
    #
    iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    #
    # Enable SNAT functionality on eth0
    #
    # SNAT (Source NAT) is used to map private source IP numbers of
    # interfaces on the internal LAN to one of my public static IP numbers.
    # SNAT performs this mapping when a client running on one of the
    # internal hosts (x.y.z.c) initiates a TCP connection (SYN) through
    # eth0.
    #
    ### you have " iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 1.2.3.4" you left off the "-s 192.168.0.0/24"
    iptables -A POSTROUTING -t nat -s 192.168.0.0/24 -o eth0 -j SNAT --to-source 1.2.3.4
    #
    # Allow all inputs to firewall from the internal network and local interfaces
    #
    iptables -A INPUT -i eth1 -s 0/0 -d 0/0 -j ACCEPT
    iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
    Last edited by MikeTbob; 05-01-2011 at 01:33 AM. Reason: Added Code Tags
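    The symptom in post #1 (tcpdump shows the ICMP on eth1, nothing leaves eth0) and the fix in post #2 boil down to a short checklist: the ip_forward sysctl, a POSTROUTING SNAT/MASQUERADE rule for the WAN interface, that rule scoped to the LAN, and, when the FORWARD policy is DROP, explicit rules for both directions. The script below is an added example, not code from either poster: `nat_checklist` takes the ip_forward value and `iptables-save` text as arguments and lists whatever is missing, so it can be run against a saved dump with no root access. The two dumps, the `rule_present` helper and the function names are constructed here; interface names and addresses follow the thread.

```shell
#!/bin/sh
# Added example (not from the thread): report which prerequisite for
# LAN -> internet SNAT is missing, given the ip_forward value and the
# text of `iptables-save`. Interface/address names follow the thread.

# Constructed: what `iptables-save` would show after only the single
# POSTROUTING rule from post #1 (filter policies still at their defaults).
OP_RULES='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j SNAT --to-source 1.2.3.4
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Constructed: the same dump after the ruleset from post #2 has been applied.
FIXED_RULES='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j SNAT --to-source 1.2.3.4
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# rule_present RULES_TEXT EREGEX: true if any line of the dump matches.
rule_present() { printf '%s\n' "$1" | grep -Eq -- "$2"; }

# nat_checklist IP_FORWARD RULES_TEXT LAN_CIDR LAN_IF WAN_IF
# Prints one line per missing prerequisite and returns their count
# (0 means the forwarding path is complete).
nat_checklist() {
    fwd=$1; rules=$2; lan=$3; lanif=$4; wanif=$5; missing=0

    # 1. The kernel must route between interfaces at all (post #1 had this at 0).
    if [ "$fwd" != 1 ]; then
        echo "ip_forward is '$fwd' (echo 1 > /proc/sys/net/ipv4/ip_forward)"
        missing=$((missing + 1))
    fi
    # 2. A SNAT or MASQUERADE rule in nat/POSTROUTING leaving via the WAN interface.
    if ! rule_present "$rules" "^-A POSTROUTING .*-o $wanif .*-j (SNAT|MASQUERADE)"; then
        echo "no SNAT/MASQUERADE rule in nat POSTROUTING for -o $wanif"
        missing=$((missing + 1))
    fi
    # 3. The NAT rule should be scoped to the LAN (the -s omission noted in post #2).
    #    Dots in the CIDR act as regex wildcards here, which is harmless for this check.
    if ! rule_present "$rules" "^-A POSTROUTING -s $lan .*-j (SNAT|MASQUERADE)"; then
        echo "POSTROUTING NAT rule is not restricted to -s $lan"
        missing=$((missing + 1))
    fi
    # 4./5. With a DROP policy on FORWARD, both directions need explicit rules:
    #    LAN -> WAN for new flows and WAN -> LAN for the replies (conntrack state).
    if ! rule_present "$rules" '^:FORWARD ACCEPT'; then
        if ! rule_present "$rules" "^-A FORWARD -i $lanif -o $wanif -j ACCEPT"; then
            echo "FORWARD policy is DROP and there is no $lanif -> $wanif ACCEPT rule"
            missing=$((missing + 1))
        fi
        if ! rule_present "$rules" "^-A FORWARD -i $wanif -o $lanif -m (state --state|conntrack --ctstate) RELATED,ESTABLISHED -j ACCEPT"; then
            echo "FORWARD policy is DROP and there is no RELATED,ESTABLISHED return rule $wanif -> $lanif"
            missing=$((missing + 1))
        fi
    fi
    return $missing
}

# Demo: the original poster's state versus the ruleset from post #2.
echo "== post #1 state =="
nat_checklist 0 "$OP_RULES" 192.168.0.0/24 eth1 eth0 || echo "$? item(s) missing"
echo "== post #2 ruleset =="
if nat_checklist 1 "$FIXED_RULES" 192.168.0.0/24 eth1 eth0; then
    echo "forwarding prerequisites all present"
fi
```

    On a live box the two inputs are `cat /proc/sys/net/ipv4/ip_forward` and `iptables-save`; the checklist deliberately stays on text so the same script can be run against dumps collected from a machine that is already offline. It does not detect the kernel-module problem the poster eventually hit (post #3), which is exactly the case that remains when the checklist reports nothing missing and forwarding still fails.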

  3. #3
    Just Joined!
    Join Date
    Apr 2011
    Posts
    4
    Hi, I tried kernel26-lts.

    The problem is solved.

    Your code is detailed and correct.

    Thx for your help.

  4. #4
    Linux Newbie
    Join Date
    Dec 2010
    Posts
    146
    I would suggest you try the MASQUERADE target too if the above suggestion doesn't work.

    BTW I don't find any flaw in your setup; it should work. You just need to enable ip_forward (which you did).

  5. #5
    Just Joined!
    Join Date
    Apr 2011
    Posts
    4
    Quote Originally Posted by dE_logics
    I would suggest you try the MASQUERADE target too if the above suggestion doesn't work.

    BTW I don't find any flaw in your setup; it should work. You just need to enable ip_forward (which you did).
    Thx, I changed to kernel-lts (32) and it works~
