  1. #1
    Just Joined!
    Join Date
    Apr 2012
    Posts
    2

    IP-Tables: Problem with printing (port?)


    Hello guys, I have a problem with configuring iptables on my router. The situation is the following (picture).
    Netzstruktur.jpg
    The FritzBox is the DHCP server for Network1 (192.168.2.x) and the Router is the DHCP server for Network2 (192.168.102.x). The Router also connects both networks. Therefore I am using iptables for IP forwarding. My /etc/network/interfaces is the following:
    Code:
    auto lo
    iface lo inet loopback
    
    auto eth0
    iface eth0 inet static
            address 192.168.2.22
            netmask 255.255.255.0
            gateway 192.168.2.1
    
    auto eth1
    iface eth1 inet static
            address 192.168.102.22
            netmask 255.255.255.0
    
    up /sbin/iptables -F
    up /sbin/iptables -X
    up /sbin/iptables -t nat -F
    
    up /sbin/iptables -A FORWARD -o eth0 -s 192.168.0.0/16 -m conntrack --ctstate NEW -j ACCEPT
    up /sbin/iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    up /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    up /sbin/sysctl -w net.ipv4.ip_forward=1
    
    up /etc/init.d/dnsmasq restart
    The internet connection works fine from everywhere.
    My problem is that I cannot print from a computer in network2 on a printer in network1, and that I cannot connect to a Samba network storage in network1 from a computer in network2. The browser interface of the printer / NAS is reachable and a ping is also working.

    Code:
    root@datenserver:~# iptables -L 
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     all  --  192.168.0.0/16       anywhere            ctstate NEW 
    ACCEPT     all  --  anywhere             anywhere            ctstate RELATED,ESTABLISHED 
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    root@datenserver:~#
    Code:
    root@datenserver:~# route
    Kernel-IP-Routentabelle
    Ziel            Router          Genmask         Flags Metric Ref    Use Iface
    192.168.102.0   *               255.255.255.0   U     0      0        0 eth1
    192.168.2.0     *               255.255.255.0   U     0      0        0 eth0
    link-local      *               255.255.0.0     U     1000   0        0 eth0
    default         fritz.box       0.0.0.0         UG    100    0        0 eth0
    root@datenserver:~#
    Is there a mistake in the iptables part? I am not an expert.
    It would be great if you could help me!
    Thanks

    Nils
    Last edited by karabiner; 04-02-2012 at 07:33 PM.

  2. #2
    Just Joined!
    Join Date
    Jan 2009
    Posts
    30
    Hey, I'm not an expert on iptables, but I have set up NAT on my router as well. The line

    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    should be enough to set up NAT, and it is probably working correctly if the ping reaches the printer/NAS server. The rules in the FORWARD table are actually a bit useless as your policy is ACCEPT: packets which do not match either of those two rules are accepted as well. But it does not explain the problem that you cannot access the printer/NAS.

    The problem might be on the server side, not on the router. Try to run some packet tracing (tcpdump, Wireshark) on the router to see whether the printer/NAS sends any answer to the client and whether it goes through the router.

    Balda

  3. #3
    Just Joined!
    Join Date
    Apr 2012
    Posts
    2
    Hey Balda,
    thanks for your answer. Today I read a lot about iptables and routing. Now I am not sure if I should use iptables (in the way you explained),
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    or if I should use route like this.
    route add -net 192.168.0.0 netmask 255.255.255.0 dev eth1

    Any ideas? Where is the difference?
    Thanks Nils

  5. #4
    Just Joined!
    Join Date
    Jan 2009
    Posts
    30
    I'm not sure what your intention is. However, when you add the mentioned rule for NAT, network2 connected to interface eth1 will not be accessible from other locations, and all packets going from network2 through the router will look like the router sent them. That would actually be the problem, if the printer/NAS server is limited only to the LAN.

    You might just want to have two LANs connected together. The kernel does the routing for you just with net.ipv4.ip_forward set to 1 and the routing table filled correctly. In your case the routing table is automatically filled correctly: network 192.168.102.0 on eth1 and 192.168.2.0 on eth0.

    iptables is used more for filtering traffic, so in your case you probably don't need any rule.
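The two posts above turn on what the printer sees as the source address of a packet from network2 once the router has applied (or not applied) MASQUERADE on eth0. The following is an added example, not code from anyone in this thread: it parses the original poster's `route` listing (German headers included, since `route` output is positional), does the longest-prefix lookup the kernel does, and applies the POSTROUTING rule to report the source address the destination will see. The client (192.168.102.50) and printer (192.168.2.10) addresses are constructed. The caveat it makes visible: with the masquerade rule removed, the printer sees 192.168.102.50 directly, so either the printer or its default gateway (the FritzBox) must have a route to 192.168.102.0/24 via 192.168.2.22 for replies to come back.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed input: the original poster's `route` listing from this thread.
# The column headers are German, but `route` output is positional, so the
# parser keys on field order rather than on the header text.
ROUTE_OUTPUT = """\
Kernel-IP-Routentabelle
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
192.168.102.0   *               255.255.255.0   U     0      0        0 eth1
192.168.2.0     *               255.255.255.0   U     0      0        0 eth0
link-local      *               255.255.0.0     U     1000   0        0 eth0
default         fritz.box       0.0.0.0         UG    100    0        0 eth0
"""

# Router interface addresses from the poster's /etc/network/interfaces.
ROUTER_ADDRS = {"eth0": "192.168.2.22", "eth1": "192.168.102.22"}

# POSTROUTING rules as (out-interface, target); mirrors the poster's
# `iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE`.
OP_POSTROUTING = [("eth0", "MASQUERADE")]

# Names `route` prints instead of addresses when run without -n.
SPECIAL_DESTINATIONS = {"default": "0.0.0.0", "link-local": "169.254.0.0"}

# (network, gateway or None when directly connected, interface, metric)
Route = Tuple[ipaddress.IPv4Network, Optional[str], str, int]


def parse_route_table(text: str) -> List[Route]:
    """Parse `route` output (English or German headers) into Route tuples."""
    routes: List[Route] = []
    for line in text.splitlines()[2:]:          # skip title and header rows
        fields = line.split()
        if len(fields) < 8:
            continue
        dest, gateway, genmask, _flags, metric, _ref, _use, iface = fields[:8]
        dest = SPECIAL_DESTINATIONS.get(dest, dest)
        network = ipaddress.IPv4Network((dest, genmask), strict=False)
        routes.append((network, None if gateway == "*" else gateway, iface, int(metric)))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, as the kernel does; lower metric breaks ties."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))


def source_seen_by(routes: List[Route], postrouting, src: str, dst: str,
                   iface_addrs: Dict[str, str]) -> Tuple[str, str]:
    """Return (egress interface, source address the destination will see)."""
    route = lookup(routes, dst)
    if route is None:
        raise ValueError(f"no route to {dst}")
    out_iface = route[2]
    for rule_iface, target in postrouting:
        if target == "MASQUERADE" and rule_iface in ("any", out_iface):
            return out_iface, iface_addrs[out_iface]   # rewritten to the router's own address
    return out_iface, src


if __name__ == "__main__":
    routes = parse_route_table(ROUTE_OUTPUT)
    client, printer = "192.168.102.50", "192.168.2.10"   # constructed hosts in network2 / network1
    print("with MASQUERADE on eth0:", source_seen_by(routes, OP_POSTROUTING, client, printer, ROUTER_ADDRS))
    print("with an empty nat table:", source_seen_by(routes, [], client, printer, ROUTER_ADDRS))
```

Running it shows the asymmetry the posts describe: network2 to network1 traffic leaves eth0 as 192.168.2.22, while network1 to network2 traffic leaves eth1 untranslated because the rule only matches `-o eth0`.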

  6. #5
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    What does your routing table look like?

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  7. #6
    Just Joined!
    Join Date
    Jan 2009
    Posts
    30
    I don't think that it will help you, but anyway this is my /etc/network/interfaces:

    Code:
    auto eth1
    allow-hotplug eth1
    iface eth1 inet dhcp
    
    auto br0
    iface br0 inet static
            bridge_ports eth0 eth2
            address 10.106.72.81
            netmask 255.255.255.240
            network 10.106.72.80
    I have set up a bridge br0 over interfaces eth0 and eth2 so they act as a switch, and eth1 is connected to my ISP, which gives me some address from the range 89.x.x.x. As the network 10.106.72.80/28 is private, I have set up NAT on eth1:

    Code:
    $ sudo iptables -t nat -L -v
    Chain PREROUTING (policy ACCEPT 199K packets, 28M bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain INPUT (policy ACCEPT 19612 packets, 3400K bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain OUTPUT (policy ACCEPT 11976 packets, 1214K bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain POSTROUTING (policy ACCEPT 1634 packets, 312K bytes)
     pkts bytes target     prot opt in     out     source               destination         
     141K 9903K MASQUERADE  all  --  any    eth1    anywhere             anywhere
    The routing table is the following:

    Code:
    $ /sbin/route 
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         ip-89-102-9-1.n 0.0.0.0         UG    0      0        0 eth1
    10.106.72.80    *               255.255.255.240 U     0      0        0 br0
    89.102.9.0      *               255.255.255.0   U     0      0        0 eth1
    The routing table is actually filled by the kernel from the IP configuration of the interfaces. Similarly, yours is filled correctly according to the configuration of your interfaces, so you don't need to do it manually.

    To investigate your problem, it is best to run Wireshark on the router and see where the communication between the PC and your printer gets stuck.

    Balda
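Balda's advice in #2 and #6 is to capture on the router and find the point where the exchange stops. As an added example, not from anyone in the thread, here is a small analyzer for `tcpdump -n` output taken on the router's two interfaces. It checks the four places a TCP handshake can be seen (client's SYN arriving on eth1, SYN leaving on eth0, printer's SYN-ACK arriving on eth0, SYN-ACK leaving on eth1) and names the first missing stage. The capture lines are constructed; the client and printer addresses, and port 9100 as the raw-printing port, are assumptions. The sample reproduces the situation in the thread: ping works, the SYN is masqueraded to 192.168.2.22 on the way out, and the printer never answers, which points at the printer rather than the router.

```python
import re
from typing import Dict, List, Tuple

# tcpdump -n TCP line shape: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed captures (not from the thread): the router's two interfaces while
# a client in network2 opens a connection to port 9100 on a printer in network1.
# The SYN leaves eth0 with the router's address (MASQUERADE), and the printer
# never replies; the ICMP lines show that ping works, as the poster reports.
CAPTURE_ETH1 = [
    "20:01:00.100000 IP 192.168.102.50.49152 > 192.168.2.10.9100: Flags [S], seq 1, win 64240, length 0",
    "20:01:01.100000 IP 192.168.102.50.49152 > 192.168.2.10.9100: Flags [S], seq 1, win 64240, length 0",
]
CAPTURE_ETH0 = [
    "20:01:00.100100 IP 192.168.2.22.49152 > 192.168.2.10.9100: Flags [S], seq 1, win 64240, length 0",
    "20:01:00.500000 IP 192.168.2.22 > 192.168.2.10: ICMP echo request, id 7, seq 1, length 64",
    "20:01:00.500400 IP 192.168.2.10 > 192.168.2.22: ICMP echo reply, id 7, seq 1, length 64",
    "20:01:01.100100 IP 192.168.2.22.49152 > 192.168.2.10.9100: Flags [S], seq 1, win 64240, length 0",
]

STAGES = ("syn_from_client", "syn_forwarded", "synack_from_server", "synack_to_client")
STAGE_HINTS = {
    "syn_from_client": "the client never sends to the router: check the client's gateway/route",
    "syn_forwarded": "the SYN arrives but is not forwarded: check ip_forward and the FORWARD chain",
    "synack_from_server": "the SYN is forwarded but the printer/NAS never answers: look at the device's own access restrictions, not the router",
    "synack_to_client": "the reply reaches the router but is not returned to the client: check conntrack/NAT state and the return route",
}


def parse_tcpdump(lines: List[str]) -> List[Dict]:
    """Keep only TCP lines; ICMP/ARP lines do not match and are skipped."""
    pkts = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            p = m.groupdict()
            p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
            pkts.append(p)
    return pkts


def _seen(pkts, srcs, dsts, sport, dport, flags) -> bool:
    return any(p["src"] in srcs and p["dst"] in dsts and p["flags"] == flags
               and (sport is None or p["sport"] == sport)
               and (dport is None or p["dport"] == dport) for p in pkts)


def trace_handshake(client_capture, server_capture, client, server, port, router_addr) -> Dict[str, bool]:
    """Which handshake stages are visible on the client-side and server-side interfaces."""
    cin, sout = parse_tcpdump(client_capture), parse_tcpdump(server_capture)
    outbound = {client, router_addr}          # source is the router's address when masqueraded
    return {
        "syn_from_client": _seen(cin, {client}, {server}, None, port, "S"),
        "syn_forwarded": _seen(sout, outbound, {server}, None, port, "S"),
        "synack_from_server": _seen(sout, {server}, outbound, port, None, "S."),
        "synack_to_client": _seen(cin, {server}, {client}, port, None, "S."),
    }


def diagnose(stages: Dict[str, bool]) -> Tuple[str, str]:
    """Name the first missing stage and what to check there."""
    for name in STAGES:
        if not stages[name]:
            return name, STAGE_HINTS[name]
    return "complete", "the handshake completes through the router; the problem is above TCP"


if __name__ == "__main__":
    st = trace_handshake(CAPTURE_ETH1, CAPTURE_ETH0, "192.168.102.50", "192.168.2.10", 9100, "192.168.2.22")
    print(st)
    print(diagnose(st))
```

To use it on a real router, capture each side separately (for example `tcpdump -n -i eth1` and `tcpdump -n -i eth0`, filtered on the client and printer addresses) and feed the saved lines to `trace_handshake`.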

  8. #7
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Checking the routing table is always a good idea, so do not dismiss it.


    @karabiner

    You really do not need a firewall unless you are trying to block one network from reaching another. And since you are on a private network you do not need MASQUERADE setup. Masquerade is only required when you leave your private network and go to a public network.

    Copy and paste the following to the command line and test if everything works:

    Code:
    /sbin/iptables -F
    /sbin/iptables -X
    /sbin/iptables -t nat -F
    echo 1 > /proc/sys/net/ipv4/ip_forward
    Now test what you are trying to do. If this works, then update your network startup as above and edit your sysctl.conf file to include:
    Code:
    net.ipv4.ip_forward = 1
    as you will have forwarding turned on all the time.

    You only need a firewall facing the internet and not on your internal network. I believe that your FritzBox is already working as a firewall to the internet, correct?

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted
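Making the `ip_forward` setting persistent in sysctl.conf, as Robert suggests above, has one common trap: a stock Debian sysctl.conf ships the line commented out (`#net.ipv4.ip_forward=1`), and a later active line overrides an earlier one. The following added helper (not from anyone in the thread) reads the effective value the way sysctl would and rewrites the file content so exactly one active `net.ipv4.ip_forward = 1` line remains, leaving the commented line in place. The sample file content is constructed.

```python
import re
from typing import Optional

KEY = "net.ipv4.ip_forward"
# key = value, with optional surrounding whitespace; '#' and ';' start comments
SETTING_RE = re.compile(r"^\s*([A-Za-z0-9_.\-/]+)\s*=\s*(.*?)\s*$")

# Constructed sample resembling a stock Debian sysctl.conf, where the
# forwarding line ships commented out.
SAMPLE_CONF = """\
# /etc/sysctl.conf - Configuration file for setting system variables
#net.ipv4.ip_forward=1
net.ipv4.conf.default.rp_filter=1
"""


def _is_comment(line: str) -> bool:
    return line.lstrip().startswith(("#", ";"))


def sysctl_value(conf_text: str, key: str = KEY) -> Optional[str]:
    """Last active value for key (sysctl applies the file top to bottom), or None."""
    value = None
    for line in conf_text.splitlines():
        if _is_comment(line):
            continue
        m = SETTING_RE.match(line)
        if m and m.group(1) == key:
            value = m.group(2)
    return value


def ensure_setting(conf_text: str, key: str = KEY, value: str = "1") -> str:
    """Return conf_text with exactly one active `key = value` line.

    Active lines for key are replaced (duplicates dropped); a commented-out
    line is kept as documentation; the line is appended if none was active.
    """
    out, done = [], False
    for line in conf_text.splitlines():
        m = SETTING_RE.match(line)
        if m and m.group(1) == key and not _is_comment(line):
            if not done:
                out.append(f"{key} = {value}")
                done = True
            continue
        out.append(line)
    if not done:
        out.append(f"{key} = {value}")
    return "\n".join(out) + "\n"


def runtime_forwarding(path: str = "/proc/sys/net/ipv4/ip_forward") -> Optional[str]:
    """Current kernel value ('0' or '1'), or None when /proc is not available."""
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return None


if __name__ == "__main__":
    print("persistent:", sysctl_value(SAMPLE_CONF), "-> after edit:", sysctl_value(ensure_setting(SAMPLE_CONF)))
    print("running kernel:", runtime_forwarding())
```

Comparing `runtime_forwarding()` with `sysctl_value()` of the real file tells you whether forwarding is only on because of the `up /sbin/sysctl -w` line in the interface configuration or also survives a reboot via sysctl.conf.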
