NAT fails on amd64

siggma · 01-25-2008, 03:05 PM

I have been using Debian etch now for over a year. Recently, due to a hardware upgrade I installed the amd-64 version of etch. It installs fine and I believe I will be able to use it effectively, possibly even with Apache-mpm-worker and fastcgi-php

But, I keep running into an issue with NAT redirection on my internal network and it's unique to amd-64 Debian Kernel 2.6. The adpater works fine. I can ping it, I can use the local network with Vista, I can successfully connect to webmin from the internal adapter. The internet adapter works fine as well.

Does anyone know of a reason the firewall would act differently in the 64 bit version of etch?
Adapters are both Realtek. One is VIA RhineII, the other is a brand new Netgear FA311 10/100 and they both work find under 686 kernels.

HELP???

jschiwal · 01-25-2008, 03:22 PM

Look at the output of lsmod. I wonder if you are missing a module that the netfilter rules would use for masquerading. Are you sure your iptables rules haven't changed?

siggma · 01-25-2008, 03:39 PM

Quote:

Originally Posted by jschiwal

Look at the output of lsmod. I wonder if you are missing a module that the netfilter rules would use for masquerading. Are you sure your iptables rules haven't changed?

I'll have to snap a copy of modules now, then reboot and compare. Thanks for the tip.

siggma · 01-30-2008, 02:59 PM

Any help or ideas would be appreciated.

Ok, I installed a fresh basic amd64, no X, installed webmin and ssh, set IPTables with webmin and it fails to masquerade. Then I checked modules and it looks OK. I tried with different hardware since I've had BIOS issue with the VIA RhineII and I want to eliminate it. I'm posting this over the NAT with the 686 kernel.

The amd64 is installed on a SATA drive, the x86 is on an IDE so there may be some disk differences. I don't know what all these modules do but I do see the network and IP Tables modules. I entered new IPTables rules with the appropriate interface names. The network hardware seem fine. No errors and the links go up and down OK. I can access both internet and internal net independently but no masquerade. Below is: /etc/network/interfaces iptables-save and lsmod outputs. This iptables has squid redirection, the other does not.

/etc/network/interfaces

Quote:

# The loopback network interface
auto lo eth1 eth3
iface lo inet loopback
# The primary network interface
iface eth3 inet static
address 216.99.209.41
netmask 255.255.255.0
broadcast 216.99.209.255
network 216.99.209.0
gateway 216.99.209.254
post-up iptables-restore < /etc/iptables.up.rules

iface eth1 inet static
address 192.168.1.99
netmask 255.255.255.0
broadcast 192.168.1.255
network 192.168.1.0
post-up iptables-restore < /etc/iptables.up.rules

Quote:

# Generated by iptables-save v1.3.6 on Wed Jan 30 11:42:17 2008
*filter
:INPUT DROP [38:4870]
:FORWARD ACCEPT [81:3192]
:OUTPUT ACCEPT [7749:2716757]
-A INPUT -i ! eth3 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 21,80,443,110,25,993,995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2049:2050 -j DROP
-A INPUT -p tcp -m tcp --dport 6000:6063 -j DROP
-A INPUT -p tcp -m tcp --dport 7000:7010 -j DROP
-A INPUT -p tcp -m tcp --dport 1024:65535 -j ACCEPT
COMMIT
# Completed on Wed Jan 30 11:42:17 2008
# Generated by iptables-save v1.3.6 on Wed Jan 30 11:42:17 2008
*mangle
:PREROUTING ACCEPT [8061:1161034]
:INPUT ACCEPT [7956:1156554]
:FORWARD ACCEPT [81:3192]
:OUTPUT ACCEPT [7749:2716757]
:POSTROUTING ACCEPT [7866:2726031]
COMMIT
# Completed on Wed Jan 30 11:42:17 2008
# Generated by iptables-save v1.3.6 on Wed Jan 30 11:42:17 2008
*nat
:PREROUTING ACCEPT [149:10178]
:POSTROUTING ACCEPT [22:2372]
:OUTPUT ACCEPT [221:15851]
-A PREROUTING -d 216.99.209.41 -p tcp -m tcp -m multiport --ports 49875 -j DNAT --to-destination 192.168.1.100
-A PREROUTING -d 216.99.209.41 -p tcp -m tcp -m multiport --ports 64000 -j DNAT --to-destination 192.168.1.100
-A PREROUTING -d 216.99.209.41 -p udp -m udp -m multiport --ports 65000 -j DNAT --to-destination 192.168.1.100
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth3 -j MASQUERADE
COMMIT
# Completed on Wed Jan 30 11:42:17 2008
# Generated by iptables-save v1.3.6 on Wed Jan 30 11:42:17 2008
*raw
:PREROUTING ACCEPT [8061:1161034]
:OUTPUT ACCEPT [7749:2716757]
COMMIT
# Completed on Wed Jan 30 11:42:17 2008

Here is the x86 lsmod:

Quote:

trbailey:~# lsmod
Module Size Used by
quota_v2 8864 2
xt_state 2272 2
iptable_filter 3104 1
iptable_mangle 2880 0
ipt_MASQUERADE 3712 1
ipt_REDIRECT 2176 1
xt_tcpudp 3136 12
xt_multiport 3264 4
iptable_nat 7044 1
ip_nat 16876 3 ipt_MASQUERADE,ipt_REDIRECT,iptable_nat
ip_conntrack 49088 4 xt_state,ipt_MASQUERADE,iptable_nat,ip_nat
nfnetlink 6680 2 ip_nat,ip_conntrack
iptable_raw 2144 0
ip_tables 13028 4 iptable_filter,iptable_mangle,iptable_nat,iptable_raw
x_tables 13316 7 xt_state,ipt_MASQUERADE,ipt_REDIRECT,xt_tcpudp,xt_multiport,iptable_nat,ip_tables
button 6672 0
ac 5188 0
battery 9636 0
ipv6 226272 44
ext2 59048 1
dm_snapshot 15552 0
dm_mirror 19152 0
dm_mod 50232 2 dm_snapshot,dm_mirror
loop 15048 0
serio_raw 6660 0
rtc 12372 0
floppy 53156 0
psmouse 35016 0
via_agp 9664 1
agpgart 29896 1 via_agp
pcspkr 3072 0
i2c_viapro 8244 0
i2c_core 19680 1 i2c_viapro
shpchp 33024 0
pci_hotplug 28704 1 shpchp
evdev 9088 0
ext3 119240 2
jbd 52456 1 ext3
mbcache 8356 2 ext2,ext3
ide_cd 36064 0
cdrom 32544 1 ide_cd
ide_disk 14848 6
sata_via 10052 0
via82cxxx 8388 0 [permanent]
8139cp 21920 0
8139too 25120 0
mii 5344 2 8139cp,8139too
tulip 46560 0
libata 89396 1 sata_via
scsi_mod 124168 1 libata
generic 4868 0 [permanent]
ide_core 110504 4 ide_cd,ide_disk,via82cxxx,generic
thermal 13608 0
processor 28840 1 thermal
fan 4804 0

And here is the amd64 lsmod output:

Quote:

trbailey:~# lsmod
Module Size Used by
xt_state 6912 2
xt_tcpudp 7936 8
ipt_MASQUERADE 8320 1
iptable_nat 12292 1
ip_nat 24492 2 ipt_MASQUERADE,iptable_nat
ip_conntrack 63140 4 xt_state,ipt_MASQUERADE,iptable_nat,ip_nat
nfnetlink 11976 2 ip_nat,ip_conntrack
iptable_mangle 7552 0
iptable_filter 7808 1
ip_tables 25576 3 iptable_nat,iptable_mangle,iptable_filter
x_tables 22024 5 xt_state,xt_tcpudp,ipt_MASQUERADE,iptable_nat,ip_tables
ipv6 286048 18
button 12192 0
ac 10376 0
battery 15496 0
dm_snapshot 20664 0
dm_mirror 25216 0
dm_mod 62800 2 dm_snapshot,dm_mirror
loop 20112 0
shpchp 42156 0
pci_hotplug 20872 1 shpchp
pcspkr 7808 0
serio_raw 12036 0
psmouse 44432 0
floppy 67112 0
via_agp 15616 1
i2c_viapro 14232 0
i2c_core 27776 1 i2c_viapro
evdev 15360 0
ext3 138512 1
jbd 65392 1 ext3
mbcache 14216 1 ext3
ide_cd 45088 0
cdrom 40488 1 ide_cd
sd_mod 25856 3
via82cxxx 13444 0 [permanent]
sata_via 16004 2
libata 106784 1 sata_via
scsi_mod 153008 2 sd_mod,libata
generic 10500 0 [permanent]
ide_core 147584 3 ide_cd,via82cxxx,generic
8139too 33408 0
8139cp 29440 0
tulip 57120 0
mii 10368 2 8139too,8139cp
thermal 20240 0
processor 38248 1 thermal
fan 9864 0

jschiwal · 01-30-2008, 06:50 PM

I think you need to modprobe nf_conntrack.
I believe that it is what tracks outgoing connections which is needed to match inbound traffic with the IP of the outbound traffic.

siggma · 01-31-2008, 02:01 PM

The nf_conntrack modules wasn't in the 86 version and it now works without explicitly referring to it so if it's used, it' loaded some other way.

I found a couple things I seem to have forgotten.
Enable ip forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward

And I think I need bind to get NAT to work properly.
#apt-get install bind9

Assumptions seem to really get me in trouble.
Thank you for the help, I think it's going to be OK.

JimBass · 01-31-2008, 08:15 PM

You don not need BIND to get NAT working, they have nothing to do with one another. BIND just translates names to numeric addresses. You may want your server acting as DNS for your LAN, in which case you'll want BIND, but it isn't a requirement in the broad sense. It certainly won't hurt to have, and isn't very resource intensive, but it isn't needed.

Peace,
JimBass

jschiwal · 02-02-2008, 06:05 AM

I missed the ip_conntrack in the second lsmod listing. In newer kernels it is named nf_conntrack instead.

The 2.6 kernel example firewall script in the Linux IP Masquerading Howto might be a useful reference:
http://tldp.org/HOWTO/IP-Masquerade-...-examples.html

siggma · 02-03-2008, 11:30 AM

Quote:

Originally Posted by jschiwal

I missed the ip_conntrack in the second lsmod listing. In newer kernels it is named nf_conntrack instead.

The 2.6 kernel example firewall script in the Linux IP Masquerading Howto might be a useful reference:
http://tldp.org/HOWTO/IP-Masquerade-...-examples.html

Thank you for your help. I feel even more sheepish since I wrote my experiences down in a How-To for the Home Server Webmaster:
http://home.trbailey.net/tech/iptables.html
I've added that link and updated it to reflect my latest experience.
-Tom