-   Linux - Networking (
-   -   Debian Squeeze NAT not working (

newbie to linux 03-24-2012 09:43 PM

Debian Squeeze NAT not working
I have a small home network with mixed Linux and Windows computers, I am trying to set up a Debian server (HP DL560 G1).

I have the following setup:
eth0: Internal network (
eth1: Physical interface for ppp0
ppp0: DHCP WAN

uname -a:

Linux main-server 2.6.32-5-686-bigmem #1 SMP Mon Jan 16 16:42:05 UTC 2012 i686 GNU/Linux
All latest updates installed

I have squidProxy runing on port 3128 and currently providing access to the internet for the network. However there are some issues with a proxy in general that creates problems (Android doesn't support them without rooting, Flash doesn't necessarily support it, Windows won't remember passwords). I have Googled many different variations of 'configure nat debian squeeze' nad tried nearly every tutorial and read through enourmous amounts of documentation, and the server still won't provide NAT services. I use iptables for firewalling purposes, and wrote a script to set it up on every boot. The script is called from a custom init script.


#Set up iptables for a fully functional server

#The external interface
export WAN="ppp0"

#The internal interface
export LAN="eth0"

#set the IP address of the...
export AdminMachine="" #Remote Administration Machine
export AdminMachineBackup="" #Backup machine for remote admin

export LocalMachine="" #Local Machine

#Empty iptable's rule tables
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

#Enable packet forwarding in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

#allow ssh from admin machine
iptables -A INPUT -s $AdminMachine -d $LocalMachine -p tcp --dport 22 -j ACCEPT
#iptables -A INPUT -s $AdminMachine -d $LocalMachine -p tcp --dport 6011 -j ACCEPT
iptables -A INPUT -s $AdminMachineBackup -d $LocalMachine -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s -d $LocalMachine -p tcp --dport 22 -j ACCEPT

#set up TCP handshake
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $WAN -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

#Allow services to run
iptables -A INPUT -d $LocalMachine -p tcp --dport 80 -j ACCEPT  #HTTP/Apache
iptables -A INPUT -d $LocalMachine -p tcp --dport 81 -j ACCEPT #HTTP/Apache alt
iptables -A INPUT -d $LocalMachine -p tcp --dport 443 -j ACCEPT #SSL/Apache
iptables -A INPUT -d $LocalMachine -p tcp --dport 25 -j ACCEPT #FTP
iptables -A INPUT -d $LocalMachine -p tcp --dport 3000 -j ACCEPT #ntop

iptables -A INPUT -d $LocalMachine -p tcp --dport 135 -j ACCEPT #Samba/TCP
iptables -A INPUT -d $LocalMachine -p udp --dport 137:138 -j ACCEPT #Samba/UDP
iptables -A INPUT -d $LocalMachine -p tcp --dport 139 -j ACCEPT #Samba/TCP
iptables -A INPUT -d $LocalMachine -p tcp --dport 445 -j ACCEPT #Samba TCP

iptables -A INPUT -d $LocalMachine -p tcp --dport 3389 -j ACCEPT #VBox RDP
iptables -A INPUT -d $LocalMachine -p tcp --dport 10000 -j ACCEPT #Webmin

iptables -A INPUT -d $LocalMachine -p tcp --dport 5901 -j ACCEPT #VNC

iptables -A INPUT -d $LocalMachine -p tcp --dport 9091 -j ACCEPT #Transmission
iptables -A INPUT -d $LocalMachine -p tcp --dport 873 -j ACCEPT #Rsync (for backuppc)

iptables -A INPUT -d $LocalMachine -p udp --dport 67 -j ACCEPT #DHCP

iptables -A INPUT -d $LocalMachine -p udp --dport 514 -j ACCEPT #Rsyslog
iptables -A INPUT -d $LocalMachine -p tcp --dport 514 -j ACCEPT #Rsyslog

iptables -A INPUT -d $LocalMachine -p udp --dport 69 -j ACCEPT #TFTPd
iptables -A INPUT -d $LocalMachine -p udp --dport 111 -j ACCEPT #NFS
iptables -A INPUT -d $LocalMachine -p tcp --dport 111 -j ACCEPT #NFS
iptables -A INPUT -d $LocalMachine -p udp --dport 2049 -j ACCEPT #RPC
iptables -A INPUT -d $LocalMachine -p tcp --dport 2049 -j ACCEPT #RPC

iptables -A INPUT -d $LocalMachine -p tcp --dport 3128 -j ACCEPT #Squid-Proxy

iptables -A INPUT -d $LocalMachine -p tcp --dport 943 -j ACCEPT #OpenVPN

#Allow all traffic from localhost
iptables -A INPUT -d $LocalMachine -s -j ACCEPT

#Set up ip forwarding
iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
iptables --table nat -A POSTROUTING --out-interface $WAN -j MASQUERADE

#Block Everything else
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP

#End the Script
exit 0

I can access the internet fine through squid, but when I disable the proxy in firefox it can't connect (tested

Any ideas, help, or suggestions would be greatly appreciated. If more info is needed just let me know.

tech_soul8 03-25-2012 08:06 AM

Well first of all If you ask me try to disable squid and try to flus all your rules "iptables -F", set INPUT,FORWARD,OUTPUT chains to ACCEPT and add iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE and than try to connect from win hosts to internet. If it doesn't work than check if iptable_nat is loaded in the kernel. To check you can issue following command /sbin/lsmod |grep table. If everything works fine than you should add your rules one by one and see what's causing the problem. I alos recommend that you put in each chain LOG target for all blocked traffic so you can inspect in /var/log/messages and /var/log/syslog which traffic is blocked and than make rules for allowing it if it must pass through.

newbie to linux 03-25-2012 05:47 PM

I tried everything you suggested, iptable_nat is loaded, and using the LOG target doesn't generate anything that (to me anyways) indicates that I'm even trying to access the internet. I also tried shutting down Apache as I wasn't sure if that would cause problems. Anyways, no luck. if the contents of /var/log/syslog would be useful let me know and I'll post it. Also

cat /var/log/syslog | grep -i E0:CA:94:03:5A:A2 | grep -i ppp0 | wc -l
produced only

which would indicate that my computer E0:CA:94:03:5A:A2 wasn't trying to access the internet, would it not?

tech_soul8 03-26-2012 01:13 AM

post output of iptables -L. You can't access internet from Debian or just from win clients on local lan or both?

nikmit 03-26-2012 05:54 AM

If you are troubleshooting NAT, test it with ping rather than http traffic, to avoid interference of any DNS/proxy errors.
Ping and if it doesn't work do iptables -t nat -L -v and see if the masquerade rule is getting traffic.

Once you have ping connectivity, look at any proxy/dns issues on the client computers (was the proxy transparent?)

newbie to linux 03-27-2012 08:20 PM

OK, I can ping if I give the IP address however, I need to configure DNSmasq to provide DNS lookups (which are currently going to the server, but it is not providing any DNS services). So I am currently doing some research and will post back here soon.

newbie to linux 03-27-2012 10:48 PM

Success! DNSmasq is now successfully configured and I can access the internet without a proxy.

WizadNoNext 03-30-2012 12:31 PM

Obvious mistake.
Server without DNS? It seams to be joke.

I have server with:
BRouter (Bridge + router)
firewall (IP/IP6/ARP/EBtables)
(S)FTP(S) (working only as SFTP or FTPS, no plain FTP supported)
SSH (obvious)
some minor services.

For me this minimal set of services for home server. Actually I have two exactly same servers. One of them simply do not do firewalling, as it is plain bridge. Both have own IEEE802.11 Access Points with specific passphrases for specific MACs. I am planing to turn them into small cluser, but it is not for now.

All times are GMT -5. The time now is 06:25 PM.