LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 08-13-2003, 10:43 PM   #1
saruman666
LQ Newbie
 
Registered: Aug 2003
Location: Brasil - São Paulo
Distribution: Redhat - FreeBSD - OpenBSD
Posts: 10

Rep: Reputation: 0
IPTABLES doesn't work!!! help...


I already installed Red Hat 9 and want to share my connection with one more computer, but it doesn't work!! Help me find a solution..

I start with this options:

eth0 (RTK 8139) --> dhcp
eth1 (RTK 8139) -->static 192.168.0.1

everything ok... I can use the internet normally!

$echo 1 > /proc/sys/net/ipv4/ip_forward

$/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE

$/etc/init.d/iptables restart

$/etc/init.d/iptables save

$/etc/init.d/iptables status
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
> MASQUERADE all -- 192.168.0.0/24 anywhere

I can ping my client (windows xp):

ip: 192.168.0.2
gateway: 192.168.0.1
netmask: 255.255.255.0

P.S.: with the DNS of my server configured!

$ ping 192.168.0.2
PING 192.168.0.2 (192.168.0.2) 56(84) bytes of data.
64 bytes from 192.168.0.2: icmp_seq=1 ttl=128 time=0.564 ms
64 bytes from 192.168.0.2: icmp_seq=2 ttl=128 time=0.352 ms

my client (Windows XP) doesn't access the internet. WHY??
 
Old 08-13-2003, 11:13 PM   #2
Mathieu
Senior Member
 
Registered: Feb 2001
Location: Montreal, Quebec, Canada
Distribution: RedHat, Fedora, CentOS, SUSE
Posts: 1,403

Rep: Reputation: 46
In order for IP forwarding to be activated automatically when the system boots up, edit the file /etc/sysctl.conf and on the line net.ipv4.ip_forward = 0, change 0 to 1.
Code:
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
Make sure the FORWARD policy is set to ACCEPT.

You can view your iptables rules by typing:
Code:
iptables -L
You can also take a look at this post.
http://www.linuxquestions.org/questi...351#post395351
 
Old 08-13-2003, 11:24 PM   #3
saruman666
LQ Newbie
 
Registered: Aug 2003
Location: Brasil - São Paulo
Distribution: Redhat - FreeBSD - OpenBSD
Posts: 10

Original Poster
Rep: Reputation: 0
How can I set FORWARD...

$/sbin/iptables -L

Chain FORWARD (policy DROP)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- anywhere anywhere
ACCEPT all -- 192.168.0.0/24 anywhere

OH GOD..
the policy is DROP, I think it's wrong... how can I change this???

I tried this..

/sbin/iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT

but...

$/sbin/iptables -L

Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- anywhere anywhere
ACCEPT all -- 192.168.0.0/24 anywhere

the policy for FORWARD is still DROP??
and is this INPUT policy ACCEPT bad??
 
Old 08-13-2003, 11:50 PM   #4
Mathieu
Senior Member
 
Registered: Feb 2001
Location: Montreal, Quebec, Canada
Distribution: RedHat, Fedora, CentOS, SUSE
Posts: 1,403

Rep: Reputation: 46
To set FORWARD to accept, type:
Code:
iptables -P FORWARD ACCEPT
To set up basic IP forwarding and masquerading for your network,
take a look at this post.
http://www.linuxquestions.org/questi...351#post395351
 
Old 08-13-2003, 11:58 PM   #5
saruman666
LQ Newbie
 
Registered: Aug 2003
Location: Brasil - São Paulo
Distribution: Redhat - FreeBSD - OpenBSD
Posts: 10

Original Poster
Rep: Reputation: 0
Doesn't work yet!! :-(

#/sbin/iptables -P FORWARD ACCEPT

/etc/init.d/iptables restart

#/sbin/iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- anywhere anywhere
ACCEPT all -- 192.168.0.0/24 anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Lokkit-0-50-INPUT (2 references)
target prot opt source destination
ACCEPT udp -- ns2.papalegua.com.br anywhere udp spt:domain dpts:1025:65535
ACCEPT udp -- ns1.papalegua.com.br anywhere udp spt:domain dpts:1025:65535
ACCEPT udp -- anywhere anywhere udp spts:bootps:bootpc dpts:bootps:bootpc
ACCEPT udp -- anywhere anywhere udp spts:bootps:bootpc dpts:bootps:bootpc
ACCEPT all -- anywhere anywhere
REJECT tcp -- anywhere anywhere tcp dpts:0:1023 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:nfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp dpts:0:1023 reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp dpt:nfs reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpts:x11:6009 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:xfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable

That's all the output... I tested my client and it doesn't work yet!! shit!! I have used iptables on Red Hat 8 a million times and it works!! Maybe I did something wrong?? I don't know.. it's making me crazy!!
 
Old 08-14-2003, 12:17 AM   #6
Mathieu
Senior Member
 
Registered: Feb 2001
Location: Montreal, Quebec, Canada
Distribution: RedHat, Fedora, CentOS, SUSE
Posts: 1,403

Rep: Reputation: 46
Can Windows XP ping Linux?

It may be a routing issue.
You can take a look at the routing table.
Code:
route -n
 
Old 08-14-2003, 07:58 AM   #7
jonas_larson
Member
 
Registered: Jul 2003
Location: Stockholm, Sweden
Distribution: RH9
Posts: 37

Rep: Reputation: 15
Hi,
Could you post the result of "iptables -t nat -L"?


In general, what you need to do to make it work is the following...

1. set all policies to ACCEPT (Q'n'D solution)
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

2. masquerade everything everywhere...
iptables -t nat -A POSTROUTING -j MASQUERADE


3. enable forwarding...
echo 1 > /proc/sys/net/ipv4/ip_forward


And of course your machine needs to have the right DNS, gateway and so on...

Regards

Jonas
Quote:
ACCEPT all -- 192.168.0.0/24 anywhere
When you put this in your FORWARD chain it will enable everything from the 192.168.0.0 network to get out, but it will not let anything back in...

You need to put this in your FORWARD chain...
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

This will enable already established packets to get back to your internal network... (i.e. an echo-reply...)
 
Old 08-14-2003, 10:46 AM   #8
Bambi
Newbie
 
Registered: Aug 2003
Location: Toronto, Canada
Distribution: RedHat
Posts: 13

Rep: Reputation: 0
I'm brand new, but I read some iptables stuff, and my impression is that the policy is supposed to be DROP and then you let in what you want, and if it doesn't match the criteria then it is dropped.
 
Old 08-14-2003, 11:36 AM   #9
Mathieu
Senior Member
 
Registered: Feb 2001
Location: Montreal, Quebec, Canada
Distribution: RedHat, Fedora, CentOS, SUSE
Posts: 1,403

Rep: Reputation: 46
Yes.
But in this case, we are trying to debug the network.
By setting the three main chains to ACCEPT and leaving the Masquerade, we know that iptables is not the problem.

By the way, saruman666, if you have not found the problem,
I suggest flushing all the rules, setting the three main chains to ACCEPT and leaving only the Masquerade;
if the internet sharing does not work then, the problem is not with iptables.
 
Old 08-14-2003, 12:25 PM   #10
saruman666
LQ Newbie
 
Registered: Aug 2003
Location: Brasil - São Paulo
Distribution: Redhat - FreeBSD - OpenBSD
Posts: 10

Original Poster
Rep: Reputation: 0
Sorry for my big delay but I had to sleep to work in the morning.... now I'm on lunch time... so.... I will begin where I stopped... about route -n...

yes, I can ping the gateway from the client (WinXP)

/sbin/route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
200.210.122.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 200.210.122.1 0.0.0.0 UG 0 0 0 eth0

[root@phoenix phoenix]# /sbin/iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

after applying these commands:

$iptables -P INPUT ACCEPT
$iptables -P OUTPUT ACCEPT
$iptables -P FORWARD ACCEPT

/sbin/iptables-save
# Generated by iptables-save v1.2.7a on Thu Aug 14 13:04:33 2003
*filter
:INPUT ACCEPT [199:14160]
:FORWARD ACCEPT [3:216]
:OUTPUT ACCEPT [243:16515]
COMMIT
# Completed on Thu Aug 14 13:04:33 2003
# Generated by iptables-save v1.2.7a on Thu Aug 14 13:04:33 2003
*nat
:PREROUTING ACCEPT [3:216]
:POSTROUTING ACCEPT [11:703]
:OUTPUT ACCEPT [8:487]
COMMIT
# Completed on Thu Aug 14 13:04:33 2003

and this can be helpful...

/etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Table: nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


I accept everything above!

So.. the last thing that I did is:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

/sbin/iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

I tested and it's not working yet!! :-(

I will try to do something more...

Maybe this:

> By the way, saruman666 if you have not found the problem.
> I suggest flushing all the rules, setting the three main chains to ACCEPT and leaving only the Masquerade,
> if the internet sharing does not work, then the problem is not with iptables.
 
Old 08-14-2003, 02:39 PM   #11
Mathieu
Senior Member
 
Registered: Feb 2001
Location: Montreal, Quebec, Canada
Distribution: RedHat, Fedora, CentOS, SUSE
Posts: 1,403

Rep: Reputation: 46
Now you need Masquerading. Type:
Code:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
service iptables save
 
Old 08-16-2003, 05:15 PM   #12
saruman666
LQ Newbie
 
Registered: Aug 2003
Location: Brasil - São Paulo
Distribution: Redhat - FreeBSD - OpenBSD
Posts: 10

Original Poster
Rep: Reputation: 0
I fixed the problem... I took a look at the rules and there are some rules from redhat-config-securitylevel that block forwarding when you set medium or high security

I needed to execute redhat-config-securitylevel, change the level and apply the rules again!!

just use:

$echo 1 > /proc/sys/net/ipv4/ip_forward

in the file /etc/sysctl.conf I changed net.ipv4.ip_forward from 0 to 1!!

net.ipv4.ip_forward = 1

After this only use:
$/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE

****DON'T USE:
/etc/init.d/iptables restart
****BEFORE SAVING YOUR RULES!!!
if you do that you will apply the default rules that were there before MASQUERADE!!

so... save first:

/etc/init.d/iptables save
and then...
/etc/init.d/iptables restart

everything's good with me now!!
and next time I need to pay attention to the securitylevel of the Red Hat install! ^_^"
thanks and more thanks to everyone for helping me!!
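As an added example (written for this page, not posted by anyone in the thread), here is the procedure the replies converge on as one iptables-restore ruleset for the two-NIC setup in the question (eth0 as the DHCP uplink and eth1 on 192.168.0.0/24 are taken from the posts), using a default-DROP FORWARD policy plus the ESTABLISHED,RELATED rule instead of the quick-and-dirty all-ACCEPT, and a lint function that flags the three mistakes seen above: no MASQUERADE in the nat table, FORWARD DROP without the state rule, and FORWARD DROP with nothing letting the LAN out. Loading the file with iptables-restore replaces the whole ruleset atomically, so the "restart before save" trap from the last post cannot wipe the MASQUERADE rule.

```shell
#!/bin/sh
# Constructed example: generate and lint an iptables-save style ruleset for a
# two-NIC NAT gateway (interfaces and LAN net are arguments, not hard-coded).

# gen_gateway_rules EXT_IF LAN_IF LAN_NET  -> ruleset on stdout
gen_gateway_rules() {
    ext_if=$1 lan_if=$2 lan_net=$3
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan_if -s $lan_net -j ACCEPT
-A INPUT -i $ext_if -p udp --sport 67 --dport 68 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan_if -o $ext_if -s $lan_net -m state --state NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $lan_net -o $ext_if -j MASQUERADE
COMMIT
EOF
}

# lint_ruleset < ruleset : exit 0 if the gateway can forward and masquerade,
# 1 otherwise, naming the mistakes from the thread on stderr.
lint_ruleset() {
    rs=$(cat)
    rc=0
    if ! printf '%s\n' "$rs" | grep -Eq '^-A POSTROUTING .*-j (MASQUERADE|SNAT)'; then
        echo "no MASQUERADE/SNAT rule in nat POSTROUTING" >&2; rc=1
    fi
    if printf '%s\n' "$rs" | grep -q '^:FORWARD DROP'; then
        printf '%s\n' "$rs" | grep -q '^-A FORWARD .*--state .*ESTABLISHED.*-j ACCEPT' \
            || { echo "FORWARD policy DROP without ESTABLISHED,RELATED accept" >&2; rc=1; }
        printf '%s\n' "$rs" | grep -q '^-A FORWARD .*-s .*-j ACCEPT' \
            || { echo "FORWARD policy DROP and no rule lets LAN traffic out" >&2; rc=1; }
    fi
    return $rc
}

# Usage (as root, Red Hat layout):  sysctl -w net.ipv4.ip_forward=1
#   gen_gateway_rules eth0 eth1 192.168.0.0/24 | tee /etc/sysconfig/iptables | iptables-restore
```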
 