Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
07-24-2006, 04:36 PM | #1 | pbhj (Member; Registered: Dec 2002; Location: UK; Distribution: Slackware 12; Ubuntu 7.10; Posts: 358)
iptables NAT, no ACK data, resolves fine ...?
Here goes again (post failed to auth last time!! ARGH!)
Can't get NAT to work from laptop (WinXP Home) to desktop (Slackware 10.2).
I can, now I'm running named, ping (out) and resolve external servers, no ACKs though. Ethereal shows lots of SYNs being sent when I try to surf to a website from the laptop. Desktop connects fine to the 'net, and samba and pinging work between machines.
I've disabled windows firewall and Kerio on laptop and used simple NAT rules (several versions and several iptable config tools, currently firestarter) so as to ensure I'm not blocking required packets.
Any help greatly appreciated - before I finish tearing my hair out!
pbhj
====
Config:
laptop (192.168.0.2 [static]) --eth0--> desktop (192.168.0.1 [static]) --ppp0(pppoe)--> ISP (orange|wanadoo|freeserve).
route:
Code:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
ge0-1.lns5-c10. * 255.255.255.255 UH 0 0 0 ppp0
192.168.0.0 * 255.255.255.0 U 0 0 0 eth0
loopback * 255.0.0.0 U 0 0 0 lo
default * 0.0.0.0 U 0 0 0 ppp0
iptables -L (currently using firestarter)
Code:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- resolver2.svr.pol.co.uk anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
ACCEPT udp -- resolver2.svr.pol.co.uk anywhere
ACCEPT tcp -- resolver1.svr.pol.co.uk anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
ACCEPT udp -- resolver1.svr.pol.co.uk anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere limit: avg 10/sec burst 5
DROP all -- anywhere 255.255.255.255
DROP all -- BASE-ADDRESS.MCAST.NET/8 anywhere
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/8
DROP all -- 255.255.255.255 anywhere
DROP all -- anywhere 0.0.0.0
DROP all -- anywhere anywhere state INVALID
LSI all -f anywhere anywhere limit: avg 10/min burst 5
INBOUND all -- anywhere anywhere
INBOUND all -- anywhere ixthus
INBOUND all -- anywhere user-6542.lns5-c10.dsl.pol.co.uk
INBOUND all -- anywhere 192.168.0.255
LOG_FILTER all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Unknown Input'
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere limit: avg 10/sec burst 5
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
OUTBOUND all -- anywhere anywhere
ACCEPT tcp -- anywhere 192.168.0.0/24 state RELATED,ESTABLISHED
ACCEPT udp -- anywhere 192.168.0.0/24 state RELATED,ESTABLISHED
LOG_FILTER all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Unknown Forward'
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- user-6542.lns5-c10.dsl.pol.co.uk resolver2.svr.pol.co.uk tcp dpt:domain
ACCEPT udp -- user-6542.lns5-c10.dsl.pol.co.uk resolver2.svr.pol.co.uk udp dpt:domain
ACCEPT tcp -- user-6542.lns5-c10.dsl.pol.co.uk resolver1.svr.pol.co.uk tcp dpt:domain
ACCEPT udp -- user-6542.lns5-c10.dsl.pol.co.uk resolver1.svr.pol.co.uk udp dpt:domain
ACCEPT all -- anywhere anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/8 anywhere
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/8
DROP all -- 255.255.255.255 anywhere
DROP all -- anywhere 0.0.0.0
DROP all -- anywhere anywhere state INVALID
OUTBOUND all -- anywhere anywhere
OUTBOUND all -- anywhere anywhere
LOG_FILTER all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Unknown Output'
Chain INBOUND (4 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 192.168.0.0/24 anywhere
ACCEPT tcp -- 192.168.0.0/24 anywhere tcp dpts:netbios-ns:netbios-ssn
ACCEPT udp -- 192.168.0.0/24 anywhere udp dpts:netbios-ns:netbios-ssn
ACCEPT tcp -- 192.168.0.0/24 anywhere tcp dpt:microsoft-ds
ACCEPT udp -- 192.168.0.0/24 anywhere udp dpt:microsoft-ds
LSI all -- anywhere anywhere
Chain LOG_FILTER (5 references)
target prot opt source destination
Chain LSI (2 references)
target prot opt source destination
LOG_FILTER all -- anywhere anywhere
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST
LOG icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP icmp -- anywhere anywhere icmp echo-request
LOG all -- anywhere anywhere limit: avg 5/sec burst 5 LOG level info prefix `Inbound '
DROP all -- anywhere anywhere
Chain LSO (0 references)
target prot opt source destination
LOG_FILTER all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 5/sec burst 5 LOG level info prefix `Outbound '
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTBOUND (3 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ifconfig
Code:
eth0 Link encap:Ethernet HWaddr 00:E0:18:CC:D8:4B
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::2e0:18ff:fecc:d84b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9227 errors:0 dropped:0 overruns:0 frame:0
TX packets:4946 errors:0 dropped:0 overruns:1 carrier:0
collisions:0 txqueuelen:1000
RX bytes:902207 (881.0 KiB) TX bytes:2350808 (2.2 MiB)
Interrupt:5 Base address:0x1400
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:3507 errors:0 dropped:0 overruns:0 frame:0
TX packets:3507 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:147308 (143.8 KiB) TX bytes:147308 (143.8 KiB)
ppp0 Link encap:Point-to-Point Protocol
inet addr:84.68.153.142 P-t-P:62.25.198.169 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:33124 errors:0 dropped:0 overruns:0 frame:0
TX packets:36280 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:27930296 (26.6 MiB) TX bytes:6783392 (6.4 MiB)
I've got some ethereal libpcap style dump of a ping and a website access attempt if that helps ... let me know.
07-24-2006, 05:57 PM | #2 | Matir (Moderator; Registered: Nov 2004; Location: San Jose, CA; Distribution: Ubuntu; Posts: 8,505)
To be honest, that remains a very complex iptables setup. About the bare minimum for a NAT setup is (stolen from my box):
Code:
*nat
:PREROUTING ACCEPT [127116:11275682]
:POSTROUTING ACCEPT [359:18720]
:OUTPUT ACCEPT [1976:134673]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Mon Jul 3 01:43:54 2006
# Generated by iptables-save v1.3.1 on Mon Jul 3 01:43:54 2006
*filter
:INPUT DROP [35218:5766523]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [47799:4239308]
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A FORWARD -s 192.168.1.0/255.255.255.0 -i eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Mon Jul 3 01:43:54 2006
This assumes that you are using a 192.168.1.0/24 private network on eth0 with internet on eth1.
07-25-2006, 04:06 PM | #3 | pbhj (Member; Registered: Dec 2002; Location: UK; Distribution: Slackware 12; Ubuntu 7.10; Posts: 358; Original Poster)
minimal NAT
Thanks for your reply.
I was under the impression that:
Code:
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward
was the minimal NAT requirement. But I've also tried it with things like
Code:
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT
.. to ensure that eth0 traffic was explicitly allowed; and with
Code:
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
.. to ensure it wasn't a problem with non-fragmentation of overlarge packets (this is a fix apparently, though it could be a phone home for an alien planet for all I know!).
Anyhow. I've tried your script with my ppp0 (pppoe to ISP) and eth0 (LAN) so that iptables-save now gives me:
Code:
# Generated by iptables-save v1.3.5 on Tue Jul 25 21:36:12 2006
*nat
:PREROUTING ACCEPT [18:1844]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [48:2892]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Tue Jul 25 21:36:12 2006
# Generated by iptables-save v1.3.5 on Tue Jul 25 21:36:12 2006
*filter
:INPUT DROP [4:524]
:FORWARD DROP [6:288]
:OUTPUT ACCEPT [1330:85670]
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A FORWARD -s 192.168.0.0/255.255.255.0 -i eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Tue Jul 25 21:36:12 2006
This doesn't appear to have changed anything. I still can't access net from laptop via desktop. Any other thoughts??
(Incidentally, I've also switched to using dnsmasq instead of named).
===
What I'm getting according to Ethereal is this: deskflap ("D") gets a request from laptop ("L") and looks up the IP of the domain name on the net, returning it to L [OK so far!]. L then sends 4 SYN packets from port 1154 to port 80 of the appropriate webserver. Then I get two ARP packets, one from D's MAC asking "who has 192.168.0.2" and the other responding correctly with the MAC of L [presumably this is setting up ready to return the HTTP data?]. Then I get an NBNS packet that says something about refreshing L. And then I get some packets mixed together including some ICMP,3 (host unreachables from D to L) and some more TCP SYN stuff from consecutive ports which appear to be further connection attempts and which try a few different server addresses (perhaps due to load balanced servers). I also get more NBNS and ARP stuff.
Please help if you can.
Thanks.
07-25-2006, 05:05 PM | #4 | Matir (Moderator; Registered: Nov 2004; Location: San Jose, CA; Distribution: Ubuntu; Posts: 8,505)
So the desktop and the laptop can talk to each other, but all outbound packets are being rejected with the ICMP host unreachable?
Is echo "1" > /proc/sys/net/ipv4/ip_forward set as well? (Just checking)
07-25-2006, 05:19 PM | #5 | pbhj (Member; Registered: Dec 2002; Location: UK; Distribution: Slackware 12; Ubuntu 7.10; Posts: 358; Original Poster)
Yes, cat /proc/sys/net/ipv4/ip_forward responds with "1". I've also tried with dyn_addr set to "1" and tried ftp / pop3 traffic and that doesn't work either.
But I've noticed I don't have ip_conntrack module, could this relate?
lsmod:
Code:
Module Size Used by
iptable_mangle 2624 0
ipt_TCPMSS 4032 0
xt_tcpudp 3200 5
xt_state 1984 7
ipt_MASQUERADE 3520 1
iptable_nat 8516 1
ip_nat 17132 2 ipt_MASQUERADE,iptable_nat
iptable_filter 2816 1
ip_tables 12760 3 iptable_mangle,iptable_nat,iptable_filter
x_tables 12612 6 ipt_TCPMSS,xt_tcpudp,xt_state,ipt_MASQUERADE,iptable_nat,ip_tables
snd_mixer_oss 17280 0
ipv6 226816 16
quickcam 68708 0
videodev 9024 1 quickcam
ohci_hcd 30788 0
via_agp 9408 1
snd_ens1370 19296 1
snd_rawmidi 24992 1 snd_ens1370
snd_ak4531_codec 8640 1 snd_ens1370
ohci1394 31472 0
8139too 25664 0
nvidia 3922140 12
joydev 9280 0
sr_mod 14948 0
ide_scsi 15492 0
nvidia_agp 7388 0
Last edited by pbhj; 07-25-2006 at 05:28 PM.
07-25-2006, 05:24 PM | #6 | Matir (Moderator; Registered: Nov 2004; Location: San Jose, CA; Distribution: Ubuntu; Posts: 8,505)
Yeah, you'll need conntrack. Looks like your kernel version is right in the middle of the transition from ipt_ to xt_.  Somehow it's supposed to be more extensible... or something. 
07-25-2006, 05:33 PM | #7 | pbhj (Member; Registered: Dec 2002; Location: UK; Distribution: Slackware 12; Ubuntu 7.10; Posts: 358; Original Poster)
for sure?!
Quote: Originally Posted by Matir
Yeah, you'll need conntrack. Looks like your kernel version is right in the middle of the transition from ipt_ to xt_. Somehow it's supposed to be more extensible... or something.
So conntrack is definitely needed for NAT? Where is it in the "make menuconfig" tree? I'll make the module and see if it fixes it. I do have xt_conntrack as it happens! Should I be up- or down-grading???
Thanks!
Incidentally, I thought kernels would be usable if they were released. I've just found that my CD writer no longer works and have been told to revert to a 2.4 kernel (but that's a different thread all together).
Last edited by pbhj; 07-25-2006 at 05:38 PM.
07-25-2006, 05:43 PM | #8 | Matir (Moderator; Registered: Nov 2004; Location: San Jose, CA; Distribution: Ubuntu; Posts: 8,505)
I've almost never heard of a kernel breaking support for hardware that worked fine previously... in the rare case it did, they fixed it ASAP. But as you say, that's a separate thread.
Conntrack should be in:
Code:
│ Location: │
│ -> Networking │
│ -> Networking support (NET [=y]) │
│ -> Networking options │
│ -> Network packet filtering (replaces ipchains) (NETFILTER [= │
│ -> IP: Netfilter Configuration
(Sorry if it's messy, it's a copy/paste from make menuconfig)
07-25-2006, 05:54 PM | #9 | pbhj (Member; Registered: Dec 2002; Location: UK; Distribution: Slackware 12; Ubuntu 7.10; Posts: 358; Original Poster)
Symbol: IP_NF_CONNTRACK [=y] │
│ Prompt: Connection tracking (required for masq/NAT) │
│ Defined at net/ipv4/netfilter/Kconfig:23 │
│ Depends on: NET && INET && NETFILTER │
│ Location: │
│ -> Networking │
│ -> Networking support (NET [=y]) │
│ -> Networking options │
│ -> Network packet filtering (replaces ipchains) (NETFILTER [=y]) │
│ -> IP: Netfilter Configuration
OK. I have that, but it makes xt_conntrack.
Now modinfo tells me that xt_conntrack is aliased as ipt_conntrack, but presumably this is something different from ip_conntrack??
Thanks for all your help on this btw Matir.
I know this ain't Windows, but I'm going to try a reboot!
07-25-2006, 05:58 PM | #10 | Matir (Moderator; Registered: Nov 2004; Location: San Jose, CA; Distribution: Ubuntu; Posts: 8,505)
xt_conntrack is the 'new' name, I believe. Try modprobing it and see what happens. 
07-25-2006, 06:59 PM | #11 | pbhj (Member; Registered: Dec 2002; Location: UK; Distribution: Slackware 12; Ubuntu 7.10; Posts: 358; Original Poster)
w00t it works, nat now enabled ... posting from laptop!
Thanks Matir.
I went down the list and enabled all the modules in "IP: Netfilter Configuration" using "make menuconfig" and then did "make modules && make modules_install".
This borked my nvidia module (why? I don't know, I suspect it just sets a dirty flag and forces the module to be remade, luckily I've done that a few times and recognised the problem and knew the solution ... experience is great!).
So anyhow: I'm using dnsmasq and firestarter. So I'll use rc.dnsmasq and chmod it to a+x and I'll do an iptables-save to create an rc.firewall and chmod a+x that too.
I'm getting standard internet on the laptop and using ethereal on desktop I can see the ACKs rolling by. I still seem to have some ICMP unreachables from desktop to laptop, but it seems perhaps the ARP stuff is automagically compensating for that.
Great. I can get on with fixing my CD writer now!!
Cheers again.
pbhj
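The thread boiled down to three prerequisites that have to hold together: ip_forward set to 1, the connection-tracking core module loaded (the box above had xt_state and ipt_MASQUERADE but no ip_conntrack, so MASQUERADE tracked nothing), and a MASQUERADE rule on the WAN interface paired with FORWARD rules that let the LAN out and RELATED,ESTABLISHED replies back. The script below is an added example written for this page, not code from the thread or from Firestarter; each check takes its input as text, so it can be run against saved output or, with NAT_CHECK_LIVE=1, against a live box. The interface and subnet defaults (ppp0, 192.168.0.0/24) are assumptions taken from the poster's setup.

```shell
#!/bin/sh
# nat_check.sh: offline-testable checks for the NAT prerequisites this thread
# needed before the laptop could reach the net through the Slackware box:
#   1. /proc/sys/net/ipv4/ip_forward is 1
#   2. the conntrack core module is loaded (ip_conntrack on kernels of that
#      era, nf_conntrack today); xt_state/xt_conntrack are only match
#      extensions and do not track connections themselves
#   3. a MASQUERADE rule on the WAN interface, plus FORWARD rules that let the
#      LAN out and RELATED,ESTABLISHED replies back in
# Example script written for this page, not from the thread.

check_ip_forward() {   # $1: contents of /proc/sys/net/ipv4/ip_forward
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

check_conntrack() {    # $1: lsmod output
    printf '%s\n' "$1" | grep -Eq '^(ip|nf)_conntrack[[:space:]]'
}

has_line() {           # $1: text, $2: fixed string that must appear on a line
    printf '%s\n' "$1" | grep -Fq -- "$2"
}

check_rules() {        # $1: iptables-save output, $2: WAN iface, $3: LAN subnet
    has_line "$1" "-A POSTROUTING -o $2 -j MASQUERADE" &&
    printf '%s\n' "$1" | grep -F -- "-A FORWARD -s $3 " | grep -q -- '-j ACCEPT$' &&
    has_line "$1" "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
}

# Runs all three checks, prints each failure, returns 0 only if all pass.
nat_report() {         # $1: ip_forward, $2: lsmod, $3: iptables-save, $4: WAN, $5: LAN
    rc=0
    check_ip_forward "$1"      || { echo "FAIL: ip_forward is not 1"; rc=1; }
    check_conntrack "$2"       || { echo "FAIL: no conntrack core module loaded"; rc=1; }
    check_rules "$3" "$4" "$5" || { echo "FAIL: MASQUERADE/FORWARD rules incomplete"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: NAT prerequisites present"
    return "$rc"
}

# Live run as root, e.g.: NAT_CHECK_LIVE=1 WAN_IF=ppp0 LAN_NET=192.168.0.0/24 sh nat_check.sh
if [ "${NAT_CHECK_LIVE:-0}" = 1 ]; then
    nat_report "$(cat /proc/sys/net/ipv4/ip_forward)" "$(lsmod)" "$(iptables-save)" \
               "${WAN_IF:-ppp0}" "${LAN_NET:-192.168.0.0/24}"
fi
```

Current iptables-save prints the state match as `-m conntrack --ctstate RELATED,ESTABLISHED`; adjust the fixed string in check_rules if that is what your box emits.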