LinuxQuestions.org


oknets10 03-24-2008 03:03 AM

iptables problem after del add a rule
 
Hi all,

I'm adding an SNAT rule and doing a ping to check it, and it works fine.
Then I'm deleting the rule and adding it again (without stopping the ping), and the ping does not start working again; I must stop and restart the ping in order for iptables (and ping) to work.

Any idea why, and how to solve it?

sarajevo 03-24-2008 03:09 AM

Hi, give us the iptables code you have :)
Then we can write more, right?

oknets10 03-24-2008 03:12 AM

Quote:

Originally Posted by sarajevo (Post 3098460)
Hi, give us the iptables code you have :)
Then we can write more, right?

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to 192.168.11.2

That's all.

sarajevo 03-24-2008 03:35 AM

....
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT # You set the starting policies: drop everything in the INPUT and FORWARD chains, and accept all in the OUTPUT chain (do you understand chains?)

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT # Accept all from lo interface

I suppose you have this rule on some machine with two network interfaces ?

So, using this rule
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to 192.168.11.2

you allow packets originating from network 192.168.1.0/24 to have a source address as if they were originating from host 192.168.11.2.
You can allow transferring packets from one interface to another with the following rules:

iptables -A FORWARD -i $LAN_IFACE -j ACCEPT
iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT ...
This will allow forwarding from the inside net to the outside.

iptables -A FORWARD -o $other_iface -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

....
also read http://iptables-tutorial.frozentux.n...-tutorial.html

and more, http://lartc.org/


By the way, I do not understand why you have to stop it once it is working.
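The SNAT rule discussed above does not rewrite packets on its own: the NAT decision is bound to the connection-tracking entry for a flow when its first packet is seen, and an existing flow keeps that mapping whatever the nat table says afterwards. The following diagnostic, an added example that is not code from either poster, parses `conntrack -L` / `/proc/net/ip_conntrack` style output (a constructed sample is embedded) and reports which flows from 192.168.1.0/24 are, and are not, currently mapped to 192.168.11.2.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in `conntrack -L` format (not real captured data).
# Flow 1: ICMP echo from the LAN, source-NATed (reply addressed to 192.168.11.2).
# Flow 2: TCP from the LAN tracked without NAT (reply goes to the private source).
# Flow 3: an unreplied ICMP flow that is also not NATed.
SAMPLE = """\
icmp     1 29 src=192.168.1.10 dst=192.168.11.1 type=8 code=0 id=512 src=192.168.11.1 dst=192.168.11.2 type=0 code=0 id=512 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=192.168.11.1 sport=40120 dport=22 src=192.168.11.1 dst=192.168.1.20 sport=22 dport=40120 [ASSURED] mark=0 use=1
icmp     1 29 src=192.168.1.30 dst=192.168.11.1 type=8 code=0 id=77 [UNREPLIED] src=192.168.11.1 dst=192.168.1.30 type=0 code=0 id=77 mark=0 use=1
"""

@dataclass
class Flow:
    proto: str
    orig_src: str
    orig_dst: str
    reply_src: str
    reply_dst: str
    unreplied: bool

    def snat_address(self) -> Optional[str]:
        """Address the source was rewritten to, or None when no SNAT applies.
        If the reply direction is addressed to something other than the
        original source, this entry is carrying a source-NAT mapping."""
        return self.reply_dst if self.reply_dst != self.orig_src else None

# Each conntrack line carries two "src=... dst=..." tuples: original, then reply.
_PAIR = re.compile(r"src=(\S+) dst=(\S+)")

def parse_conntrack(text: str) -> List[Flow]:
    flows = []
    for line in text.splitlines():
        pairs = _PAIR.findall(line)
        if len(pairs) != 2:  # skip blank or unexpected lines
            continue
        (osrc, odst), (rsrc, rdst) = pairs
        flows.append(Flow(line.split()[0], osrc, odst, rsrc, rdst, "[UNREPLIED]" in line))
    return flows

def flows_missing_snat(text: str, lan: str, snat_to: str) -> List[Flow]:
    """Flows from the LAN prefix whose existing entry lacks the expected SNAT
    mapping; they keep their current mapping until they expire or are flushed."""
    net = ipaddress.ip_network(lan)
    return [f for f in parse_conntrack(text)
            if ipaddress.ip_address(f.orig_src) in net and f.snat_address() != snat_to]
```

On a live router, feed the output of `conntrack -L` (or `cat /proc/net/ip_conntrack` on older kernels) to `flows_missing_snat` to see which flows a newly added rule will not affect.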

oknets10 03-24-2008 04:13 AM

Hi,

Yes, the rule is on a machine with two interfaces.
You suggest a different way for the same thing, but four rules instead of one. Yours is more generic, but I don't need it.
Thanks for your help.

