Old 06-14-2007, 11:23 AM   #1
MarkEHansen
LQ Newbie
 
Registered: Dec 2006
Posts: 19

Rep: Reputation: 0
IPTABLES rules for NAT of machines through the PPP interface


I have a CentOS 4.5 Linux machine which acts as my connection to the internet and firewall. Behind that, I have a small set of machines which are masqueraded through it to the Internet, using IPTABLES.

The Linux machine has a 'lo' interface, as well as an internal (INT) interface for the local machines, and an external (EXT) interface for the connection to the Internet.

This all works fine.

Now, I am trying to add a PPP connection from my office Linux machine to my machine at home. The PPP connection comes up properly, and routes are added as needed, and connectivity from my home Linux machine to my office network works as expected.

The problem is that my local (masqueraded) machines at home are not able to get IP packets to the office machines and back again.

I've added the following IPTABLES commands to my firewall scripts, but still cannot get the packets through:

$IPTABLES -A INPUT -i ppp0 -j ACCEPT
$IPTABLES -A OUTPUT -o ppp0 -j ACCEPT
$IPTABLES -A FORWARD -o ppp0 -j ACCEPT

I believe the problem is that the IPTABLES firewall needs to do some special NATing for the PPP interface.

Is this something I can get some help with on this forum? I can provide more details about my configuration, of course, but wanted to keep this initial message short and readable.

Thanks,
 
Old 06-14-2007, 02:11 PM   #2
rossonieri#1
Member
 
Registered: Jun 2007
Posts: 359

Rep: Reputation: 34
Quote:
Originally Posted by MarkEHansen

$IPTABLES -A INPUT -i ppp0 -j ACCEPT
$IPTABLES -A OUTPUT -o ppp0 -j ACCEPT
$IPTABLES -A FORWARD -o ppp0 -j ACCEPT
The bold one (the FORWARD rule) - try to replace it with this line:

$IPTABLES -A FORWARD -i ppp0 -o <your_intintf> -j ACCEPT

and for the NAT -- I don't have a clue where the traffic will be redirected since you don't give any code.


HTH,

Cheers.

Last edited by rossonieri#1; 06-14-2007 at 02:14 PM.
 
Old 06-14-2007, 03:58 PM   #3
MarkEHansen
LQ Newbie
 
Registered: Dec 2006
Posts: 19

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by rossonieri#1
The bold one (the FORWARD rule) - try to replace it with this line:

$IPTABLES -A FORWARD -i ppp0 -o <your_intintf> -j ACCEPT

and for the NAT -- I don't have a clue where the traffic will be redirected since you don't give any code.


HTH,

Cheers.
I changed that FORWARD rule as you've suggested, but no change. I think the problem is in the natting anyway, so let me show you what I'm doing there:

- PPPIP is the IP address for the PPP tunnel on the home side

$IPTABLES -A INPUT -i ppp0 -s 0.0.0.0/0 -d $PPPIP \
-m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -o $INTIF -j ACCEPT
This used to say ppp0, rather than $INTIF

$IPTABLES -t nat -A POSTROUTING -o ppp0 -j SNAT --to $PPPIP


If you need to see all my rules, I can provide them...

Thanks,
 
Old 06-15-2007, 12:13 AM   #4
rossonieri#1
Member
 
Registered: Jun 2007
Posts: 359

Rep: Reputation: 34
hi,

hmmm... OK, let's see whether the packet can go outside to the remote office using tcpdump on ppp0. Or maybe it can go outside but your machine can't receive the reply.

Or for simplicity --- just disable iptables first to check whether you can really send/receive the traffic (moreover, you use NAT).

I'll be waiting.

cheers.
 
Old 06-15-2007, 11:31 AM   #5
MarkEHansen
LQ Newbie
 
Registered: Dec 2006
Posts: 19

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by rossonieri#1
hi,

hmmm... OK, let's see whether the packet can go outside to the remote office using tcpdump on ppp0. Or maybe it can go outside but your machine can't receive the reply.
I ran tcpdump -i ppp0 on my local Linux machine and saw that when I pinged an IP at my office from the local Linux machine, the packets were sent and received.

However, when I attempted to ping the same IP at my office from my local masqueraded PC, there was no output from tcpdump.

Quote:
Originally Posted by rossonieri#1
Or for simplicity --- just disable iptables first to check whether you can really send/receive the traffic (moreover, you use NAT).
I'm not sure what you are asking for here. If I disable iptables, I'll lose the NATting functionality as well, won't I?


Quote:
Originally Posted by rossonieri#1
I'll be waiting.

cheers.
Thank you so much for taking the time to help me.

Incidentally, I've been reading through the iptables tutorial, but nothing helpful gained just yet. I'll also be ordering the Linux Firewalls book by Robert Ziegler, but would sure like to get this working in the meantime.
 
Old 06-15-2007, 12:11 PM   #6
MarkEHansen
LQ Newbie
 
Registered: Dec 2006
Posts: 19

Original Poster
Rep: Reputation: 0
I know that my iptables rules are working to masquerade my in-home machines, so I went through all the rules and created similar rules for the PPP interface.

The result is that my in-home machines are now able to ping the machines located on my office network, via the PPP interface.

I really appreciate the help, and realize that I still need to learn more about how to configure the iptables rules, and will continue to do so.

Here are the rules that I added to my firewall script in support of the PPP tunnel. If you see anything wrong with these, I would sure like to hear about it.

Thanks again!

INTIF is my internal interface (eth0)
EXTIF is my external interface (eth1)
UNIVERSE=0.0.0.0/0 (0.0.0.0/32 would match only the single address 0.0.0.0, not "any address")
INTNET=is my internal network (10.1.1.0/24)
PPPIF=ppp0
PPPIP is the IP address of my local Linux machine on the home-end of the PPP tunnel

$IPTABLES -A INPUT -i $PPPIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
$IPTABLES -A INPUT -i $PPPIF -p ICMP -s $UNIVERSE -d $PPPIP -j ACCEPT
$IPTABLES -A INPUT -i $PPPIF -s $UNIVERSE -d $PPPIP -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A OUTPUT -o $PPPIF -s $PPPIP -d $UNIVERSE -j ACCEPT

$IPTABLES -A FORWARD -o $PPPIF -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $PPPIF -j ACCEPT
$IPTABLES -A FORWARD -i $PPPIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -t nat -A POSTROUTING -o $PPPIF -j SNAT --to $PPPIP
 
Old 06-15-2007, 02:19 PM   #7
rossonieri#1
Member
 
Registered: Jun 2007
Posts: 359

Rep: Reputation: 34
hi MarkEHansen,

sorry for the very late reply

"I know that my iptables rules are working to masquerade my in-home machines, so I went through all the rules and created similar rules for the PPP interface.

The result is that my in-home machines are now able to ping the machines located on my office network, via the PPP interface."

well, congrats then

from yours :
$IPTABLES -A INPUT -i $PPPIF -s $UNIVERSE -d $PPPIP -m state --state ESTABLISHED,RELATED -j ACCEPT

and

$IPTABLES -A FORWARD -i $PPPIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

and

$IPTABLES -t nat -A POSTROUTING -o $PPPIF -j SNAT --to $PPPIP


this is the key to successfully accepting a connection.

cheers.
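The rules in posts #3 and #6, and the three rules post #7 singles out (stateful INPUT on the tunnel, stateful FORWARD from the tunnel back to the LAN, and the POSTROUTING SNAT), are collected below as a dry-run-able shell script. This is an added example, not the poster's firewall script: the interface names, the home LAN, the tunnel address and the office network are assumptions (documentation-range addresses stand in for PPPIP and the office side), and the FORWARD and SNAT rules are restricted to `-s $INTNET` and the office network, which is tighter than the thread's rules. With `IPTABLES` left at its default of `echo` the script only prints the rules; `check_key_rules` then confirms that the three key rules are present in a listing.

```bash
#!/bin/sh
# Added example (not from the thread): PPP tunnel forwarding + SNAT rule set.
# IPTABLES=echo (the default here) prints the rules instead of installing them;
# run as root with IPTABLES=iptables to apply them.
IPTABLES="${IPTABLES:-echo}"

INTIF="${INTIF:-eth0}"                    # home LAN interface (poster's eth0)
PPPIF="${PPPIF:-ppp0}"                    # tunnel to the office
INTNET="${INTNET:-10.1.1.0/24}"           # home LAN (the poster's network)
PPPIP="${PPPIP:-192.0.2.10}"              # assumed home-side tunnel address (TEST-NET-1)
OFFICENET="${OFFICENET:-198.51.100.0/24}" # assumed office network (TEST-NET-2)

# Forwarding must also be enabled in the kernel (not done here):
#   echo 1 > /proc/sys/net/ipv4/ip_forward

ppp_tunnel_rules() {
  # 1. Anti-spoofing: nothing arriving on the tunnel may claim a home LAN source.
  $IPTABLES -A INPUT   -i "$PPPIF" -s "$INTNET" -j DROP
  $IPTABLES -A FORWARD -i "$PPPIF" -s "$INTNET" -j DROP

  # 2. The gateway itself over the tunnel: only replies to connections it opened.
  $IPTABLES -A INPUT  -i "$PPPIF" -d "$PPPIP" -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A OUTPUT -o "$PPPIF" -s "$PPPIP" -j ACCEPT

  # 3. Forwarding: the LAN may open connections to the office; the office side
  #    only gets replies back into the LAN.
  $IPTABLES -A FORWARD -i "$INTIF" -o "$PPPIF" -s "$INTNET" -d "$OFFICENET" -j ACCEPT
  $IPTABLES -A FORWARD -i "$PPPIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT

  # 4. NAT: rewrite LAN sources to the tunnel address so the office can reply
  #    without a route back to 10.1.1.0/24.
  $IPTABLES -t nat -A POSTROUTING -o "$PPPIF" -s "$INTNET" -j SNAT --to-source "$PPPIP"
}

# Number of rules the set produces (in dry-run mode, one line per rule).
rule_count() {
  ppp_tunnel_rules | wc -l | tr -d ' '
}

# Read a rule listing on stdin and verify the three rules post #7 calls the key.
# Returns 0 if all are present, 1 (naming the first missing one) otherwise.
check_key_rules() {
  listing=$(cat)
  for needle in \
    "INPUT -i $PPPIF -d $PPPIP -m state --state ESTABLISHED,RELATED -j ACCEPT" \
    "FORWARD -i $PPPIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT" \
    "POSTROUTING -o $PPPIF -s $INTNET -j SNAT --to-source $PPPIP"; do
    case "$listing" in
      *"$needle"*) ;;
      *) echo "missing: $needle" >&2; return 1 ;;
    esac
  done
  return 0
}

# Stand-alone run: print the rule set (dry run unless IPTABLES is overridden).
ppp_tunnel_rules
```

If the tunnel address changes on every dial-up, `-j MASQUERADE` on the POSTROUTING rule avoids having to re-read the new address into PPPIP before the rules are loaded; SNAT with a fixed `--to-source` is fine when the address is stable for the life of the tunnel.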
 
  

