natting traffic between 2 interfaces

nukenstien · 02-12-2005, 01:15 PM

I have found out that it is my firewall that is blocking icmp traffic from returning trough the firewall.
The traffic is going out through the firewall because of tcpdump but the traffic is blocking comming back in.

How do I accept and forward icmp traffic from eth 1 to eth2.
And how do I accept and forward the icmp reply back from eth2 to the eth1 network.

Nuke

logo · 02-12-2005, 03:27 PM

I'm by no means an expert, but I'll try and help. I suppose we're talking the IPTABLES firewall here. In a console with root rights try:
"iptables -A FORWARD -p ICMP -i ETH1 -o ETH2 -j ACCEPT" for enabling ETH1->ETH2 and
"iptables -A FORWARD -p ICMP -i ETH2 -o ETH1 -j ACCEPT" for ETH2->ETH1
If the packets are also meant for the linux machine itself, do the same commands, only with INPUT instead of FORWARD. You should also turn port forwarding on in oreder for the pacets to be traversed trough.
I also suggest that you study the man pages for iptables, so you know what you are doing.
Try typing "man iptables" into a console, it's written pretty nice.
Hope I helped, since IPTABLES is among the very few thing I've been able to undrestand so-far.

nukenstien · 02-13-2005, 11:12 PM

It is still not working this my tcpdump when I try to ping from windows, the windows box must go through the linux box, to 192.168.0.1 and the reply must come back through the linux box to the windows box.

23:14:36.573200 192.168.1.242 > 192.168.0.1: icmp: echo request
23:14:37.062479 192.168.0.1.1900 > 239.255.255.250.1900: udp 252
23:14:37.063416 192.168.0.1.1900 > 239.255.255.250.1900: udp 270
23:14:37.064460 192.168.0.104.32776 > 192.168.0.1.domain: 26878+ PTR? 250.255.255.239.in-addr.arpa. (46) (DF)
23:14:37.064437 192.168.0.1.1900 > 239.255.255.250.1900: udp 324
23:14:37.069575 192.168.0.1.1900 > 239.255.255.250.1900: udp 316
23:14:37.077237 192.168.0.1.1900 > 239.255.255.250.1900: udp 246
23:14:37.078211 192.168.0.1.1900 > 239.255.255.250.1900: udp 288
23:14:37.083455 192.168.0.1.1900 > 239.255.255.250.1900: udp 320
23:14:37.091742 192.168.0.1.1900 > 239.255.255.250.1900: udp 266
23:14:37.092753 192.168.0.1.1900 > 239.255.255.250.1900: udp 318
23:14:37.097837 192.168.0.1.1900 > 239.255.255.250.1900: udp 312
23:14:37.113012 192.168.0.1.domain > 192.168.0.104.32776: 26878 NXDomain 0/1/0 (103) (DF)
23:14:41.579886 192.168.1.242 > 192.168.0.1: icmp: echo request
23:14:46.586581 192.168.1.242 > 192.168.0.1: icmp: echo request

when I try it from the linux box i get

23:16:45.362306 192.168.0.104 > 192.168.0.1: icmp: echo request (DF)
23:16:45.363041 192.168.0.1 > 192.168.0.104: icmp: echo reply
23:16:46.372161 192.168.0.104 > 192.168.0.1: icmp: echo request (DF)
23:16:46.372948 192.168.0.1 > 192.168.0.104: icmp: echo reply
23:16:47.382156 192.168.0.104 > 192.168.0.1: icmp: echo request (DF)
23:16:47.382885 192.168.0.1 > 192.168.0.104: icmp: echo reply
23:16:48.392160 192.168.0.104 > 192.168.0.1: icmp: echo request (DF)
23:16:48.392895 192.168.0.1 > 192.168.0.104: icmp: echo reply

it seems to be working fine from the linux box.