LinuxQuestions.org


kenneth_phough 08-08-2012 08:20 AM

CentOS 5.8 NAT router icmp unreachable admin prohibited problem
 
Hi,

I have a CentOS 5 set up as a NAT router between network A and Network B in a test environment, like so:

eth0 (NETWORK B) <==> CENTOS <==> eth1 (NETWORK A)

I have set up ipv4 forwarding and have added (what I think are) the correct entries in iptables. NETWORK A is our "Internet" in this test environment. CENTOS is set to provide DHCP service only on eth0 for NETWORK B computers as well as NAT functionality. But I have two problems (one on the first day, another on the second day...got nowhere on the third...):

Day 1) When I permit forwarding from eth0 to eth1 and postrouting masquerade, I cannot connect from any computer in NETWORK B to services (web, ssh, ftp, etc) on NETWORK A. The computers on NETWORK B are assigned the correct IP, subnet, gateway, and dns. So I pinged a few public IPs including: google.com and opendns.com and get replies. This seemed suggestive of a DNS problem, so I manually set my DNS on one of my computers on NETWORK B to use opendns and still no name resolution. The next thing I did from NETWORK B was a traceroute for the public IP of google.com. Nothing! It goes to the gateway (the CentOS 5.8) and stops there with a !Z. I next did a tcpdump on the CentOS 5.8 gateway and found what looks like icmp requests to nameservers (charter, opendns, verizon, etc) resulting with an "unreachable - admin prohibited". I then disabled iptables completely, and bingo! I can connect to services in NETWORK A from computers in NETWORK B...(but leaving iptables off is maybe one of the last things I want to do). However, even with iptables off, I still noticed in the tcpdump a significant number of "unreachable - admin prohibited", which I can definitely experience when browsing the web - it's VERY SLOW and oftentimes results with a timeout exception. What could be causing this? Is this normal activity? I'm starting to wonder if my box is incapable of keeping up with the workload - doubtful but here are the specs: it has an Intel Pentium 2.7Ghz (Intel Pentium G630 Sandy Bridge 2.7GHz LGA 1155 65W Dual-Core Desktop Processor Intel HD Graphics BX80623G630 - http://www.newegg.com/Product/Produc...82E16819116406) and 4GB of RAM. Both NICs are 1Gbps.

Day 2) I thought maybe if I use the system-config-network-tui to configure the firewall, test the system to make sure it works and look at the generated config files I can better understand what I need to do to make my CentOS NAT work. So I went ahead with the guided system-config-network-tui and set both eth0 and eth1 as trusted and masqueraded. Saved the config and restarted iptables. This seemed to work! I was able to access services on NETWORK A from NETWORK B. But there are two problems with this: 1) The generated config file means gibberish to me (I most likely need to go back to my iptables book to remind myself what some of the options mean), and 2) the "unreachable - admin prohibited" problem in my tcpdump is not resolved. And once again I can experience it when browsing the web - it's VERY SLOW and oftentimes results with a timeout exception.

Day 3) head...banging...against...wall...

I apologize in advance for the long post and not providing any logs or config files. I'm posting this from work where I do not have remote access to my box at home. This has been on my mind for three days now and I can't seem to find anything from my searches. Any help is much appreciated!

Thanks,
Ken

kbp 08-08-2012 07:19 PM

Let's start at the start .. in plain English what exactly do you want to achieve? .. are you simulating connecting a private (RFC1918) network to the internet ? .. are you wanting to provide access from the (simulated) internet to specific services on the private network ?

kenneth_phough 08-08-2012 07:24 PM

Quote:

are you simulating connecting a private (RFC1918) network to the internet ?
Yes. My hope is to eventually make this CentOS box a firewall/gateway that will directly connect to my cable modem.

So something like this

My home network <===> CentOS Gateway/Firewall <===> Cable Modem

kbp 08-08-2012 09:07 PM

Let's get basic source NAT working first - perform these commands on the console not remotely ;)

Enable ip forwarding:
Code:

perl -pi -e 's|^net\.ipv4\.ip_forward.*|net.ipv4.ip_forward = 1|' /etc/sysctl.conf
sysctl -p

Flush the current iptables rules:
Code:

iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t nat

Set policies:
Code:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

Add iptables NAT rules, these rules assume that eth1 connects to your private network and eth0 is your external interface:
Code:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

Allow all traffic on eth1 and loopback:
Code:

iptables -A INPUT -i eth1 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

Make the rules permanent in whichever way you please, possibly:
Code:

iptables-save > /etc/sysconfig/iptables

I haven't tested these commands but they're pretty straightforward. Hosts on the private network should have the firewall host as their default gateway and should be able to connect to the firewall itself or external hosts - please test and get back to us.

kenneth_phough 08-08-2012 09:53 PM

Commands executed on a fresh CentOS 5.8

eth0 faces external network DHCP (192.168.1.0/24) Gateway 192.168.1.1
eth1 faces private network Static (192.168.2.0/24)

Below is the physical setup:

|---------PRIVATE NETWORK:eth1----------|-------eth0:EXTERNAL NETWORK--------|-------------INTERNET
iBook G3 <=====> SWITCH <=====> CentOS NAT <=====> SWITCH <=====> ROUTER <====> MODEM

I did a ping for my centos eth1: 192.168.2.1, which worked.

I did a ping for my gateway (192.168.1.1), which didn't work.

Quote:

Elena:~ kenneth$ ping 192.168.1.1
PING 192.168.1.0 (192.168.1.1): 56 data bytes
I don't hear back....

tcpdump shows echo from 192.168.2.254 (my iBook) to the router on the external network (192.168.1.1).

I can also see both switches flickering as the ICMP requests are being sent.

Below is my iptables after running the commands:
Quote:

# Generated by iptables-save v1.3.5 on Wed Aug 8 22:39:17 2012
*nat
:PREROUTING ACCEPT [54:4241]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [2:140]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Wed Aug 8 22:39:17 2012
# Generated by iptables-save v1.3.5 on Wed Aug 8 22:39:17 2012
*filter
:INPUT ACCEPT [9:930]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [29:2771]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Aug 8 22:39:17 2012

Also to confirm ip forwarding is enabled:
Quote:

[root@localhost ~]# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

kbp 08-08-2012 10:34 PM

Quote:

-A POSTROUTING -o eth1 -j MASQUERADE
.. looks like you put the wrong interface in, should be eth0.
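The interface mix-up diagnosed above is easy to catch mechanically: the MASQUERADE rule must name the interface that carries the default route, not the private-side NIC. The script below is an added example, not kbp's or the thread's own code; it runs the check against a constructed copy of the posted iptables-save output and a constructed `ip route show default` line, so it needs neither root nor iptables to try.

```shell
#!/bin/sh
# Constructed sample modelled on the iptables-save output posted in the
# thread: MASQUERADE is on eth1, the private-side NIC, which is the bug.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Constructed sample of "ip route show default" on the router; the
# interface carrying the default route is the external side.
SAMPLE_ROUTE='default via 192.168.1.1 dev eth0'

# Print the interface that carries the default route (first match only).
ext_iface_from_route() {
    printf '%s\n' "$1" |
        awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1) }' |
        head -n 1
}

# Print the interface named by -o on every MASQUERADE rule.
masq_iface_from_rules() {
    printf '%s\n' "$1" |
        awk '/-j MASQUERADE/ { for (i = 1; i <= NF; i++) if ($i == "-o") print $(i + 1) }'
}

# Return 0 when the single MASQUERADE rule hangs off the external interface,
# 1 otherwise. Source NAT on the private side never rewrites outbound
# packets, so replies from external hosts cannot come back to the client.
check_masquerade() {
    rules=$1
    route=$2
    ext=$(ext_iface_from_route "$route")
    masq=$(masq_iface_from_rules "$rules")
    [ -n "$ext" ] && [ "$masq" = "$ext" ]
}

# Live use on the router: check_masquerade "$(iptables-save)" "$(ip route show default)"
if check_masquerade "$SAMPLE_RULES" "$SAMPLE_ROUTE"; then
    echo "OK: MASQUERADE is on the external interface"
else
    echo "MISMATCH: MASQUERADE on '$(masq_iface_from_rules "$SAMPLE_RULES")', default route on '$(ext_iface_from_route "$SAMPLE_ROUTE")'"
fi
```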

kenneth_phough 08-09-2012 08:14 AM

Wow, that is my bad. I forgot that I had switched interfaces three days ago to eth1 -> internal and eth0 -> external....it used to be eth1 -> external and eth0 -> internal (because of the way the NIC cards were plugged in).

Thank you so very much! It all works now!

Ken
