iptables NAT, no ACK data, resolves fine ...?
 

Here goes again (post failed to auth last time!! ARGH!)

Can't get NAT to work from laptop (WinXP Home) to desktop (Slackware 10.2).

I can, now I'm running named ping (out) and resolv external servers, no ACKs though. Ethereal shows lots of SYNs being sent when I try to surf to a website from laptop. Desktop connects fine to 'net and samba and pinging work between machines.

I've disabled windows firewall and Kerio on laptop and used simple NAT rules (several versions and several iptable config tools, currently firestarter) so as to ensure I'm not blocking required packets.

Any help greatly appreciated - before I finish tearing my hair out!

pbhj

====


Config:

laptop (192.168.0.2 [static]) --eth0--> desktop (192.168.0.1 [static]) --ppp0(pppoe)--> ISP (orange|wanadoo|freeserve).

route:
iptables -L (currently using firestarter)
ifconfig
I've got some ethereal libpcap style dump of a ping and a website access attempt if that helps ... let me know.

To be honest, that remains a very complex iptables setup. About the bare minimum for a NAT setup is (stolen from my box):
This assumes that you are using a 192.168.1.0/24 private network on eth0 with internet on eth1.

minimal NAT
 

Thanks for your reply.

I was under the impression that:

was the minimal NAT requirement. But I've also tried it with things like

.. to ensure that eth0 traffic was explicitly allowed; and with

.. to ensure it wasn't an problem with non-fragmentation of overlarge packets (this is a fix apparently, though it could be a phone home for an alien planet for all I know!).

Anyhow. I've tried your script with my ppp0 (pppoe to ISP) and eth0 (LAN) so that iptables-save now gives me:
This doesn't appear to have changed anything. I still can't access net from laptop via desktop. Any other thoughts??

(Incidentally, I've also switched to using dnsmasq instead of named).

===

What I'm getting according to Ethereal is this: deskflap ("D") gets a request from laptop ("L") and looks up the IP of the domain name on the net, returning it to L [OK so far!]. L then sends 4 SYN packets from port 1154 to port 80 of the appropriate webserver. Then I get to ARP packets one from D's MAC asking "who has 192.168.0.2" and the other responding correctly with the MAC of L [presumably this is setting up ready to return the HTTP data?]. Then I get an NBNS packet that says something about refreshing L. And then I get some packets mixed together including some ICMP,3 (host unreachables from D to L) and some more TCP SYN stuff from consecutive ports which appear to further connection attempts and which try a few different server addresses (perhaps due to load balanced servers). I also get more NBNS and ARP stuff.

Please help if you can.

Thanks.

So the desktop and the laptop can talk to each other, but all outbound packets are being rejected with the ICMP host unreachable?

Is echo "1" > /proc/sys/net/ipv4/ip_forward set as well? (Just checking)

Yes, cat /proc/sys/net/ipv4/ip_forward responds with "1". I've also tried with dyn_addr set to "1" and tried ftp / pop3 traffic and that doesn't work either.

But I've noticed I don't have ip_conntrack module, could this relate?

lsmod:

Yeah, you'll need conntrack. Looks like your kernel version is right in the middle of the transition from ipt_ to xt_. :) Somehow it's supposed to be more extensible... or something. :)

for sure?!
 

So conntrack is definitely needed for NAT? Were is it in the "make menuconfig" tree, I'll make the module and see if it fixes it. I do have xt_conntrack as it happens! Should I be up- or down-grading???

Thanks!

:confused: Incidentally, I thought kernels would be usable if they were released. I've just found that my CD writer no longer works and have been told to revert to a 2.4 kernel (but that's a different thread all together).

I've almost never heard of a kernel breaking support for hardware that worked fine previously... in the rare case it did, they fixed it ASAP. But as you say, that's a separate thread.

Conntrack should be in:
(Sorry if it's messy, it's a copy/paste from make menuconfig)

Symbol: IP_NF_CONNTRACK [=y] │
│ Prompt: Connection tracking (required for masq/NAT) │
│ Defined at net/ipv4/netfilter/Kconfig:23 │
│ Depends on: NET && INET && NETFILTER │
│ Location: │
│ -> Networking │
│ -> Networking support (NET [=y]) │
│ -> Networking options │
│ -> Network packet filtering (replaces ipchains) (NETFILTER [=y]) │
│ -> IP: Netfilter Configuration

OK. I have that, but it make xt_conntrack.

Now modinfo tells me that xt_conntrack is aliased as ipt_conntrack, but presumably this is something different to ip_conntrack??

Thanks for all your help on this btw Matir.

I know this aint Windows, but I'm going to try a reboot!

xt_conntrack is the 'new' name, I believe. Try modprobing it and see what happens. :)

w00t it works, nat now enabled ... posting from laptop!
 

Thanks Matir.

I went down the list and enabled all the modules in "IP: Netfilter Configuration" using "make menuconfig" and then did "make modules && make modules_install".

This borked my nvidia module (why? I don't know, I suspect it just sets a dirty flag and forces the module to be remade, luckily I've done that a few times and recognised the problem and knew the solution ... experience is great!).

So anyhow: I'm using dnsmasq and firestarter. So I'll use rc.dnsmasq and chmod it to a+x and I'll do an iptables-save to create an rc.firewall and chmod a+x that too.

I'm getting standard internet on the laptop and using ethereal on desktop I can see the ACKs rolling by. I still seem to have some ICMP unreachables from desktop to laptop, but it seems perhaps the ARP stuff is automagically compensating for that.

Great. I can get on with fixing my CDwriter now!!

Cheers again.

pbhj