iptables NAT, no ACK data, resolves fine ...?

pbhj · 07-24-2006, 04:36 PM

Here goes again (post failed to auth last time!! ARGH!)

Can't get NAT to work from laptop (WinXP Home) to desktop (Slackware 10.2).

I can, now I'm running named ping (out) and resolv external servers, no ACKs though. Ethereal shows lots of SYNs being sent when I try to surf to a website from laptop. Desktop connects fine to 'net and samba and pinging work between machines.

I've disabled windows firewall and Kerio on laptop and used simple NAT rules (several versions and several iptable config tools, currently firestarter) so as to ensure I'm not blocking required packets.

Any help greatly appreciated - before I finish tearing my hair out!

pbhj

====

Config:

laptop (192.168.0.2 [static]) --eth0--> desktop (192.168.0.1 [static]) --ppp0(pppoe)--> ISP (orange|wanadoo|freeserve).

route:

Code:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
ge0-1.lns5-c10. *               255.255.255.255 UH    0      0        0 ppp0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         *               0.0.0.0         U     0      0        0 ppp0

iptables -L (currently using firestarter)

Code:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  resolver2.svr.pol.co.uk  anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN
ACCEPT     udp  --  resolver2.svr.pol.co.uk  anywhere
ACCEPT     tcp  --  resolver1.svr.pol.co.uk  anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN
ACCEPT     udp  --  resolver1.svr.pol.co.uk  anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            limit: avg 10/sec burst 5
DROP       all  --  anywhere             255.255.255.255
DROP       all  --  BASE-ADDRESS.MCAST.NET/8  anywhere
DROP       all  --  anywhere             BASE-ADDRESS.MCAST.NET/8
DROP       all  --  255.255.255.255      anywhere
DROP       all  --  anywhere             0.0.0.0
DROP       all  --  anywhere             anywhere            state INVALID
LSI        all  -f  anywhere             anywhere            limit: avg 10/min burst 5
INBOUND    all  --  anywhere             anywhere
INBOUND    all  --  anywhere             ixthus
INBOUND    all  --  anywhere             user-6542.lns5-c10.dsl.pol.co.uk
INBOUND    all  --  anywhere             192.168.0.255
LOG_FILTER  all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `Unknown Input'

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            limit: avg 10/sec burst 5
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
OUTBOUND   all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             192.168.0.0/24      state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             192.168.0.0/24      state RELATED,ESTABLISHED
LOG_FILTER  all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `Unknown Forward'

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  user-6542.lns5-c10.dsl.pol.co.uk  resolver2.svr.pol.co.uk tcp dpt:domain
ACCEPT     udp  --  user-6542.lns5-c10.dsl.pol.co.uk  resolver2.svr.pol.co.uk udp dpt:domain
ACCEPT     tcp  --  user-6542.lns5-c10.dsl.pol.co.uk  resolver1.svr.pol.co.uk tcp dpt:domain
ACCEPT     udp  --  user-6542.lns5-c10.dsl.pol.co.uk  resolver1.svr.pol.co.uk udp dpt:domain
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  BASE-ADDRESS.MCAST.NET/8  anywhere
DROP       all  --  anywhere             BASE-ADDRESS.MCAST.NET/8
DROP       all  --  255.255.255.255      anywhere
DROP       all  --  anywhere             0.0.0.0
DROP       all  --  anywhere             anywhere            state INVALID
OUTBOUND   all  --  anywhere             anywhere
OUTBOUND   all  --  anywhere             anywhere
LOG_FILTER  all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `Unknown Output'

Chain INBOUND (4 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.0.0/24       anywhere
ACCEPT     tcp  --  192.168.0.0/24       anywhere            tcp dpts:netbios-ns:netbios-ssn
ACCEPT     udp  --  192.168.0.0/24       anywhere            udp dpts:netbios-ns:netbios-ssn
ACCEPT     tcp  --  192.168.0.0/24       anywhere            tcp dpt:microsoft-ds
ACCEPT     udp  --  192.168.0.0/24       anywhere            udp dpt:microsoft-ds
LSI        all  --  anywhere             anywhere

Chain LOG_FILTER (5 references)
target     prot opt source               destination

Chain LSI (2 references)
target     prot opt source               destination
LOG_FILTER  all  --  anywhere             anywhere
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/RST
LOG        icmp --  anywhere             anywhere            icmp echo-request limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP       icmp --  anywhere             anywhere            icmp echo-request
LOG        all  --  anywhere             anywhere            limit: avg 5/sec burst 5 LOG level info prefix `Inbound '
DROP       all  --  anywhere             anywhere

Chain LSO (0 references)
target     prot opt source               destination
LOG_FILTER  all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            limit: avg 5/sec burst 5 LOG level info prefix `Outbound '
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTBOUND (3 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

ifconfig

Code:

eth0      Link encap:Ethernet  HWaddr 00:E0:18:CC:D8:4B
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::2e0:18ff:fecc:d84b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9227 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4946 errors:0 dropped:0 overruns:1 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:902207 (881.0 KiB)  TX bytes:2350808 (2.2 MiB)
          Interrupt:5 Base address:0x1400

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:3507 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3507 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:147308 (143.8 KiB)  TX bytes:147308 (143.8 KiB)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:84.68.153.142  P-t-P:62.25.198.169  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:33124 errors:0 dropped:0 overruns:0 frame:0
          TX packets:36280 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:27930296 (26.6 MiB)  TX bytes:6783392 (6.4 MiB)

I've got some ethereal libpcap style dump of a ping and a website access attempt if that helps ... let me know.

Matir · 07-24-2006, 05:57 PM

To be honest, that remains a very complex iptables setup. About the bare minimum for a NAT setup is (stolen from my box):

Code:

*nat
:PREROUTING ACCEPT [127116:11275682]
:POSTROUTING ACCEPT [359:18720]
:OUTPUT ACCEPT [1976:134673]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Mon Jul  3 01:43:54 2006
# Generated by iptables-save v1.3.1 on Mon Jul  3 01:43:54 2006
*filter
:INPUT DROP [35218:5766523]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [47799:4239308]
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A FORWARD -s 192.168.1.0/255.255.255.0 -i eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Mon Jul  3 01:43:54 2006

This assumes that you are using a 192.168.1.0/24 private network on eth0 with internet on eth1.

pbhj · 07-25-2006, 04:06 PM

Thanks for your reply.

I was under the impression that:

Code:

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward

was the minimal NAT requirement. But I've also tried it with things like

Code:

iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -i eth0 -j ACCEPT

.. to ensure that eth0 traffic was explicitly allowed; and with

Code:

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

.. to ensure it wasn't an problem with non-fragmentation of overlarge packets (this is a fix apparently, though it could be a phone home for an alien planet for all I know!).

Anyhow. I've tried your script with my ppp0 (pppoe to ISP) and eth0 (LAN) so that iptables-save now gives me:

Code:

# Generated by iptables-save v1.3.5 on Tue Jul 25 21:36:12 2006
*nat
:PREROUTING ACCEPT [18:1844]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [48:2892]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Tue Jul 25 21:36:12 2006
# Generated by iptables-save v1.3.5 on Tue Jul 25 21:36:12 2006
*filter
:INPUT DROP [4:524]
:FORWARD DROP [6:288]
:OUTPUT ACCEPT [1330:85670]
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A FORWARD -s 192.168.0.0/255.255.255.0 -i eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Tue Jul 25 21:36:12 2006

This doesn't appear to have changed anything. I still can't access net from laptop via desktop. Any other thoughts??

(Incidentally, I've also switched to using dnsmasq instead of named).

===

What I'm getting according to Ethereal is this: deskflap ("D") gets a request from laptop ("L") and looks up the IP of the domain name on the net, returning it to L [OK so far!]. L then sends 4 SYN packets from port 1154 to port 80 of the appropriate webserver. Then I get to ARP packets one from D's MAC asking "who has 192.168.0.2" and the other responding correctly with the MAC of L [presumably this is setting up ready to return the HTTP data?]. Then I get an NBNS packet that says something about refreshing L. And then I get some packets mixed together including some ICMP,3 (host unreachables from D to L) and some more TCP SYN stuff from consecutive ports which appear to further connection attempts and which try a few different server addresses (perhaps due to load balanced servers). I also get more NBNS and ARP stuff.

Please help if you can.

Thanks.

Matir · 07-25-2006, 05:05 PM

So the desktop and the laptop can talk to each other, but all outbound packets are being rejected with the ICMP host unreachable?

Is echo "1" > /proc/sys/net/ipv4/ip_forward set as well? (Just checking)

pbhj · 07-25-2006, 05:19 PM

Yes, cat /proc/sys/net/ipv4/ip_forward responds with "1". I've also tried with dyn_addr set to "1" and tried ftp / pop3 traffic and that doesn't work either.

But I've noticed I don't have ip_conntrack module, could this relate?

lsmod:

Code:

Module                  Size  Used by
iptable_mangle          2624  0
ipt_TCPMSS              4032  0
xt_tcpudp               3200  5
xt_state                1984  7
ipt_MASQUERADE          3520  1
iptable_nat             8516  1
ip_nat                 17132  2 ipt_MASQUERADE,iptable_nat
iptable_filter          2816  1
ip_tables              12760  3 iptable_mangle,iptable_nat,iptable_filter
x_tables               12612  6 ipt_TCPMSS,xt_tcpudp,xt_state,ipt_MASQUERADE,iptable_nat,ip_tables
snd_mixer_oss          17280  0
ipv6                  226816  16
quickcam               68708  0
videodev                9024  1 quickcam
ohci_hcd               30788  0
via_agp                 9408  1
snd_ens1370            19296  1
snd_rawmidi            24992  1 snd_ens1370
snd_ak4531_codec        8640  1 snd_ens1370
ohci1394               31472  0
8139too                25664  0
nvidia               3922140  12
joydev                  9280  0
sr_mod                 14948  0
ide_scsi               15492  0
nvidia_agp              7388  0

Matir · 07-25-2006, 05:24 PM

Yeah, you'll need conntrack. Looks like your kernel version is right in the middle of the transition from ipt_ to xt_.

Somehow it's supposed to be more extensible... or something.

pbhj · 07-25-2006, 05:33 PM

Quote:

Originally Posted by Matir

Yeah, you'll need conntrack. Looks like your kernel version is right in the middle of the transition from ipt_ to xt_.

Somehow it's supposed to be more extensible... or something.

So conntrack is definitely needed for NAT? Were is it in the "make menuconfig" tree, I'll make the module and see if it fixes it. I do have xt_conntrack as it happens! Should I be up- or down-grading???

Thanks!

Incidentally, I thought kernels would be usable if they were released. I've just found that my CD writer no longer works and have been told to revert to a 2.4 kernel (but that's a different thread all together).

Matir · 07-25-2006, 05:43 PM

I've almost never heard of a kernel breaking support for hardware that worked fine previously... in the rare case it did, they fixed it ASAP. But as you say, that's a separate thread.

Conntrack should be in:

Code:

│   Location:                                                             │
  │     -> Networking                                                       │
  │       -> Networking support (NET [=y])                                  │
  │         -> Networking options                                           │
  │           -> Network packet filtering (replaces ipchains) (NETFILTER [= │
  │             -> IP: Netfilter Configuration

(Sorry if it's messy, it's a copy/paste from make menuconfig)

pbhj · 07-25-2006, 05:54 PM

Symbol: IP_NF_CONNTRACK [=y] │
│ Prompt: Connection tracking (required for masq/NAT) │
│ Defined at net/ipv4/netfilter/Kconfig:23 │
│ Depends on: NET && INET && NETFILTER │
│ Location: │
│ -> Networking │
│ -> Networking support (NET [=y]) │
│ -> Networking options │
│ -> Network packet filtering (replaces ipchains) (NETFILTER [=y]) │
│ -> IP: Netfilter Configuration

OK. I have that, but it make xt_conntrack.

Now modinfo tells me that xt_conntrack is aliased as ipt_conntrack, but presumably this is something different to ip_conntrack??

Thanks for all your help on this btw Matir.

I know this aint Windows, but I'm going to try a reboot!

Matir · 07-25-2006, 05:58 PM

xt_conntrack is the 'new' name, I believe. Try modprobing it and see what happens.

pbhj · 07-25-2006, 06:59 PM

Thanks Matir.

I went down the list and enabled all the modules in "IP: Netfilter Configuration" using "make menuconfig" and then did "make modules && make modules_install".

This borked my nvidia module (why? I don't know, I suspect it just sets a dirty flag and forces the module to be remade, luckily I've done that a few times and recognised the problem and knew the solution ... experience is great!).

So anyhow: I'm using dnsmasq and firestarter. So I'll use rc.dnsmasq and chmod it to a+x and I'll do an iptables-save to create an rc.firewall and chmod a+x that too.

I'm getting standard internet on the laptop and using ethereal on desktop I can see the ACKs rolling by. I still seem to have some ICMP unreachables from desktop to laptop, but it seems perhaps the ARP stuff is automagically compensating for that.

Great. I can get on with fixing my CDwriter now!!

Cheers again.

pbhj