Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
Here goes again (post failed to auth last time!! ARGH!)
Can't get NAT to work from laptop (WinXP Home) to desktop (Slackware 10.2).
I can, now I'm running named, ping (out) and resolve external servers, no ACKs though. Ethereal shows lots of SYNs being sent when I try to surf to a website from laptop. Desktop connects fine to 'net and samba and pinging work between machines.
I've disabled windows firewall and Kerio on laptop and used simple NAT rules (several versions and several iptable config tools, currently firestarter) so as to ensure I'm not blocking required packets.
Any help greatly appreciated - before I finish tearing my hair out!
was the minimal NAT requirement. But I've also tried it with things like
Code:
iptables -A INPUT -i eth0 -j ACCEPT
# OUTPUT matches on the outgoing interface (-o); -i is only valid in INPUT and FORWARD
iptables -A OUTPUT -o eth0 -j ACCEPT
.. to ensure that eth0 traffic was explicitly allowed; and with
Code:
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
.. to ensure it wasn't a problem with non-fragmentation of overlarge packets (this is a fix apparently, though it could be a phone home for an alien planet for all I know!).
Anyhow. I've tried your script with my ppp0 (pppoe to ISP) and eth0 (LAN) so that iptables-save now gives me:
Code:
# Generated by iptables-save v1.3.5 on Tue Jul 25 21:36:12 2006
*nat
:PREROUTING ACCEPT [18:1844]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [48:2892]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Tue Jul 25 21:36:12 2006
# Generated by iptables-save v1.3.5 on Tue Jul 25 21:36:12 2006
*filter
:INPUT DROP [4:524]
:FORWARD DROP [6:288]
:OUTPUT ACCEPT [1330:85670]
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A FORWARD -s 192.168.0.0/255.255.255.0 -i eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Tue Jul 25 21:36:12 2006
This doesn't appear to have changed anything. I still can't access net from laptop via desktop. Any other thoughts??
(Incidentally, I've also switched to using dnsmasq instead of named).
===
What I'm getting according to Ethereal is this: deskflap ("D") gets a request from laptop ("L") and looks up the IP of the domain name on the net, returning it to L [OK so far!]. L then sends 4 SYN packets from port 1154 to port 80 of the appropriate webserver. Then I get two ARP packets, one from D's MAC asking "who has 192.168.0.2" and the other responding correctly with the MAC of L [presumably this is setting up ready to return the HTTP data?]. Then I get an NBNS packet that says something about refreshing L. And then I get some packets mixed together including some ICMP,3 (host unreachables from D to L) and some more TCP SYN stuff from consecutive ports which appear to be further connection attempts and which try a few different server addresses (perhaps due to load balanced servers). I also get more NBNS and ARP stuff.
Yes, cat /proc/sys/net/ipv4/ip_forward responds with "1". I've also tried with dyn_addr set to "1" and tried ftp / pop3 traffic and that doesn't work either.
But I've noticed I don't have ip_conntrack module, could this relate?
Yeah, you'll need conntrack. Looks like your kernel version is right in the middle of the transition from ipt_ to xt_. Somehow it's supposed to be more extensible... or something.
So conntrack is definitely needed for NAT? Where is it in the "make menuconfig" tree? I'll make the module and see if it fixes it. I do have xt_conntrack as it happens! Should I be up- or down-grading???
Thanks!
Incidentally, I thought kernels would be usable if they were released. I've just found that my CD writer no longer works and have been told to revert to a 2.4 kernel (but that's a different thread all together).
I've almost never heard of a kernel breaking support for hardware that worked fine previously... in the rare case it did, they fixed it ASAP. But as you say, that's a separate thread.
w00t it works, nat now enabled ... posting from laptop!
Thanks Matir.
I went down the list and enabled all the modules in "IP: Netfilter Configuration" using "make menuconfig" and then did "make modules && make modules_install".
This borked my nvidia module (why? I don't know, I suspect it just sets a dirty flag and forces the module to be remade, luckily I've done that a few times and recognised the problem and knew the solution ... experience is great!).
So anyhow: I'm using dnsmasq and firestarter. So I'll use rc.dnsmasq and chmod it to a+x and I'll do an iptables-save to create an rc.firewall and chmod a+x that too.
I'm getting standard internet on the laptop and using ethereal on desktop I can see the ACKs rolling by. I still seem to have some ICMP unreachables from desktop to laptop, but it seems perhaps the ARP stuff is automagically compensating for that.
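Putting the thread's outcome together as a script: the poster plans to turn an iptables-save dump into rc.firewall, and the two things that actually had to be true before masquerading worked were IP forwarding (L50) and a loaded connection-tracking module (L51/L52). The following is an added example, not the poster's rc.firewall or anything from the thread; it checks both prerequisites before loading a minimal stateful NAT ruleset. Interface names and the LAN range are assumptions taken from the thread (ppp0 to the ISP, eth0 on 192.168.0.0/24), and the function names are my own.

```shell
#!/bin/sh
# Added example (not the poster's rc.firewall): minimal masquerading firewall
# for the setup in this thread, with the prerequisite checks the thread ended
# up needing run before any rule is loaded. Assumed values: ppp0 = ISP link,
# eth0 = LAN, LAN range 192.168.0.0/24. Override via the environment.
WAN_IF="${WAN_IF:-ppp0}"
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"

# Return 0 when the sysctl file at $1 holds "1". The path is a parameter so the
# same check can be run against /proc/sys/net/ipv4/ip_forward or a saved copy.
forwarding_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# Return 0 when a connection-tracking core module is listed in the module table
# at $1 (format of /proc/modules and lsmod: module name is the first field).
# ip_conntrack is the pre-2.6.20 name, nf_conntrack the later one. xt_conntrack
# on its own is only the "-m conntrack" match helper and tracks nothing, which
# is exactly the gap the poster hit. A built-in (non-modular) tracker will not
# show up here; this check is for modular builds like the poster's.
conntrack_loaded() {
    awk '{ print $1 }' "$1" | grep -Eq '^(ip_conntrack|nf_conntrack)$'
}

# Print the ruleset in iptables-restore format; nothing is applied here.
# INPUT and FORWARD default to DROP. Only LAN-sourced traffic is forwarded out
# over the WAN link, and only replies to it (conntrack state) come back in.
# The MSS clamp from the thread lives in the mangle table so it sees every SYN
# regardless of how the filter chains decide.
nat_rules() {
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A FORWARD -o $WAN_IF -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Load the conntrack core, enable forwarding, verify both, then load the rules.
# Needs root. Returns non-zero and loads nothing if either check fails, so a
# box never ends up with half a NAT setup and silent "host unreachable"s.
apply_rules() {
    modprobe nf_conntrack 2>/dev/null || modprobe ip_conntrack 2>/dev/null || true
    echo 1 > /proc/sys/net/ipv4/ip_forward
    forwarding_enabled /proc/sys/net/ipv4/ip_forward || {
        echo "ip_forward is not 1; refusing to load NAT rules" >&2; return 1; }
    conntrack_loaded /proc/modules || {
        echo "no ip_conntrack/nf_conntrack module loaded; is it built?" >&2; return 1; }
    nat_rules | iptables-restore
}

# Only apply when run as "sh rc.firewall apply"; sourcing just defines functions.
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run it as `sh rc.firewall apply` from rc.local. After it loads, `iptables-save` should reproduce the output of `nat_rules` apart from the packet counters, and `cat /proc/net/ip_conntrack` (or `/proc/net/nf_conntrack` on later kernels) should list an entry per LAN connection, which is the quickest confirmation that replies are being matched rather than dropped by the FORWARD policy.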