IPTABLES rules for NAT of machines through the PPP interface
I have a CentOS 4.5 Linux machine which acts as my connection to the internet and firewall. Behind that, I have a small set of machines which are masqueraded through it to the Internet, using IPTABLES.
The Linux machine has a 'lo' interface, as well as an internal (INT) interface for the local machines, and an external (EXT) interface for the connection to the Internet.
This all works fine.
Now, I am trying to add a PPP connection from my office Linux machine to my machine at home. The PPP connection comes up properly, and routes are added as needed, and connectivity from my home Linux machine to my office network works as expected.
The problem is that my local (masqueraded) machines at home are not able to get IP packets to the office machines and back again.
I've added the following IPTABLES commands to my firewall scripts, but still cannot get the packets through:
$IPTABLES -A INPUT -i ppp0 -j ACCEPT
$IPTABLES -A OUTPUT -o ppp0 -j ACCEPT
$IPTABLES -A FORWARD -o ppp0 -j ACCEPT
I believe the problem is that the IPTABLES firewall needs to do some special NATing for the PPP interface.
Is this something I can get some help with on this forum? I can provide more details about my configuration, of course, but wanted to keep this initial message short and readable.
hmmm... OK, let's see whether the packet can go outside to the remote office using tcpdump on ppp0. Or maybe it can go outside but your machine can't receive the reply.
Or for simplicity --- just disable iptables first to check whether you can really send/receive the traffic (moreover you use NAT).
Quote:
Originally Posted by rossonieri#1
hmmm... OK, let's see whether the packet can go outside to the remote office using tcpdump on ppp0. Or maybe it can go outside but your machine can't receive the reply.
I ran tcpdump -i ppp0 on my local Linux machine and saw that when I pinged an IP at my office from the local Linux machine, the packets were sent and received.
However, when I attempted to ping the same IP at my office from my local masqueraded PC, there was no output from tcpdump.
Quote:
Originally Posted by rossonieri#1
Or for simplicity --- just disable iptables first to check whether you can really send/receive the traffic (moreover you use NAT).
I'm not sure what you are asking for here. If I disable iptables, I'll lose the NATting functionality as well, won't I?
Quote:
Originally Posted by rossonieri#1
I'll be waiting.
Cheers.
Thank you so much for taking the time to help me.
Incidentally, I've been reading through the iptables tutorial, but nothing helpful gained just yet. I'll also be ordering the Linux Firewalls book by Robert Ziegler, but would sure like to get this working in the meantime.
I know that my iptables rules are working to masquerade my in-home machines, so I went through all the rules and created similar rules for the PPP interface.
The result is that my in-home machines are now able to ping the machines located on my office network, via the PPP interface.
I really appreciate the help, and realize that I still need to learn more about how to configure the iptables rules, and will continue to do so.
Here are the rules that I added to my firewall script in support of the PPP tunnel. If you see anything wrong with these, I would sure like to hear about it.
Thanks again!
# Variables used by the rules below, as described in the post
INTIF=eth0            # my internal interface
EXTIF=eth1            # my external interface
UNIVERSE=0.0.0.0/0    # any address (the post had 0.0.0.0/32, which would match only the single address 0.0.0.0)
INTNET=10.1.1.0/24    # my internal network
PPPIF=ppp0
PPPIP=<home-end address of the PPP tunnel>   # the IP address of my local Linux machine on the home end of the tunnel; value not given in the post
# Anti-spoofing: a packet arriving on the tunnel must never claim a source on my internal network
$IPTABLES -A INPUT -i $PPPIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
# Allow ping to the home end of the tunnel
$IPTABLES -A INPUT -i $PPPIF -p ICMP -s $UNIVERSE -d $PPPIP -j ACCEPT
# Allow replies to connections the home machine itself opened over the tunnel
$IPTABLES -A INPUT -i $PPPIF -s $UNIVERSE -d $PPPIP -m state --state ESTABLISHED,RELATED -j ACCEPT
"I know that my iptables rules are working to masquerade my in-home machines, so I went through all the rules and created similar rules for the PPP interface.
The result is that my in-home machines are now able to ping the machines located on my office network, via the PPP interface."
well, congrats then
From yours: $IPTABLES -A INPUT -i $PPPIF -s $UNIVERSE -d $PPPIP -m state --state ESTABLISHED,RELATED -j ACCEPT
and
$IPTABLES -A FORWARD -i $PPPIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
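The thread shows only the INPUT rules the original poster added and the single FORWARD rule rossonieri#1 suggested. The script below is an added example, not code from either post: it puts the anti-spoofing, INPUT, FORWARD and NAT rules for the tunnel together in one place, so that LAN hosts can open connections to the office while the office side can only send replies back in. Interface names and the LAN address are taken from the thread; the tunnel address (PPPIP), the office network (OFFICENET) and the "drop-and-log-it" chain contents are assumptions, with RFC 5737 documentation addresses as constructed placeholders. IPTABLES defaults to "echo iptables", so the script prints the rules it would apply (a dry run); set IPTABLES=/sbin/iptables to apply them as root.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts.
# Dry run by default: IPTABLES="echo iptables" prints each rule instead of
# applying it. Export IPTABLES=/sbin/iptables and run as root to apply.

IPTABLES="${IPTABLES:-echo iptables}"
INTIF="${INTIF:-eth0}"                      # internal (LAN) interface, from the thread
PPPIF="${PPPIF:-ppp0}"                      # tunnel interface, from the thread
INTNET="${INTNET:-10.1.1.0/24}"             # home LAN, from the thread
PPPIP="${PPPIP:-192.0.2.1}"                 # home end of the tunnel: constructed placeholder
OFFICENET="${OFFICENET:-198.51.100.0/24}"   # office network: constructed placeholder

# Logging drop chain referenced by the anti-spoofing rules (assumed contents).
make_drop_chain() {
    $IPTABLES -N drop-and-log-it 2>/dev/null
    $IPTABLES -A drop-and-log-it -j LOG --log-prefix "ppp-drop: " --log-level info
    $IPTABLES -A drop-and-log-it -j DROP
}

ppp_rules() {
    # Anti-spoofing: a packet arriving on the tunnel can never legitimately
    # carry a home-LAN source address, whether it is for the router or the LAN.
    $IPTABLES -A INPUT   -i "$PPPIF" -s "$INTNET" -j drop-and-log-it
    $IPTABLES -A FORWARD -i "$PPPIF" -s "$INTNET" -j drop-and-log-it

    # Traffic for the router itself on its tunnel address: ping, plus replies
    # to connections the router opened (the poster's INPUT rules).
    $IPTABLES -A INPUT -i "$PPPIF" -p icmp -d "$PPPIP" -j ACCEPT
    $IPTABLES -A INPUT -i "$PPPIF" -d "$PPPIP" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN -> office may open new connections through the tunnel...
    $IPTABLES -A FORWARD -i "$INTIF" -o "$PPPIF" -s "$INTNET" -d "$OFFICENET" -j ACCEPT
    # ...but office -> LAN is limited to replies (rossonieri#1's suggested rule),
    # so nothing on the office side can initiate connections into the home LAN.
    $IPTABLES -A FORWARD -i "$PPPIF" -o "$INTIF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The NAT step the first post suspected was needed: rewrite the LAN source
    # to the tunnel address so office hosts have a route for their replies.
    $IPTABLES -t nat -A POSTROUTING -o "$PPPIF" -s "$INTNET" -d "$OFFICENET" -j MASQUERADE
}

# Forwarded traffic only moves if the kernel forwards between interfaces at all.
forwarding_enabled() {
    [ -r /proc/sys/net/ipv4/ip_forward ] && [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ]
}

make_drop_chain
ppp_rules
forwarding_enabled || echo "warning: net.ipv4.ip_forward is not 1; enable it with sysctl" >&2
```

Two things this layout changes compared with the rules quoted in the thread: the FORWARD chain gets its own anti-spoofing rule, because the INPUT rule only protects the router itself, and the MASQUERADE rule is restricted to the office destination so that unrelated LAN traffic leaving via ppp0 is not silently rewritten. The tcpdump check from earlier in the thread remains the quickest way to confirm the result: with these rules in place, a ping from a LAN host should now appear on ppp0 with the tunnel address as its source.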