Router Setup -IP Tables Masquerading

zhex900 · 07-03-2005, 04:42 AM

Hi guys:

I really hope there is someone can spare me some time to help me with this common problem (yet impossible for me).

Yes I have read & tried a few tutorials & threads on internet sharing and NAT. But for some reason it just doesn't work for me.

This is my current setup:

ISP -> Router->192.168.0.x eth0 Linux Router/Gateway eth1 192.168.1.1->clients

Router have ip: 192.168.0.1
eth0 is dhcp, which Router will allocate
eth1 is static ip: 192.168.1.1
clients will use 192.168.1.1 as gateway. For testing I will use static ip like 192.168.1.2

Right now my linux box can access internet. Also can ping other machines connected to the router. However when I have a cable connected from eth1 into a win box, no connection is detected.

Linux Box Config:
eth2 is not used.
both shorewall and squid are stopped.
even when I setup shorewall is not working either.

Code:

[root@TIGER sysconfig]# ipconfig
bash: ipconfig: command not found
[root@TIGER sysconfig]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:02:44:11:DD:24
          inet addr:192.168.0.5  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::202:44ff:fe11:dd24/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1933 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1863 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:991702 (968.4 Kb)  TX bytes:279811 (273.2 Kb)
          Interrupt:11

eth1      Link encap:Ethernet  HWaddr 00:02:44:11:DD:27
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::202:44ff:fe11:dd27/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:153 errors:0 dropped:0 overruns:0 frame:0
          TX packets:102 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:22093 (21.5 Kb)  TX bytes:13503 (13.1 Kb)
          Interrupt:10 Base address:0x6400

eth2      Link encap:Ethernet  HWaddr 00:50:22:E9:8E:A4
          inet6 addr: fe80::250:22ff:fee9:8ea4/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:378 (378.0 b)
          Interrupt:9 Base address:0xc800

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2669 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2669 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:452173 (441.5 Kb)  TX bytes:452173 (441.5 Kb)

sit0      Link encap:IPv6-in-IPv4
          inet6 addr: ::127.0.0.1/96 Scope:Unknown
          inet6 addr: ::192.168.0.5/96 Scope:Compat
          UP RUNNING NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

Code:

[root@TIGER sysconfig]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0

Code:

iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP

iptables -A FORWARD -i eth1 -o eth0
iptables -A FORWARD -i eth0 -o eth1

iptables -P INPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -i eth1 -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o ethX -j MASQUERADE

Code:

[root@TIGER sysconfig]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
           all  --  anywhere             anywhere
           all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID

Code:

[root@TIGER sysconfig]# cat /etc/sysctl.conf
net.ipv4.ip_forward=1

I feel I am really close getting this thing working. But right now I have no idea what the problem is. Can someone please please drop some ideas. Or point me to a better tutorial.

Thanks heaps

musicman_ace · 07-03-2005, 05:15 AM

Ok, why is ETH0 on a 192.168.x.y network? That would mean your ISP is NAT'ing all their clients.
renew the IP for ETH0 and verify that it is set for DHCP in your distro's config file.

peter_robb · 07-03-2005, 05:44 AM

To do masquerading, only 3 things are needed..

Default gateway on the linux box..
ip_forwarding =1
and MASQUERADING on the external interface..

Anything else is for better control/safety etc.. eg firewall rules.
Coz you have a 192.168.0.x numbering on your ISP's router, anyone wanting to force their way in would have to set up static routes to your network, so it's some extra protection.

Your iptables rules are DROPPING anything trying to pass through the FORWARD chain, unless you specifically ACCEPT it, and there are no ACCEPT rules in your list...

MASQUERADING should be only on the external interface, yours is eth0 not ethX

So I suggest you have a read of an iptables tutorial, eg http://iptables-tutorial.frozentux.n...-tutorial.html and see the difference between the INPUT and FORWARD chains. This tutorial also has ready to use scripts at the back.

zhex900 · 07-04-2005, 05:06 AM

Thanks for the reply I'll have a go at the iptable tutorial. I'll come back when I get stuck.