Old 08-06-2016, 04:02 AM   #1
maduino
LQ Newbie
 
Registered: Jun 2016
Posts: 5

Rep: Reputation: Disabled
Simple network package forwarding using IPtables not working


Hi,

I'm trying to set up a simple network to experiment with NAT a little bit. But currently it isn't working. I can't ping from COMPUTER_B to COMPUTER_A (see below). Could you give me a hint how to fix it?

* When I perform "ping 192.168.0.2" on COMPUTER_B I get an error
* When I do a "tcpdump -i eth1" on COMPUTER_C and then perform "ping 192.168.0.2" on COMPUTER_B, tcpdump prints out something like "Request who-has 192.168.0.2 tell 192.168.100.2" but nothing more

Why does it fail?

The network setup is:
Code:
[COMPUTER_A] <192.168.0.2---| ETH0> [COMPUTER_C] <ETH1 |---192.168.100.2> [COMPUTER_B]
I didn't set up any kind of DHCP or DNS, all IP addresses are static:

Code:
=== COMPUTER_A (/etc/network/interfaces) ===
auto eth0
allow-hotplug eth0
iface eth0 inet static
        address 192.168.0.2
        netmask 255.255.255.0

=== COMPUTER_B (/etc/network/interfaces) ===
auto eth0
allow-hotplug eth0
iface eth0 inet static
        address 192.168.100.2
        netmask 255.255.255.0

=== COMPUTER_C (/etc/network/interfaces) ===
auto eth0
allow-hotplug eth0
iface eth0 inet static
        address 192.168.0.1
        netmask 255.255.255.0

auto eth1
allow-hotplug eth1
iface eth1 inet static
        address 192.168.100.1
        netmask 255.255.255.0
I used this simple script to set up IPtables:
Code:
#!/bin/sh
# Reset everything
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# Enable forwarding
sysctl net.ipv4.ip_forward=1
echo 1 > /proc/sys/net/ipv4/ip_forward

# Set IPtable rules
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Print result
iptables -L
 
Old 08-07-2016, 05:51 AM   #2
tshikose
Member
 
Registered: Apr 2010
Location: Kinshasa, Democratic Republic of Congo
Distribution: RHEL, Fedora, CentOS
Posts: 525

Rep: Reputation: 95
Hi,

I think you need to first read a good iptables reference documentation.
Try googling a little or start by reading this and this.

From your samples, it seems to me that you are using a kind of Ubuntu or similar distro.
I am not familiar with them, but I will try to provide advice.

1. Why are you wiping all the existing rules and customised chains instead of starting from the default ones?
2. Having set the default policy for the filter FORWARD chain to ACCEPT, you no longer need the first two rules in your "# Set IPtable rules" section...
3. ... unless you expected to have a final rule rejecting everything on those filter chains. But again this works well when modifying default rules.
4. For masquerading try this rule iptables -t nat -A POSTROUTING -i eth1 -o eth0 -j MASQUERADE
5. Unfortunately all your settings (including the kernel behaviour for ip forwarding) will not survive a reboot. You had better do it in a persistent way through configuration files.

After teaching yourself a little more and going through my advice, you are welcome to post for more help.

PS: Is the new and actual firewalld not available on your system? Then you will not need to use iptables.
 
Old 08-08-2016, 01:59 PM   #3
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194Reputation: 194
First thing first is to set up a working network. Once that is finished you can move on to bigger and better things.

Make sure that COMPUTER_A and COMPUTER_B know that COMPUTER_C is their default gateway.

by running the following command;

Code:
route -n
On COMPUTER_A you should get something like this;
Code:
~ $ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    100    0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     100    0        0 eth0
and for COMPUTER_B
Code:
~ $ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.100.1   0.0.0.0         UG    100    0        0 eth0
192.168.100.0   0.0.0.0         255.255.224.0   U     100    0        0 eth0
On COMPUTER_C you will want to ensure that the firewall is stopped or allowing everything and that FORWARDING is turned on in the kernel.

This would work for the initial setup;
Code:
iptables -F
iptables -X
iptables -Z
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

Since you want FORWARDing turned on I would suggest you enable it in sysctl.conf and add/change the following
Code:
net.ipv4.ip_forward = 1
Now ping from A to B and B to A should work.

Once you have a working network you can then go in and make changes and test things you want to test.
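
Added example (not part of the original posts): the default-gateway check described in the post above, done as a longest-prefix-match lookup over `route -n` text, so you can see which next hop a host would pick for a given destination. The function names `ip_to_int` and `next_hop` and the two sample tables are constructed for illustration; the first table assumes COMPUTER_B has only its connected route, as the posted interfaces stanza (which has no gateway line) would give.

```sh
#!/bin/sh
# Added example: longest-prefix-match lookup over `route -n` text.

# Convert dotted-quad A.B.C.D to a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# next_hop ROUTE_TABLE DEST_IP
# Prints "via <gw> dev <if>" (routed), "on-link dev <if>" (direct),
# or "unreachable" with exit status 1 when no route matches.
next_hop() {
    dest=$(ip_to_int "$2"); best_mask=-1; best=""
    while read -r net gw mask flags metric ref use iface; do
        case $net in [0-9]*.*) ;; *) continue ;; esac  # skip header lines
        n=$(ip_to_int "$net"); m=$(ip_to_int "$mask")
        if [ $(( dest & m )) -eq $(( n & m )) ] && [ "$m" -gt "$best_mask" ]; then
            best_mask=$m
            if [ "$gw" = "0.0.0.0" ]; then
                best="on-link dev $iface"
            else
                best="via $gw dev $iface"
            fi
        fi
    done <<EOF
$1
EOF
    [ -n "$best" ] || { echo "unreachable"; return 1; }
    echo "$best"
}

# Constructed sample tables for COMPUTER_B (not captured output).
B_NO_GW='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0'
B_WITH_GW="0.0.0.0         192.168.100.1   0.0.0.0         UG    0      0        0 eth0
$B_NO_GW"

next_hop "$B_NO_GW"   192.168.0.2 || true   # unreachable
next_hop "$B_WITH_GW" 192.168.0.2           # via 192.168.100.1 dev eth0
next_hop "$B_WITH_GW" 192.168.100.1         # on-link dev eth0
```

To check a live host, pass the real table instead of a sample: `next_hop "$(route -n)" 192.168.0.2`.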
 
Old 08-08-2016, 02:01 PM   #4
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194Reputation: 194
Quote:
Originally Posted by tshikose
PS: Is the new and actual firewalld not available on your system? Then you will not need to use iptables.
Firewalld is a gimmick and uses iptables anyway so why switch?
There is no good reason to switch to firewalld as iptables will do the same.
 
  


All times are GMT -5.