Please find the iptables rules as asked for.
# Generated by iptables-save v1.4.9 on Mon Aug 19 10:28:06 2013
*mangle
:PREROUTING ACCEPT [1142:229312]
:INPUT ACCEPT [364:39004]
:FORWARD ACCEPT [769:189480]
:OUTPUT ACCEPT [334:40932]
:POSTROUTING ACCEPT [1103:230412]
COMMIT
# Completed on Mon Aug 19 10:28:06 2013
# Generated by iptables-save v1.4.9 on Mon Aug 19 10:28:06 2013
*nat
:PREROUTING ACCEPT [1:48]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 1.16.16.43 -i eth1 -j DNAT --to-destination 192.168.1.200
-A POSTROUTING -s 192.168.1.200 -o eth1 -j SNAT --to-source 1.16.16.43
-A PREROUTING -i eth2 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -s 192.168.1.0/24 -j ACCEPT
-A POSTROUTING -d 192.168.1.0/24 -j ACCEPT
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth1 -j SNAT --to-source 1.16.16.44
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -o eth2 -j MASQUERADE
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -d 192.168.1.0/24 -j ACCEPT
COMMIT
# Completed on Mon Aug 19 10:28:06 2013
# Generated by iptables-save v1.4.9 on Mon Aug 19 10:28:06 2013
*filter
:INPUT ACCEPT [131:9532]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [96:10868]
-A INPUT -p ah -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 4500 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 3389 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 3389 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 50:58 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 50:58 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -s 122.180.106.168/30 -i eth1 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth1 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A FORWARD -s 1.16.16.43 -j ACCEPT
-A FORWARD -d 1.16.16.43 -j ACCEPT
-A FORWARD -s 192.168.1.200 -j ACCEPT
-A FORWARD -d 192.168.1.200 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -j ACCEPT
-A FORWARD -d 192.168.1.0/24 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A OUTPUT -p esp -j ACCEPT
COMMIT
# Completed on Mon Aug 19 10:28:06 2013
Quote:
Originally Posted by zhjim
Besides that one time you have .44 as WAN IP and inside your iptables rules you have .43, I can't see any errors. Are those the only rules in place? If not, please give the complete list of rules with iptables-save.
To debug iptables rules I use a lot of -j LOG --log-ip-options --log-prefix "Nat-POST-o-eth1" kinda like rules. This allows me to tail /var/log/syslog and see what's up and where the packets go through. Also tcpdump makes a nice tool for debugging. Also the connection tracking part of /proc or the binaries might come in handy.
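As an added example (not code from either poster in this thread), the following script runs a static check over the nat POSTROUTING rules from the dump above before reaching for LOG rules or tcpdump: it reports every rule that can never be hit because an earlier rule in the same chain has a terminating target and a match set contained in the later rule's match set. It assumes the rule text is in iptables-save format and compares only exact -s/-d/-i/-o values (subnet containment is not evaluated), so a rule it does not flag may still be dead.

```shell
#!/bin/sh
# Added example: flag nat rules shadowed by an earlier terminating rule.
# Only exact -s/-d/-i/-o values are compared; no subnet containment.

# Constructed input: the nat POSTROUTING rules copied from the posted dump.
RULES='-A POSTROUTING -s 192.168.1.200 -o eth1 -j SNAT --to-source 1.16.16.43
-A POSTROUTING -d 192.168.1.0/24 -j ACCEPT
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth1 -j SNAT --to-source 1.16.16.44
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -o eth2 -j MASQUERADE
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -d 192.168.1.0/24 -j ACCEPT'

# shadowed_rules CHAIN  <  iptables-save text
# Prints "R shadowed by E: <rule>" for each rule R made unreachable by E.
shadowed_rules() {
  awk -v chain="$1" '
    # Collect the rules of the requested chain in order; keep the
    # interface/address matches as "flag=value " tokens and the target.
    $1 == "-A" && $2 == chain {
      n++; line[n] = $0; key[n] = ""; tgt[n] = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-s" || $i == "-d" || $i == "-i" || $i == "-o")
          key[n] = key[n] $i "=" $(i + 1) " "
        if ($i == "-j") tgt[n] = $(i + 1)
      }
    }
    # Every token of a must appear as a whole token in b (empty a: catch-all).
    function subset(a, b,   m, parts, i) {
      m = split(a, parts, " ")
      for (i = 1; i <= m; i++)
        if (index(" " b, " " parts[i] " ") == 0) return 0
      return 1
    }
    END {
      for (r = 2; r <= n; r++)
        for (e = 1; e < r; e++) {
          # Non-terminating targets (e.g. LOG) let the packet continue.
          if (tgt[e] !~ /^(ACCEPT|SNAT|MASQUERADE|DNAT|REDIRECT|DROP|REJECT|RETURN)$/) continue
          if (subset(key[e], key[r])) { print r " shadowed by " e ": " line[r]; break }
        }
    }'
}

printf '%s\n' "$RULES" | shadowed_rules POSTROUTING
```

On the posted rules this reports the SNAT to 1.16.16.44 as shadowed by the earlier MASQUERADE on eth1, and everything after the bare `-j MASQUERADE` as unreachable; on a live box run `iptables-save -t nat | shadowed_rules POSTROUTING`.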