Hello
I use racoon to set up an IPsec VPN server, but I cannot forward data packets to the Internet.
Client to/from server works.
But when a packet arrives at the server and should be forwarded to the Internet, it disappears. No forward, no error.
Client IP range 192.168.2.1/24
I use MASQUERADE to SNAT packets from 192.168.2.1 to 50.x.x.x
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.rp_filter = 0
iptables
*filter
:INPUT DROP [2227:260349]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p udp -m udp -m multiport --dports 500,4500 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.2.0/24 -o eth0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p esp -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [913:61920]
:INPUT ACCEPT [15:996]
:OUTPUT ACCEPT [853:52483]
:POSTROUTING ACCEPT [853:52483]
-A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
iptables -nvL
Chain INPUT (policy DROP 4376 packets, 512K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
18 720 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
81969 27M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
11 924 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp multiport dports 500,4500
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- * eth0 192.168.2.0/24 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
20 2520 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
4390 282K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
75583 44M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED
iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 1991 packets, 135K bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 30 packets, 1976 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1659 packets, 102K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 1659 packets, 102K bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * eth0 192.168.2.0/24 0.0.0.0/0
tcpdump capture
13:25:52.038563 IP 192.168.2.3.60235 > google-public-dns-a.google.com.domain: 34671+ AAAA? android.clients.google.com. (44)
13:25:57.050293 IP 192.168.2.3.60235 > google-public-dns-a.google.com.domain: 34671+ AAAA? android.clients.google.com. (44)
13:26:02.058146 IP 192.168.2.3.64973 > google-public-dns-a.google.com.domain: 5729+ A? android.clients.google.com. (44)
13:26:07.919578 IP 192.168.2.3.64973 > google-public-dns-a.google.com.domain: 5729+ A? android.clients.google.com. (44)
13:26:08.704411 IP 192.168.2.3.14552 > google-public-dns-a.google.com.domain: 16128+ AAAA? ssl.google-analytics.com. (42)
13:26:13.712940 IP 192.168.2.3.14552 > google-public-dns-a.google.com.domain: 16128+ AAAA? ssl.google-analytics.com. (42)
13:26:18.718656 IP 192.168.2.3.60952 > google-public-dns-a.google.com.domain: 245+ A? ssl.google-analytics.com. (42)
13:26:23.725283 IP 192.168.2.3.60952 > google-public-dns-a.google.com.domain: 245+ A? ssl.google-analytics.com. (42)
13:26:28.729428 IP 192.168.2.3.64993 > google-public-dns-a.google.com.domain: 62765+ AAAA? ssl.google-analytics.com. (42)
13:26:33.848203 IP 192.168.2.3.64993 > google-public-dns-a.google.com.domain: 62765+ AAAA? ssl.google-analytics.com. (42)
13:26:39.265046 IP 192.168.2.3.30923 > google-public-dns-a.google.com.domain: 32156+ A? ssl.google-analytics.com. (42)
13:26:44.268014 IP 192.168.2.3.30923 > google-public-dns-a.google.com.domain: 32156+ A? ssl.google-analytics.com. (42)
13:27:09.370725 IP 192.168.2.3.35249 > google-public-dns-a.google.com.domain: 42790+ AAAA? ssl.google-analytics.com. (42)
13:27:14.379137 IP 192.168.2.3.35249 > google-public-dns-a.google.com.domain: 42790+ AAAA? ssl.google-analytics.com. (42)
13:27:19.399348 IP 192.168.2.3.58003 > google-public-dns-a.google.com.domain: 51065+ A? ssl.google-analytics.com. (42)
Dealing with this problem has taken a long time; does anybody know where the problem is?
Thanks.
Last edited by MagicFish1990 (2014-01-26 13:44:54)
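A way to narrow down where the packets vanish, as an added example that is not part of the original post or of racoon: it parses a constructed excerpt of the `iptables -nvL` output above, checks whether anything at all reached the FORWARD hook (rule hits or the chain policy), and folds in the kernel rule that the effective reverse-path filter on an interface is the larger of `conf/all` and `conf/<iface>`, which setting only `conf/default` (as in the sysctl list above) does not change for interfaces that already exist. The function names, the sample text and the diagnosis strings are this example's own assumptions.

```python
import re
# Constructed excerpt of the post's FORWARD chain (example data, not the poster's code).
SAMPLE_IPTABLES = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
    0     0 ACCEPT all -- * eth0 192.168.2.0/24 0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\d+) packets")
RULE_RE = re.compile(r"^\s*(\d+)\s+\d+[KMG]?\s+\S+")

def parse_counters(text):
    """Return {chain: {"policy": name, "policy_pkts": n, "rule_pkts": [n, ...]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2),
                               "policy_pkts": int(m.group(3)), "rule_pkts": []}
            continue
        m = RULE_RE.match(line)  # header line has no leading digits, so it is skipped
        if m and current:
            chains[current]["rule_pkts"].append(int(m.group(1)))
    return chains

def forward_seen_any(chains):
    """True if any packet reached the FORWARD hook (a rule hit or the policy)."""
    fwd = chains["FORWARD"]
    return fwd["policy_pkts"] > 0 or any(fwd["rule_pkts"])

def effective_rp_filter(all_value, iface_value):
    """Linux uses max(conf/all, conf/<iface>) for source validation, so setting
    only conf/default leaves already-existing interfaces unchanged."""
    return max(all_value, iface_value)

def diagnose(chains, sniffed_client_packets, rp_all, rp_iface):
    """Narrow the drop point from tcpdump evidence, counters and rp_filter."""
    if not sniffed_client_packets:
        return "decapsulation: no client packets visible on the host"
    if not forward_seen_any(chains):
        if effective_rp_filter(rp_all, rp_iface) > 0:
            return "pre-FORWARD drop: reverse-path filter still active, likely cause"
        return "pre-FORWARD drop: packets never reach netfilter FORWARD; check routes/xfrm"
    fwd = chains["FORWARD"]
    if fwd["policy"] == "DROP" and fwd["policy_pkts"] > 0:
        return "FORWARD policy DROP: no ACCEPT rule matched the client traffic"
    return "forwarded: inspect POSTROUTING/MASQUERADE counters next"
```

Feed it the real `iptables -nvL` text and the values read from `/proc/sys/net/ipv4/conf/{all,eth0}/rp_filter`; zero counters on every FORWARD rule and on the policy while tcpdump still shows the client packets means the drop happens before netfilter's FORWARD hook.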