I have a "private cloud" of vbox guests running all kinds of things. I need to learn more about firewalls for work and decided to set up a linux instance to do NAT from an interface that bridges with the host's NIC (static 192.168.1.203/24) to one that's on an internal Virtualbox network (static 172.16.0.1/24). I stuck one of my other instances on the same Virtualbox network (static 172.16.0.2/24) and set the Arch instance as the gateway. I configured my firewall according to https://wiki.archlinux.org/index.php/Si … l_firewall and things work almost as I would expect them to: 172.16.0.2 can ping its gateway. It can ping other hosts on 192.168.1.0/24, including other machines and the main internet firewall on my LAN, 192.168.1.1.
What it CANNOT do is ping anything past 192.168.1.1. My broadband modem is 10.1.10.1:
josh@ticketserver:~$ ping 10.1.10.1
PING 10.1.10.1 (10.1.10.1) 56(84) bytes of data.
From 172.16.0.1 icmp_seq=1 Destination Net Unreachable
From 172.16.0.1 icmp_seq=2 Destination Net Unreachable
From 172.16.0.1 icmp_seq=3 Destination Net Unreachable
^C
--- 10.1.10.1 ping statistics ---
6 packets transmitted, 0 received, +3 errors, 100% packet loss, time 4996ms
Nothing past it either:
josh@ticketserver:~$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 172.16.0.1 icmp_seq=1 Destination Net Unreachable
From 172.16.0.1 icmp_seq=2 Destination Net Unreachable
From 172.16.0.1 icmp_seq=3 Destination Net Unreachable
From 172.16.0.1 icmp_seq=4 Destination Net Unreachable
^C
--- 8.8.8.8 ping statistics ---
8 packets transmitted, 0 received, +4 errors, 100% packet loss, time 6998ms
Why can't it get past the other NAT?
Gateway Config:
[root@dnessy josh]# cat /etc/iptables/iptables.rules
# Generated by iptables-save v1.4.21 on Tue May 6 00:26:09 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1149:121159]
:TCP - [0:0]
:UDP - [0:0]
:fw-interfaces - [0:0]
:fw-open - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j fw-interfaces
-A FORWARD -j fw-open
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A fw-interfaces -i enp0s8 -j ACCEPT
COMMIT
# Completed on Tue May 6 00:26:09 2014
# Generated by iptables-save v1.4.21 on Tue May 6 00:26:09 2014
*nat
:PREROUTING ACCEPT [156:23199]
:INPUT ACCEPT [2:144]
:OUTPUT ACCEPT [3:187]
:POSTROUTING ACCEPT [12:547]
-A POSTROUTING -s 172.16.0.0/24 -o enp0s3 -j MASQUERADE
COMMIT
# Completed on Tue May 6 00:26:09 2014
[root@dnessy josh]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:d0:67:a2 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.203/24 brd 192.168.1.255 scope global enp0s3
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fed0:67a2/64 scope link
valid_lft forever preferred_lft forever
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:a6:a5:c5 brd ff:ff:ff:ff:ff:ff
inet 172.16.0.1/24 brd 172.16.0.255 scope global enp0s8
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fea6:a5c5/64 scope link
valid_lft forever preferred_lft forever
Test Host config (debian):
It's got default iptables rules + fail2ban installed:
josh@ticketserver:~$ sudo iptables -nvL
[sudo] password for josh:
Chain INPUT (policy ACCEPT 700 packets, 66615 bytes)
pkts bytes target prot opt in out source destination
648 61339 fail2ban-ssh tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 498 packets, 57752 bytes)
pkts bytes target prot opt in out source destination
Chain fail2ban-ssh (1 references)
pkts bytes target prot opt in out source destination
648 61339 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
josh@ticketserver:~$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 08:00:27:3e:d6:d4 brd ff:ff:ff:ff:ff:ff
inet 172.16.0.2/24 brd 172.16.0.255 scope global eth0
inet6 fe80::a00:27ff:fe3e:d6d4/64 scope link
valid_lft forever preferred_lft forever
Let me know if you want output from anything else. Thank you for reading. I can't figure this out!
Last edited by f0nd004u (2014-05-06 08:29:40)
Solved: Gateway Address was not specified for the Router's WAN IP. Set to 192.168.1.1 and it works as expected.
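The "Destination Net Unreachable" replies above come from 172.16.0.1 itself, which is what a router sends when it has no route for the destination, so the symptom points at routing on the gateway rather than at the filter rules. The check below is an added example, not code from the thread: it parses constructed `ip route show` and `iptables-save` text shaped like this gateway (interface names enp0s3/enp0s8 and the MASQUERADE rule are taken from the post; the route tables are assumed) and reports whether a LAN client can be NATed out.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): decide whether a NAT gateway can
# forward LAN traffic upstream, from its route table and its nat rules.

# Constructed: the gateway's route table BEFORE the fix (no default route,
# only the two connected networks).
ROUTES_BROKEN='172.16.0.0/24 dev enp0s8 proto kernel scope link src 172.16.0.1
192.168.1.0/24 dev enp0s3 proto kernel scope link src 192.168.1.203'

# Constructed: the same table AFTER setting the WAN gateway to 192.168.1.1.
ROUTES_FIXED="default via 192.168.1.1 dev enp0s3
$ROUTES_BROKEN"

# The nat rule from the thread's iptables-save output.
NAT_RULES='-A POSTROUTING -s 172.16.0.0/24 -o enp0s3 -j MASQUERADE'

# Print the interface carrying the default route; print nothing if absent.
default_iface() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1) }'
}

# Print the outgoing interface(s) that MASQUERADE is bound to in POSTROUTING.
masq_iface() {
    printf '%s\n' "$1" | awk '/-A POSTROUTING/ && /MASQUERADE/ {
        for (i = 1; i <= NF; i++) if ($i == "-o") print $(i + 1) }'
}

# Verdict for a (route table, nat rules) pair:
#   no-default-route     gateway cannot reach anything beyond its own subnets
#   masq-iface-mismatch  default route leaves on an interface with no MASQUERADE,
#                        so replies would go to an unroutable 172.16.0.0/24 source
#   ok                   routing and source NAT agree
nat_path_status() {
    routes=$1
    nat=$2
    out=$(default_iface "$routes")
    [ -n "$out" ] || { echo no-default-route; return 0; }
    [ "$(masq_iface "$nat")" = "$out" ] || { echo masq-iface-mismatch; return 0; }
    echo ok
}

nat_path_status "$ROUTES_BROKEN" "$NAT_RULES"   # no-default-route
nat_path_status "$ROUTES_FIXED" "$NAT_RULES"    # ok
```

On a live gateway, feed it `"$(ip route show)"` and `"$(iptables-save -t nat)"` instead of the constructed strings.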