
#1 2005-02-21 03:40:52

flex_strongo
Member
Registered: 2003-12-02
Posts: 55

NAT+Iptables problem

Hey arch champions, I've got a little network problem.  Actually, I already posted this tonight but it looks like it got erased.  So, here goes again.  I've been working on making an arch router the last few days and I'm having trouble getting NAT to work.  I have a dhcp server set up on the box, and it works just fine, all other computers can connect to it, but they can't connect out to the internet.  The server connects just fine, but nothing else can get outside the LAN.  So here are my configs; if anyone could offer advice, I would appreciate it greatly.

iptables config:

#First we flush our current rules
iptables -F
iptables -t nat -F

#Then we lock our services so they only work from the LAN
iptables -I INPUT 1 -i eth1 -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
# "! -i eth1" = any interface except eth1 (the old "-i ! eth1" spelling is rejected by current iptables)
iptables -A INPUT -p UDP --dport bootps ! -i eth1 -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i eth1 -j REJECT

#Allow access to our ssh server from the WAN
iptables -A INPUT -p TCP --dport ssh -i eth0 -j ACCEPT

#Drop TCP / UDP packets to privileged ports
iptables -A INPUT -p TCP ! -i eth1 -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP ! -i eth1 -d 0/0 --dport 0:1023 -j DROP

#Finally we add the rules for NAT
# no forwarding between LAN hosts through the router
iptables -I FORWARD -i eth1 -d 10.0.0.0/255.255.0.0 -j DROP
# LAN -> anywhere out, WAN -> LAN back in
iptables -A FORWARD -i eth1 -s 10.0.0.0/255.255.0.0 -j ACCEPT
iptables -A FORWARD -i eth0 -d 10.0.0.0/255.255.0.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#Tell the kernel that ip forwarding is OK
echo 1 > /proc/sys/net/ipv4/ip_forward

here's the dhcp config:

server-name "whatever";
server-identifier 10.0.0.1;

authoritative;
ddns-update-style ad-hoc;
subnet 10.0.0.0 netmask 255.255.255.0 {
        range 10.0.0.100 10.0.0.250;
        default-lease-time 259200;
        max-lease-time 518400;
        option subnet-mask 255.255.255.0;
        option broadcast-address 10.0.0.255;
        option routers 10.0.0.1;
        option domain-name-servers 10.0.0.1;
}

and finally here's the entry in rc.conf for the NICs:

eth0='dhcp'
eth1='eth1 10.0.0.1 broadcast 10.0.0.255 netmask 255.255.255.0'
INTERFACES=(lo eth0 eth1)

And that's it, again, I'd be grateful if anyone could offer advice.

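For comparison with the ruleset posted above, here is the same router layout (eth0 on the WAN via dhcp, eth1 on the 10.0.0.0/24 LAN) written as a stateful default-deny ruleset. This is an added example, not the poster's configuration or anything from the Arch wiki; interface names and the LAN prefix are assumptions taken from the post, and the rule order is mine. It runs in dry-run mode by default (prints the iptables commands); set IPT=iptables and run as root to apply.

```shell
#!/bin/sh
# Added example: stateful NAT router ruleset (dry-run unless IPT=iptables).
WAN=${WAN:-eth0}              # assumption: WAN interface from the post
LAN=${LAN:-eth1}              # assumption: LAN interface from the post
LAN_NET=${LAN_NET:-10.0.0.0/24}
IPT=${IPT:-"echo iptables"}   # "echo iptables" only prints; "iptables" applies

nat_rules() {
    $IPT -F
    $IPT -t nat -F
    # Default-deny for traffic to the router and through it; the router itself may talk out.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback and the LAN side may reach local services (dhcpd, dns, ssh).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$LAN" -j ACCEPT
    # Replies to connections the router opened, plus new ssh sessions from the WAN.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # Anything arriving on the WAN with a LAN source address is spoofed: drop it.
    $IPT -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP
    # Forward only flows that start on the LAN and leave via the WAN ...
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    # ... and the return half of those flows. Unsolicited inbound never reaches the LAN.
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Rewrite the source of everything leaving the WAN to the WAN address (n:1 masquerade).
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

# Forwarding is off by default in the kernel; without it the FORWARD chain is never consulted.
enable_forwarding() {
    if [ "$IPT" = iptables ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    else
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    fi
}

nat_rules
enable_forwarding
```

The two differences that matter security-wise against the posted script: the FORWARD chain only accepts return traffic for flows the LAN opened (the original accepts everything from eth0 destined to 10.0.0.0/16), and INPUT is closed by policy rather than by a list of privileged ports, so a service listening above 1023 on the WAN side is not reachable by accident.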

#2 2005-02-21 04:31:57

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622

Re: NAT+Iptables problem

what do you have for ROUTES in rc.conf?


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍


#3 2005-02-21 04:49:54

flex_strongo
Member
Registered: 2003-12-02
Posts: 55

Re: NAT+Iptables problem

gateway="default gw 10.0.0.1"
ROUTES=(!gateway)

I didn't think I'd need it since the dhcpd server I set up should send out ip addresses dynamically.


#4 2005-02-21 05:00:31

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622

Re: NAT+Iptables problem

The machine running dhcp for the clients still needs to know how to reach the external net.

EDIT: Just noticed a line in your post that I apparently had missed.

The server connects just fine, but nothing else can get outside the LAN.


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍


#5 2005-02-21 19:15:01

flex_strongo
Member
Registered: 2003-12-02
Posts: 55

Re: NAT+Iptables problem

Hey guys, I think I fixed the problem.  Apparently I forgot to have a DNS server running, and that apparently fixed the LAN connection. Who knew? Chalk up another point on Linux experience.


#6 2005-03-03 23:01:32

mercy
Member
Registered: 2004-04-24
Posts: 62

Re: NAT+Iptables problem

Just if somebody cares... that's not NAT... it's PAT :-)

NAT -> network address translation (1:1) -> one private machine gets its own public IP
PAT -> port address translation (n:1) -> several private machines share one public IP


#7 2005-03-03 23:54:04

i3839
Member
Registered: 2004-02-04
Posts: 1,185

Re: NAT+Iptables problem

Errm, no. NAT is needed when the boxes don't have their own public IP, so you need to map one shared IP to a local IP.

Never heard of PAT, but by port translation probably is meant (automatic) port forwarding or something similar with ports and not IP addresses... (if two PCs behind the NAT have the same destination port then one of them needs to be mapped to something else; can call that PAT I suppose)


#8 2005-03-04 00:01:11

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622

Re: NAT+Iptables problem

http://computer.howstuffworks.com/nat1.htm

Overloading - A form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address by using different ports. This is known also as PAT (Port Address Translation), single address NAT or port-level multiplexed NAT.

It is all NAT.


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

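The "overloading" the quoted page describes, and the port collision i3839 mentions, can be shown with a small simulation of the translation table a masquerading router keeps. This is an added example, not code from the thread or from netfilter; the public address, the port range and the flow lines are constructed, and the collision handling is simplified to one public port per flow (the real conntrack code keys on the whole 5-tuple).

```shell
#!/bin/sh
# Added example: simulate the n:1 ("PAT" / masquerade) table of a NAT router.
PUBLIC_IP=${PUBLIC_IP:-198.51.100.7}   # constructed public address (documentation range)
NAT_PORT_MIN=${NAT_PORT_MIN:-32768}    # where to start looking for a free port on collision

# Reads flows as "lan_ip lan_port dst_ip dst_port" on stdin and prints
# "lan_ip:lan_port -> PUBLIC_IP:pub_port -> dst_ip:dst_port".
# Like MASQUERADE it keeps the LAN source port when that port is still free on the
# public side; when a second LAN host already holds it, the flow gets the next free port.
# That public port is the only thing the router has to tell replies apart.
translate_flows() {
    awk -v pub="$PUBLIC_IP" -v pmin="$NAT_PORT_MIN" '
    {
        key = $1 ":" $2 "->" $3 ":" $4
        if (key in table) {
            port = table[key]                 # known flow: reuse its mapping
        } else {
            port = $2 + 0
            if (port in used) {               # another LAN host already owns this port
                port = pmin + 0
                while (port in used) port++   # simplified: first free port upward
            }
            used[port] = key
            table[key] = port
        }
        printf "%s:%s -> %s:%d -> %s:%s\n", $1, $2, pub, port, $3, $4
    }'
}

# Constructed sample: two LAN hosts pick the same source port for the same web server,
# then the first host sends another packet on its existing flow.
demo() {
    printf '%s\n' \
        '10.0.0.100 40000 203.0.113.9 80' \
        '10.0.0.101 40000 203.0.113.9 80' \
        '10.0.0.100 40000 203.0.113.9 80' | translate_flows
}

demo
```

Run it and the second host's flow comes out on a different public port while the third line maps back to the first host's existing entry. On a real box the same table is what `conntrack -L` (or `/proc/net/nf_conntrack`) shows, and it is also why every LAN host looks like the router's address to the outside: the mapping is per port, not per address, which is all the "overloading" term means.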

#9 2005-03-04 09:15:32

mercy
Member
Registered: 2004-04-24
Posts: 62

Re: NAT+Iptables problem

Nice explanation on that page :-)

Somehow a tricky topic because most people talk about PAT (masquerade for the iptablers ;)) but use the term NAT ...

Not really true... not really wrong... but it's nice to know the difference :-)
