RE: NAT doesn't work (only a fraction of the forwarded packets reach the postrouting chain)

What do you see when you tcpdump on your external interface (tcpdump -i eth0)? Can you see natted packets exiting that interface?

The reason that you only see 4 packets in the iptables -t nat -L is that if you fire off 10 pings, iptables will see the latter 9 as belonging to the same connection and therefore only logs 1.

It might be as simple as the host you are trying to ping just being unpingable.

Specify some more info, like what you are trying to ping, traceroute -I output.

-----Original Message-----
From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Mårten Segerkvist
Sent: Sunday, March 13, 2005 1:01 PM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: RE: NAT doesn't work (only a fraction of the forwarded packets reach the postrouting chain)

On Sun, 13 Mar 2005, Sietse van Zanen wrote:

> From man iptables:
> MASQUERADE
> This target is only valid in the nat table, in the POSTROUTING chain. 
> It should only be used with dynamically assigned IP (dialup) 
> connections: if you have a static IP address, you should use the
> SNAT target.
>
> Try using regular SNAT rule:
>
> iptables --table nat --append POSTROUTING --out-interface eth0 -j SNAT \
>    --to-source your.pub.ip.addr
>

Now using:

echo 1 > /proc/sys/net/ipv4/ip_forward
modprobe ipt_MASQUERADE
modprobe iptable_filter
iptables --table nat --append POSTROUTING --out-interface eth0 -j SNAT \
   --to-source 81.172.241.145
iptables --append FORWARD --in-interface eth1 -j ACCEPT

This gives me the same result as previously. What confuses me further is
that no packets seem to be accepted from the wlan-interface.

> iptables -L -v

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  125  5000 ACCEPT     all  --  wlan0  any     anywhere             anywhere

> iptables -t nat -L -v

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   295 SNAT       all  --  any    eth0    anywhere             anywhere            to:<IP>

As before, I'd be most grateful for any suggestions!

/Mårten Segerkvist
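
Added example, not part of the original thread: a simplified Python model of the counter behaviour discussed in the reply, where the filter FORWARD rule counts every forwarded packet while the nat POSTROUTING rule is hit only by the first packet of each tracked connection. The addresses, ICMP ids and the 30-second ICMP entry timeout are assumptions made for the illustration.

```python
# Simplified model (added example): netfilter consults the nat table only for
# the first packet of a connection; conntrack reuses the mapping for the rest.
from collections import namedtuple

# ident stands for the ICMP echo id (or a port pair for TCP/UDP).
Packet = namedtuple("Packet", "time src dst proto ident")

ICMP_TIMEOUT = 30  # seconds; assumed conntrack timeout for ICMP entries


def flow_key(pkt):
    """Direction-independent key so a reply matches the request's entry.
    Replies are modelled with their pre-NAT addresses for simplicity."""
    a, b = sorted((pkt.src, pkt.dst))
    return (pkt.proto, a, b, pkt.ident)


def count_hits(packets, timeout=ICMP_TIMEOUT):
    """Return (filter_forward_hits, nat_postrouting_hits)."""
    last_seen = {}  # flow key -> time of the last packet seen for that flow
    forward_hits = nat_hits = 0
    for pkt in sorted(packets, key=lambda p: p.time):
        forward_hits += 1  # the filter table sees every forwarded packet
        key = flow_key(pkt)
        seen = last_seen.get(key)
        if seen is None or pkt.time - seen > timeout:
            nat_hits += 1  # new connection: the nat rule is evaluated once
        last_seen[key] = pkt.time
    return forward_hits, nat_hits


def sample_pings(dst, ident, count, interval=1):
    """Constructed sample traffic: `count` echo requests from one LAN host."""
    return [Packet(i * interval, "192.168.0.10", dst, "icmp", ident)
            for i in range(count)]


if __name__ == "__main__":
    one_run = sample_pings("198.51.100.7", 0x1234, 10)
    print("10 pings, one ping process:", count_hits(one_run))
    two_hosts = one_run + sample_pings("198.51.100.8", 0x1235, 5)
    print("two destinations:", count_hits(two_hosts))
    slow = sample_pings("198.51.100.7", 0x1234, 3, interval=60)
    print("pings 60 s apart:", count_hits(slow))
```

A low packet count on the nat rule next to a high count on the FORWARD rule is therefore expected; comparing against the connection tracking table or a capture on the external interface is what shows whether translation is actually happening.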



