On Sun, 13 Mar 2005 13:14:31 +0100, Sietse van Zanen <sietse@xxxxxxxxx> wrote:
> What do you see, when you tcpdump on your external interface? (tcpdump -i eth0). Can you see natted packets exiting that interface?
>
> The reason, that you only see 4 packets in the iptables -t nat -L is that if you fire off 10 pings, iptables will see the latter 9 as belonging to the same connection and therefore only logs 1.

How come ???

> It might be as simple, that the host you are trying to ping is just unpingable.
>
> Specify some more info, like what you are trying to ping, traceroute -I output.
>
> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Mårten Segerkvist
> Sent: Sunday, March 13, 2005 1:01 PM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: RE: NAT doesn't work (only a fraction of the forwarded packets reach the postrouting chain)
>
> On Sun, 13 Mar 2005, Sietse van Zanen wrote:
>
> > From man iptables:
> > MASQUERADE
> > This target is only valid in the nat table, in the POSTROUTING chain.
> > It should only be used with dynamically assigned IP (dialup)
> > connections: if you have a static IP address, you should use the
> > SNAT target.
> >
> > Try using regular SNAT rule:
> >
> > iptables --table nat --append POSTROUTING --out-interface eth0 -j SNAT
> > --to-source your.pub.ip.addr
> >
>
> Now using:
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> modprobe ipt_MASQUERADE
> modprobe iptable_filter
> iptables --table nat --append POSTROUTING --out-interface eth0 -j SNAT \
>     --to-source 81.172.241.145
> iptables --append FORWARD --in-interface eth1 -j ACCEPT
>
> This gives me the same result as previously. What confuses me further is
> that no packets seem to be accepted from the wlan-interface.
>
> > iptables -L -v
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>   125  5000 ACCEPT     all  --  wlan0  any     anywhere             anywhere
>
> > iptables -t nat -L -v
>
> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     4   295 SNAT       all  --  any    eth0    anywhere             anywhere            to:<IP>
>
> As before, I'd be most grateful for any suggestions!
>
> /Mårten Segerkvist
>
>

--
Mohamed Eldesoky
www.eldesoky.net
RHCE
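
Added example, not part of the thread: a simplified Python model of the counter behaviour discussed above, where the nat table is consulted only for the first packet of a tracked flow while the filter FORWARD chain counts every packet. The `Router` class, the addresses, the ICMP ids and the 30-second idle timeout are assumptions made for illustration; reply traffic is not modelled.

```python
# Simplified model of netfilter connection tracking (added illustration, not kernel code).
from dataclasses import dataclass, field

ICMP_TIMEOUT = 30  # seconds; assumed idle timeout for an ICMP conntrack entry


@dataclass
class Router:
    snat_ip: str
    forward_pkts: int = 0      # filter/FORWARD counter: bumped for every packet
    postrouting_pkts: int = 0  # nat/POSTROUTING counter: bumped once per new flow
    conntrack: dict = field(default_factory=dict)  # flow key -> [snat source, last seen]

    def forward(self, src, dst, icmp_id, now):
        """Forward one ICMP echo request and return its source address after NAT."""
        self.forward_pkts += 1
        key = (src, dst, icmp_id)  # echo requests are tracked by addresses + ICMP id
        entry = self.conntrack.get(key)
        if entry is None or now - entry[1] > ICMP_TIMEOUT:
            # First packet of a flow: the nat rules are walked once and the
            # chosen mapping is stored in the conntrack entry.
            self.postrouting_pkts += 1
            entry = self.conntrack[key] = [self.snat_ip, now]
        entry[1] = now
        return entry[0]  # later packets reuse the stored mapping, no rule lookup


def run_pings(router, src, dst, icmp_id, count, start=0):
    """Send `count` echo requests one second apart, as one ping process would."""
    return [router.forward(src, dst, icmp_id, start + i) for i in range(count)]


def demo():
    # Constructed sample traffic using documentation addresses.
    r = Router(snat_ip="192.0.2.1")
    out = run_pings(r, "10.0.0.5", "198.51.100.7", icmp_id=4242, count=10)
    run_pings(r, "10.0.0.5", "198.51.100.7", icmp_id=4243, count=10, start=20)
    return r.forward_pkts, r.postrouting_pkts, set(out)


if __name__ == "__main__":
    print(demo())  # (20, 2, {'192.0.2.1'})
```

Two ping runs of ten packets each leave 20 on the FORWARD counter but only 2 on the nat POSTROUTING counter, and every packet still leaves with the translated source address.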