Dear Brian,
How is the routing set up? Did you try to log the entries before the DROP rule? Since it is a PREROUTING NAT, the packet will be NATed before traversing the INPUT, FORWARD or OUTPUT chains. You may proceed troubleshooting in that direction.
John Mok
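As an added illustration of the logging suggestion above (this is editor-supplied example code, not something from the thread), the script below parses an iptables-save dump like the one Brian posted, reports which tables the dump contains (a dump showing only "filter" matches the /proc/net/ip_tables_names result he saw), and generates the LOG rules to insert immediately ahead of each DROP so dropped packets show up in the kernel log. The sample dump and its addresses are constructed placeholders.

```python
"""Parse iptables-save output and build LOG rules to insert before each DROP."""
from typing import Dict, List

# Constructed sample in iptables-save format, modelled on the thread's ruleset.
SAMPLE = """\
# Generated by iptables-save v1.2.11 (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -j DROP
-A INPUT -p udp -j DROP
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p tcp -j DROP
COMMIT
"""

def parse_save(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {table: {chain: [rule-spec, ...]}}, preserving rule order per chain."""
    tables: Dict[str, Dict[str, List[str]]] = {}
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                      # table header, e.g. *filter
            table = line[1:]
            tables[table] = {}
        elif line.startswith(":"):                    # chain policy line, e.g. :INPUT ACCEPT [0:0]
            tables[table].setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):                  # appended rule
            parts = line.split(maxsplit=2)
            chain, spec = parts[1], (parts[2] if len(parts) > 2 else "")
            tables[table].setdefault(chain, []).append(spec)
    return tables

def missing_tables(text: str, wanted=("filter", "nat")) -> List[str]:
    """Tables you expected but the dump lacks (a missing 'nat' points at the kernel build)."""
    present = parse_save(text)
    return [t for t in wanted if t not in present]

def log_rules_before_drop(text: str, table: str = "filter") -> List[str]:
    """Commands that insert a LOG rule directly ahead of every DROP in the given table."""
    cmds: List[str] = []
    for chain, rules in parse_save(text).get(table, {}).items():
        inserted = 0                                  # each LOG shifts later rule positions by one
        for idx, spec in enumerate(rules, start=1):
            if not spec.endswith("-j DROP"):
                continue
            match = spec[: -len(" -j DROP")].strip()  # keep the DROP rule's own match criteria
            pos = idx + inserted
            cmds.append(f'iptables -t {table} -I {chain} {pos} {match} -j LOG --log-prefix "{chain}-drop: "')
            inserted += 1
    return cmds
```

Run the emitted commands on the firewall, then watch the kernel log for the chosen prefix to see which rule is dropping the traffic.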
Brian Atkins wrote:
Jason,
Sorry for the delay in response. Catting either of those files doesn't return much. The ip_tables_names only returns: "filter"; ip_tables_targets is null.
I did use genkernel to build the new kernel. I did have multiple issues with the kernel config initially, but mostly related to disk drivers. I can forward my .config if that might be helpful.
I should say that other than trying to load the NATs, everything else is working fine. Here is the small config that I am currently running (don't worry, this isn't production, yet):
# Generated by iptables-save v1.2.11 on Mon May 16 13:42:26 2005
*filter
:INPUT ACCEPT [89274:15206611]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9009:1656730]
-A INPUT -s xxx.xxx.xxx.0/255.0.0.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.0/255.0.0.0 -p icmp -j ACCEPT
-A INPUT -s xxx.xxx.xxx.64/255.255.255.192 -p icmp -j ACCEPT
-A INPUT -s xxx.xxx.xxx.65 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -j DROP
-A INPUT -p udp -j DROP
-A FORWARD -d xxx.xxx.xxx.57 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d xxx.xxx.xxx.57 -p tcp -m tcp --dport 5666 -j ACCEPT
-A FORWARD -d xxx.xxx.xxx.61 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d xxx.xxx.xxx.61 -p tcp -m tcp --dport 1999 -j ACCEPT
-A FORWARD -d xxx.xxx.xxx.61 -p tcp -m tcp --dport 4899 -j ACCEPT
-A FORWARD -d xxx.xxx.xxx.61 -p tcp -m tcp --dport 5666 -j ACCEPT
-A FORWARD -d xxx.xxx.xxx.61 -p tcp -m tcp --dport 8080 -j ACCEPT
-A FORWARD -d xxx.xxx.xxx.62 -p tcp -m tcp --dport 4899 -j ACCEPT
-A FORWARD -d xxx.xxx.xxx.63 -p tcp -m tcp --dport 5666 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p icmp -j DROP
-A OUTPUT -p tcp -j DROP
-A OUTPUT -p udp -j DROP
COMMIT
# Completed on Mon May 16 13:42:26 2005
Jason Opperisano wrote:
On Fri, May 13, 2005 at 01:04:31PM -0700, Brian Atkins wrote:
Greetings:
I'm in the process of building my first dedicated firewall using iptables/netfilter (v 1.2.11) on Gentoo Linux (2.6.11 kernel). I want to enable the natting of IPs, but I am having trouble getting the rules to take. Essentially, I would like to take a specific group of IPs (servers) and nat them specifically to an internal ip address. The remainder of the internal IPs (workstations - dhcp) should be natted outbound within a range of IPs.
Based on the docs on Netfilter.org and the man pages, I decided to start off with the following:
iptables -t nat -A PREROUTING -i eth0 -d 141.xxx.xxx.xxx -j DNAT --to-destination 10.xxx.xxx.xxx
But, when I try to run the command, it just hangs. After a while, I can break out of it with Ctrl-C.
What gives? Am I missing something?
the syntax of that rule looks fine to me. i'm going to go out on a limb and say there is something rotten in your kernel config.
out of curiosity, how did you compile the kernel for this machine, by hand, or by using genkernel?
also, what does:
$ cat /proc/net/ip_tables_names
and
$ cat /proc/net/ip_tables_targets
have to say?
-j
-- "Tom Tucker: Now let's go to Greg The Weather Mime. OK... it's going to be cold...lots of wind... and it looks like parents are going to throw human fecal matter from the rooftops onto their children... oh, GOD. That's awful. No wait, it looks like rain. Yes, rain." --Family Guy