> ----- Original Message -----
> From: jwlargent <jwlargent@xxxxxxxxxxx>
> To: "k bah" <kbah@xxxxxxxxxxxxx>
> Subject: Re: UDP packets are not being forwarded to pc on the local net.
> Date: Thu, 17 May 2007 09:48:11 -0500
>
> I would suggest you start with just a basic NAT setup and then once
> that is working add the additional rules you need.
>
> Minimal NAT setup
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

The initial setup was like this. Everything was allowed; since it didn't work, I started to explicitly allow some traffic.

>
> iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
> iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
>
> and don't forget to turn on forwarding in the kernel
> echo 1 > /proc/sys/net/ipv4/ip_forward

Ok, I read some more, and here is my setup a little more clearly
(eth0 - router netcard to the internet; eth1 - router netcard to the internal net):

----------
*raw
:PREROUTING ACCEPT
:OUTPUT ACCEPT
*mangle
:PREROUTING ACCEPT
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A INPUT -i eth1 -p udp -m udp -j ACCEPT
# *so the p2p client can send udp out?*
-A INPUT -i eth0 -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state RELATED -j ACCEPT
-A INPUT -p udp -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 41001 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 41002 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 41002 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 41004 -j ACCEPT
-A FORWARD -p udp -m udp --sport 41002 -j LOG --log-prefix "H015 -t fwd udp41002 sport"
-A FORWARD -p udp -m udp --dport 41002 -j LOG --log-prefix "H015 -t fwd udp41002 dport"
-A FORWARD -p udp -m udp --sport 41004 -j LOG --log-prefix "H015 -t fwd udp41004 sport"
-A FORWARD -p udp -m udp --dport 41004 -j LOG --log-prefix "H015 -t fwd udp41004 dport"
-A FORWARD -p tcp -m tcp --dport 41001 -j LOG --log-prefix "H015 -t fwd tcp41001 dport"
-A FORWARD -p tcp -m tcp --sport 41001 -j LOG --log-prefix "H015 -t fwd tcp41001 sport"
-A OUTPUT -p udp -m udp --sport 41002 -j LOG --log-prefix " H015 -t out udp41002 sport"
-A OUTPUT -p udp -m udp --dport 41002 -j LOG --log-prefix " H015 -t out udp41002 dport"
-A OUTPUT -p udp -m udp --sport 41004 -j LOG --log-prefix " H015 -t out udp41004 sport"
-A OUTPUT -p udp -m udp --dport 41004 -j LOG --log-prefix " H015 -t out udp41004 dport"
-A OUTPUT -o eth0 -p udp -m udp -j ACCEPT
-A OUTPUT -o eth1 -p udp -m udp -j ACCEPT
*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 41001 -j LOG --log-prefix "H015 -t:nat:prerouting 01dpt"
-A PREROUTING -i eth0 -p udp -m udp --dport 41002 -j LOG --log-prefix "H015 -t:nat:prerouting 02dpt"
-A PREROUTING -i eth0 -p udp -m udp --dport 41004 -j LOG --log-prefix "H015 -t:nat:prerouting 04dpt"
-A PREROUTING -i eth0 -p tcp -m tcp --dport 41001 -j DNAT --to-destination 10.1.1.15:41001
-A PREROUTING -i eth0 -p udp -m udp --dport 41002 -j DNAT --to-destination 10.1.1.15:41002
-A PREROUTING -i eth0 -p udp -m udp --dport 41004 -j DNAT --to-destination 10.1.1.15:41004
-A POSTROUTING -s 10.1.1.0/255.255.255.0 -o eth0 -j MASQUERADE
----------

I sent packets from a shell outside my network, on the internet (to my router's IP address on the internet, 201.x, not 10.1.1.1, of course):

----- tcp port 41001 -----
PACKET GOT TO MY NETWORK ROUTER
H015 -t:nat:prerouting 01 dpt IN=eth0 OUT= MAC=ok:ok:ok:ok:ok:ok:ok:ok:ok:ok:ok:ok:ok:=) SRC=87.227.31.20 DST=201.OK.OK.=) LEN=60 TOS=0x00 PREC=0x20 TTL=42 ID=20327 DF PROTO=TCP SPT=38631 DPT=41001 WINDOW=5840 RES=0x00 SYN URGP=0

PACKET INSIDE MY NETWORK BEING FORWARDED TO MACHINE INSIDE THE NET
H015 -t fwd tcp41001 dport IN=eth0 OUT=eth1 SRC=87.227.31.20 DST=10.1.1.15 LEN=60 TOS=0x00 PREC=0x20 TTL=41 ID=20327 DF PROTO=TCP SPT=38631 DPT=41001 WINDOW=5840 RES=0x00 SYN URGP=0

MACHINE INSIDE MY NETWORK SENDING REPLY TO INTERNET MACHINE WHERE THE PACKET ORIGINATED
H015 -t fwd tcp41001 sport IN=eth1 OUT=eth0 SRC=10.1.1.15 DST=87.227.31.20 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=20293 PROTO=TCP SPT=41001 DPT=38631 WINDOW=0 RES=0x00 ACK RST URGP=0
----- tcp port 41001 -----

----- udp port 41002 -----
PACKET GOT TO NETWORK ROUTER
H015 -t:nat:prerouting 02 dpt IN=eth0 OUT= MAC=ok:ok:ok:ok:ok:ok:ok:ok:ok:ok:ok:ok:ok:=) SRC=87.227.31.20 DST=201.OK.OK.=) LEN=54 TOS=0x00 PREC=0x20 TTL=42 ID=55587 DF PROTO=UDP SPT=53050 DPT=41002 LEN=34

PACKET INSIDE MY NETWORK BEING FORWARDED TO MACHINE INSIDE THE NET
H015 -t fwd udp41002 dport IN=eth0 OUT=eth1 SRC=87.227.31.20 DST=10.1.1.15 LEN=54 TOS=0x00 PREC=0x20 TTL=41 ID=55587 DF PROTO=UDP SPT=53050 DPT=41002 LEN=34
----- udp port 41002 -----

----- udp port 41004 -----
PACKET GOT TO NETWORK ROUTER
H015 -t:nat:prerouting 04 dpt IN=eth0 OUT= MAC=ok:ok:ok:ok:ok:ok:ok:ok:ok:ok:ok:ok:ok:=) SRC=87.227.31.20 DST=201.OK.OK.=) LEN=54 TOS=0x00 PREC=0x20 TTL=42 ID=61379 DF PROTO=UDP SPT=53050 DPT=41004 LEN=34

PACKET INSIDE MY NETWORK BEING FORWARDED TO MACHINE INSIDE THE NET
H015 -t fwd udp41004 dport IN=eth0 OUT=eth1 SRC=87.227.31.20 DST=10.1.1.15 LEN=54 TOS=0x00 PREC=0x20 TTL=41 ID=61379 DF PROTO=UDP SPT=53050 DPT=41004 LEN=34
----- udp port 41004 -----

Now check item 3.2 from http://www.stearns.org/iptables/netfilter-hacking-HOWTO.txt if it shows up weird here (the ASCII illustration showing packet flow):

----ascii----
--->PRE------>[ROUTE]--->FWD---------->POST------>
    Conntrack    |       Filter   ^    NAT (Src)
    Mangle       |                |    Conntrack
    NAT (Dst)    |             [ROUTE]
    (QDisc)      v                |
                IN Filter       OUT Conntrack
                 | Conntrack      ^  Mangle
                 |                |  NAT (Dst)
                 v                |  Filter
----ascii----

I disabled the WinXP firewall on the machine inside the network and checked it again after a reboot. Now I think the problem is not with packet forwarding; I think it's with the p2p client, OR maybe the p2p client is not able to send stuff out? Does anyone agree with me?

Thanks for your time.

--
Powered by Outblaze
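The three log prefixes in the post (nat PREROUTING on arrival, FORWARD for the DNAT'd copy going to the LAN host, FORWARD for the LAN host's reply) can be correlated mechanically. The script below is an added example for this thread, not code from the original post or from the netfilter project. It parses netfilter LOG lines into fields and TCP flags, groups them per probed (proto, port), and states what each trace proves. The sample lines are constructed from the ones in the post, with the public address and the MAC replaced by placeholders; the stage detection assumes eth0 faces the internet and eth1 the LAN, as in the post.

```python
"""Correlate netfilter LOG lines into per-probe traces.

Added example for the thread above; not code from the original post or from the
netfilter project.  Assumes the three log prefixes the poster used (a nat
PREROUTING log on arrival, a FORWARD log for the DNAT'd packet, a FORWARD log for
the internal host's reply) and that eth0 faces the internet and eth1 the LAN.
"""

# Constructed sample: the poster's log lines with the public address and the MAC
# replaced by placeholders (203.0.113.10 is documentation space, not a real host).
SAMPLE_LOG = """\
H015 -t:nat:prerouting 01dpt IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=87.227.31.20 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x20 TTL=42 ID=20327 DF PROTO=TCP SPT=38631 DPT=41001 WINDOW=5840 RES=0x00 SYN URGP=0
H015 -t fwd tcp41001 dport IN=eth0 OUT=eth1 SRC=87.227.31.20 DST=10.1.1.15 LEN=60 TOS=0x00 PREC=0x20 TTL=41 ID=20327 DF PROTO=TCP SPT=38631 DPT=41001 WINDOW=5840 RES=0x00 SYN URGP=0
H015 -t fwd tcp41001 sport IN=eth1 OUT=eth0 SRC=10.1.1.15 DST=87.227.31.20 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=20293 PROTO=TCP SPT=41001 DPT=38631 WINDOW=0 RES=0x00 ACK RST URGP=0
H015 -t:nat:prerouting 02dpt IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=87.227.31.20 DST=203.0.113.10 LEN=54 TOS=0x00 PREC=0x20 TTL=42 ID=55587 DF PROTO=UDP SPT=53050 DPT=41002 LEN=34
H015 -t fwd udp41002 dport IN=eth0 OUT=eth1 SRC=87.227.31.20 DST=10.1.1.15 LEN=54 TOS=0x00 PREC=0x20 TTL=41 ID=55587 DF PROTO=UDP SPT=53050 DPT=41002 LEN=34
H015 -t:nat:prerouting 04dpt IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=87.227.31.20 DST=203.0.113.10 LEN=54 TOS=0x00 PREC=0x20 TTL=42 ID=61379 DF PROTO=UDP SPT=53050 DPT=41004 LEN=34
H015 -t fwd udp41004 dport IN=eth0 OUT=eth1 SRC=87.227.31.20 DST=10.1.1.15 LEN=54 TOS=0x00 PREC=0x20 TTL=41 ID=61379 DF PROTO=UDP SPT=53050 DPT=41004 LEN=34
"""

WAN, LAN = "eth0", "eth1"          # interface roles, as in the post
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}


def parse_line(line):
    """Return ({field: value}, {bare TCP flags}) for one netfilter LOG line.

    The kernel prints the IP header before the transport header, so a UDP line
    carries LEN= twice; setdefault keeps the first (IP total length)."""
    fields, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields.setdefault(key, value)
        elif tok in TCP_FLAGS:
            flags.add(tok)
    return fields, flags


def _new_probe():
    return {"reached_router": False, "dnat_target": None, "forwarded": False,
            "reply_flags": None, "verdict": None}


def verdict(proto, probe):
    """Say what the three log stages prove for one probed port."""
    if not probe["reached_router"]:
        return "NOT_SEEN"            # never arrived on the WAN side
    if not probe["forwarded"]:
        return "NOT_FORWARDED"       # DNAT, FORWARD policy or ip_forward problem
    if probe["reply_flags"] is None:
        # Forwarded, no answer seen.  For TCP that means the host (or its own
        # firewall) dropped the SYN; for UDP it proves nothing, since UDP only
        # answers when the application does.
        return "FORWARDED_NO_REPLY"
    if proto == "TCP" and "RST" in probe["reply_flags"]:
        return "HOST_REFUSED"        # forwarding works; nothing listens on the port
    if proto == "TCP" and {"SYN", "ACK"} <= set(probe["reply_flags"]):
        return "LISTENER_ANSWERED"
    return "REPLY_SEEN"


def trace(log_text):
    """Group LOG lines by (proto, probed port) and attach a verdict to each."""
    probes, replies = {}, []
    for line in log_text.splitlines():
        f, flags = parse_line(line)
        if "PROTO" not in f or "DPT" not in f:
            continue
        if f.get("IN") == WAN and f.get("OUT") == "":
            # nat PREROUTING: DST is still the router's public address.
            probes.setdefault((f["PROTO"], int(f["DPT"])), _new_probe())["reached_router"] = True
        elif f.get("IN") == WAN and f.get("OUT") == LAN:
            # FORWARD, inbound: DNAT has already rewritten DST to the LAN host.
            p = probes.setdefault((f["PROTO"], int(f["DPT"])), _new_probe())
            p["forwarded"], p["dnat_target"] = True, f["DST"]
        elif f.get("IN") == LAN and f.get("OUT") == WAN:
            # FORWARD, outbound reply: SRC is still the private address because
            # MASQUERADE runs later, in nat POSTROUTING.
            replies.append((f, flags))
    for (proto, port), p in probes.items():
        for f, flags in replies:
            if f["PROTO"] == proto and int(f["SPT"]) == port and f["SRC"] == p["dnat_target"]:
                p["reply_flags"] = sorted(flags)
        p["verdict"] = verdict(proto, p)
    return probes


if __name__ == "__main__":
    for (proto, port), p in sorted(trace(SAMPLE_LOG).items()):
        print(f"{proto}/{port}: dnat->{p['dnat_target']} reply={p['reply_flags']} {p['verdict']}")
```

Run against the sample, the TCP probe comes out as HOST_REFUSED: the SYN was DNAT'd, forwarded out eth1, and 10.1.1.15 answered with ACK RST, which is what a host sends when no socket is listening on that port, so the router side did its job. The two UDP probes come out as FORWARDED_NO_REPLY, which the verdict deliberately leaves inconclusive: a UDP datagram that reaches the host produces no response unless the application replies, so silence there does not tell you whether the p2p client ever received it.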