Hello: I'm trying to set up simple NAT/masquerading on a dual-NIC host (hostname == "psi") running Fedora 19, so hosts on my LAN can access the Internet by routing through host "psi". Interface p1p1 is on my LAN, p2p1 is on the Internet. I got the "design" of the /etc/iptables below from another of my older (Fedora Core 10) hosts, where NAT/masquerading works fine. Everything but the NAT/masquerading works.

On one of my LAN Windows hosts named 'neon' I changed the default route to point to host "psi" on the LAN side (10.164.123.202):

# neon adm_tsr $ ping 10.164.123.202 64 1
PING 10.164.123.202 (10.164.123.202): 64 data bytes
72 bytes from 10.164.123.202: icmp_seq=0 ttl=64 time=0 ms
--snip
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip (ms) min/avg/max/med = 0/0/0/0

# neon adm_tsr $ ipconfig
--snip
IP Address. . . . . . . . . . . . : 10.164.123.211
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.164.123.202

# neon adm_tsr $ wget http://208.118.235.148 -O -      # 208.118.235.148 == gnu.org
--2013-09-19 11:16:48--  http://208.118.235.148/
Connecting to 208.118.235.148:80... failed: Connection timed out.
--snip

I ran "tcpdump -vv host 10.164.123.202 and 10.164.123.211" and saw nothing during the wget.

Constructive comments or help would be appreciated.

--
thanks/regards, Tom
--

# 11:02:19 Thu 0919 /etc/sysconfig
# psi root # ifconfig
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 2  bytes 140 (140.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2  bytes 140 (140.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

p1p1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.164.123.202  netmask 255.255.255.0  broadcast 10.164.123.255
        inet6 fe80::20a:cdff:fe21:413b  prefixlen 64  scopeid 0x20<link>
        ether 00:0a:cd:21:41:3b  txqueuelen 1000  (Ethernet)
        RX packets 10271  bytes 808599 (789.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 21931  bytes 6241567 (5.9 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

p2p1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet THREE_OCTETS_HERE.130  netmask 255.255.255.248  broadcast THREE_OCTETS_HERE.135
        inet6 fe80::96de:80ff:fe70:5cc0  prefixlen 64  scopeid 0x20<link>
        ether 94:de:80:70:5c:c0  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
        device interrupt 18

# 11:02:56 Thu 0919 /etc/sysconfig
# psi root # cat iptables
# iptables comments apparently require poundsign in column 1
# http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-7.html
# some comments taken from: http://serverfault.com/questions/84963/why-not-block-icmp
# Firewall configuration written by system-config-firewall
# Internet facing port is p2p1
# LAN: p1p1
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o p2p1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Accept any packets that have something to do with ones we've sent on outbound
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ESTABLISHED: A packet which belongs to an existing connection
# (i.e., a reply packet, or outgoing packet on a connection which has seen replies).
#
# RELATED: A packet which is related to, but not part of, an existing
# connection, such as an ICMP error, or (with the FTP module
# inserted), a packet establishing an ftp data connection.
# Accept ICMP
-A INPUT -p icmp -j ACCEPT
# Accept any packets coming or going on localhost (this can be very important)
-A INPUT -i lo -j ACCEPT
# trust LAN
-A INPUT -i p1p1 -j ACCEPT
# TBD: do I need these:
-A INPUT -p ah -j ACCEPT
-A INPUT -p esp -j ACCEPT
# --------------------------------------------------------------------
# accept ssh, http, https, mail
# --------------------------------------------------------------------
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
# https
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
# --------------------------------------------------------------------
# setup forwarding for nat/masquerading
# --------------------------------------------------------------------
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i p1p1 -j ACCEPT
-A FORWARD -o p2p1 -j ACCEPT
# reject other traffic
# TBD: reconcile w/ http://www.redhat.com/archives/rhl-list/2009-September/msg01757.html
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -i p1p1 -s 10.164.123.202/255.255.255.0 -j ACCEPT
COMMIT

# 11:03:22 Thu 0919 /etc/sysconfig
# psi root # iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 3084  563K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    5   213 ACCEPT     icmp --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
   15  2305 ACCEPT     all  --  p1p1   any     anywhere             anywhere
    0     0 ACCEPT     ah   --  any    any     anywhere             anywhere
    0     0 ACCEPT     esp  --  any    any     anywhere             anywhere
    1    48 ACCEPT     tcp  --  any    any     anywhere             anywhere             state NEW tcp dpt:ssh
    2   120 ACCEPT     tcp  --  any    any     anywhere             anywhere             state NEW tcp dpt:http
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             state NEW tcp dpt:https
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:smtp state NEW,ESTABLISHED
    5   240 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited
    0     0 ACCEPT     all  --  p1p1   any     10.164.123.0/24      anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     all  --  p1p1   any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    p2p1    anywhere             anywhere
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 19391 packets, 5556K bytes)
 pkts bytes target     prot opt in     out     source               destination

# 11:03:29 Thu 0919 /etc/sysconfig
# psi root # uname -a
Linux psi 3.10.10-200.fc19.i686.PAE #1 SMP Thu Aug 29 19:16:15 UTC 2013 i686 i686 i386 GNU/Linux

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
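Added check, written for this page and not part of Tom's post or of the netfilter project: a small POSIX shell lint for a masquerading router that takes an iptables-save style ruleset plus the value of net.ipv4.ip_forward and reports what the rules file above cannot tell you on its own. The points it encodes, all visible in the post: an iptables file never turns on routing, so net.ipv4.ip_forward must be 1 before the FORWARD chain sees any packet at all (every FORWARD counter in the "iptables -L -v" output is 0); the "ifconfig" snapshot shows p2p1 with zero RX and TX packets, so psi's own upstream route ("ip route") is worth confirming before the NAT rules; the tcpdump filter "host 10.164.123.202 and 10.164.123.211" only matches packets exchanged between psi and neon, whereas neon's wget packets are addressed to 208.118.235.148, so "tcpdump -ni p1p1 host 10.164.123.211" is the filter that would show them; and the last INPUT rule is appended after that chain's catch-all REJECT, so it can never match, which is why its counter is 0. The function name check_nat_setup and the two sample rulesets (trimmed copies of the posted one) are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: lint a masquerading router's
# iptables-save ruleset together with the ip_forward sysctl value.
# check_nat_setup and the sample rulesets below are constructed for this demo.

LAN_IF=p1p1
WAN_IF=p2p1

# Constructed sample modelled on the posted ruleset, trimmed to the chains
# that matter here. Note the INPUT ACCEPT appended after the catch-all REJECT.
POSTED_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o p2p1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i p1p1 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i p1p1 -j ACCEPT
-A FORWARD -o p2p1 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -i p1p1 -s 10.164.123.0/24 -j ACCEPT
COMMIT'

# Same ruleset without the dead rule: "-A INPUT -i p1p1 -j ACCEPT" earlier in
# the chain already trusts the LAN, so nothing is lost by dropping it.
FIXED_RULES=$(printf '%s\n' "$POSTED_RULES" | grep -v -- '-s 10.164.123.0/24')

# check_nat_setup RULES IP_FORWARD_VALUE
# Prints one line per finding; returns the number of problems (0 = clean).
check_nat_setup() {
    rules=$1
    ip_forward=$2
    problems=0

    # 1. Routing is a kernel switch, not an iptables rule: with ip_forward=0
    #    the FORWARD chain never sees a packet, whatever the rules say.
    if [ "$ip_forward" != 1 ]; then
        echo "PROBLEM: net.ipv4.ip_forward is '$ip_forward', needs to be 1"
        problems=$((problems + 1))
    fi

    # 2. Source NAT on the Internet-facing interface.
    if ! printf '%s\n' "$rules" | grep -q -- "^-A POSTROUTING -o $WAN_IF -j MASQUERADE"; then
        echo "PROBLEM: no MASQUERADE rule for -o $WAN_IF in *nat POSTROUTING"
        problems=$((problems + 1))
    fi

    # 3. FORWARD must let LAN traffic out and the conntrack replies back in.
    if ! printf '%s\n' "$rules" | grep -q -- "^-A FORWARD -i $LAN_IF .*-j ACCEPT"; then
        echo "PROBLEM: FORWARD does not accept traffic arriving on $LAN_IF"
        problems=$((problems + 1))
    fi
    if ! printf '%s\n' "$rules" | grep -q -- "^-A FORWARD .*ESTABLISHED.*-j ACCEPT"; then
        echo "PROBLEM: FORWARD does not accept ESTABLISHED,RELATED replies"
        problems=$((problems + 1))
    fi

    # 4. Rules appended after an unconditional REJECT/DROP in the same chain
    #    are unreachable; "iptables -L -v" shows them with a permanent 0 count.
    dead=$(printf '%s\n' "$rules" | awk '
        /^COMMIT/ { split("", closed) }      # next table: chains start over
        $1 == "-A" && $3 == "-j" && ($4 == "REJECT" || $4 == "DROP") { closed[$2] = 1; next }
        $1 == "-A" && ($2 in closed) { print "    " $0 }')
    if [ -n "$dead" ]; then
        printf 'PROBLEM: rule(s) after a catch-all REJECT/DROP never match:\n%s\n' "$dead"
        problems=$((problems + 1))
    fi

    return "$problems"
}

# On the router itself the real inputs would be:
#   check_nat_setup "$(iptables-save)" "$(sysctl -n net.ipv4.ip_forward)"
check_nat_setup "$POSTED_RULES" 0 || echo "posted ruleset: $? problem(s)"
check_nat_setup "$FIXED_RULES" 1 && echo "fixed ruleset: clean"
```

Run against the posted ruleset with forwarding off it reports two problems (the sysctl and the unreachable INPUT rule); with the dead rule removed and ip_forward=1 it reports none. The ordering check deliberately only looks at unconditional "-j REJECT"/"-j DROP" rules, since a REJECT with match options does not close the chain.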