SNAT not working
Jason Pappas
jpappas@sharemedia.com
Mon, 29 Oct 2001 09:00:20 -0500
> Reply-To: "Pedro Fonseca" <pedro.fonseca@iscte.pt>
> From: "Pedro Fonseca" <pedro.fonseca@netcabo.pt>
> To: "Netfilter ML" <netfilter@lists.samba.org>
> Subject: SNAT not working...
> Date: Sun, 28 Oct 2001 18:17:01 -0000
>
> Greetings.
>
> I've been in front of my computer since Friday night, with only a few hours of
> sleep, trying to solve this. I scavenged the Internet looking for a
> solution, but nothing... I now give up and beg for your help...
>
> I have a small network with:
> . 1 linux box running Apache (PostgreSQL, etc) at internal IP 192.168.1.2
> . 3 Windows98 computers at IPs 192.168.1.10-192.168.1.12
> . 1 linux box with two IPs: one static IP accessible to the outside world at
> eth0, and an internal IP at eth1 (192.168.1.1)
>
> I think this is the typical home-network that everybody nowadays has... The
> last linuxbox (the one accessible from the Internet) used to run the Apache
> webserver and the nameserver, and used to do Masquerading with ipchains, for
> more than 1 year. Last Friday I upgraded this computer to Red Hat 7.1 and to
> iptables, and moved the webserver to the 192.168.1.2 computer. Ever since
> then, I can only access the Internet from the gateway computer
> (192.168.1.1), meaning that there's something wrong with the NAT tables...
>
> Please take some time to view the iptables script I'm using:
>
> #!/bin/sh
> IPTABLES=/sbin/iptables
> EXTERNAL_IP=1.2.3.4
>
> #IP forwarding enabled
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> # Clean up
> $IPTABLES -F
> $IPTABLES -X
>
> # Deny everything not local, while the firewall is not completely up
> $IPTABLES -A INPUT -i ! lo -j DROP
> $IPTABLES -A OUTPUT -o ! lo -j DROP
>
> # SNAT
> $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j
> SNAT --to-source $EXTERNAL_IP
>
> # DNAT (redirection) of HTTP requests to the Apache linuxbox server
> $IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination
> 192.168.1.2:80
This would intercept stuff from your internal LAN to outside. Your only
restriction on this rule is that the destination port is 80. When you
browse to www.whatever.com your destination port is 80 also.
Try qualifying this rule better:
$IPTABLES -t nat -A PREROUTING -p tcp [-i eth0][-d YOUR IP ADDR] --dport
80 -j DNAT --to 192.168.1.2:80
Use one of the options in brackets to help qualify that you only want
requests coming in from the internet (eth0 most likely, ppp0 if needed etc.
or your public IP Address) to be redirected to the inside gateway.
> # From here on its the general packet filtering rules for various services
> $IPTABLES -A INPUT -p udp --destination-port 53 -j ACCEPT
> $IPTABLES -A INPUT -p udp --source-port 53 -j ACCEPT
> $IPTABLES -A INPUT -p tcp -s 192.168.1.0/24 --destination-port 512 -j ACCEPT
> $IPTABLES -A INPUT -p tcp -s 192.168.1.0/24 --destination-port 21 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --destination-port 22 -j ACCEPT
> $IPTABLES -A INPUT -p tcp -s 192.168.1.0/24 --destination-port 23 -j ACCEPT
>
> # Accept all already established connections
> $IPTABLES -A INPUT -p tcp ! --syn -j ACCEPT
>
> # Ping Of Death filtering?
> $IPTABLES -A INPUT -p icmp -f -j LOG --log-prefix "PingOfDeath:"
>
> # ICMP local requests
> $IPTABLES -A INPUT -p icmp -s 192.168.1.0/24 -j ACCEPT
>
> # local-to-local connections
> $IPTABLES -A INPUT -i lo -j ACCEPT
>
> # Logging everything that arrived so far
> $IPTABLES -A INPUT -j LOG
>
> # The default policies
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -P FORWARD ACCEPT
>
> # Delete the first rules from these chains - the firewall is now up!
> $IPTABLES -D INPUT 1
> $IPTABLES -D OUTPUT 1
>
> At first sight the NAT rules look ok... Please don't forget that the only
> thing that changed in my setup was the Red Hat 7.1 upgrade (on the linuxbox
> with the 2 IPs - previously it had Red Hat 6.2). So I assume all the other
> computers on the network are still correctly configured...
>
> Oh! One more thing (just tried it now): I *can* ping from the internal
> network (for example 192.168.1.10) to the Internet (just tried to ping
> www.yahoo.com). But apparently I can't use browsers, telnet, yahoo messenger
> (all these were programs that worked fine previously)...
>
> Please, any ideas? I ran out of them...
> ______________________________________________________________________
> Pedro Fonseca (pedro.fonseca@iscte.pt)
> Mob.: (+351)964598357
> http://www.pedrofonseca.com
> ADETTI/ISCTE (Instituto Superior de Ciências do Trabalho e da Empresa)
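To make the point of the reply above concrete (the unqualified PREROUTING DNAT rule also catches the LAN's own outbound HTTP, which is why ping works but browsing does not), here is an added toy model of PREROUTING rule matching; it is not code from either poster, and the packet addresses and the `Packet`/`DnatRule` names are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional


@dataclass
class Packet:
    """A constructed packet as PREROUTING sees it (before routing)."""
    in_iface: str   # interface the packet arrived on (-i)
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class DnatRule:
    """Minimal model of `iptables -t nat -A PREROUTING ... -j DNAT --to <dest>`."""
    proto: str
    dport: int
    to_dest: str
    in_iface: Optional[str] = None   # -i <iface>   (None = unqualified)
    dst: Optional[str] = None        # -d <address> (None = unqualified)

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto or pkt.dport != self.dport:
            return False
        if self.in_iface is not None and pkt.in_iface != self.in_iface:
            return False
        if self.dst is not None and ip_address(pkt.dst) != ip_address(self.dst):
            return False
        return True


def prerouting(rules: List[DnatRule], pkt: Packet) -> str:
    """Return the destination address after PREROUTING: first matching DNAT wins."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.to_dest
    return pkt.dst


EXTERNAL_IP = "1.2.3.4"  # placeholder value, as in the posted script

# The rule as posted: matches *every* TCP/80 packet, whichever side it came from.
UNQUALIFIED = [DnatRule("tcp", 80, "192.168.1.2")]
# The rule as suggested in the reply: only traffic arriving on eth0 for the public IP.
QUALIFIED = [DnatRule("tcp", 80, "192.168.1.2", in_iface="eth0", dst=EXTERNAL_IP)]

# Constructed sample packets: a LAN host browsing out, and an Internet client coming in.
LAN_TO_WEB = Packet("eth1", "192.168.1.10", "203.0.113.7", "tcp", 80)
INBOUND_WEB = Packet("eth0", "198.51.100.9", EXTERNAL_IP, "tcp", 80)
```

With the posted rule, `prerouting(UNQUALIFIED, LAN_TO_WEB)` rewrites the LAN host's outbound web request to 192.168.1.2, so it never reaches the Internet; with the qualified rule the outbound request keeps its real destination while inbound requests are still forwarded to the internal Apache box.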