iptables masquerading/snat stop working upon moving to kernel 2.6

Web Server Talk > Unix and Linux reviews > Red Hat support > Red Hat Topics > iptables masquerading/snat stop working upon moving to kernel 2.6

Last Thread Next Thread Next

iptables masquerading/snat stop working upon moving to kernel 2.6

S P Arif Sahari Wibowo

08-22-05 10:52 PM

Hi!

Upon moving from RH 9 (kernel 2.4.18 and 2.4.20) to WBEL 4 (RHEL
4 recompile, kernel 2.6.9), a simple masquerading snat stop
working. Packet reach the PREROUTING chain but never reach
POSTROUTING chain.

Any idea why and how to fix it?

Here is the iptables saved rules on the gateway machine:

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT


route -n (say 24.24.24.24 is the external IP):

192.168.1.0   0.0.0.0       255.255.255.0  U   0  0  0 eth0
24.24.24.24   0.0.0.0       255.255.255.0  U   0  0  0 eth1
169.254.0.0   0.0.0.0       255.255.0.0    U   0  0  0 eth1
0.0.0.0       24.24.24.24   0.0.0.0        UG  0  0  0 eth1


to get the logging, I added few rules:


*nat
-A PREROUTING -s 192.168.1.0/255.255.255.0 -j LOG --log-prefix PRE--
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -j LOG --log-prefix POST--
COMMIT

*filter
-A INPUT -s 192.168.1.0/255.255.255.0 -j LOG --log-prefix INP--
-A FORWARD -s 192.168.1.0/255.255.255.0 -j LOG --log-prefix FOR--
COMMIT


This rules loaded by iptables without problem.

Now when a machine in local network (yes they got the correct IP
and gateway) try to reach the Internet, entry on PREROUTING
shows up, but no entry on POSTROUTING shows, the packet just
lost:

Aug 22 09:26:19 thegateway kernel: PRE--IN=eth0 OUT= MAC=00:20:ed:64:a2:89:0
0:50:ba:3e:bd:2e:80:00 SRC=192.168.1.5 DST=24.24.24.24 LEN=60 TOS=0x10 PREC=
0x00 TTL=64 ID=40000 DF PROTO=TCP SPT=1027 DPT=23 WINDOW=5840 RES=0x00 SYN U
RGP=0
Aug 22 09:26:22 thegateway kernel: PRE--IN=eth0 OUT= MAC=00:20:ed:64:a2:89:0
0:50:ba:3e:bd:2e:80:00 SRC=192.168.1.5 DST=24.24.24.24 LEN=60 TOS=0x10 PREC=
0x00 TTL=64 ID=40002 DF PROTO=TCP SPT=1027 DPT=23 WINDOW=5840 RES=0x00 SYN U
RGP=0
Aug 22 09:26:28 thegateway kernel: PRE--IN=eth0 OUT= MAC=00:20:ed:64:a2:89:0
0:50:ba:3e:bd:2e:80:00 SRC=192.168.1.5 DST=24.24.24.24 LEN=60 TOS=0x10 PREC=
0x00 TTL=64 ID=40004 DF PROTO=TCP SPT=1027 DPT=23 WINDOW=5840 RES=0x00 SYN U
RGP=0

Thanks!

--
Stephan Paul Arif Sahari Wibowo
_____  _____  _____  _____
/____  /____/ /____/ /____
_____/ /      /    / _____/       http://www.arifsaha.com/

[ Post a follow-up to this message ]

Re: iptables masquerading/snat stop working upon moving to kernel 2.6

Llanzlan Klazmon

08-23-05 07:46 AM

S P Arif Sahari Wibowo <arifsaha@yahoo.com> wrote in
news:Pine.LNX.4.63.0508220850270.5253@localhost.localdomain:

> Hi!
>
> Upon moving from RH 9 (kernel 2.4.18 and 2.4.20) to WBEL 4 (RHEL
> 4 recompile, kernel 2.6.9), a simple masquerading snat stop
> working. Packet reach the PREROUTING chain but never reach
> POSTROUTING chain.
>
> Any idea why and how to fix it?

Do you have ip_forward turned on?

Klazmon.

<SNIP>

[ Post a follow-up to this message ]

Re: iptables masquerading/snat stop working upon moving to kernel 2.6

lasseboo

08-23-05 07:46 AM

hi,

i would say the same - assumed you compiled your kernel under
/usr/local/src/linux-2.6.x, can you check

your-server:/usr/local/src/linux-2.6.x# cat .config | grep MASQ

CONFIG_IP_NF_TARGET_MASQUERADE=y

your-server:/usr/local/src/linux-2.6.x# cat .config | grep NAT

CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
CONFIG_IP_NF_NAT_IRC=y
CONFIG_IP_NF_NAT_FTP=y
CONFIG_IP_NF_NAT_TFTP=y
CONFIG_NATSEMI=m

you have to enable FUL_NAT or something like this under the
Netfilter-Options.

does

cat /proc/sys/net/ipv4/ip_forward

returning a "1"?


greetings


lasseboo

[ Post a follow-up to this message ]

Re: iptables masquerading/snat stop working upon moving to kernel 2.6

Raqueeb Hassan

08-23-05 12:46 PM

> *nat
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A POSTROUTING -s 192.168.1.0/255.255.255.0 -j MASQUERADE
> COMMIT


Where is forwarding mode?



--
Raqueeb Hassan
Bangladesh

[ Post a follow-up to this message ]

Re: iptables masquerading/snat stop working upon moving to kernel 2.6

Llanzlan Klazmon

08-24-05 07:46 AM

S P Arif Sahari Wibowo <arifsaha@yahoo.com> wrote in
news:Pine.LNX.4.63.0508230145010.6856@localhost.localdomain:

> On Mon, 23 Aug 2005, Llanzlan Klazmon wrote: 
>
> <hitting my own head profusely>
>
> <maintain composure with difficulty> Well, it seems that you got
> the problem correctly, I should know, I did it before.
>
> Thank you!
>
> <digging a hole to hide my head>
>

Don't worry. I've been caught out myself by things like that plenty of
times. It's often the things that you know well that get overlooked.

Klazmon.

[ Post a follow-up to this message ]