Topic: Unix - packet forwarding problem
evil1
Posts: 203
Location: Brisbane, Queensland
Hey guys,

I'm trying to get my Unix box to forward some packets, so I will explain the setup first.

The Unix box's eth0 is connected to a router which acts as a DHCP server. This is fine and it connects to the net.

eth1 is connected via crossover cable to a Windows machine; the Unix box has been given (on eth1) the IP 192.168.0.1 and the Windows machine has been given 192.168.0.2.

They can ping each other fine.

The problem is I want the Unix machine to be able to forward the Windows machine's packets to the net and back.

I turned on packet forwarding and checked it was on. I turned off all firewalls, and yet I still can't get the Windows machine to see the net, and I know the Unix machine isn't forwarding them because I ran tcpdump and it receives the request and gets no reply.

Any help would be appreciated.
CaPt0
Posts: 5665
Location: Brisbane, Queensland
You will need to NAT or masquerade on the Unix box because the router does not know where to return the packets.

Check the router's routing table to make sure it knows where 192.168.0/24 is.

What it is trying to do is: when it gets that packet it checks its routing table, goes "I don't know where that IP is, so I will send it to my default gateway". The router's default gateway is the internet.

evil1
Posts: 204
Location: Brisbane, Queensland
Yeah ok thanks, that makes sense. I thought it was a NAT problem. You're saying it's a routing problem on the router? Can I just turn NAT on on the Unix box, and it will send all the packets on behalf of 192.168.0.2? Or am I talking proxy there.

Thanks capt0
CaPt0
Posts: 5667
Location: Brisbane, Queensland
You can turn NAT on on the Unix box and it will work.

The current problem exists with the router because it does not know where your Windows machine is.

The router gets this packet with a return address and does not know where the return address is.

If you enable NAT on the Unix box then the router will know to return the packet to the Unix box and the Unix box knows to return it to the Windows box.

Another solution would be adding the 192.168.0/24 network to the routing table of the router.

eg:
if packet from 192.168.0.0 subnet 255.255.255.0, return the packet to the Unix box which has this x IP address and send it out the interface connected to the Unix box.

evil1
Posts: 205
Location: Brisbane, Queensland
Thanks, that makes a whole lot of sense.
evil1
Posts: 206
Location: Brisbane, Queensland
Hit a problem.

I'm reading the Fedora book and it talks about setting up NAT on the Unix box in a strange way. An example from the book is:

iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-destination 192.168.0.3

This however forwards ALL traffic from eth0 to that IP; I just want it to handle it for 192.168.0.2.

Is what I want to do instead IP masquerading? Is IP masquerading in Unix as simple as turning it on? The IP masquerade in the book again does it for an interface. What if I don't want it to forward EVERY packet from an interface, e.g. I want the Windows box to talk to the Unix box, not the internet.
nF
Posts: 8176
Location: Other International
Unix or Linux?
evil1
Posts: 207
Location: Brisbane, Queensland
I always thought Linux, but the lecturer always referred to it as Unix. (Fedora Core I mean)
CaPt0
Posts: 5668
Location: Brisbane, Queensland
Then rather than using -i eth0 use -s 192.168.0.2/32
evil1
Posts: 208
Location: Brisbane, Queensland
capt0, how does the Unix box know, when that packet's coming back, who it's for? If it changes the address of the destination to 10.1.1.7 (Unix box), when it comes back how does it know to send it to the Windows machine?
CaPt0
Posts: 5669
Location: Brisbane, Queensland
NAT uses a table and assigns particular sockets on external to sockets on internal. So when packets come back through the external socket it knows where to map it to.
evil1
Posts: 209
Location: Brisbane, Queensland
So I supply a NAT rule changing packets from 192.168.0.2 to 10.1.1.7.

The tables take care of converting the destination back to 192.168.0.2 when the reply gets to 10.1.1.7, so I don't need another rule changing it to 192.168.0.2?
evil1
Posts: 210
Location: Brisbane, Queensland
gaybar,

I added a rule and now at least the Windows box can ping the router and gets replies, but it can't ping 'out', as in I can't ping any internet site.

I used the rule

iptables -t nat -A POSTROUTING -s 192.168.0.2 -j SNAT --to-source 10.1.1.7

I've got DNS on the Windows box as 192.168.0.1 (Unix connection to Windows box). Is this wrong?
CaPt0
Posts: 5670
Location: Brisbane, Queensland
Rather than using --to-source use -o eth1

or out interface
evil1
Posts: 211
Location: Brisbane, Queensland
Can't specify an interface as to-source, not sure why.

Still the problem is the Windows machine can now ping the Unix box, router, other computers ON the network, just not the internet.

No idea why?
parabol
Posts: 629
Location: Brisbane, Queensland
Hey evil1, I don't mean to be rude, but you might benefit from reading some of these resources:

netfilter how-to (netfilter/iptables homepage)

That how-to page recommends these links:

iptables tutorial
Set up a gateway for home or office
iptables basics
iptables - what is it
How to use iptables
Part I of an introductory iptables tutorial
Part II of an introductory iptables tutorial

Another good resource:

http://www.billauer.co.il/ipmasq-html.html

The reason I pasted these is because you'll do better from several sources that explain iptables in a step-by-step manner. You won't learn much from quick-fixes on a forum ...

Secondly .. if you still want help, can you paste your whole script? I can think of several reasons for your pinging problem .. hard to pinpoint without more information.

last edited by parabol at 13:07:10 28/Nov/04
evil1
Posts: 212
Location: Brisbane, Queensland

Parabol thanks, I realise I should read up about it but I thought it might be a one-line NAT rule... and my Unix monitor is nasty.

Here is where I'm at:

I added a NAT rule

iptables -t nat -A POSTROUTING -s 192.168.0.2 -j SNAT --to-source 10.1.1.7

and well, now the Windows machine can ping the router or any computer on the network.

However it can't ping the internet.

Here's the tcpdump of a ping to the internet on eth1 (Windows to Unix machine):

tcpdump: listening on eth1
11:24:16.299472 192.168.0.2.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:24:17.041968 arp who-has 192.168.0.1 tell 192.168.0.2
11:24:17.042038 arp reply 192.168.0.1 is-at 0:9:5b:9:c9:2f
11:24:17.042100 192.168.0.2.2280 > 192.168.0.1.domain: 29920+ A? www.google.com. (32)
11:24:17.042269 192.168.0.1 > 192.168.0.2: icmp: 192.168.0.1 udp port domain unreachable [tos 0xc0]
11:24:17.042368 192.168.0.2.2280 > 192.168.0.1.domain: 29920+ A? www.google.com. (32)
11:24:17.042430 192.168.0.1 > 192.168.0.2: icmp: 192.168.0.1 udp port domain unreachable [tos 0xc0]
11:24:17.042504 192.168.0.2.2280 > 192.168.0.1.domain: 29920+ A? www.google.com. (32)
11:24:17.042560 192.168.0.1 > 192.168.0.2: icmp: 192.168.0.1 udp port domain unreachable [tos 0xc0]
11:24:17.042637 192.168.0.2.2280 > 192.168.0.1.domain: 29920+ A? www.google.com. (32)
11:24:17.042692 192.168.0.1 > 192.168.0.2: icmp: 192.168.0.1 udp port domain unreachable [tos 0xc0]
11:24:17.042766 192.168.0.2.2280 > 192.168.0.1.domain: 29920+ A? www.google.com. (32)
11:24:17.042823 192.168.0.1 > 192.168.0.2: icmp: 192.168.0.1 udp port domain unreachable [tos 0xc0]
11:24:17.042976 192.168.0.2.2281 > 192.168.0.1.domain: 53986 PTR? 1.0.0.127.in-addr.arpa. (40)
11:24:17.043070 192.168.0.1 > 192.168.0.2: icmp: 192.168.0.1 udp port domain unreachable [tos 0xc0]
11:24:17.043146 192.168.0.2.2281 > 192.168.0.1.domain: 53986 PTR? 1.0.0.127.in-addr.arpa. (40)
11:24:17.046643 192.168.0.2.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:24:17.796723 192.168.0.2.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST




Here is the Unix to router connection, eth0:

absolutely nothing happens.
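Reading that capture mechanically, as an added example that is not from this thread (the awk script is mine; the sample traces are constructed, abbreviated from the eth1 capture above, and the "working" one is what a resolver answering on the gateway would look like):

```shell
#!/bin/sh
# Added example (not from the thread): classify a tcpdump trace like the one
# above. The client resolves through the gateway (192.168.0.1), so if nothing
# listens on the gateway's udp/53 every query is answered with ICMP
# "udp port domain unreachable" and the ping never even gets an address.
# Usage: diagnose_dns <gateway-ip> <client-ip> < tcpdump.txt
diagnose_dns() {
    awk -v gw="$1" -v client="$2" '
        # client -> gateway:53 (tcpdump prints port 53 as ".domain")
        index($2, client ".") == 1 && $4 == (gw ".domain:") { q++ }
        # gateway:53 -> client: a real DNS answer came back
        $2 == (gw ".domain") && index($4, client ".") == 1 { a++ }
        # ICMP from the gateway saying nothing listens on udp/53
        $2 == gw && $5 == "icmp:" && /udp port domain unreachable/ { u++ }
        END {
            if (q == 0)     v = "no_dns_seen"
            else if (u > 0) v = "gateway_not_serving_dns"
            else if (a > 0) v = "dns_ok"
            else            v = "queries_unanswered"
            printf "queries=%d answers=%d unreachable=%d verdict=%s\n", q, a, u, v
        }'
}

# Constructed sample, abbreviated from the eth1 capture posted above.
broken_trace() {
    cat <<'EOF'
tcpdump: listening on eth1
11:24:17.042100 192.168.0.2.2280 > 192.168.0.1.domain: 29920+ A? www.google.com. (32)
11:24:17.042269 192.168.0.1 > 192.168.0.2: icmp: 192.168.0.1 udp port domain unreachable [tos 0xc0]
11:24:17.042368 192.168.0.2.2280 > 192.168.0.1.domain: 29920+ A? www.google.com. (32)
11:24:17.042430 192.168.0.1 > 192.168.0.2: icmp: 192.168.0.1 udp port domain unreachable [tos 0xc0]
11:24:17.042976 192.168.0.2.2281 > 192.168.0.1.domain: 53986 PTR? 1.0.0.127.in-addr.arpa. (40)
11:24:17.046643 192.168.0.2.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
EOF
}

# Constructed sample of the same query once a resolver answers on the gateway.
working_trace() {
    cat <<'EOF'
11:24:17.042100 192.168.0.2.2280 > 192.168.0.1.domain: 29920+ A? www.google.com. (32)
11:24:17.061000 192.168.0.1.domain > 192.168.0.2.2280: 29920 1/0/0 A 66.102.7.147 (48)
EOF
}

broken_trace  | diagnose_dns 192.168.0.1 192.168.0.2
working_trace | diagnose_dns 192.168.0.1 192.168.0.2
```

The verdict line for the thread's trace comes out as gateway_not_serving_dns, which matches the fix that followed: point the Windows box at a resolver that actually answers.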



parabol
Posts: 630
Location: Brisbane, Queensland
Try each of these in order until it works ...

1) ping 66.102.7.147 manually (google's ip)
2) set the windows box's DNS setting to your ISP's DNS server or ...
3) make the unix box serve DNS requests without rejecting your windows box


last edited by parabol at 14:06:53 28/Nov/04
evil1
Posts: 213
Location: Brisbane, Queensland
Yup thanks, you were right, DNS was wrong. Set it to the ISP and it works fine now. Thanks everyone for your help.
Irhabi
Posts: 1704
Location: Brisbane, Queensland
Well now that your problem is solved you won't mind me asking a question in this thread..

Just a quick question about iptables in Fedora Core (the firewall rules): is there any quick way to simply say block everything? I don't want anything coming or going...

last edited by Irhabi at 14:57:17 28/Nov/04
parabol
Posts: 631
Location: Brisbane, Queensland
Irhabi: This set of rules should do the trick. You must allow traffic on loopback as in the last two lines or else some programs might freak out. There is a more correct way of doing this but I thought I'd keep this simple.
# clear stale rules
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

# set default rules
iptables -t nat -P PREROUTING ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -t nat -P POSTROUTING ACCEPT

# allow all traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT


I don't know how Fedora itself is configured, but that's the way you'd normally do it.



last edited by parabol at 15:12:06 28/Nov/04
Irhabi
Posts: 1705
Location: Brisbane, Queensland
Thanks parabol, I'll give it a go
Jim
Posts: 3128
Location: Brisbane, Queensland
turn on forwarding in the kernel:

echo 1 > /proc/sys/net/ipv4/ip_forward


enable nat:

iptables -t nat -A POSTROUTING -o [external interface] -s [internal network] -j SNAT --to [external ip]



stick this in your script to dynamically work out your external ip if you want, where $EXTIF is your external interface, such as eth0:

EXTIP="`ifconfig $EXTIF | awk /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
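Putting Jim's three pieces together, as an added example that is not Jim's script or anything from this thread: the address parser, the SNAT rule restricted to the internal network (the -s approach CaPt0 gave earlier), and forwarding turned on. It assumes eth0 faces the router and eth1 is 192.168.0.0/24, as in the thread; by default it only prints the rules against a constructed ifconfig sample, and applies them only with APPLY=1.

```shell
#!/bin/sh
# Added example (not from the thread): a small gateway script in the spirit of
# Jim's post. It reads the external address out of ifconfig output and SNATs
# only the internal network, so the Windows box can still reach the Unix box
# directly and nothing arriving on eth0 is rewritten. Assumed layout: eth0
# faces the router/internet, eth1 is 192.168.0.0/24.
EXTIF=${EXTIF:-eth0}
INTIF=${INTIF:-eth1}
INTNET=${INTNET:-192.168.0.0/24}
IPT=${IPT:-iptables}

# Read ifconfig output on stdin and print its IPv4 address. Handles the old
# "inet addr:10.1.1.7" layout seen in this thread and the newer "inet 10.1.1.7"
# layout; prints nothing and returns 1 if no address is present.
extip_from_ifconfig() {
    awk '
        /inet addr:/ { sub(/.*inet addr:/, ""); print $1; found = 1; exit }
        $1 == "inet" { print $2; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# Emit (IPT=echo) or apply (IPT=iptables) the NAT and forwarding rules.
# Matching on -s rather than -i is what CaPt0 suggested above.
nat_rules() {
    extif="$1" intif="$2" intnet="$3" extip="$4"
    $IPT -t nat -A POSTROUTING -o "$extif" -s "$intnet" -j SNAT --to-source "$extip"
    # Only the LAN may go out; only replies to it may come back in.
    $IPT -A FORWARD -i "$intif" -o "$extif" -s "$intnet" -j ACCEPT
    $IPT -A FORWARD -i "$extif" -o "$intif" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Constructed ifconfig sample in the 2004-era layout the thread's scripts parse.
sample_ifconfig() {
    cat <<'EOF'
eth0      Link encap:Ethernet  HWaddr 00:09:5B:09:C9:2F
          inet addr:10.1.1.7  Bcast:10.1.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
EOF
}

if [ "${APPLY:-0}" = 1 ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    EXTIP=$(ifconfig "$EXTIF" | extip_from_ifconfig) || { echo "no address on $EXTIF" >&2; exit 1; }
    nat_rules "$EXTIF" "$INTIF" "$INTNET" "$EXTIP"
else
    # Dry run (default): print the rules that would be applied for the sample.
    IPT="echo iptables"
    EXTIP=$(sample_ifconfig | extip_from_ifconfig)
    nat_rules "$EXTIF" "$INTIF" "$INTNET" "$EXTIP"
fi
```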
parabol
Posts: 640
Location: Brisbane, Queensland
EXTIP="`ifconfig $EXTIF | awk /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"


Hmm.. that sure beats the hell out of my:

/sbin/ifconfig $netdev |grep 'inet addr:2' | sed -e 's/[ ]*inet addr://' |sed -e 's/[ ]*P-t-P:\([0-9]*\.\)\{3\}[0-9]*[ ]*Mask:[0-9]*\(\.[0-9]*\)\{3\}$//'`

Freaking sed headaches. Thanks!



last edited by parabol at 02:38:36 01/Dec/04
Opec
Posts: 2442
Location: Brisbane, Queensland
sif use Jim's shell script, he's a Lunix n00b.