[H-GEN] can't get IP forwarding/NAT working on new install
Troy Piggins
troy at piggo.com
Tue Jun 6 00:54:04 EDT 2006
[I don't normally reply to myself, but I noticed Russell Stuart replied to me
according to Humbug's list archive yesterday's date at archive.humbug.org.au,
although I never actually received the mail directly]
* Troy Piggins <troy at piggo.com> :
> On Mon, 2006-06-05 at 23:41 +1000, Troy Piggins wrote:
> > On previous installs this has been enough to get things going. To be
> > honest, I've changed the network addresses between router and dapper from
> > the previous install. They were 10.1.1.1 and 10.1.1.10 resp.
>
> And it should be enough to get this going as well. My
> guess is that Dapper has a default firewall in place.
My understanding was that it doesn't, and Ubuntu's policy is to not run any
services by default other than DHCP etc.
When I had done the clean install, I did iptables-save and it output nothing.
> Could you please run and post the results of:
>
> sudo iptables-save
# Generated by iptables-save v1.3.3 on Tue Jun 6 14:48:47 2006
*nat
:PREROUTING ACCEPT [576:92099]
:POSTROUTING ACCEPT [111:6948]
:OUTPUT ACCEPT [410:26513]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -j MASQUERADE
COMMIT
# Completed on Tue Jun 6 14:48:47 2006
# Generated by iptables-save v1.3.3 on Tue Jun 6 14:48:47 2006
*mangle
:PREROUTING ACCEPT [57201:19516488]
:INPUT ACCEPT [262367:126738812]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [61263:12128507]
:POSTROUTING ACCEPT [248553:56615558]
COMMIT
# Completed on Tue Jun 6 14:48:47 2006
# Generated by iptables-save v1.3.3 on Tue Jun 6 14:48:47 2006
*filter
:INPUT DROP [273:41203]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:allowed - [0:0]
:bad_tcp_packets - [0:0]
:icmp_packets - [0:0]
:tcp_packets - [0:0]
:udpincoming_packets - [0:0]
-A INPUT -p tcp -j bad_tcp_packets
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -d 192.168.0.255 -i eth1 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -j tcp_packets
-A INPUT -i eth0 -p udp -j udpincoming_packets
-A INPUT -i eth0 -p icmp -j icmp_packets
-A FORWARD -p tcp -j bad_tcp_packets
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -j bad_tcp_packets
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 192.168.0.1 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A allowed -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A allowed -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A allowed -p tcp -j DROP
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A icmp_packets -p icmp -j ACCEPT
-A tcp_packets -p tcp -m tcp --dport 22 -j allowed
-A tcp_packets -p tcp -m tcp --dport 25 -j allowed
-A tcp_packets -p tcp -m tcp --dport 80 -j allowed
-A tcp_packets -p tcp -m tcp --dport 143 -j allowed
-A tcp_packets -p tcp -m tcp --dport 993 -j allowed
-A tcp_packets -p tcp -m tcp --dport 9999 -j allowed
-A udpincoming_packets -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
COMMIT
# Completed on Tue Jun 6 14:48:47 2006
> ip route show
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.1
default via 192.168.1.1 dev eth0
> ip rule show
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
> cat /proc/sys/net/ipv4/ip_forward
1
> > Read here http://ubuntuforums.org/showthread.php?t=91370&highlight=route
> > that you should also install dnsmasq and ipmasq. Not too sure about that,
> > since dnsmasq appears to be a DNS and DHCP server (for small/basic
> > networks), and ipmasq seems to simply "take over" the firewall (iptables)
> > rules table. I have already set that up as per above. (FTR I /have/
> > installed them, but don't think they are the problem. Wasn't working
> > before I installed, still not working after).
>
> As a general rule if you aren't using it make sure
> it isn't being run. The easiest way to ensure that
> is to uninstall it. There are two good reasons for
> this. Firstly, every running daemon introduces more
> complexity into an already complex system, and
> secondly the fewer things you have running the fewer
> potential vulnerabilities you expose.
Good advice.
> That said, dnsmasq replaces two programs (bind and dhcpd)
> and is much easier to configure than either of those.
> Trying to get bind and dhcpd to work together the way
> dnsmasq does out of the box can be a black art. If
> dnsmasq meets your needs use it, and uninstall bind9
Yeah, I will look into it once I get this working.
--
Troy Piggins
,-o Ubuntu v6.06 (Dapper Drake): kernel 2.6.15-23-server,
o ) postfix 2.2.4, procmail 3.22, mutt 1.5.11i,
`-o slrn 0.9.8.1, vim 6.4
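As an added example that is not part of this thread: a small Python checker that parses iptables-save output (using the poster's rules above, trimmed, as its sample) and lists the usual reasons LAN-to-WAN forwarding/NAT would fail. The interface names and the reading of the empty mangle FORWARD chain's policy counter as "packets ever forwarded" are assumptions.

```python
import re
# Constructed sample: the poster's iptables-save output, trimmed to the chains that matter here.
SAMPLE_RULESET = """\
*nat
:POSTROUTING ACCEPT [111:6948]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

def parse_iptables_save(text):
    """Return {table: {"policy": {chain: (policy, pkts)}, "rules": {chain: [args]}}}."""
    tables, cur = {}, None
    for line in text.splitlines():       # "# ..." and COMMIT lines fall through
        if line.startswith("*"):         # table header, e.g. "*filter"
            cur = tables.setdefault(line[1:], {"policy": {}, "rules": {}})
        elif line.startswith(":"):       # chain header with policy counters
            chain, policy, pkts = re.match(r":(\S+) (\S+) \[(\d+):\d+\]", line).groups()
            cur["policy"][chain] = (policy, int(pkts))
        elif line.startswith("-A "):     # rule appended to a chain
            chain, args = line[3:].split(" ", 1)
            cur["rules"].setdefault(chain, []).append(args)
    return tables

def audit_forwarding(text, ip_forward, lan_if, wan_if):
    """List reasons LAN->WAN NAT would fail; an empty list means nothing obvious is wrong."""
    t, out = parse_iptables_save(text), []
    if ip_forward != 1:
        out.append("ip_forward=0: kernel will not route between interfaces")
    post = t.get("nat", {}).get("rules", {}).get("POSTROUTING", [])
    if not any(r.endswith("-j MASQUERADE") and ("-o " not in r or "-o %s " % wan_if in r) for r in post):
        out.append("no MASQUERADE rule covers traffic leaving %s" % wan_if)
    flt = t.get("filter", {"policy": {}, "rules": {}})
    fwd, (policy, _) = flt["rules"].get("FORWARD", []), flt["policy"].get("FORWARD", ("ACCEPT", 0))
    if policy == "DROP" and not any("-i %s " % lan_if in r and r.endswith("-j ACCEPT") for r in fwd):
        out.append("filter FORWARD drops by default and nothing accepts traffic from %s" % lan_if)
    if policy == "DROP" and not any("ESTABLISHED" in r and r.endswith("-j ACCEPT") for r in fwd):
        out.append("filter FORWARD drops by default and return traffic (RELATED,ESTABLISHED) is not accepted")
    # Assumption: an empty mangle FORWARD chain's policy counter sees every forwarded packet, so zero since the last counter reset means none were forwarded.
    mangle = t.get("mangle", {"policy": {}, "rules": {}})
    if mangle["policy"].get("FORWARD", ("", 1))[1] == 0 and not mangle["rules"].get("FORWARD"):
        out.append("FORWARD has seen no packets at all: check routing and the clients' default gateway")
    return out
```

Run against the sample with `audit_forwarding(SAMPLE_RULESET, 1, "eth1", "eth0")`; the only finding is the zero FORWARD counter, which points away from the filter rules and toward routing.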