# [SOLVED] - iptables (NAT, Masquerade) problems

## xcable

I have replaced my Mandrake gateway/router computer with Gentoo (been running Gentoo on my laptop and workstation for over a year).  I'm having massive problems getting iptables working.

Setup : 

server (gateway/router) with two nics 

cable modem (Cox) connected to eth0

eth1 connected to switch

other computers connected to switch

I have emerged userland iptables and compiled 2.6.0-gentoo for iptables.

Kernel :

I have enabled:

Network packet filtering (replaces ipchains)

Connection tracking

IP tables support

Packet filtering

Full NAT

MASQUERADE target support 

I have created a script to generate the iptables rules:

```bash
#!/bin/bash
# flush all rules and delete user-defined chains in the filter and nat tables
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
# masquerade everything leaving through the cable-modem interface
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# save the rule set and restart the Gentoo iptables service
/etc/init.d/iptables save
/etc/init.d/iptables restart
```

By all things that I have read this should work but... it does not.  I have to add:

```bash
iptables -A INPUT -j ACCEPT -i lo
iptables -A INPUT -j ACCEPT -i eth0
iptables -A INPUT -j ACCEPT -i eth1
iptables -A FORWARD -i eth1 -j ACCEPT
```

in order to get the system to be able to rsync from the server and ping a connected computer from the server.

What am I doing wrong??

EDIT

SOLVED

It finally works.  I can't pinpoint the exact cause for the initial failures.  I downloaded the latest 2.4 ck-sources, compiled, installed, and booted to them.  Emerged the regular version of iptables (emerge iptables).  Ran my script and it worked.  I then booted to my 2.6 kernel and it also worked.  I tried to break it by emerging the unstable iptables (ACCEPT_KEYWORDS="~x86" emerge iptables), but it also worked.  Don't know exactly what I did to fix it.  I'm back at work and away from my server, but later I will post all relevant stuff (scripts etc..).

Thanks for everybody's help!!

END EDIT

Heath Holcomb

Last edited by xcable on Tue Dec 30, 2003 2:38 pm; edited 1 time in total
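A hardened version of the gateway script above, added here as an example (not the poster's script): it sets `ip_forward`, uses default-deny INPUT/FORWARD policies, and admits traffic from the modem side only as tracked replies, instead of the blanket `-A INPUT -i eth0 -j ACCEPT` the post resorts to. It assumes the kernel's connection-state match (`-m state`) is built in addition to the options listed above, and prints the commands rather than running them so the set can be reviewed first.

```bash
#!/bin/sh
# gateway_rules WAN LAN prints (does not run) the iptables commands for a
# two-NIC masquerading gateway, so the set can be reviewed or piped to sh.
gateway_rules() {
    wan="$1"   # cable-modem side (eth0 in the thread)
    lan="$2"   # switch side     (eth1 in the thread)
    cat <<EOF
# Without this the kernel silently drops every packet it would have to forward.
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X
# Default deny for traffic to and through the gateway; its own output is open.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Loopback and the LAN side may reach the gateway itself.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $lan -j ACCEPT
# From the modem side admit only replies to connections the gateway opened
# (replaces the blanket "-A INPUT -i eth0 -j ACCEPT" tried in the post).
iptables -A INPUT -i $wan -m state --state ESTABLISHED,RELATED -j ACCEPT
# Forward new connections LAN -> WAN, and only tracked replies WAN -> LAN.
iptables -A FORWARD -i $lan -o $wan -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
# Rewrite the source address of everything leaving through the modem.
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
EOF
}

# On the gateway, as root, after reviewing the output:
#   gateway_rules eth0 eth1 | sh
```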

----------

## Genone

What does `iptables -L` say before you run the ACCEPT commands ?

----------

## xcable

With only the "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE" command started, "iptables -L" reports nothing.  Nothing in the INPUT, FORWARD, or OUTPUT fields.

heath

----------

## Genone

I was more interested in the POLICY value.

----------

## xcable

"iptables -L" returns :

```
Chain  INPUT (policy ACCEPT)
target            prot opt source                  destination

Chain  FORWARD (policy ACCEPT)
target            prot opt source                  destination

Chain  OUTPUT (policy ACCEPT)
target            prot opt source                  destination
```

heath

----------

## Genone

And you can't connect/ping to any computer on your LAN or the Internet from the router with that ? Or is it just the masquerading that doesn't work ?

----------

## xcable

When I add those extra rules I can ping other computers on the LAN and rsync the server to a Gentoo rsync server.  Without those extra rules I can't rsync (i.e. the server cannot access the i-net).  Other computers can't access the i-net; masquerading is not working.

Any ideas?

heath

----------

## Mnemia

What's the output from this before you add the extra commands?

```
iptables -L -t nat
```

----------

## xcable

The output of "iptables -L" , before I add those extra rules, is :

```
Chain  INPUT (policy ACCEPT)
target            prot opt source                  destination

Chain  FORWARD (policy ACCEPT)
target            prot opt source                  destination

Chain  OUTPUT (policy ACCEPT)
target            prot opt source                  destination
```

heath

----------

## fleed

What about the output of `iptables -t nat -L`, like Mnemia asked for?

----------

## xcable

Output of "iptables -L -t nat" is :

```
Chain  PREROUTING (policy ACCEPT)
target            prot opt source                  destination

Chain  POSTROUTING (policy ACCEPT)
target            prot opt source                  destination
MASQUERADE  all  --  anywhere

Chain  OUTPUT (policy ACCEPT)
target            prot opt source                  destination
```

heath

----------

## xcable

Ok that's it, I give up.  I've wasted too much time on trying to set up NAT (iptables).  I'm giving up on Gentoo as a server and I'm going to install Suse.

Will try again on setting up Gentoo as a server when I have a couple of days to spend on it.

heath

----------

## Decibels

I wrote a tutorial on IP Masq and got stuck myself trying to add another box yesterday. I could ping each computer, but couldn't ping outside LAN.

Forgot to add the nameserver's to my /etc/resolv.conf file.

Make sure your /etc/resolv.conf file is setup correctly. There should be nameservers in there.

At least that was my problem, then had to add it to my tutorial, so wouldn't forget it again.

----------

## xcable

Well I installed Suse 9 onto my server.  It is extremely slow!!  KDE takes for ever to load.  I knew Gentoo seemed faster than the other distros I've used before, but it's been so long since I used another distro I forgot how much faster Gentoo is.  Gave up on Suse.

I actually got NAT to work on Gentoo!  But only for a few hours??  Got it working (using some extra rules I got from kmyfirewall), set up my machine behind the server to emerge -u world.  And when I woke up in the morning it had failed to download some of the new source (about half way through).  Very very weird.  So I'm back to NAT not working, getting really really pissed.

Please, can someone point me in the right direction.

heath

----------

## primero.gentoo

What about an interface to iptables like Shorewall?

Easy to use, well documented and in a little time you get what you want ...

bye

Primero

----------

## Peracles

You also need this line to enable forwarding.

```bash
echo 1 > /proc/sys/net/ipv4/ip_forward
```

BTW, typically when I do large emerge jobs, I fetch all the packages before I do an emerge.  You can do this by specifying emerge -f <blah> and then after all the packages download do an emerge -u <blah>

----------

## triwebb1

Like the guy above asked, do you have "1" in /proc/sys/net/ipv4/ip_forward?  If you don't, the server will not forward any requests from the clients to the internet.

So, let's clear this up a bit; I'm unsure about the status of your setup.  Can your server/gateway communicate with the internet?  Can your clients communicate with your server?  Is your DNS setup right on your server AND your clients?  What do you see if you run a packet sniffer (like ethereal or tethereal) on your server and try to ping from your clients to the internet?  You should be able to see where the destination is...  If the destination is the internet, then you know that it is indeed masquerading that isn't working.  If the destination is your server, then masquerading is working and the problem is somewhere else.

----------

