* NAT doesn't work (only a fraction of the forwarded packets reach the postrouting chain)
@ 2005-03-13 10:11 Mårten Segerkvist
  2005-03-13 20:16 ` Jason Opperisano
  0 siblings, 1 reply; 9+ messages in thread
From: Mårten Segerkvist @ 2005-03-13 10:11 UTC (permalink / raw)
  To: netfilter

Hello!

I'm setting up a simple linux router to forward packets between my local wlan 
and internet; while doing so, I'm using the _same rules_ as on another machine 
doing the same thing at another location, that is:

echo 1 > /proc/sys/net/ipv4/ip_forward
modprobe ipt_MASQUERADE
modprobe iptable_filter
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface wlan0 -j ACCEPT

The packets from wlan never get through, though. A verbose listing of the 
different chains after a few minutes of pinging various locations gives me:

> iptables -L -v

Chain INPUT (policy ACCEPT 6316 packets, 727K bytes)
  pkts bytes target     prot opt in     out     source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source destination
   314 12560 ACCEPT     all  --  wlan0  any     anywhere anywhere

Chain OUTPUT (policy ACCEPT 4976 packets, 762K bytes)
  pkts bytes target     prot opt in     out     source destination

> iptables -t nat -L -v

Chain PREROUTING (policy ACCEPT 14 packets, 668 bytes)
  pkts bytes target     prot opt in     out     source destination

Chain POSTROUTING (policy ACCEPT 1 packets, 228 bytes)
  pkts bytes target     prot opt in     out     source destination
    18  1080 MASQUERADE  all  --  any    eth0    anywhere anywhere
     0     0 LOG        all  --  any    any     anywhere anywhere            LOG level warning

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source destination

As only 18 out of 314 packets (compared with 37959 out of 3836K packets on the working 
router with the same rules) reach the POSTROUTING chain (out of which 
none results in a pong), I figured this might have something to do with the 
problem?

I tried to log the packets reaching POSTROUTING with

> iptables -t nat -A POSTROUTING -j log

but none of them showed up in the syslog; that's a minor? problem though.

I'd be most grateful for any suggestions!

(iptables is compiled with the 2004.3 gentoo-ppc-livecd toolset against 
2.6.8.1, running on a mac mini with a d-link dwl-122 802.11b dongle 
using linux-wlan-ng).

/M. Segerkvist



* Re: NAT doesn't work (only a fraction of the forwarded packets reach the postrouting chain)
  2005-03-13 10:11 NAT doesn't work (only a fraction of the forwarded packets reach the postrouting chain) Mårten Segerkvist
@ 2005-03-13 20:16 ` Jason Opperisano
  0 siblings, 0 replies; 9+ messages in thread
From: Jason Opperisano @ 2005-03-13 20:16 UTC (permalink / raw)
  To: netfilter

On Sun, 2005-03-13 at 05:11, Mårten Segerkvist wrote:
> I tried to log the packets reaching POSTROUTING with
> 
> > iptables -t nat -A POSTROUTING -j log
> 
> but none of them showed up in the syslog; that's a minor? problem though.

fixating on what does/doesn't get logged in NAT POSTROUTING is
counter-productive to the task at hand.  if you wish to log POSTROUTING
packets for the purposes of troubleshooting, please do it in MANGLE:

  iptables -t mangle -A POSTROUTING -j LOG --log-prefix "POSTROUTED: "

> I'd be most grateful for any suggestions!

the wire never lies:

run:
  tcpdump -n -nn -p -i wlan0 icmp

and ping something.

run:
  tcpdump -n -nn -p -i eth0 icmp

and ping something.

from looking at the counters, it looks like the packets are making it
out of the gateway, but not making it back to it for whatever reason...

-j

--
"Dear Mr. President, there are too many states nowadays, please
 eliminate three. I am not a crackpot."
	--The Simpsons




* RE: NAT doesn't work (only a fraction of the forwarded packets reach the postrouting chain)
  2005-03-13 13:34 Sietse van Zanen
  2005-03-13 15:01 ` Mohamed Eldesoky
@ 2005-03-13 15:27 ` Jose Maria Lopez Hernandez
  1 sibling, 0 replies; 9+ messages in thread
From: Jose Maria Lopez Hernandez @ 2005-03-13 15:27 UTC (permalink / raw)
  To: netfilter

On Sun, 13-03-2005 at 14:34 +0100, Sietse van Zanen wrote:
> Because netfilter is a stateful firewall basically.
> It logs the first per NEW and marks the latter as RELATED,ESTABLISHED.
> 
> Only packets that match the NEW state will increment the counters. It counts how many connections have been set-up. Not how many packets belonging to a connection pass. These will be counted in a -j ACCEPT --state RELATED,ESTABLISHED rule, if present.
> 
> You could bypass this by creating stateless rule, but that would defeat the purpose of a stateless firewall.

But you can use stateful rules to ACCEPT or DROP the packets and
also stateless rules to LOG the packets, or send them, before the
stateful rules ACCEPT or DROP them, to a chain that contains RETURN 
rules to get the counters.

This is what I do and it works quite well.

Regards.

-- 

Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"





* Re: NAT doesn't work (only a fraction of the forwarded packets reach the postrouting chain)
  2005-03-13 13:34 Sietse van Zanen
@ 2005-03-13 15:01 ` Mohamed Eldesoky
  2005-03-13 15:27 ` Jose Maria Lopez Hernandez
  1 sibling, 0 replies; 9+ messages in thread
From: Mohamed Eldesoky @ 2005-03-13 15:01 UTC (permalink / raw)
  To: Sietse van Zanen, netfilter

On Sun, 13 Mar 2005 14:34:52 +0100, Sietse van Zanen <sietse@wizdom.nu> wrote:
> Because netfilter is a stateful firewall basically.
> It logs the first per NEW and marks the latter as RELATED,ESTABLISHED.
> 
But every new ping is a new connection, not related to the other ping !!!
It is not a ping-pong-ping-pong
It is ping-pong ping-pong

Maybe I am wrong !!!

> Only packets that match the NEW state will increment the counters. It counts how many connections have been set-up. Not how many packets belonging to a connection pass. These will be counted in a -j ACCEPT --state RELATED,ESTABLISHED rule, if present.
> 
> You could bypass this by creating stateless rule, but that would defeat the purpose of a stateless firewall.
> 


-- 
Mohamed Eldesoky
www.eldesoky.net
RHCE



* RE: NAT doesn't work (only a fraction of the forwarded packets reach the postrouting chain)
@ 2005-03-13 13:34 Sietse van Zanen
  2005-03-13 15:01 ` Mohamed Eldesoky
  2005-03-13 15:27 ` Jose Maria Lopez Hernandez
  0 siblings, 2 replies; 9+ messages in thread
From: Sietse van Zanen @ 2005-03-13 13:34 UTC (permalink / raw)
  To: netfilter

Because netfilter is a stateful firewall basically.
It logs the first per NEW and marks the latter as RELATED,ESTABLISHED.

Only packets that match the NEW state will increment the counters. It counts how many connections have been set-up. Not how many packets belonging to a connection pass. These will be counted in a -j ACCEPT --state RELATED,ESTABLISHED rule, if present.

You could bypass this by creating stateless rule, but that would defeat the purpose of a stateless firewall.

-----Original Message-----
From: Mohamed Eldesoky [mailto:eldesoky.lists@gmail.com] 
Sent: Sunday, March 13, 2005 2:21 PM
To: Sietse van Zanen; netfilter
Subject: Re: NAT doesn't work (only a fraction of the forwarded packets reach the postrouting chain)

On Sun, 13 Mar 2005 13:14:31 +0100, Sietse van Zanen <sietse@wizdom.nu> wrote:
> What do you see, when you tcpdump on your external interface? (tcpdump -i eth0). Can you see natted packets exiting that interface?
> 
> The reason, that you only see 4 packets in the iptables -t nat -L is that if you fire off 10 pings, iptables will see the latter 9 as belonging to the same connection and therefore only logs 1.

How come ???




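Added example, not code from the thread: a small parser for `iptables -L -v` listings that puts the filter/FORWARD and nat/POSTROUTING counters side by side, to make concrete the point Sietse makes above (nat counters count connections, not packets) and the counter-chain idea in Jose's reply. The sample listings are constructed from the counters quoted in the original post; function and class names are my own.

```python
import re
from dataclasses import dataclass, field

# Chain header, e.g. "Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)"
CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\S+) packets, (\S+) bytes\)")
# Rule line: pkts bytes target prot opt in out source destination [extra]
RULE_RE = re.compile(r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
# `iptables -v` abbreviates large counters with decimal (not binary) multiples.
SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}

def to_int(counter):
    """Decode a counter as printed by `iptables -v`, e.g. '3836K' -> 3836000."""
    if counter[-1] in SUFFIX:
        return int(counter[:-1]) * SUFFIX[counter[-1]]
    return int(counter)

@dataclass
class Rule:
    pkts: int
    target: str
    in_if: str
    out_if: str

@dataclass
class Chain:
    name: str
    policy: str
    policy_pkts: int            # packets that fell through to the chain policy
    rules: list = field(default_factory=list)

def parse_listing(text):
    """Turn one `iptables [-t table] -L -v` listing into {chain name: Chain}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2), to_int(m.group(3)))
            chains[current.name] = current
            continue
        m = RULE_RE.match(line)     # the "pkts bytes target ..." header never matches
        if current is not None and m:
            current.rules.append(Rule(to_int(m.group(1)), m.group(3), m.group(6), m.group(7)))
    return chains

def nat_coverage(filter_listing, nat_listing):
    """Return (packets ACCEPTed in FORWARD, packets that hit SNAT/MASQUERADE, packets per flow).

    The nat table is consulted only for the first packet of a connection (the one
    conntrack classifies as NEW); later packets reuse the stored mapping and never
    enter nat/POSTROUTING, so the second value counts flows and a large gap is normal.
    """
    forward = parse_listing(filter_listing)["FORWARD"]
    post = parse_listing(nat_listing)["POSTROUTING"]
    fwd_pkts = sum(r.pkts for r in forward.rules if r.target == "ACCEPT")
    nat_flows = sum(r.pkts for r in post.rules if r.target in ("SNAT", "MASQUERADE"))
    per_flow = fwd_pkts / nat_flows if nat_flows else float("inf")
    return fwd_pkts, nat_flows, per_flow

# Constructed sample listings, using the counters quoted in the original post.
FILTER_LISTING = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source destination
   314 12560 ACCEPT     all  --  wlan0  any     anywhere anywhere
"""
NAT_LISTING = """\
Chain POSTROUTING (policy ACCEPT 1 packets, 228 bytes)
  pkts bytes target     prot opt in     out     source destination
    18  1080 MASQUERADE  all  --  any    eth0    anywhere anywhere
     0     0 LOG        all  --  any    any     anywhere anywhere            LOG level warning
"""

if __name__ == "__main__":
    pkts, flows, per_flow = nat_coverage(FILTER_LISTING, NAT_LISTING)
    print(f"forwarded: {pkts} packets, NATed: {flows} flows, ~{per_flow:.1f} packets per flow")
```

Feed it the live output of `iptables -L -v` and `iptables -t nat -L -v` to see the same two numbers on a running router; a reply problem shows up in tcpdump on the interfaces, not in this ratio.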

* Re: NAT doesn't work (only a fraction of the forwarded packets reach the postrouting chain)
  2005-03-13 12:14 Sietse van Zanen
@ 2005-03-13 13:20 ` Mohamed Eldesoky
  0 siblings, 0 replies; 9+ messages in thread
From: Mohamed Eldesoky @ 2005-03-13 13:20 UTC (permalink / raw)
  To: Sietse van Zanen, netfilter

On Sun, 13 Mar 2005 13:14:31 +0100, Sietse van Zanen <sietse@wizdom.nu> wrote:
> What do you see, when you tcpdump on your external interface? (tcpdump -i eth0). Can you see natted packets exiting that interface?
> 
> The reason, that you only see 4 packets in the iptables -t nat -L is that if you fire off 10 pings, iptables will see the latter 9 as belonging to the same connection and therefore only logs 1.

How come ???


> 
> It might be as simple, that the host you are trying to ping is just unpingable.
> 
> Specify some more info, like what you are trying to ping, traceroute -I output.


-- 
Mohamed Eldesoky
www.eldesoky.net
RHCE



* RE: NAT doesn't work (only a fraction of the forwarded packets reach the postrouting chain)
@ 2005-03-13 12:14 Sietse van Zanen
  2005-03-13 13:20 ` Mohamed Eldesoky
  0 siblings, 1 reply; 9+ messages in thread
From: Sietse van Zanen @ 2005-03-13 12:14 UTC (permalink / raw)
  To: netfilter

What do you see, when you tcpdump on your external interface? (tcpdump -i eth0). Can you see natted packets exiting that interface?

The reason, that you only see 4 packets in the iptables -t nat -L is that if you fire off 10 pings, iptables will see the latter 9 as belonging to the same connection and therefore only logs 1.

It might be as simple, that the host you are trying to ping is just unpingable.

Specify some more info, like what you are trying to ping, traceroute -I output.





* RE: NAT doesn't work (only a fraction of the forwarded packets reach the postrouting chain)
  2005-03-13 10:41 Sietse van Zanen
@ 2005-03-13 12:01 ` Mårten Segerkvist
  0 siblings, 0 replies; 9+ messages in thread
From: Mårten Segerkvist @ 2005-03-13 12:01 UTC (permalink / raw)
  To: netfilter

On Sun, 13 Mar 2005, Sietse van Zanen wrote:

> From man iptables:
> MASQUERADE
> This target is only valid in the nat table, in the POSTROUTING chain. 
> It should only be used with dynamically assigned IP (dialup) 
> connections: if you have  a  static  IP address,  you should use the 
> SNAT target.
>
> Try using regular SNAT rule:
>
> iptables --table nat --append POSTROUTING --out-interface eth0 -j SNAT 
> --to-source your.pub.ip.addr
>

Now using:

echo 1 > /proc/sys/net/ipv4/ip_forward
modprobe ipt_MASQUERADE
modprobe iptable_filter
iptables --table nat --append POSTROUTING --out-interface eth0 -j SNAT \
   --to-source 81.172.241.145
iptables --append FORWARD --in-interface eth1 -j ACCEPT

This gives me the same result as previously. What confuses me further is 
that no packets seem to be accepted from the wlan-interface.

> iptables -L -v

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source 
destination
   125  5000 ACCEPT     all  --  wlan0  any     anywhere 
anywhere

> iptables -t nat -L -v

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source 
destination
     4   295 SNAT       all  --  any    eth0    anywhere 
anywhere            to:<IP>

As before, I'd be most grateful for any suggestions!

/Mårten Segerkvist



* RE: NAT doesn't work (only a fraction of the forwarded packets reach the postrouting chain)
@ 2005-03-13 10:41 Sietse van Zanen
  2005-03-13 12:01 ` Mårten Segerkvist
  0 siblings, 1 reply; 9+ messages in thread
From: Sietse van Zanen @ 2005-03-13 10:41 UTC (permalink / raw)
  To: netfilter

From man iptables:
MASQUERADE
       This target is only valid in the nat table, in the POSTROUTING chain.  It should only
       be used with dynamically assigned IP (dialup) connections: if you have  a  static  IP
       address,  you should use the SNAT target.  

Try using regular SNAT rule:

iptables --table nat --append POSTROUTING --out-interface eth0 -j SNAT --to-source your.pub.ip.addr




