iptables masquerading/snat stop working upon moving to kernel 2.6 - Redhat

Thread: iptables masquerading/snat stop working upon moving to kernel 2.6

  1. iptables masquerading/snat stop working upon moving to kernel 2.6

    Hi!

    Upon moving from RH 9 (kernel 2.4.18 and 2.4.20) to WBEL 4 (RHEL
    4 recompile, kernel 2.6.9), a simple masquerading SNAT stops
    working. Packets reach the PREROUTING chain but never reach the
    POSTROUTING chain.

    Any idea why and how to fix it?

    Here is the iptables saved rules on the gateway machine:

    *nat
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A POSTROUTING -s 192.168.1.0/255.255.255.0 -j MASQUERADE
    COMMIT

    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    COMMIT


    route -n (say 24.24.24.24 is the external IP):

    192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
    24.24.24.24 0.0.0.0 255.255.255.0 U 0 0 0 eth1
    169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
    0.0.0.0 24.24.24.24 0.0.0.0 UG 0 0 0 eth1


    To get the logging, I added a few rules:


    *nat
    -A PREROUTING -s 192.168.1.0/255.255.255.0 -j LOG --log-prefix PRE--
    -A POSTROUTING -s 192.168.1.0/255.255.255.0 -j LOG --log-prefix POST--
    COMMIT

    *filter
    -A INPUT -s 192.168.1.0/255.255.255.0 -j LOG --log-prefix INP--
    -A FORWARD -s 192.168.1.0/255.255.255.0 -j LOG --log-prefix FOR--
    COMMIT


    These rules were loaded by iptables without problem.

    Now when a machine in the local network (yes, they have the correct IP
    and gateway) tries to reach the Internet, an entry on PREROUTING
    shows up, but no entry on POSTROUTING shows; the packet is just
    lost:

    Aug 22 09:26:19 thegateway kernel: PRE--IN=eth0 OUT= MAC=00:20:ed:64:a2:89:00:50:ba:3e:bd:2e:80:00 SRC=192.168.1.5 DST=24.24.24.24 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=40000 DF PROTO=TCP SPT=1027 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
    Aug 22 09:26:22 thegateway kernel: PRE--IN=eth0 OUT= MAC=00:20:ed:64:a2:89:00:50:ba:3e:bd:2e:80:00 SRC=192.168.1.5 DST=24.24.24.24 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=40002 DF PROTO=TCP SPT=1027 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
    Aug 22 09:26:28 thegateway kernel: PRE--IN=eth0 OUT= MAC=00:20:ed:64:a2:89:00:50:ba:3e:bd:2e:80:00 SRC=192.168.1.5 DST=24.24.24.24 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=40004 DF PROTO=TCP SPT=1027 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0

    Thanks!

    --
    Stephan Paul Arif Sahari Wibowo
    _____ _____ _____ _____
    /____ /____/ /____/ /____
    _____/ / / / _____/ http://www.arifsaha.com/

  2. Re: iptables masquerading/snat stop working upon moving to kernel 2.6

    S P Arif Sahari Wibowo wrote in
    news:Pine.LNX.4.63.0508220850270.5253@localhost.localdomain:

    > Hi!
    >
    > Upon moving from RH 9 (kernel 2.4.18 and 2.4.20) to WBEL 4 (RHEL
    > 4 recompile, kernel 2.6.9), a simple masquerading SNAT stops
    > working. Packets reach the PREROUTING chain but never reach the
    > POSTROUTING chain.
    >
    > Any idea why and how to fix it?


    Do you have ip_forward turned on?

    Klazmon.



  3. Re: iptables masquerading/snat stop working upon moving to kernel 2.6

    Hi,

    I would say the same. Assuming you compiled your kernel under
    /usr/local/src/linux-2.6.x, can you check

    your-server:/usr/local/src/linux-2.6.x# cat .config | grep MASQ

    CONFIG_IP_NF_TARGET_MASQUERADE=y

    your-server:/usr/local/src/linux-2.6.x# cat .config | grep NAT

    CONFIG_IP_NF_NAT=y
    CONFIG_IP_NF_NAT_NEEDED=y
    # CONFIG_IP_NF_NAT_SNMP_BASIC is not set
    CONFIG_IP_NF_NAT_IRC=y
    CONFIG_IP_NF_NAT_FTP=y
    CONFIG_IP_NF_NAT_TFTP=y
    CONFIG_NATSEMI=m

    You have to enable FULL_NAT or something like this under the
    Netfilter options.

    Does

    cat /proc/sys/net/ipv4/ip_forward

    return a "1"?


    Greetings,

    lasseboo


  4. Re: iptables masquerading/snat stop working upon moving to kernel 2.6

    On Mon, 23 Aug 2005, Llanzlan Klazmon wrote:
    > Do you have ip_forward turned on?

    Well, it seems that you got the problem correctly. I should know,
    I did it before.

    Thank you!



    --
    Stephan Paul Arif Sahari Wibowo
    _____ _____ _____ _____
    /____ /____/ /____/ /____
    _____/ / / / _____/ http://www.arifsaha.com/

  5. Re: iptables masquerading/snat stop working upon moving to kernel 2.6

    > *nat
    > :PREROUTING ACCEPT [0:0]
    > :POSTROUTING ACCEPT [0:0]
    > :OUTPUT ACCEPT [0:0]
    > -A POSTROUTING -s 192.168.1.0/255.255.255.0 -j MASQUERADE
    > COMMIT



    Where is forwarding mode?



    --
    Raqueeb Hassan
    Bangladesh


  6. Re: iptables masquerading/snat stop working upon moving to kernel 2.6

    Llanzlan Klazmon wrote:
    > S P Arif Sahari Wibowo wrote in
    > news:Pine.LNX.4.63.0508220850270.5253@localhost.localdomain:
    >
    >> Hi!
    >>
    >> Upon moving from RH 9 (kernel 2.4.18 and 2.4.20) to WBEL 4 (RHEL
    >> 4 recompile, kernel 2.6.9), a simple masquerading SNAT stops
    >> working. Packets reach the PREROUTING chain but never reach the
    >> POSTROUTING chain.
    >>
    >> Any idea why and how to fix it?
    >
    > Do you have ip_forward turned on?

    Here is part of my /etc/sysctl.conf:

    # Kernel sysctl configuration file for Red Hat Linux
    #
    # For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
    # sysctl.conf(5) for more details.

    # Controls IP packet forwarding
    net.ipv4.conf.default.rp_filter = 1
    net.ipv4.ip_forward = 1 <---<<<
    net.ipv4.conf.eth0.forwarding = 1
    net.ipv4.conf.eth1.forwarding = 1

    # Controls source route verification
    net.ipv4.conf.default.rp_filter = 1

    --
    .~. Jean-David Beyer Registered Linux User 85642.
    /V\ PGP-Key: 9A2FC99A Registered Machine 241939.
    /( )\ Shrewsbury, New Jersey http://counter.li.org
    ^^-^^ 06:30:00 up 69 days, 25 min, 3 users, load average: 4.18, 4.20, 4.10
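One way to turn the checks from replies 2, 3 and 6 into a repeatable test, as an added example that is not code from the thread: it parses a sysctl.conf-style file for the forwarding knobs a MASQUERADE rule depends on, reports what the running kernel has where /proc is available, and assumes the gateway's two interfaces are eth0 and eth1 as in the original post. The sample configuration file is constructed.

```shell
# Added example, not code from the thread: check the forwarding prerequisites
# a MASQUERADE rule in nat/POSTROUTING depends on. With ip_forward=0 a LAN
# packet is logged in PREROUTING, then dropped at the routing decision, so
# FORWARD and POSTROUTING never run and the MASQUERADE rule never fires.

# Value of a key in a sysctl.conf-style file (last assignment wins). Comment
# lines are skipped; trailing annotations such as "<---<<<" are ignored.
conf_value() {
    pat=$(printf '%s' "$1" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${pat}[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p" "$2" | tail -n 1
}

# Value active in the running kernel, or "absent" when /proc lacks the knob
# (non-Linux host, or an interface that does not exist here).
live_value() {
    path=/proc/sys/$(printf '%s' "$1" | tr . /)
    [ -r "$path" ] && cat "$path" || echo absent
}

# Report each required knob that is not 1 in the file. Returns 0 when all
# are enabled, otherwise the number of missing knobs.
check_forwarding_conf() {
    file=$1; missing=0
    for key in net.ipv4.ip_forward \
               net.ipv4.conf.eth0.forwarding \
               net.ipv4.conf.eth1.forwarding; do
        v=$(conf_value "$key" "$file")
        if [ "$v" = "1" ]; then
            echo "ok       $key = 1 (running kernel: $(live_value "$key"))"
        else
            echo "MISSING  $key = ${v:-unset}; fix: sysctl -w $key=1 and persist it in $file"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# Constructed sample modelled on the quoted /etc/sysctl.conf, with ip_forward
# left at the stock default of 0 to reproduce the thread's symptom.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# Controls IP packet forwarding
net.ipv4.conf.default.rp_filter = 1
net.ipv4.ip_forward = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth1.forwarding = 1
EOF
check_forwarding_conf "$SAMPLE_CONF" && rc=0 || rc=$?
echo "$rc knob(s) missing: MASQUERADE cannot work until forwarding is enabled"
```

Run it against the real /etc/sysctl.conf on the gateway to confirm the persisted setting, and compare the "running kernel" column with it to catch a change that was written to the file but never applied with sysctl -p.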

  7. Re: iptables masquerading/snat stop working upon moving to kernel 2.6

    S P Arif Sahari Wibowo wrote in
    news:Pine.LNX.4.63.0508230145010.6856@localhost.localdomain:

    > On Mon, 23 Aug 2005, Llanzlan Klazmon wrote:
    >> Do you have ip_forward turned on?
    >
    > Well, it seems that you got
    > the problem correctly, I should know, I did it before.
    >
    > Thank you!

    Don't worry. I've been caught out myself by things like that plenty of
    times. It's often the things that you know well that get overlooked.

    Klazmon.
