This is the result of tcpdump when I attempt to make a connection:

14:45:56.454006 arp who-has h-207-228-x-x.gen.cadvision.com tell h-207-228-x-x.gen.cadvision.com
14:45:56.455227 h-207-228-x-x.gen.cadvision.com.1031 > ns1.cadvision.com.domain: 29645+ PTR? x.x.228.207.in-addr.arpa. (43) (DF)

Several messages like this appear. Do I need to get my ISP to flush the ARP cache on the router?

I pared the cfg file down to the bare minimum, just for the purposes of troubleshooting. This is not my normal config file at all.

#! /bin/bash

#call insmod script
/etc/sysconfig/modsprobe

#activate kernel forwarding (keep the space before ">": "echo 1>file" is
#parsed by the shell as a redirection of fd 1 and writes an empty line, not "1")
echo 1 > /proc/sys/net/ipv4/ip_forward

LOOPBACK_INTERFACE="lo"         #loopback interface
INET_INTERFACE="eth0"           #internet-connected interface
LAN_INTERFACE="eth1"            #LAN-connected interface

LAN_ADDRESS="192.168.41.237"    #LAN Address
INET_ADDRESS="207.228.82.3"     #Internet address
ISP_GATEWAY="207.228.82.1"      #ISP gateway address

PRIVPORTS="0:1023"              #well-known, privileged port range
UNPRIVPORTS="1024:65535"        #unprivileged ports

SSH_PORT="22"                   #SSH Port
MAIL_PORT="25"                  #SMTP Port
WEB_PORT="80"                   #HTTP Service port

WPS2_EX="207.228.82.4"          #WPS2 External address
WPS2_INT="192.168.41.6"         #WPS2 Internal address

#remove existing rules
/sbin/iptables --flush
/sbin/iptables -t nat --flush
/sbin/iptables -t mangle --flush

#set default chain policies
/sbin/iptables --policy INPUT ACCEPT
/sbin/iptables --policy OUTPUT ACCEPT
/sbin/iptables --policy FORWARD ACCEPT

#enable loopback interface
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT

#NAT for wps2
/sbin/iptables -t nat -A PREROUTING -i $INET_INTERFACE -d $WPS2_EX -j DNAT --to-dest $WPS2_INT
/sbin/iptables -t nat -A POSTROUTING -o $INET_INTERFACE -s $WPS2_INT -j SNAT --to-source $WPS2_EX

----- Original Message -----
From: Brent Scriver <[EMAIL PROTECTED]>
Date: Monday, May 27, 2002 1:02 pm
Subject: Re: NAT problem - help please

> Hmm, well, indicating that established and related are accepted is a little
> redundant since those chains are already set with the policy of accept. This
> was done to track down what statement was blocking traffic? Have you tried
> tcpdump to get an idea what traffic on the interfaces aren't going where
> they should? What aspects are not working?
>
> I've created some documentation of what I've done up at
> http://www.oneoddsock.com/resources/linuxrouter.html. It probably has more
> stuff than you need, but might help get things going by comparing the
> differences.
>
> HTH,
> Brent
>
> ----- Original Message -----
> From: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, May 27, 2002 10:58 AM
> Subject: NAT problem - help please
>
> > Hi,
> >
> > I posted this a couple weeks ago, but there was no response so I'll
> > post again in the hopes someone might be able to help me with it. I was
> > having trouble with a single NAT connection with a very basic script,
> > and someone suggested adding the second IP address for the purpose of
> > ARP response from the upstream router. I did this, but still have no
> > luck. Here is my config, and my IP address info (hidden last bits). The
> > ip addr show command output has the 3 addresses configured for that
> > interface.
> >
> > Am I missing something really basic? Is there something else I should
> > be looking at? This is Red Hat 7.2 with iptables 1.2.5 compiled (not
> > RPMs). I can ping to/from the box from the LAN and inet; is there some
> > routing thing I should be doing? (inserted routing output for info)
> >
> > IPTABLES SCRIPT
> >
> > #call insmod script
> > /etc/sysconfig/modsprobe
> >
> > #activate kernel forwarding (space before ">" required; "echo 1>file" writes an empty line)
> > echo 1 > /proc/sys/net/ipv4/ip_forward
> >
> > INET_INTERFACE="eth0"           #internet-connected interface
> > LAN_INTERFACE="eth1"            #LAN-connected interface
> >
> > LAN_ADDRESS="192.168.41.237"    #LAN Address
> > INET_ADDRESS="207.228.x.x"      #Internet address
> >
> > PRIVPORTS="0:1023"              #well-known, privileged port range
> > UNPRIVPORTS="1024:65535"        #unprivileged ports
> >
> > WEB_PORT="80"                   #HTTP Service port
> >
> > WPS2_EX="207.228.x.x"           #WPS2 External address
> > WPS2_INT="192.168.41.6"         #WPS2 Internal address
> >
> > #remove existing rules
> > /sbin/iptables --flush
> > /sbin/iptables -t nat --flush
> > /sbin/iptables -t mangle --flush
> >
> > #set default chain policies
> > /sbin/iptables --policy INPUT ACCEPT
> > /sbin/iptables --policy OUTPUT ACCEPT
> > /sbin/iptables --policy FORWARD ACCEPT
> >
> > #enable loopback interface
> > /sbin/iptables -A INPUT -i lo -j ACCEPT
> > /sbin/iptables -A OUTPUT -o lo -j ACCEPT
> >
> > #enable state-related connections
> > /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > #NAT for wps2
> > /sbin/iptables -t nat -A PREROUTING -i $INET_INTERFACE -d $WPS2_EX -j DNAT --to-dest $WPS2_INT
> > /sbin/iptables -t nat -A POSTROUTING -o $INET_INTERFACE -s $WPS2_INT -j SNAT --to-source $WPS2_EX
> >
> > IP ADDR SHOW output
> >
> > 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
> >     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> >     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
> > 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
> >     link/ether 00:02:b3:93:be:ea brd ff:ff:ff:ff:ff:ff
> >     inet 207.228.x.x/29 brd 207.228.x.x scope global eth0
> >     inet 207.228.x.x/29 scope global secondary eth0
> >     inet 207.228.x.x/29 scope global secondary eth0
> > 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
> >     link/ether 00:02:b3:93:be:eb brd ff:ff:ff:ff:ff:ff
> >     inet 192.168.41.237/24 brd 192.168.41.255 scope global eth1
> > 4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 100
> >     link/ether 00:02:b3:8f:2e:bc brd ff:ff:ff:ff:ff:ff
> >
> > ROUTE output
> >
> > Destination     Gateway         Genmask         Flags Metric Ref Use Iface
> > 207.228.x.x     *               255.255.255.248 U     0      0   0   eth0
> > 192.168.41.0    *               255.255.255.0   U     0      0   0   eth1
> > 127.0.0.0       *               255.0.0.0       U     0      0   0   lo
> > default         h-207-228-x-x.  0.0.0.0         UG    0      0   0   eth0
> >
> > I'm confused - I have had other iptables systems working before,
> > which is why I'm so irritated :)
> >
> > Thanks!
> > Max
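Added example, not code from the thread, from Brent's page or from the iptables project: the same WPS2 DNAT/SNAT setup as the pared-down script, restructured so each step can be checked before anyone asks the ISP about the upstream router's ARP cache. Assumptions: /sbin/iptables as the binary, eth0 and the 207.228.82.4 / 192.168.41.6 pair are taken from the thread; the `iptables -t nat -L -v -n -x` listing embedded below is constructed sample output, not captured from Max's box; the function names are mine. It checks three things: that the forwarding flag actually reads 1 after it is set (the shell parses `echo 1>file`, with no space, as a redirection of fd 1 and writes an empty line), the exact rule text being loaded, and which NAT rule still has a zero packet counter after a connection attempt.

```shell
#!/bin/bash
# Added example for troubleshooting the WPS2 NAT from the thread; not the
# poster's script. Nothing here touches iptables unless run as "script apply".

IPTABLES=${IPTABLES:-/sbin/iptables}   # assumption: path from the thread
INET_INTERFACE=eth0                    # from the thread
WPS2_EX=207.228.82.4                   # WPS2 external address (thread)
WPS2_INT=192.168.41.6                  # WPS2 internal address (thread)

# Read the forwarding flag with whitespace stripped ("" if the file is empty).
forwarding_value() {
    tr -d '[:space:]' < "$1"
}

# Enable forwarding and return the value actually stored. The space before
# ">" matters: "echo 1>file" redirects fd 1 and writes an empty line, so a
# script written that way leaves forwarding off while appearing to set it.
enable_forwarding() {
    local f=${1:-/proc/sys/net/ipv4/ip_forward}
    echo 1 > "$f"
    forwarding_value "$f"
}

# Print the two NAT rules, one per line, so they can be reviewed or logged
# before loading. DNAT rewrites the destination of packets arriving on the
# internet interface for the public address; SNAT rewrites the source of
# the internal host's own outbound packets back to the public address.
nat_rules() {
    local inet_if=$1 ex=$2 int=$3
    printf '%s\n' \
        "-t nat -A PREROUTING -i $inet_if -d $ex -j DNAT --to-destination $int" \
        "-t nat -A POSTROUTING -o $inet_if -s $int -j SNAT --to-source $ex"
}

# Load the rules (needs root and a real iptables); refuses to continue if
# forwarding did not actually turn on, since NAT without forwarding is moot.
apply_nat() {
    [ "$(enable_forwarding)" = 1 ] || { echo "ip_forward is not 1" >&2; return 1; }
    "$IPTABLES" -t nat -F
    nat_rules "$INET_INTERFACE" "$WPS2_EX" "$WPS2_INT" | while read -r rule; do
        # shellcheck disable=SC2086  # splitting the rule into arguments is intended
        "$IPTABLES" $rule
    done
}

# Given "iptables -t nat -L -v -n -x" output on stdin, print "CHAIN TARGET"
# for each rule whose packet counter is still zero. A rule nothing has matched
# is the first place to look when NAT appears to do nothing.
unmatched_rules() {
    awk '
        /^Chain /           { chain = $2; next }
        /^ *pkts +bytes/    { next }
        NF >= 3 && $1 == 0  { print chain, $3 }
    '
}

# Constructed sample (not from the thread) of "iptables -t nat -L -v -n -x"
# after a connection attempt: the DNAT rule matched 12 packets, the SNAT none.
SAMPLE_NAT_LISTING='Chain PREROUTING (policy ACCEPT 40 packets, 2400 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      12        720 DNAT       all  --  eth0   *       0.0.0.0/0            207.228.82.4         to:192.168.41.6

Chain POSTROUTING (policy ACCEPT 8 packets, 480 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 SNAT       all  --  *      eth0    192.168.41.6         0.0.0.0/0            to:207.228.82.4

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination'

# Offline checks by default; "apply" as the first argument loads the rules.
main() {
    nat_rules "$INET_INTERFACE" "$WPS2_EX" "$WPS2_INT"
    printf '%s\n' "$SAMPLE_NAT_LISTING" | unmatched_rules
    if [ "${1:-}" = apply ]; then
        apply_nat
    fi
}
main "$@"
```

Run without arguments it prints the two rules and, for the sample listing, `POSTROUTING SNAT`, the rule with no hits. On the real box the same `unmatched_rules` can be fed `/sbin/iptables -t nat -L -v -n -x` after a connection attempt; a zero counter on PREROUTING means the packet never reached the box (ARP or upstream routing), while a zero counter on POSTROUTING with hits on PREROUTING means the packet was translated but the reply never left through eth0, which is where forwarding being off would show up.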
