[ale] NAT Help needed!

Robert L. Harris Robert.L.Harris at rdlg.net
Wed Feb 9 14:34:32 EST 2005



Right.  Make sure you have a "-j LOG" rule like I posted before.  Then
you can ping from 192.168.0.10 to 10.0.0.50 and see why your firewall is
blocking it.

Can you send me your iptables script?



Thus spake Philip Polstra (ppolstra at gmail.com):

> Nothing is showing up in the logs?!
> 
> The address of eth1 which is connected to the local network is
> 192.168.1.5.  Eth0 is connected to the ISP using DHCP off a 10.0.0.0
> network.
> 
> I can ping 192.168.1.5 from anywhere and also can ping from the router
> machine to anywhere inside or outside the network.  The other machines
> (which dual boot FC3/Windozes) have the gateway set to 192.168.1.5.
> 
> 
> 
> 
> On Wed, 9 Feb 2005 14:03:08 -0500, Robert L. Harris
> <Robert.L.Harris at rdlg.net> wrote:
> > 
> > 
> > Ok, do this:
> > 
> >   Make sure that your iptable output error messages are being logged.  I
> > do it with this:
> > 
> > $IPTABLES -A cleanup -j LOG --log-level debug --log-prefix "IPTables v4 Dropped: "
> > $IPTABLES -A cleanup -j DROP
> > 
> > That way you can check to see if it's your firewall with this:
> > 
> > {130}:/var/log>tail -20f syslog | grep IPT
> > Feb  9 13:59:29 wally kernel: IPTables v4 Dropped: IN=eth0 OUT= MAC=00:60:08:1c:7a:b5:00:0b:bf:7c:cc:a8:08:00 SRC=70.49.25.19 DST=68.184.148.196 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=10687 DF PROTO=TCP SPT=2044 DPT=21505 WINDOW=65535 RES=0x00 SYN URGP=0
> > Feb  9 13:59:35 wally kernel: IPTables v4 Dropped: IN=eth0 OUT= MAC=00:60:08:1c:7a:b5:00:0b:bf:7c:cc:a8:08:00 SRC=70.49.25.19 DST=68.184.148.196 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=11136 DF PROTO=TCP SPT=2044 DPT=21505 WINDOW=65535 RES=0x00 SYN URGP=0
> > 
> > That way you can get a machine behind to ping out and see where you're
> > getting blocked.
> > 
> > 
> > Thus spake Philip Polstra (ppolstra at gmail.com):
> > 
> > > On Wed, 9 Feb 2005 13:48:26 -0500, Robert L. Harris
> > > <Robert.L.Harris at rdlg.net> wrote:
> > > >
> > > >
> > > > Ok, from the FC3, can you ping the default gateway outwards to the
> > > > Internet?  Can you ping a couple machines behind the FC3 in the nat'd
> > > > area?
> > > Yes, and yes.
> > > >
> > > > What do you get for "cat /proc/sys/net/ipv4/ip_forward"?
> > > 1
> > > >
> > > > Thus spake Philip Polstra (ppolstra at gmail.com):
> > > >
> > > > > Our router went down yesterday at the high school so we decided to set
> > > > > up a FC3 machine to be the new router.  I can't get it to forward
> > > > > packets from other machines in the network despite following the
> > > > > instructions to set up the router with NAT exactly.  I have the
> > > > > ability to connect to the internet and the local network on the router
> > > > > machine, but nothing gets forwarded.
> > > > >
> > > > > I'm using iptables.  Any ideas?
> > > >
> > > > :wq!
> > > > ---------------------------------------------------------------------------
> > > > Robert L. Harris                     | GPG Key ID: E344DA3B
> > > >                                          @ x-hkp://pgp.mit.edu
> > > > DISCLAIMER:
> > > >       These are MY OPINIONS             With Dreams To Be A King,
> > > >        ALONE.  I speak for              First One Should Be A Man
> > > >        no-one else.                       - Manowar
> > > >
> > > >
> > > >
> > >
> > 

:wq!
---------------------------------------------------------------------------
Robert L. Harris                     | GPG Key ID: E344DA3B
                                         @ x-hkp://pgp.mit.edu
DISCLAIMER:
      These are MY OPINIONS             With Dreams To Be A King,
       ALONE.  I speak for              First One Should Be A Man
       no-one else.                       - Manowar
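
An added example, not part of the original message: the "cleanup" chain quoted above logs every drop under one prefix, so the IN= and OUT= fields are what show whether a dropped packet was being forwarded or was addressed to the router itself. This Python script groups such lines by path; the sample lines are constructed from the addresses and interfaces named in the thread, and the function names are hypothetical.

```python
import re
from collections import Counter

PREFIX = "IPTables v4 Dropped: "    # --log-prefix from the rule quoted in the thread
FIELD = re.compile(r"(\w+)=(\S*)")  # KEY=value; the value may be empty ("OUT=")

# Constructed sample input, modelled on the syslog lines shown in the thread.
SAMPLE = """\
Feb  9 14:40:01 wally kernel: IPTables v4 Dropped: IN=eth1 OUT=eth0 SRC=192.168.0.10 DST=10.0.0.50 LEN=84 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4711 SEQ=1
Feb  9 14:40:02 wally kernel: IPTables v4 Dropped: IN=eth1 OUT=eth0 SRC=192.168.0.10 DST=10.0.0.50 LEN=84 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4711 SEQ=2
Feb  9 14:40:05 wally kernel: IPTables v4 Dropped: IN=eth0 OUT= SRC=70.49.25.19 DST=68.184.148.196 LEN=48 TTL=110 ID=10687 DF PROTO=TCP SPT=2044 DPT=21505 SYN URGP=0
Feb  9 14:40:06 wally kernel: eth0: link up
"""

def parse(line):
    """Return the LOG fields of one syslog line, or None if it lacks PREFIX."""
    _, found, rest = line.partition(PREFIX)
    if not found:
        return None
    fields = {}
    for key, value in FIELD.findall(rest):
        fields.setdefault(key, value)  # ICMP lines repeat ID=; keep the IP header one
    return fields

def path(fields):
    """Classify by interfaces: IN and OUT both set means the packet was being routed."""
    has_in, has_out = bool(fields.get("IN")), bool(fields.get("OUT"))
    if has_in and has_out:
        return "forwarded"      # dropped on its way through the router
    if has_in:
        return "to-router"      # addressed to the router itself
    if has_out:
        return "from-router"    # generated locally on the router
    return "unknown"

def summarize(text):
    """Count drops per (path, IN, OUT, SRC, DST, PROTO)."""
    counts = Counter()
    for line in text.splitlines():
        f = parse(line)
        if f is not None:
            counts[(path(f), f.get("IN", ""), f.get("OUT", ""),
                    f.get("SRC", ""), f.get("DST", ""), f.get("PROTO", ""))] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
```

If the ping from the machine behind the router produces only "to-router" entries, or none at all, the drop is not happening to the forwarded traffic at this LOG rule.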
