help with simple NAT forwarding

I'm very new to iptables and have read as much of the literature as my
weary brain can absorb. Still, I am having some difficulty with a
simple NAT setup.

My network consists of:

ethernet --> ADSL -- > Linksys Router --> 3Com Switch --> clients

ppoe
assigned 192.168.1.0/24 network
address

The linksys router does the ppoe negotiation and, of course, the WAN ip
is not static.

I am attempting to configure an embedded device (called an AXIS 82) as a
simple NAT MASQUERADE device. It's running the 2.4.26 kernel. The AXIS
82 has two ethernet ports (eth0 and eth1). eth0 is static and is
attached to the 3Com switch. I assigned 192.168.1.90 to eth0. eth1 is
also set static and is assigned 192.168.0.90 (note that it's on a
different subnet, as per some of the reading I've been doing regarding
setting this up).

I have udhcpd running on the device and it's able to give out ip
addresses within the 192.168.0.20 - 192.168.0.100 range. Another linux
box attached to the AXIS 82 eth1 port (through another switch) is able
to get an ip address just fine.

What I want to do is have a workstation attached to eth1 connect to the
local LAN (192.168.1.0/24) via the AXIS 82's eth0 and therefore out to
the WAN. I belive this is called "many to one" nat. I am assuming
(hope this is correct) that my destination wants to be 192.168.1.90 (the
eth0 ip address).

What I'm doing currently is just for testing purposes. In its final
configuration, the AXIS will attach to a cable modem (with a fixed ip
address) instead of the internal LAN.

Here's a diagram of what I want to do:

INTERNET
..
..
ADSL MODEM
.. {Dynamic WAN ADDRESS)
..
LINKSYS ROUTER
.. {192.168.1.0/24)
..
3COM SWITCH
..
..
AXIS 82 ETH0 (192.168.1.90)
{AXIS 82 running udhcpd and with iptables nat setup}
AXIS 82 ETH1 (192.168.0.90)
..
..
linux client 192.168.0.20 (supplied by AXIS 82)


Here's what i'm using as a simple NAT setup on the axis 82:

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
iptables -A POSTROUTING -t nat -o eth0 -s 192.168.1.0/24 -d 0/0 -j
MASQUERADE

iptables -A FORWARD -t filter -i eth1 -m state --state
NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -t filter -i eth0 -m state --state
ESTABLISHED,RELATED -j ACCEPT


Based on this setup, although my client at 192.168.0.20 gets an ip, when
I try to ping anything out on the net i get "destination host unreachable".

I should think if this were working I could ping 192.168.1.90, the eth0
address, and get a reply. This also fails.

The routing table for the client is:

192.168.0.0 * 255.255.255.0 U 0 0 0 eth1
169.250.0.0 * 255.255.0.0 U 0 0 0 eth1

The routing table for the AXIS 82 is:

192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
192.168.0.0 * 255.255.255.0 U 0 0 0 eth1
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth0

Any ideas? All thoughts are welcome. If I've done something stupid,
don't be afraid to say so!

Thanks!!

-m-

On Wed, 28 Jul 2004 18:04:20 -0400, Mark Richards wrote:
> I'm very new to iptables and have read as much of the literature as my
> weary brain can absorb. Still, I am having some difficulty with a
> simple NAT setup.

Looks like you're trying to make things really complicated? You only need
NAT at your ISP connection because that is where you have to mash all of
your traffic onto 1 IP address. I would just route all my private LAN
stuff "straight up" with routing tables and without anymore NAT. I'm not
even sure if you can (or if it's wise) to use NAT within NAT? I suppose
you should be able to (too tired to check), but why bother? All those
192.168.*.* address can be used by your LAN. How many do you need?

--
Juhan Leemet
Logicognosis, Inc.

Juhan,

What I'm doing now is only for development purposes. The intention is
that this setup will sit where my router is now. So I just need to get
this working as configured and then transfer it to the intended
environment later.

I would think that, since I'm trying to NAT to a different subnet, it
ought to work.

But it doesn't

-m-






Juhan Leemet wrote:
> On Wed, 28 Jul 2004 18:04:20 -0400, Mark Richards wrote:
>
>>I'm very new to iptables and have read as much of the literature as my
>>weary brain can absorb. Still, I am having some difficulty with a
>>simple NAT setup.
>
>
> Looks like you're trying to make things really complicated? You only need
> NAT at your ISP connection because that is where you have to mash all of
> your traffic onto 1 IP address. I would just route all my private LAN
> stuff "straight up" with routing tables and without anymore NAT. I'm not
> even sure if you can (or if it's wise) to use NAT within NAT? I suppose
> you should be able to (too tired to check), but why bother? All those
> 192.168.*.* address can be used by your LAN. How many do you need?
>