Networking Forums


iptables masquerading/snat stop working upon moving to kernel 2.6

S P Arif Sahari Wibowo

 
      08-22-2005, 01:39 PM
Hi!

Upon moving from RH 9 (kernel 2.4.18 and 2.4.20) to WBEL 4 (RHEL
4 recompile, kernel 2.6.9), a simple masquerading SNAT stopped
working. Packets reach the PREROUTING chain but never reach the
POSTROUTING chain.

Any idea why and how to fix it?

Here is the iptables saved rules on the gateway machine:

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT


route -n (say 24.24.24.24 is the external IP):

192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
24.24.24.24 0.0.0.0 255.255.255.0 U 0 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
0.0.0.0 24.24.24.24 0.0.0.0 UG 0 0 0 eth1


To get logging, I added a few rules:


*nat
-A PREROUTING -s 192.168.1.0/255.255.255.0 -j LOG --log-prefix PRE--
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -j LOG --log-prefix POST--
COMMIT

*filter
-A INPUT -s 192.168.1.0/255.255.255.0 -j LOG --log-prefix INP--
-A FORWARD -s 192.168.1.0/255.255.255.0 -j LOG --log-prefix FOR--
COMMIT


These rules were loaded by iptables without problem.

Now when a machine on the local network (yes, they have the correct IP
and gateway) tries to reach the Internet, the entry for PREROUTING
shows up, but no entry for POSTROUTING shows; the packet is just
lost:

Aug 22 09:26:19 thegateway kernel: PRE--IN=eth0 OUT= MAC=00:20:ed:64:a2:89:00:50:ba:3e:bd:2e:80:00 SRC=192.168.1.5 DST=24.24.24.24 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=40000 DF PROTO=TCP SPT=1027 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 22 09:26:22 thegateway kernel: PRE--IN=eth0 OUT= MAC=00:20:ed:64:a2:89:00:50:ba:3e:bd:2e:80:00 SRC=192.168.1.5 DST=24.24.24.24 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=40002 DF PROTO=TCP SPT=1027 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 22 09:26:28 thegateway kernel: PRE--IN=eth0 OUT= MAC=00:20:ed:64:a2:89:00:50:ba:3e:bd:2e:80:00 SRC=192.168.1.5 DST=24.24.24.24 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=40004 DF PROTO=TCP SPT=1027 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0

Thanks!

--
Stephan Paul Arif Sahari Wibowo
_____ _____ _____ _____
/____ /____/ /____/ /____
_____/ / / / _____/ http://www.arifsaha.com/
Llanzlan Klazmon
      08-23-2005, 02:25 AM
S P Arif Sahari Wibowo <(E-Mail Removed)> wrote in
news:(E-Mail Removed) caldomain:

> Hi!
>
> Upon moving from RH 9 (kernel 2.4.18 and 2.4.20) to WBEL 4 (RHEL
> 4 recompile, kernel 2.6.9), a simple masquerading SNAT stopped
> working. Packets reach the PREROUTING chain but never reach the
> POSTROUTING chain.
>
> Any idea why and how to fix it?


Do you have ip_forward turned on?

Klazmon.

<SNIP>
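The check Klazmon asks for (and lasseboo's ip_forward check below) as a small diagnostic script, an added example that is not code from anyone in this thread. It assumes the LOG rules from the first post are in place with the PRE-- and POST-- prefixes, and uses a constructed sample log shaped like the lines posted above.

```shell
#!/bin/sh
# Added example, not from the thread: diagnose the symptom above, where
# LOG rules fire in nat PREROUTING but never in nat POSTROUTING. With
# net.ipv4.ip_forward=0 the kernel drops transit packets between
# PREROUTING and FORWARD, so POSTROUTING (and MASQUERADE) is never reached.

# Constructed sample kernel log, shaped like the posted lines but with
# only the fields the diagnostic needs.
SAMPLE_LOG='Aug 22 09:26:19 thegateway kernel: PRE--IN=eth0 OUT= SRC=192.168.1.5 DST=24.24.24.24 PROTO=TCP DPT=23
Aug 22 09:26:22 thegateway kernel: PRE--IN=eth0 OUT= SRC=192.168.1.5 DST=24.24.24.24 PROTO=TCP DPT=23'

# count_prefix LOGTEXT PREFIX -> number of kernel log lines carrying PREFIX
count_prefix() {
    printf '%s\n' "$1" | awk -v p="kernel: $2" 'index($0, p) { n++ } END { print n + 0 }'
}

# diagnose IP_FORWARD_VALUE LOGTEXT
# Exit status: 0 = forwarding looks healthy, 1 = ip_forward is off,
# 2 = forwarding is on but logged packets still never reach POSTROUTING.
diagnose() {
    fwd=$1
    pre=$(count_prefix "$2" 'PRE--')
    post=$(count_prefix "$2" 'POST--')
    if [ "$fwd" != "1" ]; then
        echo "ip_forward=$fwd: $pre PREROUTING hit(s), $post POSTROUTING hit(s);" \
             "enable with 'sysctl -w net.ipv4.ip_forward=1' and persist it in /etc/sysctl.conf"
        return 1
    fi
    if [ "$pre" -gt 0 ] && [ "$post" -eq 0 ]; then
        echo "ip_forward is on but $pre packet(s) never reached POSTROUTING:" \
             "check FORWARD chain drops and the routing table"
        return 2
    fi
    echo "ok: $pre PREROUTING hit(s), $post POSTROUTING hit(s)"
    return 0
}

# live_check: run the diagnostic against this host (dmesg may need root).
live_check() {
    diagnose "$(cat /proc/sys/net/ipv4/ip_forward)" "$(dmesg 2>/dev/null)"
}

# Stand-alone demo: forwarding off against the sample log (reports status 1;
# the status is discarded here so the script itself ends cleanly).
diagnose 0 "$SAMPLE_LOG" || true
```

Call `live_check` instead of the demo line to test a real gateway.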
lasseboo
      08-23-2005, 05:56 AM
Hi,

I would say the same. Assuming you compiled your kernel under
/usr/local/src/linux-2.6.x, can you check

your-server:/usr/local/src/linux-2.6.x# cat .config | grep MASQ

CONFIG_IP_NF_TARGET_MASQUERADE=y

your-server:/usr/local/src/linux-2.6.x# cat .config | grep NAT

CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
CONFIG_IP_NF_NAT_IRC=y
CONFIG_IP_NF_NAT_FTP=y
CONFIG_IP_NF_NAT_TFTP=y
CONFIG_NATSEMI=m

You have to enable FUL_NAT or something like this under the
Netfilter options.

Does

cat /proc/sys/net/ipv4/ip_forward

return a "1"?


greetings


lasseboo

S P Arif Sahari Wibowo
      08-23-2005, 06:54 AM
On Mon, 23 Aug 2005, Llanzlan Klazmon wrote:
> Do you have ip_forward turned on?


<hitting my own head profusely>

<maintain composure with difficulty> Well, it seems that you got
the problem correctly; I should know, I did it before.

Thank you!

<digging a hole to hide my head>

--
Stephan Paul Arif Sahari Wibowo
_____ _____ _____ _____
/____ /____/ /____/ /____
_____/ / / / _____/ http://www.arifsaha.com/
Raqueeb Hassan
      08-23-2005, 10:27 AM
> *nat
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A POSTROUTING -s 192.168.1.0/255.255.255.0 -j MASQUERADE
> COMMIT



Where is forwarding mode?



--
Raqueeb Hassan
Bangladesh

Jean-David Beyer
      08-23-2005, 10:34 AM
Llanzlan Klazmon wrote:
> S P Arif Sahari Wibowo <(E-Mail Removed)> wrote in
> news:(E-Mail Removed) caldomain:
>
>
>>Hi!
>>
>>Upon moving from RH 9 (kernel 2.4.18 and 2.4.20) to WBEL 4 (RHEL
>>4 recompile, kernel 2.6.9), a simple masquerading SNAT stopped
>>working. Packets reach the PREROUTING chain but never reach the
>>POSTROUTING chain.
>>
>>Any idea why and how to fix it?

>
>
> Do you have ip_forward turned on?
>

Here is part of my /etc/sysctl.conf:

# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.conf.default.rp_filter = 1
net.ipv4.ip_forward = 1 <---<<<
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth1.forwarding = 1

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

--
.~. Jean-David Beyer Registered Linux User 85642.
/V\ PGP-Key: 9A2FC99A Registered Machine 241939.
/( )\ Shrewsbury, New Jersey http://counter.li.org
^^-^^ 06:30:00 up 69 days, 25 min, 3 users, load average: 4.18, 4.20, 4.10
Llanzlan Klazmon
      08-24-2005, 03:13 AM
S P Arif Sahari Wibowo <(E-Mail Removed)> wrote in
news:(E-Mail Removed) caldomain:

> On Mon, 23 Aug 2005, Llanzlan Klazmon wrote:
>> Do you have ip_forward turned on?

>
> <hitting my own head profusely>
>
> <maintain composure with difficulty> Well, it seems that you got
> the problem correctly; I should know, I did it before.
>
> Thank you!
>
> <digging a hole to hide my head>
>


Don't worry. I've been caught out myself by things like that plenty of
times. It's often the things that you know well that get overlooked.

Klazmon.