cwr Veteran
Joined: 17 Dec 2005 Posts: 1969
Posted: Fri Jun 21, 2013 6:38 pm Post subject: Iptables and nat [SOLVED]
I've been trying to forward packets from one interface to another, without having to build
a full-scale firewall. Every document I can find says that it's a question of adding
port forwarding and masquerading, but that fails every time for me. The machine has
valid interfaces to each destination, and I can log to the machines each side, but trying
to add forwarding gives me:
Code:
tuppence cwr # iptables -F
tuppence cwr # iptables -t nat -F
tuppence cwr # iptables --delete-chain
tuppence cwr # iptables --table nat --delete-chain
tuppence cwr # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables: No chain/target/match by that name.
tuppence cwr #

I've checked the kernel configs, and they are ok, and forwarding is set up in sysctl.conf;
does anyone have any ideas that I could try before building a full-scale firewall/router?
Thanks - Will
Last edited by cwr on Sat Jun 22, 2013 7:57 am; edited 1 time in total

papahuhn l33t
Joined: 06 Sep 2004 Posts: 626
Posted: Fri Jun 21, 2013 6:57 pm Post subject:
Seems that your kernel config is not okay after all. However, which networks do you need to route (to)? Maybe you don't need NAT?
_________________
Death by snoo-snoo!

dE_logics Advocate
Joined: 02 Jan 2009 Posts: 2253 Location: $TERM
Posted: Sat Jun 22, 2013 7:28 am Post subject:
There appears to be something wrong with one of --
-A POSTROUTING -o eth0 -j MASQUERADE
How about changing the jump, match and chain to something that is known to work on your system, e.g. drop for, tcp match and -A to input one by one, so you can figure out the missing modules.
_________________
My blog

cwr Veteran
Joined: 17 Dec 2005 Posts: 1969
Posted: Sat Jun 22, 2013 7:56 am Post subject:
OK, problem solved. I had the "standard" iptables stuff configured in the kernel, but that's
apparently not enough. I went back and added every iptables option in sight and rebuilt
the kernel and it worked.
Thanks for the ideas - Will

Hu Moderator
Joined: 06 Mar 2007 Posts: 21633
Posted: Sat Jun 22, 2013 4:11 pm Post subject:
The MASQUERADE target is part of NAT and is not standard for a simple packet filter. Enabling that was likely the key.

cwr Veteran
Joined: 17 Dec 2005 Posts: 1969
Posted: Sun Jun 23, 2013 7:10 pm Post subject:
Yes, at some point I need to go back and weed out all the obviously irrelevant stuff and
test it again, but for now, it "just works".
Thanks for the tip - Will
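
The option check implied by the resolution above, as an added example that is not part of the original thread: it reads a kernel config and lists which of the options the MASQUERADE target relies on are switched off. The symbol list follows mainline kernel trees and is an assumption (names differ across kernel versions); the sample config is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list kernel options that the
# MASQUERADE target depends on but that a given kernel config leaves off.
# Assumption: symbol names as found in mainline kernel trees; which of
# them apply, and under what name, depends on the kernel version.
REQUIRED_OPTS="CONFIG_NETFILTER CONFIG_NF_CONNTRACK CONFIG_NF_NAT
CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_NAT CONFIG_IP_NF_TARGET_MASQUERADE"

# missing_nat_opts: read a kernel config on stdin and print each required
# symbol that is neither built in (=y) nor built as a module (=m).
missing_nat_opts() {
    cfg=$(cat)
    for opt in $REQUIRED_OPTS; do
        printf '%s\n' "$cfg" | grep -Eq "^${opt}=[ym]\$" || printf '%s\n' "$opt"
    done
}

# running_config: print the running kernel's config from the usual places.
running_config() {
    if [ -r /proc/config.gz ]; then
        gzip -dc /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    elif [ -r /usr/src/linux/.config ]; then
        cat /usr/src/linux/.config
    else
        echo "no kernel config found" >&2
        return 1
    fi
}

# Constructed sample: a packet-filter-only config, i.e. iptables with the
# filter table enabled but none of the NAT pieces.
sample_filter_only_config() {
    cat <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=m
# CONFIG_NF_NAT is not set
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
EOF
}

# On a live system:  running_config | missing_nat_opts
# Here the check runs over the constructed sample instead.
sample_filter_only_config | missing_nat_opts
```

An empty result means every listed option is enabled; any symbol printed is a candidate for the "No chain/target/match by that name" error seen with `-t nat ... -j MASQUERADE`.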