NAT problems

Carlos Pasqualini - SETI
Since: Sep 12, 2007
Posts: 1

(Msg. 1) Posted: Wed Sep 12, 2007 2:40 pm
Post subject: NAT problems
Archived from groups: linux>debian>maint>firewall

hi people,

I've been working with Debian since potato and have had a lot of firewalls, but...
now with lenny I execute my script and it didn't work well (or it didn't
work at all, ugh!)

What changed from kernel 2.6.18 / iptables 1.3.6 to kernel
2.6.22 / iptables 1.3.8 ????

A simple syntax such as
# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
seems not to work well.


I know this will be a really stupid error, but I can't find it.

If someone knows about important changes between etch/lenny I would
appreciate links to documentation about them.

thanks

charly


--
To UNSUBSCRIBE, email to debian-firewall-REQUEST DeleteThis @lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster DeleteThis @lists.debian.org
Pascal Hambourg
Since: Jan 23, 2007
Posts: 17

(Msg. 2) Posted: Wed Sep 12, 2007 5:30 pm
Post subject: Re: NAT problems

Hello,

Carlos Pasqualini - SETI Soluciones Informáticas wrote:
>
> I've been working with Debian since potato and have had a lot of firewalls, but...
> now with lenny I execute my script and it didn't work well (or it didn't
> work at all, ugh!)
>
> What changed from kernel 2.6.18 / iptables 1.3.6 to kernel
> 2.6.22 / iptables 1.3.8 ????

A new NAT framework alternative (nf_nat) was introduced in kernel 2.6.20
in addition to the new IPv4+IPv6 conntrack framework alternative
(nf_conntrack) that was introduced in kernel 2.6.15. The old IPv4-only
conntrack+NAT framework (ip_conntrack+ip_nat) was removed from kernel
2.6.22. Many configuration options related to iptables, connection
tracking and NAT changed location and name.

> a simple syntax as
> # iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> seems not to work well

Can you elaborate?

> if someone knows about important changes about etch/lenny i will
> aprreciate links to documentation about them

Where does your kernel come from? Is it a precompiled Debian package or
did you build it from source? AFAIK, the latest kernel version in
lenny is 2.6.21.


Dan Ritter
Since: Sep 12, 2007
Posts: 1

(Msg. 3) Posted: Wed Sep 12, 2007 5:30 pm
Post subject: Re: NAT problems

On Wed, Sep 12, 2007 at 02:19:50PM -0300, Carlos Pasqualini - SETI Soluciones Informáticas wrote:
> I've been working with Debian since potato and have had a lot of firewalls, but...
> now with lenny I execute my script and it didn't work well (or it didn't
> work at all, ugh!)
>
> What changed from kernel 2.6.18 / iptables 1.3.6 to kernel
> 2.6.22 / iptables 1.3.8 ????
>
> A simple syntax such as
> # iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> seems not to work well.

What error message are you getting?

-dsr-

--
Every time you give up a right, the terrorists win.

http://tao.merseine.nu/~dsr/eula.html is hereby incorporated by reference.


Carlos Pasqualini
Since: Feb 16, 2007
Posts: 3

(Msg. 4) Posted: Thu Sep 13, 2007 12:10 am
Post subject: Re: NAT problems

Pascal


On Wed, 12-09-2007 at 22:22 +0200, Pascal Hambourg wrote:
> Hello,
> [...]

------------------------------------------------------------------------------
> A new NAT framework alternative (nf_nat) was introduced in kernel 2.6.20
> in addition to the new IPv4+IPv6 conntrack framework alternative
> (nf_conntrack) that was introduced in kernel 2.6.15. The old IPv4-only
> conntrack+NAT framework (ip_conntrack+ip_nat) was removed from kernel
> 2.6.22. Many configuration options related to iptables, connection
> tracking and NAT changed location and name.
>

This is what I'm looking for documentation about.
Do you know where the new nf_nat framework is documented??
I want to learn just about it.

------------------------------------------------------------------------------
> [...]

> Where does your kernel come from? Is it a precompiled Debian package or
> did you build it from source? AFAIK, the latest kernel version in
> lenny is 2.6.21.
>
My fault.. it's 2.6.21 (lenny binary).


thanks !!


charly


Pascal Hambourg
Since: Jan 23, 2007
Posts: 17

(Msg. 5) Posted: Thu Sep 13, 2007 5:30 am
Post subject: Re: NAT problems

Carlos Pasqualini wrote:
>
> this is what i'm looking for documentation about
> do you know where the new nf_nat framework is documented??
> i want to learn just about it

I'm afraid there is not much documentation. Anyway there is not so much
to say about it. The primary goal was to add connection tracking for
ip6tables (IPv6). Anything that was not layer 3 (i.e. IPv4 or IPv6)
specific, such as TCP, UDP, FTP... connection tracking was moved away
from IPv4 conntrack and made common. The major difference is that most
ip_conntrack_* and ip_nat_* modules were renamed nf_conntrack* and
nf_nat*. However this should be transparent to iptables. Also aliases of
the old names were added in the new conntrack/nat helper modules for
compatibility, so for instance:
# modprobe ip_nat_ftp
would still work as expected and load the module nf_nat_ftp.ko.

The biggest visible change was in the build options, but it does not
matter if you use a binary kernel package.

>>Where does your kernel come from ? Is it a precompiled Debian package or
>>did you build it from the source ? AFAIK, the latest kernel version in
>>lenny is 2.6.21.
>
> my fault.. it's 2.6.21 (lenny binary)

This one has nf_conntrack/nf_nat enabled anyway.
Again, please describe precisely what is going wrong.


Carlos Pasqualini
Since: Feb 16, 2007
Posts: 3

(Msg. 6) Posted: Thu Sep 13, 2007 7:20 am
Post subject: Re: NAT problems

On Thu, 13-09-2007 at 10:27 +0200, Pascal Hambourg wrote:
> Carlos Pasqualini wrote:
> >
> This one has nf_conntrack/nf_nat enabled anyway.
> Again, please describe precisely what is going wrong.
>
>

The point is just that I don't know what is going on... so I'm looking
for changes that could be the source of the problem.

When I start to implement a Linux box as a router, I test it with a script
that does not filter anything, it just does masquerade. After everything works
well I restart the script, but filtering everything and saying "this packet >
accept".

The early script (the really insecure one) gives me failures in the
network; the script is so simple:

IPTABLES=/sbin/iptables   # variable definitions added so the script runs as posted
EXT=ppp0                  # external interface (ppp0 on the PPPoE box, eth0 in the home test)
INT=eth1                  # internal interface; placeholder, the post does not name it

# "iptables -F for every table / chain..." and "iptables -P ACCEPT for everything"
for t in filter nat mangle; do $IPTABLES -t $t -F; $IPTABLES -t $t -X; done
for c in INPUT FORWARD OUTPUT; do $IPTABLES -P $c ACCEPT; done
$IPTABLES -P INPUT DROP

$IPTABLES -t nat -A POSTROUTING -o $EXT -j MASQUERADE

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -p icmp -j ACCEPT
$IPTABLES -N permitido
$IPTABLES -A permitido -p tcp --syn -j ACCEPT
$IPTABLES -A permitido -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A permitido -p tcp -j DROP
# external tcp open ports
for i in `cat /etc/firewall/conf/ext_tcp_open_ports`; do
    echo -n "iptables -A INPUT --protocol tcp -i $EXT --dport $i -j permitido"
    $IPTABLES -A INPUT -m state --state NEW --protocol tcp -i $EXT --dport $i -j permitido && echo " done!"
done
# (same for input tcp/udp ext/int ports)
# squid routing:
$IPTABLES -t nat -A PREROUTING -d ! 192.168.20.0/24 --protocol tcp -i $INT --dport 80 -j REDIRECT --to-ports 3128
echo 1 > /proc/sys/net/ipv4/ip_forward


As you can see, it's a very stupid script that can't fail!!!
(it can be a security risk, it's ugly.. but no problem about NAT!)


Now I'm making tests at home with this box, the same script, but with only
one change:

the external device is a DHCP client on eth0, not a PPPoE ppp0, and you
know what?? IT WORKS!

So it's nothing about the iptables script ¿WTF?... it's another thing
that I can't find...

When I use ppp0 as the internet connection, I run the script
from /etc/ppp/ip-up.d/firewall.sh for example, so it executes whenever
the ppp device is going up and we have internet access.

The failure was that some websites didn't work, no MSN messenger (WTF?)
and other things like that... some things work, others don't... in a
way that I can't find any logic in. That's why I'm asking for
documentation and not describing the entire situation.

The point that iptables doesn't change anything between the old and new
frameworks tells me a lot. It tells me that I'm making another even more
stupid error !! ;)

again
thanks!!

charly


John W. Foster
Since: Jan 27, 2007
Posts: 6

(Msg. 7) Posted: Thu Sep 13, 2007 12:30 pm
Post subject: Re: NAT problems

On Thursday 13 September 2007 05:13, Carlos Pasqualini wrote:
> [...]
-----------------------------------------------------
When you say some websites work and others don't, do you mean the
websites on your system or web sites on the internet?
Do you have NAT addresses listed on the router that are specifically for your
system? For example, 10.10.10.1 is your main box, 10.10.10.2 is a box in the next
room, 10.10.10.3 is a server in your office, and the address of your router
box that feeds all of these is ###.###.###.### (your real network IP
address).
You probably know more about this than I do, but this looks a lot like a
problem that I ran into when connecting my Adtran hardware router/firewall to
my system. I had to completely reset all of my network addresses and connection
names for my small business network when I implemented NAT addressing
internally but wanted to leave my wife's XP box alone with its DHCP
connection.
--
John W. Foster
Carlos Pasqualini
Since: Feb 16, 2007
Posts: 3

(Msg. 8) Posted: Thu Sep 13, 2007 9:10 pm
Post subject: Re: NAT problems

Héctor

Thanks for the suggestion, I find it more than interesting. I'd ask you
to always remember to reply to the list rather than to the original mail,
so that all the answers get recorded in the mailing list.

regards!

charly

On Thu, 13-09-2007 at 11:36 -0500, Héctor González wrote:
> Hi Carlos, I have had similar problems. It seems that for some reason
> the NAT code requires you to accept incoming packets on the NAT
> interface, and not only related packets but everything.
>
> One way to find out what is happening is to insert LOG rules before
> each point where you drop packets or deny access, so that your log
> shows immediately when the rules are dropping traffic that should
> pass.
>
> Héctor González
> cacho.RemoveThis@genac.org
>
> Carlos Pasqualini wrote:
> > [...]


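Héctor's suggestion of a LOG rule before every DROP point produces kernel log lines; the following is an added Python example (not code from the thread) that parses such lines from a constructed sample, counts drops per rule prefix, interface, protocol and destination port, and flags TCP packets dropped without SYN, which are either stray packets or replies that the ESTABLISHED,RELATED state match did not recognise. The prefixes INPUT-DROP and permitido-DROP are assumed names for LOG rules placed before the INPUT policy drop and before the DROP in the permitido chain.

```python
import re
from collections import Counter

# Constructed sample of netfilter LOG output (kernel log lines), as produced by
# rules like  iptables -A INPUT -j LOG --log-prefix "INPUT-DROP: "  inserted
# just before each DROP point. Addresses are from documentation ranges and
# the prefixes are assumed names, not values taken from the thread.
SAMPLE_LOG = """\
Sep 13 10:01:02 gw kernel: INPUT-DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 13 10:01:03 gw kernel: INPUT-DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=2 DF PROTO=TCP SPT=44322 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 13 10:01:05 gw kernel: INPUT-DROP: IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.9 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=3 DF PROTO=TCP SPT=80 DPT=51234 WINDOW=0 RES=0x00 ACK URGP=0
Sep 13 10:01:06 gw kernel: INPUT-DROP: IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.9 LEN=1492 TOS=0x00 PREC=0x00 TTL=56 ID=4 DF PROTO=TCP SPT=80 DPT=51234 WINDOW=0 RES=0x00 ACK URGP=0
Sep 13 10:01:09 gw kernel: permitido-DROP: IN=ppp0 OUT= MAC= SRC=198.51.100.77 DST=198.51.100.9 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=5 PROTO=TCP SPT=1024 DPT=25 WINDOW=0 RES=0x00 ACK URGP=0
Sep 13 10:01:11 gw kernel: INPUT-DROP: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.20.5 DST=192.168.20.1 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=6 PROTO=UDP SPT=1025 DPT=53 LEN=58
"""

# The LOG prefix sits between "kernel: " and the first "IN=" field.
LOG_RE = re.compile(r"kernel: (?P<prefix>.*?)\s*IN=(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Return a dict of the LOG fields for one kernel log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rest = "IN=" + m.group("rest")
    fields = dict(KV_RE.findall(rest))  # empty values (OUT=, MAC=) are kept as ""
    # Bare tokens such as SYN, ACK or DF carry no '=' and are collected as flags.
    fields["flags"] = {tok for tok in rest.split() if "=" not in tok}
    fields["prefix"] = m.group("prefix").rstrip(": ")
    return fields


def summarize(log_text):
    """Count dropped packets per (rule prefix, in-interface, proto, dst port)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f:
            counts[(f["prefix"], f["IN"], f.get("PROTO"), f.get("DPT"))] += 1
    return counts


def suspicious_drops(log_text):
    """TCP packets dropped without SYN: stray packets, or replies to flows that
    the ESTABLISHED,RELATED state match failed to recognise (check conntrack)."""
    hits = []
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f and f.get("PROTO") == "TCP" and "SYN" not in f["flags"]:
            hits.append((f["prefix"], f["SRC"], f["SPT"], f["DST"], f["DPT"]))
    return hits
```

Feed it `dmesg` or `/var/log/kern.log` output instead of the sample to see which rule is discarding traffic that should have passed.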
All times are Pacific Time (US & Canada).