Iptables Forwarding Problem – Troubleshooting Guide

Tags: iptables, linux, linux-networking

I had initially asked a question about setting up my Linux box for NATting for my home network and was given suggestions in the thread here. Did not want to clutter the old question, so starting a new one here.

Based on the earlier suggestions, I have come up with the following rules:

*nat
:PREROUTING ACCEPT [1:48]
:OUTPUT ACCEPT [12:860]
:POSTROUTING ACCEPT [3:228]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

*filter
:INPUT DROP [3:228]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p icmp -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i eth1 -p icmp -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT

If you notice, I do have the proper MASQUERADING rule and the proper FORWARD filter rule as well.
However, I am facing 2 problems:

  1. On the Linux box itself, DNS resolving is not working.
  2. The LAN clients connected to the Linux box are still not able to get to the internet. When I ping something from them, I see the DROP count in the iptables INPUT rule increasing.

Now my question is: when I am pinging something from the LAN client, how come it is being matched by the INPUT chain?! Should it not be in the FORWARD chain?

Chain INPUT (policy DROP 20 packets, 2314 bytes)
 pkts bytes target     prot opt in     out     source               destination
   99  9891 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     icmp --  eth0   any     anywhere             anywhere
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:http
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:https
  122  9092 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:ssh

Thanks ankit

UPDATE:

I have managed to work out the DNS problems. The only thing not working right now is the forwarding.

These are the rules I have right now:

Chain INPUT (policy DROP 1158 packets, 89867 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
   59  5448 ACCEPT     icmp --  any    any     anywhere             anywhere
  643 47995 ACCEPT     udp  --  eth0   any     anywhere             anywhere            udp spt:domain dpts:1024:65535
   54  7811 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:http
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:https
 4168  273K ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:ssh

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
 1806  156K ACCEPT     tcp  --  eth1   any     anywhere             anywhere            tcp dpt:http
   91 19451 ACCEPT     tcp  --  eth1   any     anywhere             anywhere            tcp dpt:https
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp spts:1024:65535 dpt:domain
10973  638K LOG_DROP   all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   80  6734 ACCEPT     icmp --  any    any     anywhere             anywhere
 6327 2445K ACCEPT     all  --  any    any     anywhere             anywhere

Chain LOG_DROP (1 references)
 pkts bytes target     prot opt in     out     source               destination
10973  638K LOG        all  --  any    any     anywhere             anywhere            LOG level warning tcp-options ip-options prefix `[IPTABLES DROP] :'
10973  638K DROP       all  --  any    any     anywhere             anywhere

  1. As you can see, I have created a LOG_DROP chain to log all the dropped packets.
  2. On one of my LAN clients I am pinging Google, but get no reply.

This is what I see in the message log:

Feb 12 17:15:15 LINUX-GATEWAY kernel: [206384.605899] [IPTABLES DROP] :IN=eth1 OUT=eth0 SRC=192.168.4.100 DST=74.125.226.80 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=15546 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=11288
Feb 12 17:15:20 LINUX-GATEWAY kernel: [206389.606038] [IPTABLES DROP] :IN=eth1 OUT=eth0 SRC=192.168.4.100 DST=74.125.226.80 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=15560 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=11289
Feb 12 17:15:25 LINUX-GATEWAY kernel: [206394.607171] [IPTABLES DROP] :IN=eth1 OUT=eth0 SRC=192.168.4.100 DST=74.125.226.80 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=15573 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=11290
Feb 12 17:15:30 LINUX-GATEWAY kernel: [206399.606336] [IPTABLES DROP] :IN=eth1 OUT=eth0 SRC=192.168.4.100 DST=74.125.226.80 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=15588 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=11291
Feb 12 17:15:35 LINUX-GATEWAY kernel: [206404.620397] [IPTABLES DROP] :IN=eth1 OUT=eth0 SRC=192.168.4.100 DST=74.125.226.80 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=15603 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=11292

So the ping packets from the LAN client are being dropped in the FORWARD chain (the only chain with LOG_DROP).

I can't figure out why. Any ideas?
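A small parser for those LOG_DROP lines, added here as an example rather than anything from the original post: it pulls the KEY=VALUE fields out of the kernel log and infers the chain from whether IN and OUT are both set, which is the quick way to settle the INPUT-versus-FORWARD question asked above. The first two sample lines are the post's own; the third line, the addresses and MAC in it, and the function names are constructed.

```python
import re
from collections import Counter

# Prefix used by the LOG_DROP chain in the question, followed by the
# KEY=VALUE fields that the LOG target writes. \S* lets an empty "OUT=" parse.
DROP_RE = re.compile(r"\[IPTABLES DROP\] :(.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample: the first two lines are copied from the question; the
# third is made up here (documentation-range addresses, fake MAC) to show an
# INPUT-style record, which carries IN= but an empty OUT=.
SAMPLE_LOG = """\
Feb 12 17:15:15 LINUX-GATEWAY kernel: [206384.605899] [IPTABLES DROP] :IN=eth1 OUT=eth0 SRC=192.168.4.100 DST=74.125.226.80 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=15546 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=11288
Feb 12 17:15:20 LINUX-GATEWAY kernel: [206389.606038] [IPTABLES DROP] :IN=eth1 OUT=eth0 SRC=192.168.4.100 DST=74.125.226.80 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=15560 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=11289
Feb 12 17:16:01 LINUX-GATEWAY kernel: [206430.000000] [IPTABLES DROP] :IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=4444 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
"""

def parse_drop_line(line):
    """Fields of one LOG_DROP record as a dict, or None without the prefix.
    Bare flags (SYN) are skipped; the repeated ID= of ICMP keeps the last."""
    m = DROP_RE.search(line)
    return dict(FIELD_RE.findall(m.group(1))) if m else None

def infer_chain(fields):
    """Which filter chain logged it: IN and OUT set -> FORWARD, IN only ->
    INPUT, OUT only -> OUTPUT. A LOG in nat PREROUTING/POSTROUTING would
    look like INPUT/OUTPUT by this rule; the question logs from filter only."""
    has_in, has_out = bool(fields.get("IN")), bool(fields.get("OUT"))
    if has_in and has_out:
        return "FORWARD"
    return "INPUT" if has_in else "OUTPUT" if has_out else "UNKNOWN"

def summarize(log_text):
    """Count drops per (chain, in, out, proto, src, dst) so a stream of
    identical drops such as the ping above collapses to a single row."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_drop_line(line)
        if f is None:
            continue
        counts[(infer_chain(f), f.get("IN", ""), f.get("OUT", ""),
                f.get("PROTO", "?"), f.get("SRC", "?"), f.get("DST", "?"))] += 1
    return counts

if __name__ == "__main__":
    for (chain, i, o, proto, src, dst), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:5d} {chain:<8} in={i or '-':<5} out={o or '-':<5} {proto:<5} {src} -> {dst}")
```

Run against the real file with `summarize(open("/var/log/messages").read())`; a FORWARD row with in=eth1 out=eth0 is traffic the box is routing, and an INPUT row is traffic addressed to the box itself.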

Best Answer

Since you're having problems, I would start by simplifying your configuration. Get rid of all the extraneous rules until you have a basic configuration working. That is, start with:

*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

And make sure you have the necessary sysctl set:

# sysctl -w net.ipv4.ip_forward=1

And now see if things work. If they do work, slowly start making changes. If they don't work, let us know and we'll proceed from there.
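A lint for the prerequisites the answer lists, added here as an example and not the answerer's code: it reads a ruleset in iptables-save format and reports what stops a LAN host from reaching the internet through the box. It goes one step beyond the answer by also flagging a FORWARD chain that drops by default without an ESTABLISHED/RELATED rule, since that blocks the replies coming back in. The abridged ruleset, the interface names and the function names are assumptions.

```python
# Constructed, abridged copy of the question's ruleset in iptables-save format
# (its "*nat" header, missing from the post, is restored here).
QUESTION_RULES = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

def _arg(rule, flag):
    # value that follows `flag` in a split rule, or None if the flag is absent
    return rule[rule.index(flag) + 1] if flag in rule[:-1] else None

def parse_save(text):
    """Minimal iptables-save reader: {table: {"policy": {chain: pol}, "rules": [...]}}."""
    tables, cur = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            cur = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif cur is None or not line:
            continue
        elif line.startswith(":"):
            chain, pol = line[1:].split()[:2]
            cur["policy"][chain] = pol
        elif line.startswith("-A "):
            cur["rules"].append(line.split())
    return tables

def check_nat_gateway(text, ip_forward, lan="eth1", wan="eth0"):
    """List what is missing for hosts on `lan` to reach the internet via `wan`."""
    t = parse_save(text)
    findings = [] if ip_forward == 1 else ["net.ipv4.ip_forward is not 1, so the kernel will not route at all"]
    nat = t.get("nat", {"rules": []})["rules"]
    if not any(r[1] == "POSTROUTING" and _arg(r, "-j") == "MASQUERADE" and _arg(r, "-o") == wan for r in nat):
        findings.append(f"no MASQUERADE rule for -o {wan} in nat POSTROUTING")
    flt = t.get("filter", {"policy": {}, "rules": []})
    fwd = [r for r in flt["rules"] if r[1] == "FORWARD"]
    if flt["policy"].get("FORWARD") != "ACCEPT":
        if not any(_arg(r, "-i") == lan and _arg(r, "-j") == "ACCEPT" for r in fwd):
            findings.append(f"FORWARD policy is DROP and nothing accepts traffic from {lan}")
        if not any("ESTABLISHED" in w for r in fwd for w in r):
            findings.append("FORWARD policy is DROP with no ESTABLISHED/RELATED rule, so replies never reach the LAN")
    return findings
```

Feed it the output of `iptables-save` and the value of `sysctl -n net.ipv4.ip_forward`; an empty list means the basic forwarding path is in place and any remaining problem is in the rules you add back on top.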