Work at SourceForge, help us to make it a better place! We have an immediate need for a Support Technician in our San Francisco or Denver office.
I have created a good firewall with fwbuilder. It's quite basic : Interface em1 facing outside with static public IP, Interface em2 facing inside with static private IP.
Everything is worked as desired except NAT.
This is the NAT line I have :
# ================ Table 'nat', rule set NAT
# Rule 0 (NAT)
echo "Rule 0 (NAT)"
$IPTABLES -t nat -A POSTROUTING -o em1 -s 192.168.0.0/24 -j SNAT -to-source PUBLICIP
IPv4 Forward is on on the fwbuilder options.
I have checked the user guide and that should be correct.
However, if for example I try to ping from 192.168.0.101 an internet host, using as default gw the firewall host ip (192.168.0.100) it doesn't work.
I have tried this on the Linux host running the firewall just to check :
service iptables stop
iptables -t nat -A POSTROUTING -o em1 -j MASQUERADE
iptables -A FORWARD -i em1 -o em2 -m state -state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i em2 -o em1 -j ACCEPT
And this works! A 192.168.0.101 client can ping internet hosts, using as gateway the firewall host IP.
Could someone please help me ?
Thanks in advance.
check if you have policy rule to permit packets from 192.168.0.0/24 to any
make sure checkbox "permit packets in states ESTABLISHED,RELATED" is turned on in the firewall object settings dialog
check if generated iptables script is actually activated on the firewall and if it loaded with no errors
check log files on the firewall to see if packets are blocked and which rule blocks them. Iptables log records should include "RULE NN - DENY" (where NN is rule number). If they do not include rule number like that, then something is wrong and iptables rules that work on the firewall are not those generated by fwbuilder
The checkbox is ok.
The generated iptables script is activated.
I don't have a policy rule to permit packets from 192.168.0.0/24 to any.
Should I safely add the following rule :
From 192.168.0.0/24 (Source) to any (Destination) any (Service) private (Interface) both (Direction) accept (Action)
Do you think it's allright ?
you need a rule to permit packets, NAT alone does only translation but does not permit packets. The rule you suggest looks ok. You probably dont need to match interface in it since you only have two interfaces. Make sure this rule is above the last "catch all" rule in your policy
Ok. I can confirm after adding that rule, it works!!!
Thanks man! You made my day!