NAT not working

2012-03-22
2013-03-05
  • David McGiven
    2012-03-22

    Hi there!

    I have created a good firewall with fwbuilder. It's quite basic: interface em1 facing outside with a static public IP, interface em2 facing inside with a static private IP.

    Everything works as desired except NAT.

    This is the NAT line I have:

        # ================ Table 'nat',  rule set NAT
        #
        # Rule 0 (NAT)
        #
        echo "Rule 0 (NAT)"
        #
        # SNAT the LAN to the public address when leaving through em1
        $IPTABLES -t nat -A POSTROUTING -o em1   -s 192.168.0.0/24  -j SNAT --to-source PUBLICIP

    IPv4 forwarding is turned on in the fwbuilder options.

    I have checked the user guide and that should be correct.

    However, if, for example, I try to ping an internet host from 192.168.0.101, using the firewall host IP (192.168.0.100) as the default gateway, it doesn't work.

    I have tried this on the Linux host running the firewall just to check:

        service iptables stop
        # masquerade everything leaving through the outside interface
        iptables -t nat -A POSTROUTING -o em1 -j MASQUERADE
        # allow replies back in, and anything from the LAN out
        iptables -A FORWARD -i em1 -o em2 -m state --state RELATED,ESTABLISHED -j ACCEPT
        iptables -A FORWARD -i em2 -o em1 -j ACCEPT

    And this works! A 192.168.0.101 client can ping internet hosts, using as gateway the firewall host IP.

    Could someone please help me?

    Thanks in advance.

    Regards,
    D.

     
  • Vadim Kurland
    2012-03-22

    Check if you have a policy rule to permit packets from 192.168.0.0/24 to any.

    Make sure the checkbox "permit packets in states ESTABLISHED,RELATED" is turned on in the firewall object settings dialog.

    Check if the generated iptables script is actually activated on the firewall and if it loaded with no errors.

    Check the log files on the firewall to see if packets are blocked and which rule blocks them. Iptables log records should include "RULE NN - DENY" (where NN is the rule number). If they do not include a rule number like that, then something is wrong and the iptables rules that work on the firewall are not those generated by fwbuilder.
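
One way to act on the log check above, as an added Python example that is not part of this thread or of fwbuilder: it parses constructed kernel log lines carrying the "RULE NN -- DENY" prefix and reports which rule is dropping the LAN's forwarded traffic, and separately counts records with no rule prefix at all (the "rules are not fwbuilder's" symptom). The exact log layout, interface names and addresses are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log lines in the shape fwbuilder-generated rules log with
# (assumed prefix "RULE <n> -- DENY"); not captured from a real firewall.
SAMPLE_LOG = """\
Mar 22 10:01:02 fw kernel: RULE 4 -- DENY IN=em2 OUT=em1 SRC=192.168.0.101 DST=203.0.113.10 PROTO=ICMP TYPE=8
Mar 22 10:01:03 fw kernel: RULE 4 -- DENY IN=em2 OUT=em1 SRC=192.168.0.101 DST=203.0.113.10 PROTO=ICMP TYPE=8
Mar 22 10:01:05 fw kernel: RULE 1 -- DENY IN=em1 OUT= SRC=198.51.100.7 DST=203.0.113.1 PROTO=TCP DPT=22
Mar 22 10:01:06 fw kernel: IN=em2 OUT=em1 SRC=192.168.0.102 DST=203.0.113.10 PROTO=UDP DPT=53
"""

# Accept one or more dashes between the rule number and the action.
LOG_RE = re.compile(r"RULE\s+(?P<rule>\d+)\s+-+\s+(?P<action>\w+)\s+(?P<fields>.*)$")


def parse_line(line):
    """Return a dict for an fwbuilder-style log record, or None if the rule prefix is absent."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"rule": int(m.group("rule")), "action": m.group("action")}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
    return rec


def blocked_forwards(log_text, lan="192.168.0.0/24", inside="em2", outside="em1"):
    """Count DENY records per rule number for LAN traffic forwarded inside->outside.

    Also return how many netfilter records lack the "RULE NN" prefix: if that is
    non-zero, rules other than fwbuilder's generated script are in effect.
    """
    net = ip_network(lan)
    per_rule = Counter()
    untagged = 0
    for line in log_text.splitlines():
        if "kernel:" not in line or "IN=" not in line:
            continue  # not a netfilter log record
        rec = parse_line(line)
        if rec is None:
            untagged += 1
            continue
        if rec["action"] != "DENY":
            continue
        src = ip_address(rec.get("SRC", "0.0.0.0"))
        if rec.get("IN") == inside and rec.get("OUT") == outside and src in net:
            per_rule[rec["rule"]] += 1
    return per_rule, untagged
```

Running `blocked_forwards(SAMPLE_LOG)` on the constructed lines points at rule 4 as the one dropping the LAN's forwarded pings, which is the rule to look at (or the one a new "LAN to any, accept" rule must sit above).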

     
  • David McGiven
    2012-03-22

    Hi vkurland,

    The checkbox is ok.

    The generated iptables script is activated.

    I don't have a policy rule to permit packets from 192.168.0.0/24 to any.

    Can I safely add the following rule:

    From 192.168.0.0/24 (Source) to any (Destination) any (Service) private (Interface) both (Direction) accept (Action)

    Do you think it's all right?

     
  • Vadim Kurland
    2012-03-22

    You need a rule to permit packets; NAT alone does only translation but does not permit packets. The rule you suggest looks OK. You probably don't need to match the interface in it since you only have two interfaces. Make sure this rule is above the last "catch all" rule in your policy.

     
  • David McGiven
    2012-03-22

    OK. I can confirm that after adding that rule, it works!!!

     
  • David McGiven
    2012-03-22

    Thanks man! You made my day!