
NAT rule not working on Ubuntu 12.04

2012-10-13
2013-03-05
  • Hi, I followed your excellent article on Linux Journal on how to set up a cluster using conntrackd and keepalived.  I believe I have everything configured correctly; however, my NAT policy to allow the internal network outbound Internet access is not working.  Is there an issue using SNAT with Linux 3.x kernels (like Ubuntu 12.04)?  In the .fw script, I have the following line (generated by fwbuilder, of course):

        echo "Rule 0 (NAT)"
        #
        $IPTABLES -t nat -A POSTROUTING -o eth0   -s 10.7.112.0/22  -j SNAT --to-source 67.202.219.212

    However, that one rule doesn't seem to take (everything else takes just fine):

    root@cstfw01:/etc/fw# iptables -S|grep NAT
    root@cstfw01:/etc/fw#

    Here is the complete output of iptables -S:

    root@cstfw01:/etc/fw# iptables -S
    -P INPUT DROP
    -P FORWARD DROP
    -P OUTPUT DROP
    -N In_RULE_0
    -N RULE_5
    -N RULE_7
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -s 10.7.112.7/32 -d 224.0.0.18/32 -i eth1 -p vrrp -j ACCEPT
    -A INPUT -s 67.202.219.214/32 -d 224.0.0.18/32 -i eth0 -p vrrp -j ACCEPT
    -A INPUT -s 10.7.112.5/32 -i eth0 -j In_RULE_0
    -A INPUT -s 10.7.112.6/32 -i eth0 -j In_RULE_0
    -A INPUT -s 10.7.112.0/22 -i eth0 -j In_RULE_0
    -A INPUT -s 127.0.0.1/32 -i eth0 -j In_RULE_0
    -A INPUT -s 192.168.100.2/32 -i eth0 -j In_RULE_0
    -A INPUT -i eth2 -m state --state NEW -j ACCEPT
    -A INPUT -i lo -m state --state NEW -j ACCEPT
    -A INPUT -s 10.7.112.0/22 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
    -A INPUT -j RULE_5
    -A INPUT -s 10.7.112.0/22 -m state --state NEW -j ACCEPT
    -A INPUT -j RULE_7
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -s 10.7.112.5/32 -i eth0 -j In_RULE_0
    -A FORWARD -s 10.7.112.6/32 -i eth0 -j In_RULE_0
    -A FORWARD -s 10.7.112.0/22 -i eth0 -j In_RULE_0
    -A FORWARD -s 127.0.0.1/32 -i eth0 -j In_RULE_0
    -A FORWARD -s 192.168.100.2/32 -i eth0 -j In_RULE_0
    -A FORWARD -i eth2 -m state --state NEW -j ACCEPT
    -A FORWARD -o eth2 -m state --state NEW -j ACCEPT
    -A FORWARD -s 10.7.112.0/22 -m state --state NEW -j ACCEPT
    -A FORWARD -j RULE_7
    -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -d 224.0.0.18/32 -o eth1 -p vrrp -j ACCEPT
    -A OUTPUT -d 224.0.0.18/32 -o eth0 -p vrrp -j ACCEPT
    -A OUTPUT -o eth2 -m state --state NEW -j ACCEPT
    -A OUTPUT -o lo -m state --state NEW -j ACCEPT
    -A OUTPUT -d 10.7.112.0/22 -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
    -A OUTPUT -d 10.7.112.0/22 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
    -A OUTPUT -d 10.7.112.5/32 -j RULE_5
    -A OUTPUT -d 10.7.112.6/32 -j RULE_5
    -A OUTPUT -d 67.202.219.212/32 -j RULE_5
    -A OUTPUT -d 67.202.219.213/32 -j RULE_5
    -A OUTPUT -d 192.168.100.2/32 -j RULE_5
    -A OUTPUT -s 10.7.112.0/22 -m state --state NEW -j ACCEPT
    -A OUTPUT -j RULE_7
    -A In_RULE_0 -j LOG --log-prefix "RULE 0 - DENY " --log-level 6
    -A In_RULE_0 -j DROP
    -A RULE_5 -j LOG --log-prefix "RULE 5 - DENY " --log-level 6
    -A RULE_5 -j DROP
    -A RULE_7 -j LOG --log-prefix "RULE 7 - DENY " --log-level 6
    -A RULE_7 -j DROP

     
  • Vadim Kurland
    2012-10-13

    Try

    iptables -t nat -S
    
     
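    Vadim's one-line hint is the whole explanation of the symptom in the first post: `iptables -S` with no `-t` option lists only the filter table, so an SNAT rule that lives in the nat table's POSTROUTING chain never appears there, and `grep NAT` on that output proves nothing either way. The script below is an added example, not code from this thread or from fwbuilder. Its two dumps are constructed to mirror the rules quoted above (on a real host you would pass in `"$(iptables -S)"` and `"$(iptables -t nat -S)"` instead), and the helper names `count_target`, `snat_source_for` and `table_with_target` are my own. The parser accepts `-s` and `-o` in either order, so it works on both the fwbuilder-generated line and the normalised form that `iptables -S` prints back.

```shell
#!/bin/sh
# Added example: why "iptables -S | grep NAT" is the wrong check for an SNAT
# rule, and a table-aware check that looks in the right place.
# Both dumps are CONSTRUCTED to resemble the thread; they are not live output.

# What "iptables -S" prints: the filter table only (abridged).
FILTER_DUMP='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.7.112.0/22 -m state --state NEW -j ACCEPT'

# What "iptables -t nat -S" prints: the nat table, where SNAT actually lives.
NAT_DUMP='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.7.112.0/22 -o eth0 -j SNAT --to-source 67.202.219.212'

# count_target DUMP TARGET
# Number of rules in DUMP whose jump target is exactly TARGET.
# "|| true" keeps a zero count from being reported as a failure under set -e.
count_target() {
    printf '%s\n' "$1" | grep -c -E -- "-j $2( |$)" || true
}

# snat_source_for DUMP SRC OUT_IF
# Prints the --to-source address of the POSTROUTING SNAT rule that matches
# source SRC leaving interface OUT_IF; prints nothing if no such rule exists.
snat_source_for() {
    printf '%s\n' "$1" | awk -v src="$2" -v oif="$3" '
        $1 == "-A" && $2 == "POSTROUTING" {
            s = ""; o = ""; tgt = ""; to = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-s") s = $(i + 1)
                else if ($i == "-o") o = $(i + 1)
                else if ($i == "-j") tgt = $(i + 1)
                else if ($i == "--to-source") to = $(i + 1)
            }
            if (s == src && o == oif && tgt == "SNAT") { print to; exit }
        }'
}

# table_with_target TARGET
# Reports which of the two dumps contains a rule jumping to TARGET:
# "filter", "nat", or "none". This is the check the first post needed.
table_with_target() {
    if [ "$(count_target "$FILTER_DUMP" "$1")" -gt 0 ]; then
        echo filter
    elif [ "$(count_target "$NAT_DUMP" "$1")" -gt 0 ]; then
        echo nat
    else
        echo none
    fi
}

# Stand-alone demonstration of the thread's situation.
echo "SNAT rules visible in plain 'iptables -S':   $(count_target "$FILTER_DUMP" SNAT)"
echo "SNAT rules visible in 'iptables -t nat -S':  $(count_target "$NAT_DUMP" SNAT)"
echo "SNAT table for the rule: $(table_with_target SNAT)"
echo "10.7.112.0/22 out eth0 is translated to: $(snat_source_for "$NAT_DUMP" 10.7.112.0/22 eth0)"
```

    Note that a present rule is only half the story: as the original poster found, traffic has to reach the firewall host at all before POSTROUTING sees it, so a check like this confirms the rule set, not the routing in front of it.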
  • Ok, wow, FWbuilder was working just fine.  I messed up and had two default routes on my layer 3 switch, which meant most traffic wasn't even flowing to my iptables host.

    Thanks for making such a great piece of software.  FWbuilder rocks!