  • David McGiven

    David McGiven - 2012-03-22

    Hi there!

    I have created a good firewall with fwbuilder. It's quite basic: interface em1 facing outside with a static public IP, interface em2 facing inside with a static private IP.

    Everything works as desired except NAT.

    This is the NAT line I have:

        # ================ Table 'nat',  rule set NAT
        # Rule 0 (NAT)
        echo "Rule 0 (NAT)"
        $IPTABLES -t nat -A POSTROUTING -o em1   -s  -j SNAT --to-source PUBLICIP

    IPv4 Forward is on in the fwbuilder options.

    I have checked the user guide and that should be correct.

    However, if for example I try to ping from an internet host, using the firewall host IP as default gw ( it doesn't work.

    I have tried this on the Linux host running the firewall just to check:

        service iptables stop
        iptables -t nat -A POSTROUTING -o em1 -j MASQUERADE
        iptables -A FORWARD -i em1 -o em2 -m state --state RELATED,ESTABLISHED -j ACCEPT
        iptables -A FORWARD -i em2 -o em1 -j ACCEPT

    And this works! A client can ping internet hosts, using as gateway the firewall host IP.

    Could someone please help me?

    Thanks in advance.


  • Vadim Kurland

    Vadim Kurland - 2012-03-22

    check if you have a policy rule to permit packets from to any

    make sure checkbox "permit packets in states ESTABLISHED,RELATED" is turned on in the firewall object settings dialog

    check if generated iptables script is actually activated on the firewall and if it loaded with no errors

    check log files on the firewall to see if packets are blocked and which rule blocks them. Iptables log records should include "RULE NN - DENY" (where NN is the rule number). If they do not include a rule number like that, then something is wrong and the iptables rules that work on the firewall are not those generated by fwbuilder.

  • David McGiven

    David McGiven - 2012-03-22

    Hi vkurland,

    The checkbox is ok.

    The generated iptables script is activated.

    I don't have a policy rule to permit packets from to any.

    Can I safely add the following rule:

    From (Source) to any (Destination) any (Service) private (Interface) both (Direction) accept (Action)

    Do you think it's all right?

  • Vadim Kurland

    Vadim Kurland - 2012-03-22

    you need a rule to permit packets; NAT alone does only translation but does not permit packets. The rule you suggest looks ok. You probably don't need to match the interface in it since you only have two interfaces. Make sure this rule is above the last "catch all" rule in your policy.
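
A minimal rule set of the kind this answer describes, as an added example (not David's script or fwbuilder's generated output): it prints the rules as a dry run, checks that the LAN accept rule sits above the catch-all drop, and pulls rule numbers out of log lines in the "RULE NN - DENY" format. The network, public address and log lines are constructed values, not from the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from fwbuilder's generated script.
# Values below are constructed: adjust OUTSIDE/INSIDE, LAN_NET and PUBLIC_IP.
OUTSIDE=em1
INSIDE=em2
LAN_NET=192.168.1.0/24      # assumed private network behind em2
PUBLIC_IP=203.0.113.10      # assumed static public address on em1

# Dry run: print the rules instead of loading them. Drop the 'echo' to apply.
IPT="echo iptables"

iptables_rules() {
    # 1. NAT only rewrites the source address; it permits nothing by itself.
    $IPT -t nat -A POSTROUTING -o "$OUTSIDE" -s "$LAN_NET" -j SNAT --to-source "$PUBLIC_IP"
    # 2. Return traffic for flows already accepted (the fwbuilder checkbox).
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 3. The policy rule the thread was missing: LAN to anywhere, out via em1.
    $IPT -A FORWARD -i "$INSIDE" -o "$OUTSIDE" -s "$LAN_NET" -j ACCEPT
    # 4. Catch-all: log with a numbered prefix, then drop.
    $IPT -A FORWARD -j LOG --log-prefix "RULE 3 - DENY "
    $IPT -A FORWARD -j DROP
}

# Succeeds only if the LAN accept rule is listed before the catch-all DROP,
# which is the ordering requirement for the rule to ever match.
rule_order_ok() {
    rules=$(iptables_rules)
    accept=$(printf '%s\n' "$rules" | grep -n -- "-s $LAN_NET -j ACCEPT" | cut -d: -f1)
    drop=$(printf '%s\n' "$rules" | grep -n -- "-j DROP" | cut -d: -f1)
    [ -n "$accept" ] && [ -n "$drop" ] && [ "$accept" -lt "$drop" ]
}

# Reads kernel log lines on stdin and prints each rule number that denied
# packets, once, in ascending order. No output means nothing was logged as
# denied by a numbered rule, i.e. the loaded rules are not fwbuilder's.
denied_rule_numbers() {
    sed -n 's/.*RULE \([0-9][0-9]*\) - DENY.*/\1/p' | sort -n | uniq
}

# Constructed log lines in the "RULE NN - DENY" format the thread describes.
SAMPLE_LOG='Mar 22 10:00:01 fw kernel: RULE 3 - DENY IN=em2 OUT=em1 SRC=192.168.1.20 DST=8.8.8.8 PROTO=ICMP
Mar 22 10:00:02 fw kernel: RULE 3 - DENY IN=em2 OUT=em1 SRC=192.168.1.20 DST=8.8.8.8 PROTO=ICMP
Mar 22 10:00:05 fw kernel: RULE 1 - DENY IN=em1 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=23'

iptables_rules
printf '%s\n' "$SAMPLE_LOG" | denied_rule_numbers     # prints 1 then 3
```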

  • David McGiven

    David McGiven - 2012-03-22

    OK. I can confirm that after adding that rule, it works!!!

  • David McGiven

    David McGiven - 2012-03-22

    Thanks man! You made my day!


