NAT rule not working on Ubuntu 12.04

2012-10-13
2013-03-05
  • Luke Youngblood

    Luke Youngblood - 2012-10-13

    Hi, I followed your excellent article on Linux Journal on how to set up a cluster using conntrackd and keepalived.  I believe I have everything configured correctly, however, my NAT policy to allow the internal network outbound Internet access is not working.  Is there an issue using SNAT with Linux 3.x kernels (like Ubuntu 12.04)?  In the .fw script, I have the following line (generated by fwbuilder, of course):

        echo "Rule 0 (NAT)"
        #
        $IPTABLES -t nat -A POSTROUTING -o eth0   -s 10.7.112.0/22  -j SNAT --to-source 67.202.219.212

    However, that one rule doesn't seem to take (everything else takes just fine):

    root@cstfw01:/etc/fw# iptables -S|grep NAT
    root@cstfw01:/etc/fw#

    Here is the complete output of iptables -S:

    root@cstfw01:/etc/fw# iptables -S
    -P INPUT DROP
    -P FORWARD DROP
    -P OUTPUT DROP
    -N In_RULE_0
    -N RULE_5
    -N RULE_7
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -s 10.7.112.7/32 -d 224.0.0.18/32 -i eth1 -p vrrp -j ACCEPT
    -A INPUT -s 67.202.219.214/32 -d 224.0.0.18/32 -i eth0 -p vrrp -j ACCEPT
    -A INPUT -s 10.7.112.5/32 -i eth0 -j In_RULE_0
    -A INPUT -s 10.7.112.6/32 -i eth0 -j In_RULE_0
    -A INPUT -s 10.7.112.0/22 -i eth0 -j In_RULE_0
    -A INPUT -s 127.0.0.1/32 -i eth0 -j In_RULE_0
    -A INPUT -s 192.168.100.2/32 -i eth0 -j In_RULE_0
    -A INPUT -i eth2 -m state --state NEW -j ACCEPT
    -A INPUT -i lo -m state --state NEW -j ACCEPT
    -A INPUT -s 10.7.112.0/22 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
    -A INPUT -j RULE_5
    -A INPUT -s 10.7.112.0/22 -m state --state NEW -j ACCEPT
    -A INPUT -j RULE_7
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -s 10.7.112.5/32 -i eth0 -j In_RULE_0
    -A FORWARD -s 10.7.112.6/32 -i eth0 -j In_RULE_0
    -A FORWARD -s 10.7.112.0/22 -i eth0 -j In_RULE_0
    -A FORWARD -s 127.0.0.1/32 -i eth0 -j In_RULE_0
    -A FORWARD -s 192.168.100.2/32 -i eth0 -j In_RULE_0
    -A FORWARD -i eth2 -m state --state NEW -j ACCEPT
    -A FORWARD -o eth2 -m state --state NEW -j ACCEPT
    -A FORWARD -s 10.7.112.0/22 -m state --state NEW -j ACCEPT
    -A FORWARD -j RULE_7
    -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -d 224.0.0.18/32 -o eth1 -p vrrp -j ACCEPT
    -A OUTPUT -d 224.0.0.18/32 -o eth0 -p vrrp -j ACCEPT
    -A OUTPUT -o eth2 -m state --state NEW -j ACCEPT
    -A OUTPUT -o lo -m state --state NEW -j ACCEPT
    -A OUTPUT -d 10.7.112.0/22 -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
    -A OUTPUT -d 10.7.112.0/22 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
    -A OUTPUT -d 10.7.112.5/32 -j RULE_5
    -A OUTPUT -d 10.7.112.6/32 -j RULE_5
    -A OUTPUT -d 67.202.219.212/32 -j RULE_5
    -A OUTPUT -d 67.202.219.213/32 -j RULE_5
    -A OUTPUT -d 192.168.100.2/32 -j RULE_5
    -A OUTPUT -s 10.7.112.0/22 -m state --state NEW -j ACCEPT
    -A OUTPUT -j RULE_7
    -A In_RULE_0 -j LOG --log-prefix "RULE 0 - DENY " --log-level 6
    -A In_RULE_0 -j DROP
    -A RULE_5 -j LOG --log-prefix "RULE 5 - DENY " --log-level 6
    -A RULE_5 -j DROP
    -A RULE_7 -j LOG --log-prefix "RULE 7 - DENY " --log-level 6
    -A RULE_7 -j DROP

     
  • Vadim Kurland

    Vadim Kurland - 2012-10-13

    Try

    iptables -t nat -S
    
     
  • Luke Youngblood

    Luke Youngblood - 2012-10-14

    Ok, wow, FWbuilder was working just fine.  I messed up and had two default routes on my layer 3 switch, which meant most traffic wasn't even flowing to my iptables host.

    Thanks for making such a great piece of software.  FWbuilder rocks!

     
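The two lessons of this thread, as an added example that is not part of the original posts or of fwbuilder: `iptables -S` without `-t` only lists the filter table, so an SNAT rule in the nat table is invisible there (Vadim's reply), and a rule that is present but whose packet counter never moves means traffic is not reaching the box at all (Luke's routing problem). The script parses `iptables-save -c` output (the sample dump is constructed from the rules in the thread) and reports which table holds the SNAT rule and whether it has matched anything.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `iptables-save -c` output, built from the thread's rules.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
[123:45678] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
[0:0] -A POSTROUTING -o eth0 -s 10.7.112.0/22 -j SNAT --to-source 67.202.219.212
COMMIT
"""

# `iptables-save -c` prefixes each rule with [packets:bytes].
RULE_RE = re.compile(r"^\[(\d+):(\d+)\]\s+(-A\s+\S+\s+.*)$")


def parse_save(dump: str) -> Dict[str, List[Tuple[str, int, int]]]:
    """Return {table: [(rule, packets, bytes), ...]} from iptables-save -c text."""
    tables: Dict[str, List[Tuple[str, int, int]]] = {}
    table = None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):            # "*nat" opens a table section
            table = line[1:]
            tables[table] = []
        elif table and line.startswith("["):
            m = RULE_RE.match(line)
            if m:
                tables[table].append((m.group(3), int(m.group(1)), int(m.group(2))))
    return tables


def find_target(tables, target: str) -> List[Tuple[str, str, int]]:
    """All rules jumping to `target` (e.g. SNAT) as (table, rule, packets)."""
    return [(t, rule, pkts) for t, rules in tables.items()
            for rule, pkts, _ in rules if f" -j {target} " in rule + " "]


def diagnose(dump: str, target: str = "SNAT") -> str:
    """'missing': rule absent; 'present-but-idle': rule never matched,
    so look at routing, not at the firewall; 'active': rule is matching."""
    hits = find_target(parse_save(dump), target)
    if not hits:
        return "missing"
    if all(pkts == 0 for _, _, pkts in hits):
        return "present-but-idle"
    return "active"
```

Run it against a live host with `diagnose(subprocess.check_output(["iptables-save", "-c"], text=True))` after sending some traffic from the internal subnet.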
