Hi,
I am unable to get my LAN masqueraded using SNAT with CentOS 5.3 and iptables.
I have the following setup:
eth0: connects to internet with static public IP 1.2.3.1 (obscured here for privacy)
eth1: connects to DMZ with static public IP 1.2.3.2 (obscured here for privacy)
eth2: connects to LAN with static private IP 192.168.0.1
Traffic to hosts in the DMZ/Internet through eth0/1 works fine.
I tried masquerading the LAN with the following:
iptables -A FORWARD -i eth2 -j ACCEPT
iptables -A FORWARD -o eth2 -j ACCEPT
iptables -A POSTROUTING -t nat -s 192.168.0.0/24 -o eth0 -j SNAT --to-source 1.2.3.1
After this I can ssh to a server in the Internet from the LAN using the server's IP address but not its name. The w command on the server tells me that my address has not been masqueraded (it's 192.168.0.2, the LAN client's private IP).
What am I doing wrong?
Best, Peter
On Mon, Nov 23, 2009 at 12:10 PM, Peter Peltonen peter.peltonen@gmail.com wrote:
> I am unable to get my LAN masqueraded using SNAT with CentOS 5.3 and iptables.
> After this I can ssh to a server in the Internet from the LAN using the server's IP address but not its name. The w command on the server tells me that my address has not been masqueraded (it's 192.168.0.2, the LAN client's private IP).
If you can ssh to a server on the Internet then your connectivity is working. You might want to check if DNS is allowed and working from the LAN hosts to the Internet.
The fact that 'w' shows your internal IP address is because you're connecting from the LAN to the gateway, which doesn't trigger the SNAT because it's not forwarding any packets... only accepting your connection.
Hi,
On Mon, Nov 23, 2009 at 4:15 PM, Giovanni Tirloni tirloni@gmail.com wrote:
> If you can ssh to a server on the Internet then your connectivity is working. You might want to check if DNS is allowed and working from the LAN hosts to the Internet.
> The fact that 'w' shows your internal IP address is because you're connecting from the LAN to the gateway, which doesn't trigger the SNAT because it's not forwarding any packets... only accepting your connection.
Hmm, I am SSHing not to the gateway but to a server in the Internet, so shouldn't it masquerade the address and w show the gateway's IP and not the client's -- isn't this the whole point of the SNAT?
No other service than SSH seems to work. If I do "telnet mydnsip 53" there is no response, it just hangs. I also have correct DNS in /etc/resolv.conf.
Best, Peter
On Mon, Nov 23, 2009 at 4:31 PM, Peter Peltonen peter.peltonen@gmail.com wrote:
> Hmm, I am SSHing not to the gateway but to a server in the Internet, so shouldn't it masquerade the address and w show the gateway's IP and not the client's -- isn't this the whole point of the SNAT?
> No other service than SSH seems to work. If I do "telnet mydnsip 53" there is no response, it just hangs. I also have correct DNS in /etc/resolv.conf.
Nobody has any other ideas what I might be doing wrong here?
Best, Peter
On Thu, 2009-11-26 at 00:58 +0200, Peter Peltonen wrote:
> eth0: connects to internet with static public IP 1.2.3.1 (obscured here for privacy)
> eth1: connects to DMZ with static public IP 1.2.3.2 (obscured here for privacy)
> eth2: connects to LAN with static private IP 192.168.0.1
> I tried masquerading the LAN with the following:
> iptables -A FORWARD -i eth2 -j ACCEPT
> iptables -A FORWARD -o eth2 -j ACCEPT
> iptables -A POSTROUTING -t nat -s 192.168.0.0/24 -o eth0 -j SNAT --to-source 1.2.3.1
> Nobody has any other ideas what I might be doing wrong here?
I had to get the VPN address range masqueraded on the LAN as the gateway address.. so for example:
VPN Server LAN IP: 192.168.1.20 (not the real thing, but doesn't matter)
VPN IP Range: 10.99.0.0
So when I connect through OpenVPN, my tunnel adaptor is given an ip like 10.99.0.5 (basically like a LAN, or your eth2).
What I did in iptables is the following (eth0 is the LAN connection for the VPN server):
iptables -t nat -A POSTROUTING -s 10.99.0.0/255.255.255.0 -o eth0 -j MASQUERADE
After that it worked. All connections to anything on the LAN appear as if I am coming from 192.168.1.20. Just make sure that forwarding is enabled (I believe it is required for masquerade):
cat /proc/sys/net/ipv4/ip_forward
If it equals 0, change it to 1.
You may want to remove all the other entries you tried to get LAN->Internet going to ensure there is nothing conflicting.
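A complete ruleset for the three-interface gateway from the original post, put together with the forwarding check from the reply above; this is an added example written for this page, not code posted by anyone in the thread. It keeps the thread's interface names and addresses (eth0/1.2.3.1, eth1, eth2/192.168.0.0/24) and assumes CentOS 5-era iptables (the `-m state` match and the `/proc/net/ip_conntrack` line format of the 2.6.18 kernel). The two conntrack lines in it are constructed samples, not captures from a real system.

```shell
#!/bin/sh
# Added example for the thread above (not code from any of the posters).
# Generates a complete NAT ruleset for the gateway Peter describes and
# checks, from a conntrack entry, whether SNAT actually took effect.
# Interface names and addresses are the thread's; everything else is assumed.

WAN_IF=eth0            # Internet, public IP 1.2.3.1
WAN_IP=1.2.3.1
DMZ_IF=eth1            # DMZ, public IP 1.2.3.2
LAN_IF=eth2            # LAN, gateway address 192.168.0.1
LAN_NET=192.168.0.0/24

# Emit the ruleset in iptables-restore(8) format. Unlike three ad-hoc -A
# commands, loading this replaces the nat and filter tables atomically, so
# nothing left over from an earlier attempt can sit in front of these rules.
# FORWARD policy is DROP: only LAN-originated connections and their replies
# are forwarded, and SNAT applies only to LAN->Internet traffic, so DMZ
# hosts keep seeing real LAN addresses. "-m state" is the match available
# on CentOS 5's 2.6.18 kernel.
gen_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -s $LAN_NET -o $WAN_IF -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN_IF -s $LAN_NET -o $DMZ_IF -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Apply it. Forwarding must be on or the FORWARD chain never sees a packet.
# (Needs root; not called by the checks below.)
apply_ruleset() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_ruleset | iptables-restore
}

# One line of /proc/net/ip_conntrack (2.6.18 format) records both tuples:
# the original packet (first src=/dst=) and the expected reply (second
# src=/dst=). After SNAT the reply's dst= is the gateway's public address;
# if it still shows the LAN client's address the packet left untranslated,
# which is exactly what a remote 'w' showing 192.168.0.2 means.
# Prints "orig_src reply_dst"; exits 0 if they differ (translated), 1 if not.
conntrack_snat_applied() {
    ct_pair=$(printf '%s\n' "$1" | awk '{
        s = 0; d = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/) { s++; if (s == 1) os = substr($i, 5) }
            if ($i ~ /^dst=/) { d++; if (d == 2) rd = substr($i, 5) }
        }
        print os, rd
    }')
    printf '%s\n' "$ct_pair"
    [ "${ct_pair% *}" != "${ct_pair#* }" ]
}

# Constructed sample entries (not captured from a real system).
# SSH session from the LAN client, correctly SNATed to 1.2.3.1:
SAMPLE_NATED='tcp      6 431999 ESTABLISHED src=192.168.0.2 dst=203.0.113.10 sport=51234 dport=22 src=203.0.113.10 dst=1.2.3.1 sport=22 dport=51234 [ASSURED] mark=0 secmark=0 use=1'
# DNS query forwarded out eth0 without translation; the reply is addressed
# to a private IP the Internet cannot route back, so the query just hangs:
SAMPLE_UNNATED='udp      17 29 src=192.168.0.2 dst=203.0.113.53 sport=40123 dport=53 [UNREPLIED] src=203.0.113.53 dst=192.168.0.2 sport=53 dport=40123 mark=0 secmark=0 use=1'

# Run with "show" to print the ruleset and exercise both samples.
if [ "${1:-}" = "show" ]; then
    gen_ruleset
    conntrack_snat_applied "$SAMPLE_NATED"   && echo "SNAT applied"
    conntrack_snat_applied "$SAMPLE_UNNATED" || echo "NOT translated"
fi
```

On CentOS 5 the ruleset survives a reboot with `service iptables save`, and `net.ipv4.ip_forward = 1` in /etc/sysctl.conf keeps forwarding on. The FORWARD rules are protocol-agnostic, so UDP 53 is passed along with TCP; reading the live `/proc/net/ip_conntrack` (or the packet counters from `iptables -t nat -L POSTROUTING -v -n`) shows directly whether a DNS query actually left eth0 translated, which is more informative than whether a remote `w` shows the public address.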
Hi,
On Thu, Nov 26, 2009 at 1:17 AM, Tait Clarridge tait@clarridge.ca wrote:
> iptables -t nat -A POSTROUTING -s 10.99.0.0/255.255.255.0 -o eth0 -j MASQUERADE
> After that it worked. All connections to anything on the LAN appear as if I am coming from 192.168.1.20. Just make sure that forwarding is enabled (I believe it is required for masquerade):
> cat /proc/sys/net/ipv4/ip_forward
> If it equals 0, change it to 1.
> You may want to remove all the other entries you tried to get LAN->Internet going to ensure there is nothing conflicting.
It appears my problems were somehow DNS related: I can't access my ISP's DNS from the LAN when masquerading is on (I can't understand why). Using a nameserver in the DMZ solved my issues and everything seems to work OK now.
Thanks for your help, Peter