iptables, still

Steve Fri, 15 Apr 2005 01:24:55 -0700

Hi all!

After the firmware upgrade of my modem/router, I have strange behaviour
with my lan: I can ping the internet from my clients but not from the
gateway machine !


Here is the setup:

internet ---- modem ------- eth0  (gateway) ath0 -------- eth0 (client)

with :

modem LAN : 192.168.1.1
modem WAN : dhcp
eth0 gateway : dhcp
ath0 : 192.168.20.1 (fixe)
eth0 client : 192.168.20.3 (fixe)

both running Debian Sarge kernel 2.6

I enabled the NAT mode on the modem so that all trafic goes on eth0 on
which I have the following iptables ruleset: 

gateway# iptables-save

# Generated by iptables-save v1.2.11 on Fri Apr 15 10:10:33 2005
*filter
:INPUT DROP [10:878]
:FORWARD DROP [9:360]
:OUTPUT DROP [82:15508]
-A INPUT -i lo -j ACCEPT 
-A INPUT -s 192.168.20.0/255.255.255.0 -d 192.168.20.1 -i ath0 -j ACCEPT
-A INPUT -s 192.168.20.255 -d 192.168.20.1 -i ath0 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT 
-A INPUT -j ULOG --ulog-prefix "Netfilter" 

-A FORWARD -s 192.168.20.0/255.255.255.0 -i ath0 -o eth0 -m state
--state NEW,RELATED,ESTABLISHED,UNTRACKED -j ACCEPT -A FORWARD -d
192.168.20.0/255.255.255.0 -i eth0 -o ath0 -m state --state
RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -o lo -j ACCEPT 

-A OUTPUT -s 192.168.20.1 -d 192.168.20.0/255.255.255.0 -o ath0 -j
ACCEPT -A OUTPUT -s 192.168.20.1 -d 192.168.20.255 -o ath0 -j ACCEPT 
-A OUTPUT -j ULOG --ulog-prefix "Netfilter" 
COMMIT
# Completed on Fri Apr 15 10:10:33 2005
# Generated by iptables-save v1.2.11 on Fri Apr 15 10:10:33 2005
*nat
:PREROUTING ACCEPT [227:28353]
:POSTROUTING ACCEPT [9:743]
:OUTPUT ACCEPT [80:4951]
-A POSTROUTING -s 192.168.20.0/255.255.255.0 -o eth0 -j MASQUERADE 
COMMIT
# Completed on Fri Apr 15 10:10:33 2005


gateway# ping 192.168.1.1

PING 192.168.1.1 (192.168.1.1): 56 data bytes
ping: sendto: Operation not permitted
ping: wrote 192.168.1.1 64 chars, ret=-1

but as I said, from the client it's ok.. and :

gateway # route

Table de routage IP du noyau
Destination     Passerelle   Genmask    Indic Metric Ref    Use Iface
192.168.20.0    *          255.255.255.0   U     0      0   0 ath0
192.168.2.0     *               255.255.255.0   U     0      0 0 eth1
192.168.1.0     *               255.255.255.0   U     0     0    0 eth0
default         192.168.1.1     0.0.0.0         UG   0      0   0 eth0

 ok no?


So what's wrong? I haven't changed anything in my setup, so I don't
really understand what's going on (learning ..) What have I missed?

Any help is welcomed ;-)


Greetings
Thanks

steve


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

iptables, still

Reply via email to