On 8/11/21 7:01 PM, Alain D D Williams wrote:
On Wed, Aug 11, 2021 at 11:50:30PM +0200, deloptes wrote:
Alain D D Williams wrote:

iptables -A FORWARD -j ACCEPT

and the OUTPUT?
OUTPUT is also ACCEPT, however this is not, I think, important as the packets
come from 10.239.239.23 (via br0) and go to the Internet - thus FORWARD is what
is important. Anyway: I see (on the modem) the packets with source 10.239.239.23

and this is not a problem ... evidence is outgoing packets with source
address 10.239.239.23
ah, ok, I misinterpreted it.
The important stuff from ifconfig is:

br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
         inet 10.239.239.254  netmask 255.255.255.0  broadcast 10.239.239.255
         inet6 fe80::7ca1:36ff:fe12:7402  prefixlen 64  scopeid 0x20<link>
         ether ee:3c:27:eb:c0:4f  txqueuelen 1000  (Ethernet)
         RX packets 31632  bytes 2596968 (2.4 MiB)
         RX errors 0  dropped 0  overruns 0  frame 0
         TX packets 2065  bytes 374487 (365.7 KiB)
         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
         inet 192.168.108.2  netmask 255.255.255.0  broadcast 192.168.108.255
         inet6 2001:4d48:ad51:2f00::2:2  prefixlen 112  scopeid 0x0<global>
         inet6 fe80::922b:34ff:fe12:6470  prefixlen 64  scopeid 0x20<link>
         ether 90:2b:34:12:64:70  txqueuelen 1000  (Ethernet)
         RX packets 922014  bytes 240006341 (228.8 MiB)
         RX errors 0  dropped 0  overruns 0  frame 0
         TX packets 562616  bytes 80027668 (76.3 MiB)
         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

The steps to get routing working on GNU/Linux


check ip_forward is enabled

cat /proc/sys/net/ipv4/ip_forward - it must be 1


In your case, your outgoing is 192.168.108.2 on enp3s0

and your LAN network is 10.239.239.254

so the forwarding nat rule should be

iptables -t nat -A POSTROUTING  -s 10.239.239.0/24 -o enp3s0 -j SNAT --to  192.168.108.2

No need for INPUT/OUTPUT rules to forward packets, only FORWARD rules


iptables -A FORWARD -s 10.239.239.0/24 -i br0 -o  enp3s0 -m state --state NEW -j ACCEPT

To accept the incoming packets for related connections.

iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT


You need to be sure there is a default route on the router, or trick the route using 'ip rule'

but check whether the router has any default route set

'ip route list' or 'ip route list table default'

---
Lucas Castro
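
The checklist in the reply above, as an added example that is not part of the original message: a POSIX shell function that audits captured `iptables-save`, `ip route list` and `ip_forward` output for each item. The function names, the sample rule sets and the gateway address 192.168.108.1 are assumptions constructed for illustration; the other addresses and interface names are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: audit captured output against the checklist in the reply.
# Sample data is constructed; 192.168.108.1 is an assumed gateway address.

# has TEXT REGEX: true if any line of TEXT matches the extended REGEX.
has() { printf '%s\n' "$1" | grep -Eq -- "$2"; }
miss() { echo "MISSING: $1"; missing=$((missing + 1)); }

# check_router IP_FORWARD RULES ROUTES LAN_CIDR WAN_IF
#   IP_FORWARD  contents of /proc/sys/net/ipv4/ip_forward
#   RULES       output of iptables-save
#   ROUTES      output of ip route list
# Prints one line per missing item and returns the number missing.
check_router() {
    missing=0
    lan=$(printf '%s' "$4" | sed 's/[.]/\\./g')  # escape dots for the regex
    wan=$5
    open='^-A FORWARD -j ACCEPT$'                # blanket rule from the thread
    [ "$1" = "1" ] || miss "ip_forward is not 1"
    has "$2" "^-A POSTROUTING .*-s $lan .*-o $wan .*-j (SNAT|MASQUERADE)" ||
        miss "no SNAT/MASQUERADE for $4 leaving $wan"
    has "$2" "$open" || has "$2" "^-A FORWARD .*-s $lan .*-o $wan .*NEW.* -j ACCEPT" ||
        miss "no FORWARD rule accepting NEW from $4 to $wan"
    has "$2" "$open" || has "$2" "^-A FORWARD .*RELATED,ESTABLISHED.* -j ACCEPT" ||
        miss "no FORWARD rule accepting RELATED,ESTABLISHED"
    has "$3" "^default " || miss "no default route"
    return "$missing"
}

# Constructed: only the blanket FORWARD rule, no nat table entries.
RULES_NO_NAT='*filter
-A FORWARD -j ACCEPT
COMMIT'

# Constructed: the three rules from the reply, as iptables-save prints them.
RULES_FULL='*nat
-A POSTROUTING -s 10.239.239.0/24 -o enp3s0 -j SNAT --to-source 192.168.108.2
COMMIT
*filter
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.239.239.0/24 -i br0 -o enp3s0 -m state --state NEW -j ACCEPT
COMMIT'

ROUTES='default via 192.168.108.1 dev enp3s0
10.239.239.0/24 dev br0 proto kernel scope link src 10.239.239.254
192.168.108.0/24 dev enp3s0 proto kernel scope link src 192.168.108.2'

check_router 1 "$RULES_NO_NAT" "$ROUTES" 10.239.239.0/24 enp3s0 || echo "$? item(s) missing"
check_router 1 "$RULES_FULL" "$ROUTES" 10.239.239.0/24 enp3s0 && echo "all checks pass"
```

On a live router the three inputs would come from `cat /proc/sys/net/ipv4/ip_forward`, `iptables-save` and `ip route list`.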
