
nat iptables rules

linuxtolinux
Frequent Advisor

nat iptables rules

hi all,
I am trying to test iptables nat chains by matching the ping command with the LOG target. I am not getting any LOG matching the echo-reply; I only detect the echo-request packet in /var/log/messages.

Does anyone have any idea?
thanks
George Liu_4
Trusted Contributor

Re: nat iptables rules

What's the output of iptables -L?
Steven E. Protter
Exalted Contributor
Solution

Re: nat iptables rules

Shalom,

Quick fix:

http://www.fs-security.com/

This handy little product sets up iptables with logging. You can steal iptables code from it and I've used it as a firewall router for my supposedly sold business in the US and found it is unbreachable. It is much better than I am at writing iptables code.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
linuxtolinux
Frequent Advisor

Re: nat iptables rules

hi
This is the output of the nat listing:
# /sbin/iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
LOG icmp -- anywhere anywhere icmp echo-request LOG level warning prefix `nat PREROUTING:'
LOG icmp -- anywhere anywhere icmp echo-reply LOG level warning prefix `nat PREROUTING:'

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
LOG icmp -- anywhere anywhere icmp echo-request LOG level warning prefix `nat POSTROUTING:'
LOG icmp -- anywhere anywhere icmp echo-reply LOG level warning prefix `nat POSTROUTING:'

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
LOG icmp -- anywhere anywhere icmp echo-request LOG level warning prefix `nat OUTPUT:'
LOG icmp -- anywhere anywhere


Regards
g33k
Valued Contributor

Re: nat iptables rules

Are you sure that icmp is not dropped in any rule before?
AFAIK NAT rules are on the bottom, and iptables is first match wins (so if there is any rule before regarding icmp, it's applied).
linuxtolinux
Frequent Advisor

Re: nat iptables rules

hi
I applied only the above nat rules, and all the other default policies are ACCEPT.

g33k
Valued Contributor

Re: nat iptables rules

I suppose you'll answer yes, but just to be sure that it's a problem with iptables...
Is syslog running?
Is packet forwarding enabled?
Is ping OK: are you pinging some other system from a system behind NAT and getting answers?
George Georgiev
Occasional Advisor

Re: nat iptables rules

Hi,

echo-reply packets are not supposed to go into the nat table. I guess you will be able to see them in the INPUT, FORWARD and OUTPUT chains of the main table.


cheers!
George
George Liu_4
Trusted Contributor

Re: nat iptables rules

I would like you to post

iptables -L
not
iptables -L -t nat

reason: the icmp traffic could be in the earlier rules
linuxtolinux
Frequent Advisor

Re: nat iptables rules

Thanks a lot
Alexander Samad
Frequent Advisor

Re: nat iptables rules

If you have your log rule in the -t nat table you will only see the initial packet, as the reply is considered related and doesn't hit the nat table.

have a look at
http://l7-filter.sourceforge.net/PacketFlow.png

Place your log rule in the INPUT or FORWARD chain of the filter table (the default one).
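The behaviour George Georgiev and Alexander describe, as an added example that is not code from this thread: a small Python parser for the kernel's LOG-target lines that groups the logged ICMP types per rule prefix and flags prefixes that saw echo-requests but never an echo-reply. The sample log lines are constructed; the `nat PREROUTING:` and `nat POSTROUTING:` prefixes follow the rules posted above, and the `filter FORWARD:` prefix is an assumed extra rule in the filter table. Run against a real /var/log/messages it shows at a glance whether missing replies are the expected nat-table behaviour (the nat table is consulted only for the first packet of a tracked flow) or a real filtering problem.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the format the iptables LOG target
# writes (NOT taken from the thread; addresses are documentation ranges).
# Two separate pings (ICMP ID 1001 and 1002) cross a NAT gateway. The
# nat-table prefixes only ever carry TYPE=8 (echo-request); the echo-reply
# (TYPE=0) shows up only under the assumed filter-table FORWARD rule.
SAMPLE_LOG = """\
Mar  1 10:00:01 gw kernel: nat PREROUTING:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=ICMP TYPE=8 CODE=0 ID=1001 SEQ=1
Mar  1 10:00:01 gw kernel: filter FORWARD:IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4242 DF PROTO=ICMP TYPE=8 CODE=0 ID=1001 SEQ=1
Mar  1 10:00:01 gw kernel: nat POSTROUTING:IN= OUT=eth1 SRC=192.0.2.10 DST=198.51.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4242 DF PROTO=ICMP TYPE=8 CODE=0 ID=1001 SEQ=1
Mar  1 10:00:01 gw kernel: filter FORWARD:IN=eth1 OUT=eth0 SRC=198.51.100.1 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=7 PROTO=ICMP TYPE=0 CODE=0 ID=1001 SEQ=1
Mar  1 10:00:05 gw kernel: nat PREROUTING:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4243 DF PROTO=ICMP TYPE=8 CODE=0 ID=1002 SEQ=1
Mar  1 10:00:05 gw kernel: filter FORWARD:IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4243 DF PROTO=ICMP TYPE=8 CODE=0 ID=1002 SEQ=1
Mar  1 10:00:05 gw kernel: nat POSTROUTING:IN= OUT=eth1 SRC=192.0.2.10 DST=198.51.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4243 DF PROTO=ICMP TYPE=8 CODE=0 ID=1002 SEQ=1
Mar  1 10:00:05 gw kernel: filter FORWARD:IN=eth1 OUT=eth0 SRC=198.51.100.1 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=8 PROTO=ICMP TYPE=0 CODE=0 ID=1002 SEQ=1
Mar  1 10:00:06 gw sshd[123]: Accepted publickey for admin from 192.0.2.20 port 5000 ssh2
"""

# A LOG line is "<syslog header> kernel: <prefix>IN=... OUT=... KEY=VAL ...".
LINE_RE = re.compile(r"kernel: (?P<prefix>.*?)(?P<fields>IN=.*)$")

ICMP_TYPES = {"0": "echo-reply", "8": "echo-request"}


def parse_log_line(line):
    """Return a dict for one LOG-target line, or None for unrelated lines."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = {"prefix": m.group("prefix").strip()}
    for tok in m.group("fields").split():
        if "=" not in tok:
            rec[tok] = True            # bare flags such as DF
            continue
        key, val = tok.split("=", 1)
        # The second ID= token (after PROTO=ICMP) is the ICMP identifier,
        # not the IP header ID; keep both under distinct keys.
        if key == "ID" and "PROTO" in rec:
            key = "ICMP_ID"
        rec[key] = val
    if rec.get("PROTO") == "ICMP":
        t = rec.get("TYPE", "?")
        rec["icmp_type"] = ICMP_TYPES.get(t, "type " + t)
    return rec


def parse_log(text):
    """Parse every LOG-target line in a syslog extract, skipping the rest."""
    return [r for r in map(parse_log_line, text.splitlines()) if r is not None]


def count_by_prefix(records):
    """Counter keyed by (rule prefix, ICMP type name) over ICMP records."""
    return Counter((r["prefix"], r["icmp_type"]) for r in records if "icmp_type" in r)


def prefixes_without_replies(records):
    """Prefixes that logged echo-requests but never an echo-reply: the
    symptom from the thread. For a nat-table prefix this is expected."""
    counts = count_by_prefix(records)
    seen_req = {p for (p, t) in counts if t == "echo-request"}
    seen_rep = {p for (p, t) in counts if t == "echo-reply"}
    return sorted(seen_req - seen_rep)


def explain(records):
    """Human-readable summary of what each logging rule actually saw."""
    out = []
    for (prefix, typ), n in sorted(count_by_prefix(records).items()):
        out.append(f"{prefix:18s} {typ:13s} {n}")
    for p in prefixes_without_replies(records):
        if p.startswith("nat "):
            note = "expected: the nat table sees only the first packet of a flow"
        else:
            note = "unexpected: check filter-table rules and conntrack state"
        out.append(f"{p} logged requests but no replies ({note})")
    return "\n".join(out)


if __name__ == "__main__":
    print(explain(parse_log(SAMPLE_LOG)))
```

To use it on a live box, replace SAMPLE_LOG with the contents of /var/log/messages (or `dmesg` output); only lines containing `kernel:` followed by `IN=` are considered, so other syslog traffic is ignored.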