> ----- Original Message -----
> From: jwlargent <jwlargent vlsmaps.com>
> To: "k bah" <kbah linuxmail.org>
> Subject: Re: UDP packets are not being forwarded to pc on the local net.
> Date: Thu, 17 May 2007 09:48:11 -0500
>
> I would suggest you start with just a basic NAT setup and then once
> that is working add the additional rules you need.
>
> Minimal NAT setup
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
The initial setup was like this.
Everything was allowed; since it didn't work, I started to
explicitly allow some traffic.
>
> iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
> iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
>
> and don't forget to turn on forwarding in the kernel
> echo 1 > /proc/sys/net/ipv4/ip_forward
OK, I read some more, and here is my setup, a little clearer:
(eth0 - router netcard to the internet; eth1 - router netcard to the
internal net)
----------
*raw
:PREROUTING ACCEPT
:OUTPUT ACCEPT
*mangle
:PREROUTING ACCEPT
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A INPUT -i eth1 -p udp -m udp -j ACCEPT # *so the p2p client can send udp out? *
-A INPUT -i eth0 -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state RELATED -j ACCEPT
-A INPUT -p udp -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 41001 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 41002 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 41002 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 41004 -j ACCEPT
-A FORWARD -p udp -m udp --sport 41002 -j LOG --log-prefix "H015 -t fwd udp41002 sport"
-A FORWARD -p udp -m udp --dport 41002 -j LOG --log-prefix "H015 -t fwd udp41002 dport"
-A FORWARD -p udp -m udp --sport 41004 -j LOG --log-prefix "H015 -t fwd udp41004 sport"
-A FORWARD -p udp -m udp --dport 41004 -j LOG --log-prefix "H015 -t fwd udp41004 dport"
-A FORWARD -p tcp -m tcp --dport 41001 -j LOG --log-prefix "H015 -t fwd tcp41001 dport"
-A FORWARD -p tcp -m tcp --sport 41001 -j LOG --log-prefix "H015 -t fwd tcp41001 sport"
-A OUTPUT -p udp -m udp --sport 41002 -j LOG --log-prefix " H015 -t out udp41002 sport"
-A OUTPUT -p udp -m udp --dport 41002 -j LOG --log-prefix " H015 -t out udp41002 dport"
-A OUTPUT -p udp -m udp --sport 41004 -j LOG --log-prefix " H015 -t out udp41004 sport"
-A OUTPUT -p udp -m udp --dport 41004 -j LOG --log-prefix " H015 -t out udp41004 dport"
-A OUTPUT -o eth0 -p udp -m udp -j ACCEPT
-A OUTPUT -o eth1 -p udp -m udp -j ACCEPT
*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 41001 -j LOG --log-prefix "H015 -t:nat:prerouting 01dpt"
-A PREROUTING -i eth0 -p udp -m udp --dport 41002 -j LOG --log-prefix "H015 -t:nat:prerouting 02dpt"
-A PREROUTING -i eth0 -p udp -m udp --dport 41004 -j LOG --log-prefix "H015 -t:nat:prerouting 04dpt"
-A PREROUTING -i eth0 -p tcp -m tcp --dport 41001 -j DNAT --to-destination 10.1.1.15:41001
-A PREROUTING -i eth0 -p udp -m udp --dport 41002 -j DNAT --to-destination 10.1.1.15:41002
-A PREROUTING -i eth0 -p udp -m udp --dport 41004 -j DNAT --to-destination 10.1.1.15:41004
-A POSTROUTING -s 10.1.1.0/255.255.255.0 -o eth0 -j MASQUERADE
----------
I sent packets from a shell outside my network, on the
internet (to my router's IP address on the internet, 201.x,
not 10.1.1.1, of course):
----- tcp port 41001 -----
PACKET GOT TO MY NETWORK ROUTER
H015 -t:nat:prerouting 01 dpt IN=eth0 OUT=
MAC=ok:ok:ok:ok:ok:ok:ok:ok:ok:ok:ok:ok:ok:=)
SRC=87.227.31.20 DST=201.OK.OK.=) LEN=60 TOS=0x00 PREC=0x20
TTL=42 ID=20327 DF PROTO=TCP SPT=38631 DPT=41001 WINDOW=5840
RES=0x00 SYN URGP=0
PACKET INSIDE MY NETWORK BEING FORWARDED TO MACHINE INSIDE
THE NET
H015 -t fwd tcp41001 dport IN=eth0 OUT=eth1 SRC=87.227.31.20
DST=10.1.1.15 LEN=60 TOS=0x00 PREC=0x20 TTL=41 ID=20327 DF
PROTO=TCP SPT=38631 DPT=41001 WINDOW=5840 RES=0x00 SYN
URGP=0
MACHINE INSIDE MY NETWORK SENDING REPLY TO INTERNET MACHINE
WHERE THE PACKET ORIGINATED
H015 -t fwd tcp41001 sport IN=eth1 OUT=eth0 SRC=10.1.1.15
DST=87.227.31.20 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=20293
PROTO=TCP SPT=41001 DPT=38631 WINDOW=0 RES=0x00 ACK RST
URGP=0
----- tcp port 41001 -----
----- udp port 41002 -----
PACKET GOT TO NETWORK ROUTER
H015 -t:nat:prerouting 02 dpt IN=eth0 OUT=
MAC=ok:ok:ok:ok:ok:ok:ok:ok:ok:ok:ok:ok:ok:=)
SRC=87.227.31.20 DST=201.OK.OK.=) LEN=54 TOS=0x00 PREC=0x20
TTL=42 ID=55587 DF PROTO=UDP SPT=53050 DPT=41002 LEN=34
PACKET INSIDE MY NETWORK BEING FORWARDED TO MACHINE INSIDE
THE NET
H015 -t fwd udp41002 dport IN=eth0 OUT=eth1 SRC=87.227.31.20
DST=10.1.1.15 LEN=54 TOS=0x00 PREC=0x20 TTL=41 ID=55587 DF
PROTO=UDP SPT=53050 DPT=41002 LEN=34
----- udp port 41002 -----
----- udp port 41004 -----
PACKET GOT TO NETWORK ROUTER
H015 -t:nat:prerouting 04 dpt IN=eth0 OUT=
MAC=ok:ok:ok:ok:ok:ok:ok:ok:ok:ok:ok:ok:ok:=)
SRC=87.227.31.20 DST=201.OK.OK.=) LEN=54 TOS=0x00 PREC=0x20
TTL=42 ID=61379 DF PROTO=UDP SPT=53050 DPT=41004 LEN=34
PACKET INSIDE MY NETWORK BEING FORWARDED TO MACHINE INSIDE
THE NET
H015 -t fwd udp41004 dport IN=eth0 OUT=eth1 SRC=87.227.31.20
DST=10.1.1.15 LEN=54 TOS=0x00 PREC=0x20 TTL=41 ID=61379 DF
PROTO=UDP SPT=53050 DPT=41004 LEN=34
----- udp port 41004 -----
Now check item 3.2 from http://www.stearns.org/iptables/netfilter-hacking-HOWTO.txt
if it shows up weird here (the ASCII illustration showing packet flow):
----ascii----
--->PRE------>[ROUTE]--->FWD---------->POST------>
    Conntrack    |       Filter   ^    NAT (Src)
    Mangle       |                |    Conntrack
    NAT (Dst)    |             [ROUTE]
    (QDisc)      v                |
          IN Filter          OUT Conntrack
          |  Conntrack        ^  Mangle
          |                   |  NAT (Dst)
          v                   |  Filter
----ascii----
I disabled the WinXP firewall on the machine inside the
network, and checked it again after a reboot.
Now I think the problem is not with packet forwarding; I
think it's with the p2p client, OR
maybe the p2p client is not able to send stuff out?
Does anyone agree with me?
thanks for your time
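One way to check mechanically what the log excerpts above show, as an added example that is not part of this thread: a small Python script that parses the "H015 -t" LOG lines, correlates the nat PREROUTING entry, the FORWARD entry towards eth1 and any FORWARD entry coming back from eth1 per flow, and reports at which stage each probe stopped. The sample lines are constructed from the post's output; the redacted public address is replaced by the placeholder 203.0.113.1.

```python
from collections import defaultdict

# Constructed sample lines modelled on the iptables LOG output in the post.
# 203.0.113.1 is a placeholder for the redacted router address.
SAMPLE_LOG = """\
H015 -t:nat:prerouting 01 dpt IN=eth0 OUT= SRC=87.227.31.20 DST=203.0.113.1 LEN=60 PROTO=TCP SPT=38631 DPT=41001 SYN URGP=0
H015 -t fwd tcp41001 dport IN=eth0 OUT=eth1 SRC=87.227.31.20 DST=10.1.1.15 LEN=60 PROTO=TCP SPT=38631 DPT=41001 SYN URGP=0
H015 -t fwd tcp41001 sport IN=eth1 OUT=eth0 SRC=10.1.1.15 DST=87.227.31.20 LEN=40 PROTO=TCP SPT=41001 DPT=38631 ACK RST URGP=0
H015 -t:nat:prerouting 02 dpt IN=eth0 OUT= SRC=87.227.31.20 DST=203.0.113.1 LEN=54 PROTO=UDP SPT=53050 DPT=41002 LEN=34
H015 -t fwd udp41002 dport IN=eth0 OUT=eth1 SRC=87.227.31.20 DST=10.1.1.15 LEN=54 PROTO=UDP SPT=53050 DPT=41002 LEN=34
"""

TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}

def parse_line(line):
    """Split one iptables LOG line into KEY=VALUE fields plus the bare TCP flag tokens."""
    fields, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields.setdefault(key, val)  # first LEN is the IP length; keep it
        elif tok in TCP_FLAGS:
            flags.add(tok)
    fields["flags"] = flags
    return fields

def trace_flows(log_text):
    """Group entries by inbound (proto, remote src, sport, dport) and record each stage seen."""
    flows = defaultdict(lambda: {"prerouting": False, "forwarded": None, "reply": None})
    for line in log_text.splitlines():
        if "H015" not in line:
            continue
        f = parse_line(line)
        if f["IN"] == "eth0" and f["OUT"] == "":          # nat PREROUTING hit: packet reached the router
            flows[(f["PROTO"], f["SRC"], f["SPT"], f["DPT"])]["prerouting"] = True
        elif f["IN"] == "eth0" and f["OUT"] == "eth1":    # FORWARD towards the LAN: DNAT worked
            flows[(f["PROTO"], f["SRC"], f["SPT"], f["DPT"])]["forwarded"] = f["DST"]
        elif f["IN"] == "eth1" and f["OUT"] == "eth0":    # FORWARD back out: the inside host answered
            key = (f["PROTO"], f["DST"], f["DPT"], f["SPT"])
            flows[key]["reply"] = "RST" if "RST" in f["flags"] else "data"
    return dict(flows)

def verdict(flow):
    """Turn the stages recorded for one flow into a one-line diagnosis."""
    if not flow["prerouting"]:
        return "never reached the router"
    if flow["forwarded"] is None:
        return "reached the router but was not DNATed/forwarded"
    if flow["reply"] is None:
        return "forwarded to %s, no reply seen (host silent or not listening)" % flow["forwarded"]
    if flow["reply"] == "RST":
        return "forwarded to %s, host answered RST (nothing listening on that port)" % flow["forwarded"]
    return "forwarded to %s, host replied" % flow["forwarded"]

if __name__ == "__main__":
    for key, flow in trace_flows(SAMPLE_LOG).items():
        print(key, "->", verdict(flow))
```

On the sample lines this reports the TCP probe as forwarded and answered with RST, and the UDP probe as forwarded with no reply, which is what the post's logs show.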