Hello,
I would like to use BT for a test as NAT-router.
- from BT it's possible to ping the AP and the internal machine
- but the internal machine cannot ping to outside world
AP/Router: 192.168.0.1
BT/WLAN0: 192.168.0.100
BT/eth0: 192.168.1.5
internal machine: 192.168.1.99
Settings on BT:
# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o wlan0 -j SNAT --to-source 192.168.0.100
Question:
What am I doing wrong?
Thanks a lot in advance for any help :-)
John
I do not understand your topology!
Are you using real or virtualized machines?
Loaded the module iptable_nat?
Be more specific please!
Regards,
(gdb) disass m(y_br)ain
I think that he is trying to use BT as a firewall and is using iptables to do it; the AP/router is the Internet router for BT.
Try it:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
Thanks a lot, espreto, for the feedback!
I am using real machines.
BT should be the router for the internal machines.
NO!! That I forgot. What a shame...
After loading the module iptable_nat it's working :-) Except the machine behind the BT router needs to define the AP (AP/Router: 192.168.0.1) as their name server.
If the IP of the internal network (BT/eth0: 192.168.1.5) is defined, name resolution does not work :-)
Thanks a lot for your help,
John
Last edited by john99; 05-23-2011 at 02:01 PM. Reason: important details forgotten :-(
Last edited by john99; 05-23-2011 at 02:13 PM. Reason: spelling error
Surprisingly, that "new" iptables command does not make any difference... BT works as NAT-router, but there is a very special thing
I can't understand at all:
Name resolution (DNS) (e.g. google.com) does not work on the internal machine (192.168.1.99) if the NAT-router (BT) is defined as
nameserver (the IP address has to be defined).
But everything (DNS resolution) works perfectly if the WLAN AP (192.168.0.1) is defined as the nameserver!!
Does somebody understand that?
Thank you very much for any feedback!
John
Just because your backtrack machine is set up as a NAT router does not mean it will act as a DNS server. If you want to be able to set the clients to use it, you would need to run a DNS server on the backtrack machine. As far as I know there isn't a DNS server built into backtrack, but I would not be surprised at all if I was wrong.
Thanks a lot, Dudeman02379, for the interesting feedback! As I understand you, there is no other way than to set up a DNS server on the NAT router in order to have the DNS resolution working for the clients in the 192.168.1.0 net.
I hoped that this could be achieved as well with the iptables command :-(
Thanks!
John
If the clients on the 192.168.1.0 subnet used an internet DNS server, that would also work. Maybe there is a way to forward all DNS requests to an internet DNS server using iptables, but you would need to do a little research. Here are some public DNS servers they could use: http://theos.in/windows-xp/free-fast...s-server-list/
EDIT: Maybe something like this? Untested.
iptables -t nat -I PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to 4.2.2.2
Last edited by Dudeman02379; 07-05-2011 at 03:23 PM.
Thanks a lot for the help! Unfortunately the command # iptables -t nat -I PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to 192.168.0.100
does not solve the DNS problem; instead the clients in the 192.168.1.0 net are not even able to ping the WLAN AP at 192.168.0.1
anymore :-(
I am probably going to try Dnsmasq as well...
John
Last edited by john99; 07-07-2011 at 01:45 PM.
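The setup discussed in this thread, collected into one script as an added example that is not from any of the posters: it loads iptable_nat, enables forwarding, masquerades the 192.168.1.0/24 clients out of wlan0, and redirects DNS queries sent to the router's LAN address to a resolver. Using the AP (192.168.0.1) as that resolver, the DRY_RUN switch, the explicit FORWARD rules and the function names are assumptions of this example.

```sh
#!/bin/sh
# Added example: NAT router plus DNS redirect for the thread's addressing plan.
# Interfaces and addresses are the ones posted in the thread; using the AP as
# the upstream resolver is an assumption (the thread reports it answers DNS).
LAN_IF=eth0               # BT interface facing the internal machines
WAN_IF=wlan0              # BT interface facing the AP
LAN_NET=192.168.1.0/24
ROUTER_LAN_IP=192.168.1.5
UPSTREAM_DNS=192.168.0.1
DRY_RUN=${DRY_RUN:-1}     # 1 = only print the commands, 0 = execute (root)

# Hypothetical helper: print the command in dry-run mode, otherwise run it.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

setup_nat_router() {
    # NAT table support and routing between the two interfaces
    run modprobe iptable_nat
    run sysctl -w net.ipv4.ip_forward=1

    # Source NAT for everything leaving the LAN through the WLAN side
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE

    # Only matters when the FORWARD policy is DROP: allow LAN -> WAN and replies
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # DNS queries addressed to the router itself go to the upstream resolver.
    # Both protocols: large or truncated answers are retried over TCP.
    # Conntrack rewrites the replies, so clients see them from the router.
    for proto in udp tcp; do
        run iptables -t nat -A PREROUTING -i "$LAN_IF" -d "$ROUTER_LAN_IP" \
            -p "$proto" --dport 53 -j DNAT --to-destination "$UPSTREAM_DNS:53"
    done
}

# Print the plan by default; "--apply" executes it.
if [ "${1:-}" = "--apply" ]; then DRY_RUN=0; fi
setup_nat_router
```

Matching on `-d 192.168.1.5` leaves queries that clients send to any other resolver untouched; only the ones aimed at the router, which runs no DNS server, are rewritten.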