[Aurora-sparc-user] Grey hairs!
Hans Witvliet
hwit at a-domani.nl
Mon Apr 2 18:08:53 EDT 2007
Hi list,
I guess I've been blundering somewhere while experimenting with IPv6.
(on that perhaps later ::)
The result is that my IPv4 is screwed up.
Probably a fresh reboot might (or might not) resolve things, but there is a
fair chance that it won't (it's not M$), and I don't like to miss my
1K-uptime...
(11:30pm up 932 days, 22:09, 4 users, load average: 0.10, 0.08, 0.07)
So perhaps someone can help me out:
My Netra T1 (firewall/DNS/IMAP) has eth0 connected to my DSL modem,
and eth1 to my LAN.
1) On my Netra, I can ping 82.161.98.1, which is the gw of my
provider, so this part of the connection to the outside world is OK.
2) On any of the machines on my LAN, I can ping both 192.168.0.1 and
82.161.99.204, the internal and external interfaces of the Netra.
So all internal machines have their gw correctly set up.
# netstat -rn --inet
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.0.0     0.0.0.0         255.255.255.0   U        40 0          0 eth1
82.161.98.0     0.0.0.0         255.255.254.0   U        40 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U        40 0          0 lo
0.0.0.0         82.161.98.1     0.0.0.0         UG       40 0          0 eth0
3) None of the machines can ping 82.161.98.1 (or any other foreign
address); even more, it does not even show up in a tracedump running on
the Netra's eth0 (external interface).
They do arrive on my Netra (tracing on eth1) but are not
"natted outside".
So my first conclusion was that there was something wrong with my
iptables rule set, so I put it wide open:
#!/bin/sh +x
#
#######################################################################
# ON/OFF switches
DEBUG="y"
if [ "$DEBUG" = "y" ] ; then
    IPT="/sbin/iptables -v "
else
    IPT="/sbin/iptables "
fi
######################################################################
EXT_INT="eth0"
# -w matches the IPv4 "inet" line only, so an "inet6" line on the same
# interface cannot end up in EXT_ADR
EXT_ADR=`ifconfig $EXT_INT | grep -w inet | awk '{print $2}' | awk -F : '{print $2}'`
# default policies: everything accepted
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
#
# flush both the filter table and the nat table: -F/-X without -t only
# touch filter, so the nat rules below would pile up on every run
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
##########################################################################
$IPT -t nat -A PREROUTING -i $EXT_INT -p tcp --dport 25 -j DNAT --to-destination 192.168.0.2
$IPT -t nat -A POSTROUTING -o $EXT_INT -j SNAT --to-source $EXT_ADR
exit
It produces:
# ./fw_open
DNAT  tcp opt -- in eth0 out *     0.0.0.0/0 -> 0.0.0.0/0  tcp dpt:25 to:192.168.0.2
SNAT  all opt -- in *    out eth0  0.0.0.0/0 -> 0.0.0.0/0  to:82.161.99.204
(looks ok to me)
And I verified the result with:
# iptables -t filter -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25 to:192.168.0.2

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  0.0.0.0/0            0.0.0.0/0           to:82.161.99.204

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Normally I have a different ruleset (not so wide open), but it worked
for years, and now even this won't work!!
Any suggestions?
HtH, Hans
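A diagnostic added here as an example (it is not Hans's fw_open script and not part of the post): it checks the three prerequisites for a Linux NAT gateway that the post verifies by hand, plus the one the post does not mention, the kernel's IPv4 forwarding switch. With net.ipv4.ip_forward set to 0 the kernel still shows the LAN packets on eth1 and still runs the nat PREROUTING chain, but the routing decision discards them before the FORWARD chain and POSTROUTING SNAT are ever consulted, so nothing appears on eth0; that is exactly the "seen on eth1, never on eth0" pattern described above, and it is worth ruling out before touching the rule set again. The functions parse the kind of output quoted in the post (`cat /proc/sys/net/ipv4/ip_forward`, `iptables -t nat -L -n`, `netstat -rn`); interface names and addresses are taken from the post, the sample outputs embedded below are constructed from it, and the `--live` mode that reads the running system is an assumption of this example.

```shell
#!/bin/sh
# Added diagnostic (not the poster's fw_open script): checks what a Linux box
# needs to forward LAN traffic out through NAT.  Interface names and addresses
# come from the post; the sample command outputs below are constructed from it.

# 1. contents of /proc/sys/net/ipv4/ip_forward: "1" means the kernel forwards
#    packets between interfaces at all
forwarding_enabled() {
    [ "$1" = "1" ]
}

# 2. text of `iptables -t nat -L -n`: is there an SNAT or MASQUERADE rule in
#    the POSTROUTING chain?
has_snat_rule() {
    printf '%s\n' "$1" | awk '
        /^Chain / { in_post = ($2 == "POSTROUTING") }
        in_post && ($1 == "SNAT" || $1 == "MASQUERADE") { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# 3. text of `netstat -rn` / `route -n`: does the default route leave through
#    the external interface named in $2?
default_route_via() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "0.0.0.0" && $3 == "0.0.0.0" && $NF == want { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Run the three checks, print one line per finding and return the number of
# problems found (0 = everything needed for LAN -> external NAT is in place).
# Arguments: ip_forward value, nat table text, routing table text, external if.
diagnose() {
    d_problems=0
    if forwarding_enabled "$1"; then
        echo "ok: net.ipv4.ip_forward is 1"
    else
        echo "PROBLEM: ip_forward is '$1'. LAN packets reach the box but routing"
        echo "         discards them before FORWARD/POSTROUTING run, so $4 stays silent."
        d_problems=$((d_problems + 1))
    fi
    if has_snat_rule "$2"; then
        echo "ok: nat POSTROUTING has an SNAT/MASQUERADE rule"
    else
        echo "PROBLEM: no SNAT/MASQUERADE rule in nat POSTROUTING; replies would go"
        echo "         back to a private source address and never return."
        d_problems=$((d_problems + 1))
    fi
    if default_route_via "$3" "$4"; then
        echo "ok: default route leaves via $4"
    else
        echo "PROBLEM: default route does not leave via $4"
        d_problems=$((d_problems + 1))
    fi
    return $d_problems
}

# Constructed samples, modelled on the output quoted in the post.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25 to:192.168.0.2

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  0.0.0.0/0            0.0.0.0/0           to:82.161.99.204

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# The same table with the SNAT rule missing (constructed failure case).
SAMPLE_NAT_NO_SNAT='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
192.168.0.0     0.0.0.0         255.255.255.0   U      40 0        0 eth1
82.161.98.0     0.0.0.0         255.255.254.0   U      40 0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U      40 0        0 lo
0.0.0.0         82.161.98.1     0.0.0.0         UG     40 0        0 eth0'

# Live mode (assumed; needs root on a Linux router): ./natcheck.sh --live [ext_if]
if [ "${1:-}" = "--live" ]; then
    diagnose "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables -t nat -L -n)" \
             "$(netstat -rn 2>/dev/null || route -n)" "${2:-eth0}"
    exit $?
else
    # demonstration on the constructed samples: the post's own state with
    # forwarding on, then forwarding off with the SNAT rule gone
    diagnose 1 "$SAMPLE_NAT" "$SAMPLE_ROUTES" eth0 || true
    echo "---"
    diagnose 0 "$SAMPLE_NAT_NO_SNAT" "$SAMPLE_ROUTES" eth0 || true
fi
```

Run without arguments it only exercises the constructed samples; `--live` reads the running system and exits with the number of problems found, so it can be dropped into a cron job or run by hand after any change to the box. The checks are deliberately read-only: a gateway that has been up for 932 days is not the place to start flushing tables on the basis of a guess.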