6 Replies Latest reply: Jun 15, 2011 6:22 PM by 868934

oracle linux 6 iptables SNAT error!

868934 Newbie
Hello everyone,

I use Oracle Linux 6.1 and use iptables to do SNAT, but the POSTROUTING chain can't receive packets (I see it using 'iptables-save').

echo 1 > /proc/sys/net/ipv4/ip_forward

'iptables-save' looks like this:

**************
# Generated by iptables-save v1.4.7 on Tue Jun 14 22:44:05 2011
*nat
:PREROUTING ACCEPT [268:25801]
:POSTROUTING ACCEPT [1:108]
:OUTPUT ACCEPT [1:108]
-A POSTROUTING -j LOG --log-prefix "POSTROUTING:"
-A POSTROUTING -s 10.0.0.0/8 -o eth0 -j SNAT --to-source x.x.x.x
COMMIT
# Completed on Tue Jun 14 22:44:05 2011
# Generated by iptables-save v1.4.7 on Tue Jun 14 22:44:05 2011
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [537:176247]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j LOG --log-prefix "FORWARD:"
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

thanks!
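A forwarded packet traverses the filter FORWARD chain before it reaches nat POSTROUTING, so the order of terminating rules in FORWARD decides whether an SNAT rule ever sees the flow. As an added example (not code from this thread), the check below parses an iptables-save dump and reports the first verdict FORWARD gives the 10.0.0.0/8 via eth0 flow from the post; the sample dump is the post's filter table with COMMIT restored, and FORWARD_FIX is an assumed minimal accept rule.

```python
import re

# Constructed sample: the filter table from the original post (COMMIT restored).
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [537:176247]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG --log-prefix "FORWARD:"
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
# Assumed minimal accept rule for the SNAT'd flow; it must precede the REJECT.
FORWARD_FIX = '-A FORWARD -s 10.0.0.0/8 -o eth0 -j ACCEPT'
VERDICTS = ('ACCEPT', 'REJECT', 'DROP')

def parse_chains(dump):
    """Return {table: {chain: (policy, [rule, ...])}} from iptables-save text."""
    tables, table = {}, None
    for line in dump.splitlines():
        if line.startswith('*'):
            table = tables.setdefault(line[1:], {})
        elif line.startswith(':') and table is not None:
            chain, policy = line[1:].split()[:2]
            table[chain] = (policy, [])
        elif line.startswith('-A ') and table is not None:
            chain, rule = line[3:].split(' ', 1)
            table.setdefault(chain, ('-', []))[1].append(rule)
    return tables

def rule_applies(rule, src, out_if):
    """A rule applies to the flow when its -s and -o options (if present) match it."""
    s = re.search(r'(?<!\S)-s (\S+)', rule)
    o = re.search(r'(?<!\S)-o (\S+)', rule)
    return (s is None or s.group(1) == src) and (o is None or o.group(1) == out_if)

def forward_verdict(dump, src='10.0.0.0/8', out_if='eth0'):
    """First terminating verdict filter FORWARD gives the flow, else the chain policy."""
    policy, rules = parse_chains(dump).get('filter', {}).get('FORWARD', ('-', []))
    for rule in rules:
        m = re.search(r'(?<!\S)-j (\S+)', rule)
        # LOG is non-terminating, so only ACCEPT/REJECT/DROP settle the verdict.
        if m and m.group(1) in VERDICTS and rule_applies(rule, src, out_if):
            return m.group(1)
    return policy

def with_forward_fix(dump):
    """Insert FORWARD_FIX ahead of the existing FORWARD rules (text rewrite only)."""
    return dump.replace('-A FORWARD -j LOG', FORWARD_FIX + '\n-A FORWARD -j LOG', 1)
```

A verdict other than ACCEPT means nat POSTROUTING, and therefore the SNAT rule, never sees the packet, which matches the idle counters in the post.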
  • 1. Re: oracle linux 6 iptables SNAT error!
    BillyVerreynne Oracle ACE
    Best to ask this type of question on a firewall list - iptables can be pretty complex.

    I have my own version of DNAT rules - unsure how similar that would be to SNAT.

    This was done primarily via hacking and testing as I'm not a firewall guy. So there could be a better way to configure it. However, none of the examples I found at that time on the net worked for me across interfaces - so I had to roll my own despite my networking experience being largely limited to networking programming.

    The need was to NAT incoming Oracle client traffic 1521/tcp across interfaces. The core of the NAT script I wrote (that has been doing the intended job for a number of years now) looks as follows:
    ..snipped..
    # usage: CreateNATroute PORT-IN PORT-OUT IN-NETWORK NAT-OUT INF-IN INF-OUT
    CreateNATroute()
    {
            SRCPORT=$1
            DSTPORT=$2
            SRCIP=$3
            DSTIP=$4
            INFIN=$5
            INFOUT=$6
    
            # NAT TCP traffic:
            #       from SRCIP and DSTPORT on INTERFACE IN
            #       to DSTIP and DSTPORT
            iptables        --table nat                             \
                            --append PREROUTING                     \
                            --protocol tcp                          \
                            --source $SRCIP                         \
                            --dport $DSTPORT                        \
                            --in-interface $INFIN                   \
                            --jump DNAT                             \
                            --to-destination $DSTIP:$DSTPORT
    
            # MASQUERADE TCP traffic:
            #       from SRCIP 
            #       to interface INTERFACE OUT for DSTIP
            iptables        --table nat                             \
                            --append POSTROUTING                    \
                            --out-interface $INFOUT                 \
                            --source $SRCIP                         \
                            --destination $DSTIP                    \
                            --jump MASQUERADE
    
            # FORWARD CHAIN (punching holes for NAT port proxy)
            iptables        --table filter                          \
                            --append FORWARD                        \
                            --protocol tcp                          \
                            --in-interface $INFIN                   \
                            --out-interface $INFOUT                 \
                            --destination $DSTIP                    \
                            --dport $DSTPORT --sport 1024:65535     \
                            -m state --state NEW                    \
                            --jump ACCEPT
    
            # Firewall Forwarding Filter for traffic leaving via $INFIN (return path)
            iptables        --table filter                          \
                            --append FORWARD                        \
                            --out-interface $INFIN                  \
                            -m state --state NEW,ESTABLISHED,RELATED\
                            --jump ACCEPT
    
            # Firewall Forwarding Filter for $INFIN
            iptables        --table filter --append FORWARD         \
                            --in-interface $INFIN                   \
                            -m state --state ESTABLISHED,RELATED    \
                            --jump ACCEPT
    
            # Firewall Input Filter for $INFIN
            iptables        --table filter --append INPUT --in-interface $INFIN             \
                            --protocol tcp --dport $DSTPORT                                 \
                            --jump ACCEPT
    
    
    }
  • 2. Re: oracle linux 6 iptables SNAT error!
    868934 Newbie
    Thanks Billy Verreynne, your script is very good.

    In this question, with the same configuration, it worked very well in CentOS 5, but it doesn't work in Oracle Linux 6.
  • 3. Re: oracle linux 6 iptables SNAT error!
    Dude! Guru
    I found the following links, which seem to be related including an example. Perhaps you will find it helpful:

    http://www.linuxtopia.org/Linux_Firewall_iptables/x4658.html
    http://www.linuxtopia.org/Linux_Firewall_iptables/x1226.html

    https://www.linuxquestions.org/questions/linux-networking-3/iptables-dnat-snat-re-addressing-399169/

    Is IP forwarding activated?

    Edited by: Dude on Jun 15, 2011 1:41 AM
  • 4. Re: oracle linux 6 iptables SNAT error!
    BillyVerreynne Oracle ACE
    865931 wrote:

    In this question, the same configuration, it worked very well in centos 5, but it can't work in oracle linux 6
    I do not use OL6 - we have RHEL 3 and 4 and OEL 5.

    If behaviour is different on OL6 then I suggest you look at the iptables change log - perhaps there have been changes to iptables features and behaviour? You can also use CentOS 6 to test - to confirm whether this is specific to OL6 only, or to all Linux 6 kernels.

    Also, as iptables is pretty technical networking stuff, you may likely find faster and better answers on Linux firewall lists. Netadmins using Linux 6 would be able to tell you what the underlying problem is and how to address it.
  • 5. Re: oracle linux 6 iptables SNAT error!
    Dude! Guru
    If the same configuration worked in EL 5 you might want to check /etc/sysctl.conf of your old system to compare kernel parameters that affect networking. For instance, net.ipv4.ip_forward = 0 and net.ipv4.conf.default.accept_source_route = 0 are the defaults. From what I understand, EL 6 no longer provides a firewall GUI, which requires more research and manual configuration.

    Edited by: Dude on Jun 15, 2011 4:08 AM
  • 6. Re: oracle linux 6 iptables SNAT error!
    868934 Newbie
    Maybe.

    At first I wanted to recompile the kernel, but then I reinstalled CentOS 5.

    Now SNAT is OK.

    Thanks everyone!!