Suse 11.2 as NAT-Router

Hello guys,

I have the following very frustrating problem.

I have 1 internet connection (DSL-MODEM) and I want to share it with my LAN via NAT-Router.

(INTERNET- DSL-MODEM (80.109.145.1) - NAT-SUSE11.2ROUTER (80.109.145.85 <-> 10.10.5.1) - SWITCH - LAN)

Output of ‘ifconfig’:


000d88cd4cb5:/home/king/Desktop # ifconfig
eth1      Link encap:Ethernet  HWaddr 00:0D:88:CD:4C:B4  
          **inet addr:10.10.5.1  Bcast:10.255.255.255  Mask:255.0.0.0**
          inet6 addr: fe80::20d:88ff:fecd:4cb4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12565 errors:0 dropped:0 overruns:0 frame:0
          TX packets:682 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:830235 (810.7 Kb)  TX bytes:88383 (86.3 Kb)
          Interrupt:18 Base address:0xc000 

eth2      Link encap:Ethernet  HWaddr 00:0D:88:CD:4C:B5  
          **inet addr:80.109.145.85  Bcast:80.109.145.255  Mask:255.255.255.0**
          inet6 addr: fe80::20d:88ff:fecd:4cb5/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:119989 errors:0 dropped:0 overruns:0 frame:0
          TX packets:57697 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:124384614 (118.6 Mb)  TX bytes:4686368 (4.4 Mb)
          Interrupt:19 Base address:0xc100 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:639 errors:0 dropped:0 overruns:0 frame:0
          TX packets:639 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:150547 (147.0 Kb)  TX bytes:150547 (147.0 Kb)



eth1 is connected to DSL-MODEM
eth2 is connected to SWITCH (Network)

I have a DHCP server running that guarantees that my LAN gets:
- IPv4s from 10.10.5.10-100 (LAN)
- Subnet: 255.0.0.0 (Class A)
- Gateway: 10.10.5.1 (Suse NAT-Router)


Following options are running:
IP-Forwarding Enabled
Masquerading Enabled (from private (10.10.5.) to public (80.109.145.))

What am I doing wrong? I also tried manipulating iptables and running routing commands, but nothing works…

Output of ‘route’:


000d88cd4cb5:/home/king/Desktop # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
80.109.145.0    *               255.255.255.0   U     0      0        0 eth2
link-local      *               255.255.0.0     U     0      0        0 eth1
10.0.0.0        *               255.0.0.0       U     0      0        0 eth1
loopback        *               255.0.0.0       U     0      0        0 lo
default         chello080109145 0.0.0.0         UG    0      0        0 eth2

I hope I described the problem detailed enough, if you need more information please just post. Is it possible to route from class A subnet to class C subnet?

thanks for your help, I’m really frustrated this doesn’t work, and I’m randomly typing route-commands, so I’m so glad for help :wink:

How are you “manipulating” the firewall rules? You should be doing it via YaST or by editing /etc/sysconfig/SuSEfirewall2, where there are lots of comments, not manually. Show us the NAT rules of your machine. Run:

iptables -t nat -L -n

If you don’t have a MASQUERADE rule under POSTROUTING, then you don’t really have masquerading. Also show us the normal rules:

iptables -L -n
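As an added example (not code from the thread, from YaST or from SuSEfirewall2), here is the check the reply above asks for, together with the minimal hand-made rule set it implies: `nat_has_masquerade` reads saved `iptables -t nat -L -n` (or `-S`) output and succeeds only if POSTROUTING carries a MASQUERADE target, and `apply_nat_rules` spells out what a working NAT router has to contain. Interface roles follow the YaST zone summary later in the thread (eth1 internal with 10.10.5.1, eth2 external with 80.109.145.85); the LAN prefix 10.10.5.0/24 and the two sample tables are constructed assumptions. Note the caveat in the comments: SuSEfirewall2 rebuilds every chain on restart, so the manual rules are for verifying the mechanism, and the persistent fix is the FW_ROUTE/FW_MASQUERADE settings in /etc/sysconfig/SuSEfirewall2.

```shell
#!/bin/sh
# Added example, not from the thread or from SuSEfirewall2.
# Roles follow the YaST zone summary: eth1 = internal (10.10.5.1), eth2 = external.
EXT_IF="eth2"
INT_IF="eth1"
LAN_NET="10.10.5.0/24"   # assumption: the DHCP range 10.10.5.10-100 fits in a /24

# Constructed sample: the empty nat table exactly as posted in the thread.
SAMPLE_NAT_EMPTY='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Constructed sample: the same table once masquerading is really on.
SAMPLE_NAT_FIXED='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  10.10.5.0/24         0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# nat_has_masquerade: read "iptables -t nat -L -n" (or "iptables -t nat -S")
# output on stdin; exit 0 only if POSTROUTING carries a MASQUERADE target.
nat_has_masquerade() {
    awk '
        /^Chain /                                    { chain = $2; next }
        chain == "POSTROUTING" && $1 == "MASQUERADE" { found = 1 }
        /^-A POSTROUTING / && /-j MASQUERADE/        { found = 1 }
        END { if (found) exit 0; exit 1 }
    '
}

# forwarding_enabled: $1 is the content of /proc/sys/net/ipv4/ip_forward.
forwarding_enabled() {
    [ "$1" = "1" ]
}

# apply_nat_rules: the minimum a NAT router needs, by hand (root required).
# Kept in a function so sourcing this file changes nothing on the box.
# SuSEfirewall2 rewrites all chains on restart; the persistent equivalent is
# FW_ROUTE="yes", FW_MASQUERADE="yes", FW_DEV_EXT="eth2", FW_DEV_INT="eth1"
# in /etc/sysconfig/SuSEfirewall2.
apply_nat_rules() {
    sysctl -w net.ipv4.ip_forward=1
    # Translate only LAN sources, and only when leaving via the external NIC,
    # so traffic on the public /24 of eth2 is never rewritten.
    iptables -t nat -I POSTROUTING -s "$LAN_NET" -o "$EXT_IF" -j MASQUERADE
    # -I, not -A: the SuSEfirewall2 FORWARD chain ends in LOG + DROP, so an
    # appended rule would sit below that DROP and never match.
    iptables -I FORWARD 1 -i "$EXT_IF" -o "$INT_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -I FORWARD 1 -i "$INT_IF" -o "$EXT_IF" -s "$LAN_NET" -j ACCEPT
}

# Demo against the constructed samples (no root needed).
for name in SAMPLE_NAT_EMPTY SAMPLE_NAT_FIXED; do
    eval "table=\$$name"
    if printf '%s\n' "$table" | nat_has_masquerade; then
        echo "$name: MASQUERADE in POSTROUTING -> masquerading active"
    else
        echo "$name: no MASQUERADE in POSTROUTING -> masquerading NOT active"
    fi
done
```

Run it as-is to see the verdict for both samples, or pipe a live table through the check: `iptables -t nat -L -n | sh -c '. ./natcheck.sh; nat_has_masquerade'`. The FORWARD rules deliberately allow new connections only from the internal interface; anything arriving on eth2 must belong to an existing connection, which is the one property a home NAT router must keep.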

I’m manipulating the Firewall-rules via Yast, by just checking the checkbox “Masquerade Networks”.

Output of ‘iptables -t nat -L -n’:


000d88cd4cb5:/home/king/Desktop # iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         


Output of ‘iptables -L -n’:


000d88cd4cb5:/home/king/Desktop # iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state ESTABLISHED 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED 
input_int  all  --  0.0.0.0/0            0.0.0.0/0           
input_ext  all  --  0.0.0.0/0            0.0.0.0/0           
input_ext  all  --  0.0.0.0/0            0.0.0.0/0           
input_ext  all  --  0.0.0.0/0            0.0.0.0/0           
input_ext  all  --  0.0.0.0/0            0.0.0.0/0           
input_ext  all  --  0.0.0.0/0            0.0.0.0/0           
input_ext  all  --  0.0.0.0/0            0.0.0.0/0           
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET ' 
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP)
target     prot opt source               destination         
TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU 
forward_int  all  --  0.0.0.0/0            0.0.0.0/0           
forward_ext  all  --  0.0.0.0/0            0.0.0.0/0           
forward_ext  all  --  0.0.0.0/0            0.0.0.0/0           
forward_ext  all  --  0.0.0.0/0            0.0.0.0/0           
forward_ext  all  --  0.0.0.0/0            0.0.0.0/0           
forward_ext  all  --  0.0.0.0/0            0.0.0.0/0           
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING ' 
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED 
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-OUT-ERROR ' 

Chain forward_ext (5 references)
target     prot opt source               destination         
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 0 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 3 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 11 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 12 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 14 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 18 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 3 code 2 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 5 
DROP       all  --  0.0.0.0/0            0.0.0.0/0           PKTTYPE = multicast 
DROP       all  --  0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast 
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT ' 
LOG        icmp --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT ' 
LOG        udp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT ' 
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain forward_int (1 references)
target     prot opt source               destination         
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 0 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 3 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 11 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 12 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 14 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 18 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 3 code 2 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 5 
DROP       all  --  0.0.0.0/0            0.0.0.0/0           PKTTYPE = multicast 
DROP       all  --  0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast 
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT ' 
LOG        icmp --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT ' 
LOG        udp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT ' 
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain input_ext (6 references)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 4 
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp dpt:80 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP ' 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp dpt:53 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP ' 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53 
DROP       all  --  0.0.0.0/0            0.0.0.0/0           PKTTYPE = multicast 
DROP       all  --  0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast 
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT ' 
LOG        icmp --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT ' 
LOG        udp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT ' 
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain input_int (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain reject_func (0 references)
target     prot opt source               destination         
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset 
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-proto-unreachable 


Thanks for the fast reply!

btw these are my Firewall settings as they are displayed by Yast as a ‘detailed summary’:


Firewall Starting
• Enable firewall automatic starting
• Firewall starts after the configuration gets written

Internal Zone
Interfaces
• DL10050 Sundance Ethernet / eth1
Open Services, Ports, and Protocols
• Internal zone is unprotected. All ports are open.
 
Demilitarized Zone
• No interfaces assigned to this zone.
External Zone
Interfaces
• DL10050 Sundance Ethernet / eth2
• 'bond0' Unknown network interface.
• 'br0' Unknown network interface.
Open Services, Ports, and Protocols
• HTTP Server:
• TCP Ports: http (80)
• bind DNS server:
• TCP Ports: domain (53)
• UDP Ports: domain (53)

You don’t have masquerading active. You need to turn this on under firewall rules in YaST.

BTW, the fact you don’t have eth0 but have eth1 and eth2 suggests that you had fights with the network configuration. You may find it easier to go into YaST network device configuration and rename them to eth0 and eth1 first. Also delete bond0 and br0, they don’t appear to do anything.

Yes, that's true. I somehow just managed about half an hour ago to have real eth devices; before, I had (I don't know why) to use a bridge in order to connect to the internet…

Nevermind, I’ll fix that right now, but what you said about the Firewall in Yast:

I start YaST, then I go to the tab 'Security and Users', and then to the item 'Masquerading' and check 'Masquerade networks'.

When checking it, a listbox is enabled that allows adding 'Masquerade rules…'. This listbox is empty.

But even though I enable Masquerading in YaST, as you said, it is not really running…

Did you follow this page, and also Swerdna’s page linked from it?

ICS - openSUSE

Perhaps you should clean up your network interface names first.

OK, I'll try to clean up my network devices. Somehow they appear only in the firewall: when typing 'ifconfig' none of them appear, and when looking in the Network Devices section of YaST, br0 and bond0 don't appear either…

Should I try to delete them using the terminal? (But I wouldn't have any idea how to do that.)

And btw, eth0 is displayed because I have so many network cards; I just don't use eth0 because the eth0 network card is a little slower, but I think it's a smaller problem if eth0 is unused than if br0 and bond0 are in the firewall.

The link you posted is very good, thank you. It describes ICS really simply as a combination of
- IP forwarding
- masquerading
So I think I have just a very small problem, and this makes everything not work. Hopefully the problem is my weird Ethernet setup.