[SLL] Masquerading mystery

Robert Woodcock rcw at blarg.net
Wed Sep 26 15:31:05 PDT 2007


On Wed, Sep 26, 2007 at 08:23:23AM -0700, Brad Willson wrote:
> After much gnashing of teeth I come to the list for help with this...the
> problem is hosts in the subnet cannot resolve names.  Of course the
> subnet is all non-linux machines...
> 
> tcpdump -i eth0 output:
> 
> 07:49:49.312033 IP 192.168.10.229.1823 > kron.seanet.com.domain: 60694
> PTR? 1.0.0.127.in-addr.arpa. (40)
> 07:49:49.312129 IP 192.168.10.1 > 192.168.10.229: ICMP host
> kron.seanet.com unreachable - admin prohibited, length 76

This means that packets are going out *without* NAT translation and are
being rejected by your ISP (rightfully so). Also, because you do see the
packets going out, they *are* being forwarded.

> *nat
> -A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
> *mangle
> -A PREROUTING -i eth1 -j MARK --set-mark 0x9

You're overcomplicating this - there shouldn't be a need to do packet
mangling for a simple NAT setup. Just do:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
-- 
Robert Woodcock - rcw at blarg.net
"When you can measure what you are speaking about, and express it in numbers,
you know something about it; but when you cannot measure it, when you cannot
express it in numbers, your knowledge is of a meager and unsatisfactory
kind: it may be the beginning of knowledge, but you have scarcely, in your
thoughts, advanced to the stage of science."
	-- William Thomson, Lord Kelvin
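The diagnosis above rests on one observation: a packet seen leaving with a 192.168.x.x source address has not been masqueraded. The following script, added here as an example and not part of the original thread, automates that check over tcpdump output so that a capture on the external interface can be scanned for un-NATed egress. The capture lines are constructed for the example (the first is modelled on the one quoted above, the rest use RFC 5737 documentation addresses); the tcpdump field layout `TIME IP SRC.PORT > DST.PORT: ...` is assumed, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: flag packets on the external interface that still carry an
# RFC 1918 (10/8, 172.16/12, 192.168/16) source address. Such a packet left
# the router without NAT, which is what the "admin prohibited" ICMP reply
# in the thread indicates. Not code from the original message.

# Constructed sample capture (not a real session). Line 1 mirrors the PTR
# query quoted in the thread; line 2 is a correctly masqueraded packet from
# a public (documentation-range) address; line 3 is another leak from a
# 172.16/12 address, to exercise that part of the range check.
SAMPLE_CAPTURE='07:49:49.312033 IP 192.168.10.229.1823 > kron.seanet.com.domain: 60694 PTR? 1.0.0.127.in-addr.arpa. (40)
07:49:50.000100 IP 203.0.113.7.40000 > 198.51.100.53.domain: 1234 A? example.com. (30)
07:49:50.000200 IP 172.20.1.5.5353 > 198.51.100.53.domain: 4321 A? example.org. (30)'

# Read tcpdump lines on stdin; print those whose source is a private address.
# Field 3 is "addr.port" (or "host.service" with name resolution on), so the
# trailing dotted component is stripped before the address is tested.
flag_unnatted_egress() {
    awk '$2 == "IP" {
        src = $3
        sub(/\.[^.]*$/, "", src)   # drop the port / service suffix
        if (src ~ /^10\./ ||
            src ~ /^172\.(1[6-9]|2[0-9]|3[01])\./ ||
            src ~ /^192\.168\./) {
            print
        }
    }'
}

# Number of un-NATed packets in a capture passed as a single string.
count_unnatted_egress() {
    printf '%s\n' "$1" | flag_unnatted_egress | wc -l | tr -d ' '
}

# Stand-alone run: report what the sample capture contains.
echo "un-NATed packets in sample: $(count_unnatted_egress "$SAMPLE_CAPTURE")"
printf '%s\n' "$SAMPLE_CAPTURE" | flag_unnatted_egress
```

In practice the input would come from `tcpdump -n -i <external interface>` on the router; any non-zero count after the POSTROUTING MASQUERADE rule is in place means that rule is not matching the forwarded traffic (wrong `-o` interface, or rules in the wrong table), and the offending lines show which internal hosts are leaking.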