
I'm trying to configure Ubuntu 14.04 to act as a NAT gateway between a private and public network.

  • Public Interface -> eth0 (178.x.x.x)
  • Private Interface -> eth0:0 (192.168.206.190/17)

I've tried many combinations of iptables rules, but I can't get traffic to route out. I have confirmed that the gateway can see the internet, and the hosts on the private network can see the gateway, and the default gateway is set correctly.

net.ipv4.ip_forward=1 is set in sysctl.

My iptables rules are below. My iptables experience is minimal, so it's quite possible I've missed something.

# Generated by iptables-save v1.4.21 on Thu Apr 21 12:38:44 2016
*security
:INPUT ACCEPT [215:14912]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [133:16208]
COMMIT
# Completed on Thu Apr 21 12:38:44 2016
# Generated by iptables-save v1.4.21 on Thu Apr 21 12:38:44 2016
*raw
:PREROUTING ACCEPT [215:14912]
:OUTPUT ACCEPT [133:16208]
COMMIT
# Completed on Thu Apr 21 12:38:44 2016
# Generated by iptables-save v1.4.21 on Thu Apr 21 12:38:44 2016
*nat
:PREROUTING ACCEPT [3:132]
:INPUT ACCEPT [3:132]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Apr 21 12:38:44 2016
# Generated by iptables-save v1.4.21 on Thu Apr 21 12:38:44 2016
*mangle
:PREROUTING ACCEPT [215:14912]
:INPUT ACCEPT [215:14912]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [133:16208]
:POSTROUTING ACCEPT [133:16208]
COMMIT
# Completed on Thu Apr 21 12:38:44 2016
# Generated by iptables-save v1.4.21 on Thu Apr 21 12:38:44 2016
*filter
:INPUT ACCEPT [46:3296]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [28:3484]
-A FORWARD -i eth0:0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth0:0 -j ACCEPT
COMMIT
# Completed on Thu Apr 21 12:38:44 2016

iptables -L -v

Chain INPUT (policy ACCEPT 15 packets, 1044 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0:0 eth0    anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth0:0  anywhere             anywhere

Chain OUTPUT (policy ACCEPT 10 packets, 1016 bytes)
 pkts bytes target     prot opt in     out     source               destination

Here is configuration of a host on the private network:

netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         nat             0.0.0.0         UG        0 0          0 eth0
192.168.128.0   *               255.255.128.0   U         0 0          0 eth0

ping of 'nat' confirms host can see 'nat':

ping nat
PING nat (192.168.206.190) 56(84) bytes of data.
64 bytes from nat (192.168.206.190): icmp_seq=1 ttl=64 time=0.359 ms

ping of 8.8.8.8 shows no traffic routing:

ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms
epea

  • You should only need to `MASQUERADE` in one direction, specifically for packets leaving the LAN and heading towards the WAN. There's no need for packets coming back from the WAN to be NATed to the gateway's IP. So try again without the `MASQUERADE` rule for `-o eth0:0`. – Cosmic Ossifrage Apr 21 '16 at 13:03
  • Thanks. I have removed suggested line and applied, but still nothing is routing. I have updated the iptables rules to reflect the current ruleset, added the output of the current iptables -L -v if this helps. – epea Apr 21 '16 at 13:13
  • How are you testing? At the outset, I would use simple `ping` tests to a host you know is up, rather than attempting to use higher level protocols (e.g. don't open a web browser yet). Try `ping ` i.e. `ping 4.2.2.2` or similar. Your `iptables -L -v` dump shows no packets are being accepted in the `FORWARD` chain at all, which suggests nothing is reaching the box. Is the default gateway of your clients on the private LAN set to the IP of the Ubuntu box LAN interface? – Cosmic Ossifrage Apr 21 '16 at 13:16
  • I've added edits to show routing on private host, as well as testing. As a side note, these hosts are on Linode, I don't know if their network routing / MAC filtering is causing issues, I have a ticket in with them. – epea Apr 21 '16 at 13:20
  • I've used tcpdump and concluded that no ICMP packets are making it to the 'nat' host when pinging 8.8.8.8. So this looks to be either a routing issue on the private host, or a hypervisor/network level filter. – epea Apr 21 '16 at 13:47
  • Yep, sounds like you need to talk to Linode in that case. – Cosmic Ossifrage Apr 21 '16 at 15:00
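
An added lint (an editor's example, not code from the thread) that parses iptables-save output and flags what a reviewer would question in the ruleset above: an interface given with an alias suffix such as eth0:0, which iptables can never match because the kernel delivers the packet on the real device eth0; a MASQUERADE rule with no -s restriction to the LAN prefix; and a FORWARD chain whose default policy is ACCEPT. The hardened ruleset included for comparison assumes the private network sits on a real second NIC, eth1 (an assumption; the thread has both addresses on eth0), takes the 192.168.128.0/17 prefix from the private host's routing table, and says nothing about whether packets reach the gateway at all, which is the separate question the comments settle.

```python
# Constructed copy of the asker's *nat and *filter tables (iptables-save format).
WEAK_RULESET = """\
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i eth0:0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth0:0 -j ACCEPT
COMMIT
"""

# Hardened equivalent; assumes the LAN is on a real second NIC, eth1 (assumption).
HARDENED_RULESET = """\
*nat
-A POSTROUTING -s 192.168.128.0/17 -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s 192.168.128.0/17 -j ACCEPT
COMMIT
"""

def parse_save(text):
    """Parse iptables-save text into {table: {"policies": {chain: policy}, "rules": [tokens]}}."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):            # table header, e.g. "*nat"
            table = tables.setdefault(line[1:], {"policies": {}, "rules": []})
        elif line.startswith(":"):          # chain policy, e.g. ":FORWARD ACCEPT [0:0]"
            chain, policy = line[1:].split()[:2]
            table["policies"][chain] = policy
        elif line.startswith("-A"):         # a rule; keep its argv-style tokens
            table["rules"].append(line.split())
    return tables                           # comments, COMMIT and blanks fall through

def lint_nat_gateway(text):
    """Return human-readable findings for a NAT gateway ruleset (empty list = clean)."""
    tables, findings = parse_save(text), []
    for tname, table in tables.items():
        for rule in table["rules"]:
            for flag in ("-i", "-o"):
                iface = rule[rule.index(flag) + 1] if flag in rule else ""
                if ":" in iface:  # "eth0:0" is an address label; the device is "eth0"
                    findings.append(f"{tname}: '{flag} {iface}' names an alias, never matches")
            if "MASQUERADE" in rule and "-s" not in rule:
                findings.append(f"{tname}: MASQUERADE has no -s LAN prefix; NATs any forwarded source")
    if tables.get("filter", {}).get("policies", {}).get("FORWARD") == "ACCEPT":
        findings.append("filter: FORWARD policy ACCEPT; unmatched traffic is forwarded")
    return findings
```

Run against the asker's tables it reports four findings (both alias rules, the unrestricted MASQUERADE and the open FORWARD policy); the hardened ruleset reports none.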

2 Answers


I think the problem is in this rule

-A FORWARD -i eth0:0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

You have to change the position of the interfaces

-A FORWARD -i eth0 -o eth0:0 -m state --state RELATED,ESTABLISHED -j ACCEPT
stambata

  • Thanks, but that has not resolved the issue, but it may do once I fix the network level issue. I'm waiting on Linode to confirm what sort of filtering is in place to stop the packets traversing the private network. – epea Apr 21 '16 at 15:44

The provider (Linode) filters traffic by IP address at the hypervisor/network level, so traffic with public IP addresses will not traverse the private network at all. I've changed provider now and NAT is working just fine.

epea