Bug 458511

Summary: masquerading not working, missing rule in mangle table
Product: [Fedora] Fedora
Reporter: Tim Taiwanese Liim <tim.liim>
Component: system-config-firewall
Assignee: Thomas Woerner <twoerner>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 9
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-08-14 20:40:10 UTC

Description Tim Taiwanese Liim 2008-08-09 03:51:00 UTC
Description of problem:
    system-config-firewall used to allow user to configure
    Masquerading (NAT) easily in system-config-firewall-1.0.8-3.fc8.
    But this function is broken in F9, probably because
    1. missing rule in mangle table.
    2. rule in nat table "-A POSTROUTING -o eth1 -j MASQUERADE"
       does not do NAT.  This is probably a newer, supposedly
       better, way to do NAT, but I couldn't get it to work.

Version-Release number of selected component (if applicable):
    broken in these versions:
        system-config-firewall-1.2.10-1.fc9 
        system-config-firewall-1.2.7-1.fc9
        system-config-firewall-1.0.12-4.fc8
    worked fine in this version:
        system-config-firewall-1.0.8-3.fc8
          ^^ comes with F8 installation CD.

How reproducible:
    always.

Steps to Reproduce:
    1. start system-config-firewall.
    2. Select "Masquerading".
    3. select an interface, e.g. "eth1".
    4. click "Apply", and "yes".
    5. connect another host (h2) to eth1.
    6. configure h2 to use this host ("h1") as gateway.
    7. on h2, ping an outside address, e.g. fapa.org.

                 +-----h1-----+
       world --- |eth0    eth1| ---  h2
                 +------------+      192.168.98.51
                           ^^192.168.98.1
       - eth1 has ip 192.168.98.1
       - eth1 is configured with Masquerading.
       - h2   has ip 192.168.98.51, and uses
                     192.168.98.1 as default gw.

Actual results:
    - NAT not working.
    - traffic from eth1 is dropped; 
    - h2 unable to ping outside world.

Expected results:
    - NAT should be working.
    - h2 can ping outside world via eth1 (the one configured
      with masquerading).

Additional info:
    - on the good version (system-config-firewall-1.0.8-3.fc8),
      after configuring masquerading, the file
          /etc/sysconfig/iptables
      has these lines:
          *mangle
          :PREROUTING ACCEPT [0:0]
          :INPUT ACCEPT [0:0]
          :FORWARD ACCEPT [0:0]
          :OUTPUT ACCEPT [0:0]
          :POSTROUTING ACCEPT [0:0]
          -A PREROUTING -i eth1 -j MARK --set-mark 0x9
          COMMIT
          *nat
          :PREROUTING ACCEPT [0:0]
          :OUTPUT ACCEPT [0:0]
          :POSTROUTING ACCEPT [0:0]
          -A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
          COMMIT
          ...

    - on the bad versions (system-config-firewall-1.0.12-4.fc8 etc.),
      after configuring masquerading, the file
          /etc/sysconfig/iptables
      has these lines:
          *nat
          :PREROUTING ACCEPT [0:0]
          :OUTPUT ACCEPT [0:0]
          :POSTROUTING ACCEPT [0:0]
          -A POSTROUTING -o eth1 -j MASQUERADE
          COMMIT
          ...

    - on an F9 system, do this manually:
          iptables -t mangle -A PREROUTING -i eth1 -j MARK --set-mark 0x9
          iptables -t nat    -A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
      and NAT works, as it did with system-config-firewall-1.0.8-3.fc8 (the
      one on F8 DVD).

    - this bug
          Bug 426720 Masquerading doesn't allow packets to be forwarded by default
      is somewhat related to this bug, but is a different issue.

Comment 1 Thomas Woerner 2008-08-11 10:34:19 UTC
The new version is using the MASQUERADE target on the external interface. The old version had problems with dynamic and dialup connections and also in combination with port forwarding.

Please mark the external interface to be masqueraded. For your setup: eth0
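The two rule styles quoted in this bug (the F8 generator's mangle-mark rule keyed on the inbound LAN interface, and the F9 generator's plain `-o <external> -j MASQUERADE`) are easy to confuse when reading `/etc/sysconfig/iptables`. The script below is an added example, not code from the bug report or from system-config-firewall: `masq_ruleset` prints a minimal iptables-restore ruleset that masquerades out of the external interface the way Thomas describes, and `masq_iface` reads a ruleset and reports which interface, and in which direction, the MASQUERADE rule actually keys on. The interface names eth0 (external) and eth1 (LAN) are the reporter's; the function names and the FORWARD rules in the filter table are this example's own assumptions (the bug's dumps show only the nat and mangle tables).

```shell
#!/bin/sh
# Added example for bug 458511; not part of system-config-firewall.
# eth0 = external (world), eth1 = LAN (h2 side), as in the reporter's diagram.

# Print an iptables-restore ruleset that NATs LAN traffic out of the
# EXTERNAL interface $1 (F9 semantics: "-o <external> -j MASQUERADE")
# and forwards between $1 and the LAN interface $2.  The filter-table
# FORWARD rules are an assumption of this example, not from the bug.
masq_ruleset() {
    ext="$1"
    lan="$2"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ${ext} -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i ${lan} -o ${ext} -j ACCEPT
-A FORWARD -i ${ext} -o ${lan} -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Read an /etc/sysconfig/iptables-style ruleset on stdin and print what the
# MASQUERADE rule keys on:
#   out:<iface>  new style, matches packets LEAVING via the external interface
#   in:<iface>   old style, "-m mark --mark N" resolved through the mangle
#                PREROUTING rule that set N on packets ARRIVING on the LAN side
masq_iface() {
    awk '
        /-j MARK/ {
            iface = ""; mark = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-i")         iface = $(i + 1)
                if ($i == "--set-mark") mark  = $(i + 1)
            }
            if (mark != "") markif[mark] = iface
        }
        /-j MASQUERADE/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "-o")     print "out:" $(i + 1)
                if ($i == "--mark") print "in:"  markif[$(i + 1)]
            }
        }'
}

# Stand-alone usage: show the F9-style ruleset and what it keys on.
masq_ruleset eth0 eth1
echo "masquerade keyed on: $(masq_ruleset eth0 eth1 | masq_iface)"
```

To check a live system, run `masq_iface < /etc/sysconfig/iptables`: `out:eth0` is the F9 form with the external interface selected, `out:eth1` means the LAN interface was ticked in the GUI (the misconfiguration in this bug), and `in:eth1` is the F8 mark-based form. Loading the generated ruleset is `masq_ruleset eth0 eth1 | iptables-restore` as root, and forwarding still has to be enabled separately with `sysctl -w net.ipv4.ip_forward=1`.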

Comment 2 Tim Taiwanese Liim 2008-08-14 20:40:10 UTC
Thomas,
Thanks!  That worked well.  So in F9 I need to mark the external
interface as masqueraded, while in F8 I need to mark the private
interface as masqueraded.  Is there a place I can find this info?  I
tried s-c-firewall -> Help, man s-c-firewall, didn't see related info.

I'll attempt to close this bug.