Bug 458511 - masquerading not working, missing rule in mangle table
Product: Fedora
Classification: Fedora
Component: system-config-firewall
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-08-08 23:51 EDT by Tim Taiwanese Liim
Modified: 2008-08-14 16:40 EDT (History)
Doc Type: Bug Fix
Last Closed: 2008-08-14 16:40:10 EDT
Attachments: None
Description Tim Taiwanese Liim 2008-08-08 23:51:00 EDT
Description of problem:
    system-config-firewall used to allow user to configure
    Masquerading (NAT) easily in system-config-firewall-1.0.8-3.fc8.
    But this function is broken in F9, probably because:
    1. a rule is missing in the mangle table;
    2. the rule in the nat table, "-A POSTROUTING -o eth1 -j MASQUERADE",
       does not do NAT.  This is probably a newer, supposedly
       better, way to do NAT, but I couldn't get it to work.

Version-Release number of selected component (if applicable):
    broken in these versions:
    worked fine in this version:
          ^^ comes with F8 installation CD.

How reproducible:

Steps to Reproduce:
    1. start system-config-firewall.
    2. Select "Masquerading".
    3. select an interface, e.g. "eth1".
    4. click "Apply", and "yes".
    5. connect another host (h2) to eth1.
    6. configure h2 to use this host ("h1") as gateway.
    7. on h2, ping an outside address, e.g. fapa.org.

       world --- |eth0    eth1| ---  h2
       - eth1 has ip
       - eth1 is configured with Masquerading.
       - h2   has ip, and uses
            as default gw.

Actual results:
    - NAT not working.
    - traffic from eth1 is dropped; 
    - h2 unable to ping outside world.

Expected results:
    - NAT should be working.
    - h2 can ping outside world via eth1 (the one configured
      with masquerading).

Additional info:
    - on the good version (system-config-firewall-1.0.8-3.fc8),
      after configuring masquerading, the file
      has these lines:
          *mangle
          :PREROUTING ACCEPT [0:0]
          :INPUT ACCEPT [0:0]
          :FORWARD ACCEPT [0:0]
          :OUTPUT ACCEPT [0:0]
          :POSTROUTING ACCEPT [0:0]
          -A PREROUTING -i eth1 -j MARK --set-mark 0x9
          *nat
          :PREROUTING ACCEPT [0:0]
          :OUTPUT ACCEPT [0:0]
          :POSTROUTING ACCEPT [0:0]
          -A POSTROUTING -m mark --mark 0x9 -j MASQUERADE

    - on the bad versions (system-config-firewall-1.0.12-4.fc8 etc.),
      after configuring masquerading, the file
      has these lines:
          *nat
          :PREROUTING ACCEPT [0:0]
          :OUTPUT ACCEPT [0:0]
          :POSTROUTING ACCEPT [0:0]
          -A POSTROUTING -o eth1 -j MASQUERADE

    - on an F9 system, do this manually:
          iptables -t mangle -A PREROUTING -i eth1 -j MARK --set-mark 0x9
          iptables -t nat    -A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
      and NAT works, as it did with system-config-firewall-1.0.8-3.fc8 (the
      one on F8 DVD).

    - this bug
          Bug 426720 Masquerading doesn't allow packets to be forwarded by default
      is somewhat related to this bug, but is a different issue.
Comment 1 Thomas Woerner 2008-08-11 06:34:19 EDT
The new version is using the MASQUERADE target on the external interface. The old version had problems with dynamic and dialup connections and also in combination with port forwarding.

Please mark the external interface to be masqueraded. For your setup: eth0
Comment 2 Tim Taiwanese Liim 2008-08-14 16:40:10 EDT
Thanks!  That worked well.  So in F9 I need to mark the external
interface as masqueraded, while in F8 I need to mark the private
interface as masqueraded.  Is there a place I can find this info?  I
tried s-c-firewall -> Help and man s-c-firewall, but didn't see related info.

I'll attempt to close this bug.
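Added example (not code from this bug report or from system-config-firewall): a POSIX shell script that writes the F9-style ruleset described in Comment 1, with MASQUERADE keyed on the *outgoing* (external) interface, next to the F8-style mark-based layout quoted in the description, and a check that tells the two apart and flags the reporter's mistake of selecting the private interface. Interface names eth0 (external) and eth1 (private) follow the reporter's diagram; the FORWARD rules, the ip_forward sysctl and all function names are my assumptions and not part of the tool's own output.

```shell
#!/bin/sh
# Added example, not from system-config-firewall or the bug report.
# F9-style NAT: MASQUERADE selected by the interface packets LEAVE on.
# Assumed: "$1" = external interface (world side), "$2" = private LAN side.
# The FORWARD rules and ip_forward sysctl are my additions so the box
# actually forwards; s-c-firewall's own output only showed the nat table.
masq_ruleset() {
    ext="$1"
    int="$2"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $ext -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $ext -o $int -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $int -o $ext -j ACCEPT
COMMIT
EOF
}

# F8-style layout from the description, for comparison: mark packets
# ENTERING the private interface, then masquerade by mark.
# Assumed: "$1" = private interface.
f8_style_ruleset() {
    int="$1"
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $int -j MARK --set-mark 0x9
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
COMMIT
EOF
}

# Read an iptables-save dump on stdin and report how masquerading is set up
# relative to the external interface "$1":
#   0 = MASQUERADE on the external interface (what F9 expects)
#   2 = old mark-based layout (F8 era)
#   1 = no usable MASQUERADE rule (e.g. the private interface was selected)
check_masq() {
    ext="$1"
    dump=$(cat)
    if printf '%s\n' "$dump" | grep -q -- "-A POSTROUTING -o $ext -j MASQUERADE"; then
        echo "ok: MASQUERADE on external interface $ext"
        return 0
    fi
    if printf '%s\n' "$dump" | grep -q -- "-m mark --mark .* -j MASQUERADE"; then
        echo "old-style mark-based MASQUERADE (F8 layout)"
        return 2
    fi
    echo "no MASQUERADE rule for $ext (wrong interface selected?)"
    return 1
}

# Apply for real: needs root, iptables-restore and the nf_nat modules.
apply_masq() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    masq_ruleset "$1" "$2" | iptables-restore
}

# Demo: ./masq.sh --demo  (or run check_masq against `iptables-save`)
if [ "${1:-}" = "--demo" ]; then
    masq_ruleset eth0 eth1
    masq_ruleset eth0 eth1 | check_masq eth0      # correct: external side
    masq_ruleset eth1 eth0 | check_masq eth0      # the reporter's mistake
    f8_style_ruleset eth1 | check_masq eth0       # F8-era file
fi
```

On a live F9 box, `iptables-save | check_masq eth0` is the quick way to confirm the tool wrote the rule for the world-facing interface before chasing the mangle table; the F8 and F9 files are not interchangeable, since F8 marks traffic entering the private side while F9 matches traffic leaving the external side.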
