Description of problem:
system-config-firewall used to allow user to configure Masquerading (NAT) easily in system-config-firewall-1.0.8-3.fc8. But this function is broken in F9, probably because
1. missing rule in mangle table.
2. rule in nat table "-A POSTROUTING -o eth1 -j MASQUERADE" does not do NAT. This is probably a newer, supposedly better, way to do NAT, but I couldn't get it to work.

Version-Release number of selected component (if applicable):
broken in these versions:
  system-config-firewall-1.2.10-1.fc9
  system-config-firewall-1.2.7-1.fc9
  system-config-firewall-1.0.12-4.fc8
worked fine in this version:
  system-config-firewall-1.0.8-3.fc8  <-- comes with F8 installation CD.

How reproducible:
always.

Steps to Reproduce:
1. start system-config-firewall.
2. Select "Masquerading".
3. select an interface, eg. "eth1".
4. click "Apply", and "yes".
5. connect another host (h2) to eth1.
6. configure h2 to use this host ("h1") as gateway.
7. on h2, ping an outside address, eg. fapa.org.

              +-----h1-----+
    world --- |eth0    eth1| --- h2
              +------------+     192.168.98.51
                        ^^192.168.98.1

- eth1 has ip 192.168.98.1
- eth1 is configured with Masquerading.
- h2 has ip 192.168.98.51, and uses 192.168.98.1 as default gw.

Actual results:
- NAT not working.
- traffic from eth1 is dropped;
- h2 unable to ping outside world.

Expected results:
- NAT should be working.
- h2 can ping outside world via eth1 (the one configured with masquerading).

Additional info:
- on the good version (system-config-firewall-1.0.8-3.fc8), after configuring masquerading, the file /etc/sysconfig/iptables has these lines:

    *mangle
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    -A PREROUTING -i eth1 -j MARK --set-mark 0x9
    COMMIT
    *nat
    :PREROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    -A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
    COMMIT
    ...

- on the bad versions (system-config-firewall-1.0.12-4.fc8 etc.), after configuring masquerading, the file /etc/sysconfig/iptables has these lines:

    *nat
    :PREROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    -A POSTROUTING -o eth1 -j MASQUERADE
    COMMIT
    ...

- on an F9 system, do this manually:

    iptables -t mangle -A PREROUTING -i eth1 -j MARK --set-mark 0x9
    iptables -t nat -A POSTROUTING -m mark --mark 0x9 -j MASQUERADE

  and NAT works, as it did with system-config-firewall-1.0.8-3.fc8 (the one on F8 DVD).

- this bug, Bug 426720 "Masquerading doesn't allow packets to be forwarded by default", is somewhat related to this bug, but is a different issue.
The new version is using the MASQUERADE target on the external interface. The old version has had problems with dynamic and dialup connections and also in combination with port forwarding. Please mark the external interface to be masqueraded. For your setup: eth0
Thomas, Thanks! That worked well. So in F9 I need to mark the external interface as masqueraded, while in F8 I need to mark the private interface as masqueraded. Is there a place I can find this info? I tried s-c-firewall -> Help, man s-c-firewall, didn't see related info. I'll attempt to close this bug.
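The thread turns on which interface the MASQUERADE rule is keyed to: the F8 ruleset marks packets arriving on the private interface (eth1) and masquerades by mark, while the F9 ruleset masquerades by output interface, so it must name the external one (eth0). The following script is an added example, not code from the bug report or from system-config-firewall: it parses the iptables-save format quoted above, resolves both rule styles to the interface they actually select, and flags the mismatch the reporter hit. The three rulesets are constructed from the excerpts in the report, and eth0/eth1 as external/private follows the reporter's diagram.

```python
"""Check which interface a saved iptables ruleset really masquerades.

Added example; not part of the bug report or of system-config-firewall.
Assumes eth0 is the external (world-facing) interface and eth1 the private
one, as in the reporter's diagram. Rulesets are constructed from the report.
"""
import shlex

# Constructed from the report: F8 mark-based ruleset. The mark is set on the
# interface packets ARRIVE on (private side), then matched in nat POSTROUTING.
F8_RULES = """\
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -j MARK --set-mark 0x9
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
COMMIT
"""

# Constructed from the report: F9 ruleset keyed on the OUTPUT interface.
# Selecting eth1 (private side) is the broken case; eth0 is Thomas's advice.
F9_TEMPLATE = """\
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o {iface} -j MASQUERADE
COMMIT
"""
F9_WRONG_RULES = F9_TEMPLATE.format(iface="eth1")
F9_RIGHT_RULES = F9_TEMPLATE.format(iface="eth0")


def parse_rules(text):
    """Return {table: [token list per '-A' rule]} from iptables-save format."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
            tables.setdefault(table, [])
        elif line.startswith("-A ") and table is not None:
            tables[table].append(shlex.split(line))
        # ':CHAIN POLICY [pkts:bytes]', COMMIT and comments carry no rule.
    return tables


def _opt(tokens, flag):
    """Value following `flag` in a rule, or None if the flag is absent."""
    if flag in tokens and tokens.index(flag) + 1 < len(tokens):
        return tokens[tokens.index(flag) + 1]
    return None


def _mark_value(text):
    """Normalise '0x9', '9' or '0x9/0xff' to the integer mark value."""
    return int(text.split("/")[0], 0)


def masquerade_selectors(tables):
    """Describe what each nat POSTROUTING MASQUERADE rule selects.

    'out:<iface>'        keyed on the output interface (F9 style)
    'mark-from:<iface>'  keyed on a fwmark, resolved via the mangle
                         PREROUTING MARK rule that set it (F8 style)
    'mark-unresolved:<m>' fwmark no mangle rule sets
    'any'                no interface or mark selector at all
    """
    mark_sources = {}
    for tokens in tables.get("mangle", []):
        if tokens[1] == "PREROUTING" and _opt(tokens, "-j") == "MARK":
            mark, iface = _opt(tokens, "--set-mark"), _opt(tokens, "-i")
            if mark and iface:
                mark_sources.setdefault(_mark_value(mark), set()).add(iface)
    found = set()
    for tokens in tables.get("nat", []):
        if tokens[1] != "POSTROUTING" or _opt(tokens, "-j") != "MASQUERADE":
            continue
        out, mark = _opt(tokens, "-o"), _opt(tokens, "--mark")
        if out:
            found.add("out:" + out)
        elif mark:
            sources = mark_sources.get(_mark_value(mark))
            found.update("mark-from:" + i for i in sources) if sources \
                else found.add("mark-unresolved:" + mark)
        else:
            found.add("any")
    return found


def check_masquerade(text, external, internal):
    """Return (ok, findings); ok when the ruleset masquerades exactly the
    traffic leaving `external` that entered from `internal`."""
    findings = []
    selectors = masquerade_selectors(parse_rules(text))
    if not selectors:
        findings.append("no MASQUERADE rule in nat POSTROUTING")
    for sel in sorted(selectors):
        kind, _, iface = sel.partition(":")
        if kind == "out" and iface != external:
            # Source rewriting happens only for packets leaving `iface`, so
            # traffic leaving the real external interface keeps its private
            # source address: no NAT, exactly the reporter's symptom.
            findings.append(f"MASQUERADE keyed on -o {iface}, external is {external}")
        elif kind == "mark-from" and iface != internal:
            findings.append(f"fwmark set on -i {iface}, private side is {internal}")
        elif kind == "mark-unresolved":
            findings.append(f"fwmark {iface} is never set in mangle PREROUTING")
        elif kind == "any":
            findings.append("MASQUERADE has no selector; also rewrites private-side traffic")
    return (not findings, findings)


if __name__ == "__main__":
    for name, rules in (("F8", F8_RULES), ("F9 eth1", F9_WRONG_RULES), ("F9 eth0", F9_RIGHT_RULES)):
        ok, findings = check_masquerade(rules, external="eth0", internal="eth1")
        print(name, "OK" if ok else "BROKEN", findings)
```

Run against the three constructed rulesets, the F8 mark-based file and the F9 file keyed on eth0 both pass, while the F9 file keyed on eth1 is reported as masquerading the wrong interface. The same `check_masquerade` call can be pointed at a real /etc/sysconfig/iptables after clicking Apply, which is the check the reporter was missing.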