Masquerade problem

Posted on 2002-04-12
Last Modified: 2010-04-20
I would like to connect my Windows ( to the Internet through Linux (eth1: I use the following commands:

echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/modprobe ip_tables iptable_nat iptable_nat_ftp
/sbin/modprobe ip_conntrack ip_conntrack_ftp
/sbin/iptables -t nat -A POSTROUTING -o eth0 -s -j MASQUERADE

However, it won't work.

I can connect to the Internet in Linux;
I can ping from Windows to Linux;
When I try to browse a site in Windows, the send and receive lights are blinking but the page cannot be displayed;

Question by:andersy
LVL 51

Expert Comment

ID: 6938527
Sounds like a routing problem on Windows. What does the following on Windows tell you:

   netstat -rn
   ipconfig -all

Author Comment

ID: 6938805
Hi ahoffmann,

netstat -rn:

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
       1       1       1       1       1       1       1
Default Gateway:
Persistent Routes:

Active Connections
  Proto  Local Address          Foreign Address        State

ipconfig -all:

0 Ethernet adapter :

        Description . . . . . . . . : NDIS 5.0 driver
        Physical Address. . . . . . : 00-C1-26-01-B4-73
        DHCP Enabled. . . . . . . . : Yes
        IP Address. . . . . . . . . :
        Subnet Mask . . . . . . . . :
        Default Gateway . . . . . . :
        DHCP Server . . . . . . . . :
        Primary WINS Server . . . . :
        Secondary WINS Server . . . :
        Lease Obtained. . . . . . . : 04 13 02 PM 10:26:59
        Lease Expires . . . . . . . : 04 14 02 AM 04:26:59
LVL 51

Expert Comment

ID: 6939032
looks good, and what does

     iptables -L -n

on Linux report?
Author Comment

ID: 6939759
# /sbin/iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Expert Comment

ID: 6940027
Your problem is most likely a Windows problem. Have you told Windows about the router? Under TCP/IP properties,
click Advanced. Then click on the button under default gateways. Add metric 1.

Give that a go

Expert Comment

ID: 6940366
This is not a Windows problem. First, you have to define that value in the PREROUTING table, not POST.

2nd - You are mixing IPchains and IPTables commands, you have to stick with one or the other.

Oh... and it's not called masquerading anymore; it's now referred to as NAT (Network Address Translation) (:

Anyhow, download this dude's firewall/NAT script. You have some very minor changes to make to the script, and you'll be up and running with a fairly secure firewall to boot.

LVL 51

Accepted Solution

ahoffmann earned 100 total points
ID: 6941305
> ... not POST
It must be POSTROUTING in iptables; the iptables command provided in the question is correct (I'm not sure about the modprobes, 'cause I never use modules, for security :)

> 2nd ..
I do not see any reference to ipchains here.

> .. not called masquerading anymore
It's right that the correct term is NAT, but since the early days of netfilter (ipfw, ipchains) the special n-to-1 NAT is called masquerading. And people tend to use this term, masquerading, if they refer to n-to-1 NAT.

I think the interface is specified wrong in your iptables command. Are you sure that your Internet traffic is going through eth0? As you specified the iptables command, the interface for the -o option must be the one connected to your ISP, not the one to the LAN.
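
As an added example (not code from the thread or from ahoffmann): a small POSIX shell script that takes the accepted answer's point literally, reading the ISP-facing interface off the default route instead of hard-coding eth0, and emits the MASQUERADE rule for it together with FORWARD rules that only pass LAN-originated traffic, which goes one step beyond the thread's single POSTROUTING rule. The LAN interface, LAN network and the sample `route -n` table are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: pick the ISP-facing interface from the
# kernel routing table (the interface of the default route) and emit n-to-1
# NAT (masquerade) rules whose -o option names that interface, plus FORWARD
# rules that only pass traffic originating from the LAN side.
# LAN interface and network below are assumptions, not values from the thread.

# Constructed sample of `route -n` output so the script runs offline;
# on a real router replace it with: SAMPLE_ROUTES=$(route -n)
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
24.0.0.0        0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         24.0.0.1        0.0.0.0         UG    0      0        0 eth0'

# wan_iface ROUTE_TABLE -> interface carrying the default route (0.0.0.0/0.0.0.0)
wan_iface() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $NF; exit }'
}

# nat_rules WAN LAN LAN_NET -> iptables commands, one per line, for n-to-1 NAT
nat_rules() {
    wan=$1 lan=$2 lan_net=$3
    cat <<EOF
iptables -t nat -A POSTROUTING -o $wan -s $lan_net -j MASQUERADE
iptables -P FORWARD DROP
iptables -A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Dry run by default: print the rules derived from the sample table.
# Pass "apply" to execute them (needs root and a real routing table).
WAN=$(wan_iface "$SAMPLE_ROUTES")
LAN=eth1                 # assumed LAN-side NIC
LAN_NET=192.168.1.0/24   # assumed LAN network
if [ -z "$WAN" ]; then
    echo "no default route found; is the ISP link up?" >&2
    exit 1
fi
if [ "${1:-}" = "apply" ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    nat_rules "$WAN" "$LAN" "$LAN_NET" | sh -e
else
    nat_rules "$WAN" "$LAN" "$LAN_NET"
fi
```

With the sample table the script resolves the default route to eth0 and prints a rule set whose -o interface is the WAN side, which is exactly the check the accepted answer asks the questioner to make.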

Expert Comment

ID: 6942503
Well, on my firewall, the command I use to get NAT working is PREROUTING.

I find that most references to masquerading are made using a 2.2 kernel and ipchains. On the other hand, when I see references to 2.4 and IPTables, then NAT is a big deal; maybe something I just noticed.....


Author Comment

ID: 6943632
Hello Ahoffmann,

I've checked many times that eth0 is connected to the Internet; it is not with IP I think the HTTP request can be sent out from Windows; however, the response cannot be routed back to Windows...

Anyway, many thanks to both of you.

Author Comment

ID: 6943639
Thanks ahoffmann.

Expert Comment

ID: 6943880
It doesn't sound like your problem was solved, was it?

LVL 51

Expert Comment

ID: 6943953
> ..that eth0 is connected to the Internet, it is not with IP

Sounds like we're all misunderstanding something.
Either eth0 is connected to the Internet, then it definitely cannot have, and you can no longer ping your other machines on the same LAN.
Or your Internet connection goes through another interface, for example ppp0 or ippp0, which cannot have either. In this case your iptables command is wrong (interface to the -o option), as I said in a previous comment.

Author Comment

ID: 6944162
Maybe I didn't describe my system clearly...

My Linux has 2 NICs: eth0 is connected to the Internet through a cable modem and gets its IP from my ISP's DHCP; eth1 is set to and my Windows ( is connected to Linux through this NIC.
