[SOLVED] NAT Puzzle: What's going on here?

I recently ran into some very unexpected behavior involving package dependencies, iptables, and NAT.  Just in case this is an issue, here is my network topology:
   {Internet} --- Netgear WNDR3700 --- (eno1)
                  router w/ NAT          |
                                   [Arch Server]
                                         |
                                      (enp2s0) --- Netgear GS105 --- [Test machine]
                                                     Switch
and here are the profiles for the ethernet ports on the Arch server:
Description='A basic static ethernet connection'
Interface=eno1
Connection=ethernet
IP=static
Address=('192.168.1.5/24')
#Routes=('192.168.0.0/24 via 192.168.1.2')
Gateway='192.168.1.1'
DNS=('192.168.1.1')

Description='A basic static ethernet connection'
Interface=enp2s0
Connection=ethernet
IP=static
Address=('172.18.90.1/24')
I activated both interfaces, intending to start testing nftables, and set up the Test machine with a static address of 172.18.90.2/24 and gateway 172.18.90.1.  I was only expecting to be able to ping 172.18.90.1 from the Test machine with this setup, but was extremely surprised to learn that I could not only ping any host, but further was able to run a web browser on the test machine with no problems connecting to anywhere.  Somehow the Arch server was doing forwarding and address translation even though I hadn't installed iptables or nftables (yet).
So, it turns out that iptables is a dependency of netctl?
ibis:~iptables$ pactree -r iptables
iptables
..iproute2
..netctl
ibis:~iptables$ pacman -Q iptables
iptables 1.4.21-1
The first question is:
Why does netctl need iptables?
I was quite shocked to see NAT happening without my having done anything to set it up.
But beyond this, the default firewall rules installed with the package look like this:
ibis:~iptables$ cat /etc/iptables/simple_firewall.rules
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
There's no mention of the NAT table, so presumably there is some kind of default NAT behavior that is being invoked?  This is my second question:
When you install iptables, NAT works by default somehow?
The final mystery is that I never started the iptables service; in particular, I didn't even know that iptables had been installed as a dependency until NAT was magically working.  When I check
systemctl | grep iptables
Nothing comes up.  Third question:
Who/what/why is the iptables service being automatically activated, if indeed this is what is happening?
Edit: I'm an idiot.  See my last comment on this thread for an explanation of why I thought ip forwarding was being enabled without my explicit permission.
Last edited by pgoetz (2014-06-12 10:07:43)

*filter
All the following commands are to be applied to the 'filter' table.
:INPUT DROP [0:0]
The default policy for the INPUT chain is DROP
:FORWARD DROP [0:0]
The default policy for the FORWARD chain is DROP
:OUTPUT ACCEPT [0:0]
The default policy for the OUTPUT chain is DROP
-A INPUT -p icmp -j ACCEPT
ACCEPT all incoming packets of protocol ICMP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ACCEPT all incoming packets that belong to a RELATED or ESTABLISHED connection in the state tracking table.
-A INPUT -i lo -j ACCEPT
ACCEPT any packets that come "in" the loopback interface (lo).
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
REJECT any incoming TCP packets by sending a TCP RST packet.
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
REJECT any incoming UDP packets by sending an ICMP port-unreachable packet.
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
REJECT any other packets by sending an ICMP protocol-unreachable packet.
COMMIT
COMMIT all these rules (above) into the kernel (atomically unloading any existing rules first).
Remember that rules process in order, so TCP packets will get REJECT'ed by the third-last rule, and never get to the second last and last rules.
You've checked ip_forward now, but is the host still forwarding packets? The kernel will NEVER forward packets without ip_forward being != 0.
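The rule walkthrough above and the point about ip_forward both come down to the same checklist: a host cannot route and translate for another network unless ip_forward is non-zero, the FORWARD chain lets the traffic through, and a nat-table rule (MASQUERADE or SNAT) rewrites the source address. The script below is an added example, not code from the thread or from any Arch package. It audits those facts offline from a copy of /proc/sys/net/ipv4/ip_forward and an iptables-save dump, so it can be run against files captured from a host. The two dumps it creates are constructed sample data: the first mirrors the simple_firewall.rules shown in the thread (filter table only, FORWARD DROP, no nat table), the second is a constructed ruleset of what a host that really masquerades for 172.18.90.0/24 would contain; the FORWARD rules and the reuse of the interface names eno1 and enp2s0 in it are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a host's routing/NAT posture from
# offline copies of /proc/sys/net/ipv4/ip_forward and an iptables-save dump.

# Print "forwarding=on" or "forwarding=off" from a copy of ip_forward.
# The kernel never forwards between interfaces while this file reads 0.
forwarding_state() {
    if [ "$(tr -d '[:space:]' < "$1")" = "1" ]; then
        echo "forwarding=on"
    else
        echo "forwarding=off"
    fi
}

# Print the default policy of CHAIN in TABLE from an iptables-save dump.
# Usage: chain_policy DUMP TABLE CHAIN   (e.g. chain_policy f filter FORWARD)
chain_policy() {
    awk -v table="*$2" -v chain=":$3" '
        $1 == table { in_table = 1; next }   # entered the requested table
        /^\*/       { in_table = 0 }         # any other table header ends it
        in_table && $1 == chain { print $2; exit }
    ' "$1"
}

# Count nat-table rules that rewrite source addresses (MASQUERADE or SNAT).
nat_rule_count() {
    awk '
        $1 == "*nat" { in_nat = 1; next }
        /^\*/        { in_nat = 0 }
        in_nat && /-j (MASQUERADE|SNAT)/ { n++ }
        END { print n + 0 }
    ' "$1"
}

# One-line verdict combining the three checks.
audit() {
    echo "$(forwarding_state "$1") nat_rules=$(nat_rule_count "$2") forward_policy=$(chain_policy "$2" filter FORWARD)"
}

# --- constructed sample inputs (not captured from a real host) ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

printf '0\n' > "$WORK/ip_forward_off"   # kernel default
printf '1\n' > "$WORK/ip_forward_on"

# Mirrors the thread's simple_firewall.rules: filter table only, no nat table.
cat > "$WORK/filter_only.rules" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
EOF

# Constructed ruleset of a host that actually masquerades for 172.18.90.0/24
# (assumed interface names taken from the post, rules are illustrative).
cat > "$WORK/router.rules" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.18.90.0/24 -o eno1 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i enp2s0 -o eno1 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF

audit "$WORK/ip_forward_off" "$WORK/filter_only.rules"   # forwarding=off nat_rules=0 forward_policy=DROP
audit "$WORK/ip_forward_on"  "$WORK/router.rules"        # forwarding=on nat_rules=1 forward_policy=DROP
```

On a live host, point audit at /proc/sys/net/ipv4/ip_forward and at a file written by iptables-save. A filter-only ruleset with ip_forward reading 0, which is what the thread's default install gives, cannot be forwarding or translating anything; when the second sample's verdict appears instead, the nat rule and the FORWARD accept rules are what make the host a router, and the DROP policy on FORWARD only governs packets no rule matched.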
