Re: iptables question

Filipe Brandenburger wrote:
> Hi Ward,
> 
> On Thu, Feb 19, 2009 at 20:27,  <Ward.P.Fontenot@xxxxxxxxxxxxxx> wrote:
>> I add that and telnet to the port on BOX A and get
>> Trying 192.168.0.1...
>> telnet: connect to address 192.168.0.1: Connection refused
>> I can telnet to that port on BOX B and get a successful connection.
> 
> The problem is that when BOX B responds, it will respond with a
> 192.168.0.2 source IP, and that will only work if it goes through BOX
> A again (for the DNAT to do the address translation back to
> 192.168.0.1).
> 
> In short, this will only work if traffic goes back to the source through BOX A.
> 
> For instance, this will NOT happen if the host that is connecting to
> the forwarded port is in the same subnet as hosts BOX A and BOX B.
> 
> This will also NOT happen if BOX A is not the default gateway of BOX
> B, or there is somehow another configuration that routes the return
> packets through BOX A (like using an SNAT combined with the DNAT to
> make the connections look like they are coming from BOX A).

A "Connection refused" response indicates that the reply path is
working.  If there is no response, telnet will just sit and wait,
eventually displaying a "Connection timed out" message when the
connection times out from the SYN_SENT state (typically about 3
minutes).

-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                 Do NOT delete it.

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
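
The DNAT-plus-SNAT arrangement Filipe describes, written out as an added example rather than anything posted in this thread. It assumes BOX A is 192.168.0.1, BOX B is 192.168.0.2, the shared subnet is 192.168.0.0/24, and a constructed placeholder port of 8080 (the thread never names the port). `IPT` defaults to `echo`, so the script only prints the rules it would apply; run it as root with `IPT=iptables` to load them. The FORWARD-chain rules and the `conntrack` match are my additions, not part of the original discussion.

```shell
#!/bin/sh
# Added example: port-forward on BOX A to BOX B with a "hairpin" SNAT so
# that clients on the same subnet get their replies back through BOX A.
# IPT defaults to "echo" (dry run); set IPT=iptables to apply for real.
IPT="${IPT:-echo}"
BOX_A=192.168.0.1        # address the clients connect to (the DNAT box)
BOX_B=192.168.0.2        # real server behind BOX A
LAN=192.168.0.0/24       # subnet shared by BOX A, BOX B and the clients
PORT="${PORT:-8080}"     # forwarded TCP port (constructed placeholder)

nat_rules() {
    # 1. Rewrite the destination so the connection lands on BOX B.
    $IPT -t nat -A PREROUTING -p tcp -d "$BOX_A" --dport "$PORT" \
        -j DNAT --to-destination "$BOX_B:$PORT"

    # 2. Hairpin case: for clients on the same subnet as BOX B, also rewrite
    #    the source to BOX A.  BOX B then answers BOX A, and conntrack on
    #    BOX A undoes both translations before the reply reaches the client.
    #    Without this rule BOX B replies straight to the client with source
    #    192.168.0.2, which does not match the address the client dialled.
    #    (POSTROUTING sees the post-DNAT destination, hence -d "$BOX_B".)
    $IPT -t nat -A POSTROUTING -p tcp -s "$LAN" -d "$BOX_B" --dport "$PORT" \
        -j SNAT --to-source "$BOX_A"

    # 3. Let the translated flow through the FORWARD chain in both directions.
    $IPT -A FORWARD -p tcp -d "$BOX_B" --dport "$PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -p tcp -s "$BOX_B" --sport "$PORT" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

nat_rules
```

Two points to keep in mind when applying it: BOX A also needs `net.ipv4.ip_forward=1`, and the PREROUTING rule only sees packets that arrive on an interface, so a connection opened on BOX A itself passes through the nat OUTPUT chain instead and is not matched by the rule above.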
