Re: 2 providers & DNAT: incoming packets not forwarded

Linux Advanced Routing and Traffic Control

Hi,

I have all the rules needed to accept packets in the FORWARD chain. DNAT on eth1 works very well: I see the packets in the PREROUTING chain, DNATed, in the FORWARD chain and then going out via the intranet interface eth0 (traced with tcpdump). But I can't get DNAT to work on ppp0.
I set as the *first* rule of my FORWARD chain a LOG target to log all the packets. While I can see DNATed packets from eth1, DNATed packets from ppp0 are lost. So I suppose it's a routing problem: packets are lost at the routing level, not the iptables one.
I also use logging in my PREROUTING chain to ensure packets are DNATed:
iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 2000 -j LOG --log-prefix 'before DNAT rule'
iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 2000 -j DNAT --to-destination 172.16.1.4
iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 2000 -j LOG --log-prefix 'after DNAT rule'
And the packets are DNATed since I never see the second log line in my logs.
I think it's a routing problem, but I don't understand why with a table like this:


215.136.169.1 dev ppp0  proto kernel  scope link  src 215.136.169.15
135.165.199.128/25 dev eth1  proto kernel  scope link  src 135.165.199.139
172.16.0.0/16 dev eth0  proto kernel  scope link  src 172.16.1.1
default via 135.165.199.129 dev eth1

packets coming in via eth1 to 172.16.1.4 are correctly routed (go out via eth0) but packets coming in via ppp0 are lost. This is driving me nuts!

Best Regards,

Raph

Razvan Stranschi wrote:
If you have default policy in forward chain to DROP you must permit those packets to pass.

Razvan Stranschi
razvan@xxxxxxx



Raphael Benedet wrote:

Hi,

I have a problem with incoming connections on my Linux gateway.
I have 2 providers, cable modem on eth1 and DSL on eth2 <-> ppp0 (PPPoE). The LAN is connected to eth0. At the moment, I have a very simple configuration where the default route is via eth1 (cable modem). I set up DNAT on ppp0 to forward incoming traffic for certain ports to a computer behind the gateway/firewall:
iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 2000 -j DNAT --to-destination 172.16.1.4
Packets get lost and never reach the FORWARD chain (I logged all packets to be sure).


Here are my routes:

# ip route ls
215.136.169.1 dev ppp0 proto kernel scope link src 215.136.169.15
135.165.199.128/25 dev eth1 proto kernel scope link src 135.165.199.139
172.16.0.0/16 dev eth0 proto kernel scope link src 172.16.1.1
default via 135.165.199.129 dev eth1


So, I understand traffic by default goes via eth1, but why don't incoming packets redirected (DNATed) to an intranet IP address go out via eth0?
If I change my default route in table main to go via ppp0, then, it works. And DNATing on eth1 works with the current configuration.


I don't have any other routing tables nor complex routing rules:
# ip rule ls
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

I am running kernel 2.4.23 with Julian's patches.

Any help would be greatly appreciated. Thank you.

Raph
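Added example for this thread; it is not code from any of the posters. The symptom described (packet visible and DNATed in nat PREROUTING, never seen in FORWARD, and working as soon as the default route moves to ppp0) is what the reverse-path filter produces: it runs after PREROUTING and before FORWARD, and with the main table's default route on eth1 it silently drops a packet arriving on ppp0 from an address whose return route is eth1. The script below is a dry-run helper only: one function lists which rp_filter sysctls are on, reading the files below a directory you pass (a copy of /proc/sys/net/ipv4/conf, or the real one), and the other prints, without executing, the commands to log and then disable that check on ppp0 and to give ppp0 its own routing table in the LARTC multi-uplink style. The addresses come from the ip route output in the thread; table id 100 is an assumption.

```shell
#!/bin/sh
# Added example for the thread above; none of it is from the posters.
# Dry-run helpers for the "DNATed on ppp0, never reaches FORWARD" symptom.

PPP_IF=ppp0
PPP_LOCAL=215.136.169.15     # src of the ppp0 link route in the thread
PPP_GW=215.136.169.1         # the ppp0 peer
PPP_TABLE=100                # assumed unused routing table id

# rp_filter_enabled DIR
# Print "<iface> <value>" for every rp_filter file under DIR that is not 0.
# Both "all" and per-interface entries are reported; how the kernel combines
# them differs between kernel versions, so any non-zero value on the uplink
# or on "all" is suspect when return routes are asymmetric.
rp_filter_enabled() {
    dir=${1:-/proc/sys/net/ipv4/conf}
    for f in "$dir"/*/rp_filter; do
        [ -r "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        val=$(cat "$f")
        [ "$val" != "0" ] && echo "$iface $val"
    done
    return 0
}

# ppp_provider_cmds
# Print (do not run) the commands to (a) log reverse-path drops as
# "martian source" messages so the diagnosis can be confirmed in syslog,
# (b) turn the strict check off on the uplink whose traffic returns
# asymmetrically, and (c) give ppp0 its own table so that traffic the
# gateway itself sends from $PPP_LOCAL leaves via ppp0 rather than via
# the main table's default route on eth1.
ppp_provider_cmds() {
    cat <<EOF
sysctl -w net.ipv4.conf.$PPP_IF.log_martians=1
sysctl -w net.ipv4.conf.$PPP_IF.rp_filter=0
ip route add default via $PPP_GW dev $PPP_IF table $PPP_TABLE
ip rule add from $PPP_LOCAL table $PPP_TABLE
ip route flush cache
EOF
}

# Stand-alone use: report the live sysctls, then show the commands.
if [ "${1:-}" = "--run" ]; then
    rp_filter_enabled
    ppp_provider_cmds
fi
```

Run it with --run on the gateway to see the live rp_filter state and the proposed commands, then apply them by hand. One caveat on the source rule: it only steers packets the gateway sends from its own ppp0 address. Replies from 172.16.1.4 to a connection that was DNATed in on ppp0 are routed while their source is still 172.16.1.4 (the routing decision happens before POSTROUTING SNAT), so they still follow the main default route out eth1 even once rp_filter no longer drops the inbound packets; steering those replies back out ppp0 needs a connection-aware mark (fwmark set from the connection's incoming interface) and a rule on that mark.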



_______________________________________________ LARTC mailing list / LARTC@xxxxxxxxxxxxxxx http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
