Where is the returning connection?

Linux Advanced Routing and Traffic Control

Hi all! I'm new to the list :-)

I'm having a weird problem in which I'm a little bit lost right now.

I've got a machine (Debian) connected to 2 different networks (A and B,
with 2 different net cards), and a web server that is listening on the
second one (B). I think I've configured the rules and routes correctly,
but I'm not able to see the returning connection coming from the
same machine, but using the A network to reach the service in the B
network.

Being more precise,
        * A network: 192.168.1.2 connected to a switch (default gw)
        * B network: 192.168.2.2 connected to a router with 2 interfaces
          (192.168.2.1 and 192.168.1.30)

        * Clients can only connect to the service through
          192.168.1.30:80 (the router), where the dst IP is masked to
          192.168.2.2:10080

        * If I connect from any host but 192.168.1.2, everything runs ok
          (tcpdump shows me both ways of tcp packets)

Now, if I connect from that machine (that has the web server) through
the router (192.168.1.30:80),
        1. I see a SYN_SENT to 192.168.1.30 when I execute "netstat".

        2. If I put tcpdump on eth0 (192.168.1.2), I see the tcp packets
           going to 192.168.1.30 (I don't see any packets coming back).

        3. If I put tcpdump on eth1 (192.168.2.2), I see the tcp packets
           going to 192.168.2.2:10080 (from 192.168.1.2), but I don't see
           any packets coming back.

        4. I've replaced the web server with a tiny tcp listener that
           shows the client IP, and I don't see the connection from
           192.168.1.2 (I mean, any other clients connect correctly, but
           this one does not). Please remember that I can see tcpdump logs
           that say "192.168.1.2.32759 > 192.168.2.2.10080", etc.

        5. I've also put tcpdump on "lo" but I can't see anything either
           :-S

        6. I've tried "iptables --sport 10080 -j LOG" rules in the OUTPUT
           chain, and nothing is shown.

The routes and rules I've configured are,

# A network
ip route add 192.168.1.0/24 dev eth0 src 192.168.1.2 table main
ip route add default via 192.168.1.1 table main

ip rule add from 192.168.1.2 table main

# B network
ip route add 192.168.2.0/24 dev eth1 src 192.168.2.2 table router
ip route add default via 192.168.2.1 dev eth1 onlink table router

ip rule add from 192.168.2.2 table router


And last, I've also tried to "-j MARK" those packets going to "--dport
10080" and add a rule like:

ip rule add fwmark <number> table router

But it didn't work either.

Why is the connection not arriving at the application that is listening?
(But it is arriving at the machine.)

Why can't I see any kind of returning connection or ICMP packet telling
me that something is unreachable? (Maybe that will be solved after the
first question.)

Thank you very much in advance for any light on this ;-)

Best regards,
  Alvaro Uría

PS1: Direct connection from 192.168.1.2 to 192.168.2.2 (or using
127.0.0.1) is not a solution (I've kind of simplified the
infrastructure).

PS2: BTW, LARTC-HOWTO is great :-))
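One check worth running in the situation described above, added here as an example that is not part of the original post or of any reply to it: the packet tcpdump shows arriving on eth1 carries source 192.168.1.2, which is one of the machine's own addresses, and Linux refuses a packet with a local source address on any interface but lo unless net.ipv4.conf.<if>.accept_local is set (on kernels that have that sysctl), logging it as a "martian source" when log_martians is on. The script below parses such log lines and models that source check; the dmesg lines, the LOCAL_ADDRS set and the 10.9.8.7 address are constructed for the example from the addresses in the post, and only the local-source rule is modelled, not rp_filter.

```python
import ipaddress
import re

# Addresses the host in the post owns on its two interfaces (constructed
# from the post); the router's addresses are not local to it.
LOCAL_ADDRS = {"192.168.1.2", "192.168.2.2"}

# Constructed dmesg lines in the format the kernel uses when
# net.ipv4.conf.<if>.log_martians=1 (timestamps and MACs are made up).
SAMPLE_DMESG = """\
[ 1201.33] IPv4: martian source 192.168.2.2 from 192.168.1.2, on dev eth1
[ 1201.33] ll header: 00000000: 00 11 22 33 44 55 66 77 88 99 aa bb 08 00
[ 1202.10] IPv4: martian source 192.168.2.2 from 10.9.8.7, on dev eth1
"""

MARTIAN_RE = re.compile(
    r"martian source (?P<dst>\d+\.\d+\.\d+\.\d+) from "
    r"(?P<src>\d+\.\d+\.\d+\.\d+), on dev (?P<dev>\S+)"
)


def parse_martians(text):
    """Return (dst, src, dev) for every martian-source line in a dmesg dump."""
    return [(m["dst"], m["src"], m["dev"]) for m in MARTIAN_RE.finditer(text)]


def source_check(src, in_dev, local_addrs=LOCAL_ADDRS, accept_local=False):
    """Model the kernel's local-source rule for an incoming packet.

    A packet whose source is one of the host's own addresses is dropped when
    it arrives on anything but "lo", unless accept_local is set on the
    incoming interface. Returns "accept" or "drop". rp_filter is not modelled.
    """
    ipaddress.ip_address(src)  # reject malformed input instead of guessing
    if src in local_addrs and in_dev != "lo" and not accept_local:
        return "drop"
    return "accept"


def explain(text, local_addrs=LOCAL_ADDRS):
    """Pair each logged martian with the model's verdict and the knob that changes it."""
    out = []
    for dst, src, dev in parse_martians(text):
        verdict = source_check(src, dev, local_addrs)
        if verdict == "drop":
            hint = f"net.ipv4.conf.{dev}.accept_local=1"
        else:
            hint = "not a local-source drop (check rp_filter / routes)"
        out.append((src, dst, dev, verdict, hint))
    return out
```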


_______________________________________________
LARTC mailing list
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc