Hi all,

I am having a problem with port forwarding. From what I can gather the packet is dropped just after the DNAT rule.

My config is such that I have 3 interfaces:

  eth0 - external internet connection
  eth1 - internal LAN
  dot  - GRE tunnel

All SMTP, DNS, HTTP etc. traffic comes in on the dot interface (and hence should also go out it). All LAN traffic is NAT'ed out the eth0 interface. Only routing and related/established traffic is allowed in on the external interface.

In trying to diagnose this problem I made the first line in each built-in rule (including mangle table rules) a LOG rule. As this would generate substantial traffic I restricted this to HTTP traffic in general.

From what I can see, once the packet has been DNAT'ed it disappears, but all internal traffic which is MASQ'ed does:

  NAT PREROUTE -> MANGLE PREROUTE -> MANGLE FORWARD -> FILTER FORWARD -> MANGLE POSTROUTE -> NAT POSTROUTE -> NAT OUTPUT

but internal HTTP on the dot (tunnel) interface does:

  MANGLE PRE-HTTP: IN=dot OUT= PROTO=TCP SPT=45576 DPT=80
  NAT PRE-HTTP: IN=dot OUT= PROTO=TCP SPT=45576 DPT=80
  NAT DNAT-HTTP: IN=dot OUT= PROTO=TCP SPT=45576 DPT=80

then silence (well, actually, repeat).

Running `netstat -tupan` on the internal box (where the packet should be forwarded) shows no new connections on port 80. However, I am not sure if a full handshake is required for a connection to be "established" or not. If this is the case then all I can think of is that the response is not travelling back properly. tcpdump shows no SYN packets to port 80 hitting the internal box.

I would be greatly appreciative of any thoughts that people may have on how to fix this.

Thanks in advance.

PJ
--
Adding manpower to a late software project makes it later.
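An added diagnostic helper, not part of PJ's post: it reads kernel LOG lines in the prefix style shown above and, for each TCP flow, reports the furthest built-in chain that logged the packet and what to check for the gap that follows it in the netfilter traversal order. The LOG prefix names and the sample lines are assumed/constructed, not taken from PJ's ruleset.

```python
import re

# Chain order for a forwarded packet; after nat PREROUTING the routing
# decision sends it to FORWARD (or to INPUT if addressed to the box itself).
STAGES = ["mangle PREROUTING", "nat PREROUTING", "mangle FORWARD",
          "filter FORWARD", "mangle POSTROUTING", "nat POSTROUTING"]

# Assumed LOG prefixes (the DNAT rule itself sits in nat PREROUTING).
PREFIX_STAGE = {"MANGLE PRE": STAGES[0], "NAT PRE": STAGES[1], "NAT DNAT": STAGES[1],
                "MANGLE FWD": STAGES[2], "FILTER FWD": STAGES[3],
                "MANGLE POST": STAGES[4], "NAT POST": STAGES[5]}

# What to check when a flow is last seen at a stage but never at the next one.
HINTS = {STAGES[1]: "lost at the routing decision: check ip_forward, the route "
                    "to the DNAT target and rp_filter on the inbound interface",
         STAGES[2]: "dropped in filter FORWARD: no ACCEPT for the DNAT'ed destination"}

LINE_RE = re.compile(r"^(?P<prefix>[A-Z]+ [A-Z]+)-HTTP:\s*(?P<fields>.*)$")

def parse_line(line):
    """Return (stage, {field: value}) for one of our LOG lines, else None."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("prefix") not in PREFIX_STAGE:
        return None
    fields = dict(tok.partition("=")[::2] for tok in m.group("fields").split())
    return PREFIX_STAGE[m.group("prefix")], fields

def trace_flows(lines):
    """Per (SPT, DPT) flow: the furthest chain that logged it, plus what to check."""
    seen = {}
    for parsed in filter(None, map(parse_line, lines)):
        stage, f = parsed
        seen.setdefault((f.get("SPT"), f.get("DPT")), set()).add(stage)
    report = {}
    for flow, stages in seen.items():
        i = max(STAGES.index(s) for s in stages)
        hint = ("traversal complete" if i == len(STAGES) - 1
                else HINTS.get(STAGES[i], f"dropped in {STAGES[i + 1]}"))
        report[flow] = {"last": STAGES[i], "hint": hint}
    return report

# Constructed (abridged) sample in the poster's LOG format: the tunnel flow
# stops after the DNAT rule, the LAN flow reaches nat POSTROUTING.
SAMPLE = """\
MANGLE PRE-HTTP: IN=dot OUT= PROTO=TCP SPT=45576 DPT=80
NAT PRE-HTTP: IN=dot OUT= PROTO=TCP SPT=45576 DPT=80
NAT DNAT-HTTP: IN=dot OUT= PROTO=TCP SPT=45576 DPT=80
FILTER FWD-HTTP: IN=eth1 OUT=eth0 PROTO=TCP SPT=51000 DPT=80
NAT POST-HTTP: IN= OUT=eth0 PROTO=TCP SPT=51000 DPT=80
""".splitlines()
```

Feed it the real `dmesg`/syslog lines (`trace_flows(open("/var/log/kern.log"))`) and a flow whose last stage is nat PREROUTING points at the routing decision rather than at any iptables rule.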