Maybe you have a PREROUTING rule that is rewriting the source ip to the internal ip instead of the external ip.

On Fri, 2003-05-09 at 13:45, enjoy.the.silence@xxxxxx wrote:
> hi,
> i've been a user of netfilter/iptables for a short time, and it's always
> worked great for me, doing NAT and packet filtering exactly as it should
> (thanks a lot to whoever wrote the NAT-HOWTO, although :D). anyway, i'm
> experiencing some strange behaviour:
>
> i have a DNATting rule as the following:
> iptables -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
>
> where EXTIF (ppp0 - yeah, dialup) and EXTIP (dynamically assigned but
> correctly detected) are properly set. recently i have set up a DNS server,
> and i wish it was accessible from the outside. i have used djbdns, and set
> it up correctly. actually the requests are received and processed, but the
> outgoing packets with the replies are blocked by my packet filter. i have
> the following log from dmesg:
> IN= OUT=ppp0 SRC=10.0.6.5 DST=80.116.131.210 LEN=68 TOS=0x00 PREC=0x00
> TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=4538 LEN=48
>
> 10.0.6.5 is the ip which djbdns is running on, and 80... is the ip that made
> the request. what is strange is that the packet was trying to go out with
> the internal ip! is this normal? it's been blocked because i have a rule:
> iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
>
> shouldn't the packet's source address have already been changed at this
> time? what am i doing wrong? may it be because it's using the UDP protocol?
> my natting rule should work with all protocols though...
>
> help me!
> thanks in advance!
> Giorgio
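The behaviour Giorgio describes follows from the order in which a locally generated packet traverses the netfilter hooks: the filter OUTPUT chain runs before nat POSTROUTING, and NAT mappings (whether from an SNAT rule or the reverse of a DNAT applied in PREROUTING) are applied by conntrack at POSTROUTING, so any OUTPUT rule that matches on the source address sees 10.0.6.5, exactly as the dmesg line shows. The model below is an added example written for this thread; it is not code from the thread, from djbdns or from netfilter. It replays the inbound query and the locally generated reply through a toy version of that traversal, once with an OUTPUT drop rule of the kind that matches the logged packet, and once with an ESTABLISHED accept rule in front of it. The addresses come from the post; EXTIP, INTNET, the DNAT rule for port 53 and the chain policy are assumptions, and the drop rule is modelled as matching on an internal source (the rule as quoted, with -d $INTNET, would not match a packet addressed to 80.116.131.210; the point about hook order is the same for any OUTPUT rule that looks at the source).

```python
"""Toy model of netfilter hook order for the case in this thread (added example,
not code from the thread or from netfilter).  It models only what matters here:
nat rules are consulted once per connection and the mapping lives in conntrack,
and for a locally generated packet filter OUTPUT runs before nat POSTROUTING,
so an OUTPUT rule matching on the source sees the pre-SNAT address.
Addresses are from Giorgio's post; EXTIP, INTNET and the DNAT rule are assumed."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

EXTIF = "ppp0"
EXTIP = "198.51.100.7"                        # assumption: stands in for $EXTIP
INTNET = ipaddress.ip_network("10.0.6.0/24")  # assumption: stands in for $INTNET
DNS_HOST = "10.0.6.5"                         # where djbdns listens (from the post)
CLIENT = "80.116.131.210"                     # querying host (from the log)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    iface_in: Optional[str] = None   # None: locally generated ("IN=" in the log)
    iface_out: Optional[str] = None


def tup(p):
    return (p.src, p.sport, p.dst, p.dport)


def invert(t):
    return (t[2], t[3], t[0], t[1])


class Conntrack:
    def __init__(self):
        self.entries = {}   # pre-NAT tuple -> post-NAT tuple, original direction

    def find(self, t):
        for o, m in self.entries.items():
            if t == o:
                return "ORIGINAL", o, m
            if t == invert(m):
                return "REPLY", o, m
        return "NEW", None, None

    def nat(self, orig, p, rules):
        direction, o, m = self.find(orig)
        if direction == "ORIGINAL":       # mapping already decided for this flow
            return replace(p, src=m[0], sport=m[1], dst=m[2], dport=m[3])
        if direction == "REPLY":          # reply packet: undo the mapping
            return replace(p, src=o[2], sport=o[3], dst=o[0], dport=o[1])
        for rule in rules:                # NEW: the only time nat rules are read
            if rule["match"](p):
                return rule["target"](p)
        return p

    def confirm(self, orig, p):           # record the mapping after the traversal
        if self.find(orig)[0] == "NEW":
            self.entries[orig] = tup(p)


def internal_source_out_extif(p, state):
    # OUTPUT rule of the kind that matches the logged packet: out via $EXTIF, internal source
    return p.iface_out == EXTIF and ipaddress.ip_address(p.src) in INTNET


def established(p, state):
    return state == "ESTABLISHED"         # -m state --state ESTABLISHED (RELATED not modelled)


# as in the post: -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
NAT_POSTROUTING = [{"match": lambda p: p.iface_out == EXTIF,
                    "target": lambda p: replace(p, src=EXTIP)}]
# assumed: -t nat -A PREROUTING -i ppp0 -p udp --dport 53 -j DNAT --to 10.0.6.5
NAT_PREROUTING = [{"match": lambda p: p.iface_in == EXTIF and p.dport == 53,
                   "target": lambda p: replace(p, dst=DNS_HOST)}]


class Firewall:
    def __init__(self, filter_output):
        self.ct, self.filter_output = Conntrack(), filter_output
        self.log = []    # what drop-and-log-it would leave in dmesg
        self.seen = []   # (chain, src) as each filter chain saw the packet

    def _filter(self, chain, rules, p, state):
        self.seen.append((chain, p.src))
        for rule in rules:
            if rule["match"](p, state):
                if rule["target"] == "drop-and-log-it":
                    self.log.append(f"IN={p.iface_in or ''} OUT={p.iface_out} SRC={p.src} "
                                    f"DST={p.dst} PROTO=UDP SPT={p.sport} DPT={p.dport}")
                    return "DROP"
                return rule["target"]
        return "ACCEPT"                                # assumption: chain policy ACCEPT

    def inbound_to_local(self, p):
        orig = tup(p)                                  # conntrack classifies before any chain
        p = self.ct.nat(orig, p, NAT_PREROUTING)       # nat PREROUTING: DNAT to 10.0.6.5
        self.ct.confirm(orig, p)                       # (filter INPUT: nothing modelled)
        return p

    def local_output(self, p):
        orig = tup(p)
        state = "NEW" if self.ct.find(orig)[0] == "NEW" else "ESTABLISHED"
        p = replace(p, iface_out=EXTIF)                # routing: OUT= is known in OUTPUT
        if self._filter("OUTPUT", self.filter_output, p, state) == "DROP":
            return None                                # never reaches nat POSTROUTING
        p = self.ct.nat(orig, p, NAT_POSTROUTING)      # SNAT / un-DNAT happens here, last
        self.ct.confirm(orig, p)
        return p


BROKEN_OUTPUT = [{"match": internal_source_out_extif, "target": "drop-and-log-it"}]
FIXED_OUTPUT = [{"match": established, "target": "ACCEPT"}] + BROKEN_OUTPUT  # accept first


def run_scenario(filter_output):
    """Constructed inbound query, then the reply djbdns generates locally.
    Returns (packet as it leaves ppp0 or None if dropped, dmesg-style log, chain view)."""
    fw = Firewall(filter_output)
    delivered = fw.inbound_to_local(Packet(CLIENT, EXTIP, 4538, 53, iface_in=EXTIF))
    reply = Packet(delivered.dst, delivered.src, 53, delivered.sport)  # answered from 10.0.6.5
    return fw.local_output(reply), fw.log, fw.seen
```

With BROKEN_OUTPUT the reply is logged with SRC=10.0.6.5 and dropped in OUTPUT before it ever reaches POSTROUTING; with FIXED_OUTPUT the OUTPUT chain still sees 10.0.6.5 as the source, the ESTABLISHED rule lets it through, and only the packet that leaves ppp0 carries EXTIP. The practical check on a real box is `cat /proc/net/ip_conntrack` (or `conntrack -L` on newer kernels), which shows both the original and the reply tuple for the flow, i.e. the address the reply will carry once POSTROUTING has run.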