128.83.147.87 is indeed the external IP. I can ping, ssh and telnet 80 to this address from an offsite machine, and since

-A PREROUTING -d 128.83.147.87 -p tcp -m tcp --dport 80 -j LOG --log-prefix "prerouting" --log-level 7

catches it, it seems that

-A PREROUTING -d 128.83.147.87 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.2:80

would also catch it. Also, since I have:

-A INPUT -p tcp -m tcp --dport 80 -j LOG --log-prefix "input" --log-level 7
-A FORWARD -j LOG --log-prefix "forward" --log-level 7

then I should have a log entry no matter what, with a prefix of either "input" or "forward". However, with the PREROUTING -j DNAT line in place, neither INPUT nor FORWARD logs the packet traversing through their chains. Isn't this behavior quite impossible, since a packet that traverses PREROUTING (which I do successfully log in that chain) should definitely go to either INPUT or FORWARD?

BTW, my iptables version is iptables-1.2.6a-2. Could there be some sort of patch I need? I'm not really using a special case, since people do simple port 80 forwarding all the time.

Kent Wang

> Verify that 128.83.147.87 is the external IP address for this box.
> Also how did you test this? If you are inside the internal network (on
> 192.168.0.5 for example) you can't access the web site by going to
> 128.83.147.87. So in other words you will have to be outside of your
> network to test it.
> From: kwang@xxxxxxxxx [mailto:kwang@xxxxxxxxx]
> Sent: Friday, June 13, 2003 12:58 PM
> To: chris.hoeschen@xxxxxxxxxxxxx
> Cc: kwang@xxxxxxxxx
> Subject: RE: IP forwarding on port 80
>
> This is the iptables-save dump:
>
> *nat
> :PREROUTING ACCEPT [37311:5054668]
> :POSTROUTING ACCEPT [72:4540]
> :OUTPUT ACCEPT [72:4540]
> -A PREROUTING -d 128.83.147.87 -p tcp -m tcp --dport 80 -j LOG --log-prefix "prerouting" --log-level 7
> -A PREROUTING -d 128.83.147.87 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.2:80
> COMMIT
> # Completed on Fri Jun 13 03:09:25 2003
> # Generated by iptables-save v1.2.6a on Fri Jun 13 03:09:25 2003
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [17013:3920003]
> -A INPUT -d 128.83.147.87 -p tcp -m tcp --dport 80 -j LOG --log-prefix "input" --log-level 7
> -A INPUT -s 127.0.0.1 -p tcp -j ACCEPT
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 115 -j ACCEPT
> -A INPUT -j DROP
> -A FORWARD -j LOG --log-prefix "forward" --log-level 7
> COMMIT
>
> This is the same as above, but with iptables -L and then -L -nat:
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source                 destination
> LOG        tcp  --  anywhere               dscp.nur.utexas.edu  tcp dpt:http LOG level debug prefix `input'
> ACCEPT     tcp  --  localhost.localdomain  anywhere
> ACCEPT     all  --  anywhere               anywhere             state RELATED,ESTABLISHED
> ACCEPT     icmp --  anywhere               anywhere
> ACCEPT     tcp  --  anywhere               anywhere             tcp dpt:http
> ACCEPT     tcp  --  anywhere               anywhere             tcp dpt:ssh
> ACCEPT     tcp  --  anywhere               anywhere             tcp dpt:sftp
> DROP       all  --  anywhere               anywhere
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source                 destination
> LOG        all  --  anywhere               anywhere             LOG level debug prefix `forward'
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source                 destination
>
> Anyway, I really appreciate you and everybody on the mailing list
> helping me out.
>
> Kent Wang
>
>> Could you send me your entire firewall rules
>>
>> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>> | Chris Hoeschen - Distributed System Analysts |
>> | PrimeVest Financial Services |
>> | (320) 656-4035 E-Mail: chris.hoeschen@xxxxxxxxxxxxx |
>> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>>
>> "Only two things are infinite, the universe and human stupidity, and
>> I'm not sure about the former."
>> -- Albert Einstein
>> Hippopotomonstrosesquippedaliophobia is the fear of long words
>>
>> -----Original Message-----
>> From: Kent Wang [mailto:kwang@xxxxxxxxx]
>> Sent: Friday, June 13, 2003 11:45 AM
>> To: 'Chris Hoeschen'
>> Subject: RE: IP forwarding on port 80
>>
>> Here's the contents of PREROUTING:
>>
>> -A PREROUTING -d 128.83.147.87 -p tcp -m tcp --dport 80 -j LOG --log-prefix "prerouting" --log-level 7
>> -A PREROUTING -d 128.83.147.87 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.2:80
>>
>> Apparently -m tcp is implied, since my original command didn't include
>> it but this is what the iptables-save dump says. But since these two
>> are identical other than the action part, if something gets LOG'd, it
>> should be DNAT'd and therefore passed to FORWARD, right?
>>
>> This is what I have in FORWARD:
>>
>> -A FORWARD -j LOG --log-prefix "forward" --log-level 7
>>
>> So this means everything that passes through FORWARD gets logged,
>> right? But my log has entries from PREROUTING (cause it has log-prefix
>> 'prerouting') but none from FORWARD.
>>
>> The situation with tcpdump is still the same. Nothing incoming, except
>> when I manually do telnet 192.168.0.2 80.
>>
>> I think the fault is somewhere at the actual DNAT target or the
>> FORWARDing mechanism. Could there have been a module that I didn't
>> load properly?
>> I don't know how to check that (and I would think that
>> iptables would've told me about it already). This is a standard RedHat
>> 7 install with the latest iptables RPM.
>>
>> Kent Wang
>>
>> -----Original Message-----
>> From: Chris Hoeschen [mailto:chris.hoeschen@xxxxxxxxxxxxx]
>> Sent: Friday, June 13, 2003 8:03 AM
>> To: 'Kent Wang'
>> Subject: RE: IP forwarding on port 80
>>
>> A packet coming into your firewall will first travel through the
>> prerouting table. Depending on where that packet is destined will
>> determine what other table it will be traveling through. If that
>> packet is going to your firewall itself then it will travel through
>> the input table. If it is going to be routed through your firewall to
>> another box then it will travel through the forward table. The output
>> table only handles packets that originated from your firewall and are
>> going out; it does not handle any packets that are getting routed
>> through it.
>>
>> I didn't see your DNAT rule, so make sure that is set correctly. An
>> example for routing web would be as follows:
>>
>> iptables -t nat -A PREROUTING -p tcp -d {EXT_IP} --dport 80 -j DNAT --to-destination {WWW_IP}:80
>>
>> When your web server receives the packet, the source address (the one it
>> will be sending the ACK back to) will still be set to the original
>> source and not the firewall. So it is important that the web server's
>> gateway is set to be your firewall. If this will not work in your
>> environment then you can put a rule into the postrouting table to SNAT
>> the packet; this way the web server will see the packet as coming from
>> your firewall and (granted that they are on the same subnet) will
>> return the packet to the firewall. This is not recommended, as all
>> connections to the web server will appear as if they were coming from the
>> firewall.
>> Sorry for all the routing mojo, but it helps to get an understanding of the
>> tables for troubleshooting.
>>
>> -A FORWARD -p tcp -m tcp --dport 80 -j LOG --log-prefix "test" --log-level 7
>>
>> I don't know what the -m tcp module is and this might be your problem;
>> try removing it and see if it works.
>>
>> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>> | Chris Hoeschen - Distributed System Analysts |
>> | PrimeVest Financial Services |
>> | (320) 656-4035 E-Mail: chris.hoeschen@xxxxxxxxxxxxx |
>> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>>
>> "Only two things are infinite, the universe and human stupidity, and
>> I'm not sure about the former."
>> -- Albert Einstein
>> Hippopotomonstrosesquippedaliophobia is the fear of long words
>>
>> -----Original Message-----
>> From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Kent Wang
>> Sent: Friday, June 13, 2003 2:25 AM
>> To: 'George Vieira'; netfilter@xxxxxxxxxxxxxxxxxxx
>> Subject: RE: IP forwarding on port 80
>>
>> OK, more info. My belief is that the packets are not being DNAT'd
>> properly. I added this to that chain:
>>
>> -A PREROUTING -j LOG --log-prefix "test" --log-level 7
>>
>> And was able to log all the incoming HTTP packets. I then added these two:
>>
>> -A FORWARD -p tcp -m tcp --dport 80 -j LOG --log-prefix "test" --log-level 7
>> -A OUTPUT -p tcp -m tcp --dport 80 -j LOG --log-prefix "test" --log-level 7
>>
>> A properly DNAT'd packet should pass through FORWARD and then OUTPUT,
>> but I found nothing in the log. Is it possible that the DNAT module
>> isn't loaded?
>>
>> I've done tcpdump and the firewall definitely always receives the
>> internet-incoming message and the web server never receives it.
>>
>> Any clues?
>> -----Original Message-----
>> From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of George Vieira
>> Sent: Thursday, June 12, 2003 5:18 PM
>> To: Kent Wang; netfilter@xxxxxxxxxxxxxxxxxxx
>> Subject: RE: IP forwarding on port 80
>>
>> What debugging have you done? tcpdump, iptables logging, anything?
>>
>> Does your web server have a default gateway of the firewall?
>>
>> Thanks,
>>
>> ____________________________________________
>>
>> George Vieira
>> Citadel Computer Systems Pty Ltd Systems Manager georgev AT citadelcomputer DOT com DOT au
>>
>> Citadel Computer Systems Pty Ltd
>>
>> Phone : +61 2 9955 2644 HelpDesk: +61 2 9955 2698
>> http://www.citadelcomputer.com.au/
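The thread turns on the order netfilter evaluates things in: the nat PREROUTING chain runs first, then the kernel makes its routing decision on the (possibly DNAT'd) destination, and only then does the packet enter either INPUT (local destination) or FORWARD (routed destination). The model below is an added illustration, not code from the thread or from the netfilter project. It parses the iptables-save dump that was posted, pushes one constructed outside SYN to port 80 through it, and reports which LOG prefixes would appear. The ip_forward switch is an assumption this example introduces: the thread never says whether net.ipv4.ip_forward was on, but a Linux box with forwarding disabled has no forwarding route, so the packet is discarded at the routing step after PREROUTING and never reaches FORWARD, which is exactly the "prerouting but no forward" pattern described. The local address set (only the two addresses the thread shows) and the source address 203.0.113.9 are likewise constructed.

```python
"""Model of PREROUTING -> routing decision -> INPUT/FORWARD for the rules
quoted in this thread.  Added illustration, not code from the thread.
The rule text is the posted iptables-save dump; the ip_forward flag, the
LOCAL_IPS set and the 203.0.113.9 source are constructed assumptions."""
import shlex

# Rule lines copied from the posted iptables-save dump (nat table).
NAT_DUMP = """
-A PREROUTING -d 128.83.147.87 -p tcp -m tcp --dport 80 -j LOG --log-prefix "prerouting" --log-level 7
-A PREROUTING -d 128.83.147.87 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.2:80
"""

# Rule lines copied from the posted iptables-save dump (filter table).
FILTER_DUMP = """
-A INPUT -d 128.83.147.87 -p tcp -m tcp --dport 80 -j LOG --log-prefix "input" --log-level 7
-A INPUT -s 127.0.0.1 -p tcp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 115 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j LOG --log-prefix "forward" --log-level 7
"""

# Assumption: the addresses the firewall treats as its own (only the two the thread shows).
LOCAL_IPS = {"128.83.147.87", "127.0.0.1"}

OPTION_KEYS = {"-s": "src", "-d": "dst", "-p": "proto"}


def parse_rules(dump):
    """Turn the '-A' lines of an iptables-save dump into match/target dicts."""
    rules = []
    for line in dump.strip().splitlines():
        toks = shlex.split(line)
        if len(toks) < 2 or toks[0] != "-A":
            continue
        rule = {"chain": toks[1], "target": None, "prefix": None, "to": None, "states": None}
        # every option used in this dump takes exactly one value
        for opt, val in zip(toks[2::2], toks[3::2]):
            if opt in OPTION_KEYS:
                rule[OPTION_KEYS[opt]] = val
            elif opt == "--dport":
                rule["dport"] = int(val)
            elif opt == "--state":
                rule["states"] = set(val.split(","))
            elif opt == "-j":
                rule["target"] = val
            elif opt == "--log-prefix":
                rule["prefix"] = val
            elif opt == "--to-destination":
                ip, port = val.rsplit(":", 1)
                rule["to"] = (ip, int(port))
            # "-m tcp", "-m state" and "--log-level" do not affect matching here
        rules.append(rule)
    return rules


def matches(rule, pkt):
    """Apply the address, protocol, port and conntrack-state matches of one rule."""
    for key in ("src", "dst", "proto", "dport"):
        if key in rule and rule[key] != pkt[key]:
            return False
    return rule["states"] is None or pkt["state"] in rule["states"]


def run_chain(chain, rules, pkt, logs):
    """Walk one chain in order; LOG is non-terminating, every other target ends the walk."""
    for rule in (r for r in rules if r["chain"] == chain):
        if not matches(rule, pkt):
            continue
        if rule["target"] == "LOG":
            logs.append(rule["prefix"])
        elif rule["target"] == "DNAT":
            pkt["dst"], pkt["dport"] = rule["to"]  # destination rewritten before routing
            return "DNAT"
        else:
            return rule["target"]  # ACCEPT or DROP
    return "ACCEPT"  # every chain in the dump has policy ACCEPT


def traverse(pkt, nat_rules, filter_rules, ip_forward):
    """Return the chain that decided the packet, its verdict, the LOG prefixes seen, and the final dst."""
    pkt, logs = dict(pkt), []
    run_chain("PREROUTING", nat_rules, pkt, logs)
    # The routing decision comes after PREROUTING and sees the DNAT'd address.
    if pkt["dst"] in LOCAL_IPS:
        verdict = run_chain("INPUT", filter_rules, pkt, logs)
        return {"chain": "INPUT", "verdict": verdict, "logs": logs, "dst": pkt["dst"]}
    if not ip_forward:
        # With net.ipv4.ip_forward=0 there is no forwarding route: the packet is
        # discarded at the routing step and never enters the FORWARD chain.
        return {"chain": "routing", "verdict": "DROP", "logs": logs, "dst": pkt["dst"]}
    verdict = run_chain("FORWARD", filter_rules, pkt, logs)
    return {"chain": "FORWARD", "verdict": verdict, "logs": logs, "dst": pkt["dst"]}


def scenario(ip_forward, with_dnat=True):
    """Push one constructed outside SYN to port 80 through the posted rule set."""
    nat = [r for r in parse_rules(NAT_DUMP) if with_dnat or r["target"] != "DNAT"]
    pkt = {"src": "203.0.113.9", "dst": "128.83.147.87", "proto": "tcp",
           "dport": 80, "state": "NEW"}  # constructed sample packet
    return traverse(pkt, nat, parse_rules(FILTER_DUMP), ip_forward)


if __name__ == "__main__":
    for label, kwargs in [("DNAT rule, forwarding on", {"ip_forward": True}),
                          ("DNAT rule, forwarding off", {"ip_forward": False}),
                          ("no DNAT rule", {"ip_forward": True, "with_dnat": False})]:
        print(f"{label:26s} -> {scenario(**kwargs)}")
```

Two things the model makes visible that the thread's reasoning skips. First, once the DNAT rule has rewritten the destination to 192.168.0.2, the INPUT LOG rule (which matches on -d 128.83.147.87) can no longer fire, so "input" is not a possible prefix for a DNAT'd packet; the only remaining chance to see it is "forward". Second, with forwarding off, "prerouting" is the last prefix that can appear, which is consistent with the symptom reported. On the real box the corresponding checks are `cat /proc/sys/net/ipv4/ip_forward` (must be 1) and `iptables -t nat -L PREROUTING -n -v`, whose packet counter on the DNAT rule confirms whether the target is actually being hit.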