RE: Problem iptables DNAT.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



If your firewall drops packets by default, you will have to add:

 

iptables –A FORWARD –destination 192.168.0.5 –p tcp –dport 80 –j ACCEPT

 

-----Original Message-----
From: zufeng huang [mailto:zufeng@xxxxxxxxxx]
Sent: Tuesday, June 17, 2003 9:13 AM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Problem iptables DNAT.

 

Hi, all

 I have a Linux box with RedHat 9.0 installed(eth0:218.xxx.xxx,eth1:192.168.0.1), this box is a firewall&proxy. Now I want external user can access my internal web server via the firewall box.

According to RedHat 9.0's manual and the posts in internet, I used the following command.

#iptables -t nat -A PREROUTING -p TCP -d xxx.xxx.xxx.xxx --dport 80 -j DNAT --to 192.168.0.5:80

But I can't access the internal web server from outside.

Use tcpdump to get the following packets:

21:57:18.274817 192.168.0.85.1331 > 218.77.120.200.25460: udp 49
21:57:18.450579 218.77.120.200 > 192.168.0.85: icmp: 218.77.120.200 udp port 25460 unreachable [tos 0xc0]
21:57:18.968829 192.168.0.5.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
21:57:18.969963 0.00:30:48:23:04:33.455 > 0.ff:ff:ff:ff:ff:ff.455: ipx-netbios 50
21:57:19.057680 61.144.148.161.50660 > 192.168.0.5.http: S 5685372:5685372(0) win 8192 <mss 1452,nop,nop,sackOK> (DF)
21:57:19.718043 192.168.0.5.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
21:57:19.749255 0.00:30:48:23:04:33.455 > 0.ff:ff:ff:ff:ff:ff.455: ipx-netbios 50
21:57:20.468067 192.168.0.5.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
21:57:20.528584 0.00:30:48:23:04:33.455 > 0.ff:ff:ff:ff:ff:ff.455: ipx-netbios 50
21:57:22.020715 61.144.148.161.50660 > 192.168.0.5.http: S 5685372:5685372(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
21:57:23.444576 arp who-has 192.168.0.85 tell 192.168.0.1
21:57:23.444815 arp reply 192.168.0.85 is-at 0:e0:4c:ef:55:f8
21:57:23.533007 218.17.247.6.http > 192.168.0.85.1383: R 562882410:562882410(0) ack 2793007952 win 0
21:57:24.054574 arp who-has 192.168.0.5 tell 192.168.0.1
21:57:24.054674 arp reply 192.168.0.5 is-at 0:30:48:23:4:33
21:57:27.919595 0.00:30:48:23:04:33.4010 > 0.ff:ff:ff:ff:ff:ff.452:ipx-sap-resp[|ipx 64]
21:57:28.024632 61.144.148.161.50660 > 192.168.0.5.http: S 5685372:5685372(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
21:57:29.248044 192.168.0.100.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
21:57:29.248486 192.168.0.100.netbios-dgm > 192.168.0.255.netbios-dgm: NBT UDP PACKET(138)
21:57:33.839985 192.168.0.100.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
21:57:34.581878 192.168.0.100.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
21:57:35.332929 192.168.0.100.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
21:57:40.026871 61.144.148.161.50660 > 192.168.0.5.http: S 5685372:5685372(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
21:57:43.191397 arp who-has 192.168.0.5 tell 192.168.0.4
21:58:18.987637 arp who-has 192.168.0.5 tell 192.168.0.222

As I said, this box is a proxy too, so the above packets maybe contain un-useful messages to analysis where the problem is.

Anybody can help me?

thanks,

 

zufeng


[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux