RE: Problem iptables DNAT.

"Daniel Chemko" <dchemko@xxxxxxxxxx> · Tue, 17 Jun 2003 10:00:24 -0700

If your firewall drops packets by default,
you will have to add:

iptables –A FORWARD –destination 192.168.0.5
–p tcp –dport 80 –j ACCEPT

-----Original Message-----

From: zufeng huang
[mailto:zufeng@xxxxxxxxxx] 

Sent: Tuesday, June 17, 2003 9:13
AM

To: netfilter@xxxxxxxxxxxxxxxxxxx

Subject: Problem iptables DNAT.

Hi, all

 I have a
Linux box with RedHat 9.0 installed(eth0:218.xxx.xxx,eth1:192.168.0.1), this
box is a firewall&proxy. Now I want external user can access my internal
web server via the firewall box.

According to RedHat 9.0's manual and the posts in internet, I used the
following command.

#iptables -t nat -A PREROUTING -p TCP -d xxx.xxx.xxx.xxx --dport 80 -j DNAT
--to 192.168.0.5:80

But I can't access the internal web server from outside.

Use tcpdump to get the following packets:

21:57:18.274817 192.168.0.85.1331 > 218.77.120.200.25460: udp 49

21:57:18.450579 218.77.120.200 > 192.168.0.85: icmp: 218.77.120.200 udp port
25460 unreachable [tos 0xc0]

21:57:18.968829 192.168.0.5.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST

21:57:18.969963 0.00:30:48:23:04:33.455 > 0.ff:ff:ff:ff:ff:ff.455:
ipx-netbios 50

21:57:19.057680 61.144.148.161.50660 > 192.168.0.5.http: S
5685372:5685372(0) win 8192 <mss 1452,nop,nop,sackOK> (DF)

21:57:19.718043 192.168.0.5.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST

21:57:19.749255 0.00:30:48:23:04:33.455 > 0.ff:ff:ff:ff:ff:ff.455:
ipx-netbios 50

21:57:20.468067 192.168.0.5.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST

21:57:20.528584 0.00:30:48:23:04:33.455 > 0.ff:ff:ff:ff:ff:ff.455:
ipx-netbios 50

21:57:22.020715 61.144.148.161.50660 > 192.168.0.5.http: S
5685372:5685372(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)

21:57:23.444576 arp who-has 192.168.0.85 tell 192.168.0.1

21:57:23.444815 arp reply 192.168.0.85 is-at 0:e0:4c:ef:55:f8

21:57:23.533007 218.17.247.6.http > 192.168.0.85.1383: R
562882410:562882410(0) ack 2793007952 win 0

21:57:24.054574 arp who-has 192.168.0.5 tell 192.168.0.1

21:57:24.054674 arp reply 192.168.0.5 is-at 0:30:48:23:4:33

21:57:27.919595 0.00:30:48:23:04:33.4010 >
0.ff:ff:ff:ff:ff:ff.452:ipx-sap-resp[|ipx 64]

21:57:28.024632 61.144.148.161.50660 > 192.168.0.5.http: S
5685372:5685372(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)

21:57:29.248044 192.168.0.100.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST

21:57:29.248486 192.168.0.100.netbios-dgm > 192.168.0.255.netbios-dgm: NBT UDP
PACKET(138)

21:57:33.839985 192.168.0.100.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST

21:57:34.581878 192.168.0.100.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST

21:57:35.332929 192.168.0.100.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST

21:57:40.026871 61.144.148.161.50660 > 192.168.0.5.http: S
5685372:5685372(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)

21:57:43.191397 arp who-has 192.168.0.5 tell 192.168.0.4

21:58:18.987637 arp who-has 192.168.0.5 tell 192.168.0.222 

As I said, this box is a proxy too, so the above packets maybe contain
un-useful messages to analysis where the problem is.

Anybody can help me? 

thanks,

zufeng