Am Die, 2003-06-17 um 18.12 schrieb zufeng huang: > Hi, all > > I have a Linux box with RedHat 9.0 installed(eth0:218.xxx.xxx,eth1:192.168.0.1), this box is a firewall&proxy. Now I want external user can access my internal web server via the firewall box. > > According to RedHat 9.0's manual and the posts in internet, I used the following command. > > #iptables -t nat -A PREROUTING -p TCP -d xxx.xxx.xxx.xxx --dport 80 -j DNAT --to 192.168.0.5:80 This just accomplishes DNAT. You still have to allow the packets through, like: iptables -A FORWARD -p tcp -d 192.168.0.5 --dport 80 -m state --state NEW -j ACCEPT By the way, when adding a tcpdump, please make sure you already know what you are talking about. Only include it if you know it will help to resolve the issue. If you just want to capture http traffic using tcpdump, do: tcpdump tcp port 80 This would get rid of the dns, icmp and netbios packets. Cheers, Ralf > > But I can't access the internal web server from outside. > > Use tcpdump to get the following packets: > > 21:57:18.274817 192.168.0.85.1331 > 218.77.120.200.25460: udp 49 > 21:57:18.450579 218.77.120.200 > 192.168.0.85: icmp: 218.77.120.200 udp port 25460 unreachable [tos 0xc0] > 21:57:18.968829 192.168.0.5.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST > 21:57:18.969963 0.00:30:48:23:04:33.455 > 0.ff:ff:ff:ff:ff:ff.455: ipx-netbios 50 > 21:57:19.057680 61.144.148.161.50660 > 192.168.0.5.http: S 5685372:5685372(0) win 8192 <mss 1452,nop,nop,sackOK> (DF) > 21:57:19.718043 192.168.0.5.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST > 21:57:19.749255 0.00:30:48:23:04:33.455 > 0.ff:ff:ff:ff:ff:ff.455: ipx-netbios 50 > 21:57:20.468067 192.168.0.5.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST > 21:57:20.528584 0.00:30:48:23:04:33.455 > 0.ff:ff:ff:ff:ff:ff.455: ipx-netbios 50 > 21:57:22.020715 61.144.148.161.50660 > 192.168.0.5.http: S 5685372:5685372(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) > 21:57:23.444576 arp who-has 192.168.0.85 tell 192.168.0.1 > 21:57:23.444815 arp reply 192.168.0.85 is-at 0:e0:4c:ef:55:f8 > 21:57:23.533007 218.17.247.6.http > 192.168.0.85.1383: R 562882410:562882410(0) ack 2793007952 win 0 > 21:57:24.054574 arp who-has 192.168.0.5 tell 192.168.0.1 > 21:57:24.054674 arp reply 192.168.0.5 is-at 0:30:48:23:4:33 > 21:57:27.919595 0.00:30:48:23:04:33.4010 > 0.ff:ff:ff:ff:ff:ff.452:ipx-sap-resp[|ipx 64] > 21:57:28.024632 61.144.148.161.50660 > 192.168.0.5.http: S 5685372:5685372(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) > 21:57:29.248044 192.168.0.100.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST > 21:57:29.248486 192.168.0.100.netbios-dgm > 192.168.0.255.netbios-dgm: NBT UDP PACKET(138) > 21:57:33.839985 192.168.0.100.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST > 21:57:34.581878 192.168.0.100.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST > 21:57:35.332929 192.168.0.100.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST > 21:57:40.026871 61.144.148.161.50660 > 192.168.0.5.http: S 5685372:5685372(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) > 21:57:43.191397 arp who-has 192.168.0.5 tell 192.168.0.4 > 21:58:18.987637 arp who-has 192.168.0.5 tell 192.168.0.222 > > As I said, this box is a proxy too, so the above packets maybe contain un-useful messages to analysis where the problem is. > > Anybody can help me? > > thanks, > > zufeng -- Ralf Spenneberg RHCE, RHCX Book: Intrusion Detection für Linux Server http://www.spenneberg.com IPsec-Howto http://www.ipsec-howto.org Honeynet Project Mirror: http://honeynet.spenneberg.org
