On Fri, 2003-12-12 at 08:14, Ian Hunter wrote:
> > > > Dec 11 22:58:52 lucy kernel: Fwd DMZ->Internet DROP: IN=eth1 OUT=ppp0
> > > > SRC=192.168.254.242 DST=204.157.6.223 LEN=60 TOS=0x00 PREC=0x00 TTL=63
> > > > ID=56169 DF PROTO=TCP SPT=80 DPT=56319 WINDOW=32476 RES=0x00 ACK SYN
> > > > URGP=0
> > > >
> > Is there any chance that port 80 traffic is being allowed in under a
> > rule that does not enter the connection in conntrack?
> > In other words, if you have a rule such as:
> >
> > iptables -A FORWARD -d 192.168.254.242 -p tcp --dport 80 -j ACCEPT
> >
> > The SYN packet will be sent to your web server and the web server will
> > respond with a SYN, ACK packet but it will not be related to anything in
> > the conntrack table. The connection may be being allowed by a more
> > general rule than one to the web services.
> >
> > So, I suppose we should ask what your ACCEPT rules look like - John
>
> I'm absolutely doing that -- here are the relevant ACCEPTs:
>
> iptables -A FORWARD -i ppp0 -o eth1 -p tcp --dport 80 -d 192.168.254.242 -j ACCEPT
> iptables -t nat -A PREROUTING -i ppp0 -d <my.public.ip.here> -p tcp --dport 80 -j DNAT --to-destination 192.168.254.242
>
> If I want to forward port 80 to that box, isn't that the way to do it? How
> would a connection escape conntrack?
>
> Thanks MUCH!
>
> Ian

You never told it to make an entry in conntrack. Try this:

iptables -A FORWARD -i ppp0 -o eth1 -p tcp --dport 80 -d 192.168.254.242 -m state --state NEW -j ACCEPT

--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@xxxxxxxxxxxxx

---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
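The symptom in the log line quoted above is a SYN/ACK from the DMZ web server (SPT=80) being dropped on its way back out ppp0, i.e. the inbound SYN was accepted but nothing accepts the reply direction. The following is an added example, not code from the thread, from Ian or from John: a small triage script that parses netfilter LOG-target lines and flags exactly that pattern, so a firewall administrator can spot "published service, reply dropped" entries among ordinary drops. It assumes ppp0 is the external interface and {80, 443} are the forwarded ports; the first sample line mirrors the one quoted in the thread, the remaining sample lines are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample log. Line 1 mirrors the entry quoted in the thread; the
# others are invented to show the different classifications.
SAMPLE_LOG = """\
Dec 11 22:58:52 lucy kernel: Fwd DMZ->Internet DROP: IN=eth1 OUT=ppp0 SRC=192.168.254.242 DST=204.157.6.223 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=56169 DF PROTO=TCP SPT=80 DPT=56319 WINDOW=32476 RES=0x00 ACK SYN URGP=0
Dec 11 22:58:53 lucy kernel: Fwd DMZ->Internet DROP: IN=eth1 OUT=ppp0 SRC=192.168.254.242 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=123 DF PROTO=TCP SPT=443 DPT=40001 WINDOW=32476 RES=0x00 ACK SYN URGP=0
Dec 11 22:59:01 lucy kernel: Fwd DMZ->Internet DROP: IN=eth1 OUT=ppp0 SRC=192.168.254.242 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=124 DF PROTO=TCP SPT=41000 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 11 22:59:05 lucy kernel: Fwd DMZ->Internet DROP: IN=eth1 OUT=ppp0 SRC=192.168.254.242 DST=198.51.100.9 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=125 DF PROTO=UDP SPT=53 DPT=53 LEN=56
"""

# syslog timestamp, host, "kernel:", the free-form --log-prefix, then IN=...
_LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"(?P<prefix>.*?)\s*(?P<body>IN=.*)$"
)

# Tokens the LOG target prints without a value: IP flags and TCP flags.
_BARE_FLAGS = {"DF", "MF", "CE", "SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}


@dataclass
class LogEntry:
    timestamp: str
    host: str
    prefix: str
    fields: Dict[str, str] = field(default_factory=dict)
    flags: Set[str] = field(default_factory=set)


def parse_line(line: str) -> LogEntry:
    """Split one LOG-target line into key=value fields plus bare flag tokens."""
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a netfilter LOG line: {line!r}")
    entry = LogEntry(m["ts"], m["host"], m["prefix"].strip())
    for tok in m["body"].split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            # LEN appears twice for UDP (IP length, then UDP length); keep the first.
            entry.fields.setdefault(key, val)
        elif tok in _BARE_FLAGS:
            entry.flags.add(tok)
    return entry


def classify(entry: LogEntry, published_ports: Set[int], external_if: str) -> str:
    """Label a dropped packet by what it implies about the FORWARD rule set.

    'dropped_reply_from_published_service' is the thread's symptom: a SYN/ACK
    leaving on the external interface whose source port is one the firewall
    forwards inbound. The SYN got in, but no rule accepts the return direction.
    """
    if "DROP" not in entry.prefix.upper():
        return "not_a_drop"
    f = entry.fields
    if f.get("PROTO") != "TCP":
        return "other_drop"
    spt = int(f.get("SPT", 0))
    if f.get("OUT") == external_if and {"SYN", "ACK"} <= entry.flags and spt in published_ports:
        return "dropped_reply_from_published_service"
    if f.get("OUT") == external_if and "SYN" in entry.flags and "ACK" not in entry.flags:
        # A DMZ host opening a brand-new outbound connection; often intended policy.
        return "dropped_new_outbound_from_dmz"
    return "other_drop"


def triage(log_text: str, published_ports: Set[int], external_if: str = "ppp0") -> Dict[str, List[str]]:
    """Group a one-line description of each log entry under its classification."""
    report: Dict[str, List[str]] = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        e = parse_line(raw)
        f = e.fields
        desc = f"{f.get('SRC')}:{f.get('SPT')} -> {f.get('DST')}:{f.get('DPT')} {f.get('PROTO')}"
        report.setdefault(classify(e, published_ports, external_if), []).append(desc)
    return report


if __name__ == "__main__":
    for label, items in triage(SAMPLE_LOG, {80, 443}).items():
        print(label)
        for item in items:
            print("   ", item)
```

Run against a real log, point `published_ports` at the ports you DNAT inward and `external_if` at your uplink; a non-empty `dropped_reply_from_published_service` bucket means the return path for a forwarded service is not being accepted and the FORWARD rules in that direction (and their state matching) are what to review.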