> On Monday 12 July 2004 4:12 pm, Nicolas Ross wrote:
>
> > DNAT to 172.16.190.5, port 80 works fine.
> > DNAT to 172.16.190.143, port 5003 is not.
> >
> > In /proc/net/ip_conntrack, I see :
> >
> > tcp 6 118 SYN_SENT src=x.x.x.x dst=x.x.x.x sport=49502 dport=5003
> > [UNREPLIED] src=172.16.190.143 dst=x.x.x.x sport=5003 dport=49502 use=1
>
> Okay, so that means the firewall passed the SYN packet through from the client
> to the mac, but hasn't seen the SYN-ACK back from the mac to the client.
>
> > With iptables -nvL, I see packet counter rising for the 2 rules concerning
> > port 5003
>
> That means packets are going through the firewall (one way, at least).
>
> > On the 172.16.190.143 box, which is a mac os x box, with netstat -an | grep
> > 5003, I see :
> >
> > tcp4 0 0 172.16.190.143.5003 x.x.x.x.62382 SYN_RCVD
>
> Okay, so it's received the SYN (and presumably tried to return the SYN-ACK)
>
> > tcp4 0 0 172.16.190.143.5003 172.16.190.153.49342 ESTABLISHED
> > tcp4 0 0 127.0.0.1.5003 127.0.0.1.49184 ESTABLISHED
> > tcp4 0 0 127.0.0.1.49184 127.0.0.1.5003 ESTABLISHED
> > tcp4 0 0 *.5003 *.* LISTEN
>
> Yup, it's listening on TCP port 5003 alright :)
>
> Does the mac have a default route to send reply packets back to the remote
> client through the firewall?
>
> Try a packet sniffer (ethereal is good) on the link between the firewall and
> the mac, and see if you can see packets both ways (and look at the source &
> destination addresses).

Between the time I wrote my message and now, I finally got my hands on it.
The problem was that the default route on that host was not the RH firewall,
but another box which connects with a VPN to another network at another
location, so the route back to the source host doesn't pass through the
firewall, thus the problem...

Thanks anyway!

Nicolas
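The conntrack entry quoted above is the whole diagnosis in one line: the original tuple shows the SYN the client sent, the reply tuple (after DNAT) shows which internal host must answer, and [UNREPLIED] says the firewall has never seen a packet in that direction. The following script is an added example, not code from this thread or from netfilter: it parses old-style /proc/net/ip_conntrack lines, tells DNAT from SNAT by comparing the two tuples, and reports DNAT entries that are still UNREPLIED, which is exactly the asymmetric-routing symptom Nicolas hit. The sample lines are constructed for the example, with RFC 5737 documentation addresses standing in for the x.x.x.x placeholders.

```python
"""Spot DNAT connections whose reply path never came back through the
firewall, from /proc/net/ip_conntrack output.

Old-style ip_conntrack line layout: proto, proto number, timeout,
[tcp state], original tuple, [UNREPLIED], reply tuple, [ASSURED], use=N.
"""
import re
from dataclasses import dataclass

KV = re.compile(r"(\w+)=(\S+)")
# keys that belong to the two address tuples; anything else (use=, mark=) is metadata
TUPLE_KEYS = {"src", "dst", "sport", "dport", "type", "code", "id"}


@dataclass
class ConntrackEntry:
    proto: str
    timeout: int
    state: str      # empty for protocols without a state field (udp, icmp)
    orig: dict      # tuple as the client sent it (before NAT)
    reply: dict     # tuple a reply is expected to carry (after NAT)
    flags: set
    extra: dict

    @property
    def dnat(self) -> bool:
        # DNAT rewrote the destination, so the host that must answer (reply src)
        # is not the address the client originally targeted (orig dst).
        return self.orig["dst"] != self.reply["src"]

    @property
    def snat(self) -> bool:
        # SNAT/masquerade rewrote the source, so replies are addressed to the
        # firewall (reply dst) rather than to the internal client (orig src).
        return self.orig["src"] != self.reply["dst"]


def parse_entry(line: str) -> ConntrackEntry:
    tokens = line.split()
    proto, timeout = tokens[0], int(tokens[2])
    rest = tokens[3:]
    state = ""
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        state = rest.pop(0)          # e.g. SYN_SENT, ESTABLISHED (tcp only)
    tuples = [{}, {}]
    flags, extra = set(), {}
    idx = -1                         # -1: no tuple yet, 0: original, 1: reply
    for tok in rest:
        if tok.startswith("[") and tok.endswith("]"):
            flags.add(tok[1:-1])     # UNREPLIED, ASSURED
            continue
        m = KV.fullmatch(tok)
        if not m:
            continue
        key, val = m.groups()
        if key == "src":             # each tuple starts with its src=
            idx += 1
        if key in TUPLE_KEYS and 0 <= idx <= 1:
            tuples[idx][key] = val
        else:
            extra[key] = val
    if idx != 1:
        raise ValueError(f"expected two address tuples in: {line!r}")
    return ConntrackEntry(proto, timeout, state, tuples[0], tuples[1], flags, extra)


def unanswered_dnat(lines) -> list:
    """Entries that were DNATed but where no packet in the reply direction has
    ever been seen: the forwarded SYN went out, the SYN-ACK is coming back some
    other way (or not at all)."""
    found = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        entry = parse_entry(line)
        if entry.dnat and "UNREPLIED" in entry.flags:
            found.append(entry)
    return found


def explain(entry: ConntrackEntry) -> str:
    o, r = entry.orig, entry.reply
    return (f"{entry.proto} {o['src']}:{o.get('sport', '?')} -> {o['dst']}:{o.get('dport', '?')} "
            f"was DNATed to {r['src']}:{r.get('sport', '?')} but no reply has come back "
            f"through this host; check that {r['src']} routes {o['src']} via the firewall")


# Constructed sample modelled on the thread (not the poster's real output).
SAMPLE = """\
tcp      6 118 SYN_SENT src=203.0.113.7 dst=198.51.100.1 sport=49502 dport=5003 [UNREPLIED] src=172.16.190.143 dst=203.0.113.7 sport=5003 dport=49502 use=1
tcp      6 431999 ESTABLISHED src=203.0.113.7 dst=198.51.100.1 sport=40112 dport=80 src=172.16.190.5 dst=203.0.113.7 sport=80 dport=40112 [ASSURED] use=1
tcp      6 119 SYN_SENT src=172.16.190.10 dst=203.0.113.9 sport=51000 dport=22 [UNREPLIED] src=203.0.113.9 dst=198.51.100.1 sport=22 dport=51000 use=1
udp      17 29 src=172.16.190.10 dst=203.0.113.53 sport=34567 dport=53 src=203.0.113.53 dst=198.51.100.1 sport=53 dport=34567 use=1
""".splitlines()

if __name__ == "__main__":
    for e in unanswered_dnat(SAMPLE):
        print(explain(e))
```

Only the first sample line is reported: the port-80 DNAT has both directions and is ASSURED, the outbound SSH line is UNREPLIED but is SNAT rather than DNAT (a freshly opened connection looks like that for a moment), and the UDP line has no state field at all. A brand-new inbound DNAT connection will also sit in UNREPLIED for an instant, so treat the report as a pointer to where to sniff, not as proof by itself.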