On Sun, May 22, 2005 at 06:28:55AM -0700, Brian Atkins wrote:

> Now, even more strange is that I stripped everything out right down to
> just the natting piece and I still can't traverse the fw:
>
> # Generated by iptables-save v1.3.1 on Fri May 20 06:23:40 2005
> *raw
> :PREROUTING ACCEPT [185327:123272626]
> :OUTPUT ACCEPT [71616:17819696]
> COMMIT
> # Completed on Fri May 20 06:23:40 2005
> # Generated by iptables-save v1.3.1 on Fri May 20 06:23:40 2005
> *nat
> :PREROUTING ACCEPT [20964:3942558]
> :POSTROUTING ACCEPT [54:3564]
> :OUTPUT ACCEPT [53:3480]
> -A PREROUTING -d [PUBLIC_IP] -i eth0 -j DNAT --to-destination [PRIVATE_IP]
> -A PREROUTING -d [PUBLIC_IP] -i eth0 -j DNAT --to-destination [PRIVATE_IP]
> -A POSTROUTING -s [PRIVATE_IP] -o eth0 -j SNAT --to-source [PUBLIC_IP]
> -A POSTROUTING -s [PRIVATE_IP] -o eth0 -j SNAT --to-source [PUBLIC_IP]
> COMMIT
> # Completed on Fri May 20 06:23:40 2005
> # Generated by iptables-save v1.3.1 on Fri May 20 06:23:40 2005
> *filter
> :INPUT ACCEPT [955:375232]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1219:191838]
> :POSTROUTING - [0:0]
> :PREROUTING - [0:0]
> -A FORWARD -i eth1 -j POSTROUTING

um--wtf is this?

Looking at the hit-count numbers of INPUT and OUTPUT vs. the fact that
FORWARD is sitting steady at zero... I'm going to take a swipe at the low
hanging fruit and say you forgot to enable IP forwarding:

sysctl -w net.ipv4.ip_forward=1

> COMMIT
> # Completed on Fri May 20 06:23:40 2005
>
> By all intents I should be vulnerable to the world. From the outside, I
> can hit the external facing NIC, but I can't get to the public IP of one
> of my webservers. From the inside, I can hit both NICs (inside/outside)
> on the firewall, but not the internal facing NIC on the ex-router. From
> the firewall, I can see both WWW and my internal network.
>
> Is there a tool to debug iptables to see if any of the rules are being
> used by incoming traffic?

iptables -vnxL will show you the hit-counts on your rules.

In a controlled environment and with specific rules, you should be able to
determine rather easily if the rule you think should be matching is
actually matching.

-j

-- 
"Brian: I've been to New York. It's like Prague sans the whimsy." --Family Guy
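A small lint script, added here as an example and not part of the list post, that checks an iptables-save dump and an `iptables -vnxL` listing for the things raised above: rules appended twice, a jump into a user-defined chain that holds no rules (the `-A FORWARD -i eth1 -j POSTROUTING` line), rules whose packet counters never move, and whether the ip_forward sysctl is on. The sample dump and listing are constructed after Brian's ruleset, with documentation addresses (203.0.113.10 / 192.0.2.10) standing in for his placeholders; nothing here is the project's own tooling.

```python
"""Lint an iptables-save dump and an `iptables -vnxL` listing for the
mistakes discussed in the thread. Added example, not from the list post."""
import re
from collections import Counter

# Constructed sample modelled on the quoted ruleset; addresses are placeholders.
SAMPLE_SAVE = """\
*nat
:PREROUTING ACCEPT [20964:3942558]
:POSTROUTING ACCEPT [54:3564]
:OUTPUT ACCEPT [53:3480]
-A PREROUTING -d 203.0.113.10 -i eth0 -j DNAT --to-destination 192.0.2.10
-A PREROUTING -d 203.0.113.10 -i eth0 -j DNAT --to-destination 192.0.2.10
-A POSTROUTING -s 192.0.2.10 -o eth0 -j SNAT --to-source 203.0.113.10
-A POSTROUTING -s 192.0.2.10 -o eth0 -j SNAT --to-source 203.0.113.10
COMMIT
*filter
:INPUT ACCEPT [955:375232]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1219:191838]
:POSTROUTING - [0:0]
:PREROUTING - [0:0]
-A FORWARD -i eth1 -j POSTROUTING
COMMIT
"""

# Constructed `iptables -vnxL` output for the filter table above (exact counters).
SAMPLE_LIST = """\
Chain INPUT (policy ACCEPT 955 packets, 375232 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 POSTROUTING  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1219 packets, 191838 bytes)
    pkts      bytes target     prot opt in     out     source               destination
"""


def parse_save(text):
    """Return {table: {"chains": {name: policy}, "rules": [(chain, rule)]}}.
    User-defined chains carry the policy "-" in iptables-save output."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {"chains": {}, "rules": []}
        elif line.startswith(":"):
            name, policy = line[1:].split()[:2]
            tables[table]["chains"][name] = policy
        elif line.startswith("-A "):
            tables[table]["rules"].append((line.split()[1], line))
    return tables


def find_duplicate_rules(tables):
    """Identical rules appended more than once in the same table."""
    dups = []
    for tname, t in tables.items():
        counts = Counter(rule for _, rule in t["rules"])
        dups.extend((tname, rule) for rule, n in counts.items() if n > 1)
    return dups


def find_jumps_to_empty_chains(tables):
    """Jumps (-j/-g) into user-defined chains that hold no rules: the packet
    just returns to the caller and falls through to the built-in policy."""
    findings = []
    for tname, t in tables.items():
        populated = {chain for chain, _ in t["rules"]}
        for chain, rule in t["rules"]:
            m = re.search(r"\s-[jg]\s+(\S+)", rule)
            if m and t["chains"].get(m.group(1)) == "-" and m.group(1) not in populated:
                findings.append((tname, chain, m.group(1)))
    return findings


def unmatched_rules(listing):
    """(chain, target, match) for every rule whose packet counter is still 0."""
    chain, out = None, []
    for line in listing.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        parts = line.split()
        if len(parts) < 3 or not parts[0].isdigit():
            continue  # blank line or the column header
        if int(parts[0]) == 0:
            out.append((chain, parts[2], " ".join(parts[3:])))
    return out


def forwarding_enabled(sysctl_output):
    """True if `sysctl net.ipv4.ip_forward` (or /proc/sys/net/ipv4/ip_forward)
    reports 1; accepts both the 'key = value' and the bare-value form."""
    return sysctl_output.strip().split("=")[-1].strip() == "1"


if __name__ == "__main__":
    tables = parse_save(SAMPLE_SAVE)
    print("duplicates:", find_duplicate_rules(tables))
    print("jumps to empty chains:", find_jumps_to_empty_chains(tables))
    print("rules with zero hits:", unmatched_rules(SAMPLE_LIST))
    print("forwarding on:", forwarding_enabled("net.ipv4.ip_forward = 0"))
```

On a real box, feed it `iptables-save`, `iptables -vnxL` and `sysctl net.ipv4.ip_forward` output instead of the constructed samples; a zero counter on a rule that should be carrying your test traffic is the signal the reply above describes.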