Ok, found out what the problem was... and I am truly sorry to have wasted your time.

Problem was simple: host C did not have the gateway set to the IP of the NAT... so basically no return path for packets IIRC.

Again, thank you very much for your help Charles.

On Wed, Jul 9, 2008 at 3:24 PM, Charles Romestant <cromestant@xxxxxxxxx> wrote:
> Ok here are 2 consecutive saves while trying to access the web server.
>
> root@charz-server:/home/charz# iptables-save -c
> # Generated by iptables-save v1.3.6 on Tue Jul 8 15:23:36 2008
> *nat
> :PREROUTING ACCEPT [1287:172779]
> :POSTROUTING ACCEPT [39:5989]
> :OUTPUT ACCEPT [41:6213]
> [2:128] -A PREROUTING -d 10.0.1.192 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.10.1
> [0:0] -A POSTROUTING -s 10.0.10.1 -o eth0 -p tcp -m tcp --sport 80 -j SNAT --to-source 10.0.1.192
> COMMIT
> # Completed on Tue Jul 8 15:23:36 2008
> # Generated by iptables-save v1.3.6 on Tue Jul 8 15:23:36 2008
> *filter
> :INPUT ACCEPT [7829:710453]
> :FORWARD ACCEPT [1:48]
> :OUTPUT ACCEPT [3244:550936]
> :fail2ban-ssh - [0:0]
> :spa - [0:0]
> [19:1008] -A FORWARD -d 10.0.10.1 -i eth0 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
> [0:0] -A FORWARD -s 10.0.10.1 -i eth1 -o eth0 -p tcp -m tcp --sport 80 -j ACCEPT
> COMMIT
> # Completed on Tue Jul 8 15:23:36 2008
>
> ------------------------------------------------------------------------
>
> root@charz-server:/home/charz# iptables-save -c
> # Generated by iptables-save v1.3.6 on Tue Jul 8 15:23:38 2008
> *nat
> :PREROUTING ACCEPT [1288:172897]
> :POSTROUTING ACCEPT [39:5989]
> :OUTPUT ACCEPT [41:6213]
> [2:128] -A PREROUTING -d 10.0.1.192 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.10.1
> [0:0] -A POSTROUTING -s 10.0.10.1 -o eth0 -p tcp -m tcp --sport 80 -j SNAT --to-source 10.0.1.192
> COMMIT
> # Completed on Tue Jul 8 15:23:38 2008
> # Generated by iptables-save v1.3.6 on Tue Jul 8 15:23:38 2008
> *filter
> :INPUT ACCEPT [7844:711502]
> :FORWARD ACCEPT [1:48]
> :OUTPUT ACCEPT [3254:553344]
> :fail2ban-ssh - [0:0]
> :spa - [0:0]
> [19:1008] -A FORWARD -d 10.0.10.1 -i eth0 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
> [0:0] -A FORWARD -s 10.0.10.1 -i eth1 -o eth0 -p tcp -m tcp --sport 80 -j ACCEPT
> COMMIT
> # Completed on Tue Jul 8 15:23:38 2008
>
>
> On Wed, Jul 9, 2008 at 3:20 PM, Grant Taylor <gtaylor@xxxxxxxxxxxxxxxxx> wrote:
>> On 07/08/08 14:40, Charles Romestant wrote:
>>>
>>> ok it was set to 0, but changing it did not do anything, here is the
>>> iptables-save output
>>
>> *nod*
>>
>> Uh, can I (re)ask for an iptables-save, but this time with a "-c" added to
>> the end of it so that it will include packet counters? (I forgot that
>> iptables-save does not show packet counts like iptables -L. Sorry.)
>>
>>> Again, thank you for your help
>>
>> *nod*
>>
>> You are welcome.
>>
>>
>>
>> Grant. . . .
>> --
>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>> the body of a message to majordomo@xxxxxxxxxxxxxxx
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>>
>
>
>
> --
> Charz

--
Charz
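The diagnostic Grant asked for above (two `iptables-save -c` dumps a few seconds apart) is much easier to read when the two snapshots are diffed rule by rule. The script below is an added example written for this thread; it is not code from the poster or from the netfilter project. It embeds the two dumps quoted above (the second one is built from the first by substituting the chain-policy counters that changed between the two saves), parses the `[packets:bytes]` counters, reports the deltas, and flags rules that never matched. The interface name `eth1` and the `lan_if` parameter are assumptions taken from the quoted rules. One caveat built into the heuristic: the nat-table `POSTROUTING` SNAT rule will sit at `[0:0]` even on a working setup, because nat rules are consulted only for the first packet of a connection and conntrack reverses the DNAT on replies by itself, so the script judges the return path from the filter `FORWARD` counters instead. In the thread's dumps the inbound `FORWARD` rule has 19 hits and the return rule has 0, which is exactly the "no return path" symptom that the missing default gateway on host C produced.

```python
"""Diff two `iptables-save -c` snapshots and flag rules that never fire.
Added example for the thread above, not the poster's or netfilter's code."""
import re
from typing import Dict, List, Tuple

Counter = Tuple[int, int]          # (packets, bytes)
RuleKey = Tuple[str, str, str]     # (table, chain, rule spec or "policy X")

_CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")
_RULE_RE = re.compile(r"^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s+(.*)$")

# First dump from the thread, with the mail-wrapped rule lines rejoined.
SNAPSHOT_1 = """\
*nat
:PREROUTING ACCEPT [1287:172779]
:POSTROUTING ACCEPT [39:5989]
:OUTPUT ACCEPT [41:6213]
[2:128] -A PREROUTING -d 10.0.1.192 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.10.1
[0:0] -A POSTROUTING -s 10.0.10.1 -o eth0 -p tcp -m tcp --sport 80 -j SNAT --to-source 10.0.1.192
COMMIT
*filter
:INPUT ACCEPT [7829:710453]
:FORWARD ACCEPT [1:48]
:OUTPUT ACCEPT [3244:550936]
:fail2ban-ssh - [0:0]
:spa - [0:0]
[19:1008] -A FORWARD -d 10.0.10.1 -i eth0 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A FORWARD -s 10.0.10.1 -i eth1 -o eth0 -p tcp -m tcp --sport 80 -j ACCEPT
COMMIT
"""
# Second dump, two seconds later: only the built-in policy counters moved
# (values copied from the thread); every rule counter is unchanged.
SNAPSHOT_2 = (SNAPSHOT_1
              .replace("[1287:172779]", "[1288:172897]")
              .replace("[7829:710453]", "[7844:711502]")
              .replace("[3244:550936]", "[3254:553344]"))


def parse_counters(dump: str) -> Dict[RuleKey, Counter]:
    """Map every rule and built-in chain policy to its (packets, bytes)."""
    table = ""
    out: Dict[RuleKey, Counter] = {}
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):            # "*nat", "*filter"
            table = line[1:]
            continue
        m = _CHAIN_RE.match(line)           # ":CHAIN POLICY [p:b]"
        if m:
            chain, policy, pkts, byts = m.groups()
            out[(table, chain, f"policy {policy}")] = (int(pkts), int(byts))
            continue
        m = _RULE_RE.match(line)            # "[p:b] -A CHAIN spec..."
        if m:
            pkts, byts, chain, spec = m.groups()
            out[(table, chain, spec)] = (int(pkts), int(byts))
    return out


def diff_counters(before: Dict[RuleKey, Counter],
                  after: Dict[RuleKey, Counter]) -> List[Tuple[RuleKey, int, int]]:
    """Packet and byte deltas for every key present in both snapshots."""
    return [(k, after[k][0] - p, after[k][1] - b)
            for k, (p, b) in before.items() if k in after]


def rules_never_hit(before: Dict[RuleKey, Counter],
                    after: Dict[RuleKey, Counter]) -> List[RuleKey]:
    """Rules (not policies) whose packet counter is zero in both dumps."""
    return [k for k in before if not k[2].startswith("policy ")
            and before[k][0] == 0 and after.get(k, (0, 0))[0] == 0]


def forward_hits(counters: Dict[RuleKey, Counter], lan_if: str, direction: str) -> int:
    """Packets matched by filter/FORWARD rules heading into ('in') or out of
    ('out') the internal interface lan_if (assumed to be eth1 here)."""
    flag = f"-o {lan_if}" if direction == "in" else f"-i {lan_if}"
    return sum(p for (t, c, spec), (p, _) in counters.items()
               if t == "filter" and c == "FORWARD" and flag in spec)


def diagnose_port_forward(counters: Dict[RuleKey, Counter], lan_if: str = "eth1") -> str:
    """Heuristic from this thread: requests forwarded to the server but no
    replies forwarded back means the server has no route via the NAT box."""
    to_server = forward_hits(counters, lan_if, "in")
    from_server = forward_hits(counters, lan_if, "out")
    if to_server and not from_server:
        return ("requests reach the server but no replies come back through "
                "the NAT box: check the server's default gateway")
    if to_server and from_server:
        return "traffic flows in both directions through the NAT box"
    return "no forwarded traffic seen yet"


if __name__ == "__main__":
    c1, c2 = parse_counters(SNAPSHOT_1), parse_counters(SNAPSHOT_2)
    for key, dp, db in diff_counters(c1, c2):
        if dp or db:
            print(f"{key[0]}/{key[1]} {key[2]}: +{dp} pkts, +{db} bytes")
    for key in rules_never_hit(c1, c2):
        print("never matched:", key)
    print(diagnose_port_forward(c2))
```

Run against a live box with `iptables-save -c > a; sleep 2; iptables-save -c > b` and feed the two files to `parse_counters`; the interesting lines are the ones whose counters move while you reproduce the failure, and the ones that stay at zero when you expected them to fire.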