Re: Access from inside proxy to server with apache

>> you say traffic on port 80 is redirected. how?

[A]

[Pc] (80) => (80) [Router] (80) => (80) [Server]

The router does NAT. I repeat: if I quit iptables, all works fine,
so I assume the router's NAT works.

>> also if the destination address is changed by nat, the packets get routed over the other
>> interface.
>> that is why you need to allow the traffic in the FORWARD chain.
>> i do not see any of those in your rules above.

I added (without success) the following rule:

-A FORWARD -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT

------------------------------------------

The trouble continues: from inside a proxy, I can't access the
Apache server (I can access, for instance, via ssh). If I quit
iptables, all works fine.

Thanks for your interest.

Javier



On 17/12/2008, Mart Frauenlob <mart.frauenlob@xxxxxxxxx> wrote:
> Javi Legido wrote:
>> Hi.
>>
>> I have the following schema:
>>
>> [A]
>>
>> [Pc] (80) => (80) [Router] (80) => (80) [Server]
>>
>> [B]
>>
>> [Pc] (80) => (80) [Proxy] ¿? => (80) [Router] (80) => (80) [Server]
>>
>> More data:
>>
>> -The server has iptables and Apache
>> -The router has port 80 tcp redirected to the server
>>
>> Troubleshooting:
>>
>> -When I 'switch on' iptables, schema [B] fails (schema [A] always works
>> fine)
>> -When I 'switch off' iptables, schema [B] works fine
>>
>> The output:
>>
>> ************************ iptables -S ***************************
>>
>> -P INPUT ACCEPT
>> -P FORWARD ACCEPT
>> -P OUTPUT ACCEPT
>> -A INPUT -s public_ip_1/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
>> -A INPUT -s public_ip_1/32 -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
>> -A INPUT -s 192.168.1.31/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
>> -A INPUT -s 192.168.1.30/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
>> -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
>> -A INPUT -i eth0 -p tcp -m tcp --sport 80 -j ACCEPT
>> -A INPUT -i eth0 -p tcp -m tcp --dport 4080 -j ACCEPT
>> -A INPUT -i eth0 -p udp -m udp --dport 4080 -j ACCEPT
>> -A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
>> -A INPUT -i eth0 -p udp -m udp --dport 21 -j ACCEPT
>> -A INPUT -i eth0 -p udp -m udp --sport 53 -j ACCEPT
>> -A INPUT -i eth0 -p tcp -m tcp --sport 23 -j ACCEPT
>> -A INPUT -i lo -j ACCEPT
>> -A INPUT -j LOG --log-prefix "INPUT_"
>> -A INPUT -j REJECT --reject-with icmp-port-unreachable
>> -A FORWARD -p tcp -m tcp --dport 9999 -j ACCEPT
>> -A FORWARD -p tcp -m tcp --dport 6882 -j ACCEPT
>> -A FORWARD -p udp -m udp --dport 5865 -j ACCEPT
>> -A FORWARD -p tcp -m tcp --dport 5865 -j ACCEPT
>> -A FORWARD -p udp -m udp --dport 8443 -j ACCEPT
>> -A FORWARD -p tcp -m tcp --dport 8443 -j ACCEPT
>> -A FORWARD -p udp -m udp --dport 4666 -j ACCEPT
>> -A FORWARD -p tcp -m tcp --dport 4662 -j ACCEPT
>> -A FORWARD -j LOG --log-prefix "FORWARD"
>> -A FORWARD -j REJECT --reject-with icmp-port-unreachable
>> -A OUTPUT -o lo -j ACCEPT
>>
>> ******************** /var/log/messages ****************************
>>
>> Dec 17 12:32:24 servidor kernel: [1120947.846431] INPUT_IN=eth0 OUT=
>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=56
>> TOS=0x00 PREC=0x00 TTL=155 ID=31428 PROTO=ICMP TYPE=3 CODE=4
>> [SRC=192.168.1.2 DST=public_ip_1 LEN=1500 TOS=0x00 PREC=0x00 TTL=63
>> ID=16093 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492
>> Dec 17 12:32:54 servidor kernel: [1120979.925513] INPUT_IN=eth0 OUT=
>> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60
>> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202
>> WINDOW=5792 RES=0x00 ACK SYN URGP=0
>> Dec 17 12:32:57 servidor kernel: [1120983.069334] INPUT_IN=eth0 OUT=
>> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60
>> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202
>> WINDOW=5792 RES=0x00 ACK SYN URGP=0
>> Dec 17 12:32:57 servidor kernel: [1120983.693341] INPUT_IN=eth0 OUT=
>> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60
>> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202
>> WINDOW=5792 RES=0x00 ACK SYN URGP=0
>> Dec 17 12:33:03 servidor kernel: [1120989.596154] INPUT_IN=eth0 OUT=
>> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60
>> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202
>> WINDOW=5792 RES=0x00 ACK SYN URGP=0
>> Dec 17 12:33:03 servidor kernel: [1120990.224560] INPUT_IN=eth0 OUT=
>> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60
>> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202
>> WINDOW=5792 RES=0x00 ACK SYN URGP=0
>> Dec 17 12:33:15 servidor kernel: [1121001.913149] INPUT_IN=eth0 OUT=
>> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60
>> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202
>> WINDOW=5792 RES=0x00 ACK SYN URGP=0
>> Dec 17 12:33:15 servidor kernel: [1121002.550066] INPUT_IN=eth0 OUT=
>> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60
>> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202
>> WINDOW=5792 RES=0x00 ACK SYN URGP=0
>> Dec 17 12:33:45 servidor kernel: [1121033.566738] INPUT_IN=eth0 OUT=
>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
>> TOS=0x00 PREC=0x00 TTL=128 ID=31434 PROTO=ICMP TYPE=0 CODE=0 ID=33569
>> SEQ=1
>> Dec 17 12:33:46 servidor kernel: [1121034.571848] INPUT_IN=eth0 OUT=
>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
>> TOS=0x00 PREC=0x00 TTL=128 ID=31435 PROTO=ICMP TYPE=0 CODE=0 ID=33569
>> SEQ=2
>> Dec 17 12:33:47 servidor kernel: [1121035.592819] INPUT_IN=eth0 OUT=
>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
>> TOS=0x00 PREC=0x00 TTL=128 ID=31436 PROTO=ICMP TYPE=0 CODE=0 ID=33569
>> SEQ=3
>> Dec 17 12:33:48 servidor kernel: [1121036.789595] INPUT_IN=eth0 OUT=
>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
>> TOS=0x00 PREC=0x00 TTL=128 ID=31437 PROTO=ICMP TYPE=0 CODE=0 ID=33569
>> SEQ=4
>> Dec 17 12:33:49 servidor kernel: [1121037.817587] INPUT_IN=eth0 OUT=
>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
>> TOS=0x00 PREC=0x00 TTL=128 ID=31438 PROTO=ICMP TYPE=0 CODE=0 ID=33569
>> SEQ=5
>> Dec 17 12:33:50 servidor kernel: [1121038.945584] INPUT_IN=eth0 OUT=
>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
>> TOS=0x00 PREC=0x00 TTL=128 ID=31439 PROTO=ICMP TYPE=0 CODE=0 ID=33569
>> SEQ=6
>> Dec 17 12:33:51 servidor kernel: [1121039.974620] INPUT_IN=eth0 OUT=
>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
>> TOS=0x00 PREC=0x00 TTL=128 ID=31440 PROTO=ICMP TYPE=0 CODE=0 ID=33569
>> SEQ=7
>> Dec 17 12:33:52 servidor kernel: [1121040.974610] INPUT_IN=eth0 OUT=
>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
>> TOS=0x00 PREC=0x00 TTL=128 ID=31441 PROTO=ICMP TYPE=0 CODE=0 ID=33569
>> SEQ=8
>> Dec 17 12:33:53 servidor kernel: [1121041.978981] INPUT_IN=eth0 OUT=
>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
>> TOS=0x00 PREC=0x00 TTL=128 ID=31442 PROTO=ICMP TYPE=0 CODE=0 ID=33569
>> SEQ=9
>> Dec 17 12:33:54 servidor kernel: [1121042.991844] INPUT_IN=eth0 OUT=
>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
>> TOS=0x00 PREC=0x00 TTL=128 ID=31443 PROTO=ICMP TYPE=0 CODE=0 ID=33569
>> SEQ=10
>>
>> **************************************** end
>> *******************************************
>>
>> Notice there are 2 different IPs: public_ip_2 and public_ip_1. Maybe
>> that is the key...
>>
>> Can anybody help me make iptables let the traffic pass for schema
>> [B]?
>>
>> PS: I tested two similar schema [B] setups: two machines from inside a
>> proxy, and both machines failed to connect to the server.
>>
>> Thanks in advance.
>>
>> Javier
>> --
>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>> the body of a message to majordomo@xxxxxxxxxxxxxxx
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>
>>
> Hello,
>
> You say traffic on port 80 is redirected. How?
> I do not see any DNAT rules.
> Also, if the destination address is changed by NAT, the packets get
> routed over the other interface.
> That is why you need to allow the traffic in the FORWARD chain.
> I do not see any of those in your rules above.
> If I understand it correctly and you have two external interfaces on the
> router, there are no rules for those either.
> And with two external interfaces your routing could come into account,
> but you did not provide any information about that.
>
> greets
>
> mart
>
>
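Two details in the `/var/log/messages` excerpt above are worth reading closely, because the rule set posted has no `ESTABLISHED,RELATED` accept and only lets a few hard-coded source ports back in. The first logged (and therefore rejected) packet is an ICMP `TYPE=3 CODE=4`, "fragmentation needed", from the router, carrying the headers of a 1500-byte DF packet the server itself had sent towards `public_ip_1` and advertising `MTU=1492`; rejecting that message breaks path MTU discovery for the flow it refers to. The next ones are SYN/ACK segments from `public_ip_2` to a high port, i.e. the answer to a connection the server opened. The following parser, an added example written for this archive page and not code from either participant, re-joins three of those wrapped log lines (constructed from the thread, with the poster's `mac_server`/`public_ip_*` placeholders kept), classifies each rejected packet, and reports when a stateful accept rule would have let it through. The `STATEFUL_ACCEPT` rule it suggests is the standard `-m state` accept, which has to sit above the trailing `LOG`/`REJECT` rules; whether that alone fixes schema [B] is something the thread does not settle.

```python
import re

# Constructed sample: three INPUT_ lines from the thread, each re-joined into
# one line (the mail client had wrapped them).  MAC and public IPs are the
# placeholders the original poster used.
SAMPLE_LOG = """\
Dec 17 12:32:24 servidor kernel: [1120947.846431] INPUT_IN=eth0 OUT= MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=31428 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.1.2 DST=public_ip_1 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=16093 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492
Dec 17 12:32:54 servidor kernel: [1120979.925513] INPUT_IN=eth0 OUT= MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 WINDOW=5792 RES=0x00 ACK SYN URGP=0
Dec 17 12:33:45 servidor kernel: [1121033.566738] INPUT_IN=eth0 OUT= MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=31434 PROTO=ICMP TYPE=0 CODE=0 ID=33569 SEQ=1
"""

# Standard stateful accept (assumed fix, not something the thread's participants
# wrote).  It must be placed above the final LOG/REJECT rules of the INPUT chain.
STATEFUL_ACCEPT = "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"

# Syslog header that netfilter LOG lines share: "Mon DD hh:mm:ss host kernel: [uptime] ..."
_HEADER = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) kernel: \[[\d.]+\] (?P<rest>.*)$")

# Categories that mean "this packet belonged to traffic this host started".
_REPLY_CATEGORIES = ("pmtud-blackhole", "echo-reply", "syn-ack-reply")


def _fields(text):
    """Turn 'K=V K=V FLAG ...' into a dict; bare tokens (DF, SYN, ACK) become
    True-valued flags.  The first occurrence of a key wins, so the IP header
    ID is not clobbered by the ICMP echo ID that follows it on echo lines."""
    out = {}
    for tok in text.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            out.setdefault(key, val)
        else:
            out.setdefault(tok, True)
    return out


def parse_line(line):
    """Parse one netfilter LOG line into a dict, or return None if it is not one.
    ICMP errors quote the offending packet's headers inside [...]; those are
    parsed separately and stored under 'inner'."""
    match = _HEADER.match(line.strip())
    if not match:
        return None
    rest = match.group("rest")
    # --log-prefix "INPUT_" has no trailing space, so the prefix is glued to IN=.
    pm = re.match(r"(?P<prefix>.*?)IN=", rest)
    prefix = pm.group("prefix") if pm else ""
    rest = rest[len(prefix):]
    inner = None
    im = re.search(r"\[(SRC=.*)\]", rest)  # greedy, so it spans the nested "[8 bytes]"
    if im:
        inner = _fields(im.group(1))
        rest = rest[:im.start()] + rest[im.end():]
    entry = _fields(rest)
    entry.update(ts=match.group("ts"), host=match.group("host"), prefix=prefix, inner=inner)
    return entry


def classify(entry):
    """Return (category, explanation) for a rejected packet."""
    proto = entry.get("PROTO")
    if proto == "ICMP" and entry.get("TYPE") == "3" and entry.get("CODE") == "4":
        inner = entry.get("inner") or {}
        return ("pmtud-blackhole",
                f"fragmentation-needed from {entry.get('SRC')} for our {inner.get('LEN')}-byte "
                f"DF packet to {inner.get('DST')}, MTU={entry.get('MTU')}; rejecting it stalls "
                "path MTU discovery for that flow")
    if proto == "ICMP" and entry.get("TYPE") == "0":
        return ("echo-reply", f"reply to our own ping from {entry.get('SRC')}")
    if proto == "TCP" and "SYN" in entry and "ACK" in entry:
        return ("syn-ack-reply",
                f"SYN/ACK from {entry.get('SRC')}:{entry.get('SPT')} to our port "
                f"{entry.get('DPT')}, i.e. the answer to a connection we opened")
    return ("other", f"{proto} packet from {entry.get('SRC')}")


def analyze(log_text):
    """Return a (timestamp, category, explanation) tuple per LOG line in the text."""
    results = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            results.append((entry["ts"],) + classify(entry))
    return results


def needs_stateful_rule(results):
    """True when at least one rejected packet was a reply to traffic this host started."""
    return any(cat in _REPLY_CATEGORIES for _, cat, _ in results)


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for ts, cat, why in found:
        print(f"{ts}  {cat:<16} {why}")
    if needs_stateful_rule(found):
        print("\nno stateful accept in INPUT; add above the LOG/REJECT rules:\n  " + STATEFUL_ACCEPT)
```

Run it against a copy of the real log (after undoing the mail wrapping) and every `INPUT_` line that lands in `pmtud-blackhole` or `syn-ack-reply` is a packet the `--sport 80/53/23` rules were never going to match; a stateful rule replaces those source-port allowances entirely.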