Re: raw table and NOTRACK target

On Fri, 26/06/2009 at 16:09 +0300, Ramunas Vabolis wrote:
> Hello again, 
> 
> > If I've got it right you are trying to do DNAT. The problem was that
> > nothing was being tracked by conntrack; this is what you've
> > already fixed.
> Yes, I'm trying to do some DNAT, but I still have a long way to go.
>  
> > Next, as you've told in a further message, nothing blocks that traffic in -t
> > filter; that's good.
> > 
> > Next, show us the actual DNAT rules and check that the counters increase as
> > you try to connect.
> > 
> > You can also check whether the connection is actually being tracked by
> > analyzing the output of "conntrack -L" or "conntrack -E".
> 
> The problem is that I'm stuck at step 1: excluding items from
> NOTRACK. As soon as I add rules with RETURN in the raw table, packets are
> dropped somewhere. To reproduce:
> 
> I've got a host, which connects with lynx to any website.
> 
> In the router there are no DROP rules in FORWARD and a single line in the raw table:
> /sbin/iptables -t raw -A PREROUTING -j NOTRACK
> 
> Host connects to any remote host port 80.
> 
> As soon as I add two lines with -j RETURN in the raw table (so the entries
> are tracked) I experience the same effect as if I'd added -j DROP:
> 
> /sbin/iptables -t raw -I PREROUTING -p tcp -s host.ip --dport 80 -j RETURN
> /sbin/iptables -t raw -I PREROUTING -p tcp -d host.ip --sport 80 -j RETURN
> 
> are acting as if I'd made these rules:
> 
> /sbin/iptables -t raw -I PREROUTING -p tcp -s host.ip --dport 80 -j DROP
> /sbin/iptables -t raw -I PREROUTING -p tcp -d host.ip --sport 80 -j DROP
> 
> I've tried replacing RETURN with ACCEPT, with the same results. As soon as I
> remove those 2 rules, host.ip can connect to the remote port 80.

Is host.ip the host from which you are trying to run lynx?

This is strange behaviour, but it seems that the problems occur when you are
trying to use conntrack. Maybe the conntrack modules are not loaded, or some
rules in -t nat are acting like this. Does the nat table have rules? Can
you show it (iptables-save -t nat)? Show the output of "lsmod | grep conn".

-- 
Покотиленко Костик <casper@xxxxxxxxxxxx>
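The diagnostic suggested in this reply (find out which flows the raw table hands to conntrack, then look at what the nat table does to those flows) can be done offline against `iptables-save` output. The script below is an added example, not code from either poster or from the netfilter project. It parses a constructed `iptables-save` sample that mirrors the rules in the thread (host.ip replaced by the documentation address 192.0.2.10, plus a constructed DNAT rule in the nat table, since the original asks whether that table has rules), walks raw PREROUTING top to bottom for a given flow, and reports whether the flow is tracked and which nat PREROUTING rules would then apply. It handles only -s/-d/-p/--sport/--dport matches; negation (`!`) and port ranges are not supported.

```python
"""Audit which flows an iptables raw ruleset hands to conntrack.

Added example (not from the thread). Walks raw/PREROUTING in order for a flow:
RETURN or ACCEPT ends the chain before any NOTRACK, so the flow is tracked;
NOTRACK bypasses conntrack. Tracked flows then traverse nat/PREROUTING, so the
nat rules matching them are reported too, which is what the reply asks to check.
"""
import ipaddress
import shlex

# Constructed sample. Both exception rules were added with -I, so the last one
# inserted sits first and both are above the blanket NOTRACK rule. The nat
# DNAT rule is constructed purely to show what becomes reachable once a flow
# is tracked; the thread does not show the real nat table.
SAMPLE_SAVE = """\
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 192.0.2.10/32 -p tcp -m tcp --sport 80 -j RETURN
-A PREROUTING -s 192.0.2.10/32 -p tcp -m tcp --dport 80 -j RETURN
-A PREROUTING -j NOTRACK
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.5:3128
COMMIT
"""

# Constructed flows: the lynx connection from host.ip to a web server, and an
# unrelated HTTPS connection from the same host.
WEB_FLOW = {"src": "192.0.2.10", "dst": "198.51.100.7", "proto": "tcp",
            "sport": 40000, "dport": 80}
OTHER_FLOW = dict(WEB_FLOW, dport=443)


def parse_tables(save_text):
    """Return {table: {chain: [rule_tokens, ...]}} from iptables-save text."""
    tables, table = {}, None
    for line in save_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):            # *raw, *nat, ...
            table = line[1:]
            tables[table] = {}
        elif line.startswith(":"):          # :CHAIN POLICY [pkts:bytes]
            tables[table][line[1:].split()[0]] = []
        elif line.startswith("-A "):        # -A CHAIN <matches> -j TARGET
            toks = shlex.split(line)
            tables[table].setdefault(toks[1], []).append(toks)
    return tables


def _opts(toks):
    """Map each option of a rule to its value (bare flags map to True)."""
    opts, i = {}, 2                         # skip "-A CHAIN"
    while i < len(toks):
        if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            opts[toks[i]] = toks[i + 1]
            i += 2
        else:
            opts[toks[i]] = True
            i += 1
    return opts


def _ip_match(spec, addr):
    return spec is None or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(toks, flow):
    """True if the rule's -s/-d/-p/--sport/--dport matches select this flow."""
    o = _opts(toks)
    if not _ip_match(o.get("-s"), flow["src"]) or not _ip_match(o.get("-d"), flow["dst"]):
        return False
    if "-p" in o and o["-p"] != flow["proto"]:
        return False
    return all(opt not in o or int(o[opt]) == flow[key]
               for opt, key in (("--sport", "sport"), ("--dport", "dport")))


def conntrack_decision(tables, flow, chain="PREROUTING"):
    """Walk raw/<chain> top to bottom; return (tracked, reason)."""
    for n, toks in enumerate(tables.get("raw", {}).get(chain, []), 1):
        if not rule_matches(toks, flow):
            continue
        target = _opts(toks).get("-j")
        if target == "NOTRACK":
            return False, "raw rule %d (-j NOTRACK) bypasses conntrack" % n
        if target in ("RETURN", "ACCEPT"):
            return True, "raw rule %d (-j %s) ends the chain before NOTRACK; flow is tracked" % (n, target)
        if target == "DROP":
            return False, "raw rule %d drops the packet" % n
    return True, "no raw rule matched; chain policy applies and the flow is tracked"


def nat_targets(tables, flow, chain="PREROUTING"):
    """Targets of nat/<chain> rules that match the flow, in rule order."""
    return [_opts(t).get("-j") for t in tables.get("nat", {}).get(chain, [])
            if rule_matches(t, flow)]


def audit_flow(tables, flow):
    """Combine both checks; untracked flows never reach the nat table."""
    tracked, why = conntrack_decision(tables, flow)
    return {"tracked": tracked, "why": why,
            "nat_targets": nat_targets(tables, flow) if tracked else []}


if __name__ == "__main__":
    tables = parse_tables(SAMPLE_SAVE)
    for flow in (WEB_FLOW, OTHER_FLOW):
        print("dport %d: %s" % (flow["dport"], audit_flow(tables, flow)))
```

Run against real output (`iptables-save | python3 audit.py` after swapping `SAMPLE_SAVE` for `sys.stdin.read()`), the port-80 flow from host.ip shows up as tracked and any nat PREROUTING rule that now applies to it is listed, while other flows are reported as bypassing conntrack; that is the difference the RETURN rules introduce, and the nat hits are the first thing to compare against the "dropped somewhere" symptom.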

