Re: Rules PREROUTING doesn't work

Thanks for your answers.

The explanation of the rule is:

 $IPT -t nat -A PREROUTING -i $IF_EXT -d $TESTVPN -p udp --dport 5000:6000 -j DNAT --to-destination $IP_DMZ_SERVERVPN

Where:
IPT=/sbin/iptables
IF_EXT= external iface
TESTVPN= Public IP/255.255.255.0 ---> I have noticed this mask is
incorrect; this may be a cause of problems???
IP_DMZ_SERVERVPN

When I apply this rule I run iptables-save and I see the NAT table, and I
also see my rule with iptables -t nat -L, but the VPN clients are still
connected to the firewall on that public IP.

If I stop the OpenVPN server on the firewall, the VPN clients can ping the
public IP and still try to connect to the OpenVPN on the firewall. I can
see with tcpdump that the VPN clients never try to connect to the
OpenVPN server behind the firewall; the PREROUTING doesn't work.

Thanks for your assistance.
--
Angel

2010/3/17 Jan Engelhardt <jengelh@xxxxxxxxxx>:
> On Wednesday 2010-03-17 14:14, Robert Nichols wrote:
>> On 03/16/2010 10:27 PM, Angel Motta wrote:
>>> Hi List
>>> This is the first time that I write to this list. I have a problem case
>>> with PREROUTING rules.
>>> I am creating a PREROUTING rule for a range of ports which the
>>> OpenVPN clients request, and the problem is that when I apply this rule and
>>> only the NAT rules are running (PREROUTING and POSTROUTING; the output of
>>> #>  iptables -L is blank) the OpenVPN clients still connect to the
>>> firewall and not to the SERVERVPN; all requests are processed by the
>>> firewall.
>>>
>>> this is the rule:
>>> $IPT -t nat -A PREROUTING  -i $IF_EXT -d $TESTVPN -p udp --dport
>>> 5000:6000 -j DNAT --to-destination $IP_DMZ_SERVERVPN
>>
>> That listing command needs to be "iptables -t nat -L".  The default is
>> to display only the filter table, which doesn't include the above rule.
>
> The listing command should preferably be iptables-save so people get the
> whole picture, unabridged, and preferably, unobscured.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>



-- 
Atte
Angel Motta Paz
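An added diagnostic, not from anyone in this thread: it parses `iptables-save -c -t nat` output (a constructed sample below; the addresses, interface `eth0` and DMZ host are assumptions) and reports the things this thread asks about: whether the `-d` match was stored as a masked /24 network rather than the public IP host, whether `-i` names the external interface, and whether the rule's packet counter has ever moved.

```python
import re

# Constructed sample of `iptables-save -c -t nat` output (not from the thread).
# Note how iptables stores `-d 203.0.113.10/255.255.255.0`: the host bits are
# masked off, so the saved rule shows the network 203.0.113.0/24.
SAMPLE_SAVE = """\
*nat
:PREROUTING ACCEPT [1532:98120]
:POSTROUTING ACCEPT [840:61200]
:OUTPUT ACCEPT [0:0]
[0:0] -A PREROUTING -i eth0 -d 203.0.113.0/24 -p udp -m udp --dport 5000:6000 -j DNAT --to-destination 10.10.0.5
[57:4104] -A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

# `iptables-save -c` prefixes each rule with its [packets:bytes] counters.
RULE_RE = re.compile(r"^\[(\d+):(\d+)\] -A (\S+) (.*)$")


def parse_dnat_rules(save_output):
    """Yield (chain, packets, options) for every DNAT rule in the dump."""
    for line in save_output.splitlines():
        m = RULE_RE.match(line)
        if not m or "-j DNAT" not in line:
            continue
        pkts, _bytes, chain, rest = m.groups()
        toks = rest.split()
        # Map each flag to the token that follows it (every flag here takes one value).
        opts = {t: toks[i + 1] for i, t in enumerate(toks[:-1]) if t.startswith("-")}
        yield chain, int(pkts), opts


def check_dnat(save_output, public_ip, ext_if):
    """Return findings explaining why a nat/PREROUTING DNAT rule may not be applying."""
    findings = []
    seen = False
    for chain, pkts, opts in parse_dnat_rules(save_output):
        if chain != "PREROUTING":
            continue
        seen = True
        dest = opts.get("-d", "0.0.0.0/0")
        addr, _, plen = dest.partition("/")
        if plen not in ("", "32") or addr != public_ip:
            findings.append(f"-d {dest} is a masked network, not host {public_ip}/32")
        if opts.get("-i") != ext_if:
            findings.append(f"-i {opts.get('-i')} does not match the external interface {ext_if}")
        if pkts == 0:
            findings.append("packet counter is 0: no new flow has hit this rule yet")
    if not seen:
        findings.append("no DNAT rule in nat/PREROUTING (did you list with -t nat?)")
    return findings
```

Because NAT is decided on the first packet of a flow, a rule whose counter stays at 0 while clients keep reaching the firewall points at existing conntrack entries created before the rule was added, not at the rule syntax.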
