I have a server, which has a proxy server running on the xx.xxx.xxx.198
address
and 2 openvpns (1 tcp, 1 udp), which are meant to be running on the
xx.xxx.xxx.199 address. However, on checking wan IPs from the clients while
connected to the VPN, one of them shows up on the 198 address instead.
Is there anything obvious in the iptables script below that shows a bug in
the routing
# Generated by iptables-save v1.3.5 on Sun Dec 26 15:45:31 2010
*filter
:INPUT DROP [21:1092]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [15:780]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 5555 -m state --state
NEW -j ACCEPT
-A INPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 1194 -m state --state
NEW -j ACCEPT
-A INPUT -d xx.xxx.xxx.199 -p udp -m udp --dport 1194 -m state --state
NEW -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i tap+ -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8002 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9001 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport
8080 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport
1935 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 80 -j
ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 443 -j
ACCEPT
-A INPUT -d xx.xxx.xxx.199 -p tcp -m state --state NEW -m tcp --dport 443 -j
ACCEPT
-A INPUT -p icmp -m limit --limit 1/sec --limit-burst 1 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p icmp -m icmp --icmp-type 8 -m state --state
NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tap+ -j ACCEPT
-A OUTPUT -s xx.xxx.xxx.199 -p tcp -m tcp --dport 1194 -m state --state
NEW -j ACCEPT
-A OUTPUT -s xx.xxx.xxx.199 -p udp -m udp --dport 1194 -m state --state
NEW -j ACCEPT
-A OUTPUT -s xx.xxx.xxx.199 -p tcp -m tcp --dport 443 -m state --state
NEW -j ACCEPT
-A OUTPUT -s xx.xxx.xxx.198 -p icmp -m icmp --icmp-type 0 -m state --state
RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sun Dec 26 15:45:31 2010
# Generated by iptables-save v1.3.5 on Sun Dec 26 15:45:31 2010
*nat
:PREROUTING ACCEPT [17:2842]
:POSTROUTING ACCEPT [5:321]
:OUTPUT ACCEPT [5:321]
-A PREROUTING -d xx.xxx.xxx.199 -p tcp -m tcp --dport 443 -j
DNAT --to-destination xx.xxx.xxx.199:1194
-A POSTROUTING -s 172.16.0.0/255.255.255.0 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j SNAT --to-source
xx.xxx.xxx.199
-A POSTROUTING -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j
TCPMSS --set-mss 1460
-A POSTROUTING -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j
TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sun Dec 26 15:45:31 2010
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html