I didn't get any help, so maybe I should ask someone for a simple NAT configuration for iptables v1.4.10?

best regards

On Wed, Oct 19, 2011 at 6:29 PM, Pawel Karpowicz <mafeuser@xxxxxxxxx> wrote:
> Hello Marek.
>
>> sudo iptables-save
> # Generated by iptables-save v1.4.10 on Wed Oct 19 17:38:46 2011
> *nat
> :PREROUTING ACCEPT [13:2491]
> :INPUT ACCEPT [9:1123]
> :OUTPUT ACCEPT [165:10279]
> :POSTROUTING ACCEPT [12:856]
> -A POSTROUTING -o eth0 -j MASQUERADE
> COMMIT
> # Completed on Wed Oct 19 17:38:46 2011
> # Generated by iptables-save v1.4.10 on Wed Oct 19 17:38:46 2011
> *filter
> :INPUT ACCEPT [6527:2777093]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [4648:340419]
> -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth1 -o eth0 -j ACCEPT
> COMMIT
> # Completed on Wed Oct 19 17:38:46 2011
>
>> ... and describe your test scenario (interfaces, hosts).
>
> My Ubuntu box plays the role of a simple router. It has 2 interfaces,
> eth0 (public) and eth1 (private):
>
> eth0      Link encap:Ethernet  HWaddr 00:18:8b:04:8a:13
>           inet addr:89.73.128.70  Bcast:255.255.255.255  Mask:255.255.252.0
>           UP BROADCAST RUNNING MULTICAST  MTU:576  Metric:1
>           RX packets:8535 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:4873 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:3044029 (3.0 MB)  TX bytes:448928 (448.9 KB)
>           Interrupt:16
>
> eth1      Link encap:Ethernet  HWaddr 00:02:b3:8c:dc:e7
>           inet addr:192.168.10.1  Bcast:192.168.10.255  Mask:255.255.255.0
>           UP BROADCAST MULTICAST  MTU:1500  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>
> Behind the NAT there is one machine.
>
> My test traffic is the following command:
> $ wget http://www.bmw.com/index.html
> a) issued first from the router Ubuntu box - works fine.
> b) issued from the machine behind the firewall -
> I use wireshark/tcpdump to listen to the traffic on the public (eth0) interface.
>
> Problem:
> wget from a) works fine
> wget from b) does not work - packets starting from the server response are
> not noticed by tcpdump/wireshark. It looks like wget tries to re-init the
> retrieval.
>
> prompt# date; tcpdump -n -s 1500 -i eth0 tcp port 80; date
>
> Wed Oct 19 18:17:50 CEST 2011
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
> 18:17:53.946254 IP 89.73.128.70.51172 > 92.122.50.33.80: Flags [S], seq 2077949812, win 5840, options [mss 1460,sackOK,TS val 101837 ecr 0,nop,wscale 6], length 0
> 18:17:53.982730 IP 92.122.50.33.80 > 89.73.128.70.51172: Flags [S.], seq 1195734941, ack 2077949813, win 5792, options [mss 1460,sackOK,TS val 2525069182 ecr 101837,nop,wscale 5], length 0
> 18:17:53.982916 IP 89.73.128.70.51172 > 92.122.50.33.80: Flags [.], ack 1, win 92, options [nop,nop,TS val 101847 ecr 2525069182], length 0
> 18:17:53.983035 IP 89.73.128.70.51172 > 92.122.50.33.80: Flags [P.], seq 1:120, ack 1, win 92, options [nop,nop,TS val 101847 ecr 2525069182], length 119
> 18:17:54.018370 IP 92.122.50.33.80 > 89.73.128.70.51172: Flags [.], ack 120, win 181, options [nop,nop,TS val 2525069217 ecr 101847], length 0
> 18:19:35.590503 IP 89.73.128.70.41039 > 74.125.79.101.80: Flags [S], seq 1640370690, win 5360, options [mss 536,sackOK,TS val 639285 ecr 0,nop,wscale 4], length 0
> 18:19:35.643811 IP 74.125.79.101.80 > 89.73.128.70.41039: Flags [S.], seq 2165280073, ack 1640370691, win 5672, options [mss 1430,sackOK,TS val 1751780339 ecr 639285,nop,wscale 6], length 0
> 18:19:35.643879 IP 89.73.128.70.41039 > 74.125.79.101.80: Flags [.], ack 1, win 335, options [nop,nop,TS val 639298 ecr 1751780339], length 0
> 18:19:35.644320 IP 89.73.128.70.41039 > 74.125.79.101.80: Flags [P.], seq 1:503, ack 1, win 335, options [nop,nop,TS val 639298 ecr 1751780339], length 502
> 18:19:35.699378 IP 74.125.79.101.80 > 89.73.128.70.41039: Flags [.], ack 503, win 105, options [nop,nop,TS val 1751780395 ecr 639298], length 0
> 18:19:35.706906 IP 74.125.79.101.80 > 89.73.128.70.41039: Flags [.], seq 1:525, ack 503, win 105, options [nop,nop,TS val 1751780402 ecr 639298], length 524
> 18:19:35.706944 IP 89.73.128.70.41039 > 74.125.79.101.80: Flags [.], ack 525, win 401, options [nop,nop,TS val 639314 ecr 1751780402], length 0
> 18:19:35.706960 IP 74.125.79.101.80 > 89.73.128.70.41039: Flags [P.], seq 525:587, ack 503, win 105, options [nop,nop,TS val 1751780402 ecr 639298], length 62
> 18:19:35.706983 IP 89.73.128.70.41039 > 74.125.79.101.80: Flags [.], ack 587, win 401, options [nop,nop,TS val 639314 ecr 1751780402], length 0
> 18:19:35.771173 IP 89.73.128.70.41428 > 74.208.145.163.80: Flags [S], seq 287381426, win 5360, options [mss 536,sackOK,TS val 639330 ecr 0,nop,wscale 4], length 0
> 18:19:35.924358 IP 74.208.145.163.80 > 89.73.128.70.41428: Flags [S.], seq 1848400106, ack 287381427, win 5792, options [mss 1460,sackOK,TS val 2257618069 ecr 639330,nop,wscale 9], length 0
> 18:19:35.924434 IP 89.73.128.70.41428 > 74.208.145.163.80: Flags [.], ack 1, win 335, options [nop,nop,TS val 639368 ecr 2257618069], length 0
> 18:19:35.924761 IP 89.73.128.70.41428 > 74.208.145.163.80: Flags [P.], seq 1:441, ack 1, win 335, options [nop,nop,TS val 639368 ecr 2257618069], length 440
> 18:19:36.079514 IP 74.208.145.163.80 > 89.73.128.70.41428: Flags [.], ack 441, win 14, options [nop,nop,TS val 2257618108 ecr 639368], length 0
> 18:19:36.080648 IP 74.208.145.163.80 > 89.73.128.70.41428: Flags [P.], seq 1:462, ack 441, win 14, options [nop,nop,TS val 2257618108 ecr 639368], length 461
> 18:19:36.080680 IP 89.73.128.70.41428 > 74.208.145.163.80: Flags [.], ack 462, win 401, options [nop,nop,TS val 639407 ecr 2257618108], length 0
> 18:19:36.080708 IP 74.208.145.163.80 > 89.73.128.70.41428: Flags [P.], seq 462:695, ack 441, win 14, options [nop,nop,TS val 2257618108 ecr 639368], length 233
> 18:19:36.080729 IP 89.73.128.70.41428 > 74.208.145.163.80: Flags [.], ack 695, win 466, options [nop,nop,TS val 639407 ecr 2257618108], length 0
> 18:19:50.825213 IP 74.208.145.163.80 > 89.73.128.70.41428: Flags [F.], seq 695, ack 441, win 14, options [nop,nop,TS val 2257621795 ecr 639407], length 0
> 18:19:50.861633 IP 89.73.128.70.41428 > 74.208.145.163.80: Flags [.], ack 696, win 466, options [nop,nop,TS val 643103 ecr 2257621795], length 0
> 18:19:55.536728 IP 89.73.128.70.41428 > 74.208.145.163.80: Flags [F.], seq 441, ack 696, win 466, options [nop,nop,TS val 644271 ecr 2257621795], length 0
> 18:19:55.692496 IP 74.208.145.163.80 > 89.73.128.70.41428: Flags [.], ack 442, win 14, options [nop,nop,TS val 2257623011 ecr 644271], length 0
> 18:20:20.705622 IP 89.73.128.70.41039 > 74.125.79.101.80: Flags [.], ack 587, win 401, options [nop,nop,TS val 650564 ecr 1751780402], length 0
> 18:20:20.772481 IP 74.125.79.101.80 > 89.73.128.70.41039: Flags [.], ack 503, win 105, options [nop,nop,TS val 1751825467 ecr 639314], length 0
> 18:21:05.769622 IP 89.73.128.70.41039 > 74.125.79.101.80: Flags [.], ack 587, win 401, options [nop,nop,TS val 661830 ecr 1751825467], length 0
> 18:21:05.818528 IP 74.125.79.101.80 > 89.73.128.70.41039: Flags [.], ack 503, win 105, options [nop,nop,TS val 1751870511 ecr 639314], length 0
> 18:21:50.817628 IP 89.73.128.70.41039 > 74.125.79.101.80: Flags [.], ack 587, win 401, options [nop,nop,TS val 673092 ecr 1751870511], length 0
> 18:21:50.871390 IP 74.125.79.101.80 > 89.73.128.70.41039: Flags [.], ack 503, win 105, options [nop,nop,TS val 1751915564 ecr 639314], length 0
> ^C
> 33 packets captured
> 33 packets received by filter
> 0 packets dropped by kernel
> Wed Oct 19 18:21:56 CEST 2011
>
> best regards,
> Pawel
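Added example, not part of the thread or Pawel's own tooling: a small Python flow summarizer for tcpdump lines in the format quoted above, run here on eight of the quoted packets rejoined onto single lines. It groups packets by the masqueraded source port, records the MSS each outbound SYN advertised, counts payload bytes per direction and lists flows that were answered but never received any payload; the local address is assumed to be the router's eth0 address from the message.

```python
import re
from collections import defaultdict

# One tcpdump line in the format quoted above (wrapped lines rejoined).
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:.*?mss (?P<mss>\d+))?.*?length (?P<len>\d+)$"
)

def parse_line(line):
    """Fields of one packet line, or None for tcpdump header/trailer lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    p = m.groupdict()
    p["len"] = int(p["len"])
    p["mss"] = int(p["mss"]) if p["mss"] else None
    return p

def summarize(lines, local_ip):
    """Group packets by (local port, remote ip, remote port); count payload per direction."""
    flows = defaultdict(lambda: {"handshake": False, "mss": None, "out_bytes": 0, "in_bytes": 0})
    for p in filter(None, map(parse_line, lines)):
        outbound = p["src"] == local_ip
        key = (p["sport"], p["dst"], p["dport"]) if outbound else (p["dport"], p["src"], p["sport"])
        f = flows[key]
        if p["flags"] == "S" and outbound:          # our SYN: remember the advertised MSS
            f["mss"] = p["mss"]
        elif p["flags"] == "S." and not outbound:   # peer's SYN-ACK: handshake answered
            f["handshake"] = True
        f["out_bytes" if outbound else "in_bytes"] += p["len"]
    return dict(flows)

def stalled_flows(flows):
    """Flows that were answered and carried a request but never got payload back."""
    return sorted(k for k, f in flows.items()
                  if f["handshake"] and f["out_bytes"] > 0 and f["in_bytes"] == 0)

# Constructed sample: eight of the quoted packets, each rejoined onto one line.
CAPTURE = """\
18:17:53.946254 IP 89.73.128.70.51172 > 92.122.50.33.80: Flags [S], seq 2077949812, win 5840, options [mss 1460,sackOK,TS val 101837 ecr 0,nop,wscale 6], length 0
18:17:53.982730 IP 92.122.50.33.80 > 89.73.128.70.51172: Flags [S.], seq 1195734941, ack 2077949813, win 5792, options [mss 1460,sackOK,TS val 2525069182 ecr 101837,nop,wscale 5], length 0
18:17:53.983035 IP 89.73.128.70.51172 > 92.122.50.33.80: Flags [P.], seq 1:120, ack 1, win 92, options [nop,nop,TS val 101847 ecr 2525069182], length 119
18:17:54.018370 IP 92.122.50.33.80 > 89.73.128.70.51172: Flags [.], ack 120, win 181, options [nop,nop,TS val 2525069217 ecr 101847], length 0
18:19:35.590503 IP 89.73.128.70.41039 > 74.125.79.101.80: Flags [S], seq 1640370690, win 5360, options [mss 536,sackOK,TS val 639285 ecr 0,nop,wscale 4], length 0
18:19:35.643811 IP 74.125.79.101.80 > 89.73.128.70.41039: Flags [S.], seq 2165280073, ack 1640370691, win 5672, options [mss 1430,sackOK,TS val 1751780339 ecr 639285,nop,wscale 6], length 0
18:19:35.644320 IP 89.73.128.70.41039 > 74.125.79.101.80: Flags [P.], seq 1:503, ack 1, win 335, options [nop,nop,TS val 639298 ecr 1751780339], length 502
18:19:35.706906 IP 74.125.79.101.80 > 89.73.128.70.41039: Flags [.], seq 1:525, ack 503, win 105, options [nop,nop,TS val 1751780402 ecr 639298], length 524
"""
```

On this sample, `summarize(CAPTURE.splitlines(), "89.73.128.70")` shows the 51172 flow (MSS 1460) sending its 119-byte request and getting only an ACK back, while the 41039 flow (MSS 536) receives 524 bytes; the message also shows eth0 with MTU 576, which is smaller than the 1460-byte MSS the stalled flow advertised.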