On 31 Oct 2002 11:35:09 -0600, Alejandro González Hernández - Imoq wrote:

> > You cannot try it from inside your network. Try it from an external
> > host with e.g. "wget YOUR_EXT_IP".
> >
> > For debugging, add this rule on your Linux router
> >
> > iptables -I FORWARD -p tcp --dport 80 -j LOG
>
> It's starting to show something!
>
> When I try from an EXTERNAL host (with telnet my.real.ip 80), telnet
> still hangs in "Trying..." and times out after a few minutes.
>
> With the LOG directive, /var/log/messages shows me this:
>
> Oct 31 11:31:06 imoqland kernel: IN=eth0 OUT=eth1 SRC=200.33.79.237
> DST=192.168.105.220 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=19142 DF
> PROTO=TCP SPT=33987 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
>
> Which means that it is TRYING (?) to do something, but even then isn't
> able to make the connection.
>
> Just to make sure, if I (from the Linux router) do a
>
> [root@imoqland root]# telnet 192.168.105.220 80
> Trying 192.168.105.220...
> Connected to 192.168.105.220.
> Escape character is '^]'.
>
> it answers immediately.
>
> I can't add a LOG rule on the web server, since it's running IIS and
> not Apache (that's one of the reasons to have the webserver in the
> internal network and not exposed to the world).
>
> I'm getting there with your help; do you have any means to decipher the
> log message above?

Yes, it's a TCP connection request (packet with SYN flag set) coming in via interface eth0, leaving via interface eth1, having a source IP addr of 200.33.79.237 and a destination addr of 192.168.105.220 and port http, which means port redirection (the DNAT rule) is working fine on your Linux box. If your set of rules has not changed, that means the default policy for the FORWARD chain is still ACCEPT, and the packet is forwarded to host 192.168.105.220.

Is your routing complete? Do you have a default gateway configured on the Microsoft machine so it can answer to traffic from 200.33.79.237?
You could try more logging and see whether you get any reply packets from your Windoze box when accessing it from the outside:

iptables -I FORWARD -i eth1 -p tcp -s 192.168.105.220 -j LOG --log-prefix "FORWARD: "

--
Psyche-list mailing list
Psyche-list@redhat.com
https://listman.redhat.com/mailman/listinfo/psyche-list
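As an added example (not part of this thread), here is a small Python decoder for the kernel LOG lines quoted above, together with the reply check the last paragraph proposes. It splits a LOG line into its KEY=value and bare flag tokens, reads the entry the way the reply does (SYN in via eth0, out via eth1, to the DNAT target on port 80), and then pairs each inbound SYN to the server with a logged SYN/ACK coming back from it via the `-i eth1 -s 192.168.105.220` rule. Only the first sample line is the one from the post; the "FORWARD:" reply line and the second client 203.0.113.7 are constructed for the example.

```python
"""Decode iptables LOG lines and check whether a DNAT'ed web server answers."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# iptables LOG output mixes KEY=value tokens (SRC=..., DPT=...) with bare
# tokens: DF/MF for IP fragment bits and the TCP flags (printed by the kernel
# in the order URG ACK PSH RST SYN FIN, so a SYN/ACK shows up as "ACK SYN").
TOKEN_RE = re.compile(
    r"(?P<key>[A-Z]+)=(?P<val>\S*)"
    r"|(?P<flag>\b(?:DF|MF|URG|ACK|PSH|RST|SYN|FIN)\b)"
)

@dataclass
class LogEntry:
    prefix: str             # text given with --log-prefix, "" when none
    fields: Dict[str, str]  # IN, OUT, SRC, DST, PROTO, SPT, DPT, ...
    flags: List[str]        # e.g. ["DF", "SYN"]

def parse_log_line(line: str) -> Optional[LogEntry]:
    """Parse one kernel LOG line from /var/log/messages; None if it is not one."""
    m = re.search(r"kernel:\s*(?P<prefix>.*?)IN=", line)
    if m is None:
        return None
    prefix = m.group("prefix").strip()
    body = line[m.end("prefix"):]          # tokens start at "IN="
    fields: Dict[str, str] = {}
    flags: List[str] = []
    for tok in TOKEN_RE.finditer(body):
        if tok.group("key"):
            fields[tok.group("key")] = tok.group("val")
        else:
            flags.append(tok.group("flag"))
    return LogEntry(prefix, fields, flags)

def describe(entry: LogEntry) -> str:
    """One-line reading of the entry, the way the reply above reads it."""
    f = entry.fields
    if f.get("PROTO") == "TCP":
        if "SYN" in entry.flags and "ACK" not in entry.flags:
            kind = "TCP connection request (SYN)"
        elif "SYN" in entry.flags:
            kind = "TCP handshake reply (SYN/ACK)"
        elif "RST" in entry.flags:
            kind = "TCP reset"
        else:
            kind = "TCP segment"
    else:
        kind = f"{f.get('PROTO', '?')} packet"
    return (f"{kind} from {f.get('SRC')}:{f.get('SPT', '-')} to "
            f"{f.get('DST')}:{f.get('DPT', '-')}, in via {f.get('IN') or '-'}, "
            f"out via {f.get('OUT') or '-'}")

def handshake_status(lines, server_ip: str, port: str = "80"):
    """For each inbound SYN to server_ip:port, report whether the server's
    SYN/ACK back to that client was also logged (i.e. routing on the server
    side works). Keys are (client ip, client port) as strings."""
    entries = [e for e in map(parse_log_line, lines) if e is not None]
    requests, replies = [], set()
    for e in entries:
        f = e.fields
        if f.get("PROTO") != "TCP":
            continue
        inbound_syn = "SYN" in e.flags and "ACK" not in e.flags
        if f.get("DST") == server_ip and f.get("DPT") == port and inbound_syn:
            requests.append((f["SRC"], f["SPT"]))
        elif f.get("SRC") == server_ip and f.get("SPT") == port \
                and {"SYN", "ACK"} <= set(e.flags):
            replies.add((f["DST"], f["DPT"]))
    return {c: ("reply seen" if c in replies else "no reply seen") for c in requests}

# Sample input: line 0 is the one quoted in the post; lines 1 and 2 are
# constructed (a SYN/ACK logged by the "FORWARD: " rule, and a second client
# from the 203.0.113.0/24 documentation range that never gets an answer).
SAMPLE_LINES = [
    "Oct 31 11:31:06 imoqland kernel: IN=eth0 OUT=eth1 SRC=200.33.79.237 "
    "DST=192.168.105.220 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=19142 DF "
    "PROTO=TCP SPT=33987 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Oct 31 11:31:06 imoqland kernel: FORWARD: IN=eth1 OUT=eth0 SRC=192.168.105.220 "
    "DST=200.33.79.237 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4242 DF "
    "PROTO=TCP SPT=80 DPT=33987 WINDOW=16384 RES=0x00 ACK SYN URGP=0",
    "Oct 31 11:40:12 imoqland kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 "
    "DST=192.168.105.220 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=777 DF "
    "PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        entry = parse_log_line(line)
        if entry is not None:
            print(describe(entry))
    for client, status in handshake_status(SAMPLE_LINES, "192.168.105.220").items():
        print(f"{client[0]}:{client[1]} -> {status}")
```

Run against the real /var/log/messages (`handshake_status(open("/var/log/messages"), "192.168.105.220")`), a client that shows up as "no reply seen" after the second LOG rule is in place means the SYN reached the server but nothing came back through the router, which points at the server's routing (missing default gateway) or its own firewall rather than at the DNAT rule.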