Re: Where to add own rules in /etc/sysconfig/iptables

On 31 Oct 2002 14:42:28 -0600, Alejandro González Hernández - Imoq
wrote:

> (Sorry for the long message, but the whole thread is important without
> erasing messages)
>
> On Thu, 2002-10-31 at 12:33, Michael Schwendt wrote:
> 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > On 31 Oct 2002 11:35:09 -0600, Alejandro González Hernández - Imoq
> > wrote:
> > 
> > > > You cannot try it from inside your network. Try it from an
> > > > external host with e.g. "wget YOUR_EXT_IP".
> > > > 
> > > > For debugging, add this rule on your Linux router
> > > > 
> > > >   iptables -I FORWARD -p tcp --dport 80 -j LOG
> > > 
> > > It's starting to show something!
> > > 
> > > When I try from an EXTERNAL host (with telnet my.real.ip 80),
> > > telnet still hangs at "Trying..." and times out after a few minutes.
> > > 
> > > With LOG directive, /var/log/messages shows me that:
> > > 
> > > Oct 31 11:31:06 imoqland kernel: IN=eth0 OUT=eth1
> > > SRC=200.33.79.237 DST=192.168.105.220 LEN=60 TOS=0x10 PREC=0x00
> > > TTL=63 ID=19142 DF PROTO=TCP SPT=33987 DPT=80 WINDOW=5840 RES=0x00
> > > SYN URGP=0
> > > 
> > > Which means that it is TRYING (?) to do something, but even then
> > > it isn't able to make the connection.
> > > 
> > > Just to make sure, if I (from Linux router) do a 
> > > 
> > > [root@imoqland root]# telnet 192.168.105.220 80
> > > Trying 192.168.105.220...
> > > Connected to 192.168.105.220.
> > > Escape character is '^]'.
> > > 
> > > it answers immediately.
> > > 
> > > I can't add a LOG rule in the web server, since it's running IIS
> > > and not apache (that's one of the reasons to have the webserver in
> > > the internal network and not exposed to the world).
> > > 
> > > I'm getting there with your help, do you have any means to decipher
> > > the log message above?
> > 
> > Yes, it's a TCP connection request (packet with SYN flag set) coming
> > in via interface eth0, leaving via interface eth1, having a source
> > IP addr of 200.33.79.237 and a destination addr of 192.168.105.220
> > and port http, which means port redirection (the DNAT rule) is
> > working fine on your Linux box. If your set of rules has not
> > changed, that means the default policy for the FORWARD chain is
> > still ACCEPT, the packet is forwarded to host 192.168.105.220. Is
> > your routing complete? Do you have a default gateway configured on
> > the Microsoft machine so it can answer to traffic from
> > 200.33.79.237?
> 
> This is getting even more interesting. My stupid logic told me that,
> if I had traffic forward configured in my box, the windowze box would
> see it like if it were coming from my private network interface, like
> this:
> 
> 
> REAL WORLD             MY COMPUTER               WINDOWZE BOX
> 
> 200.33.79.237   ->     200.33.79.250
>                             |
>                             v
>                        192.168.1.169      ->      192.168.105.220
> 
> So, the windowze box would see the traffic coming from "192.168.1.169"
> and then answer it, since I can access port 80 from 192.168.1.169 to
> 192.168.105.220
> 
> Isn't this right? Is there a way to achieve this with iptables?

No. It sees the traffic coming from 200.33.79.237, because that is
the source address of the packets. DNAT changes just the destination
address. Hence the name Destination Network Address Translation. If
your router changed the source address from 200.33.79.237 to
192.168.1.169, the Windows box could not reply to the actual source
host, which is 200.33.79.237.

> I feel that I'm getting there, thanks to Michael Schwendt :)
> 
> > You could try more logging and see whether you get any reply packets
> > from your Windoze box when accessing it from the outside:
> > 
> >   iptables -I FORWARD -i eth1 -p tcp -s 192.168.105.220 -j LOG
> 
> That command didn't seem to really affect anything else in the logs,
> but I'll copy/paste them here, just in case:
> 
> Oct 31 14:38:25 imoqland kernel: IN=eth0 OUT=eth1 SRC=200.33.79.237
> DST=192.168.105.220 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=37782 DF
> PROTO=TCP SPT=36841 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
> Oct 31 14:38:28 imoqland kernel: IN=eth0 OUT=eth1 SRC=200.33.79.237
> DST=192.168.105.220 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=37783 DF
> PROTO=TCP SPT=36841 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
> Oct 31 14:38:34 imoqland kernel: IN=eth0 OUT=eth1 SRC=200.33.79.237
> DST=192.168.105.220 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=37784 DF
> PROTO=TCP SPT=36841 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
> Oct 31 14:38:46 imoqland kernel: IN=eth0 OUT=eth1 SRC=200.33.79.237
> DST=192.168.105.220 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=37785 DF
> PROTO=TCP SPT=36841 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
> Oct 31 14:39:10 imoqland kernel: IN=eth0 OUT=eth1 SRC=200.33.79.237
> DST=192.168.105.220 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=37786 DF
> PROTO=TCP SPT=36841 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
> Oct 31 14:39:58 imoqland kernel: IN=eth0 OUT=eth1 SRC=200.33.79.237
> DST=192.168.105.220 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=37787 DF
> PROTO=TCP SPT=36841 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
> 
> *sigh* that's Chinese to me :P

These are not created by the new logging rule. Since nothing seems
to come back from your Windows box, it smells even more like your
Windows box cannot access the Internet, i.e. it doesn't have a route
via your router into the Internet (= usually the default route). Can
you check that? Do you have a Gateway configured on your Windows
box?

-- 
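As an added example (not from the thread or its participants): a small Python script that parses netfilter LOG lines of the shape quoted above, groups the forwarded SYNs by flow, and reports any flow for which nothing ever came back in on the LAN-side interface, which is the check Michael is doing by eye in this message. The log lines are constructed for the demo (the first three copy the thread's layout, the last two show what a healthy exchange looks like); the interface name eth1 comes from the thread.

```python
import re
from collections import defaultdict

# Constructed sample in netfilter LOG format. The first three lines mirror the
# thread (only SYNs going out to the internal host); the last two are a made-up
# healthy flow where the internal host answers with a SYN/ACK.
SAMPLE_LOG = """\
Oct 31 14:38:25 imoqland kernel: IN=eth0 OUT=eth1 SRC=200.33.79.237 DST=192.168.105.220 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=37782 DF PROTO=TCP SPT=36841 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 31 14:38:28 imoqland kernel: IN=eth0 OUT=eth1 SRC=200.33.79.237 DST=192.168.105.220 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=37783 DF PROTO=TCP SPT=36841 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 31 14:38:34 imoqland kernel: IN=eth0 OUT=eth1 SRC=200.33.79.237 DST=192.168.105.220 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=37784 DF PROTO=TCP SPT=36841 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 31 14:40:02 imoqland kernel: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.168.105.220 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=100 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 31 14:40:02 imoqland kernel: IN=eth1 OUT=eth0 SRC=192.168.105.220 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=101 DF PROTO=TCP SPT=80 DPT=40000 WINDOW=8192 RES=0x00 ACK SYN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_log_line(line):
    """Return the KEY=VALUE fields of one LOG line plus a set of TCP flags."""
    if "kernel:" not in line:
        return None
    body = line.split("kernel:", 1)[1]
    rec = dict(FIELD_RE.findall(body))
    rec["flags"] = {tok for tok in body.split() if tok in TCP_FLAGS}
    return rec


def find_unanswered_dnat_flows(log_text, lan_if="eth1"):
    """Count SYNs forwarded out of lan_if per (client, port, server, port) and
    keep only the flows for which the server never sent anything back in on
    lan_if. SRC stays the external client address here because DNAT rewrites
    only the destination, so the server must route its reply via the router."""
    syns = defaultdict(int)
    answered = set()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if not rec or rec.get("PROTO") != "TCP":
            continue
        if rec.get("OUT") == lan_if and rec["flags"] == {"SYN"}:
            syns[(rec["SRC"], rec["SPT"], rec["DST"], rec["DPT"])] += 1
        elif rec.get("IN") == lan_if:
            # reply direction: swap src/dst so it keys like the forward SYN
            answered.add((rec["DST"], rec["DPT"], rec["SRC"], rec["SPT"]))
    return {flow: n for flow, n in syns.items() if flow not in answered}


def summarize(unanswered):
    """One diagnostic line per silent flow, pointing at the server's routing."""
    return [f"{src}:{spt} -> {dst}:{dpt}: {n} SYN(s) forwarded, no reply from "
            f"{dst}; check {dst}'s default gateway"
            for (src, spt, dst, dpt), n in unanswered.items()]


if __name__ == "__main__":
    for msg in summarize(find_unanswered_dnat_flows(SAMPLE_LOG)):
        print(msg)
```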



-- 
Psyche-list mailing list
Psyche-list@redhat.com
https://listman.redhat.com/mailman/listinfo/psyche-list
