(Sorry for the long message, but the whole thread is important without erasing messages)

On Thu, 2002-10-31 at 12:33, Michael Schwendt wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 31 Oct 2002 11:35:09 -0600, Alejandro González Hernández - Imoq wrote:
>
> > > You cannot try it from inside your network. Try it from an external
> > > host with e.g. "wget YOUR_EXT_IP".
> > >
> > > For debugging, add this rule on your Linux router
> > >
> > > iptables -I FORWARD -p tcp --dport 80 -j LOG
> >
> > It's starting to show something!
> >
> > When I try from an EXTERNAL host (with telnet my.real.ip 80), telnet
> > still hangs in "Trying..." and times out after a few minutes.
> >
> > With the LOG directive, /var/log/messages shows me this:
> >
> > Oct 31 11:31:06 imoqland kernel: IN=eth0 OUT=eth1 SRC=200.33.79.237
> > DST=192.168.105.220 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=19142 DF
> > PROTO=TCP SPT=33987 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
> >
> > Which means that it is TRYING (?) to do something, but even then isn't
> > able to make the connection.
> >
> > Just to make sure, if I (from the Linux router) do a
> >
> > [root@imoqland root]# telnet 192.168.105.220 80
> > Trying 192.168.105.220...
> > Connected to 192.168.105.220.
> > Escape character is '^]'.
> >
> > it answers immediately.
> >
> > I can't add a LOG rule in the web server, since it's running IIS and
> > not Apache (that's one of the reasons to have the web server in the
> > internal network and not exposed to the world).
> >
> > I'm getting there with your help; do you have any means to decipher the
> > log message above?
>
> Yes, it's a TCP connection request (packet with SYN flag set) coming
> in via interface eth0, leaving via interface eth1, having a source
> IP addr of 200.33.79.237 and a destination addr of 192.168.105.220
> and port http, which means port redirection (the DNAT rule) is
> working fine on your Linux box. If your set of rules has not
> changed, that means the default policy for the FORWARD chain is
> still ACCEPT, the packet is forwarded to host 192.168.105.220. Is
> your routing complete? Do you have a default gateway configured on
> the Microsoft machine so it can answer to traffic from 200.33.79.237?

This is getting even more interesting. My stupid logic told me that, if I
had traffic forwarding configured in my box, the windowze box would see it
as if it were coming from my private network interface, like this:

    REAL WORLD            MY COMPUTER             WINDOWZE BOX
    200.33.79.237   ->    200.33.79.250
                             |
                             v
                          192.168.1.169   ->    192.168.105.220

So, the windowze box would see the traffic coming from "192.168.1.169" and
then answer it, since I can access port 80 from 192.168.1.169 to
192.168.105.220.

Isn't this right? Is there a way to achieve this with iptables?

I feel that I'm getting there, thanks to Michael Schwendt :)

> You could try more logging and see whether you get any reply packets
> from your Windoze box when accessing it from the outside:
>
> iptables -I FORWARD -i eth1 -p tcp -s 192.168.105.220

That command didn't seem to really affect anything else in the logs, but
I'll copy/paste them here, just in case:

Oct 31 14:38:25 imoqland kernel: IN=eth0 OUT=eth1 SRC=200.33.79.237 DST=192.168.105.220 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=37782 DF PROTO=TCP SPT=36841 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 31 14:38:28 imoqland kernel: IN=eth0 OUT=eth1 SRC=200.33.79.237 DST=192.168.105.220 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=37783 DF PROTO=TCP SPT=36841 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 31 14:38:34 imoqland kernel: IN=eth0 OUT=eth1 SRC=200.33.79.237 DST=192.168.105.220 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=37784 DF PROTO=TCP SPT=36841 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 31 14:38:46 imoqland kernel: IN=eth0 OUT=eth1 SRC=200.33.79.237 DST=192.168.105.220 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=37785 DF PROTO=TCP SPT=36841 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 31 14:39:10 imoqland kernel: IN=eth0 OUT=eth1 SRC=200.33.79.237 DST=192.168.105.220 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=37786 DF PROTO=TCP SPT=36841 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 31 14:39:58 imoqland kernel: IN=eth0 OUT=eth1 SRC=200.33.79.237 DST=192.168.105.220 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=37787 DF PROTO=TCP SPT=36841 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

*sigh* that's Chinese to me :P

-- 
¡Sé libre, usa software libre!
Be free, use free software!
http://www.imoqland.com/

-- 
Psyche-list mailing list
Psyche-list@redhat.com
https://listman.redhat.com/mailman/listinfo/psyche-list
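The following is an added example and is not part of the thread, nor the sender's or Michael Schwendt's configuration. It covers two points raised above: the question "Is there a way to achieve this with iptables?" (yes, a SNAT rule on POSTROUTING makes the IIS host see the router's inside address as the client), and the LOG lines the sender could not read, which it decodes and counts so that "no reply ever came back" is visible at a glance. Interface names and addresses are taken from the thread's log lines; the router's inside address 192.168.1.169 is an assumption read off the sender's diagram; the `IPT=echo` dry-run convention and the `CONSTRUCTED_REPLY` line are this example's own, not from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Dry-run port-forwarding ruleset
# (DNAT plus SNAT) and a decoder for kernel LOG lines of the kind quoted above.
# Addresses and interfaces come from the thread's log lines; the router's inside
# address 192.168.1.169 is an assumption taken from the sender's diagram.

EXT_IF=eth0                   # interface facing 200.33.79.x (from the log lines)
INT_IF=eth1                   # interface facing the web server (from the log lines)
WEB=192.168.105.220           # IIS host (from the log lines)
ROUTER_INT_IP=192.168.1.169   # router's inside address (assumed, from the diagram)

# IPT=echo prints each rule instead of applying it; run with IPT=iptables as root
# to apply. Rules are printed in the order they would be entered.
IPT=${IPT:-echo}

nat_rules() {
    # Destination NAT: inbound port-80 SYNs on the outside interface go to the IIS host.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB"
    # Source NAT on the way out of the inside interface: the IIS host then sees the
    # router's inside address as the client and replies to it even without a default
    # gateway. POSTROUTING runs after DNAT, so -d already matches the rewritten address.
    $IPT -t nat -A POSTROUTING -o "$INT_IF" -p tcp -d "$WEB" --dport 80 \
        -j SNAT --to-source "$ROUTER_INT_IP"
    # Allow exactly this flow through FORWARD rather than relying on a policy of ACCEPT.
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$WEB" --dport 80 -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p tcp -s "$WEB" --sport 80 -j ACCEPT
    # Log replies from the IIS host (the check suggested in the thread). A rule only
    # writes to the log when it carries a -j LOG target.
    $IPT -I FORWARD -i "$INT_IF" -p tcp -s "$WEB" --sport 80 \
        -j LOG --log-prefix "web-reply: "
}

# Reduce one LOG line to "in->out src:sport -> dst:dport flags".
decode_log() {
    awk '{
        ifin = ifout = src = dst = spt = dpt = flags = ""
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n == 2) {
                if (kv[1] == "IN") ifin = kv[2]
                else if (kv[1] == "OUT") ifout = kv[2]
                else if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "SPT") spt = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            } else if ($i ~ /^(SYN|ACK|FIN|RST|PSH)$/) {
                flags = (flags == "") ? $i : (flags "," $i)
            }
        }
        printf "%s->%s %s:%s -> %s:%s %s\n", ifin, ifout, src, spt, dst, dpt, flags
    }'
}

# Count packets entering on the inside interface from the IIS host, i.e. replies.
# Zero replies while SYNs keep arriving means the server never answered.
reply_count() {
    grep -c "IN=$INT_IF .*SRC=$WEB " || true
}

# Two of the six lines quoted in the thread (they differ only in time and ID).
SAMPLE_LOG='Oct 31 14:38:25 imoqland kernel: IN=eth0 OUT=eth1 SRC=200.33.79.237 DST=192.168.105.220 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=37782 DF PROTO=TCP SPT=36841 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 31 14:38:28 imoqland kernel: IN=eth0 OUT=eth1 SRC=200.33.79.237 DST=192.168.105.220 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=37783 DF PROTO=TCP SPT=36841 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0'

# Constructed, not from the thread: what a SYN-ACK from the IIS host would look
# like if the reply-logging rule above fired.
CONSTRUCTED_REPLY='Oct 31 14:38:25 imoqland kernel: web-reply: IN=eth1 OUT=eth0 SRC=192.168.105.220 DST=200.33.79.237 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1 DF PROTO=TCP SPT=80 DPT=36841 WINDOW=16384 RES=0x00 ACK SYN URGP=0'

# Dry run: print the rules, then decode and count the thread's log excerpt.
nat_rules
printf '%s\n' "$SAMPLE_LOG" | decode_log
printf 'replies seen from %s: %s\n' "$WEB" "$(printf '%s\n' "$SAMPLE_LOG" | reply_count)"
```

Three things the decoded output makes plain. The six quoted lines all carry the same client port (SPT=36841) and arrive 3, 6, 12, 24 and 48 seconds apart, which is one client retransmitting a single unanswered SYN with doubling backoff, not six separate attempts. The reply-logging rule as quoted in the thread has no `-j LOG` target, so it only counts matches and writes nothing; the absence of new lines therefore does not by itself show that no replies were sent. Finally, the SNAT rule does answer the sender's question, but it makes every outside client appear in the IIS logs as 192.168.1.169, so where client attribution in the web server's logs matters, the default-gateway fix Michael suggested is the better one and SNAT is best kept as a fallback.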