Re: Where to add own rules in /etc/sysconfig/iptables

On Thu, 2002-10-31 at 15:29, Michael Schwendt wrote:

> > This is getting even more interesting. My stupid logic told me that,
> > if I had traffic forward configured in my box, the windowze box would
> > see it like if it were coming from my private network interface, like
> > this:
> > 
> > 
> > REAL WORLD             MY COMPUTER               WINDOWZE BOX
> > 
> > 200.33.79.237   ->     200.33.79.250
> >                             |
> >                             v
> >                        192.168.1.169      ->      192.168.105.220
> > 
> > So, the windowze box would see the traffic coming from "192.168.1.169"
> > and then answer it, since I can access port 80 from 192.168.1.169 to
> > 192.168.105.220
> > 
> > Isn't this right? Is there a way to achieve this with iptables?
> 
> No. It sees the traffic coming from 200.33.79.237, because that is
> the source address of the packets. DNAT changes just the destination
> address. Hence the name Destination Network Address Translation. If
> your router changed the source address from 200.33.79.237 to
> 192.168.1.169, the Windows box could not reply to the actual source
> host, which is 200.33.79.237.

OK, understood. Then, the Windows box should see the traffic coming from
the original address.

> These are not created by the new logging rule. Since nothing seems
> to come back from your Windows box, it smells even more like your
> Windows box cannot access the Internet, i.e. it doesn't have a route
> via your router into the Internet (= usually the default route). Can
> you check that? Do you have a Gateway configured on your Windows
> box?

The Windows box did have a different gateway to the Internet. The people who
manage it changed the default gateway to 192.168.1.169 (the Linux router
which is trying to do the translation from the Internet to it) and now if they
do a "tracert www.yahoo.com" they get the right route through my Linux
box.

Unfortunately, the problem persists and the logfiles show the same
message:

Oct 31 17:16:26 imoqland kernel: IN=eth0 OUT=eth1 SRC=200.33.79.237
DST=192.168.105.220 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=4867 DF
PROTO=TCP SPT=36833 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 31 17:16:29 imoqland kernel: IN=eth0 OUT=eth1 SRC=200.33.79.237
DST=192.168.105.220 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=4868 DF
PROTO=TCP SPT=36833 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

No reply from telnet port 80, and then it dies with connection timeout
:(

[imoq@mail imoq]$ telnet 200.33.79.250 80
Trying 200.33.79.250...
telnet: connect to address 200.33.79.250: Connection timed out

But still, from the Linux router computer with two network interfaces,
telnet to 192.168.105.220 80 connects immediately.

The IPTABLES rules are still:

:OUTPUT ACCEPT [20131:1656818]
[42:2532] -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT
--to-destination 192.168.105.220:80
COMMIT
[0:0] -A FORWARD -s 192.168.105.220 -i eth1 -p tcp -j LOG --log-prefix
"FORWARD: "
[35:3440] -A FORWARD -p tcp -m tcp --dport 80 -j LOG

:(

-- 
¡Sé libre, usa software libre!
Be free, use free software!
http://www.imoqland.com/
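Michael's point above, that nothing seems to come back from the Windows box, can be checked mechanically from the FORWARD log. The following Python script is an added example (not part of this thread): it parses iptables LOG lines in the format quoted in the message, pairs each forwarded SYN with a SYN-ACK on the reversed 4-tuple, and lists the flows that never got a reply. The sample log is constructed: the two entries from the message plus one healthy handshake for contrast.

```python
import re

# Constructed sample: the two unanswered SYNs quoted in the message, plus one
# healthy handshake (also constructed) showing a SYN-ACK as FORWARD would log it.
SAMPLE_LOG = """\
Oct 31 17:16:26 imoqland kernel: IN=eth0 OUT=eth1 SRC=200.33.79.237 DST=192.168.105.220 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=4867 DF PROTO=TCP SPT=36833 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 31 17:16:29 imoqland kernel: IN=eth0 OUT=eth1 SRC=200.33.79.237 DST=192.168.105.220 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=4868 DF PROTO=TCP SPT=36833 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 31 17:20:01 imoqland kernel: IN=eth0 OUT=eth1 SRC=200.33.79.237 DST=192.168.105.220 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=5001 DF PROTO=TCP SPT=36900 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 31 17:20:01 imoqland kernel: IN=eth1 OUT=eth0 SRC=192.168.105.220 DST=200.33.79.237 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7 DF PROTO=TCP SPT=80 DPT=36900 WINDOW=16384 RES=0x00 ACK SYN URGP=0
"""
LOG_RE = re.compile(r"kernel: (?P<body>IN=.*)$")

def parse_log_line(line):
    """Split one iptables LOG line into (key=value fields, bare flag tokens)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("body").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
        else:
            flags.add(tok)  # bare tokens such as DF, SYN, ACK
    return fields, flags

def unanswered_syns(log_text):
    """Return (src, sport, dst, dport, out_iface, syn_count) for each forwarded
    TCP SYN that never saw a SYN-ACK on the reversed 4-tuple."""
    pending = {}
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        f, flags = parsed
        if f.get("PROTO") != "TCP" or "SYN" not in flags:
            continue
        if "ACK" in flags:  # SYN-ACK: answers the flow in the other direction
            pending.pop((f["DST"], f["DPT"], f["SRC"], f["SPT"]), None)
        else:
            key = (f["SRC"], f["SPT"], f["DST"], f["DPT"])
            entry = pending.setdefault(key, {"out": f.get("OUT", "?"), "syns": 0})
            entry["syns"] += 1  # retransmitted SYNs count as the same flow
    return [(*k, v["out"], v["syns"]) for k, v in pending.items()]

def diagnose(log_text):
    """One line per silent flow, naming the return-path check to make next."""
    return [f"{dst}:{dport} out {out} never answered {src}:{sport} after {n} SYN(s);"
            f" check that {dst} routes back via this router"
            for src, sport, dst, dport, out, n in unanswered_syns(log_text)]
```

Run it over the real log with `diagnose(open("/var/log/messages").read())`; a flow that shows up here while the DNAT counter in PREROUTING keeps climbing means the packet left on eth1 but the target host never sent its reply back through this router.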



-- 
Psyche-list mailing list
Psyche-list@redhat.com
https://listman.redhat.com/mailman/listinfo/psyche-list
