On 01 Nov 2002 14:46:41 -0600, Alejandro González Hernández - Imoq wrote:

> > I'd like to see the full output of "iptables-save".
>
> Here it is:

Earlier you've written:

> I did put the default deny policies;

I don't see those in your output. All default policies are ACCEPT.

> [root@imoqland root]# cat /etc/sysconfig/iptables
> # Generated by iptables-save v1.2.6a on Thu Oct 31 14:25:30 2002
> *mangle
> :PREROUTING ACCEPT [560108:108371236]
> :INPUT ACCEPT [434537:90320860]
> :FORWARD ACCEPT [163:9484]
> :OUTPUT ACCEPT [169065:19276317]
> :POSTROUTING ACCEPT [175473:20023241]
> COMMIT
> # Completed on Thu Oct 31 14:25:30 2002
> # Generated by iptables-save v1.2.6a on Thu Oct 31 14:25:30 2002
> *nat
> :PREROUTING ACCEPT [255232:37397118]
> :POSTROUTING ACCEPT [20187:1660015]
> :OUTPUT ACCEPT [20131:1656818]
> [42:2532] -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.105.220:80

Earlier we've seen that this rule works fine. With the default policy in the FORWARD chain being ACCEPT, the traffic is sent to your Windows box.

> COMMIT
> # Completed on Thu Oct 31 14:25:30 2002
> # Generated by iptables-save v1.2.6a on Thu Oct 31 14:25:30 2002
> *filter
> :INPUT ACCEPT [48719:35011105]
> :FORWARD ACCEPT [163:9484]

Here, the above default policy is ACCEPT.

> :OUTPUT ACCEPT [169033:19272646]
> :RH-Lokkit-0-50-INPUT - [0:0]
> [434536:90320795] -A INPUT -j RH-Lokkit-0-50-INPUT
> [0:0] -A FORWARD -s 192.168.105.220 -i eth1 -p tcp -j LOG --log-prefix "FORWARD: "

So far, this rule has not logged anything. That means no TCP reply packets for your connection attempts from the outside. However, that rule should also log traffic when you connect from the Windows box to some Internet host.

> [35:3440] -A FORWARD -p tcp -m tcp --dport 80 -j LOG

This rule has logged the outgoing TCP connection requests to your Windows box. Since no later rule drops/rejects packets in the FORWARD chain, I don't see why it shouldn't reach your Windows box.

> [83643:8738141] -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 53 -j ACCEPT
> [5:300] -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> [4753:627208] -A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
> [272361:43190457] -A RH-Lokkit-0-50-INPUT -i eth1 -j ACCEPT
> [0:0] -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 -j ACCEPT

Erhm, you do have a web server running on your router? You should decide whether you want to redirect port 80 to your Windows box or run a web server on the router. Both don't make sense unless you modify your rules to evaluate the destination address.

> [0:0] -A RH-Lokkit-0-50-INPUT -s 192.168.1.169 -p udp -m udp --sport 53 -j ACCEPT

A DNS server on your Windows box accessed by your Linux box?

> [255:18712] -A RH-Lokkit-0-50-INPUT -s 200.33.79.237 -p udp -m udp --sport 53 -j ACCEPT
> [223:14812] -A RH-Lokkit-0-50-INPUT -s 200.33.79.239 -p udp -m udp --sport 53 -j ACCEPT
> [2378:125812] -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
> [22199:2594248] -A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
> COMMIT
> # Completed on Thu Oct 31 14:25:30 2002

So, no rule that would drop/reject the forwarded outgoing traffic to your Windows box. It looks like a Windows problem. Maybe your IIS does not like connections with an external source IP address? Do you have any means of watching incoming traffic on the Windows box?

> Notice the line where it says:
>
> [272361:43190457] -A RH-Lokkit-0-50-INPUT -i eth1 -j ACCEPT
>
> So, it is accepting all traffic coming from private network, isn't it?

With netfilter/iptables, the INPUT chain is only for incoming connections to the local host. The above rule ensures that you can connect to your Linux box from your LAN. It has nothing to do with the DNAT and forwarding.

-- 
Psyche-list mailing list
Psyche-list@redhat.com
https://listman.redhat.com/mailman/listinfo/psyche-list
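Added example (not part of the original message or of Alejandro's ruleset): a small POSIX shell script that (a) audits an iptables-save dump for the condition the reply points out, built-in *filter chains whose default policy is ACCEPT, and (b) generates an iptables-restore file for the setup under discussion, with default-DROP policies in INPUT and FORWARD, the port-80 DNAT limited to the external interface, and a FORWARD rule that matches the already-rewritten destination (FORWARD sees the packet after PREROUTING DNAT, so it must match 192.168.105.220, not the router's public address). The external interface name eth0, the LAN network 192.168.105.0/24 and the SSH rule are assumptions for illustration; the thread only names eth1 as the LAN side and 192.168.105.220 as the Windows box. The sample iptables-save text at the bottom is constructed from the headers quoted in the thread.

```shell
#!/bin/sh
# Added example; assumed values, override via environment if needed.
WAN_IF="${WAN_IF:-eth0}"                 # assumed external interface
LAN_IF="${LAN_IF:-eth1}"                 # LAN interface named in the thread
LAN_NET="${LAN_NET:-192.168.105.0/24}"   # assumed LAN network
WEB_HOST="${WEB_HOST:-192.168.105.220}"  # Windows/IIS box from the thread

# audit_filter_accept: read iptables-save output on stdin and print the
# built-in *filter chains whose default policy is ACCEPT, in order of
# appearance. User-defined chains show "-" as policy and are skipped.
audit_filter_accept() {
  awk '
    /^\*/ { table = substr($0, 2) }
    table == "filter" && /^:/ && $2 == "ACCEPT" {
      out = out (out ? " " : "") substr($1, 2)
    }
    END { print out }
  '
}

# gen_rules: emit an iptables-restore file. Lines starting with # are
# ignored by iptables-restore, so the comments can stay in the file.
gen_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Rewrite only packets arriving on the WAN side, so LAN clients can still
# reach a web server on the router itself if one is running.
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_HOST:80
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 22 --syn -j ACCEPT
# FORWARD sees the DNATed packet: match the internal destination.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_HOST -p tcp --dport 80 -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -j LOG --log-prefix "FORWARD-DROP: "
COMMIT
EOF
}

# check_rules: refuse a generated ruleset that still has ACCEPT defaults
# in INPUT or FORWARD, or that lacks the explicit accept for the DNATed flow.
check_rules() {
  rules="$(gen_rules)"
  printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
  printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
  printf '%s\n' "$rules" |
    grep -q -- "-A FORWARD .* -d $WEB_HOST -p tcp --dport 80 -j ACCEPT" || return 1
  return 0
}

# Constructed sample: the *filter header as quoted in the thread (counters
# copied from the quoted iptables-save output, rules omitted).
SAMPLE_SAVE='*nat
:PREROUTING ACCEPT [255232:37397118]
COMMIT
*filter
:INPUT ACCEPT [48719:35011105]
:FORWARD ACCEPT [163:9484]
:OUTPUT ACCEPT [169033:19272646]
:RH-Lokkit-0-50-INPUT - [0:0]
COMMIT'

# Usage (as root, from the console, not over SSH, since INPUT becomes DROP):
#   printf '%s\n' "$SAMPLE_SAVE" | audit_filter_accept   # audit a dump
#   gen_rules > /etc/sysconfig/iptables && iptables-restore < /etc/sysconfig/iptables
#   echo 1 > /proc/sys/net/ipv4/ip_forward
```

Two caveats that go with the generated file: load it from the console, because `:INPUT DROP` plus a missing rule locks out a remote session, and make sure the web server's default gateway is the Linux router, otherwise its replies to external clients bypass the router, are never matched by conntrack and never get the DNAT reversed, which makes the forwarded connection hang even though every rule above is correct.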