On Fri, 2002-11-01 at 15:27, Michael Schwendt wrote:

> Earlier you've written:
>
> > I did put the default deny policies;
>
> I don't see those in your output. All default policies are ACCEPT.

My mistake. I misunderstood.

> > [42:2532] -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT
> > --to-destination 192.168.105.220:80
>
> Earlier we've seen that this rule works fine. With the default
> policy in the FORWARD chain being ACCEPT, the traffic is sent to
> your Windows box. Or at least the logs say so, no? ;)
>
> > [0:0] -A FORWARD -s 192.168.105.220 -i eth1 -p tcp -j LOG --log-prefix
> > "FORWARD: "
>
> So far, this rule has not logged anything. That means, no TCP reply
> packets for your connection attempts from the outside.
>
> However, that rule should also log traffic when you connect from the
> Windows box to some Internet host.

Which was really strange, since it was possible to surf the net from the Windows box.

> > [35:3440] -A FORWARD -p tcp -m tcp --dport 80 -j LOG
>
> This rule has logged the outgoing TCP connection requests to your
> Windows box. Since no later rule drops/rejects packets in the
> FORWARD chain, I don't see why it shouldn't reach your Windows box.

Yes, it should have worked, but it seems that it wasn't reaching the Windows box. I am not sure, since there was no method to test it from Windows, anyway.

> > [0:0] -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 -j ACCEPT
>
> Erhm, you do have a web server running on your router? You should
> decide whether you want to redirect port 80 to your Windows box or
> run a web server on the router. Both don't make sense unless you
> modify your rules to evaluate the destination address.

I erased that line, retested, and no luck. I then put it back again, for a reason that I will explain in a moment.

> > [0:0] -A RH-Lokkit-0-50-INPUT -s 192.168.1.169 -p udp -m udp --sport
> > 53 -j ACCEPT
>
> A DNS server on your Windows box accessed by your Linux box?

No, actually it is a DNS server running on the same Linux box. Lokkit took the address from /etc/resolv.conf, I think.

> So, no rule that would drop/reject the forwarded outgoing traffic to
> your Windows box. It looks like a Windows problem. Maybe your IIS
> does not like connections with an external source IP address? Do you
> have any means of watching incoming traffic on the Windows box?

Unfortunately not, since it is in a remote location (although it is in the private network), but we do have a very big private network, hehe.

> > [272361:43190457] -A RH-Lokkit-0-50-INPUT -i eth1 -j ACCEPT
> >
> > So, it is accepting all traffic coming from the private network, isn't it?
>
> With netfilter/iptables, the INPUT chain is only for incoming
> connections to the local host. Above rule ensures that you can
> connect to your Linux box from your LAN. It has nothing to do with
> the DNAT and forwarding.

Understood.

Finally, since I couldn't achieve it with pure iptables, and asking Google, I found a post in a mailing list where a user suggested "why don't you use redir?" And I found out that redir is a very small program that "just works" (TM). Of course, I am using it combined with iptables; I just let port 80 open with INPUT and voilà! It is working.

I will continue researching on iptables, since I do prefer to use only one, supported program, but at least I kind-of solved it before the deadline, which was tomorrow.

Sincerely, thank you for all your help, Michael. I hope this thread can help any other iptables newbies around.

Alex.

--
Be free, use free software!
http://www.imoqland.com/

--
Psyche-list mailing list
Psyche-list@redhat.com
https://listman.redhat.com/mailman/listinfo/psyche-list
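Michael's diagnosis above rests on reading the `[packets:bytes]` counters and chain policies of an `iptables-save -c` dump: rules at `[0:0]` never matched, and an ACCEPT default on FORWARD means nothing in the chain has to explicitly allow the DNATed traffic. The following is an added Python example (not code from the thread or from iptables) that parses such a dump and reports both; the sample dump is constructed from the rules quoted in the thread, and `forward_allows` deliberately inspects only `-d` and `-j` (an assumption that ignores other match options).

```python
import re
# Constructed sample in `iptables-save -c` format, trimmed to rules quoted in this thread.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
[42:2532] -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.105.220:80
COMMIT
*filter
:FORWARD ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
[0:0] -A FORWARD -s 192.168.105.220 -i eth1 -p tcp -j LOG --log-prefix "FORWARD: "
[35:3440] -A FORWARD -p tcp -m tcp --dport 80 -j LOG
[272361:43190457] -A RH-Lokkit-0-50-INPUT -i eth1 -j ACCEPT
COMMIT
"""

RULE_RE = re.compile(r"^\[(\d+):(\d+)\] -A (\S+) (.*)$")
POLICY_RE = re.compile(r"^:(\S+) (ACCEPT|DROP|-) \[\d+:\d+\]$")

def parse_save(text):
    """Return (policies, rules): 'table/chain' -> policy ('-' = user chain); rule dicts."""
    policies, rules, table = {}, [], None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif (m := POLICY_RE.match(line)):
            policies[f"{table}/{m.group(1)}"] = m.group(2)
        elif (m := RULE_RE.match(line)):
            rules.append({"table": table, "chain": m.group(3),
                          "pkts": int(m.group(1)), "spec": m.group(4)})
    return policies, rules

def unmatched_rules(rules):  # packet counter still zero: nothing has hit the rule
    return [r for r in rules if r["pkts"] == 0]

def open_builtin_chains(policies):  # built-in chains with no default deny
    return sorted(c for c, p in policies.items() if p == "ACCEPT")

def forward_allows(policies, rules, dst):
    """Does filter/FORWARD pass a packet to dst? Simplifying assumption:
    only '-d' and '-j' are inspected; LOG is non-terminating and skipped."""
    for r in rules:
        if (r["table"], r["chain"]) != ("filter", "FORWARD"):
            continue
        spec = r["spec"] + " "
        if "-d " in spec and f"-d {dst} " not in spec:
            continue  # rule is for another destination
        if "-j ACCEPT " in spec or "-j DROP " in spec or "-j REJECT " in spec:
            return "-j ACCEPT " in spec  # first terminating verdict decides
    return policies.get("filter/FORWARD") == "ACCEPT"
```

On the thread's dump this flags the `FORWARD -s 192.168.105.220` LOG rule as never hit and lists both PREROUTING and FORWARD as wide open, which is exactly what Michael read off the counters by hand.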