From: "Rob Sterenborg" <rob@sterenborg.info>
To: netfilter@vger.kernel.org
Subject: RE: Failing to get forwarding to work fully.
Date: Sun, 3 Feb 2008 18:19:06 +0100
Message-ID: <000c01c86688$e22637c0$a672a740$@info>
In-Reply-To: <47A5F1A7.4030308@roamware.co.uk>

> I have tried to get this iptables script on my Centos 4.4 machine
> working, with some help, but still have not succeeded in forwarding
> port 722 to a machine on the LAN attached to the machine running
> iptables attached to the internet. The logging of the FORWARD
> packets just before drop tells me they are being forwarded. I also
> made sure the LAN attached machine on eth0 does accept ssh -D
> 722 once I logged into the public facing machine via ssh. So I kinda
> assume it is the return packet that is the problem, but cannot see
> why. Ideas? 333.333.333.333 is substituted for the public IP addr,
> 111.111.111.111 222.222.222.222 are machines I want to be the only
> ones that can access. eth0 is the LAN NIC and eth1 is the public
> facing NIC.
> 
> # Generated by iptables-save v1.2.11 on Thu Dec 15 17:00:25 2005
> *filter

[...]

> -A FORWARD -j LOG --log-level debug
> -A FORWARD -d 192.168.0.0/255.255.255.0 -i eth1 -o eth0 \
>     -p tcp -m multiport --dports 22,3306 -m state --state NEW \
>     -j ACCEPT

So NEW packets forwarded to port 22 will be allowed.

> -A FORWARD -i eth1 -o eth0 -m state \
>     --state RELATED,ESTABLISHED -j ACCEPT

Here you are only accepting packets from eth1 -> eth0 in a RELATED or
ESTABLISHED connection. What about the return packets that will go from
eth0 -> eth1? I really don't think you can set up a connection this way.
Try:

-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT


Grts,
Rob
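
An added illustration, not part of Rob's reply or of David's ruleset: a small Python model of the quoted FORWARD rules that walks the chain the way netfilter does and shows the reply packet from eth0 to eth1 being dropped by the original rules and accepted once the RELATED,ESTABLISHED rule carries no interface match. It assumes a DROP policy at the end of the chain (the quote says packets are logged just before a drop) and that the nat table, which is not quoted, has already rewritten port 722 to 22; the packets and addresses are constructed.

```python
import ipaddress

# Constructed model of the quoted FORWARD rules (not iptables itself); None = match anything.
def rule(target, in_if=None, out_if=None, dst=None, proto=None, dports=None, states=None):
    return {"target": target, "in_if": in_if, "out_if": out_if,
            "dst": ipaddress.ip_network(dst) if dst else None,
            "proto": proto, "dports": dports, "states": states}

ORIGINAL_FORWARD = [
    rule("LOG"),                                   # -A FORWARD -j LOG
    rule("ACCEPT", in_if="eth1", out_if="eth0", dst="192.168.0.0/24",
         proto="tcp", dports={22, 3306}, states={"NEW"}),
    rule("ACCEPT", in_if="eth1", out_if="eth0", states={"RELATED", "ESTABLISHED"}),
]

# Rob's suggestion: accept RELATED,ESTABLISHED with no interface match, so
# conntrack-tracked reply packets pass in both directions.
FIXED_FORWARD = ORIGINAL_FORWARD[:2] + [rule("ACCEPT", states={"RELATED", "ESTABLISHED"})]

def matches(r, pkt):
    return all([
        r["in_if"] is None or r["in_if"] == pkt["in_if"],
        r["out_if"] is None or r["out_if"] == pkt["out_if"],
        r["dst"] is None or ipaddress.ip_address(pkt["dst"]) in r["dst"],
        r["proto"] is None or r["proto"] == pkt["proto"],
        r["dports"] is None or pkt["dport"] in r["dports"],
        r["states"] is None or pkt["state"] in r["states"],
    ])

def forward_verdict(chain, pkt, policy="DROP"):
    """First terminating target wins; LOG is non-terminating, so the walk continues.
    Assumption: the chain policy is DROP, as the quoted logging-before-drop implies."""
    for r in chain:
        if matches(r, pkt) and r["target"] != "LOG":
            return r["target"]
    return policy

# Constructed packets as FORWARD sees them, i.e. after DNAT (assumed 722 -> 22; the nat
# table is not quoted). Conntrack marks the reply to a seen SYN as ESTABLISHED.
SYN_IN = {"in_if": "eth1", "out_if": "eth0", "dst": "192.168.0.10",
          "proto": "tcp", "dport": 22, "state": "NEW"}
SYN_ACK_BACK = {"in_if": "eth0", "out_if": "eth1", "dst": "222.222.222.222",
                "proto": "tcp", "dport": 51234, "state": "ESTABLISHED"}

def compare():
    return {name: (forward_verdict(ORIGINAL_FORWARD, p), forward_verdict(FIXED_FORWARD, p))
            for name, p in (("syn_in", SYN_IN), ("syn_ack_back", SYN_ACK_BACK))}

if __name__ == "__main__":
    for name, (orig, fixed) in compare().items():
        print(f"{name:13s} original={orig:7s} fixed={fixed}")
```

The inbound SYN is accepted by both rulesets; only the reply from the LAN host survives under the fixed one, which is why the original ruleset logs forwarded packets yet never completes a connection.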


