From: Joel Newkirk <netfilter@newkirk.us>
To: "james.Q.L" <shijialeeee@yahoo.ca>
Cc: netfilter@lists.netfilter.org
Subject: Re: problem reach the internal.
Date: Sat, 30 Nov 2002 10:27:22 -0500 [thread overview]
Message-ID: <200211301027.23099.netfilter@newkirk.us> (raw)
In-Reply-To: <20021130083402.3274.qmail@web14506.mail.yahoo.com>
On Saturday 30 November 2002 03:34 am, james.Q.L wrote:
> the iptables counter is very neat to debug problem. i never thought of
> that.
>
> found a problem that in the following ruleset i shouldn't have '-i eth1'.
> it blocks the internal DNAT.
>
> > > iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 8888 \
> > > -j DNAT --to-destination 192.168.0.3:80
>
> i also change the order of the rule in FORWARD chain in Filter table.
>
> the rule for filter table is:
> [root@cozy166 Qiang]#iptables -L -n --line-numbers
>
> Chain FORWARD (policy DROP)
> num target prot opt source destination
> 1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
> RELATED,ESTABLISHED 2 ACCEPT tcp -- 0.0.0.0/0
> 192.168.0.3 tcp dpt:80 3 ACCEPT all -- 0.0.0.0/0
> 0.0.0.0/0
> 4 LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags
> 0 level 4
>
> the line num 3 and num 2 are swapped.
>
> i tried reset the counter of ruleset and make connection test to it. i
> found something that i don't understand. when i am testing from an internal
> machine to INET_IP:8888 the ruleset for filter table is (counter has reset
> to zero)
>
> [root@cozy166 Qiang]#iptables -L -v -n --line-numbers
>
> Chain FORWARD (policy DROP 5 packets, 224 bytes)
> num pkts bytes target prot opt in out source destination
> 1 11806 15M ACCEPT all -- eth1 eth0 0.0.0.0/0
> 0.0.0.0/0 state RELATED,ESTABLISHED
> 2 3 144 ACCEPT tcp -- * * 0.0.0.0/0
> 192.168.0.3 tcp dpt:80
> 3 8000 341K ACCEPT all -- eth0 eth1 0.0.0.0/0
> 0.0.0.0/0
> 4 5 224 LOG all -- * * 0.0.0.0/0
> 0.0.0.0/0 LOG flags 0 level 4
>
> Chain OUTPUT (policy ACCEPT 13143 packets, 996K bytes)
> num pkts bytes target prot opt in out source
> destination
>
> Chain drop-and-log-it (0 references)
> num pkts bytes target prot opt in out source
> destination
> 1 0 0 DROP all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> ####
> noticed that the Forward chain has (policy DROP 5 packets, 224 bytes) and
> the line num 2 has 3 counter and 144bytes hits. it's gotta be a problem
> here.
Well, what were those 5 packets? They were logged by line 4. You can add
--log-prefix "IPT:forward drop:" to the rule, and then use:
tail -n 100 /var/log/messages | grep IPT:for
later to list them. (or any other useful prefix for the log lines)
> one thing i am unsure is if the counter and packet get hit means the packet
> get passed or attempted to pass? taking a look at the line num 2 ruleset,
> it shouldn't block proper packet tho.
> 2 ACCEPT tcp -- 0.0.0.0/0 192.168.0.3 tcp dpt:80
The counter in the first listing indicates that three packets matched this
rule, and were accepted.
> another thing i'm unsure is the POSTROUTING and PREROUTING both have two
> hits and packet records. so this seems to say the packet got back from the
> webserver. but if the FORWARD chain drops the packet there, the POSTROUTING
> shouldn't have anything..
>
> [root@cozy166 Qiang]#iptables -L -v -n -t nat --line-numbers
> Chain PREROUTING (policy ACCEPT 146 packets, 10341 bytes)
> num pkts bytes target prot opt in out source
> destination
> 1 4 192 DNAT tcp -- * * 0.0.0.0/0
> 65.48.28.33 tcp dpt:8888 to:192.168.0.3:80
>
> Chain POSTROUTING (policy ACCEPT 1 packets, 249 bytes)
> num pkts bytes target prot opt in out source
> destination
> 1 4 192 SNAT tcp -- * * 192.168.0.0/24
> 192.168.0.3 tcp dpt:80 to:192.168.0.1
This tells us that 4 packets, total 192 bytes, matched this rule in
POSTROUTING. 4 packets from somewhere on the LAN, going to the server. The
rule above this shows 4 packets, total 192 bytes, matching the rule in
PREROUTING that performs the DNAT.
Unfortunately this doesn't tell us anything about return packets. The only
places those would be matched (at least with the listed rules) are in the PRE
and POST policies, and in the ESTABLISHED rule in FORWARD. However,
PREROUTING policy accepted 146 packets, POSTROUTING policy only 1, and the
listed rules match 4 and 4, so the remaining 145 packets are unaccounted for
in the data here.
> 2 51 2866 MASQUERADE all -- * eth1 0.0.0.0/0
> 0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT 79573 packets, 5705K bytes)
> num pkts bytes target prot opt in out source
> destination
j
next prev parent reply other threads:[~2002-11-30 15:27 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-11-29 19:32 problem reach the internal james.Q.L
2002-11-30 1:03 ` james.Q.L
2002-11-30 1:35 ` Anders Fugmann
2002-11-30 2:20 ` Joel Newkirk
2002-11-30 8:34 ` james.Q.L
2002-11-30 15:27 ` Joel Newkirk [this message]
2002-12-01 22:35 ` james.Q.L
2002-11-30 11:44 ` Anders Fugmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200211301027.23099.netfilter@newkirk.us \
--to=netfilter@newkirk.us \
--cc=netfilter@lists.netfilter.org \
--cc=shijialeeee@yahoo.ca \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.