From: Joel Newkirk <netfilter@newkirk.us>
To: Frank Wallingford <frank.wallingford@technologist.com>,
netfilter@lists.netfilter.org
Subject: Re: problem with UN-DNAT, source is same machine
Date: Mon, 16 Dec 2002 16:22:46 -0500
Message-ID: <200212161622.46685.netfilter@newkirk.us>
In-Reply-To: <3DF2E9D3.6010006@technologist.com>
On Sunday 08 December 2002 01:42 am, Frank Wallingford wrote:
> Here's one I can't quite wrap my head around.
> iptables -t nat -A OUTPUT -p tcp -d 192.168.0.100 --dport 22 \
> -j DNAT --to 192.168.0.200
>
> Now, I'm only trying to get this one case working:
>
> (from machine 192.168.0.100:) ssh 192.168.0.100
>
> and I'd like it to connect to 192.168.0.200. I'm not sure why it
> isn't.
> From what I understand, this should be the case:
> (1) The packet starts as
> SOURCE: 192.168.0.100:port_a (some random port)
> DEST: 192.168.0.100:22
> (2) While traversing the OUTPUT chain in the NAT table, it's changed:
> SOURCE: 192.168.0.100:port_a
> DEST: 192.168.0.200:22
> (3) The packet is sent out
> (4) Host 192.168.0.200 sees it and sends the reply
> SOURCE: 192.168.0.200:22
> DEST: 192.168.0.100:port_a
> (5) The packet arrives, and is un-snat'd:
> SOURCE: 192.168.0.100:22
> DEST: 192.168.0.100:port_a
> (6) The local process sees a reply from the local machine, and accepts
> it.
>
> What's actually happening is that it's getting as far as (4), and the
> reply comes in, but the local process doesn't accept it. I'm guessing
> this is because it wasn't un-snat'd correctly, or I'm doing something
> wrong.
Are you sure you are allowing it through the INPUT chain? You can
confirm whether or not it is reaching that point with two log rules, one
as first in PREROUTING, one as first in INPUT. If it hits both, then it
is likely being dropped in INPUT, but is getting unDNATted properly. If
it gets here, check the info on the packet logged at the INPUT chain and
make sure that you have a rule to allow it through.
j
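The two-LOG-rule check Joel describes produces pairs of kernel-log lines per reply packet, and the diagnosis comes from comparing them. Below is an added worked example, not part of this thread or of netfilter itself, that correlates such lines. The two diagnostic rules it assumes are in its header comment; note that the PREROUTING rule belongs in the mangle table, which every packet traverses and which runs before the nat hook, because a rule in nat PREROUTING only sees the first packet of a connection and would never show the reply before un-DNAT. The log excerpt is constructed (MAC fields shortened), the "PRE: "/"IN: " prefixes are arbitrary, and the addresses are the ones from Frank's message.

```python
"""Correlate the PREROUTING and INPUT LOG rules from the thread above.

Rules assumed for this example (prefixes are arbitrary):
    iptables -t mangle -I PREROUTING 1 -p tcp --sport 22 -j LOG --log-prefix "PRE: "
    iptables -t filter -I INPUT 1      -p tcp --sport 22 -j LOG --log-prefix "IN: "
The mangle PREROUTING hook runs before the nat hook, so its LOG line shows the
reply as it arrived; the filter INPUT line shows it after conntrack has (or has
not) reversed the DNAT.
"""
import re
from collections import defaultdict

LOCAL_ADDR = "192.168.0.100"   # address the ssh client connected to (from the thread)
REAL_SERVER = "192.168.0.200"  # where the nat OUTPUT rule DNATs it (from the thread)

# Constructed kernel-log excerpt in the iptables LOG target's format.
# Flow 40001: reply un-DNATed and reached INPUT (Joel's "check INPUT" case).
# Flow 40002: reply seen in PREROUTING but never reached INPUT.
# Flow 40003: reply reached INPUT with its source still 192.168.0.200.
SAMPLE_LOG = """\
Dec 16 16:20:01 gw kernel: PRE: IN=eth0 OUT= MAC=00:00:00:00:00:01 SRC=192.168.0.200 DST=192.168.0.100 LEN=60 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=40001 WINDOW=5792 ACK SYN URGP=0
Dec 16 16:20:01 gw kernel: IN: IN=eth0 OUT= MAC=00:00:00:00:00:01 SRC=192.168.0.100 DST=192.168.0.100 LEN=60 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=40001 WINDOW=5792 ACK SYN URGP=0
Dec 16 16:20:05 gw kernel: PRE: IN=eth0 OUT= MAC=00:00:00:00:00:01 SRC=192.168.0.200 DST=192.168.0.100 LEN=60 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=40002 WINDOW=5792 ACK SYN URGP=0
Dec 16 16:20:09 gw kernel: PRE: IN=eth0 OUT= MAC=00:00:00:00:00:01 SRC=192.168.0.200 DST=192.168.0.100 LEN=60 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=40003 WINDOW=5792 ACK SYN URGP=0
Dec 16 16:20:09 gw kernel: IN: IN=eth0 OUT= MAC=00:00:00:00:00:01 SRC=192.168.0.200 DST=192.168.0.100 LEN=60 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=40003 WINDOW=5792 ACK SYN URGP=0
"""

LINE_RE = re.compile(r"kernel: (?P<chain>PRE|IN): (?P<fields>.*)$")
KV_RE = re.compile(r"\b(\w+)=(\S*)")   # KEY=value pairs; bare flags (DF, ACK) are skipped


def parse_log(text):
    """Group LOG lines by flow.

    A reply to one local connection is identified by (PROTO, DPT): DPT is the
    client's ephemeral port (port_a in Frank's message) and does not change
    when the source address is rewritten.  The value maps each chain ("PRE" or
    "IN") to the SRC address the packet carried when that rule logged it.
    """
    flows = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not one of the two diagnostic rules
        fields = dict(KV_RE.findall(m.group("fields")))
        key = (fields.get("PROTO"), fields.get("DPT"))
        flows[key][m.group("chain")] = fields.get("SRC")
    return dict(flows)


def diagnose(flows, local_addr=LOCAL_ADDR, real_server=REAL_SERVER):
    """Return {flow_key: verdict} by comparing what the two chains saw."""
    verdicts = {}
    for key, seen in flows.items():
        pre, inp = seen.get("PRE"), seen.get("IN")
        if pre is None:
            # Only INPUT logged it: the packet did not come in through PREROUTING.
            verdicts[key] = "NO_PREROUTING_HIT"
        elif inp is None:
            # Only the routing decision sits between the two hooks, so a packet
            # that disappears here was not dropped by a filter rule.
            verdicts[key] = "LOST_BEFORE_INPUT"
        elif pre == real_server and inp == local_addr:
            # Source rewritten .200 -> .100: un-DNAT worked, so as Joel says,
            # look at the INPUT filter rules for why the process never sees it.
            verdicts[key] = "UNDNAT_OK_CHECK_INPUT_FILTER"
        elif pre == inp:
            # Reached INPUT untouched: conntrack did not match it to the mapping.
            verdicts[key] = "REACHED_INPUT_NOT_UNDNATTED"
        else:
            verdicts[key] = "UNEXPECTED_REWRITE"
    return verdicts


if __name__ == "__main__":
    for key, verdict in sorted(diagnose(parse_log(SAMPLE_LOG)).items()):
        print(key, verdict)
```

Run against real output, feed it the matching lines from `dmesg` or the kernel facility of syslog; flows keyed by DPT are reported individually, so a single failing connection stands out even when other traffic to port 22 is logged alongside it.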
Thread overview: 3+ messages
2002-12-08 6:42 problem with UN-DNAT, source is same machine Frank Wallingford
2002-12-16 20:04 ` Ranjeet Shetye
2002-12-16 21:22 ` Joel Newkirk [this message]