* What is missed for port forwarding
From: Kai Weber @ 2004-03-06 18:36 UTC
To: netfilter
I have a router where only masquerading and some QOS is enabled. I have
a problem with port forwarding HTTP.
The only rules I use (sorry for long lines):
$IPTABLES -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
$IPTABLES -t nat -A PREROUTING -p tcp --dport 10143 -j DNAT --to 192.168.1.2:22
$IPTABLES -t nat -A PREROUTING -p tcp --dport 8888 -i ppp0 -j DNAT --to 192.168.1.2:80
The first DNAT rule works without a problem. I can ssh directly to my
machine. But the requests to port 8888 seem not to be answered or come
through. Too bad I only have a switch which has no port mirroring to listen
to the whole traffic and find out the problem.
Any ideas what I should try or what I am missing?
--
Kai Weber
» kai.weber@glorybox.de http://www.glorybox.de gpg-key: 0x594D4132
* Re: What is missed for port forwarding
From: Antony Stone @ 2004-03-06 18:47 UTC
To: netfilter
On Saturday 06 March 2004 6:36 pm, Kai Weber wrote:
> I have a router where only masquerading and some QOS is enabled. I have
> a problem with port forwarding HTTP.
>
> The only rules I use (sorry for long lines):
(Sorry my mailer has wrapped them)
> $IPTABLES -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> $IPTABLES -t nat -A PREROUTING -p tcp --dport 10143 -j DNAT --to
> 192.168.1.2:22
> $IPTABLES -t nat -A PREROUTING -p tcp --dport 8888 -i ppp0
> -j DNAT --to 192.168.1.2:80
>
> The first DNAT rule works without a problem. I can ssh directly to my
> machine.
Which machine is that (192.168.1.2)? Is it the machine running the above
rules, or another machine on your internal LAN, with packets being routed by
the netfilter box?
> But the requests to port 8888 seem not to be answered or come
> through. Too bad I only have a switch which has no port mirroring to listen
> to the whole traffic and find out the problem.
>
> Any ideas what I should try or what I am missing?
Do you have a FORWARD rule allowing traffic to 192.168.1.2:80?
Do you have a rule allowing the reply packets (probably an ESTABLISHED,RELATED
rule)?
What happens if you telnet to port 80 on 192.168.1.2? Is there a service
listening on that port?
Antony.
--
If builders made buildings the way programmers write programs, then the first
woodpecker to come along would destroy civilisation.
Please reply to the list;
please don't CC me.
* Re: What is missed for port forwarding
From: Kai Weber @ 2004-03-07 9:40 UTC
To: netfilter
* Antony Stone <Antony@Soft-Solutions.co.uk>:
> Which machine is that (192.168.1.2)? Is it the machine running the above
> rules, or another machine on your internal LAN, with packets being routed by
> the netfilter box?
The router has 192.168.1.250, 192.168.1.2 is the box the packets should
be forwarded to.
> Do you have a FORWARD rule allowing traffic to 192.168.1.2:80?
> Do you have a rule allowing the reply packets (probably an ESTABLISHED,RELATED
> rule)?
The 3 rules from my first mail are the only rules I have. All chain
policies are set to ACCEPT.
> What happens if you telnet to port 80 on 192.168.1.2? Is there a service
> listening on that port?
Of course there is a running Apache on that port. I have no firewall on
192.168.1.2.
The strange thing: the rule for port forwarding for SSH works. The
packet counter for that rule is increasing when I try to connect to
that port. But there is no response.
--
Kai Weber
» kai.weber@glorybox.de http://www.glorybox.de gpg-key: 0x594D4132
* Re: What is missed for port forwarding
From: Antony Stone @ 2004-03-07 9:53 UTC
To: netfilter
On Sunday 07 March 2004 9:40 am, Kai Weber wrote:
> The strange thing: the rule for port forwarding for SSH works. The
> packet counter for that rule is increasing when I try to connect to
> that port. But there is no response.
Sorry, are you saying here that the packet counter for the port 8888 rule is
increasing when you try to connect, but you get no response from the server?
Are you testing both SSH/10143 and HTTP/8888 from the same client machine out
on the Internet?
Antony.
--
If you want to be happy for an hour, get drunk.
If you want to be happy for a year, get married.
If you want to be happy for a lifetime, get a garden.
Please reply to the list;
please don't CC me.
* Re: What is missed for port forwarding
From: Kai Weber @ 2004-03-07 15:49 UTC
To: netfilter
* Antony Stone <Antony@Soft-Solutions.co.uk>:
> Are you testing both SSH/10143 and HTTP/8888 from the same client machine out
> on the Internet?
Thanks for the tip. It works from outside. I tested only from "inside".
Why does DNAT not work when trying from inside? The webserver is on
192.168.1.2. The DNAT and MASQUERADE rules have no specific source and
destination interfaces defined. When I try from outside the port
forwarding does work. Connecting from a PC inside trying with the
outside address does not. I do not understand this behaviour. What
document should I read?
--
Kai Weber
» kai.weber@glorybox.de http://www.glorybox.de gpg-key: 0x594D4132
* Re: What is missed for port forwarding
From: Antony Stone @ 2004-03-07 16:02 UTC
To: netfilter
On Sunday 07 March 2004 3:49 pm, Kai Weber wrote:
> * Antony Stone <Antony@Soft-Solutions.co.uk>:
> > Are you testing both SSH/10143 and HTTP/8888 from the same client machine
> > out on the Internet?
>
> Thanks for the tip. It works from outside. I tested only from "inside".
>
> Why does DNAT not work when trying from inside?
See my sig below.
Client (e.g. 192.168.1.10) connects to firewall on 192.168.1.250.
Firewall DNATs the packet and sends it to 192.168.1.2.
192.168.1.2 replies to 192.168.1.10, which is on the local network, therefore
reply doesn't go through the firewall, therefore no reverse NAT takes place.
Result: 192.168.1.10 sent a packet to 192.168.1.250 and got a reply from
192.168.1.2.
Confused unhappy client.
See also http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-10.html
Regards,
Antony.
--
90% of networking problems are routing problems.
9 of the remaining 10% are routing problems in the other direction.
The remaining 1% might be something else, but check the routing anyway.
Please reply to the list;
please don't CC me.
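A constructed walk-through of the asymmetric path Antony describes, added here as an illustration and not part of the thread. It assumes a placeholder public address for ppp0, a LAN client 192.168.1.10, that the DNAT rules also match connections arriving from the LAN side (the thread's port 8888 rule is limited to -i ppp0), and models the usual fix of an extra POSTROUTING SNAT for LAN clients so the server's reply is forced back through the router.

```python
"""Model of hairpin (LAN-to-public-address) DNAT, as described in the thread.

Constructed example. Topology taken from the thread: router 192.168.1.250 on the
LAN with ppp0 towards the Internet, web server 192.168.1.2:80, DNAT of 8888 -> :80
and 10143 -> :22. The ppp0 address and the client addresses are placeholders.
"""
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")
ROUTER_LAN = "192.168.1.250"
ROUTER_WAN = "203.0.113.5"                 # placeholder for the ppp0 address
# PREROUTING DNAT rules from the thread, assumed here to match on any interface
DNAT = {8888: ("192.168.1.2", 80), 10143: ("192.168.1.2", 22)}


def forward_path(client, dst, dport, hairpin_snat=False):
    """Return (source address the server sees, reply passes through the router).

    Without SNAT a LAN client keeps its own source address after DNAT, so the
    server answers it directly on the same segment and the router never sees
    the reply. With the hairpin SNAT (assumed rule: POSTROUTING -s LAN
    -d 192.168.1.2 -j SNAT --to 192.168.1.250) the server answers the router.
    """
    if dst not in (ROUTER_LAN, ROUTER_WAN) or dport not in DNAT:
        return None
    server_sees_src = client
    if ip_address(client) in LAN and hairpin_snat:
        server_sees_src = ROUTER_LAN
    reply_via_router = (ip_address(server_sees_src) not in LAN
                        or server_sees_src == ROUTER_LAN)
    return server_sees_src, reply_via_router


def connection_works(client, dst, dport, hairpin_snat=False):
    """A client only accepts the SYN-ACK if it comes from the address it
    contacted. The router reverses the DNAT (and SNAT) only on replies that
    actually pass through it."""
    path = forward_path(client, dst, dport, hairpin_snat)
    if path is None:
        return False
    server_ip, _ = DNAT[dport]
    _, reply_via_router = path
    reply_src = dst if reply_via_router else server_ip
    return reply_src == dst


if __name__ == "__main__":
    for c in ("198.51.100.7", "192.168.1.10"):
        print(c, "-> 8888:", connection_works(c, ROUTER_WAN, 8888),
              "with hairpin SNAT:", connection_works(c, ROUTER_WAN, 8888, True))
```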