From: Jason Opperisano <opie@817west.com>
To: netfilter@lists.netfilter.org
Subject: Re: Natting IPs hanging
Date: Fri, 20 May 2005 11:47:46 -0400
Message-ID: <20050520154746.GA11824@bender.817west.com>
In-Reply-To: <42908917.40407@tlcdelivers.com>
On Sun, May 22, 2005 at 06:28:55AM -0700, Brian Atkins wrote:
> Now, even more strange is that I stripped everything out right down to
> just the natting piece and I still can't traverse the fw:
>
> # Generated by iptables-save v1.3.1 on Fri May 20 06:23:40 2005
> *raw
> :PREROUTING ACCEPT [185327:123272626]
> :OUTPUT ACCEPT [71616:17819696]
> COMMIT
> # Completed on Fri May 20 06:23:40 2005
> # Generated by iptables-save v1.3.1 on Fri May 20 06:23:40 2005
> *nat
> :PREROUTING ACCEPT [20964:3942558]
> :POSTROUTING ACCEPT [54:3564]
> :OUTPUT ACCEPT [53:3480]
> -A PREROUTING -d [PUBLIC_IP] -i eth0 -j DNAT --to-destination [PRIVATE_IP]
> -A PREROUTING -d [PUBLIC_IP] -i eth0 -j DNAT --to-destination [PRIVATE_IP]
> -A POSTROUTING -s [PRIVATE_IP] -o eth0 -j SNAT --to-source [PUBLIC_IP]
> -A POSTROUTING -s [PRIVATE_IP] -o eth0 -j SNAT --to-source [PUBLIC_IP]
> COMMIT
> # Completed on Fri May 20 06:23:40 2005
> # Generated by iptables-save v1.3.1 on Fri May 20 06:23:40 2005
> *filter
> :INPUT ACCEPT [955:375232]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1219:191838]
> :POSTROUTING - [0:0]
> :PREROUTING - [0:0]
> -A FORWARD -i eth1 -j POSTROUTING
um--wtf is this?
looking at the hit-count numbers of INPUT and OUTPUT vs. the fact that
FORWARD is sitting steady at zero...i'm going to take a swipe at the low
hanging fruit and say you forgot to enable IP forwarding:
sysctl -w net.ipv4.ip_forward=1
> COMMIT
> # Completed on Fri May 20 06:23:40 2005
>
> By all intents I should be vulnerable to the world. From the outside, I
> can hit the external facing NIC, but I can't get to the public IP of one
> of my webservers. From the inside, I can hit both NICs (inside/outside)
> on the firewall, but not the internal facing NIC on the ex-router. From
> the firewall, I can see both WWW and my internal network.
>
> Is there a tool to debug iptables to see if any of the rules are being
> used by incoming traffic?
iptables -vnxL will show you the hit-counts on your rules. in a
controlled environment and with specific rules, you should be able to
determine rather easily if the rule you think should be matching is
actually matching.
-j
--
"Brian: I've been to New York. It's like Prague sans the whimsy."
--Family Guy
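The "controlled environment, specific rules, watch the hit counts" approach from the reply, written out as a small diagnostic script. This is an added example, not code from the thread: it snapshots `iptables -vnxL` output before and after a known probe and prints only the rules whose packet counters moved, and it wraps the ip_forward check as a function. The two sample dumps, the interface names and the 192.168.1.10 address are constructed stand-ins for real output; on a live box they are replaced by the real `iptables -vnxL` / `iptables -t nat -vnxL` runs.

```shell
#!/bin/sh
# Added example (not from the thread): find out which iptables rules a test
# packet actually hits by snapshotting "iptables -vnxL" counters before and
# after a probe, plus the ip_forward check suggested first in the reply.
# Assumes the "iptables -vnxL" column layout:
#   pkts bytes target prot opt in out source destination [extra]

# Normalise one "iptables -vnxL" dump (any table) into one record per rule:
#   CHAIN|rule-number|pkts|bytes|rest of the rule
parse_counters() {
  awk '
    /^Chain /   { chain = $2; n = 0; next }   # "Chain FORWARD (policy ...)"
    /^ *pkts /  { next }                      # column header line
    NF == 0     { next }                      # blank line between chains
    {
      n++
      pkts = $1; bytes = $2
      $1 = ""; $2 = ""; sub(/^ +/, "")        # drop the counters, keep the rule text
      printf "%s|%d|%s|%s|%s\n", chain, n, pkts, bytes, $0
    }'
}

# Given two parsed snapshots (before and after the probe), print every rule
# whose packet counter advanced. A rule that stays at zero never saw the probe.
diff_counters() {
  awk -F'|' '
    NR == FNR { before[$1 "|" $2] = $3; next }   # first file: remember counters
    {
      delta = $3 - before[$1 "|" $2]
      if (delta > 0)
        printf "%s rule %d: +%d pkts  %s\n", $1, $2, delta, $5
    }' "$1" "$2"
}

# The low-hanging fruit: nothing is forwarded between interfaces unless
# net.ipv4.ip_forward is 1. $1 overrides the sysctl path (used by the test).
forwarding_enabled() {
  f="${1:-/proc/sys/net/ipv4/ip_forward}"
  [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Constructed sample dumps (filter table) standing in for two real
# "iptables -vnxL" runs around a probe from outside to the DNATed web server.
# Rule 1 is the inbound path, rule 2 the reply path; 192.168.1.10 is made up.
sample_before() {
  cat <<'EOF'
Chain INPUT (policy ACCEPT 955 packets, 375232 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            192.168.1.10
       0        0 ACCEPT     all  --  eth1   eth0    192.168.1.10         0.0.0.0/0
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}
sample_after() {
  cat <<'EOF'
Chain INPUT (policy ACCEPT 961 packets, 375900 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       3      180 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            192.168.1.10
       0        0 ACCEPT     all  --  eth1   eth0    192.168.1.10         0.0.0.0/0
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}

# Run the comparison on the samples. On a real firewall replace the two
# sample_* calls with "iptables -vnxL" (and "iptables -t nat -vnxL") taken
# before and after the probe; "iptables -Z" first makes the deltas obvious.
run_demo() {
  d=$(mktemp -d)
  sample_before | parse_counters > "$d/before"
  sample_after  | parse_counters > "$d/after"
  diff_counters "$d/before" "$d/after"
  rm -rf "$d"
}

run_demo
```

With the constructed samples the only line printed is `FORWARD rule 1: +3 pkts  ACCEPT all -- eth0 eth1 0.0.0.0/0 192.168.1.10`: the probe got through the inbound rule, but the reply rule stayed at zero, which is the pattern to look for when the internal host can be reached yet the connection never completes (the return traffic is not coming back through this box). Run the same pair of snapshots against the nat table to confirm the DNAT and SNAT rules are being hit as well.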