From mboxrd@z Thu Jan 1 00:00:00 1970
From: Jason Opperisano
Subject: Re: Natting IPs hanging
Date: Fri, 20 May 2005 11:47:46 -0400
Message-ID: <20050520154746.GA11824@bender.817west.com>
References: <428FBAB0.8030206@tlcdelivers.com> <42908917.40407@tlcdelivers.com>
In-Reply-To: <42908917.40407@tlcdelivers.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Sender: netfilter-bounces@lists.netfilter.org
Errors-To: netfilter-bounces@lists.netfilter.org
To: netfilter@lists.netfilter.org

On Sun, May 22, 2005 at 06:28:55AM -0700, Brian Atkins wrote:
> Now, even more strange is that I stripped everything out right down to
> just the natting piece and I still can't traverse the fw:
>
> # Generated by iptables-save v1.3.1 on Fri May 20 06:23:40 2005
> *raw
> :PREROUTING ACCEPT [185327:123272626]
> :OUTPUT ACCEPT [71616:17819696]
> COMMIT
> # Completed on Fri May 20 06:23:40 2005
> # Generated by iptables-save v1.3.1 on Fri May 20 06:23:40 2005
> *nat
> :PREROUTING ACCEPT [20964:3942558]
> :POSTROUTING ACCEPT [54:3564]
> :OUTPUT ACCEPT [53:3480]
> -A PREROUTING -d [PUBLIC_IP] -i eth0 -j DNAT --to-destination [PRIVATE_IP]
> -A PREROUTING -d [PUBLIC_IP] -i eth0 -j DNAT --to-destination [PRIVATE_IP]
> -A POSTROUTING -s [PRIVATE_IP] -o eth0 -j SNAT --to-source [PUBLIC_IP]
> -A POSTROUTING -s [PRIVATE_IP] -o eth0 -j SNAT --to-source [PUBLIC_IP]
> COMMIT
> # Completed on Fri May 20 06:23:40 2005
> # Generated by iptables-save v1.3.1 on Fri May 20 06:23:40 2005
> *filter
> :INPUT ACCEPT [955:375232]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1219:191838]
> :POSTROUTING - [0:0]
> :PREROUTING - [0:0]
> -A FORWARD -i eth1 -j POSTROUTING

um--wtf is this?

looking at the hit-count numbers of INPUT and OUTPUT vs. the fact that
FORWARD is sitting steady at zero...i'm going to take a swipe at the low
hanging fruit and say you forgot to enable IP forwarding:

  sysctl -w net.ipv4.ip_forward=1

> COMMIT
> # Completed on Fri May 20 06:23:40 2005
>
> By all intents I should be vulnerable to the world. From the outside, I
> can hit the external facing NIC, but I can't get to the public IP of one
> of my webservers. From the inside, I can hit both NICs (inside/outside)
> on the firewall, but not the internal facing NIC on the ex-router. From
> the firewall, I can see both WWW and my internal network.
>
> Is there a tool to debug iptables to see if any of the rules are being
> used by incoming traffic?

iptables -vnxL will show you the hit-counts on your rules. in a
controlled environment and with specific rules, you should be able to
determine rather easily if the rule you think should be matching is
actually matching.

-j

--
"Brian: I've been to New York. It's like Prague sans the whimsy."
        --Family Guy
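The two checks Jason suggests, scripted. This is an added example, not code from the thread or from netfilter: ip_forward_state() reads the sysctl file (the path argument is there only so it can be pointed at a copy; on a live box call it with no argument), and idle_chains() and zero_hit_rules() read "iptables -vnxL" output on stdin and report built-in chains no packet has traversed and rules that have never matched. The listing in sample_listing() is constructed to mirror the counters in the quoted dump; it is not the original poster's real output.

```sh
#!/bin/sh
# Added example (not from the original thread): script form of the checks
# discussed above. Works on any "iptables -vnxL" listing fed on stdin, so it
# can be run against output saved from a remote firewall as well as live.

# Exit status: 0 = forwarding on, 1 = off, 2 = file unreadable (not Linux,
# or no permission). Default path is the real sysctl file.
ip_forward_state() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" = "1" ]
}

# Built-in chains (those with a policy) whose policy counter and every rule
# counter are all zero. Summing counters overcounts packets that pass several
# non-terminating rules, but "everything is zero" is exactly the signal in the
# quoted dump: FORWARD at [0:0] while INPUT and OUTPUT are busy.
idle_chains() {
    awk '
        function flush() { if (chain != "" && builtin && total == 0) print chain }
        /^Chain / {
            flush()
            chain = $2
            builtin = ($3 == "(policy")   # "(N references)" marks a user chain
            total = builtin ? $5 + 0 : 0   # $5 is the policy packet count
            next
        }
        $1 == "pkts" || NF == 0 { next }   # column header and blank separators
        { total += $1 }
        END { flush() }
    '
}

# Rules with a zero packet count, prefixed with their chain. A rule you expect
# to match that stays at zero is the one to stare at.
zero_hit_rules() {
    awk '
        /^Chain / { chain = $2; next }
        $1 == "pkts" || NF == 0 { next }
        $1 == 0 { $1 = ""; $2 = ""; sub(/^ +/, ""); print chain ": " $0 }
    '
}

# Constructed sample listing (not the poster's actual output) with the same
# counters as the quoted iptables-save dump of the filter table.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT 955 packets, 375232 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 POSTROUTING  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1219 packets, 191838 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain POSTROUTING (1 references)
    pkts      bytes target     prot opt in     out     source               destination
EOF
}

# Stand-alone run: live sysctl check, then the sample listing.
if ip_forward_state; then
    echo "net.ipv4.ip_forward = 1"
else
    echo "net.ipv4.ip_forward is not 1 (or not readable): sysctl -w net.ipv4.ip_forward=1"
fi
echo "built-in chains with no traffic:"
sample_listing | idle_chains
echo "rules with zero hits:"
sample_listing | zero_hit_rules
```

On a live firewall replace sample_listing with `iptables -vnxL` (and `iptables -t nat -vnxL` for the NAT chains); a FORWARD chain that stays at zero while hosts behind the box are generating traffic is the forwarding sysctl, not the rules.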