* Re: [LARTC] 2 providers & DNAT: incoming packets not forwarded
2004-02-19 14:45 [LARTC] 2 providers & DNAT: incoming packets not forwarded Raphael Benedet
@ 2004-02-19 16:31 ` Alexander A. Naumov
2004-02-19 16:48 ` Raphael Benedet
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Alexander A. Naumov @ 2004-02-19 16:31 UTC (permalink / raw)
To: lartc
Hi!
May be you need to set /proc/sys/net/ipv4/ip_forward sysctl value to 1?
Best regards,
Alexander A. Naumov
On Thu, Feb 19, 2004 at 03:45:06PM +0100, Raphael Benedet wrote:
> Hi,
>
> I have a problem with incoming connections on my Linux gateway.
> I have 2 providers, cable modem on eth1 and dsl on eth2 <-> ppp0
> (pppoe). The lan network is connected to eth0. At the moment, I have a
> very simple configuration where the default route is via eth1 (cable
> modem). I set up DNAT on ppp0 to forward incoming traffic for certain
> ports to a computer behind the gateway/firewall:
> iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 2000 -j DNAT
> --to-destination 172.16.1.4
> Packets get lost and never reach the FORWARD chain (I logged all packets
> to be sure)
>
> Here are my routes:
>
> # ip route ls
> 215.136.169.1 dev ppp0 proto kernel scope link src 215.136.169.15
> 135.165.199.128/25 dev eth1 proto kernel scope link src 135.165.199.139
> 172.16.0.0/16 dev eth0 proto kernel scope link src 172.16.1.1
> default via 135.165.199.129 dev eth1
>
> So, I understand traffic by default goes via eth1, but why don't
> incoming packets redirected (DNATed) to an intranet IP address go out
> via eth0?
> If I change my default route in table main to go via ppp0, then, it
> works. And DNATing on eth1 works with the current configuration.
>
> I don't have any other routing tables nor complex routing rules:
> # ip rule ls
> 0: from all lookup local
> 32766: from all lookup main
> 32767: from all lookup default
>
> I am running kernel 2.4.23 with Julian's patches.
>
> Any help would be greatly appreciated. Thank you.
>
> Raph
>
>
> --
>
> Raphael Benedet
> 3D Artists - raph.com
> "bringing art into the third dimension"
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [LARTC] 2 providers & DNAT: incoming packets not forwarded
2004-02-19 14:45 [LARTC] 2 providers & DNAT: incoming packets not forwarded Raphael Benedet
2004-02-19 16:31 ` Alexander A. Naumov
@ 2004-02-19 16:48 ` Raphael Benedet
2004-02-20 7:29 ` Razvan Stranschi
2004-02-20 10:08 ` Raphael Benedet
3 siblings, 0 replies; 5+ messages in thread
From: Raphael Benedet @ 2004-02-19 16:48 UTC (permalink / raw)
To: lartc
Hi,
It is of course set to 1.
I already have DNATing on eth1 and it works very well.
I suppose my problem come from my routing table but I don't understand
why no route is found to 172.16.1.4 coming from ppp0 with the current
configuration.
Regards,
Raph
Alexander A. Naumov wrote:
> Hi!
> May be you need to set /proc/sys/net/ipv4/ip_forward sysctl value to 1?
>
> Best regards,
> Alexander A. Naumov
>
> On Thu, Feb 19, 2004 at 03:45:06PM +0100, Raphael Benedet wrote:
>
>>Hi,
>>
>>I have a problem with incoming connections on my Linux gateway.
>>I have 2 providers, cable modem on eth1 and dsl on eth2 <-> ppp0
>>(pppoe). The lan network is connected to eth0. At the moment, I have a
>>very simple configuration where the default route is via eth1 (cable
>>modem). I set up DNAT on ppp0 to forward incoming traffic for certain
>>ports to a computer behind the gateway/firewall:
>>iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 2000 -j DNAT
>>--to-destination 172.16.1.4
>>Packets get lost and never reach the FORWARD chain (I logged all packets
>>to be sure)
>>
>>Here are my routes:
>>
>># ip route ls
>>215.136.169.1 dev ppp0 proto kernel scope link src 215.136.169.15
>>135.165.199.128/25 dev eth1 proto kernel scope link src 135.165.199.139
>>172.16.0.0/16 dev eth0 proto kernel scope link src 172.16.1.1
>>default via 135.165.199.129 dev eth1
>>
>>So, I understand traffic by default goes via eth1, but why don't
>>incoming packets redirected (DNATed) to an intranet IP address go out
>>via eth0?
>>If I change my default route in table main to go via ppp0, then, it
>>works. And DNATing on eth1 works with the current configuration.
>>
>>I don't have any other routing tables nor complex routing rules:
>># ip rule ls
>>0: from all lookup local
>>32766: from all lookup main
>>32767: from all lookup default
>>
>>I am running kernel 2.4.23 with Julian's patches.
>>
>>Any help would be greatly appreciated. Thank you.
>>
>>Raph
>>
>>
>>--
>>
>>Raphael Benedet
>>3D Artists - raph.com
>>"bringing art into the third dimension"
>>
>>_______________________________________________
>>LARTC mailing list / LARTC@mailman.ds9a.nl
>>http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>
>
>
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [LARTC] 2 providers & DNAT: incoming packets not forwarded
2004-02-19 14:45 [LARTC] 2 providers & DNAT: incoming packets not forwarded Raphael Benedet
2004-02-19 16:31 ` Alexander A. Naumov
2004-02-19 16:48 ` Raphael Benedet
@ 2004-02-20 7:29 ` Razvan Stranschi
2004-02-20 10:08 ` Raphael Benedet
3 siblings, 0 replies; 5+ messages in thread
From: Razvan Stranschi @ 2004-02-20 7:29 UTC (permalink / raw)
To: lartc
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#cccccc" text="#000000">
If you have default policy in forward chain to DROP you must permit
those packets to pass.<br>
<pre class="moz-signature" cols="90">Razvan Stranschi
<a class="moz-txt-link-abbreviated" href="mailto:razvan@arvo.ro">razvan@arvo.ro</a>
</pre>
<br>
<br>
Raphael Benedet wrote:
<blockquote cite="mid4034CBF2.50104@raph.com" type="cite">Hi,
<br>
<br>
I have a problem with incoming connections on my Linux gateway.
<br>
I have 2 providers, cable modem on eth1 and dsl on eth2 <-> ppp0
(pppoe). The lan network is connected to eth0. At the moment, I have a
very simple configuration where the default route is via eth1 (cable
modem). I set up DNAT on ppp0 to forward incoming traffic for certain
ports to a computer behind the gateway/firewall:
<br>
iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 2000 -j
DNAT --to-destination 172.16.1.4
<br>
Packets get lost and never reach the FORWARD chain (I logged all
packets to be sure)
<br>
<br>
Here are my routes:
<br>
<br>
# ip route ls
<br>
215.136.169.1 dev ppp0 proto kernel scope link src 215.136.169.15
<br>
135.165.199.128/25 dev eth1 proto kernel scope link src
135.165.199.139
<br>
172.16.0.0/16 dev eth0 proto kernel scope link src 172.16.1.1
<br>
default via 135.165.199.129 dev eth1
<br>
<br>
So, I understand traffic by default goes via eth1, but why don't
incoming packets redirected (DNATed) to an intranet IP address go out
via eth0?
<br>
If I change my default route in table main to go via ppp0, then, it
works. And DNATing on eth1 works with the current configuration.
<br>
<br>
I don't have any other routing tables nor complex routing rules:
<br>
# ip rule ls
<br>
0: from all lookup local
<br>
32766: from all lookup main
<br>
32767: from all lookup default
<br>
<br>
I am running kernel 2.4.23 with Julian's patches.
<br>
<br>
Any help would be greatly appreciated. Thank you.
<br>
<br>
Raph
<br>
<br>
<br>
</blockquote>
</body>
</html>
---------------------------------------
This e-mail was scanned for viruses by ARVO.
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [LARTC] 2 providers & DNAT: incoming packets not forwarded
2004-02-19 14:45 [LARTC] 2 providers & DNAT: incoming packets not forwarded Raphael Benedet
` (2 preceding siblings ...)
2004-02-20 7:29 ` Razvan Stranschi
@ 2004-02-20 10:08 ` Raphael Benedet
3 siblings, 0 replies; 5+ messages in thread
From: Raphael Benedet @ 2004-02-20 10:08 UTC (permalink / raw)
To: lartc
Hi,
I have all the rules needed to accept packets in the FORWARD chain. DNAT
on eth1 works very well, I see the packets in the PREROUTING chain,
DNATed, in the FORWARD chain and then going out via the intranet
interface eth0 (traced with tcpdump). But I don't manage to have DNAT
work on ppp0.
I set as the *first* rule of my FORWARD chain a LOG target to log all
the packets. While I can see DNATed packets from eth1, DNATed packets
from ppp0 are lost. So I suppose it's a routing problem: packets are
lost at the routing level, not the iptables one.
I also use logging in my PREROUTING chain to ensure packets are DNATed:
iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 2000 -j LOG
--log-prefix 'before DNAT rule'
iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 2000 -j DNAT
--to-destination 172.16.1.4
iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 2000 -j LOG
--log-prefix 'after DNAT rule'
And the packets are DNATed since I never see the second log line in my logs.
I think it's a routing problem, but I don't understand why with a table
like this:
215.136.169.1 dev ppp0 proto kernel scope link src 215.136.169.15
135.165.199.128/25 dev eth1 proto kernel scope link src 135.165.199.139
172.16.0.0/16 dev eth0 proto kernel scope link src 172.16.1.1
default via 135.165.199.129 dev eth1
packets coming in via eth1 to 172.16.1.4 are correctly routed (go out
via eth0) but packets coming in via ppp0 are lost. This is driving me nuts!
Best Regards,
Raph
Razvan Stranschi wrote:
> If you have default policy in forward chain to DROP you must permit
> those packets to pass.
>
> Razvan Stranschi
> razvan@arvo.ro
>
>
>
> Raphael Benedet wrote:
>
>> Hi,
>>
>> I have a problem with incoming connections on my Linux gateway.
>> I have 2 providers, cable modem on eth1 and dsl on eth2 <-> ppp0
>> (pppoe). The lan network is connected to eth0. At the moment, I have a
>> very simple configuration where the default route is via eth1 (cable
>> modem). I set up DNAT on ppp0 to forward incoming traffic for certain
>> ports to a computer behind the gateway/firewall:
>> iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 2000 -j
>> DNAT --to-destination 172.16.1.4
>> Packets get lost and never reach the FORWARD chain (I logged all
>> packets to be sure)
>>
>> Here are my routes:
>>
>> # ip route ls
>> 215.136.169.1 dev ppp0 proto kernel scope link src 215.136.169.15
>> 135.165.199.128/25 dev eth1 proto kernel scope link src
>> 135.165.199.139
>> 172.16.0.0/16 dev eth0 proto kernel scope link src 172.16.1.1
>> default via 135.165.199.129 dev eth1
>>
>> So, I understand traffic by default goes via eth1, but why don't
>> incoming packets redirected (DNATed) to an intranet IP address go out
>> via eth0?
>> If I change my default route in table main to go via ppp0, then, it
>> works. And DNATing on eth1 works with the current configuration.
>>
>> I don't have any other routing tables nor complex routing rules:
>> # ip rule ls
>> 0: from all lookup local
>> 32766: from all lookup main
>> 32767: from all lookup default
>>
>> I am running kernel 2.4.23 with Julian's patches.
>>
>> Any help would be greatly appreciated. Thank you.
>>
>> Raph
>>
>>
> --------------------------------------- This e-mail was scanned for
> viruses by ARVO.
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
^ permalink raw reply [flat|nested] 5+ messages in thread