From: Gludovátz Gábor
Date: Wed, 31 Mar 2004 20:53:21 +0000
Subject: [LARTC] Buggy netfilter?
Message-Id: <406B2FC1.7080209@sopron.hu>
To: lartc@vger.kernel.org

Or am I doing something really wrong?

2 public interfaces (eth0 and ppp0), with 2 public IP addresses.
I can ping and connect to both interfaces' IP addresses. I can log in with ssh, anything, on _both_ IP addresses.
But iptables DNAT works only for eth0.

Here are my settings:
(ppp is initialized with 'pptp provider.ip')

--- /etc/ppp/options ---
nodefaultroute
noipdefault
name "adsluser@provider"
linkname "adsl"
noauth
debug
mtu 1400
mru 1400

--- ip route settings ---
Just like in the Adv-Routing-HowTo (4.2.1. Split access), except for the different IP addresses.

--- iptables ---
iptables -t nat -N ROUTING1
iptables -t nat -N ROUTING2
iptables -t nat -A PREROUTING -p tcp -i eth0 -j ROUTING1
iptables -t nat -A PREROUTING -p tcp -i ppp0 -j ROUTING1
iptables -t nat -A ROUTING1 -p tcp -j ROUTING2 -s $clientip1/32
iptables -t nat -A ROUTING1 -p tcp -j ROUTING2 -s $clientip2/32
iptables -t nat -A ROUTING2 -p tcp -j LOG --dport 3389 --log-prefix "FW: MSTSC connection attempt " --log-level warn
iptables -t nat -A ROUTING2 -p tcp -j DNAT --dport 3389 --to-destination 192.168.100.23:3389
---

eth2 is the 3rd interface, with access to our 192.168.100.* private network.

-- The result: --
I can reach both interfaces (from the Internet), and I can connect through them to the firewall.
But DNAT works only with the eth0 interface.

Strange: the iptables LOG rule is fired for ppp0 and eth0 connections, but eth0 connections are successful, and at the same time ppp0 connections are just waiting without anything coming back. But as you can see, the packets for both go the same way in iptables.

--- tcpdump ---
If I go through ppp0, nothing can be seen on the inner interface (eth2). The packets seem to get lost somewhere, so nothing (nothing at all) goes back to the client who tries to connect.

Thanks in advance
-- 
Gábor Gludovátz / +36 (70) 520 31 62
http://www.gludovatz.com/

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
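The following is an added example, not part of the post above and not a diagnosis of it. It shows the two things a practitioner would check when a DNAT rule on a multi-homed box is hit (the LOG fires) but the packet never appears on the inside interface: first, the per-interface rp_filter setting, since reverse-path filtering on a router with two default-route candidates silently discards packets whose source would be routed out a different interface, before FORWARD ever sees the DNATed packet; second, whether the inside host's replies are routed back out the interface the connection arrived on, using the CONNMARK-based policy routing that the HOWTO's split-access setup implies rather than a single default route. Interface names, the RDP host 192.168.100.23 and port 3389 are taken from the post; the chain name MARKIN, the mark values 1/2 and routing tables 1/2 are arbitrary choices, and the script assumes those tables already carry per-uplink default routes as in HOWTO section 4.2.1. With DRY_RUN set it only prints the commands, so the rule set can be reviewed on any machine.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes eth0 and ppp0 are the
# public interfaces, eth2 the inside one, and 192.168.100.23:3389 the RDP
# host. Chain name MARKIN, marks 1/2 and tables 1/2 are arbitrary choices.
set -u

# With DRY_RUN set, print each command instead of executing it, so the rule
# set can be inspected (or unit-tested) on a box without iptables or root.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 1. Report reverse-path filtering per interface. rp_filter=1 on a router with
#    two uplinks drops packets arriving on the "wrong" interface for their
#    source address, before any FORWARD rule or tcpdump on eth2 would see them.
#    Reads /proc where available and prints n/a elsewhere, so it runs anywhere.
rp_filter_status() {
    for ifc in all default "$@"; do
        f="/proc/sys/net/ipv4/conf/$ifc/rp_filter"
        if [ -r "$f" ]; then
            printf '%s rp_filter=%s\n' "$ifc" "$(cat "$f")"
        else
            printf '%s rp_filter=n/a\n' "$ifc"
        fi
    done
}

# 2. DNAT plus connmark-based return routing. A new inbound connection is
#    marked by the interface it arrived on and the mark is saved in conntrack;
#    reply packets from the inside host get the mark restored, and an ip rule
#    sends marked replies to the table whose default route is that uplink.
#    $1 = inside host, $2 = TCP port, remaining args = iface:mark:table triples.
build_rules() {
    inside=$1; port=$2; shift 2
    run iptables -t mangle -N MARKIN
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -m mark --mark 0 -j MARKIN
    for spec in "$@"; do
        ifc=${spec%%:*}; rest=${spec#*:}
        mark=${rest%%:*}; table=${rest#*:}
        run iptables -t mangle -A MARKIN -i "$ifc" -j MARK --set-mark "$mark"
        run iptables -t nat -A PREROUTING -i "$ifc" -p tcp --dport "$port" \
            -j DNAT --to-destination "$inside:$port"
        run ip rule add fwmark "$mark" table "$table"
    done
    run iptables -t mangle -A MARKIN -j CONNMARK --save-mark
    run iptables -A FORWARD -p tcp -d "$inside" --dport "$port" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Usage (dry run): review the generated rules, then check rp_filter.
#   DRY_RUN=1 ./split-dnat.sh
if [ "${0##*/}" = "split-dnat.sh" ]; then
    rp_filter_status eth0 ppp0 eth2
    build_rules 192.168.100.23 3389 eth0:1:1 ppp0:2:2
fi
```

Run it once with DRY_RUN=1 and compare the printed rp_filter values across eth0, ppp0 and eth2; a value of 1 on the uplink that fails is the first thing to rule out, and the mangle/CONNMARK rules are only worth loading once the inside interface actually sees the DNATed SYN in tcpdump.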