From mboxrd@z Thu Jan  1 00:00:00 1970
From: Gludovátz Gábor
Date: Thu, 01 Apr 2004 06:33:21 +0000
Subject: Re: [LARTC] Buggy netfilter?
Message-Id: <406BB7B1.5000409@sopron.hu>
List-Id:
References: <406B2FC1.7080209@sopron.hu>
In-Reply-To: <406B2FC1.7080209@sopron.hu>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
To: lartc@vger.kernel.org

Roy wrote:
> Your mail is a little hard to understand; what do you need?
>
> What is this configuration supposed to do?
>

I would like to connect to my firewall and to the machines behind it
(with DNAT) from the Internet.

The firewall has 2 Internet providers, one with a broadband DSL (ppp0)
connection, one with a cable connection (eth0).

I can connect to my firewall through both connections, but DNAT operates
only on eth0.

However, ppp0 DNAT should work as well, because the packets go the same
route inside netfilter. An iptables log event is also fired, but in
the end the ppp0 packets get lost, while the eth0 packets get forwarded
to the target machine (behind the firewall).

The ppp0 packets cannot be tracked down once they have entered the firewall.
tcpdump sees only ppp0 packets coming in, but nothing goes back, and
nothing goes out on the inner interface (eth2) to the target.

With eth0 everything works well.

ppp0 mtu is reduced as well, so I don't have any more ideas what else to try
to make this configuration work.

> ----- Original Message -----
> From: "Gludovátz Gábor"
> To:
> Sent: Wednesday, March 31, 2004 11:53 PM
> Subject: [LARTC] Buggy netfilter?
>
>
> Or am I doing something really wrong?
>
>
> 2 public interfaces (eth0 and ppp0), with 2 public IP addresses.
>
> I can ping and connect to both interfaces' IP addresses. I can log in with
> ssh, anything on _both_ IP addresses.
>
> But iptables DNAT works only for eth0.
>
> Here are my settings:
>
> (ppp is initialized with 'pptp provider.ip')
>
> --- /etc/ppp/options ---
>
> nodefaultroute
> noipdefault
> name "adsluser@provider"
> linkname "adsl"
> noauth
> debug
> mtu 1400
> mru 1400
>
> --- ip route settings ---
>
> Just like in the Adv-Routing-HowTo (4.2.1. Split access), except for the
> different IP addresses.
>
> --- iptables ---
>
> iptables -t nat -N ROUTING1
> iptables -t nat -N ROUTING2
>
> iptables -t nat -A PREROUTING -p tcp -i eth0 -j ROUTING1
> iptables -t nat -A PREROUTING -p tcp -i ppp0 -j ROUTING1
>
> iptables -t nat -A ROUTING1 -p tcp -j ROUTING2 -s $clientip1/32
> iptables -t nat -A ROUTING1 -p tcp -j ROUTING2 -s $clientip2/32
>
> iptables -t nat -A ROUTING2 -p tcp -j LOG --dport 3389 --log-prefix
> "FW: MSTSC connection attempt " --log-level warn
> iptables -t nat -A ROUTING2 -p tcp -j DNAT --dport 3389 --to-destination
> 192.168.100.23:3389
>
> ---
>
> eth2 is the 3rd interface, with access to our 192.168.100.* private network.
>
>
> -- The result: --
>
> I can reach both interfaces (from the Internet), I can connect through
> them to the firewall.
>
> But DNAT works only with the eth0 interface.
>
> Strange: the iptables LOG rule is fired for ppp0 and eth0 connections,
> but eth0 connections are successful, and at the same time:
> ppp0 connections are just waiting without anything coming back.
>
> But as you can see, the packets for both go the same way in iptables.
>
> --- tcpdump ---
>
> If I go through ppp0, nothing can be seen on the inner interface (eth2).
> The packets seem to get lost somewhere, so nothing (nothing at all) goes
> back to the client who tries to connect.
>
>
>
> Thanks in advance
>

--
Gábor GLUDOVÁTZ / +36 (70) 520 31 62
http://www.gludovatz.com/

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/