* ebtables iptables DNAT something missing
From: Randy Grimshaw @ 2005-12-14 14:43 UTC (permalink / raw)
To: netfilter
I thought I followed the recipe for DNAT on a transparent firewall correctly with the statement below, and sniffing shows that the traffic is redirected. But although the client receives the return responses from the server at the dnat destination - the client basically ignores it. (possibly as unexpected noise). What am I missing?
iptables -t nat -D PREROUTING -p tcp --dport 80 -m physdev --physdev-in eth1 -m mark --mark 9 -j DNAT --to-destination 192.168.12.12:80
Thank you
<><Randy
<><Randall Grimshaw
Room 203 Machinery Hall
Syracuse University
Syracuse, NY 13244
315-443-5779
rgrimsha@syr.edu
* Re: ebtables iptables DNAT something missing
From: Jörg Harmuth @ 2005-12-14 16:21 UTC (permalink / raw)
To: netfilter
Randy Grimshaw wrote:
> I thought I followed the recipe for DNAT on a transparent firewall correctly with the statement below, and sniffing shows that the traffic is redirected. But although the client receives the return responses from the server at the dnat destination - the client basically ignores it. (possibly as unexpected noise). What am I missing?
>
> iptables -t nat -D PREROUTING -p tcp --dport 80 -m physdev --physdev-in eth1 -m mark --mark 9 -j DNAT --to-destination 192.168.12.12:80
Are you sure? -D means delete. Given that this is a typo, maybe you are
missing a SNAT rule? Also, maybe a tcpdump helps.
* Re: ebtables iptables DNAT something missing
From: Jan Engelhardt @ 2006-01-03 7:21 UTC (permalink / raw)
To: Jörg Harmuth; +Cc: netfilter
>> I thought I followed the recipe for DNAT on a transparent firewall
>> correctly with the statement below, and sniffing shows that the traffic
>> is redirected. But although the client receives the return responses
>> from the server at the dnat destination - the client basically ignores
>> it. (possibly as unexpected noise). What am I missing?
>>
>> iptables -t nat -D PREROUTING -p tcp --dport 80 -m physdev
>> --physdev-in eth1 -m mark --mark 9 -j DNAT --to-destination
>> 192.168.12.12:80
>
>Are you sure? -D means delete. Given that this is a typo, maybe you are
>missing a SNAT rule? Also, maybe a tcpdump helps.
You cannot use Layer3-DNAT on a bridge (which is Layer2).
Jan Engelhardt
* Re: ebtables iptables DNAT something missing
From: Randy Grimshaw @ 2005-12-15 16:10 UTC (permalink / raw)
To: netfilter, harmuth
Thank you for your assistance.
The recipes I have do not describe a SNAT rule? Some describe adding an ebtables dnat for the MAC address, others say it is not required.
To my embarrassment I did copy the wrong line from my screen; please substitute -A for the -D, but the problem persists. Here is another recipe that has the same problem:
iptables -t nat -A PREROUTING -p tcp -m physdev --physdev-in eth1 -m mark --mark 4 --dport 80 -j REDIRECT
The problem is that the packets are redirected, and the bridge/web service responds, but the client silently ignores the redirected server.
The tcpdump and ethereal traces show:
client.highport -> origtarget.80
bridge.80 -> client.highport ack
this repeats several times and the client complains with a timeout.
<><Randy
<><Randall Grimshaw
Room 203 Machinery Hall
Syracuse University
Syracuse, NY 13244
315-443-5779
rgrimsha@syr.edu
>>> Jörg Harmuth <harmuth@mnemon.de> 12/14/05 11:21 AM >>>
Randy Grimshaw wrote:
> I thought I followed the recipe for DNAT on a transparent firewall correctly with the statement below, and sniffing shows that the traffic is redirected. But although the client receives the return responses from the server at the dnat destination - the client basically ignores it. (possibly as unexpected noise). What am I missing?
>
> iptables -t nat -D PREROUTING -p tcp --dport 80 -m physdev --physdev-in eth1 -m mark --mark 9 -j DNAT --to-destination 192.168.12.12:80
Are you sure? -D means delete. Given that this is a typo, maybe you are
missing a SNAT rule? Also, maybe a tcpdump helps.
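The trace in the post above shows the telling detail: the client sends to origtarget.80, but the replies arrive from bridge.80. A TCP client only accepts segments whose source address and port equal the destination it originally sent to (the socket is keyed on the full 4-tuple), so a reply from a different address is not matched to the half-open connection and is dropped, which is exactly the "client silently ignores it" symptom. The following script is an added example and is not part of the original thread or any poster's code: it parses trace lines in the "host.port -> host.port [flags]" notation used in the post and flags replies whose source does not match any destination the client actually addressed. The host names, port numbers and trace lines are constructed for illustration.

```python
import re
from collections import namedtuple

# One parsed segment from a "host.port -> host.port [flags]" trace line.
Segment = namedtuple("Segment", "src sport dst dport flags")

# Matches the shape the poster used: "client.40123 -> origtarget.80 ack".
# Hosts may be names or dotted IPs; the port is the last dot-separated field,
# and any trailing flags must be separated from the port by whitespace.
LINE_RE = re.compile(r"^(\S+?)\.(\d+)\s*->\s*(\S+?)\.(\d+)(?:\s+(\S.*))?$")


def parse_line(line):
    """Parse a single trace line into a Segment; raise on unrecognised input."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable trace line: %r" % (line,))
    src, sport, dst, dport, flags = m.groups()
    return Segment(src, int(sport), dst, int(dport), (flags or "").strip())


def find_mismatched_replies(lines, service_port=80):
    """Return reply segments whose source is not a peer the client ever addressed.

    A segment sent to service_port is treated as client -> server and records
    (server, port) as a peer of that (client, port) socket. Every other segment
    aimed at a known client socket is checked against that peer set: a reply
    from an address/port the client never sent to matches no connection in the
    client's TCP stack and will not be accepted.
    """
    peers = {}          # (client, client_port) -> set of (server, server_port)
    mismatched = []
    for line in lines:
        if not line.strip():
            continue
        seg = parse_line(line)
        if seg.dport == service_port:
            peers.setdefault((seg.src, seg.sport), set()).add((seg.dst, seg.dport))
            continue
        client = (seg.dst, seg.dport)
        if client in peers and (seg.src, seg.sport) not in peers[client]:
            mismatched.append(seg)
    return mismatched


# Constructed trace in the poster's notation, not a real capture. The reply
# source is the bridge's own address rather than origtarget, as in the thread.
SAMPLE_TRACE = [
    "client.40123 -> origtarget.80",
    "bridge.80 -> client.40123 ack",
    "client.40123 -> origtarget.80",
    "bridge.80 -> client.40123 ack",
]

# The same exchange as the client would have to see it to complete the handshake.
SYMMETRIC_TRACE = [
    "client.40123 -> origtarget.80",
    "origtarget.80 -> client.40123 ack",
]


def report(lines):
    """Print a summary for a trace and return the list of mismatched replies."""
    problems = find_mismatched_replies(lines)
    for seg in problems:
        print("reply from %s.%d to %s.%d does not match any destination that client sent to"
              % (seg.src, seg.sport, seg.dst, seg.dport))
    if not problems:
        print("all replies match the client's original destination")
    return problems


if __name__ == "__main__":
    report(SAMPLE_TRACE)
    report(SYMMETRIC_TRACE)
```

When run on the constructed sample the two bridge.80 replies are reported as unmatched, while the symmetric trace passes. In practice the same check can be fed the output of tcpdump after trimming it to the "src.port > dst.port" fields; what it confirms is only that the reply's source tuple differs from what the client sent to, which is what makes the client discard it, not why the rewrite is incomplete on the bridge.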