* what's the problem of DNAT
@ 2005-10-31 3:31 Buddy wu
From: Buddy wu @ 2005-10-31 3:31 UTC (permalink / raw)
To: netfilter
I use '/sbin/iptables -t nat -A PREROUTING -d InternetAddr -p tcp
--dport 80 -j DNAT --to 192.168.16.100:8087' and it can work, but if I use
8087 instead of 80, like follows:
/sbin/iptables -t nat -A PREROUTING -d InternetAddr -p tcp --dport
8087 -j DNAT --to 192.168.16.100:8087
then it can't work. What's wrong with it?
* Re: what's the problem of DNAT
From: Buddy wu @ 2005-10-31 5:24 UTC (permalink / raw)
To: netfilter
It's really strange, please HELP me.
I've checked and I'm sure that no rules were set to forbid access to
those ports.
2005/10/31, Buddy wu <ejournal4me@gmail.com>:
> I use '/sbin/iptables -t nat -A PREROUTING -d InternetAddr -p tcp
> --dport 80 -j DNAT --to 192.168.16.100:8087' and it can work, but if I use
> 8087 instead of 80, like follows:
> /sbin/iptables -t nat -A PREROUTING -d InternetAddr -p tcp --dport
> 8087 -j DNAT --to 192.168.16.100:8087
> then it can't work. What's wrong with it?
>
* Re: what's the problem of DNAT
From: Henrik Nordstrom @ 2005-10-31 6:59 UTC (permalink / raw)
To: Buddy wu; +Cc: netfilter
On Mon, 31 Oct 2005, Buddy wu wrote:
> I use '/sbin/iptables -t nat -A PREROUTING -d InternetAddr -p tcp
> --dport 80 -j DNAT --to 192.168.16.100:8087' and it can work, but if I use
> 8087 instead of 80, like follows:
> /sbin/iptables -t nat -A PREROUTING -d InternetAddr -p tcp --dport
> 8087 -j DNAT --to 192.168.16.100:8087
> then it can't work. What's wrong with it?
Any other rules in PREROUTING on port 80?
iptables-save -t nat
Regards
Henrik
* Re: what's the problem of DNAT
From: Buddy wu @ 2005-10-31 7:58 UTC (permalink / raw)
To: Henrik Nordstrom; +Cc: netfilter
> Any other rules in PREROUTING on port 80?
>
> iptables-save -t nat
-A PREROUTING -d Inet1 -p tcp -m tcp --dport 6100 -j DNAT --to-destination 192.168.16.21:6100
-A PREROUTING -d Inet1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.16.114:80
-A PREROUTING -d Inet1 -p tcp -m tcp --dport 20 -j DNAT --to-destination 192.168.16.114:20
-A PREROUTING -d Inet1 -p tcp -m tcp --dport 8081 -j DNAT --to-destination 192.168.16.100:8081
-A PREROUTING -d Inet1 -p tcp -m tcp --dport 8082 -j DNAT --to-destination 192.168.16.100:8082
-A PREROUTING -d Inet1 -p tcp -m tcp --dport 8085 -j DNAT --to-destination 192.168.16.100:8085
-A PREROUTING -d Inet1 -p tcp -m tcp --dport 8083 -j DNAT --to-destination 192.168.16.100:8083
-A PREROUTING -d Inet1 -p tcp -m tcp --dport 8087 -j DNAT --to-destination 192.168.16.100:8087
These are the rules in PREROUTING; Inet1 replaces the
internet address. Now it can only connect to Inet1:80 through the
internet, and others like Inet1:8083 can't be accessed.
It worked months ago, but now it doesn't work anyway.
* Re: what's the problem of DNAT
From: Rob Sterenborg @ 2005-10-31 8:10 UTC (permalink / raw)
To: Buddy wu; +Cc: netfilter
On Mon, October 31, 2005 08:58, Buddy wu wrote:
> -A PREROUTING -d Inet1 -p tcp -m tcp --dport 6100 -j DNAT
> --to-destination 192.168.16.21:6100
> -A PREROUTING -d Inet1 -p tcp -m tcp --dport 80 -j DNAT
> --to-destination 192.168.16.114:80
...
> -A PREROUTING -d Inet1 -p tcp -m tcp --dport 8087 -j DNAT
> --to-destination 192.168.16.100:8087
>
> These are the rules in PREROUTING; Inet1 replaces the
> internet address. Now it can only connect to Inet1:80 through the
> internet, and others like Inet1:8083 can't be accessed.
> It worked months ago, but now it doesn't work anyway.
Has anything changed in the FORWARD chain? You need to allow it there.
Gr,
Rob
* Re: what's the problem of DNAT
From: Buddy wu @ 2005-10-31 8:26 UTC (permalink / raw)
To: Rob Sterenborg; +Cc: netfilter
> Has anything changed in the FORWARD chain? You need to allow it there.
>
Following is the FORWARD chain. I think I DROP nothing except what's in the list.
I HAVE modified the policy of the FORWARD chain to ACCEPT; that's why I'm
puzzled.
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 ipp2p v0.8.0_rc3 --ipp2p
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 192.168.20.90 192.168.8.66 tcp dpts:137:445
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:137:139
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5554
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:1433:1444
DROP all -- 0.0.0.0/0 202.101.43.60
DROP all -- 0.0.0.0/0 202.101.43.67
DROP all -- 0.0.0.0/0 202.101.43.57
And there is another interesting thing (I'm pained with the "interesting thing").
When I use the 'sbin/iptables -t nat -A PREROUTING -d Inet2 -p tcp
--dport 8087 -j DNAT --to 192.168.16.100:8087' rule, I can access
http://Inet2:8087 in the LAN, but I can't access http://Inet2:8087
through the Internet (I have a machine with direct access to the internet).
When I turn to using 'sbin/iptables -t nat -A PREROUTING -d Inet2 -p tcp
--dport 80 -j DNAT --to 192.168.16.100:8087' then I can access
http://Inet2:80 in the LAN, and both can access http://Inet2:80 on the
Internet... that's the thing I had met.
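A small cross-check of the two listings in this message, added here as an example and not code from the thread: it parses the `iptables-save -t nat` DNAT rules and the `iptables -L FORWARD -n` listing and reports whether any TCP DROP in FORWARD would catch a DNAT'ed port. The input is constructed from the thread's own lines plus one extra rule to port 445 to show a blocked case; source/destination qualifiers on DROP rules are deliberately ignored.

```python
import re

# Constructed input: two of the thread's nat rules plus one extra rule to 445
NAT_SAVE = """\
-A PREROUTING -d Inet1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.16.114:80
-A PREROUTING -d Inet1 -p tcp -m tcp --dport 8087 -j DNAT --to-destination 192.168.16.100:8087
-A PREROUTING -d Inet1 -p tcp -m tcp --dport 445 -j DNAT --to-destination 192.168.16.100:445
"""
# Constructed from the FORWARD listing in the thread (subset of its rows)
FORWARD_LIST = """\
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 ipp2p v0.8.0_rc3 --ipp2p
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:137:139
"""

DNAT_RE = re.compile(r"--dport (\d+) .*--to-destination (\S+?):(\d+)")
# matches "tcp dpt:445" or "tcp dpts:137:139"; source/destination columns ignored
DROP_RE = re.compile(r"^DROP\s+tcp\s.*?dpts?:(\d+)(?::(\d+))?")

def parse_dnat(text):
    """Return [(external_port, internal_ip, internal_port)] from nat rules."""
    out = []
    for line in text.splitlines():
        m = DNAT_RE.search(line)
        if m:
            out.append((int(m.group(1)), m.group(2), int(m.group(3))))
    return out

def parse_tcp_drops(text):
    """Return [(lo, hi)] TCP destination-port ranges dropped in FORWARD."""
    ranges = []
    for line in text.splitlines():
        m = DROP_RE.match(line)
        if m:
            lo = int(m.group(1))
            ranges.append((lo, int(m.group(2) or lo)))
    return ranges

def check(nat_text, forward_text):
    """Map 'ext->ip:port' to True if the rewritten port hits a FORWARD drop."""
    drops = parse_tcp_drops(forward_text)
    return {f"{ext}->{ip}:{port}": any(lo <= port <= hi for lo, hi in drops)
            for ext, ip, port in parse_dnat(nat_text)}

if __name__ == "__main__":
    for rule, blocked in check(NAT_SAVE, FORWARD_LIST).items():
        print(rule, "BLOCKED in FORWARD" if blocked else "passes FORWARD")
```

For the thread's real rules the result is "passes FORWARD" for every DNAT target, which is why the later reply turns to routing on 192.168.16.100 rather than the filter.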
* Re: what's the problem of DNAT
From: Henrik Nordstrom @ 2005-10-31 13:25 UTC (permalink / raw)
To: Buddy wu; +Cc: Rob Sterenborg, netfilter
On Mon, 31 Oct 2005, Buddy wu wrote:
> And there is another interesting thing (I'm pained with the "interesting thing").
> When I use the 'sbin/iptables -t nat -A PREROUTING -d Inet2 -p tcp
> --dport 8087 -j DNAT --to 192.168.16.100:8087' rule, I can access
> http://Inet2:8087 in the LAN, but I can't access http://Inet2:8087
> through the Internet (I have a machine with direct access to the internet).
Please verify the routing on 192.168.16.100. To me the data you have
indicates 192.168.16.100 does not have correct routing for the Internet.
From what I have seen the iptables rules are correct, but all your rules
with NAT to 192.168.16.100 are failing.
Quite likely the NAT and firewall rules as such are working just fine, but
192.168.16.100 does not know what to do with the return traffic.
Regards
Henrik