From: David at roamware <david@roamware.co.uk>
To: netfilter@vger.kernel.org
Subject: Re: Failing to get forwarding to work fully.
Date: Sun, 03 Feb 2008 22:40:36 +0000 [thread overview]
Message-ID: <47A642E4.5040006@roamware.co.uk> (raw)
In-Reply-To: <000c01c86688$e22637c0$a672a740$@info>
Rob Sterenborg wrote:
>> I have tried to get this iptables script on my Centos 4.4 machine
>> working, with some help, but still have not succeeded in forwarding
>> port 722 to a machine on the LAN attached to the machine running
>> iptables attached to the internet. The logging of the FORWARD
>> packets just before drop tells me they are being forwarded. I also
>> made sure the LAN attached machine on eth0 does accept ssh -D
>> 722 once I logged into the public facing machine via ssh. So I kinda
>> assume it is the return packet that is the problem, but cannot see
>> why. Ideas? 333.333.333.333 is substituted for the public IP addr,
>> 111.111.111.111 222.222.222.222 are machines I want to be the only
>> ones that can access. eth0 is the LAN NIC and eth1 is the public
>> facing NIC.
>>
>> # Generated by iptables-save v1.2.11 on Thu Dec 15 17:00:25 2005
>> *filter
>>
>
> [...]
>
>
>> -A FORWARD -j LOG --log-level debug
>> -A FORWARD -d 192.168.0.0/255.255.255.0 -i eth1 -o eth0 \
>> -p tcp -m multiport --dports 22,3306 -m state --state NEW \
>> -j ACCEPT
>>
>
> So NEW packets forwarded to port 22 will be allowed.
>
>
>> -A FORWARD -i eth1 -o eth0 -m state \
>> --state RELATED,ESTABLISHED -j ACCEPT
>>
>
> Here you are only accepting packets from eth1 -> eth0 in a RELATED or
> ESTABLISHED connection. What about the return packets that will go from
> eth0 -> eth1? I really don't think you can setup a connection this way.
> Try:
>
> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>
Tried this, it made no difference. I broadened the ports on the NEW to
cover 722, so there was no confusion to the port 22 used to connect to
the machine with the public facing NIC. Do I need a postrouting rule for
the FORWARD used for the return packets?
David
>
> Grts,
> Rob
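The forwarding setup the thread is debugging, written out as an added example (this is not a script from the thread or from either poster): a minimal DNAT port-forward of TCP 722 to a LAN host, with the two FORWARD rules Rob and David discuss. The interface names, the 192.168.0.0/24 LAN and the two allowed source addresses are the ones given in the thread; the internal target host 192.168.0.10 is a placeholder chosen for the example. By default the script only prints the iptables commands (IPT defaults to `echo iptables`); run it as root with `IPT=iptables` to apply them.

```shell
#!/bin/sh
# Added example, not code from the thread. Dry-run by default: IPT="echo iptables"
# prints the rules; "IPT=iptables sh forward.sh" applies them (needs root).
IPT="${IPT:-echo iptables}"

WAN_IF=eth1                                # public-facing NIC (from the thread)
LAN_IF=eth0                                # LAN NIC (from the thread)
LAN_NET=192.168.0.0/24                     # LAN subnet (from the thread)
LAN_HOST=192.168.0.10                      # assumed internal target; placeholder
FWD_PORT=722                               # forwarded service port (from the thread)
ALLOWED="111.111.111.111 222.222.222.222"  # the two permitted sources (from the thread)

forward_rules() {
    # Forwarding must be enabled in the kernel or nothing below matters:
    #   sysctl -w net.ipv4.ip_forward=1

    # 1. nat/PREROUTING: rewrite the destination of inbound port-722 packets
    #    from the permitted sources so routing sends them to the LAN host.
    for src in $ALLOWED; do
        $IPT -t nat -A PREROUTING -i "$WAN_IF" -s "$src" -p tcp --dport "$FWD_PORT" \
            -j DNAT --to-destination "$LAN_HOST:$FWD_PORT"
    done

    # 2. FORWARD: let the NEW connection through towards the LAN host. This is
    #    the direction-bound rule from the original script, narrowed to one host.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$LAN_HOST" -p tcp --dport "$FWD_PORT" \
        -m state --state NEW -j ACCEPT

    # 3. FORWARD: accept reply traffic in BOTH directions. The original rule
    #      -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    #    only matches eth1 -> eth0, so the LAN host's SYN-ACK (eth0 -> eth1)
    #    never matches and falls through to the drop.
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

    # 4. nat/POSTROUTING: only needed for connections the LAN hosts originate
    #    (their private source address must be hidden). Replies to the DNATed
    #    connection are un-translated by conntrack without any rule here.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE

    # 5. Log what is left, then drop it by policy. Logging last keeps the log
    #    to rejected packets only; the original script logged every packet.
    $IPT -A FORWARD -j LOG --log-level debug --log-prefix "FWD-DROP: "
    $IPT -P FORWARD DROP
}

forward_rules
```

The point the example makes is that a DNATed connection is one conntrack entry seen from both sides: the inbound SYN is matched by the NEW rule, and every later packet of that connection, including the LAN host's replies leaving on eth0, carries state ESTABLISHED. If the ESTABLISHED rule is bound to `-i eth1 -o eth0`, the replies never match it, which is exactly the symptom of "being forwarded" on the way in but no working session. Conntrack also reverses the DNAT on those replies by itself, so a POSTROUTING rule is not what carries them; the MASQUERADE rule above is only there for connections that LAN hosts initiate.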
Thread overview:
2008-02-03 16:53 Failing to get forwarding to work fully. (David at roamware)
2008-02-03 17:19   Re: Rob Sterenborg
2008-02-03 22:40   Re: David at roamware [this message]
2008-02-04 06:29   Re: Rob Sterenborg