* Access from inside proxy to server with apache @ 2008-12-17 13:30 Javi Legido 2008-12-17 14:54 ` Gáspár Lajos 2008-12-17 19:51 ` Mart Frauenlob 0 siblings, 2 replies; 6+ messages in thread From: Javi Legido @ 2008-12-17 13:30 UTC (permalink / raw) To: Netfilter list Hi. I have the following schema: [A] [Pc] (80) => (80) [Router] (80) => (80) [Server] [B] [Pc] (80) => (80) [Proxy] ¿? => (80) [Router] (80) => (80) [Server] More data: -The server has iptables and Apache -The router has port 80 tcp redirected to the server Troubleshooting: -When I 'switch on' iptables, schema [B] fails (schema [A] always works fine) -When I 'switch off' iptables, schema [B] works fine The output: ************************ iptables -S *************************** -P INPUT ACCEPT -P FORWARD ACCEPT -P OUTPUT ACCEPT -A INPUT -s public_ip_1/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -s public_ip_1/32 -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT -A INPUT -s 192.168.1.31/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -s 192.168.1.30/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --sport 80 -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --dport 4080 -j ACCEPT -A INPUT -i eth0 -p udp -m udp --dport 4080 -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT -A INPUT -i eth0 -p udp -m udp --dport 21 -j ACCEPT -A INPUT -i eth0 -p udp -m udp --sport 53 -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --sport 23 -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -j LOG --log-prefix "INPUT_" -A INPUT -j REJECT --reject-with icmp-port-unreachable -A FORWARD -p tcp -m tcp --dport 9999 -j ACCEPT -A FORWARD -p tcp -m tcp --dport 6882 -j ACCEPT -A FORWARD -p udp -m udp --dport 5865 -j ACCEPT -A FORWARD -p tcp -m tcp --dport 5865 -j ACCEPT -A FORWARD -p udp -m udp --dport 8443 -j ACCEPT -A FORWARD -p tcp -m tcp --dport 8443 -j ACCEPT -A FORWARD -p udp -m udp --dport 4666 -j ACCEPT -A FORWARD -p tcp -m tcp --dport 4662 -j ACCEPT -A FORWARD -j LOG --log-prefix "FORWARD" -A FORWARD -j REJECT --reject-with icmp-port-unreachable -A OUTPUT -o lo -j ACCEPT ******************** /var/log/messages **************************** Dec 17 12:32:24 servidor kernel: [1120947.846431] INPUT_IN=eth0 OUT= MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=31428 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.1.2 DST=public_ip_1 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=16093 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492 Dec 17 12:32:54 servidor kernel: [1120979.925513] INPUT_IN=eth0 OUT= MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 WINDOW=5792 RES=0x00 ACK SYN URGP=0 Dec 17 12:32:57 servidor kernel: [1120983.069334] INPUT_IN=eth0 OUT= MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 WINDOW=5792 RES=0x00 ACK SYN URGP=0 Dec 17 12:32:57 servidor kernel: [1120983.693341] INPUT_IN=eth0 OUT= MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 WINDOW=5792 RES=0x00 ACK SYN URGP=0 Dec 17 12:33:03 servidor kernel: [1120989.596154] INPUT_IN=eth0 OUT= MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 WINDOW=5792 RES=0x00 ACK SYN URGP=0 Dec 17 12:33:03 servidor kernel: [1120990.224560] INPUT_IN=eth0 OUT= MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 WINDOW=5792 RES=0x00 ACK SYN URGP=0 Dec 17 12:33:15 servidor kernel: [1121001.913149] INPUT_IN=eth0 OUT= MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 WINDOW=5792 RES=0x00 ACK SYN URGP=0 Dec 17 12:33:15 servidor kernel: [1121002.550066] INPUT_IN=eth0 OUT= MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 WINDOW=5792 RES=0x00 ACK SYN URGP=0 Dec 17 12:33:45 servidor kernel: [1121033.566738] INPUT_IN=eth0 OUT= MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=31434 PROTO=ICMP TYPE=0 CODE=0 ID=33569 SEQ=1 Dec 17 12:33:46 servidor kernel: [1121034.571848] INPUT_IN=eth0 OUT= MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=31435 PROTO=ICMP TYPE=0 CODE=0 ID=33569 SEQ=2 Dec 17 12:33:47 servidor kernel: [1121035.592819] INPUT_IN=eth0 OUT= MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=31436 PROTO=ICMP TYPE=0 CODE=0 ID=33569 SEQ=3 Dec 17 12:33:48 servidor kernel: [1121036.789595] INPUT_IN=eth0 OUT= MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=31437 PROTO=ICMP TYPE=0 CODE=0 ID=33569 SEQ=4 Dec 17 12:33:49 servidor kernel: [1121037.817587] INPUT_IN=eth0 OUT= MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=31438 PROTO=ICMP TYPE=0 CODE=0 ID=33569 SEQ=5 Dec 17 12:33:50 servidor kernel: [1121038.945584] INPUT_IN=eth0 OUT= MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=31439 PROTO=ICMP TYPE=0 CODE=0 ID=33569 SEQ=6 Dec 17 12:33:51 servidor kernel: [1121039.974620] INPUT_IN=eth0 OUT= MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=31440 PROTO=ICMP TYPE=0 CODE=0 ID=33569 SEQ=7 Dec 17 12:33:52 servidor kernel: [1121040.974610] INPUT_IN=eth0 OUT= MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=31441 PROTO=ICMP TYPE=0 CODE=0 ID=33569 SEQ=8 Dec 17 12:33:53 servidor kernel: [1121041.978981] INPUT_IN=eth0 OUT= MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=31442 PROTO=ICMP TYPE=0 CODE=0 ID=33569 SEQ=9 Dec 17 12:33:54 servidor kernel: [1121042.991844] INPUT_IN=eth0 OUT= MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=31443 PROTO=ICMP TYPE=0 CODE=0 ID=33569 SEQ=10 **************************************** end *******************************************+ Notice there are 2 different ip's: public_ip_2 and public_ip_1. Maybe there is the key... Can anybody helps me to make iptables let pass the traffic to the schema [B]? PD: I tested two simillar schemas [b]: two machines from inside a proxy, and the two machines failed to connect to server. Thanks in advice. Javier ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Access from inside proxy to server with apache 2008-12-17 13:30 Access from inside proxy to server with apache Javi Legido @ 2008-12-17 14:54 ` Gáspár Lajos 2008-12-17 19:51 ` Mart Frauenlob 1 sibling, 0 replies; 6+ messages in thread From: Gáspár Lajos @ 2008-12-17 14:54 UTC (permalink / raw) To: Javi Legido; +Cc: Netfilter list Hi, Javi Legido írta: > Hi. > > I have the following schema: > > [A] > > [Pc] (80) => (80) [Router] (80) => (80) [Server] > > [B] > > [Pc] (80) => (80) [Proxy] ?? => (80) [Router] (80) => (80) [Server] > > More data: > > -The server has iptables and Apache > -The router has port 80 tcp redirected to the server > > Troubleshooting: > > -When I 'switch on' iptables, schema [B] fails (schema [A] always works fine) > -When I 'switch off' iptables, schema [B] works fine > > ... > Dec 17 12:32:24 servidor kernel: [1120947.846431] INPUT_IN=eth0 OUT= > MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=56 > TOS=0x00 PREC=0x00 TTL=155 ID=31428 PROTO=ICMP TYPE=3 CODE=4 > [SRC=192.168.1.2 DST=public_ip_1 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 > ID=16093 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492 > Dec 17 12:32:54 servidor kernel: [1120979.925513] INPUT_IN=eth0 OUT= > MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 > TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 > WINDOW=5792 RES=0x00 ACK SYN URGP=0 > Dec 17 12:32:57 servidor kernel: [1120983.069334] INPUT_IN=eth0 OUT= > MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 > TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 > WINDOW=5792 RES=0x00 ACK SYN URGP=0 > Dec 17 12:32:57 servidor kernel: [1120983.693341] INPUT_IN=eth0 OUT= > MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 > TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 > WINDOW=5792 RES=0x00 ACK SYN URGP=0 > Dec 17 12:33:03 servidor kernel: [1120989.596154] INPUT_IN=eth0 OUT= > MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 > TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 > WINDOW=5792 RES=0x00 ACK SYN URGP=0 > Dec 17 12:33:03 servidor kernel: [1120990.224560] INPUT_IN=eth0 OUT= > MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 > TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 > WINDOW=5792 RES=0x00 ACK SYN URGP=0 > Dec 17 12:33:15 servidor kernel: [1121001.913149] INPUT_IN=eth0 OUT= > MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 > TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 > WINDOW=5792 RES=0x00 ACK SYN URGP=0 > Dec 17 12:33:15 servidor kernel: [1121002.550066] INPUT_IN=eth0 OUT= > MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 > TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 > WINDOW=5792 RES=0x00 ACK SYN URGP=0 > Dec 17 12:33:45 servidor kernel: [1121033.566738] INPUT_IN=eth0 OUT= > MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 > TOS=0x00 PREC=0x00 TTL=128 ID=31434 PROTO=ICMP TYPE=0 CODE=0 ID=33569 > SEQ=1 > Dec 17 12:33:46 servidor kernel: [1121034.571848] INPUT_IN=eth0 OUT= > MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 > TOS=0x00 PREC=0x00 TTL=128 ID=31435 PROTO=ICMP TYPE=0 CODE=0 ID=33569 > SEQ=2 > Dec 17 12:33:47 servidor kernel: [1121035.592819] INPUT_IN=eth0 OUT= > MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 > TOS=0x00 PREC=0x00 TTL=128 ID=31436 PROTO=ICMP TYPE=0 CODE=0 ID=33569 > SEQ=3 > Dec 17 12:33:48 servidor kernel: [1121036.789595] INPUT_IN=eth0 OUT= > MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 > TOS=0x00 PREC=0x00 TTL=128 ID=31437 PROTO=ICMP TYPE=0 CODE=0 ID=33569 > SEQ=4 > Dec 17 12:33:49 servidor kernel: [1121037.817587] INPUT_IN=eth0 OUT= > MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 > TOS=0x00 PREC=0x00 TTL=128 ID=31438 PROTO=ICMP TYPE=0 CODE=0 ID=33569 > SEQ=5 > Dec 17 12:33:50 servidor kernel: [1121038.945584] INPUT_IN=eth0 OUT= > MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 > TOS=0x00 PREC=0x00 TTL=128 ID=31439 PROTO=ICMP TYPE=0 CODE=0 ID=33569 > SEQ=6 > Dec 17 12:33:51 servidor kernel: [1121039.974620] INPUT_IN=eth0 OUT= > MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 > TOS=0x00 PREC=0x00 TTL=128 ID=31440 PROTO=ICMP TYPE=0 CODE=0 ID=33569 > SEQ=7 > Dec 17 12:33:52 servidor kernel: [1121040.974610] INPUT_IN=eth0 OUT= > MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 > TOS=0x00 PREC=0x00 TTL=128 ID=31441 PROTO=ICMP TYPE=0 CODE=0 ID=33569 > SEQ=8 > Dec 17 12:33:53 servidor kernel: [1121041.978981] INPUT_IN=eth0 OUT= > MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 > TOS=0x00 PREC=0x00 TTL=128 ID=31442 PROTO=ICMP TYPE=0 CODE=0 ID=33569 > SEQ=9 > Dec 17 12:33:54 servidor kernel: [1121042.991844] INPUT_IN=eth0 OUT= > MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 > TOS=0x00 PREC=0x00 TTL=128 ID=31443 PROTO=ICMP TYPE=0 CODE=0 ID=33569 > SEQ=10 > I do not see in this log any http (port 80 SPT=80 or DPT=80) activity.... Swifty ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Access from inside proxy to server with apache 2008-12-17 13:30 Access from inside proxy to server with apache Javi Legido 2008-12-17 14:54 ` Gáspár Lajos @ 2008-12-17 19:51 ` Mart Frauenlob 2008-12-18 13:47 ` Javi Legido 1 sibling, 1 reply; 6+ messages in thread From: Mart Frauenlob @ 2008-12-17 19:51 UTC (permalink / raw) To: netfilter; +Cc: Javi Legido Javi Legido wrote: > Hi. > > I have the following schema: > > [A] > > [Pc] (80) => (80) [Router] (80) => (80) [Server] > > [B] > > [Pc] (80) => (80) [Proxy] ¿? => (80) [Router] (80) => (80) [Server] > > More data: > > -The server has iptables and Apache > -The router has port 80 tcp redirected to the server > > Troubleshooting: > > -When I 'switch on' iptables, schema [B] fails (schema [A] always works fine) > -When I 'switch off' iptables, schema [B] works fine > > The output: > > ************************ iptables -S *************************** > > -P INPUT ACCEPT > -P FORWARD ACCEPT > -P OUTPUT ACCEPT > -A INPUT -s public_ip_1/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT > -A INPUT -s public_ip_1/32 -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT > -A INPUT -s 192.168.1.31/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT > -A INPUT -s 192.168.1.30/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT > -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT > -A INPUT -i eth0 -p tcp -m tcp --sport 80 -j ACCEPT > -A INPUT -i eth0 -p tcp -m tcp --dport 4080 -j ACCEPT > -A INPUT -i eth0 -p udp -m udp --dport 4080 -j ACCEPT > -A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT > -A INPUT -i eth0 -p udp -m udp --dport 21 -j ACCEPT > -A INPUT -i eth0 -p udp -m udp --sport 53 -j ACCEPT > -A INPUT -i eth0 -p tcp -m tcp --sport 23 -j ACCEPT > -A INPUT -i lo -j ACCEPT > -A INPUT -j LOG --log-prefix "INPUT_" > -A INPUT -j REJECT --reject-with icmp-port-unreachable > -A FORWARD -p tcp -m tcp --dport 9999 -j ACCEPT > -A FORWARD -p tcp -m tcp --dport 6882 -j ACCEPT > -A FORWARD -p udp -m udp --dport 5865 -j ACCEPT > -A FORWARD -p tcp -m tcp --dport 5865 -j ACCEPT > -A FORWARD -p udp -m udp --dport 8443 -j ACCEPT > -A FORWARD -p tcp -m tcp --dport 8443 -j ACCEPT > -A FORWARD -p udp -m udp --dport 4666 -j ACCEPT > -A FORWARD -p tcp -m tcp --dport 4662 -j ACCEPT > -A FORWARD -j LOG --log-prefix "FORWARD" > -A FORWARD -j REJECT --reject-with icmp-port-unreachable > -A OUTPUT -o lo -j ACCEPT > > ******************** /var/log/messages **************************** > > Dec 17 12:32:24 servidor kernel: [1120947.846431] INPUT_IN=eth0 OUT= > MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=56 > TOS=0x00 PREC=0x00 TTL=155 ID=31428 PROTO=ICMP TYPE=3 CODE=4 > [SRC=192.168.1.2 DST=public_ip_1 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 > ID=16093 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492 > Dec 17 12:32:54 servidor kernel: [1120979.925513] INPUT_IN=eth0 OUT= > MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 > TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 > WINDOW=5792 RES=0x00 ACK SYN URGP=0 > Dec 17 12:32:57 servidor kernel: [1120983.069334] INPUT_IN=eth0 OUT= > MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 > TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 > WINDOW=5792 RES=0x00 ACK SYN URGP=0 > Dec 17 12:32:57 servidor kernel: [1120983.693341] INPUT_IN=eth0 OUT= > MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 > TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 > WINDOW=5792 RES=0x00 ACK SYN URGP=0 > Dec 17 12:33:03 servidor kernel: [1120989.596154] INPUT_IN=eth0 OUT= > MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 > TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 > WINDOW=5792 RES=0x00 ACK SYN URGP=0 > Dec 17 12:33:03 servidor kernel: [1120990.224560] INPUT_IN=eth0 OUT= > MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 > TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 > WINDOW=5792 RES=0x00 ACK SYN URGP=0 > Dec 17 12:33:15 servidor kernel: [1121001.913149] INPUT_IN=eth0 OUT= > MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 > TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 > WINDOW=5792 RES=0x00 ACK SYN URGP=0 > Dec 17 12:33:15 servidor kernel: [1121002.550066] INPUT_IN=eth0 OUT= > MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 > TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 > WINDOW=5792 RES=0x00 ACK SYN URGP=0 > Dec 17 12:33:45 servidor kernel: [1121033.566738] INPUT_IN=eth0 OUT= > MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 > TOS=0x00 PREC=0x00 TTL=128 ID=31434 PROTO=ICMP TYPE=0 CODE=0 ID=33569 > SEQ=1 > Dec 17 12:33:46 servidor kernel: [1121034.571848] INPUT_IN=eth0 OUT= > MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 > TOS=0x00 PREC=0x00 TTL=128 ID=31435 PROTO=ICMP TYPE=0 CODE=0 ID=33569 > SEQ=2 > Dec 17 12:33:47 servidor kernel: [1121035.592819] INPUT_IN=eth0 OUT= > MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 > TOS=0x00 PREC=0x00 TTL=128 ID=31436 PROTO=ICMP TYPE=0 CODE=0 ID=33569 > SEQ=3 > Dec 17 12:33:48 servidor kernel: [1121036.789595] INPUT_IN=eth0 OUT= > MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 > TOS=0x00 PREC=0x00 TTL=128 ID=31437 PROTO=ICMP TYPE=0 CODE=0 ID=33569 > SEQ=4 > Dec 17 12:33:49 servidor kernel: [1121037.817587] INPUT_IN=eth0 OUT= > MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 > TOS=0x00 PREC=0x00 TTL=128 ID=31438 PROTO=ICMP TYPE=0 CODE=0 ID=33569 > SEQ=5 > Dec 17 12:33:50 servidor kernel: [1121038.945584] INPUT_IN=eth0 OUT= > MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 > TOS=0x00 PREC=0x00 TTL=128 ID=31439 PROTO=ICMP TYPE=0 CODE=0 ID=33569 > SEQ=6 > Dec 17 12:33:51 servidor kernel: [1121039.974620] INPUT_IN=eth0 OUT= > MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 > TOS=0x00 PREC=0x00 TTL=128 ID=31440 PROTO=ICMP TYPE=0 CODE=0 ID=33569 > SEQ=7 > Dec 17 12:33:52 servidor kernel: [1121040.974610] INPUT_IN=eth0 OUT= > MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 > TOS=0x00 PREC=0x00 TTL=128 ID=31441 PROTO=ICMP TYPE=0 CODE=0 ID=33569 > SEQ=8 > Dec 17 12:33:53 servidor kernel: [1121041.978981] INPUT_IN=eth0 OUT= > MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 > TOS=0x00 PREC=0x00 TTL=128 ID=31442 PROTO=ICMP TYPE=0 CODE=0 ID=33569 > SEQ=9 > Dec 17 12:33:54 servidor kernel: [1121042.991844] INPUT_IN=eth0 OUT= > MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 > TOS=0x00 PREC=0x00 TTL=128 ID=31443 PROTO=ICMP TYPE=0 CODE=0 ID=33569 > SEQ=10 > > **************************************** end > *******************************************+ > > Notice there are 2 different ip's: public_ip_2 and public_ip_1. Maybe > there is the key... > > Can anybody helps me to make iptables let pass the traffic to the schema [B]? > > PD: I tested two simillar schemas [b]: two machines from inside a > proxy, and the two machines failed to connect to server. > > Thanks in advice. > > Javier > -- > To unsubscribe from this list: send the line "unsubscribe netfilter" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > > hello, you say traffic on port 80 is redirected. how? i do not see any DNAT rules. also if the destination address is changed by nat, the packets get routed over the other interface. that is why you need to allow the traffic in the FORWARD chain. i do not see any of those in your rules above. if i understand it correctly and you have two external interfaces on the router, there are no rules either. and with two external interfaces your routing could come into account. but you did not provide any information about that. greets mart ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Access from inside proxy to server with apache 2008-12-17 19:51 ` Mart Frauenlob @ 2008-12-18 13:47 ` Javi Legido 2008-12-18 20:55 ` Mart Frauenlob 2008-12-22 13:57 ` Javi Legido 0 siblings, 2 replies; 6+ messages in thread From: Javi Legido @ 2008-12-18 13:47 UTC (permalink / raw) To: netfilter >>you say traffic on port 80 is redirected. how? [A] [Pc] (80) => (80) [Router] (80) => (80) [Server] The router does NAT. I repeat: if i quit iptables, all works fine, then I assume router NAT works >> also if the destination address is changed by nat, the packets get routed over the other >> interface. >> that is why you need to allow the traffic in the FORWARD chain. >> i do not see any of those in your rules above. I added (without success) the following rule: -A FORWARD -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT ------------------------------------------ The trouble continues: from inside a proxy, I can't access to the Apache server (I can access, for instance, via ssh). If I quit iptables, all works fine Thanks for your interest. Javier On 17/12/2008, Mart Frauenlob <mart.frauenlob@chello.at> wrote: > Javi Legido wrote: >> Hi. >> >> I have the following schema: >> >> [A] >> >> [Pc] (80) => (80) [Router] (80) => (80) [Server] >> >> [B] >> >> [Pc] (80) => (80) [Proxy] ¿? => (80) [Router] (80) => (80) [Server] >> >> More data: >> >> -The server has iptables and Apache >> -The router has port 80 tcp redirected to the server >> >> Troubleshooting: >> >> -When I 'switch on' iptables, schema [B] fails (schema [A] always works >> fine) >> -When I 'switch off' iptables, schema [B] works fine >> >> The output: >> >> ************************ iptables -S *************************** >> >> -P INPUT ACCEPT >> -P FORWARD ACCEPT >> -P OUTPUT ACCEPT >> -A INPUT -s public_ip_1/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT >> -A INPUT -s public_ip_1/32 -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT >> -A INPUT -s 192.168.1.31/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT >> -A INPUT -s 192.168.1.30/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT >> -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT >> -A INPUT -i eth0 -p tcp -m tcp --sport 80 -j ACCEPT >> -A INPUT -i eth0 -p tcp -m tcp --dport 4080 -j ACCEPT >> -A INPUT -i eth0 -p udp -m udp --dport 4080 -j ACCEPT >> -A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT >> -A INPUT -i eth0 -p udp -m udp --dport 21 -j ACCEPT >> -A INPUT -i eth0 -p udp -m udp --sport 53 -j ACCEPT >> -A INPUT -i eth0 -p tcp -m tcp --sport 23 -j ACCEPT >> -A INPUT -i lo -j ACCEPT >> -A INPUT -j LOG --log-prefix "INPUT_" >> -A INPUT -j REJECT --reject-with icmp-port-unreachable >> -A FORWARD -p tcp -m tcp --dport 9999 -j ACCEPT >> -A FORWARD -p tcp -m tcp --dport 6882 -j ACCEPT >> -A FORWARD -p udp -m udp --dport 5865 -j ACCEPT >> -A FORWARD -p tcp -m tcp --dport 5865 -j ACCEPT >> -A FORWARD -p udp -m udp --dport 8443 -j ACCEPT >> -A FORWARD -p tcp -m tcp --dport 8443 -j ACCEPT >> -A FORWARD -p udp -m udp --dport 4666 -j ACCEPT >> -A FORWARD -p tcp -m tcp --dport 4662 -j ACCEPT >> -A FORWARD -j LOG --log-prefix "FORWARD" >> -A FORWARD -j REJECT --reject-with icmp-port-unreachable >> -A OUTPUT -o lo -j ACCEPT >> >> ******************** /var/log/messages **************************** >> >> Dec 17 12:32:24 servidor kernel: [1120947.846431] INPUT_IN=eth0 OUT= >> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=56 >> TOS=0x00 PREC=0x00 TTL=155 ID=31428 PROTO=ICMP TYPE=3 CODE=4 >> [SRC=192.168.1.2 DST=public_ip_1 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 >> ID=16093 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492 >> Dec 17 12:32:54 servidor kernel: [1120979.925513] INPUT_IN=eth0 OUT= >> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 >> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 >> WINDOW=5792 RES=0x00 ACK SYN URGP=0 >> Dec 17 12:32:57 servidor kernel: [1120983.069334] INPUT_IN=eth0 OUT= >> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 >> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 >> WINDOW=5792 RES=0x00 ACK SYN URGP=0 >> Dec 17 12:32:57 servidor kernel: [1120983.693341] INPUT_IN=eth0 OUT= >> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 >> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 >> WINDOW=5792 RES=0x00 ACK SYN URGP=0 >> Dec 17 12:33:03 servidor kernel: [1120989.596154] INPUT_IN=eth0 OUT= >> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 >> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 >> WINDOW=5792 RES=0x00 ACK SYN URGP=0 >> Dec 17 12:33:03 servidor kernel: [1120990.224560] INPUT_IN=eth0 OUT= >> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 >> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 >> WINDOW=5792 RES=0x00 ACK SYN URGP=0 >> Dec 17 12:33:15 servidor kernel: [1121001.913149] INPUT_IN=eth0 OUT= >> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 >> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 >> WINDOW=5792 RES=0x00 ACK SYN URGP=0 >> Dec 17 12:33:15 servidor kernel: [1121002.550066] INPUT_IN=eth0 OUT= >> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 >> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 >> WINDOW=5792 RES=0x00 ACK SYN URGP=0 >> Dec 17 12:33:45 servidor kernel: [1121033.566738] INPUT_IN=eth0 OUT= >> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 >> TOS=0x00 PREC=0x00 TTL=128 ID=31434 PROTO=ICMP TYPE=0 CODE=0 ID=33569 >> SEQ=1 >> Dec 17 12:33:46 servidor kernel: [1121034.571848] INPUT_IN=eth0 OUT= >> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 >> TOS=0x00 PREC=0x00 TTL=128 ID=31435 PROTO=ICMP TYPE=0 CODE=0 ID=33569 >> SEQ=2 >> Dec 17 12:33:47 servidor kernel: [1121035.592819] INPUT_IN=eth0 OUT= >> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 >> TOS=0x00 PREC=0x00 TTL=128 ID=31436 PROTO=ICMP TYPE=0 CODE=0 ID=33569 >> SEQ=3 >> Dec 17 12:33:48 servidor kernel: [1121036.789595] INPUT_IN=eth0 OUT= >> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 >> TOS=0x00 PREC=0x00 TTL=128 ID=31437 PROTO=ICMP TYPE=0 CODE=0 ID=33569 >> SEQ=4 >> Dec 17 12:33:49 servidor kernel: [1121037.817587] INPUT_IN=eth0 OUT= >> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 >> TOS=0x00 PREC=0x00 TTL=128 ID=31438 PROTO=ICMP TYPE=0 CODE=0 ID=33569 >> SEQ=5 >> Dec 17 12:33:50 servidor kernel: [1121038.945584] INPUT_IN=eth0 OUT= >> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 >> TOS=0x00 PREC=0x00 TTL=128 ID=31439 PROTO=ICMP TYPE=0 CODE=0 ID=33569 >> SEQ=6 >> Dec 17 12:33:51 servidor kernel: [1121039.974620] INPUT_IN=eth0 OUT= >> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 >> TOS=0x00 PREC=0x00 TTL=128 ID=31440 PROTO=ICMP TYPE=0 CODE=0 ID=33569 >> SEQ=7 >> Dec 17 12:33:52 servidor kernel: [1121040.974610] INPUT_IN=eth0 OUT= >> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 >> TOS=0x00 PREC=0x00 TTL=128 ID=31441 PROTO=ICMP TYPE=0 CODE=0 ID=33569 >> SEQ=8 >> Dec 17 12:33:53 servidor kernel: [1121041.978981] INPUT_IN=eth0 OUT= >> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 >> TOS=0x00 PREC=0x00 TTL=128 ID=31442 PROTO=ICMP TYPE=0 CODE=0 ID=33569 >> SEQ=9 >> Dec 17 12:33:54 servidor kernel: [1121042.991844] INPUT_IN=eth0 OUT= >> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 >> TOS=0x00 PREC=0x00 TTL=128 ID=31443 PROTO=ICMP TYPE=0 CODE=0 ID=33569 >> SEQ=10 >> >> **************************************** end >> *******************************************+ >> >> Notice there are 2 different ip's: public_ip_2 and public_ip_1. Maybe >> there is the key... >> >> Can anybody helps me to make iptables let pass the traffic to the schema >> [B]? >> >> PD: I tested two simillar schemas [b]: two machines from inside a >> proxy, and the two machines failed to connect to server. >> >> Thanks in advice. >> >> Javier >> -- >> To unsubscribe from this list: send the line "unsubscribe netfilter" in >> the body of a message to majordomo@vger.kernel.org >> More majordomo info at http://vger.kernel.org/majordomo-info.html >> >> > hello, > > you say traffic on port 80 is redirected. how? > i do not see any DNAT rules. > also if the destination address is changed by nat, the packets get > routed over the other interface. > that is why you need to allow the traffic in the FORWARD chain. > i do not see any of those in your rules above. > if i understand it correctly and you have two external interfaces on the > router, there are no rules either. > and with two external interfaces your routing could come into account. > but you did not provide any > information about that. > > greets > > mart > > ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Access from inside proxy to server with apache 2008-12-18 13:47 ` Javi Legido @ 2008-12-18 20:55 ` Mart Frauenlob 2008-12-22 13:57 ` Javi Legido 1 sibling, 0 replies; 6+ messages in thread From: Mart Frauenlob @ 2008-12-18 20:55 UTC (permalink / raw) To: netfilter Javi Legido wrote: >>> you say traffic on port 80 is redirected. how? >>> > > [A] > > [Pc] (80) => (80) [Router] (80) => (80) [Server] > > The router does NAT. I repeat: if i quit iptables, all works fine, > then I assume router NAT works > > >>> also if the destination address is changed by nat, the packets get routed over the other >>> interface. >>> that is why you need to allow the traffic in the FORWARD chain. >>> i do not see any of those in your rules above. >>> > > I added (without success) the following rule: > > -A FORWARD -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT > > ------------------------------------------ > > The trouble continues: from inside a proxy, I can't access to the > Apache server (I can access, for instance, via ssh). If I quit > iptables, all works fine > > Thanks for your interest. > > Javier > > > > On 17/12/2008, Mart Frauenlob <mart.frauenlob@chello.at> wrote: > >> Javi Legido wrote: >> >>> Hi. >>> >>> I have the following schema: >>> >>> [A] >>> >>> [Pc] (80) => (80) [Router] (80) => (80) [Server] >>> >>> [B] >>> >>> [Pc] (80) => (80) [Proxy] ¿? => (80) [Router] (80) => (80) [Server] >>> >>> More data: >>> >>> -The server has iptables and Apache >>> -The router has port 80 tcp redirected to the server >>> >>> Troubleshooting: >>> >>> -When I 'switch on' iptables, schema [B] fails (schema [A] always works >>> fine) >>> -When I 'switch off' iptables, schema [B] works fine >>> >>> The output: >>> >>> ************************ iptables -S *************************** >>> >>> -P INPUT ACCEPT >>> -P FORWARD ACCEPT >>> -P OUTPUT ACCEPT >>> -A INPUT -s public_ip_1/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT >>> -A INPUT -s public_ip_1/32 -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT >>> -A INPUT -s 192.168.1.31/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT >>> -A INPUT -s 192.168.1.30/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT >>> -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT >>> -A INPUT -i eth0 -p tcp -m tcp --sport 80 -j ACCEPT >>> -A INPUT -i eth0 -p tcp -m tcp --dport 4080 -j ACCEPT >>> -A INPUT -i eth0 -p udp -m udp --dport 4080 -j ACCEPT >>> -A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT >>> -A INPUT -i eth0 -p udp -m udp --dport 21 -j ACCEPT >>> -A INPUT -i eth0 -p udp -m udp --sport 53 -j ACCEPT >>> -A INPUT -i eth0 -p tcp -m tcp --sport 23 -j ACCEPT >>> -A INPUT -i lo -j ACCEPT >>> -A INPUT -j LOG --log-prefix "INPUT_" >>> -A INPUT -j REJECT --reject-with icmp-port-unreachable >>> -A FORWARD -p tcp -m tcp --dport 9999 -j ACCEPT >>> -A FORWARD -p tcp -m tcp --dport 6882 -j ACCEPT >>> -A FORWARD -p udp -m udp --dport 5865 -j ACCEPT >>> -A FORWARD -p tcp -m tcp --dport 5865 -j ACCEPT >>> -A FORWARD -p udp -m udp --dport 8443 -j ACCEPT >>> -A FORWARD -p tcp -m tcp --dport 8443 -j ACCEPT >>> -A FORWARD -p udp -m udp --dport 4666 -j ACCEPT >>> -A FORWARD -p tcp -m tcp --dport 4662 -j ACCEPT >>> -A FORWARD -j LOG --log-prefix "FORWARD" >>> -A FORWARD -j REJECT --reject-with icmp-port-unreachable >>> -A OUTPUT -o lo -j ACCEPT >>> >>> ******************** /var/log/messages **************************** >>> >>> Dec 17 12:32:24 servidor kernel: [1120947.846431] INPUT_IN=eth0 OUT= >>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=56 >>> TOS=0x00 PREC=0x00 TTL=155 ID=31428 PROTO=ICMP TYPE=3 CODE=4 >>> [SRC=192.168.1.2 DST=public_ip_1 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 >>> ID=16093 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492 >>> Dec 17 12:32:54 servidor kernel: [1120979.925513] INPUT_IN=eth0 OUT= >>> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 >>> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 >>> WINDOW=5792 RES=0x00 ACK SYN URGP=0 >>> Dec 17 12:32:57 servidor kernel: [1120983.069334] INPUT_IN=eth0 OUT= >>> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 >>> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 >>> WINDOW=5792 RES=0x00 ACK SYN URGP=0 >>> Dec 17 12:32:57 servidor kernel: [1120983.693341] INPUT_IN=eth0 OUT= >>> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 >>> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 >>> WINDOW=5792 RES=0x00 ACK SYN URGP=0 >>> Dec 17 12:33:03 servidor kernel: [1120989.596154] INPUT_IN=eth0 OUT= >>> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 >>> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 >>> WINDOW=5792 RES=0x00 ACK SYN URGP=0 >>> Dec 17 12:33:03 servidor kernel: [1120990.224560] INPUT_IN=eth0 OUT= >>> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 >>> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 >>> WINDOW=5792 RES=0x00 ACK SYN URGP=0 >>> Dec 17 12:33:15 servidor kernel: [1121001.913149] INPUT_IN=eth0 OUT= >>> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 >>> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 >>> WINDOW=5792 RES=0x00 ACK SYN URGP=0 >>> Dec 17 12:33:15 servidor kernel: [1121002.550066] INPUT_IN=eth0 OUT= >>> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 >>> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 >>> WINDOW=5792 RES=0x00 ACK SYN URGP=0 >>> Dec 17 12:33:45 servidor kernel: [1121033.566738] INPUT_IN=eth0 OUT= >>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 >>> TOS=0x00 PREC=0x00 TTL=128 ID=31434 PROTO=ICMP TYPE=0 CODE=0 ID=33569 >>> SEQ=1 >>> Dec 17 12:33:46 servidor kernel: [1121034.571848] INPUT_IN=eth0 OUT= >>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 >>> TOS=0x00 PREC=0x00 TTL=128 ID=31435 PROTO=ICMP TYPE=0 CODE=0 ID=33569 >>> SEQ=2 >>> Dec 17 12:33:47 servidor kernel: [1121035.592819] INPUT_IN=eth0 OUT= >>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 >>> TOS=0x00 PREC=0x00 TTL=128 ID=31436 PROTO=ICMP TYPE=0 CODE=0 ID=33569 >>> SEQ=3 >>> Dec 17 12:33:48 servidor kernel: [1121036.789595] INPUT_IN=eth0 OUT= >>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 >>> TOS=0x00 PREC=0x00 TTL=128 ID=31437 PROTO=ICMP TYPE=0 CODE=0 ID=33569 >>> SEQ=4 >>> Dec 17 12:33:49 servidor kernel: [1121037.817587] INPUT_IN=eth0 OUT= >>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 >>> TOS=0x00 PREC=0x00 TTL=128 ID=31438 PROTO=ICMP TYPE=0 CODE=0 ID=33569 >>> SEQ=5 >>> Dec 17 12:33:50 servidor kernel: [1121038.945584] INPUT_IN=eth0 OUT= >>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 >>> TOS=0x00 PREC=0x00 TTL=128 ID=31439 PROTO=ICMP TYPE=0 CODE=0 ID=33569 >>> SEQ=6 >>> Dec 17 12:33:51 servidor kernel: [1121039.974620] INPUT_IN=eth0 OUT= >>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 >>> TOS=0x00 PREC=0x00 TTL=128 ID=31440 PROTO=ICMP TYPE=0 CODE=0 ID=33569 >>> SEQ=7 >>> Dec 17 12:33:52 servidor kernel: [1121040.974610] INPUT_IN=eth0 OUT= >>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 >>> TOS=0x00 PREC=0x00 TTL=128 ID=31441 PROTO=ICMP TYPE=0 CODE=0 ID=33569 >>> SEQ=8 >>> Dec 17 12:33:53 servidor kernel: [1121041.978981] INPUT_IN=eth0 OUT= >>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 >>> TOS=0x00 PREC=0x00 TTL=128 ID=31442 PROTO=ICMP TYPE=0 CODE=0 ID=33569 >>> SEQ=9 >>> Dec 17 12:33:54 servidor kernel: [1121042.991844] INPUT_IN=eth0 OUT= >>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 >>> TOS=0x00 PREC=0x00 TTL=128 ID=31443 PROTO=ICMP TYPE=0 CODE=0 ID=33569 >>> SEQ=10 >>> >>> **************************************** end >>> *******************************************+ >>> >>> Notice there are 2 different ip's: public_ip_2 and public_ip_1. Maybe >>> there is the key... >>> >>> Can anybody helps me to make iptables let pass the traffic to the schema >>> [B]? >>> >>> PD: I tested two simillar schemas [b]: two machines from inside a >>> proxy, and the two machines failed to connect to server. >>> >>> Thanks in advice. >>> >>> Javier >>> -- >>> To unsubscribe from this list: send the line "unsubscribe netfilter" in >>> the body of a message to majordomo@vger.kernel.org >>> More majordomo info at http://vger.kernel.org/majordomo-info.html >>> >> hello, >> >> you say traffic on port 80 is redirected. how? >> i do not see any DNAT rules. >> also if the destination address is changed by nat, the packets get >> routed over the other interface. >> that is why you need to allow the traffic in the FORWARD chain. >> i do not see any of those in your rules above. >> if i understand it correctly and you have two external interfaces on the >> router, there are no rules either. >> and with two external interfaces your routing could come into account. >> but you did not provide any >> information about that. >> >> greets >> >> mart >> >> hello, sorry i got you wrong. i assumed the router is running iptables too. hence the forward rules are not required, only the INPUT and OUTPUT chain matter in that case. as we do not see any of the traffic to port 80 in the log, the rule to port 80 in INPUT chain allows incoming, your OUTPUT policy is ACCEPT, it should not block the traffic. don't you have any entries in the log including `DPT=80'? A usual browser to http server traffic would be from unpriviledged ports 1024-above to port 80 and vice versa. I'm not sure if that is what you trying to do? you want to browse a website on the server, right? iptables -A INPUT -p tcp --sport 1024: --dport 80 -j ACCEPT iptables -A OUTPUT -p tcp --sport 80 --dport 1024: -j ACCEPT should be a matching rule. greets mart setting policies to accept and just do a reject is maybe a bit unusual. ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Access from inside proxy to server with apache 2008-12-18 13:47 ` Javi Legido 2008-12-18 20:55 ` Mart Frauenlob @ 2008-12-22 13:57 ` Javi Legido 1 sibling, 0 replies; 6+ messages in thread From: Javi Legido @ 2008-12-22 13:57 UTC (permalink / raw) To: netfilter Once again: I have this schema: [B] [Pc] (80) => (80) [Proxy] ¿? => (80) [Router] (80) => (80) [Server] No matter proxy_out_ip 192.168.1.1 192.168.1.2 The router 'nats' port 80, 22, ... from outside to Server. I can't access from Pc to Server (trying to display an http page from the Apache server). I can access: -From other pc not inside a proxy -Via ssh from Pc to Server If I 'shut down' iptables, I can access from Pc to Server The /var/log/messge log: Dec 22 14:30:55 servidor kernel: [117607.138711] INPUT_IN=eth0 OUT= MAC=192_168_1_2_MAC:00:01:38:da:5c:e9:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=3450 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.1.2 DST=proxy_out_ip LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=36562 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492 Dec 22 14:30:55 servidor kernel: [117607.138753] INPUT_IN=eth0 OUT= MAC=192_168_1_2_MAC:00:01:38:da:5c:e9:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=3451 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.1.2 DST=proxy_out_ip LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=36562 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492 Dec 22 14:30:55 servidor kernel: [117607.427453] INPUT_IN=eth0 OUT= MAC=192_168_1_2_MAC:00:01:38:da:5c:e9:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=3452 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.1.2 DST=proxy_out_ip LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=36564 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492 Dec 22 14:30:56 servidor kernel: [117607.971455] INPUT_IN=eth0 OUT= MAC=192_168_1_2_MAC:00:01:38:da:5c:e9:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=3453 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.1.2 DST=proxy_out_ip LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=36565 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492 Dec 22 14:30:57 servidor kernel: [117609.059455] INPUT_IN=eth0 OUT= MAC=192_168_1_2_MAC:00:01:38:da:5c:e9:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=3454 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.1.2 DST=proxy_out_ip LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=36566 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492 Dec 22 14:30:59 servidor kernel: [117611.330798] INPUT_IN=eth0 OUT= MAC=192_168_1_2_MAC:00:01:38:da:5c:e9:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=3455 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.1.2 DST=proxy_out_ip LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=36567 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492 Dec 22 14:31:03 servidor kernel: [117615.983963] INPUT_IN=eth0 OUT= MAC=192_168_1_2_MAC:00:01:38:da:5c:e9:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=3456 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.1.2 DST=proxy_out_ip LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=36568 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492 Dec 22 14:31:12 servidor kernel: [117624.939056] INPUT_IN=eth0 OUT= MAC=192_168_1_2_MAC:00:01:38:da:5c:e9:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=3457 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.1.2 DST=proxy_out_ip LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=36569 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492 Dec 22 14:31:29 servidor kernel: [117643.902748] INPUT_IN=eth0 OUT= MAC=192_168_1_2_MAC:00:01:38:da:5c:e9:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=3458 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.1.2 DST=proxy_out_ip LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=36570 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492 Dec 22 14:32:04 servidor kernel: [117684.519431] INPUT_IN=eth0 OUT= MAC=192_168_1_2_MAC:00:01:38:da:5c:e9:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=3462 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.1.2 DST=proxy_out_ip LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=36571 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492 Dec 22 14:33:54 servidor kernel: [117808.239771] INPUT_IN=eth0 OUT= MAC=192_168_1_2_MAC:00:01:38:da:5c:e9:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=3470 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.1.2 DST=proxy_out_ip LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=30858 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492 Dec 22 14:33:54 servidor kernel: [117808.239812] INPUT_IN=eth0 OUT= MAC=192_168_1_2_MAC:00:01:38:da:5c:e9:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=3471 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.1.2 DST=proxy_out_ip LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=30858 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492 Dec 22 14:33:55 servidor kernel: [117808.511961] INPUT_IN=eth0 OUT= MAC=192_168_1_2_MAC:00:01:38:da:5c:e9:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=3472 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.1.2 DST=proxy_out_ip LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=30860 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492 Dec 22 14:33:55 servidor kernel: [117809.276341] INPUT_IN=eth0 OUT= MAC=192_168_1_2_MAC:00:01:38:da:5c:e9:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=3473 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.1.2 DST=proxy_out_ip LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=30861 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492 Dec 22 14:33:56 servidor kernel: [117810.537497] INPUT_IN=eth0 OUT= MAC=192_168_1_2_MAC:00:01:38:da:5c:e9:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=3474 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.1.2 DST=proxy_out_ip LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=30862 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492 Dec 22 14:33:59 servidor kernel: [117813.014252] INPUT_IN=eth0 OUT= MAC=192_168_1_2_MAC:00:01:38:da:5c:e9:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=3475 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.1.2 DST=proxy_out_ip LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=30863 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492 Dec 22 14:34:03 servidor kernel: [117818.310717] INPUT_IN=eth0 OUT= MAC=192_168_1_2_MAC:00:01:38:da:5c:e9:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=3476 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.1.2 DST=proxy_out_ip LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=30864 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492 Dec 22 14:34:12 servidor kernel: [117828.414218] INPUT_IN=eth0 OUT= MAC=192_168_1_2_MAC:00:01:38:da:5c:e9:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=3477 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.1.2 DST=proxy_out_ip LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=30865 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492 Dec 22 14:34:29 servidor kernel: [117848.339947] INPUT_IN=eth0 OUT= MAC=192_168_1_2_MAC:00:01:38:da:5c:e9:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=3478 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.1.2 DST=proxy_out_ip LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=30866 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492 Dec 22 14:35:04 servidor kernel: [117890.700795] INPUT_IN=eth0 OUT= MAC=192_168_1_2_MAC:00:01:38:da:5c:e9:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=3480 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.1.2 DST=proxy_out_ip LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=30867 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492 The iptables -S config: -P INPUT ACCEPT -P FORWARD ACCEPT -P OUTPUT ACCEPT -A INPUT -s proxy_out_ip/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -s proxy_out_ip/32 -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --sport 80 -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --dport 4080 -j ACCEPT -A INPUT -i eth0 -p udp -m udp --dport 4080 -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT -A INPUT -i eth0 -p udp -m udp --dport 21 -j ACCEPT -A INPUT -i eth0 -p udp -m udp --sport 53 -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --sport 23 -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -j LOG --log-prefix "INPUT_" -A INPUT -j REJECT --reject-with icmp-port-unreachable -A FORWARD -p tcp -m tcp --dport 9999 -j ACCEPT -A FORWARD -p tcp -m tcp --dport 6882 -j ACCEPT -A FORWARD -p udp -m udp --dport 5865 -j ACCEPT -A FORWARD -p tcp -m tcp --dport 5865 -j ACCEPT -A FORWARD -p udp -m udp --dport 8443 -j ACCEPT -A FORWARD -p tcp -m tcp --dport 8443 -j ACCEPT -A FORWARD -p udp -m udp --dport 4666 -j ACCEPT -A FORWARD -p tcp -m tcp --dport 4662 -j ACCEPT -A FORWARD -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT -A FORWARD -j LOG --log-prefix "FORWARD" -A FORWARD -j REJECT --reject-with icmp-port-unreachable -A OUTPUT -o lo -j ACCEPT Can someone tell me how to 'open' iptables to get access from Pc (port 80) to Server (port 80)? Thanks On 18/12/2008, Javi Legido <javi@legido.com> wrote: >>>you say traffic on port 80 is redirected. how? > > [A] > > [Pc] (80) => (80) [Router] (80) => (80) [Server] > > The router does NAT. I repeat: if i quit iptables, all works fine, > then I assume router NAT works > >>> also if the destination address is changed by nat, the packets get routed >>> over the other >>> interface. >>> that is why you need to allow the traffic in the FORWARD chain. >>> i do not see any of those in your rules above. > > I added (without success) the following rule: > > -A FORWARD -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT > > ------------------------------------------ > > The trouble continues: from inside a proxy, I can't access to the > Apache server (I can access, for instance, via ssh). If I quit > iptables, all works fine > > Thanks for your interest. > > Javier > > > > On 17/12/2008, Mart Frauenlob <mart.frauenlob@chello.at> wrote: >> Javi Legido wrote: >>> Hi. >>> >>> I have the following schema: >>> >>> [A] >>> >>> [Pc] (80) => (80) [Router] (80) => (80) [Server] >>> >>> [B] >>> >>> [Pc] (80) => (80) [Proxy] ¿? => (80) [Router] (80) => (80) [Server] >>> >>> More data: >>> >>> -The server has iptables and Apache >>> -The router has port 80 tcp redirected to the server >>> >>> Troubleshooting: >>> >>> -When I 'switch on' iptables, schema [B] fails (schema [A] always works >>> fine) >>> -When I 'switch off' iptables, schema [B] works fine >>> >>> The output: >>> >>> ************************ iptables -S *************************** >>> >>> -P INPUT ACCEPT >>> -P FORWARD ACCEPT >>> -P OUTPUT ACCEPT >>> -A INPUT -s public_ip_1/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT >>> -A INPUT -s public_ip_1/32 -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT >>> -A INPUT -s 192.168.1.31/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT >>> -A INPUT -s 192.168.1.30/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT >>> -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT >>> -A INPUT -i eth0 -p tcp -m tcp --sport 80 -j ACCEPT >>> -A INPUT -i eth0 -p tcp -m tcp --dport 4080 -j ACCEPT >>> -A INPUT -i eth0 -p udp -m udp --dport 4080 -j ACCEPT >>> -A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT >>> -A INPUT -i eth0 -p udp -m udp --dport 21 -j ACCEPT >>> -A INPUT -i eth0 -p udp -m udp --sport 53 -j ACCEPT >>> -A INPUT -i eth0 -p tcp -m tcp --sport 23 -j ACCEPT >>> -A INPUT -i lo -j ACCEPT >>> -A INPUT -j LOG --log-prefix "INPUT_" >>> -A INPUT -j REJECT --reject-with icmp-port-unreachable >>> -A FORWARD -p tcp -m tcp --dport 9999 -j ACCEPT >>> -A FORWARD -p tcp -m tcp --dport 6882 -j ACCEPT >>> -A FORWARD -p udp -m udp --dport 5865 -j ACCEPT >>> -A FORWARD -p tcp -m tcp --dport 5865 -j ACCEPT >>> -A FORWARD -p udp -m udp --dport 8443 -j ACCEPT >>> -A FORWARD -p tcp -m tcp --dport 8443 -j ACCEPT >>> -A FORWARD -p udp -m udp --dport 4666 -j ACCEPT >>> -A FORWARD -p tcp -m tcp --dport 4662 -j ACCEPT >>> -A FORWARD -j LOG --log-prefix "FORWARD" >>> -A FORWARD -j REJECT --reject-with icmp-port-unreachable >>> -A OUTPUT -o lo -j ACCEPT >>> >>> ******************** /var/log/messages **************************** >>> >>> Dec 17 12:32:24 servidor kernel: [1120947.846431] INPUT_IN=eth0 OUT= >>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=56 >>> TOS=0x00 PREC=0x00 TTL=155 ID=31428 PROTO=ICMP TYPE=3 CODE=4 >>> [SRC=192.168.1.2 DST=public_ip_1 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 >>> ID=16093 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492 >>> Dec 17 12:32:54 servidor kernel: [1120979.925513] INPUT_IN=eth0 OUT= >>> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 >>> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 >>> WINDOW=5792 RES=0x00 ACK SYN URGP=0 >>> Dec 17 12:32:57 servidor kernel: [1120983.069334] INPUT_IN=eth0 OUT= >>> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 >>> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 >>> WINDOW=5792 RES=0x00 ACK SYN URGP=0 >>> Dec 17 12:32:57 servidor kernel: [1120983.693341] INPUT_IN=eth0 OUT= >>> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 >>> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 >>> WINDOW=5792 RES=0x00 ACK SYN URGP=0 >>> Dec 17 12:33:03 servidor kernel: [1120989.596154] INPUT_IN=eth0 OUT= >>> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 >>> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 >>> WINDOW=5792 RES=0x00 ACK SYN URGP=0 >>> Dec 17 12:33:03 servidor kernel: [1120990.224560] INPUT_IN=eth0 OUT= >>> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 >>> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 >>> WINDOW=5792 RES=0x00 ACK SYN URGP=0 >>> Dec 17 12:33:15 servidor kernel: [1121001.913149] INPUT_IN=eth0 OUT= >>> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 >>> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 >>> WINDOW=5792 RES=0x00 ACK SYN URGP=0 >>> Dec 17 12:33:15 servidor kernel: [1121002.550066] INPUT_IN=eth0 OUT= >>> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 >>> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 >>> WINDOW=5792 RES=0x00 ACK SYN URGP=0 >>> Dec 17 12:33:45 servidor kernel: [1121033.566738] INPUT_IN=eth0 OUT= >>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 >>> TOS=0x00 PREC=0x00 TTL=128 ID=31434 PROTO=ICMP TYPE=0 CODE=0 ID=33569 >>> SEQ=1 >>> Dec 17 12:33:46 servidor kernel: [1121034.571848] INPUT_IN=eth0 OUT= >>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 >>> TOS=0x00 PREC=0x00 TTL=128 ID=31435 PROTO=ICMP TYPE=0 CODE=0 ID=33569 >>> SEQ=2 >>> Dec 17 12:33:47 servidor kernel: [1121035.592819] INPUT_IN=eth0 OUT= >>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 >>> TOS=0x00 PREC=0x00 TTL=128 ID=31436 PROTO=ICMP TYPE=0 CODE=0 ID=33569 >>> SEQ=3 >>> Dec 17 12:33:48 servidor kernel: [1121036.789595] INPUT_IN=eth0 OUT= >>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 >>> TOS=0x00 PREC=0x00 TTL=128 ID=31437 PROTO=ICMP TYPE=0 CODE=0 ID=33569 >>> SEQ=4 >>> Dec 17 12:33:49 servidor kernel: [1121037.817587] INPUT_IN=eth0 OUT= >>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 >>> TOS=0x00 PREC=0x00 TTL=128 ID=31438 PROTO=ICMP TYPE=0 CODE=0 ID=33569 >>> SEQ=5 >>> Dec 17 12:33:50 servidor kernel: [1121038.945584] INPUT_IN=eth0 OUT= >>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 >>> TOS=0x00 PREC=0x00 TTL=128 ID=31439 PROTO=ICMP TYPE=0 CODE=0 ID=33569 >>> SEQ=6 >>> Dec 17 12:33:51 servidor kernel: [1121039.974620] INPUT_IN=eth0 OUT= >>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 >>> TOS=0x00 PREC=0x00 TTL=128 ID=31440 PROTO=ICMP TYPE=0 CODE=0 ID=33569 >>> SEQ=7 >>> Dec 17 12:33:52 servidor kernel: [1121040.974610] INPUT_IN=eth0 OUT= >>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 >>> TOS=0x00 PREC=0x00 TTL=128 ID=31441 PROTO=ICMP TYPE=0 CODE=0 ID=33569 >>> SEQ=8 >>> Dec 17 12:33:53 servidor kernel: [1121041.978981] INPUT_IN=eth0 OUT= >>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 >>> TOS=0x00 PREC=0x00 TTL=128 ID=31442 PROTO=ICMP TYPE=0 CODE=0 ID=33569 >>> SEQ=9 >>> Dec 17 12:33:54 servidor kernel: [1121042.991844] INPUT_IN=eth0 OUT= >>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 >>> TOS=0x00 PREC=0x00 TTL=128 ID=31443 PROTO=ICMP TYPE=0 CODE=0 ID=33569 >>> SEQ=10 >>> >>> **************************************** end >>> *******************************************+ >>> >>> Notice there are 2 different ip's: public_ip_2 and public_ip_1. Maybe >>> there is the key... >>> >>> Can anybody helps me to make iptables let pass the traffic to the schema >>> [B]? >>> >>> PD: I tested two simillar schemas [b]: two machines from inside a >>> proxy, and the two machines failed to connect to server. >>> >>> Thanks in advice. >>> >>> Javier >>> -- >>> To unsubscribe from this list: send the line "unsubscribe netfilter" in >>> the body of a message to majordomo@vger.kernel.org >>> More majordomo info at http://vger.kernel.org/majordomo-info.html >>> >>> >> hello, >> >> you say traffic on port 80 is redirected. how? >> i do not see any DNAT rules. >> also if the destination address is changed by nat, the packets get >> routed over the other interface. >> that is why you need to allow the traffic in the FORWARD chain. >> i do not see any of those in your rules above. >> if i understand it correctly and you have two external interfaces on the >> router, there are no rules either. >> and with two external interfaces your routing could come into account. >> but you did not provide any >> information about that. >> >> greets >> >> mart >> >> > ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2008-12-22 13:57 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2008-12-17 13:30 Access from inside proxy to server with apache Javi Legido 2008-12-17 14:54 ` Gáspár Lajos 2008-12-17 19:51 ` Mart Frauenlob 2008-12-18 13:47 ` Javi Legido 2008-12-18 20:55 ` Mart Frauenlob 2008-12-22 13:57 ` Javi Legido
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.