* Access from inside proxy to server with apache
@ 2008-12-17 13:30 Javi Legido
  2008-12-17 14:54 ` Gáspár Lajos
  2008-12-17 19:51 ` Mart Frauenlob
  0 siblings, 2 replies; 6+ messages in thread
From: Javi Legido @ 2008-12-17 13:30 UTC (permalink / raw)
  To: Netfilter list

Hi.

I have the following schema:

[A]

[Pc] (80) => (80) [Router] (80) => (80) [Server]

[B]

[Pc] (80) => (80) [Proxy] ¿? => (80) [Router] (80) => (80) [Server]

More data:

-The server has iptables and Apache
-The router has port 80 tcp redirected to the server

Troubleshooting:

-When I 'switch on' iptables, schema [B] fails (schema [A] always works fine)
-When I 'switch off' iptables, schema [B] works fine

The output:

************************ iptables -S ***************************

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s public_ip_1/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s public_ip_1/32 -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 192.168.1.31/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.1.30/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 4080 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 4080 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 23 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT_"
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p tcp -m tcp --dport 9999 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 6882 -j ACCEPT
-A FORWARD -p udp -m udp --dport 5865 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 5865 -j ACCEPT
-A FORWARD -p udp -m udp --dport 8443 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 8443 -j ACCEPT
-A FORWARD -p udp -m udp --dport 4666 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 4662 -j ACCEPT
-A FORWARD -j LOG --log-prefix "FORWARD"
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT

******************** /var/log/messages ****************************

Dec 17 12:32:24 servidor kernel: [1120947.846431] INPUT_IN=eth0 OUT=
MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=56
TOS=0x00 PREC=0x00 TTL=155 ID=31428 PROTO=ICMP TYPE=3 CODE=4
[SRC=192.168.1.2 DST=public_ip_1 LEN=1500 TOS=0x00 PREC=0x00 TTL=63
ID=16093 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492
Dec 17 12:32:54 servidor kernel: [1120979.925513] INPUT_IN=eth0 OUT=
MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60
TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202
WINDOW=5792 RES=0x00 ACK SYN URGP=0
Dec 17 12:32:57 servidor kernel: [1120983.069334] INPUT_IN=eth0 OUT=
MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60
TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202
WINDOW=5792 RES=0x00 ACK SYN URGP=0
Dec 17 12:32:57 servidor kernel: [1120983.693341] INPUT_IN=eth0 OUT=
MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60
TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202
WINDOW=5792 RES=0x00 ACK SYN URGP=0
Dec 17 12:33:03 servidor kernel: [1120989.596154] INPUT_IN=eth0 OUT=
MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60
TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202
WINDOW=5792 RES=0x00 ACK SYN URGP=0
Dec 17 12:33:03 servidor kernel: [1120990.224560] INPUT_IN=eth0 OUT=
MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60
TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202
WINDOW=5792 RES=0x00 ACK SYN URGP=0
Dec 17 12:33:15 servidor kernel: [1121001.913149] INPUT_IN=eth0 OUT=
MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60
TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202
WINDOW=5792 RES=0x00 ACK SYN URGP=0
Dec 17 12:33:15 servidor kernel: [1121002.550066] INPUT_IN=eth0 OUT=
MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60
TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202
WINDOW=5792 RES=0x00 ACK SYN URGP=0
Dec 17 12:33:45 servidor kernel: [1121033.566738] INPUT_IN=eth0 OUT=
MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
TOS=0x00 PREC=0x00 TTL=128 ID=31434 PROTO=ICMP TYPE=0 CODE=0 ID=33569
SEQ=1
Dec 17 12:33:46 servidor kernel: [1121034.571848] INPUT_IN=eth0 OUT=
MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
TOS=0x00 PREC=0x00 TTL=128 ID=31435 PROTO=ICMP TYPE=0 CODE=0 ID=33569
SEQ=2
Dec 17 12:33:47 servidor kernel: [1121035.592819] INPUT_IN=eth0 OUT=
MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
TOS=0x00 PREC=0x00 TTL=128 ID=31436 PROTO=ICMP TYPE=0 CODE=0 ID=33569
SEQ=3
Dec 17 12:33:48 servidor kernel: [1121036.789595] INPUT_IN=eth0 OUT=
MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
TOS=0x00 PREC=0x00 TTL=128 ID=31437 PROTO=ICMP TYPE=0 CODE=0 ID=33569
SEQ=4
Dec 17 12:33:49 servidor kernel: [1121037.817587] INPUT_IN=eth0 OUT=
MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
TOS=0x00 PREC=0x00 TTL=128 ID=31438 PROTO=ICMP TYPE=0 CODE=0 ID=33569
SEQ=5
Dec 17 12:33:50 servidor kernel: [1121038.945584] INPUT_IN=eth0 OUT=
MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
TOS=0x00 PREC=0x00 TTL=128 ID=31439 PROTO=ICMP TYPE=0 CODE=0 ID=33569
SEQ=6
Dec 17 12:33:51 servidor kernel: [1121039.974620] INPUT_IN=eth0 OUT=
MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
TOS=0x00 PREC=0x00 TTL=128 ID=31440 PROTO=ICMP TYPE=0 CODE=0 ID=33569
SEQ=7
Dec 17 12:33:52 servidor kernel: [1121040.974610] INPUT_IN=eth0 OUT=
MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
TOS=0x00 PREC=0x00 TTL=128 ID=31441 PROTO=ICMP TYPE=0 CODE=0 ID=33569
SEQ=8
Dec 17 12:33:53 servidor kernel: [1121041.978981] INPUT_IN=eth0 OUT=
MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
TOS=0x00 PREC=0x00 TTL=128 ID=31442 PROTO=ICMP TYPE=0 CODE=0 ID=33569
SEQ=9
Dec 17 12:33:54 servidor kernel: [1121042.991844] INPUT_IN=eth0 OUT=
MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
TOS=0x00 PREC=0x00 TTL=128 ID=31443 PROTO=ICMP TYPE=0 CODE=0 ID=33569
SEQ=10

**************************************** end *******************************************

Notice there are 2 different IPs: public_ip_2 and public_ip_1. Maybe
that is the key...

Can anybody help me make iptables let the traffic through for schema [B]?

PS: I tested two similar [B] schemas: two machines from inside a
proxy, and both machines failed to connect to the server.

Thanks in advance.

Javier

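As an added example (not part of the thread), the script below parses the LOG entries Javi posted, replays each one against the INPUT ACCEPT rules of his `iptables -S` output, and reports what a stateful `-m state --state ESTABLISHED,RELATED -j ACCEPT` rule, which that ruleset does not have, would have made of each rejected packet: the ICMP type 3 / code 4 (fragmentation needed, MTU=1492) report from the router, the SYN/ACK answering a connection from the server, and the echo replies. It assumes the server itself originated the flows those packets answer; `public_ip_1`, `public_ip_2` and the MAC strings are the post's own placeholders.

```python
"""Replay the post's logged INPUT packets against its ruleset and a stateful rule.

Added example, not from the thread.  Parses netfilter LOG lines as shown in the post,
checks which posted INPUT ACCEPT rule (if any) each logged packet matches, then asks
what '-m state --state ESTABLISHED,RELATED -j ACCEPT' (absent from the posted
ruleset) would have done.  public_ip_* and the MAC strings are the post's placeholders.
"""
import re

# Three entries from the post's /var/log/messages excerpt, re-joined onto single
# lines (the list archive wrapped them).
SAMPLE_LOG = """\
Dec 17 12:32:24 servidor kernel: [1120947.846431] INPUT_IN=eth0 OUT= MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=31428 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.1.2 DST=public_ip_1 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=16093 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492
Dec 17 12:32:54 servidor kernel: [1120979.925513] INPUT_IN=eth0 OUT= MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202 WINDOW=5792 RES=0x00 ACK SYN URGP=0
Dec 17 12:33:45 servidor kernel: [1121033.566738] INPUT_IN=eth0 OUT= MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=31434 PROTO=ICMP TYPE=0 CODE=0 ID=33569 SEQ=1
"""

# The '-A INPUT -i eth0 ... -j ACCEPT' rules of the posted 'iptables -S', in order.
# All logged packets arrived on eth0, so -i eth0 is implied and '-i lo' is omitted.
INPUT_RULES = [
    {"src": "public_ip_1", "proto": "TCP", "dport": 22},
    {"src": "public_ip_1", "proto": "TCP", "dport": 443},
    {"src": "192.168.1.31", "proto": "TCP", "dport": 22},
    {"src": "192.168.1.30", "proto": "TCP", "dport": 22},
    {"proto": "TCP", "dport": 80},
    {"proto": "TCP", "sport": 80},
    {"proto": "TCP", "dport": 4080},
    {"proto": "UDP", "dport": 4080},
    {"proto": "TCP", "dport": 21},
    {"proto": "UDP", "dport": 21},
    {"proto": "UDP", "sport": 53},
    {"proto": "TCP", "sport": 23},
]

_INNER = re.compile(r"\[(SRC=.*)\]")  # offending packet's header inside an ICMP error
_INCOMPLETE = re.compile(r"INCOMPLETE \[\d+ bytes\]")


def _fields(text):
    """Split KEY=VALUE tokens into a dict and bare tokens (DF, SYN, ACK...) into a set."""
    kv, flags = {}, set()
    for tok in _INCOMPLETE.sub("INCOMPLETE", text).split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            kv.setdefault(k, v)  # keep the IP header's ID=, not the later ICMP ID=
        else:
            flags.add(tok)
    return kv, flags


def parse_log_line(line):
    """Parse one 'INPUT_' LOG line into outer fields, flags and any quoted ICMP inner header."""
    body = line[line.index("INPUT_") + len("INPUT_"):]
    inner = None
    m = _INNER.search(body)
    if m:
        inner_kv, inner_flags = _fields(m.group(1))
        inner = {"fields": inner_kv, "flags": inner_flags}
        body = body[:m.start()] + body[m.end():]
    kv, flags = _fields(body)
    return {"fields": kv, "flags": flags, "inner": inner}


def first_matching_rule(pkt):
    """Index of the first posted ACCEPT rule the packet matches; None = fell through to LOG/REJECT."""
    f = pkt["fields"]
    for i, r in enumerate(INPUT_RULES):
        if (r["proto"] == f.get("PROTO")
                and r.get("src", f.get("SRC")) == f.get("SRC")
                and str(r.get("dport", f.get("DPT"))) == f.get("DPT")
                and str(r.get("sport", f.get("SPT"))) == f.get("SPT")):
            return i
    return None


def conntrack_state(pkt):
    """State a '--state ESTABLISHED,RELATED' match would see, inferred from the packet
    alone.  Assumes the server itself originated the flow this packet answers."""
    f, flags, inner = pkt["fields"], pkt["flags"], pkt["inner"]
    proto, icmp_type = f.get("PROTO"), f.get("TYPE")
    if proto == "ICMP" and icmp_type == "3" and inner and inner["fields"].get("SRC") == f.get("DST"):
        return "RELATED"  # ICMP error about a packet this host sent
    if proto == "ICMP" and icmp_type == "0":
        return "ESTABLISHED"  # echo reply to an echo request this host sent
    if proto == "TCP" and {"SYN", "ACK"} <= flags:
        return "ESTABLISHED"  # SYN/ACK answering a SYN this host sent
    return None


def analyse(log_text):
    """One verdict per LOG line: matched rule (None for every line the kernel really
    logged) plus the conntrack state an unmatched packet would carry."""
    out = []
    for ln in (x for x in log_text.splitlines() if "INPUT_" in x):
        pkt = parse_log_line(ln)
        rule = first_matching_rule(pkt)
        entry = {"src": pkt["fields"].get("SRC"), "proto": pkt["fields"].get("PROTO"),
                 "matched_rule": rule,
                 "state": None if rule is not None else conntrack_state(pkt)}
        if pkt["inner"] and "MTU" in pkt["fields"]:
            # ICMP 3/4 "fragmentation needed": (size of the bounced DF packet, MTU of the link)
            entry["pmtu"] = (int(pkt["inner"]["fields"]["LEN"]), int(pkt["fields"]["MTU"]))
        out.append(entry)
    return out
```

Every line the kernel logged comes back with `matched_rule` None, which is exactly what reaching the LOG rule means; the `state` column shows which of those a conntrack-based rule would have accepted instead.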

* Re: Access from inside proxy to server with apache
  2008-12-17 13:30 Access from inside proxy to server with apache Javi Legido
@ 2008-12-17 14:54 ` Gáspár Lajos
  2008-12-17 19:51 ` Mart Frauenlob
  1 sibling, 0 replies; 6+ messages in thread
From: Gáspár Lajos @ 2008-12-17 14:54 UTC (permalink / raw)
  To: Javi Legido; +Cc: Netfilter list

Hi,

Javi Legido wrote:
> Hi.
>
> I have the following schema:
>
> [A]
>
> [Pc] (80) => (80) [Router] (80) => (80) [Server]
>
> [B]
>
> [Pc] (80) => (80) [Proxy] ?? => (80) [Router] (80) => (80) [Server]
>
> More data:
>
> -The server has iptables and Apache
> -The router has port 80 tcp redirected to the server
>
> Troubleshooting:
>
> -When I 'switch on' iptables, schema [B] fails (schema [A] always works fine)
> -When I 'switch off' iptables, schema [B] works fine
>
>   
...
> Dec 17 12:32:24 servidor kernel: [1120947.846431] INPUT_IN=eth0 OUT=
> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=56
> TOS=0x00 PREC=0x00 TTL=155 ID=31428 PROTO=ICMP TYPE=3 CODE=4
> [SRC=192.168.1.2 DST=public_ip_1 LEN=1500 TOS=0x00 PREC=0x00 TTL=63
> ID=16093 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492
> Dec 17 12:32:54 servidor kernel: [1120979.925513] INPUT_IN=eth0 OUT=
> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60
> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202
> WINDOW=5792 RES=0x00 ACK SYN URGP=0
> Dec 17 12:32:57 servidor kernel: [1120983.069334] INPUT_IN=eth0 OUT=
> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60
> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202
> WINDOW=5792 RES=0x00 ACK SYN URGP=0
> Dec 17 12:32:57 servidor kernel: [1120983.693341] INPUT_IN=eth0 OUT=
> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60
> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202
> WINDOW=5792 RES=0x00 ACK SYN URGP=0
> Dec 17 12:33:03 servidor kernel: [1120989.596154] INPUT_IN=eth0 OUT=
> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60
> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202
> WINDOW=5792 RES=0x00 ACK SYN URGP=0
> Dec 17 12:33:03 servidor kernel: [1120990.224560] INPUT_IN=eth0 OUT=
> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60
> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202
> WINDOW=5792 RES=0x00 ACK SYN URGP=0
> Dec 17 12:33:15 servidor kernel: [1121001.913149] INPUT_IN=eth0 OUT=
> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60
> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202
> WINDOW=5792 RES=0x00 ACK SYN URGP=0
> Dec 17 12:33:15 servidor kernel: [1121002.550066] INPUT_IN=eth0 OUT=
> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60
> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202
> WINDOW=5792 RES=0x00 ACK SYN URGP=0
> Dec 17 12:33:45 servidor kernel: [1121033.566738] INPUT_IN=eth0 OUT=
> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
> TOS=0x00 PREC=0x00 TTL=128 ID=31434 PROTO=ICMP TYPE=0 CODE=0 ID=33569
> SEQ=1
> Dec 17 12:33:46 servidor kernel: [1121034.571848] INPUT_IN=eth0 OUT=
> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
> TOS=0x00 PREC=0x00 TTL=128 ID=31435 PROTO=ICMP TYPE=0 CODE=0 ID=33569
> SEQ=2
> Dec 17 12:33:47 servidor kernel: [1121035.592819] INPUT_IN=eth0 OUT=
> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
> TOS=0x00 PREC=0x00 TTL=128 ID=31436 PROTO=ICMP TYPE=0 CODE=0 ID=33569
> SEQ=3
> Dec 17 12:33:48 servidor kernel: [1121036.789595] INPUT_IN=eth0 OUT=
> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
> TOS=0x00 PREC=0x00 TTL=128 ID=31437 PROTO=ICMP TYPE=0 CODE=0 ID=33569
> SEQ=4
> Dec 17 12:33:49 servidor kernel: [1121037.817587] INPUT_IN=eth0 OUT=
> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
> TOS=0x00 PREC=0x00 TTL=128 ID=31438 PROTO=ICMP TYPE=0 CODE=0 ID=33569
> SEQ=5
> Dec 17 12:33:50 servidor kernel: [1121038.945584] INPUT_IN=eth0 OUT=
> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
> TOS=0x00 PREC=0x00 TTL=128 ID=31439 PROTO=ICMP TYPE=0 CODE=0 ID=33569
> SEQ=6
> Dec 17 12:33:51 servidor kernel: [1121039.974620] INPUT_IN=eth0 OUT=
> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
> TOS=0x00 PREC=0x00 TTL=128 ID=31440 PROTO=ICMP TYPE=0 CODE=0 ID=33569
> SEQ=7
> Dec 17 12:33:52 servidor kernel: [1121040.974610] INPUT_IN=eth0 OUT=
> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
> TOS=0x00 PREC=0x00 TTL=128 ID=31441 PROTO=ICMP TYPE=0 CODE=0 ID=33569
> SEQ=8
> Dec 17 12:33:53 servidor kernel: [1121041.978981] INPUT_IN=eth0 OUT=
> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
> TOS=0x00 PREC=0x00 TTL=128 ID=31442 PROTO=ICMP TYPE=0 CODE=0 ID=33569
> SEQ=9
> Dec 17 12:33:54 servidor kernel: [1121042.991844] INPUT_IN=eth0 OUT=
> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
> TOS=0x00 PREC=0x00 TTL=128 ID=31443 PROTO=ICMP TYPE=0 CODE=0 ID=33569
> SEQ=10
>   
I do not see any http activity (port 80, SPT=80 or DPT=80) in this log....

Swifty



* Re: Access from inside proxy to server with apache
  2008-12-17 13:30 Access from inside proxy to server with apache Javi Legido
  2008-12-17 14:54 ` Gáspár Lajos
@ 2008-12-17 19:51 ` Mart Frauenlob
  2008-12-18 13:47   ` Javi Legido
  1 sibling, 1 reply; 6+ messages in thread
From: Mart Frauenlob @ 2008-12-17 19:51 UTC (permalink / raw)
  To: netfilter; +Cc: Javi Legido

Javi Legido wrote:
> Hi.
>
> I have the following schema:
>
> [A]
>
> [Pc] (80) => (80) [Router] (80) => (80) [Server]
>
> [B]
>
> [Pc] (80) => (80) [Proxy] ¿? => (80) [Router] (80) => (80) [Server]
>
> More data:
>
> -The server has iptables and Apache
> -The router has port 80 tcp redirected to the server
>
> Troubleshooting:
>
> -When I 'switch on' iptables, schema [B] fails (schema [A] always works fine)
> -When I 'switch off' iptables, schema [B] works fine
>
> [iptables -S output and /var/log/messages excerpt quoted in full; see the original message above]
>
> Notice there are 2 different ip's: public_ip_2 and public_ip_1. Maybe
> there is the key...
>
> Can anybody helps me to make iptables let pass the traffic to the schema [B]?
>
> PD: I tested two simillar schemas [b]: two machines from inside a
> proxy, and the two machines failed to connect to server.
>
> Thanks in advice.
>
> Javier
>
Hello,

You say traffic on port 80 is redirected. How?
I do not see any DNAT rules.
Also, if the destination address is changed by NAT, the packets get
routed over the other interface.
That is why you need to allow the traffic in the FORWARD chain.
I do not see any of those in your rules above.
If I understand it correctly and you have two external interfaces on the
router, there are no rules either.
And with two external interfaces your routing could come into play,
but you did not provide any information about that.

greets

mart



* Re: Access from inside proxy to server with apache
  2008-12-17 19:51 ` Mart Frauenlob
@ 2008-12-18 13:47   ` Javi Legido
  2008-12-18 20:55     ` Mart Frauenlob
  2008-12-22 13:57     ` Javi Legido
  0 siblings, 2 replies; 6+ messages in thread
From: Javi Legido @ 2008-12-18 13:47 UTC (permalink / raw)
  To: netfilter

>>you say traffic on port 80 is redirected. how?

[A]

[Pc] (80) => (80) [Router] (80) => (80) [Server]

The router does NAT. I repeat: if I disable iptables, everything works fine,
so I assume the router's NAT works.

>> also if the destination address is changed by nat, the packets get routed over the other
>> interface.
>> that is why you need to allow the traffic in the FORWARD chain.
>> i do not see any of those in your rules above.

I added (without success) the following rule:

-A FORWARD -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT

------------------------------------------

The trouble continues: from inside a proxy, I can't access the
Apache server (I can access it via ssh, for instance). If I disable
iptables, everything works fine.

Thanks for your interest.

Javier



* Re: Access from inside proxy to server with apache
  2008-12-18 13:47   ` Javi Legido
@ 2008-12-18 20:55     ` Mart Frauenlob
  2008-12-22 13:57     ` Javi Legido
  1 sibling, 0 replies; 6+ messages in thread
From: Mart Frauenlob @ 2008-12-18 20:55 UTC (permalink / raw)
  To: netfilter

Javi Legido wrote:
>>> you say traffic on port 80 is redirected. how?
>>>       
>
> [A]
>
> [Pc] (80) => (80) [Router] (80) => (80) [Server]
>
> The router does NAT. I repeat: if i quit iptables, all works fine,
> then I assume router NAT works
>
>   
>>> also if the destination address is changed by nat, the packets get routed over the other
>>> interface.
>>> that is why you need to allow the traffic in the FORWARD chain.
>>> i do not see any of those in your rules above.
>>>       
>
> I added (without success) the following rule:
>
> -A FORWARD -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
>
> ------------------------------------------
>
> The trouble continues: from inside a proxy, I can't access to the
> Apache server (I can access, for instance, via ssh). If I quit
> iptables, all works fine
>
> Thanks for your interest.
>
> Javier
>
>
>
>>> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202
>>> WINDOW=5792 RES=0x00 ACK SYN URGP=0
>>> Dec 17 12:33:15 servidor kernel: [1121001.913149] INPUT_IN=eth0 OUT=
>>> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60
>>> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202
>>> WINDOW=5792 RES=0x00 ACK SYN URGP=0
>>> Dec 17 12:33:15 servidor kernel: [1121002.550066] INPUT_IN=eth0 OUT=
>>> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60
>>> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202
>>> WINDOW=5792 RES=0x00 ACK SYN URGP=0
>>> Dec 17 12:33:45 servidor kernel: [1121033.566738] INPUT_IN=eth0 OUT=
>>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
>>> TOS=0x00 PREC=0x00 TTL=128 ID=31434 PROTO=ICMP TYPE=0 CODE=0 ID=33569
>>> SEQ=1
>>> Dec 17 12:33:46 servidor kernel: [1121034.571848] INPUT_IN=eth0 OUT=
>>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
>>> TOS=0x00 PREC=0x00 TTL=128 ID=31435 PROTO=ICMP TYPE=0 CODE=0 ID=33569
>>> SEQ=2
>>> Dec 17 12:33:47 servidor kernel: [1121035.592819] INPUT_IN=eth0 OUT=
>>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
>>> TOS=0x00 PREC=0x00 TTL=128 ID=31436 PROTO=ICMP TYPE=0 CODE=0 ID=33569
>>> SEQ=3
>>> Dec 17 12:33:48 servidor kernel: [1121036.789595] INPUT_IN=eth0 OUT=
>>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
>>> TOS=0x00 PREC=0x00 TTL=128 ID=31437 PROTO=ICMP TYPE=0 CODE=0 ID=33569
>>> SEQ=4
>>> Dec 17 12:33:49 servidor kernel: [1121037.817587] INPUT_IN=eth0 OUT=
>>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
>>> TOS=0x00 PREC=0x00 TTL=128 ID=31438 PROTO=ICMP TYPE=0 CODE=0 ID=33569
>>> SEQ=5
>>> Dec 17 12:33:50 servidor kernel: [1121038.945584] INPUT_IN=eth0 OUT=
>>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
>>> TOS=0x00 PREC=0x00 TTL=128 ID=31439 PROTO=ICMP TYPE=0 CODE=0 ID=33569
>>> SEQ=6
>>> Dec 17 12:33:51 servidor kernel: [1121039.974620] INPUT_IN=eth0 OUT=
>>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
>>> TOS=0x00 PREC=0x00 TTL=128 ID=31440 PROTO=ICMP TYPE=0 CODE=0 ID=33569
>>> SEQ=7
>>> Dec 17 12:33:52 servidor kernel: [1121040.974610] INPUT_IN=eth0 OUT=
>>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
>>> TOS=0x00 PREC=0x00 TTL=128 ID=31441 PROTO=ICMP TYPE=0 CODE=0 ID=33569
>>> SEQ=8
>>> Dec 17 12:33:53 servidor kernel: [1121041.978981] INPUT_IN=eth0 OUT=
>>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
>>> TOS=0x00 PREC=0x00 TTL=128 ID=31442 PROTO=ICMP TYPE=0 CODE=0 ID=33569
>>> SEQ=9
>>> Dec 17 12:33:54 servidor kernel: [1121042.991844] INPUT_IN=eth0 OUT=
>>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
>>> TOS=0x00 PREC=0x00 TTL=128 ID=31443 PROTO=ICMP TYPE=0 CODE=0 ID=33569
>>> SEQ=10
>>>
>>> **************************************** end
>>> *******************************************+
>>>
>>> Notice there are 2 different ip's: public_ip_2 and public_ip_1. Maybe
>>> there is the key...
>>>
>>> Can anybody help me to make iptables let pass the traffic to the schema
>>> [B]?
>>>
>>> PD: I tested two similar schemas [b]: two machines from inside a
>>> proxy, and the two machines failed to connect to server.
>>>
>>> Thanks in advice.
>>>
>>> Javier
>>> --
>>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>>> the body of a message to majordomo@vger.kernel.org
>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>>       
>> hello,
>>
>> you say traffic on port 80 is redirected. how?
>> i do not see any DNAT rules.
>> also if the destination address is changed by nat, the packets get
>> routed over the other interface.
>> that is why you need to allow the traffic in the FORWARD chain.
>> i do not see any of those in your rules above.
>> if i understand it correctly and you have two external interfaces on the
>> router, there are no rules either.
>> and with two external interfaces your routing could come into account.
>> but you did not provide any
>> information about that.
>>
>> greets
>>
>> mart
>>
>>     

hello,

sorry i got you wrong. i assumed the router is running iptables too.
hence the forward rules are not required, only the INPUT and OUTPUT 
chain matter in that case.

as we do not see any of the traffic to port 80 in the log,
the rule to port 80 in INPUT chain allows incoming,
your OUTPUT policy is ACCEPT,
it should not block the traffic.

don't you have any entries in the log including `DPT=80'?

A usual browser to http server traffic would be from unprivileged ports 
1024-above to port 80 and vice versa.
I'm not sure if that is what you are trying to do? you want to browse a 
website on the server, right?
iptables -A INPUT -p tcp --sport 1024: --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 --dport 1024: -j ACCEPT

should be a matching rule.

greets
mart

setting policies to accept and just do a reject is maybe a bit unusual.


* Re: Access from inside proxy to server with apache
  2008-12-18 13:47   ` Javi Legido
  2008-12-18 20:55     ` Mart Frauenlob
@ 2008-12-22 13:57     ` Javi Legido
  1 sibling, 0 replies; 6+ messages in thread
From: Javi Legido @ 2008-12-22 13:57 UTC (permalink / raw)
  To: netfilter

Once again:

I have this schema:

[B]

[Pc] (80) => (80) [Proxy] ¿? => (80) [Router] (80) => (80) [Server]

No matter          proxy_out_ip           192.168.1.1             192.168.1.2

The router 'nats' port 80, 22, ... from outside to Server.

I can't access from Pc to Server (trying to display an http page from
the Apache server). I can access:

-From other pc not inside a proxy
-Via ssh from Pc to Server

If I 'shut down' iptables, I can access from Pc to Server

The /var/log/messages log:

Dec 22 14:30:55 servidor kernel: [117607.138711] INPUT_IN=eth0 OUT=
MAC=192_168_1_2_MAC:00:01:38:da:5c:e9:08:00 SRC=192.168.1.1
DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=3450 PROTO=ICMP
TYPE=3 CODE=4 [SRC=192.168.1.2 DST=proxy_out_ip LEN=1500 TOS=0x00
PREC=0x00 TTL=63 ID=36562 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492
Dec 22 14:30:55 servidor kernel: [117607.138753] INPUT_IN=eth0 OUT=
MAC=192_168_1_2_MAC:00:01:38:da:5c:e9:08:00 SRC=192.168.1.1
DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=3451 PROTO=ICMP
TYPE=3 CODE=4 [SRC=192.168.1.2 DST=proxy_out_ip LEN=1500 TOS=0x00
PREC=0x00 TTL=63 ID=36562 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492
Dec 22 14:30:55 servidor kernel: [117607.427453] INPUT_IN=eth0 OUT=
MAC=192_168_1_2_MAC:00:01:38:da:5c:e9:08:00 SRC=192.168.1.1
DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=3452 PROTO=ICMP
TYPE=3 CODE=4 [SRC=192.168.1.2 DST=proxy_out_ip LEN=1500 TOS=0x00
PREC=0x00 TTL=63 ID=36564 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492
Dec 22 14:30:56 servidor kernel: [117607.971455] INPUT_IN=eth0 OUT=
MAC=192_168_1_2_MAC:00:01:38:da:5c:e9:08:00 SRC=192.168.1.1
DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=3453 PROTO=ICMP
TYPE=3 CODE=4 [SRC=192.168.1.2 DST=proxy_out_ip LEN=1500 TOS=0x00
PREC=0x00 TTL=63 ID=36565 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492
Dec 22 14:30:57 servidor kernel: [117609.059455] INPUT_IN=eth0 OUT=
MAC=192_168_1_2_MAC:00:01:38:da:5c:e9:08:00 SRC=192.168.1.1
DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=3454 PROTO=ICMP
TYPE=3 CODE=4 [SRC=192.168.1.2 DST=proxy_out_ip LEN=1500 TOS=0x00
PREC=0x00 TTL=63 ID=36566 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492
Dec 22 14:30:59 servidor kernel: [117611.330798] INPUT_IN=eth0 OUT=
MAC=192_168_1_2_MAC:00:01:38:da:5c:e9:08:00 SRC=192.168.1.1
DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=3455 PROTO=ICMP
TYPE=3 CODE=4 [SRC=192.168.1.2 DST=proxy_out_ip LEN=1500 TOS=0x00
PREC=0x00 TTL=63 ID=36567 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492
Dec 22 14:31:03 servidor kernel: [117615.983963] INPUT_IN=eth0 OUT=
MAC=192_168_1_2_MAC:00:01:38:da:5c:e9:08:00 SRC=192.168.1.1
DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=3456 PROTO=ICMP
TYPE=3 CODE=4 [SRC=192.168.1.2 DST=proxy_out_ip LEN=1500 TOS=0x00
PREC=0x00 TTL=63 ID=36568 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492
Dec 22 14:31:12 servidor kernel: [117624.939056] INPUT_IN=eth0 OUT=
MAC=192_168_1_2_MAC:00:01:38:da:5c:e9:08:00 SRC=192.168.1.1
DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=3457 PROTO=ICMP
TYPE=3 CODE=4 [SRC=192.168.1.2 DST=proxy_out_ip LEN=1500 TOS=0x00
PREC=0x00 TTL=63 ID=36569 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492
Dec 22 14:31:29 servidor kernel: [117643.902748] INPUT_IN=eth0 OUT=
MAC=192_168_1_2_MAC:00:01:38:da:5c:e9:08:00 SRC=192.168.1.1
DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=3458 PROTO=ICMP
TYPE=3 CODE=4 [SRC=192.168.1.2 DST=proxy_out_ip LEN=1500 TOS=0x00
PREC=0x00 TTL=63 ID=36570 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492
Dec 22 14:32:04 servidor kernel: [117684.519431] INPUT_IN=eth0 OUT=
MAC=192_168_1_2_MAC:00:01:38:da:5c:e9:08:00 SRC=192.168.1.1
DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=3462 PROTO=ICMP
TYPE=3 CODE=4 [SRC=192.168.1.2 DST=proxy_out_ip LEN=1500 TOS=0x00
PREC=0x00 TTL=63 ID=36571 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492
Dec 22 14:33:54 servidor kernel: [117808.239771] INPUT_IN=eth0 OUT=
MAC=192_168_1_2_MAC:00:01:38:da:5c:e9:08:00 SRC=192.168.1.1
DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=3470 PROTO=ICMP
TYPE=3 CODE=4 [SRC=192.168.1.2 DST=proxy_out_ip LEN=1500 TOS=0x00
PREC=0x00 TTL=63 ID=30858 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492
Dec 22 14:33:54 servidor kernel: [117808.239812] INPUT_IN=eth0 OUT=
MAC=192_168_1_2_MAC:00:01:38:da:5c:e9:08:00 SRC=192.168.1.1
DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=3471 PROTO=ICMP
TYPE=3 CODE=4 [SRC=192.168.1.2 DST=proxy_out_ip LEN=1500 TOS=0x00
PREC=0x00 TTL=63 ID=30858 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492
Dec 22 14:33:55 servidor kernel: [117808.511961] INPUT_IN=eth0 OUT=
MAC=192_168_1_2_MAC:00:01:38:da:5c:e9:08:00 SRC=192.168.1.1
DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=3472 PROTO=ICMP
TYPE=3 CODE=4 [SRC=192.168.1.2 DST=proxy_out_ip LEN=1500 TOS=0x00
PREC=0x00 TTL=63 ID=30860 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492
Dec 22 14:33:55 servidor kernel: [117809.276341] INPUT_IN=eth0 OUT=
MAC=192_168_1_2_MAC:00:01:38:da:5c:e9:08:00 SRC=192.168.1.1
DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=3473 PROTO=ICMP
TYPE=3 CODE=4 [SRC=192.168.1.2 DST=proxy_out_ip LEN=1500 TOS=0x00
PREC=0x00 TTL=63 ID=30861 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492
Dec 22 14:33:56 servidor kernel: [117810.537497] INPUT_IN=eth0 OUT=
MAC=192_168_1_2_MAC:00:01:38:da:5c:e9:08:00 SRC=192.168.1.1
DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=3474 PROTO=ICMP
TYPE=3 CODE=4 [SRC=192.168.1.2 DST=proxy_out_ip LEN=1500 TOS=0x00
PREC=0x00 TTL=63 ID=30862 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492
Dec 22 14:33:59 servidor kernel: [117813.014252] INPUT_IN=eth0 OUT=
MAC=192_168_1_2_MAC:00:01:38:da:5c:e9:08:00 SRC=192.168.1.1
DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=3475 PROTO=ICMP
TYPE=3 CODE=4 [SRC=192.168.1.2 DST=proxy_out_ip LEN=1500 TOS=0x00
PREC=0x00 TTL=63 ID=30863 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492
Dec 22 14:34:03 servidor kernel: [117818.310717] INPUT_IN=eth0 OUT=
MAC=192_168_1_2_MAC:00:01:38:da:5c:e9:08:00 SRC=192.168.1.1
DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=3476 PROTO=ICMP
TYPE=3 CODE=4 [SRC=192.168.1.2 DST=proxy_out_ip LEN=1500 TOS=0x00
PREC=0x00 TTL=63 ID=30864 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492
Dec 22 14:34:12 servidor kernel: [117828.414218] INPUT_IN=eth0 OUT=
MAC=192_168_1_2_MAC:00:01:38:da:5c:e9:08:00 SRC=192.168.1.1
DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=3477 PROTO=ICMP
TYPE=3 CODE=4 [SRC=192.168.1.2 DST=proxy_out_ip LEN=1500 TOS=0x00
PREC=0x00 TTL=63 ID=30865 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492
Dec 22 14:34:29 servidor kernel: [117848.339947] INPUT_IN=eth0 OUT=
MAC=192_168_1_2_MAC:00:01:38:da:5c:e9:08:00 SRC=192.168.1.1
DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=3478 PROTO=ICMP
TYPE=3 CODE=4 [SRC=192.168.1.2 DST=proxy_out_ip LEN=1500 TOS=0x00
PREC=0x00 TTL=63 ID=30866 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492
Dec 22 14:35:04 servidor kernel: [117890.700795] INPUT_IN=eth0 OUT=
MAC=192_168_1_2_MAC:00:01:38:da:5c:e9:08:00 SRC=192.168.1.1
DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=3480 PROTO=ICMP
TYPE=3 CODE=4 [SRC=192.168.1.2 DST=proxy_out_ip LEN=1500 TOS=0x00
PREC=0x00 TTL=63 ID=30867 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492

The iptables -S config:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s proxy_out_ip/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s proxy_out_ip/32 -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 4080 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 4080 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 23 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT_"
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p tcp -m tcp --dport 9999 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 6882 -j ACCEPT
-A FORWARD -p udp -m udp --dport 5865 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 5865 -j ACCEPT
-A FORWARD -p udp -m udp --dport 8443 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 8443 -j ACCEPT
-A FORWARD -p udp -m udp --dport 4666 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 4662 -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -j LOG --log-prefix "FORWARD"
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT

Can someone tell me how to 'open' iptables to get access from Pc (port
80) to Server (port 80)?

Thanks


On 18/12/2008, Javi Legido <javi@legido.com> wrote:
>>>you say traffic on port 80 is redirected. how?
>
> [A]
>
> [Pc] (80) => (80) [Router] (80) => (80) [Server]
>
> The router does NAT. I repeat: if I quit iptables, all works fine,
> then I assume router NAT works
>
>>> also if the destination address is changed by nat, the packets get routed
>>> over the other
>>> interface.
>>> that is why you need to allow the traffic in the FORWARD chain.
>>> i do not see any of those in your rules above.
>
> I added (without success) the following rule:
>
> -A FORWARD -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
>
> ------------------------------------------
>
> The trouble continues: from inside a proxy, I can't access the
> Apache server (I can access, for instance, via ssh). If I quit
> iptables, all works fine
>
> Thanks for your interest.
>
> Javier
>
>
>
> On 17/12/2008, Mart Frauenlob <mart.frauenlob@chello.at> wrote:
>> Javi Legido wrote:
>>> Hi.
>>>
>>> I have the following schema:
>>>
>>> [A]
>>>
>>> [Pc] (80) => (80) [Router] (80) => (80) [Server]
>>>
>>> [B]
>>>
>>> [Pc] (80) => (80) [Proxy] ¿? => (80) [Router] (80) => (80) [Server]
>>>
>>> More data:
>>>
>>> -The server has iptables and Apache
>>> -The router has port 80 tcp redirected to the server
>>>
>>> Troubleshooting:
>>>
>>> -When I 'switch on' iptables, schema [B] fails (schema [A] always works
>>> fine)
>>> -When I 'switch off' iptables, schema [B] works fine
>>>
>>> The output:
>>>
>>> ************************ iptables -S ***************************
>>>
>>> -P INPUT ACCEPT
>>> -P FORWARD ACCEPT
>>> -P OUTPUT ACCEPT
>>> -A INPUT -s public_ip_1/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
>>> -A INPUT -s public_ip_1/32 -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
>>> -A INPUT -s 192.168.1.31/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
>>> -A INPUT -s 192.168.1.30/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
>>> -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
>>> -A INPUT -i eth0 -p tcp -m tcp --sport 80 -j ACCEPT
>>> -A INPUT -i eth0 -p tcp -m tcp --dport 4080 -j ACCEPT
>>> -A INPUT -i eth0 -p udp -m udp --dport 4080 -j ACCEPT
>>> -A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
>>> -A INPUT -i eth0 -p udp -m udp --dport 21 -j ACCEPT
>>> -A INPUT -i eth0 -p udp -m udp --sport 53 -j ACCEPT
>>> -A INPUT -i eth0 -p tcp -m tcp --sport 23 -j ACCEPT
>>> -A INPUT -i lo -j ACCEPT
>>> -A INPUT -j LOG --log-prefix "INPUT_"
>>> -A INPUT -j REJECT --reject-with icmp-port-unreachable
>>> -A FORWARD -p tcp -m tcp --dport 9999 -j ACCEPT
>>> -A FORWARD -p tcp -m tcp --dport 6882 -j ACCEPT
>>> -A FORWARD -p udp -m udp --dport 5865 -j ACCEPT
>>> -A FORWARD -p tcp -m tcp --dport 5865 -j ACCEPT
>>> -A FORWARD -p udp -m udp --dport 8443 -j ACCEPT
>>> -A FORWARD -p tcp -m tcp --dport 8443 -j ACCEPT
>>> -A FORWARD -p udp -m udp --dport 4666 -j ACCEPT
>>> -A FORWARD -p tcp -m tcp --dport 4662 -j ACCEPT
>>> -A FORWARD -j LOG --log-prefix "FORWARD"
>>> -A FORWARD -j REJECT --reject-with icmp-port-unreachable
>>> -A OUTPUT -o lo -j ACCEPT
>>>
>>> ******************** /var/log/messages ****************************
>>>
>>> Dec 17 12:32:24 servidor kernel: [1120947.846431] INPUT_IN=eth0 OUT=
>>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=56
>>> TOS=0x00 PREC=0x00 TTL=155 ID=31428 PROTO=ICMP TYPE=3 CODE=4
>>> [SRC=192.168.1.2 DST=public_ip_1 LEN=1500 TOS=0x00 PREC=0x00 TTL=63
>>> ID=16093 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492
>>> Dec 17 12:32:54 servidor kernel: [1120979.925513] INPUT_IN=eth0 OUT=
>>> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60
>>> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202
>>> WINDOW=5792 RES=0x00 ACK SYN URGP=0
>>> Dec 17 12:32:57 servidor kernel: [1120983.069334] INPUT_IN=eth0 OUT=
>>> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60
>>> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202
>>> WINDOW=5792 RES=0x00 ACK SYN URGP=0
>>> Dec 17 12:32:57 servidor kernel: [1120983.693341] INPUT_IN=eth0 OUT=
>>> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60
>>> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202
>>> WINDOW=5792 RES=0x00 ACK SYN URGP=0
>>> Dec 17 12:33:03 servidor kernel: [1120989.596154] INPUT_IN=eth0 OUT=
>>> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60
>>> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202
>>> WINDOW=5792 RES=0x00 ACK SYN URGP=0
>>> Dec 17 12:33:03 servidor kernel: [1120990.224560] INPUT_IN=eth0 OUT=
>>> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60
>>> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202
>>> WINDOW=5792 RES=0x00 ACK SYN URGP=0
>>> Dec 17 12:33:15 servidor kernel: [1121001.913149] INPUT_IN=eth0 OUT=
>>> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60
>>> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202
>>> WINDOW=5792 RES=0x00 ACK SYN URGP=0
>>> Dec 17 12:33:15 servidor kernel: [1121002.550066] INPUT_IN=eth0 OUT=
>>> MAC=mac_server:mac_client:08:00 SRC=public_ip_2 DST=192.168.1.2 LEN=60
>>> TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4242 DPT=56202
>>> WINDOW=5792 RES=0x00 ACK SYN URGP=0
>>> Dec 17 12:33:45 servidor kernel: [1121033.566738] INPUT_IN=eth0 OUT=
>>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
>>> TOS=0x00 PREC=0x00 TTL=128 ID=31434 PROTO=ICMP TYPE=0 CODE=0 ID=33569
>>> SEQ=1
>>> Dec 17 12:33:46 servidor kernel: [1121034.571848] INPUT_IN=eth0 OUT=
>>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
>>> TOS=0x00 PREC=0x00 TTL=128 ID=31435 PROTO=ICMP TYPE=0 CODE=0 ID=33569
>>> SEQ=2
>>> Dec 17 12:33:47 servidor kernel: [1121035.592819] INPUT_IN=eth0 OUT=
>>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
>>> TOS=0x00 PREC=0x00 TTL=128 ID=31436 PROTO=ICMP TYPE=0 CODE=0 ID=33569
>>> SEQ=3
>>> Dec 17 12:33:48 servidor kernel: [1121036.789595] INPUT_IN=eth0 OUT=
>>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
>>> TOS=0x00 PREC=0x00 TTL=128 ID=31437 PROTO=ICMP TYPE=0 CODE=0 ID=33569
>>> SEQ=4
>>> Dec 17 12:33:49 servidor kernel: [1121037.817587] INPUT_IN=eth0 OUT=
>>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
>>> TOS=0x00 PREC=0x00 TTL=128 ID=31438 PROTO=ICMP TYPE=0 CODE=0 ID=33569
>>> SEQ=5
>>> Dec 17 12:33:50 servidor kernel: [1121038.945584] INPUT_IN=eth0 OUT=
>>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
>>> TOS=0x00 PREC=0x00 TTL=128 ID=31439 PROTO=ICMP TYPE=0 CODE=0 ID=33569
>>> SEQ=6
>>> Dec 17 12:33:51 servidor kernel: [1121039.974620] INPUT_IN=eth0 OUT=
>>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
>>> TOS=0x00 PREC=0x00 TTL=128 ID=31440 PROTO=ICMP TYPE=0 CODE=0 ID=33569
>>> SEQ=7
>>> Dec 17 12:33:52 servidor kernel: [1121040.974610] INPUT_IN=eth0 OUT=
>>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
>>> TOS=0x00 PREC=0x00 TTL=128 ID=31441 PROTO=ICMP TYPE=0 CODE=0 ID=33569
>>> SEQ=8
>>> Dec 17 12:33:53 servidor kernel: [1121041.978981] INPUT_IN=eth0 OUT=
>>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
>>> TOS=0x00 PREC=0x00 TTL=128 ID=31442 PROTO=ICMP TYPE=0 CODE=0 ID=33569
>>> SEQ=9
>>> Dec 17 12:33:54 servidor kernel: [1121042.991844] INPUT_IN=eth0 OUT=
>>> MAC=mac_server:mac_client:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=84
>>> TOS=0x00 PREC=0x00 TTL=128 ID=31443 PROTO=ICMP TYPE=0 CODE=0 ID=33569
>>> SEQ=10
>>>
>>> **************************************** end
>>> *******************************************+
>>>
>>> Notice there are 2 different ip's: public_ip_2 and public_ip_1. Maybe
>>> there is the key...
>>>
>>> Can anybody help me to make iptables let pass the traffic to the schema
>>> [B]?
>>>
>>> PD: I tested two similar schemas [b]: two machines from inside a
>>> proxy, and the two machines failed to connect to server.
>>>
>>> Thanks in advice.
>>>
>>> Javier
>>> --
>>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>>> the body of a message to majordomo@vger.kernel.org
>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>>
>>>
>> hello,
>>
>> you say traffic on port 80 is redirected. how?
>> i do not see any DNAT rules.
>> also if the destination address is changed by nat, the packets get
>> routed over the other interface.
>> that is why you need to allow the traffic in the FORWARD chain.
>> i do not see any of those in your rules above.
>> if i understand it correctly and you have two external interfaces on the
>> router, there are no rules either.
>> and with two external interfaces your routing could come into account.
>> but you did not provide any
>> information about that.
>>
>> greets
>>
>> mart
>>
>>
>
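As an added example (not code from this thread or from netfilter), the Python below replays the INPUT chain from the `iptables -S` listing in the message above against two packets: a constructed HTTP SYN as a proxy would send it (high source port to port 80), and the ICMP message that fills the Dec 22 log. The rule parser understands only the options that appear in this thread (`-i`, `-p`, `--sport`, `--dport`, `-j`, including Mart's `1024:` port-range form); the `-s` host rules are left out as they cannot match port 80 traffic. The log parser splits a netfilter LOG line into the logged packet and the datagram quoted inside it. The logged entries are ICMP type 3 code 4, which is "fragmentation needed" (RFC 792): a router on the path reports that the server's 1500-byte DF segment towards proxy_out_ip exceeds an MTU of 1492, and since no rule in this chain matches ICMP, every such message is logged and then rejected. The thread does not settle whether that is what breaks the proxy path, but it is the first thing a practitioner would check here. A smaller point the parser has to cope with: `--log-prefix "INPUT_"` has no trailing space, so the prefix fuses with `IN=` in the log.

```python
import re
import shlex

# Rules copied from the `iptables -S` output above, INPUT chain only; traffic addressed
# to the server itself never traverses FORWARD, and the -s host rules are omitted.
IPTABLES_S = """\
-P INPUT ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT_"
-A INPUT -j REJECT --reject-with icmp-port-unreachable
"""

# The /var/log/messages entry that repeats throughout the Dec 22 log, timestamp stripped.
SAMPLE_LOG = (
    "INPUT_IN=eth0 OUT= MAC=192_168_1_2_MAC:00:01:38:da:5c:e9:08:00 SRC=192.168.1.1 "
    "DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=155 ID=3450 PROTO=ICMP TYPE=3 CODE=4 "
    "[SRC=192.168.1.2 DST=proxy_out_ip LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=36562 DF "
    "PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1492"
)

def _port_range(spec):
    """'80' -> (80, 80); '1024:' -> (1024, 65535); ':1023' -> (0, 1023)."""
    lo, sep, hi = spec.partition(":")
    return (int(lo or 0), int(hi or 65535)) if sep else (int(lo), int(lo))

def parse_rules(text):
    """Parse `iptables -S` into ({chain: policy}, [rule dicts]); only this thread's options."""
    policies, rules = {}, []
    for line in text.splitlines():
        argv = shlex.split(line)
        if argv[:1] == ["-P"]:
            policies[argv[1]] = argv[2]
        elif argv[:1] == ["-A"]:
            rule = {"chain": argv[1], "target": None, "match": {}}
            for opt, val in zip(argv[2::2], argv[3::2]):  # every option here takes one value
                if opt == "-j":
                    rule["target"] = val
                elif opt == "-i":
                    rule["match"]["iface"] = val
                elif opt == "-p":
                    rule["match"]["proto"] = val.upper()
                elif opt in ("--sport", "--dport"):
                    rule["match"][opt[2:]] = _port_range(val)
                # -m, --log-prefix and --reject-with add no match criteria
            rules.append(rule)
    return policies, rules

def _matches(rule, pkt):
    for key, want in rule["match"].items():
        have = pkt.get(key)
        if key in ("sport", "dport"):
            if have is None or not want[0] <= have <= want[1]:
                return False
        elif have != want:
            return False
    return True

def evaluate(policies, rules, pkt, chain="INPUT"):
    """First match decides, except LOG, which does not terminate: the packet is logged and
    then still reaches the later REJECT. Returns (verdict, logged, index of deciding rule)."""
    logged = False
    for idx, rule in enumerate(rules):
        if rule["chain"] != chain or not _matches(rule, pkt):
            continue
        if rule["target"] == "LOG":
            logged = True
            continue
        return rule["target"], logged, idx
    return policies.get(chain, "ACCEPT"), logged, None

_KV = re.compile(r"(\w+)=(\S*)")

def parse_log_line(line):
    """Before the first '[' is the logged packet; inside the brackets is the datagram quoted
    by the ICMP error; keys after the last ']' (MTU=) belong to the error itself."""
    outer, _, rest = line.partition("[")
    entry = {}
    for key, val in _KV.findall(outer):
        if key.endswith("IN") and key != "IN" and "IN" not in entry:
            entry["prefix"], key = key[:-2], "IN"  # "INPUT_" has no trailing space, so it fuses with IN=
        entry[key] = val
    if rest:
        inner, _, tail = rest.rpartition("]")
        entry["inner"] = dict(_KV.findall(inner))
        entry.update(_KV.findall(tail))
    return entry

def classify(entry):
    """ICMP type 3 code 4 is 'fragmentation needed' (RFC 792): a router on the path
    reports that the quoted DF segment did not fit the MTU it announces."""
    if entry.get("PROTO") == "ICMP" and entry.get("TYPE") == "3" and entry.get("CODE") == "4":
        return "pmtu-fragmentation-needed", entry["inner"].get("DST"), int(entry["MTU"])
    return entry.get("PROTO", "?").lower(), None, None

def demo():
    """Evaluate a constructed HTTP SYN (not taken from the log) and the logged ICMP error."""
    policies, rules = parse_rules(IPTABLES_S)
    http_syn = {"iface": "eth0", "proto": "TCP", "sport": 51234, "dport": 80}
    entry = parse_log_line(SAMPLE_LOG)
    icmp = {"iface": entry["IN"], "proto": entry["PROTO"]}  # ICMP carries no ports
    return {
        "http_syn": evaluate(policies, rules, http_syn),
        "logged_packet": classify(entry),
        "logged_verdict": evaluate(policies, rules, icmp),
    }
```

`demo()` returns the SYN as ACCEPT on the `--dport 80` rule, which agrees with Mart's reading that the rule set does not block port 80 itself, and the ICMP error as logged-then-REJECT. The design point worth keeping in mind when reading netfilter logs is in `evaluate`: LOG is a non-terminating target, so a line with the `INPUT_` prefix means the packet matched nothing above the LOG rule and was then handled by whatever follows it, here REJECT.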


Thread overview: 6+ messages
2008-12-17 13:30 Access from inside proxy to server with apache Javi Legido
2008-12-17 14:54 ` Gáspár Lajos
2008-12-17 19:51 ` Mart Frauenlob
2008-12-18 13:47   ` Javi Legido
2008-12-18 20:55     ` Mart Frauenlob
2008-12-22 13:57     ` Javi Legido
