From: Tom van Leeuwen
Subject: Re: Problems with a forward rule
Date: Mon, 14 May 2012 09:24:39 +0200
Message-ID: <4FB0B337.4030208@saasplaza.com>
References: <4FAECDBA.9030302@saasplaza.com> <4FB0A732.4070909@saasplaza.com> <4FB0AE39.6040805@saasplaza.com>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Sender: netfilter-owner@vger.kernel.org
Content-Type: text/plain; charset="us-ascii"; format="flowed"
To: "C. L. Martinez"
Cc: "netfilter@vger.kernel.org"

On 05/14/2012 09:06 AM, C. L. Martinez wrote:
> On Mon, May 14, 2012 at 9:03 AM, Tom van Leeuwen wrote:
>> So, when you do a ping from your host 172.24.50.3 to 1.1.1.x you will
>> probably see the counter increase for your rule (with restricted
>> destination).
>> Do "iptables -vnL FORWARD" to check.
>>
>> That rule is not the problem.
>>
>> What traffic are you sending that times out?
>> source ip, source port, destination ip, dest port, protocol?
>>
>> Your forward and postrouting rules look fine and should work
>>
>> Regards,
>> Tom
> My principal problems are with http, https and ssh. For example with a
> https connection:
>
> Chain FORWARD (policy DROP 48 packets, 2432 bytes)
>  pkts bytes target prot opt in  out source       destination
>  4628 1901K ACCEPT all  --  *   *   0.0.0.0/0    0.0.0.0/0      state RELATED,ESTABLISHED
>    12   746 ACCEPT all  --  *   *   172.24.50.3  10.196.0.0/16  state NEW
>    42  2184 ACCEPT tcp  --  *   *   172.24.50.3  195.76.69.66   tcp multiport dports 80,443 state NEW
>     1    52 ACCEPT tcp  --  *   *   172.24.50.3  195.76.69.69   tcp dpt:443 state NEW
>    48  2432 LOG    all  --  *   *   0.0.0.0/0    0.0.0.0/0      LOG flags 0 level 4 prefix `IPT FORWARD packet died: '
>
> First packets go well, but after a few seconds all goes to the "IPT
> FORWARD .." chain ...

So stuff is logged! Please show what is logged, cause that is the key!
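To act on Tom's request, the LOG rule's output has to be read per flow rather than per packet. The following is an added example, not code from the thread: it assumes the kernel's standard iptables LOG layout (`IN= OUT= SRC= DST= ... PROTO= SPT= DPT=` plus bare TCP flag words), picks out lines carrying the ruleset's `IPT FORWARD packet died: ` prefix, and counts dropped packets per (source, destination, protocol, port, flags). The sample log lines are constructed.

```python
from collections import Counter

# Constructed sample kernel log lines (assumption: default iptables LOG layout).
SAMPLE_LOG = """\
May 14 09:10:01 gw kernel: IPT FORWARD packet died: IN=eth1 OUT=eth0 SRC=172.24.50.3 DST=195.76.69.69 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=4321 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=229 RES=0x00 ACK URGP=0
May 14 09:10:02 gw kernel: IPT FORWARD packet died: IN=eth1 OUT=eth0 SRC=172.24.50.3 DST=195.76.69.69 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=4322 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=229 RES=0x00 ACK PSH URGP=0
May 14 09:10:05 gw kernel: IPT FORWARD packet died: IN=eth1 OUT=eth0 SRC=172.24.50.3 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
May 14 09:10:06 gw kernel: IPT FORWARD packet died: IN=eth1 OUT=eth0 SRC=172.24.50.3 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
"""

PREFIX = "IPT FORWARD packet died: "           # prefix used by the LOG rule above
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_log_line(line):
    """Return a dict of KEY=VALUE fields (plus FLAGS) for one LOG line, or None."""
    if PREFIX not in line:
        return None
    body = line.split(PREFIX, 1)[1]
    fields, flags = {}, []
    for tok in body.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields.setdefault(k, v)  # keep the first ID= (IP header), not the ICMP echo id
        elif tok in TCP_FLAGS:
            flags.append(tok)
    fields["FLAGS"] = " ".join(flags)
    return fields


def summarize(text):
    """Count dropped packets per flow: (src, dst, proto, dport-or-icmp-type, flags)."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_log_line(line)
        if f is None:
            continue
        port = f.get("DPT", f.get("TYPE", "-"))
        counts[(f.get("SRC"), f.get("DST"), f.get("PROTO"), port, f["FLAGS"])] += 1
    return counts


if __name__ == "__main__":
    for (src, dst, proto, port, flags), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {src} -> {dst}  {proto}/{port}  {flags or '-'}")
```

Feeding real `dmesg` or syslog output through `summarize` shows at a glance which destinations and ports are falling through to the default DROP, and the flags column shows whether the dropped packets are new connections (SYN) or mid-stream segments.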