From: "Kent Wang"
Subject: RE: IP forwarding on port 80
Date: Fri, 13 Jun 2003 02:24:34 -0500
To: 'George Vieira', netfilter@lists.netfilter.org
Message-ID: <002201c3317c$d9fc6b50$0300a8c0@eclipse>
In-Reply-To: <09B04A55822EFF4DA48D2E0BB2941D4A0D6E89@wardrive.citadelcomputer.com.au>
References: <09B04A55822EFF4DA48D2E0BB2941D4A0D6E89@wardrive.citadelcomputer.com.au>

OK, more info. My belief is that the packets are not being DNAT'd properly. I added this to that chain:

    -A PREROUTING -j LOG --log-prefix "test" --log-level 7

And was able to log all the incoming HTTP packets. I then added these two:

    -A FORWARD -p tcp -m tcp --dport 80 -j LOG --log-prefix "test" --log-level 7
    -A OUTPUT -p tcp -m tcp --dport 80 -j LOG --log-prefix "test" --log-level 7

A properly DNAT'd packet should pass through FORWARD and then OUTPUT, but I found nothing in the log. Is it possible that the DNAT module isn't loaded?

I've done tcpdump and the firewall definitely always receives the internet-incoming message and the web server never receives it.

Any clues?

-----Original Message-----
From: netfilter-admin@lists.netfilter.org [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of George Vieira
Sent: Thursday, June 12, 2003 5:18 PM
To: Kent Wang; netfilter@lists.netfilter.org
Subject: RE: IP forwarding on port 80

What debugging have you done? tcpdump, iptables logging, anything?

Does your web server have a default gateway of the firewall?
Thanks,
____________________________________________
George Vieira
Systems Manager, Citadel Computer Systems Pty Ltd
georgev AT citadelcomputer DOT com DOT au
Phone : +61 2 9955 2644   HelpDesk: +61 2 9955 2698
http://www.citadelcomputer.com.au
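As an added example (not from the post or the netfilter project), the following Python script applies the logging approach above to constructed kernel LOG lines and reports, per inbound port-80 flow, whether PREROUTING saw the packet, whether FORWARD saw it again, and whether DST was rewritten to the internal server. It assumes each LOG rule was given a distinct --log-prefix ("testPRE " and "testFWD ", hypothetical names with a trailing space) so the chain can be told apart, and the sample log lines and addresses are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed kernel log lines (not from the post) for LOG rules like those
# above, assuming a distinct --log-prefix per chain given with a trailing
# space ("testPRE " in nat PREROUTING, "testFWD " in filter FORWARD), since
# the LOG target prints the prefix verbatim before "IN=". Flow 2 reproduces
# the symptom from the post; addresses are documentation ranges.
SAMPLE_LOG = """\
Jun 13 02:10:01 fw kernel: testPRE IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=51234 DPT=80 SYN
Jun 13 02:10:01 fw kernel: testFWD IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.168.0.3 PROTO=TCP SPT=51234 DPT=80 SYN
Jun 13 02:10:02 fw kernel: testPRE IN=eth0 OUT= SRC=203.0.113.6 DST=198.51.100.10 PROTO=TCP SPT=51235 DPT=80 SYN
"""

LINE_RE = re.compile(r"kernel: (?P<prefix>\S+) (?P<rest>.*)$")


def parse_log(text):
    """Yield (log prefix, {FIELD: value}) for each netfilter LOG line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            kv = (tok.split("=", 1) for tok in m["rest"].split() if "=" in tok)
            yield m["prefix"], dict(kv)


def diagnose(text, firewall_ip, pre_prefix="testPRE", fwd_prefix="testFWD"):
    """Map each inbound port-80 flow (SRC, SPT) to what the two chains saw.

    A DNAT'd packet must reappear in FORWARD with DST rewritten to the
    internal server; a packet that is never translated goes to INPUT instead.
    """
    seen = defaultdict(dict)  # (SRC, SPT) -> {"pre": DST, "fwd": DST}
    for prefix, f in parse_log(text):
        stage = {pre_prefix: "pre", fwd_prefix: "fwd"}.get(prefix)
        if stage and f.get("DPT") == "80":
            seen[(f["SRC"], f["SPT"])][stage] = f["DST"]
    verdict = {}
    for flow, hits in seen.items():
        if "fwd" not in hits:
            # Not DNAT'd, or dropped in FORWARD before the LOG rule.
            verdict[flow] = "missing-in-forward"
        elif hits["fwd"] == firewall_ip:
            verdict[flow] = "forwarded-untranslated"
        else:
            verdict[flow] = "dnat-ok:" + hits["fwd"]
    return verdict


VERDICTS = diagnose(SAMPLE_LOG, "198.51.100.10")  # flow 1 ok, flow 2 missing
```

A forwarded, DNAT'd packet traverses nat PREROUTING, filter FORWARD and nat POSTROUTING but never OUTPUT, which only sees packets the firewall generates itself, so an empty OUTPUT log is expected even when DNAT works. A flow reported as missing-in-forward points at the nat PREROUTING DNAT rule, net.ipv4.ip_forward, or a FORWARD rule dropping the packet before the LOG rule.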
