From: "Kent Wang"
Subject: IP forwarding on port 80
Date: Thu, 12 Jun 2003 02:17:09 -0500
Message-ID: <000301c330b2$a68c7280$0300a8c0@eclipse>
To: netfilter@lists.netfilter.org

Firewall, called dscp, has these iptables settings:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  localhost.localdomain  anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:sftp
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             dscp.nur.utexas.edu  tcp dpt:http to:192.168.0.2

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

HTTP server has these settings:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  localhost.localdomain  anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:sftp
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Firewall connects to the world via eth1 and to the HTTP server on eth0. HTTP server connects to the firewall on eth0 and to another machine on eth1.

I can access the HTTP server from the firewall just fine but not from the Internet (times out). Any clues?
From: "George Vieira"
Subject: RE: IP forwarding on port 80
Date: Fri, 13 Jun 2003 08:18:25 +1000
Message-ID: <09B04A55822EFF4DA48D2E0BB2941D4A0D6E89@wardrive.citadelcomputer.com.au>
To: Kent Wang, netfilter@lists.netfilter.org

What debugging have you done? tcpdump, iptables logging, anything?

Does your web server have a default gateway of the firewall?

Thanks,

____________________________________________
George Vieira
Citadel Computer Systems Pty Ltd   Systems Manager   georgev AT citadelcomputer DOT com DOT au
Citadel Computer Systems Pty Ltd
Phone : +61 2 9955 2644   HelpDesk: +61 2 9955 2698   http://www.citadelcomputer.com.au
From: "Kent Wang"
Subject: RE: IP forwarding on port 80
Date: Fri, 13 Jun 2003 02:24:34 -0500
Message-ID: <002201c3317c$d9fc6b50$0300a8c0@eclipse>
In-Reply-To: <09B04A55822EFF4DA48D2E0BB2941D4A0D6E89@wardrive.citadelcomputer.com.au>
To: 'George Vieira', netfilter@lists.netfilter.org

OK, more info. My belief is that the packets are not being DNAT'd properly. I added this to that chain:

    -A PREROUTING -j LOG --log-prefix "test" --log-level 7

And was able to log all the incoming HTTP packets. I then added these two:

    -A FORWARD -p tcp -m tcp --dport 80 -j LOG --log-prefix "test" --log-level 7
    -A OUTPUT -p tcp -m tcp --dport 80 -j LOG --log-prefix "test" --log-level 7

A properly DNAT'd packet should pass through FORWARD and then OUTPUT, but I found nothing in the log. Is it possible that the DNAT module isn't loaded?

I've done tcpdump and the firewall definitely always receives the internet-incoming message and the web server never receives it.

Any clues?

-----Original Message-----
From: netfilter-admin@lists.netfilter.org [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of George Vieira
Sent: Thursday, June 12, 2003 5:18 PM
To: Kent Wang; netfilter@lists.netfilter.org
Subject: RE: IP forwarding on port 80

What debugging have you done? tcpdump, iptables logging, anything?

Does your web server have a default gateway of the firewall?

Thanks,

____________________________________________
George Vieira
Citadel Computer Systems Pty Ltd   Systems Manager   georgev AT citadelcomputer DOT com DOT au
Citadel Computer Systems Pty Ltd
Phone : +61 2 9955 2644   HelpDesk: +61 2 9955 2698   http://www.citadelcomputer.com.au
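Putting one LOG rule with a distinct --log-prefix into each chain, as Kent does above, is the right instrument; reading the resulting /var/log/messages by eye stops working as soon as more than one connection is in the log. The script below is an added example, not code from the thread or from the netfilter project: it parses kernel LOG lines of the kind those rules emit, groups them per TCP flow (source address and port, destination port) and reports which chains each flow crossed and the destination address seen in each, so a flow that was rewritten between PREROUTING and FORWARD is visibly DNAT'd, while a flow that appears in PREROUTING only stands out as lost before the filter table. The log lines are constructed for the example: firewall and web server addresses are the thread's, client addresses come from the documentation ranges, and MAC, TTL and ID values are made up. One line deliberately uses the prefix without a trailing space, because the kernel prints the prefix immediately before "IN=" and the two then run together ("preroutingIN=eth1"); the parser accepts both forms, but a trailing space in --log-prefix is the usual cure.

```python
"""Correlate iptables LOG lines per TCP flow to see which chains a packet crossed.

Added example, not code from the thread: parses kernel LOG output of the kind
produced by one "-j LOG --log-prefix <chain>" rule per chain and reports, per
flow, the chains that fired and the destination address seen in each.
"""
import re
from collections import defaultdict

# The kernel prints the prefix immediately before "IN=", so a prefix given
# without a trailing space is glued to it ("preroutingIN=eth1"); the non-greedy
# prefix group followed by \s* accepts both spellings.
LOG_RE = re.compile(
    r"kernel:\s*(?P<prefix>.*?)\s*IN=(?P<inif>\S*)\s+OUT=(?P<outif>\S*)"
    r".*?\bSRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)"
    r".*?\bPROTO=(?P<proto>\S+)"
    r"(?:.*?\bSPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+))?"
)

# Constructed sample (firewall and web server addresses from the thread; client
# addresses from the documentation ranges; MAC/TTL/ID made up).  Flow 1 was
# DNAT'd and forwarded, flow 2 shows up in PREROUTING only, flow 3 was delivered
# locally (a run with the DNAT rule removed), and the last line is ICMP.
SAMPLE_LOG = """\
Jun 13 03:10:01 dscp kernel: prerouting IN=eth1 OUT= MAC=00:50:56:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.5 DST=128.83.147.87 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4321 DF PROTO=TCP SPT=40111 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 13 03:10:01 dscp kernel: forward IN=eth1 OUT=eth0 MAC=00:50:56:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.5 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4321 DF PROTO=TCP SPT=40111 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 13 03:10:07 dscp kernel: preroutingIN=eth1 OUT= MAC=00:50:56:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=198.51.100.7 DST=128.83.147.87 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=777 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 13 03:10:12 dscp kernel: prerouting IN=eth1 OUT= MAC=00:50:56:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.9 DST=128.83.147.87 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=9001 DF PROTO=TCP SPT=33000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 13 03:10:12 dscp kernel: input IN=eth1 OUT= MAC=00:50:56:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.9 DST=128.83.147.87 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=9001 DF PROTO=TCP SPT=33000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 13 03:10:15 dscp kernel: prerouting IN=eth1 OUT= MAC=00:50:56:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=198.51.100.7 DST=128.83.147.87 LEN=84 TOS=0x00 PREC=0x00 TTL=48 ID=778 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
"""


def parse_log_line(line):
    """Fields of one LOG line as a dict, or None if the line is not a LOG line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["prefix"] = rec["prefix"].strip()
    return rec


def trace_flows(lines):
    """Map (src, spt, dpt) -> [(chain prefix, in, out, dst), ...] in log order."""
    flows = defaultdict(list)
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        key = (rec["src"], rec["spt"], rec["dpt"])
        flows[key].append((rec["prefix"], rec["inif"], rec["outif"], rec["dst"]))
    return dict(flows)


def diagnose(hops):
    """Classify one flow from the chains it was logged in."""
    chains = [h[0] for h in hops]
    dsts = {h[3] for h in hops}
    if "forward" in chains:
        # A different DST in FORWARD than in PREROUTING is the DNAT rewrite itself.
        return "dnat-forwarded" if len(dsts) > 1 else "forwarded-unchanged"
    if "input" in chains:
        return "local-delivery"
    if chains and set(chains) == {"prerouting"}:
        # Logged by the nat PREROUTING rule but by neither filter chain: the
        # packet was discarded between PREROUTING and the filter table, i.e.
        # at the routing decision, not by any filter rule.
        return "lost-after-prerouting"
    return "unknown"


def report(lines):
    """One summary line per flow: endpoints, chain path with DST at each hop, verdict."""
    out = []
    for (src, spt, dpt), hops in trace_flows(lines).items():
        path = " ".join(f"{chain}(->{dst})" for chain, _, _, dst in hops)
        out.append(f"{src}:{spt} -> :{dpt}  {path}  {diagnose(hops)}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG.splitlines())))
```

Run against a real log, `report(open("/var/log/messages").readlines())` is enough, provided the rules use the same prefixes as in the sample ("prerouting", "input", "forward"); the classification deliberately keys on those names rather than on the sample addresses.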
From: Cedric Blancher
Subject: RE: IP forwarding on port 80
Date: 13 Jun 2003 10:05:21 +0200
Message-ID: <1055491521.665.8.camel@elendil.intranet.cartel-securite.net>
In-Reply-To: <002201c3317c$d9fc6b50$0300a8c0@eclipse>
To: Kent Wang
Cc: 'George Vieira', netfilter@lists.netfilter.org

On Fri 13/06/2003 at 09:24, Kent Wang wrote:
> A properly DNAT'd packet should pass through FORWARD and then OUTPUT,
> but I found nothing in the log.

A forwarded packet only crosses the FORWARD chain. The framework has changed from the ipchains one. Now, a given packet goes through one filter table chain, and one only, depending on whether it is destined to the host, destined to be routed, or locally generated. If your DNAT implies the packet gets routed, then you'll see it in the FORWARD chain. Otherwise, you'll see it in the INPUT chain.

> Any clues?

Well, read the doc.
-- 
Cédric Blancher
IT systems and networks security - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE  FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE

From: Kent Wang (kwang@kwang.org)
Subject: RE: IP forwarding on port 80
Date: Fri, 13 Jun 2003 15:45:12 -0500 (CDT)
Message-ID: <33015.128.83.147.87.1055537112.squirrel@www.kwang.org>
In-Reply-To: <00b401c331da$246caf80$7035a8c0@hoeschen>
To: chris.hoeschen@primevest.com
Cc: netfilter@lists.netfilter.org

128.83.147.87 is indeed the external IP. I can ping, ssh and telnet 80 to this address from an offsite machine, and since

    -A PREROUTING -d 128.83.147.87 -p tcp -m tcp --dport 80 -j LOG --log-prefix "prerouting" --log-level 7

catches it, it seems that

    -A PREROUTING -d 128.83.147.87 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.2:80

would also catch it. Also, since I have:

    -A INPUT -p tcp -m tcp --dport 80 -j LOG --log-prefix "input" --log-level 7
    -A FORWARD -j LOG --log-prefix "forward" --log-level 7

then I should have a log entry no matter what with a prefix of either "input" or "forward". However, with the PREROUTING -j DNAT line in place, neither INPUT nor FORWARD logs the packet traversing through their chains. Isn't this behavior quite impossible, since a packet that traverses PREROUTING (which I do successfully log in that chain) should definitely go to either INPUT or FORWARD?

BTW, my iptables version is iptables-1.2.6a-2. Could there be some sort of patch I need? I'm not really using a special case since people do simple port 80 forwarding all the time.
Kent Wang

> Verify that 128.83.147.87 is the external IP address for this box.
> Also how did you test this? If you are inside the internal network (on
> 192.168.0.5 for example) you can't access the web site by going to
> 128.83.147.87. So in other words you will have to be outside of your
> network to test it.
>
> From: kwang@kwang.org [mailto:kwang@kwang.org]
> Sent: Friday, June 13, 2003 12:58 PM
> To: chris.hoeschen@primevest.com
> Cc: kwang@kwang.org
> Subject: RE: IP forwarding on port 80
>
> This is the iptables-save dump:
>
> *nat
> :PREROUTING ACCEPT [37311:5054668]
> :POSTROUTING ACCEPT [72:4540]
> :OUTPUT ACCEPT [72:4540]
> -A PREROUTING -d 128.83.147.87 -p tcp -m tcp --dport 80 -j LOG --log-prefix "prerouting" --log-level 7
> -A PREROUTING -d 128.83.147.87 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.2:80
> COMMIT
> # Completed on Fri Jun 13 03:09:25 2003
> # Generated by iptables-save v1.2.6a on Fri Jun 13 03:09:25 2003
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [17013:3920003]
> -A INPUT -d 128.83.147.87 -p tcp -m tcp --dport 80 -j LOG --log-prefix "input" --log-level 7
> -A INPUT -s 127.0.0.1 -p tcp -j ACCEPT
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 115 -j ACCEPT
> -A INPUT -j DROP
> -A FORWARD -j LOG --log-prefix "forward" --log-level 7
> COMMIT
>
> This is the same as above, but with iptables -L and then -L -nat:
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> LOG        tcp  --  anywhere             dscp.nur.utexas.edu  tcp dpt:http LOG level debug prefix `input'
> ACCEPT     tcp  --  localhost.localdomain  anywhere
> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> ACCEPT     icmp --  anywhere             anywhere
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:sftp
> DROP       all  --  anywhere             anywhere
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> LOG        all  --  anywhere             anywhere            LOG level debug prefix `forward'
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Anyway, I really appreciate you and everybody on the mailing list
> helping me out.
>
> Kent Wang
>
>> Could you send me your entire firewall rules
>>
>> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>> | Chris Hoeschen - Distributed System Analysts |
>> | PrimeVest Financial Services |
>> | (320) 656-4035 E-Mail: chris.hoeschen@primevest.com |
>> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>>
>> "Only two things are infinite, the universe and human stupidity, and
>> I'm not sure about the former."
>> -- Albert Einstein
>> Hippopotomonstrosesquippedaliophobia is the fear of long words
>>
>> -----Original Message-----
>> From: Kent Wang [mailto:kwang@kwang.org]
>> Sent: Friday, June 13, 2003 11:45 AM
>> To: 'Chris Hoeschen'
>> Subject: RE: IP forwarding on port 80
>>
>> Here's the contents of PREROUTING:
>>
>> -A PREROUTING -d 128.83.147.87 -p tcp -m tcp --dport 80 -j LOG --log-prefix "prerouting" --log-level 7
>> -A PREROUTING -d 128.83.147.87 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.2:80
>>
>> Apparently -m tcp is implied since my original command didn't include
>> it but this is what the iptables-save dump says. But since these two
>> are identical other than the action part, if something gets LOG'd, it
>> should be DNAT'd and therefore passed to FORWARD, right?
>>
>> This is what I have in FORWARD:
>>
>> -A FORWARD -j LOG --log-prefix "forward" --log-level 7
>>
>> So this means everything that passes through FORWARD gets logged,
>> right? But my log has entries from PREROUTING (because it has log-prefix
>> 'prerouting') but none from FORWARD.
>>
>> The situation with tcpdump is still the same. Nothing incoming, except
>> when I manually do telnet 192.168.0.2 80.
>>
>> I think the fault is somewhere at the actual DNAT target or the
>> FORWARDing mechanism. Could there have been a module that I didn't
>> load properly? I don't know how to check that (and I would think that
>> iptables would've told me about it already). This is a standard RedHat
>> 7 install with the latest iptables RPM.
>>
>> Kent Wang
>>
>> -----Original Message-----
>> From: Chris Hoeschen [mailto:chris.hoeschen@primevest.com]
>> Sent: Friday, June 13, 2003 8:03 AM
>> To: 'Kent Wang'
>> Subject: RE: IP forwarding on port 80
>>
>> A packet coming into your firewall will first travel through the
>> prerouting table. Where that packet is destined will determine what
>> other table it will be traveling through. If that packet is going to
>> your firewall itself then it will travel through the input table. If
>> it is going to be routed through your firewall to another box then it
>> will travel through the forward table. The output table only handles
>> packets that originated from your firewall and are going out; it does
>> not handle any packets that are getting routed through it.
>>
>> I didn't see your DNAT rule so make sure that is set correctly; an
>> example for routing web would be as follows:
>>
>> iptables -t nat -A PREROUTING -p tcp -d {EXT_IP} --dport 80 -j DNAT --to-destination {WWW_IP}:80
>>
>> When your web server receives the packet the source address (the one it
>> will be sending the ACK back to) will still be set to the original
>> source and not the firewall. So it is important that the web server's
>> gateway is set to be your firewall. If this will not work in your
>> environment then you can put a rule into the postrouting table to SNAT
>> the packet; this way the web server will see the packet as coming from
>> your firewall and (granted that they are on the same subnet) will
>> return the packet to the firewall. This is not recommended as all
>> connections to the web server will appear as if they were coming from the
>> firewall.
>>
>> Sorry for all the routing mojo but it helps to get an understanding of the
>> tables for troubleshooting.
>>
>> -A FORWARD -p tcp -m tcp --dport 80 -j LOG --log-prefix "test" --log-level 7
>>
>> I don't know what the -m tcp module is and this might be your problem;
>> try removing it and see if it works.
>>
>> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>> | Chris Hoeschen - Distributed System Analysts |
>> | PrimeVest Financial Services |
>> | (320) 656-4035 E-Mail: chris.hoeschen@primevest.com |
>> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>>
>> "Only two things are infinite, the universe and human stupidity, and
>> I'm not sure about the former."
>> -- Albert Einstein
>> Hippopotomonstrosesquippedaliophobia is the fear of long words
>>
>> -----Original Message-----
>> From: netfilter-admin@lists.netfilter.org
>> [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Kent Wang
>> Sent: Friday, June 13, 2003 2:25 AM
>> To: 'George Vieira'; netfilter@lists.netfilter.org
>> Subject: RE: IP forwarding on port 80
>>
>> OK, more info. My belief is that the packets are not being DNAT'd
>> properly. I added this to that chain:
>>
>> -A PREROUTING -j LOG --log-prefix "test" --log-level 7
>>
>> And was able to log all the incoming HTTP packets. I then added these
>> two:
>>
>> -A FORWARD -p tcp -m tcp --dport 80 -j LOG --log-prefix "test" --log-level 7
>> -A OUTPUT -p tcp -m tcp --dport 80 -j LOG --log-prefix "test" --log-level 7
>>
>> A properly DNAT'd packet should pass through FORWARD and then OUTPUT,
>> but I found nothing in the log. Is it possible that the DNAT module
>> isn't loaded?
>>
>> I've done tcpdump and the firewall definitely always receives the
>> internet-incoming message and the web server never receives it.
>>
>> Any clues?
>>
>> -----Original Message-----
>> From: netfilter-admin@lists.netfilter.org
>> [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of George
>> Vieira
>> Sent: Thursday, June 12, 2003 5:18 PM
>> To: Kent Wang; netfilter@lists.netfilter.org
>> Subject: RE: IP forwarding on port 80
>>
>> What debugging have you done? tcpdump, iptables logging, anything?
>>
>> Does your web server have a default gateway of the firewall?
>>
>> Thanks,
>>
>> ____________________________________________
>>
>> George Vieira
>> Citadel Computer Systems Pty Ltd   Systems Manager   georgev AT
>> citadelcomputer DOT com DOT au
>>
>> Citadel Computer Systems Pty Ltd
>>
>> Phone : +61 2 9955 2644   HelpDesk: +61 2 9955 2698
>> http://www.citadelcomputer.com.au

From: Kent Wang (kwang@kwang.org)
Subject: IP forwarding on port 80
Date: Tue, 10 Jun 2003 17:08:20 -0500 (CDT)
Message-ID: <33603.128.83.147.87.1055282900.squirrel@www.kwang.org>
To: netfilter@lists.netfilter.org

Firewall, called dscp, has these iptables settings:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  localhost.localdomain  anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:sftp
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             dscp.nur.utexas.edu  tcp dpt:http to:192.168.0.2

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

HTTP server has these settings:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  localhost.localdomain  anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:sftp
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Firewall connects to the world via eth1 and to the HTTP server on eth0. HTTP server connects to the firewall on eth0 and to another machine on eth1.

I can access the HTTP server from the firewall just fine but not from the internet. Any clues?
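The replies in this thread make two points that are easy to get wrong and that the rulesets above cannot show by themselves: a packet crosses exactly one of INPUT, FORWARD and OUTPUT, chosen by the routing decision that sits after nat/PREROUTING (Cédric's point), and the web server's reply has to travel back through the firewall, either because the firewall is the server's default gateway or because the request was SNATed, for connection tracking to undo the DNAT (George's and Chris's point). The model below is an added example, not code from the thread or from netfilter itself. It uses the thread's addresses (128.83.147.87 for the firewall's outside, 192.168.0.2 for the web server) and assumes an internal firewall address of 192.168.0.1, a 192.168.0.0/24 LAN and a second router at 192.168.0.254 standing in for the "another machine" on the web server's eth1. It also models net.ipv4.ip_forward, which nobody in the thread mentions: with forwarding off, the routing decision discards the DNAT'd packet, so a LOG rule in PREROUTING fires while LOG rules in INPUT and FORWARD stay silent, which is precisely the pattern reported above; `cat /proc/sys/net/ipv4/ip_forward` is the check for it.

```python
"""Toy model of netfilter hook traversal for a DNAT'd connection.

Added example, not code from the thread or from netfilter.  Addresses of the
firewall (128.83.147.87) and web server (192.168.0.2) are the thread's; the
firewall's internal address, the LAN prefix, the second router and the
ip_forward flag are assumptions of the model.
"""
import ipaddress
from dataclasses import dataclass, replace

EXT_IP, WWW_IP = "128.83.147.87", "192.168.0.2"
FW_INT_IP = "192.168.0.1"                        # assumed: firewall's eth0 address
LAN = ipaddress.ip_network("192.168.0.0/24")     # assumed: the inside subnet
OTHER_ROUTER = "192.168.0.254"                   # assumed: the "another machine" on the server's eth1


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Firewall:
    """The nat/filter hooks a packet meets on the firewall, in the order it meets them."""

    def __init__(self, ip_forward=True, snat=False):
        self.local = {EXT_IP, FW_INT_IP}
        self.ip_forward = ip_forward   # net.ipv4.ip_forward
        self.snat = snat               # optional nat/POSTROUTING SNAT to FW_INT_IP
        self.dnat = {}                 # (dst, dport) -> (new_dst, new_dport): nat/PREROUTING rules
        self.conntrack = {}            # post-NAT 4-tuple of the request -> original request

    def add_dnat(self, dst, dport, new_dst, new_dport):
        self.dnat[(dst, dport)] = (new_dst, new_dport)

    def inbound(self, pkt):
        """A packet received from the wire.  Returns (chains crossed, packet leaving the box or None)."""
        chains = ["nat/PREROUTING"]
        orig = pkt
        target = self.dnat.get((pkt.dst, pkt.dport))
        if target is not None:
            pkt = replace(pkt, dst=target[0], dport=target[1])
        # The routing decision comes after PREROUTING and picks exactly one filter chain.
        if pkt.dst in self.local:
            chains.append("filter/INPUT")
            return chains, pkt
        if not self.ip_forward:
            return chains, None        # routing discards it; FORWARD (and OUTPUT) never see it
        chains += ["filter/FORWARD", "nat/POSTROUTING"]
        if self.snat:
            pkt = replace(pkt, src=FW_INT_IP)
        self.conntrack[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = orig
        return chains, pkt

    def locally_generated(self, pkt):
        """A packet the firewall itself sends: the only kind that crosses OUTPUT."""
        return ["nat/OUTPUT", "filter/OUTPUT", "nat/POSTROUTING"], pkt

    def reply(self, pkt):
        """Reverse translation of a reply, possible only if the reply passes through this box."""
        orig = self.conntrack.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if orig is None:
            return pkt
        return Packet(src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport)


def round_trip(fw, request, server_gateway):
    """Request in through fw, reply out via the web server's own routing.

    Returns (chains the request crossed, outcome, source address the server saw).
    """
    chains, delivered = fw.inbound(request)
    if delivered is None:
        return chains, "discarded-before-FORWARD", None
    if "filter/FORWARD" not in chains:
        return chains, "delivered-to-firewall-itself", None
    reply = Packet(src=delivered.dst, sport=delivered.dport, dst=delivered.src, dport=delivered.sport)
    # Server routing: an on-link destination is sent directly, anything else to the default gateway.
    next_hop = reply.dst if ipaddress.ip_address(reply.dst) in LAN else server_gateway
    if next_hop == FW_INT_IP:
        reply = fw.reply(reply)
    # The client only accepts a reply on the 4-tuple it opened.
    matches = (reply.src, reply.sport, reply.dst, reply.dport) == (
        request.dst, request.dport, request.src, request.sport)
    return chains, "accepted" if matches else "reply-bypassed-firewall", delivered.src


if __name__ == "__main__":
    client = Packet("203.0.113.5", 40111, EXT_IP, 80)   # constructed client
    for ip_forward, snat, gw in [(False, False, FW_INT_IP), (True, False, FW_INT_IP),
                                 (True, False, OTHER_ROUTER), (True, True, OTHER_ROUTER)]:
        fw = Firewall(ip_forward=ip_forward, snat=snat)
        fw.add_dnat(EXT_IP, 80, WWW_IP, 80)
        print(f"ip_forward={ip_forward!s:5} snat={snat!s:5} gw={gw:14} ->", round_trip(fw, client, gw))
```

The four scenarios in the `__main__` block are the ones the thread circles around: forwarding disabled (PREROUTING only, nothing reaches the server), the working case (FORWARD crossed, reply un-DNATed, client accepts), the wrong-gateway case (request arrives, reply leaves via the other router still sourced from 192.168.0.2 and the client rejects it), and the SNAT workaround, which makes the reply path irrelevant at the cost Chris names: the server logs every connection as coming from 192.168.0.1.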