From: Cody Harris <hchs@ns.sympatico.ca>
To: netfilter@lists.netfilter.org
Subject: Re: Not forwarding?
Date: Mon, 29 Mar 2004 15:51:47 -0400 [thread overview]
Message-ID: <20040329155147.4fa98da1@darna.vectec.net> (raw)
In-Reply-To: <200403282224.12071.Antony@Soft-Solutions.co.uk>
It didn't work. I'm getting somebody on my ISP to test it (offsite). The firewall IPs are: 10.30.7.147 for net (my ISP NATs it) and 192.168.0.1, and my box I want to forward to is 192.168.0.2. It still doesn't work. Here's an updated ruleset:
Chain INPUT (policy ACCEPT 3787 packets, 1815K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  eth0   any     anywhere             anywhere             tcp dpt:10000
    0     0 DROP       tcp  --  eth0   any     anywhere             anywhere             tcp dpt:631
    3   144 DROP       tcp  --  eth0   any     anywhere             anywhere             tcp dpt:http
    0     0 DROP       tcp  --  eth0   any     anywhere             anywhere             tcp dpt:smtp
    0     0 DROP       tcp  --  eth0   any     anywhere             anywhere             tcp dpt:ftp
    0     0 ACCEPT     icmp --  eth0   any     anywhere             anywhere             icmp echo-reply
    0     0 ACCEPT     icmp --  eth0   any     anywhere             anywhere             icmp destination-unreachable
    0     0 ACCEPT     icmp --  eth0   any     anywhere             anywhere             icmp redirect
    0     0 ACCEPT     icmp --  eth0   any     anywhere             anywhere             icmp echo-request
    0     0 ACCEPT     icmp --  eth0   any     anywhere             anywhere             icmp time-exceeded
    0     0 DROP       icmp --  eth0   any     anywhere             anywhere

Chain FORWARD (policy DROP 36 packets, 2291 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  any    any     192.168.0.2          anywhere             tcp dpt:ssh

Chain OUTPUT (policy ACCEPT 3996 packets, 585K bytes)
 pkts bytes target     prot opt in     out     source               destination
On Sun, 28 Mar 2004 22:24:12 +0100,
Someone named Antony Stone <Antony@Soft-Solutions.co.uk> wrote:
> On Sunday 28 March 2004 10:07 pm, Cody Harris wrote:
>
> > I rewrote the rules following your suggestions. It still doesn't work:
> >
> > Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> > target prot opt in out source destination
> > ACCEPT all -- eth1 any anywhere anywhere
>
> Okay, that will allow all packets coming through from eth1
>
> > ACCEPT tcp -- any any anywhere 192.168.0.2
> > tcp dpt:ssh state RELATED,ESTABLISHED
>
> That will allow packets coming through from 192.168.0.2 (which is plugged in
> to eth1) to destination port 22.
>
> You have no rule to allow the reply packets back (and the above rule won't
> allow the NEW packets through, either).
>
> Try this:
>
> iptables -F FORWARD
> iptables -P FORWARD DROP
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -s 192.168.0.2 -p tcp --dport 22 -j ACCEPT
>
> If that doesn't work tell us exactly how you are testing it - which machine is
> the SSH client on, where is the server, what are the IP addresses...
>
> Regards,
>
> Antony.
>
> --
> It is also possible that putting the birds in a laboratory setting
> inadvertently renders them relatively incompetent.
>
> - Daniel C Dennet
>
> Please reply to the list;
> please don't CC me.
>
>
--
+------------------+-----------------------------+
| Cody Harris | --------------------------- |
| ---------------- | --------------------------- |
+------------------+-------+---------------------+---+
| *Sigh*. No key. |
+----------------------------------------------------+
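Added example, not part of the thread: the listing above shows only the filter table, and its FORWARD rule accepts packets whose *source* is 192.168.0.2. An SSH session started from outside arrives on the WAN side with destination 10.30.7.147, so two more things are needed before FORWARD can pass it: routing enabled in the kernel, and a DNAT rule in the nat table's PREROUTING chain that rewrites the destination to 192.168.0.2 before the routing decision. FORWARD then sees the rewritten packet and must match destination 192.168.0.2, not the WAN address and not the source. The script below builds that ruleset. eth0 as the WAN interface, eth1 as the LAN interface, 10.30.7.147 and 192.168.0.2 are taken from the thread; the `run` wrapper, the `APPLY` switch and the `verify_commands` helper are my own conventions. By default it only prints the commands; run it as root with `APPLY=1` to execute them.

```shell
#!/bin/sh
# Added example (not from the thread): forward inbound TCP/22 arriving on
# the firewall's WAN interface to an internal host and allow the replies
# back. Values default to those named in the thread; override via env.
# Assumption: eth0 = WAN side (ISP-NATed 10.30.7.147), eth1 = LAN side.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
WAN_IP="${WAN_IP:-10.30.7.147}"
TARGET="${TARGET:-192.168.0.2}"
PORT="${PORT:-22}"

# run: execute the command when APPLY=1, otherwise print it (dry run).
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

port_forward_rules() {
    # 1. Routing must be on; otherwise no packet ever reaches FORWARD.
    run sysctl -w net.ipv4.ip_forward=1

    # 2. Rewrite the destination before routing. Without this the
    #    firewall delivers WAN_IP:PORT to itself (INPUT chain) and the
    #    FORWARD chain never sees the connection at all.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$WAN_IP" \
        --dport "$PORT" -j DNAT --to-destination "$TARGET:$PORT"

    # 3. Filter table: default deny, allow replies and related traffic,
    #    then allow only NEW connections to TARGET:PORT coming in on the
    #    WAN side. FORWARD matches the already-rewritten destination.
    run iptables -F FORWARD
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$TARGET" \
        --dport "$PORT" -m state --state NEW -j ACCEPT
}

# verify_commands: what to look at while the outside tester connects.
# The DNAT counter should rise first; if it does but FORWARD stays at
# zero, ip_forward is off. If FORWARD rises but no banner comes back,
# check that TARGET's default gateway is the firewall (192.168.0.1 here)
# so the replies to the external client return through it.
verify_commands() {
    printf '%s\n' "iptables -t nat -L PREROUTING -v -n"
    printf '%s\n' "iptables -L FORWARD -v -n"
    printf '%s\n' "tcpdump -ni $LAN_IF tcp port $PORT"
}

port_forward_rules
verify_commands
```

Re-running the script with `APPLY=1` appends a second identical DNAT rule, since the nat table is not flushed here (flushing PREROUTING would also remove any unrelated rules); delete the duplicate with `iptables -t nat -D PREROUTING` followed by the same match arguments.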