From: Jason Opperisano <opie@817west.com>
To: Roderik van Heijst <roderik@digicit.nl>
Cc: netfilter@lists.netfilter.org
Subject: Re: forwarding to an external ip (edition II)
Date: Wed, 19 Jan 2005 12:53:20 -0500
Message-ID: <20050119175320.GA12400@bender.817west.com>
In-Reply-To: <20050119110416.GA28664@digicit.nl>

On Wed, Jan 19, 2005 at 12:04:16PM +0100, Roderik van Heijst wrote:
> this is phex (the working one):
>
>
> Chain PREROUTING (policy ACCEPT 307796 packets, 19158968 bytes)
> pkts bytes target prot opt in out source destination
> 2 108 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1111 to:131.155.228.4

slight difference--here you don't have an inbound interface specified.

> 7 348 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 to:131.155.228.4:1111

slight difference--here you're mapping port 8080 -> port 1111

>
> Chain POSTROUTING (policy ACCEPT 41528 packets, 2703403 bytes)
> pkts bytes target prot opt in out source destination
> 14 756 MASQUERADE tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1111
> 15428 1089859 MASQUERADE all -- * * 10.0.0.0/24 0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT 70013 packets, 8101780 bytes)
> pkts bytes target prot opt in out source destination
> Chain INPUT (policy ACCEPT 5992886 packets, 2962747150 bytes)
> pkts bytes target prot opt in out source destination
>
> Chain FORWARD (policy ACCEPT 5969935 packets, 2763419996 bytes)
> pkts bytes target prot opt in out source destination
>
> Chain OUTPUT (policy ACCEPT 8497655 packets, 958047964 bytes)
> pkts bytes target prot opt in out source destination
>
>
> and this is boron (who refuses acting nicely):
>
> Chain PREROUTING (policy ACCEPT 2739595 packets, 217170951 bytes)
> pkts bytes target prot opt in out source destination
> 8 480 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1111 to:131.155.228.4

whereas here you do have the inbound interface specified as eth0.

> 166 8828 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 to:80.69.73.147:80

whereas here you're mapping port 8080 -> port 80

>
> Chain POSTROUTING (policy ACCEPT 233464 packets, 14658006 bytes)
> pkts bytes target prot opt in out source destination
> 1 60 MASQUERADE tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:1111

um--since you mapped 8080 -> 80 above, this rule that matches on dport =
1111 will not match the DNAT-ed packets above, as their dport = 80 at
this point.

<--snip-->

dunno if any of that helps. your next step to troubleshoot is to
tcpdump on the external interface of boron, as i love to say, "the wire
doesn't lie."

-j
--
"Weaseling out of things is important to learn. It's what separates
us from the animals...except the weasel."
--The Simpsons