* Fedora Core 2. Port Forwarding Problems
@ 2004-07-24 3:25 Василий Свиридов
2004-07-24 14:55 ` Antony Stone
0 siblings, 1 reply; 4+ messages in thread
From: Василий Свиридов @ 2004-07-24 3:25 UTC (permalink / raw)
To: netfilter
Hello all.

I had to upgrade my border machine because the previous installation had
failed for some reason. Any attempt to modprobe any netfilter-related
modules returned "Floating point exception".

I've installed Fedora Core 2 and tried to reuse my old settings I
retained from the Red Hat 9 system.

Masquerading works fine, but when I try to do port forwarding like this

iptables -t nat -A PREROUTING -p tcp -d <domainname.com> --dport 80 -j DNAT --to 192.168.20.40:80

the rule adds itself fine, but port 80 is not accessible from outside.
When I try to connect from outside it doesn't say connection refused, it
dies after a timeout.

/proc/net/ip_conntrack doesn't show any presence of the connection. I tried
to send it to -j LOG & ULOG but both end up empty.

I have to restore the firewall ASAP. Help me figure this one out. (I
still have the option to roll back to RH9.)

P.S.
sys.net.ipv4.ip_forwarding is 1
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Fedora Core 2. Port Forwarding Problems
2004-07-24 3:25 Fedora Core 2. Port Forwarding Problems Василий Свиридов
@ 2004-07-24 14:55 ` Antony Stone
2004-07-24 20:12 ` Василий Свиридов
0 siblings, 1 reply; 4+ messages in thread
From: Antony Stone @ 2004-07-24 14:55 UTC (permalink / raw)
To: netfilter
On Saturday 24 July 2004 4:25 am, Василий Свиридов wrote:
> I've installed Fedora Core 2 and tried to reuse my old settings I
> retained from the Red Hat 9 system.
>
> Masquerading works fine, but when I try to do port forwarding like this
> iptables -t nat -A PREROUTING -p tcp -d <domainname.com> --dport 80 -j DNAT --to 192.168.20.40:80
> the rule adds itself fine, but port 80 is not accessible from outside.
Are you sure about the resolving of domainname.com? What does the rule get
added as?
> When I try to connect from outside it doesn't say connection refused, it
> dies after a timeout.
> /proc/net/ip_conntrack doesn't show any presence of the connection. I tried
> to send it to -j LOG & ULOG but both end up empty.
Please show us your ruleset. We would like to see:
- what IP address the above PREROUTING rule gets installed with
- the corresponding FORWARD rule for the packets
- an appropriate reply packet rule
- how you have been LOGging packets for testing
I suggest the output of "iptables -L -nvx; iptables -L -t nat -nvx" and if
appropriate also "iptables -L -t mangle -nvx" is a good format for us to
understand where you're starting from.
Regards,
Antony.
--
In science, one tries to tell people
in such a way as to be understood by everyone
something that no-one ever knew before.
In poetry, it is the exact opposite.
- Paul Dirac
Please reply to the list;
please don't CC me.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Fedora Core 2. Port Forwarding Problems
2004-07-24 14:55 ` Antony Stone
@ 2004-07-24 20:12 ` Василий Свиридов
[not found] ` <+nfcan+jimlaur+c1d788382f.netspider#mail.ru@spamgourmet.com>
0 siblings, 1 reply; 4+ messages in thread
From: Василий Свиридов @ 2004-07-24 20:12 UTC (permalink / raw)
To: netfilter
[-- Attachment #1: Type: text/plain, Size: 2471 bytes --]
Antony Stone wrote:
>On Saturday 24 July 2004 4:25 am, Василий Свиридов wrote:
>
>>I've installed Fedora Core 2 and tried to reuse my old settings I
>>retained from the Red Hat 9 system.
>>
>>Masquerading works fine, but when I try to do port forwarding like this
>>iptables -t nat -A PREROUTING -p tcp -d <domainname.com> --dport 80 -j DNAT --to 192.168.20.40:80
>>the rule adds itself fine, but port 80 is not accessible from outside.
>
>Are you sure about the resolving of domainname.com? What does the rule get
>added as?

It simply resolves the address and adds the IP.

>>When I try to connect from outside it doesn't say connection refused, it
>>dies after a timeout.
>>/proc/net/ip_conntrack doesn't show any presence of the connection. I tried
>>to send it to -j LOG & ULOG but both end up empty.
>
>Please show us your ruleset. We would like to see:
> - what IP address the above PREROUTING rule gets installed with
> - the corresponding FORWARD rule for the packets
> - an appropriate reply packet rule
> - how you have been LOGging packets for testing
>
>I suggest the output of "iptables -L -nvx; iptables -L -t nat -nvx" and if
>appropriate also "iptables -L -t mangle -nvx" is a good format for us to
>understand where you're starting from.
>
>Regards,
>
>Antony.

iptables -L -nvx doesn't contain any rules yet.

[root@border root]# iptables -L -t nat -nvx
Chain PREROUTING (policy ACCEPT 5913 packets, 353422 bytes)
    pkts    bytes target      prot opt in   out   source       destination
       8      408 DNAT        tcp  --  *    *     0.0.0.0/0    207.6.196.64    tcp dpt:80 to:192.168.20.40:80

Chain POSTROUTING (policy ACCEPT 4 packets, 244 bytes)
    pkts    bytes target      prot opt in   out   source       destination
     744    42337 MASQUERADE  all  --  *    eth0  0.0.0.0/0    0.0.0.0/0
      11      588 SNAT        tcp  --  *    *     0.0.0.0/0    192.168.20.40   ctstate DNAT tcp dpt:80 to:207.6.196.64

Chain OUTPUT (policy ACCEPT 123 packets, 7641 bytes)
    pkts    bytes target      prot opt in   out   source       destination
       3      180 DNAT        tcp  --  *    *     0.0.0.0/0    207.6.196.64    tcp dpt:80 to:192.168.20.40:80

This kind of configuration worked just fine on RH9. But it wasn't
working on it when I tried to install kernel 2.6.6.
Thanks.
[-- Attachment #2: Type: text/html, Size: 3393 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
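
Added example (not part of the thread and not any poster's configuration): the four items in Antony Stone's list, written out for the addresses in the listing above. The inside interface eth1 and the log prefix are assumptions; the script only prints the commands unless it is run with IPT=iptables.

```sh
#!/bin/sh
# Added example, not the poster's configuration. Dry run by default: each
# command is printed. Run as root with IPT=iptables to apply the rules.
IPT="${IPT:-echo iptables}"

PUBLIC_IP="207.6.196.64"    # from the listing in the thread
SERVER_IP="192.168.20.40"   # from the listing in the thread
PORT="80"
WAN_IF="eth0"               # outside interface, as in the MASQUERADE rule
LAN_IF="eth1"               # assumption: the thread never names it
LOG_PREFIX="fwd-http-new: " # assumption: any short prefix will do

port_forward_rules() {
    # 1. nat/PREROUTING: rewrite the destination before routing.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$PUBLIC_IP" \
        --dport "$PORT" -j DNAT --to-destination "$SERVER_IP:$PORT"

    # 2. LOG first, so a packet that reaches FORWARD leaves a trace even
    #    if a later rule drops it. By now the destination is already the
    #    internal address, so match on SERVER_IP, not PUBLIC_IP.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$SERVER_IP" \
        --dport "$PORT" -m conntrack --ctstate NEW \
        -j LOG --log-prefix "$LOG_PREFIX"

    # 3. filter/FORWARD: client -> server direction.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$SERVER_IP" \
        --dport "$PORT" -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

    # 4. filter/FORWARD: reply packets, server -> client.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp -s "$SERVER_IP" \
        --sport "$PORT" -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

show_counters() {
    # Per-rule packet counters show how far test packets got.
    $IPT -t nat -L PREROUTING -nvx
    $IPT -L FORWARD -nvx
}

port_forward_rules
show_counters
```

Rules 3 and 4 only matter when the FORWARD policy is not ACCEPT; the LOG rule and the counters are useful either way.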
Thread overview: 4+ messages
2004-07-24 3:25 Fedora Core 2. Port Forwarding Problems Василий Свиридов
2004-07-24 14:55 ` Antony Stone
2004-07-24 20:12 ` Василий Свиридов
[not found] ` <+nfcan+jimlaur+c1d788382f.netspider#mail.ru@spamgourmet.com>
[not found] ` <netspider@mail.ru>
2004-07-25 23:48 ` Fedora Core 2. Port Forwarding Problems (nfcan: addressed to exclusive sender for this address) Jim Laurino