* Port Forwarding .
@ 2008-07-07 21:49 Charles Romestant
From: Charles Romestant @ 2008-07-07 21:49 UTC (permalink / raw)
To: <netfilter@vger.kernel.org>
Hello to all. I'm writing here after having tried to find the solution
to this for about 3 days, still with no luck.
Let me explain the setup
      A                        B                              C
   10.0.1.200        eth0: 10.0.1.192   eth1: 10.0.10.2     10.0.10.1
      |________________________|______________________________|
so 3 boxes, A B and C
On C there is a web server running on port 80, and I want to be able to
access it through B from A.

So basically the ruleset on B should be: if it's port 80, forward it to
port 80 on C.
I have tried these:

iptables -t nat -A PREROUTING -p tcp -d 10.0.1.200 --dport 80 -j DNAT --to 10.0.10.1:80
iptables -t nat -A POSTROUTING -d 10.0.10.1 -j MASQUERADE

No luck. Using iptables -t nat -nvL I saw that the first rule did
match, since the number of packets went up, but I still can't see the
web server.
I also tried this:

iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.10.1:80
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT

That did not work either.
Any help would be appreciated, thank you in advance,
Charles.
BTW: a little more background info. This is a box on which I'm
implementing a Single Packet Authentication system, so the INPUT table's
default policy is DROP; also I have a user-created table called SPA
which is called as the first rule of INPUT.

For the sake of the forwarding experiment I flushed all tables and put
the policy on ACCEPT, but bear in mind that I will need to use that
type of restrictive ruleset.
thank you.
--
Charz
* Re: Port Forwarding .
From: Grant Taylor @ 2008-07-07 22:10 UTC (permalink / raw)
To: Mail List - Netfilter

On 07/07/08 16:49, Charles Romestant wrote:
> on C there is a web server, running on port 80, I want to be able to
> access it through B from A.
>
> So basically the ruleset should be on B if its port 80, forward to
> port 80 on C.

These two rules should do the trick to get the traffic forwarded on
through B to C.

iptables -t nat -A PREROUTING -i eth0 -d 10.0.1.192 -p tcp --dport 80 -j DNAT --to-destination 10.0.10.1
iptables -t filter -A FORWARD -i eth0 -o eth1 -d 10.0.10.1 -p tcp --dport 80 -j ACCEPT

You will need to make sure that the reply traffic back from C is
allowed and appears to be from B.

iptables -t filter -A FORWARD -i eth1 -o eth0 -s 10.0.10.1 -p tcp --sport 80 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.10.1 -p tcp --sport 80 -j SNAT --to-source 10.0.1.192

> Any help would be appreciated, thank you in advance,

You are welcome.

Grant. . . .
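The rules above get the request from A through B to C. Two more things turn out to matter further down this thread and are worth building in from the start: IP forwarding has to be enabled on B, and C needs a route back to A's network through B. Replies to a DNATed connection are reverse-translated by conntrack on their own, and the nat table is only consulted for the first packet of a connection, so a POSTROUTING rule that matches reply packets is never reached and is not needed. What follows is the same setup as a script, added here as an example and not code from Grant or Charles, with the FORWARD chain defaulting to DROP and only the two directions of this one service allowed, which is the restrictive shape the original post says it needs. Addresses and interfaces are the ones Charles posted; the conntrack match, the dry-run mode, the check_forwarding helper and the SNAT_CLIENTS switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread: the "reach C's port 80 through B"
# setup as a script. Assumes the addresses Charles posted
# (A 10.0.1.200; B eth0 10.0.1.192 / eth1 10.0.10.2; C 10.0.10.1) and an
# iptables with the conntrack match. Run as root on B: ./fwd.sh apply
set -eu

EXT_IF=eth0 ; EXT_IP=10.0.1.192   # B's interface facing A
INT_IF=eth1 ; INT_IP=10.0.10.2    # B's interface facing C
TARGET=10.0.10.1 ; PORT=80        # the web server on C
IPT=${IPT:-iptables}              # set IPT=echo for a dry run

# check_forwarding FILE: true if the sysctl file holds "1".
# The real file is /proc/sys/net/ipv4/ip_forward; when it is 0, B silently
# drops everything it is asked to forward, whatever the rules say.
check_forwarding() {
  [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# rules: print the iptables commands one per line, so they can be reviewed
# or diffed before being piped to sh. FORWARD defaults to DROP; only the
# request direction (new and established) and the reply direction
# (established only) of this one service are allowed through B.
rules() {
  cat <<EOF
$IPT -P FORWARD DROP
$IPT -t nat -A PREROUTING -i $EXT_IF -d $EXT_IP -p tcp --dport $PORT -j DNAT --to-destination $TARGET:$PORT
$IPT -A FORWARD -i $EXT_IF -o $INT_IF -d $TARGET -p tcp --dport $PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -i $INT_IF -o $EXT_IF -s $TARGET -p tcp --sport $PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT
EOF
  # Replies are un-DNATed by conntrack by itself; no SNAT rule is needed for
  # them. What C does need is a route back to A via B, e.g. on C
  # (assuming A's network is a /24): ip route add 10.0.1.0/24 via 10.0.10.2
  # If C cannot be given that route, rewrite the client address instead so
  # C always answers B. Cost: C's access logs then show 10.0.10.2, not A.
  if [ "${SNAT_CLIENTS:-0}" = 1 ]; then
    echo "$IPT -t nat -A POSTROUTING -o $INT_IF -d $TARGET -p tcp --dport $PORT -j SNAT --to-source $INT_IP"
  fi
}

if [ "${1:-}" = "apply" ]; then
  check_forwarding /proc/sys/net/ipv4/ip_forward ||
    { echo "ip_forward is 0 on this box: sysctl -w net.ipv4.ip_forward=1" >&2; exit 1; }
  rules | sh -e
else
  rules   # dry run: show what would be applied
fi
```

Without the `apply` argument the script only prints the rules, which is a convenient way to review them or to diff two versions of the policy; `IPT=echo ./fwd.sh apply` exercises the apply path without touching the kernel. The SNAT_CLIENTS variant is a workaround for a box that cannot be given a route back, not the preferred fix, because it hides the real client address from the server.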
* Re: Port Forwarding .
From: Charles Romestant @ 2008-07-07 22:32 UTC (permalink / raw)
To: Grant Taylor; +Cc: Mail List - Netfilter

Thanks for the answer.

Hmm, tried it and it still does not work...

Any ideas, at least to get some debug info? I still can't see the
server from a browser on A.

--
Charz
* Re: Port Forwarding .
From: Charles Romestant @ 2008-07-07 22:33 UTC (permalink / raw)
To: Grant Taylor; +Cc: Mail List - Netfilter

By the way, from B I can see the server on C, so it is not a NIC problem.

Thanks again.

Charles

--
Charz
* Re: Port Forwarding .
From: Charles Romestant @ 2008-07-07 23:10 UTC (permalink / raw)
To: Grant Taylor; +Cc: Mail List - Netfilter

OK, I just saw that the little "diagram" I sent in the OP had been
moved about when sent, so I'm resending the interface information just
in case.

A: 10.0.1.200
B: eth0 10.0.1.192, eth1 10.0.10.2
C: eth0 10.0.10.1

A and B are on the same subnet, and B and C are on another subnet.

The idea is to open the browser on A, type 10.0.1.192 and get the web
server that is on C.

I did what you suggested, Mr Taylor, and it still does not work.

iptables -L lists this:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             Macintosh.local      tcp dpt:www
ACCEPT     tcp  --  Macintosh.local      anywhere             tcp spt:www

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (0 references)

Thank you again.

Charles

--
Charz
* Re: Port Forwarding .
From: Charles Romestant @ 2008-07-07 23:58 UTC (permalink / raw)
To: Grant Taylor; +Cc: Mail List - Netfilter

OK, a little more info, for debugging's sake...

root@charz-server:/home/charz# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 157 packets, 20335 bytes)
 pkts bytes target      prot opt in     out     source               destination
  112  5904 DNAT        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:10.0.10.1:80
    0     0 DNAT        tcp  --  eth0   *       0.0.0.0/0            10.0.1.192           tcp dpt:80 to:10.0.10.1

Chain POSTROUTING (policy ACCEPT 8 packets, 795 bytes)
 pkts bytes target      prot opt in     out     source               destination
    6   480 MASQUERADE  0    --  *      *       0.0.0.0/0            10.0.10.1
    0     0 SNAT        tcp  --  *      eth0    10.0.10.1            0.0.0.0/0            tcp spt:80 to:10.0.1.192

Chain OUTPUT (policy ACCEPT 14 packets, 1275 bytes)
 pkts bytes target      prot opt in     out     source               destination

Again, it seems only the first rule in PREROUTING is executing, as
consecutive looks at this while trying to browse to the page show an
increment in pkts.

Again, thank you for your patience.

--
Charz
* Re: Port Forwarding .
From: Grant Taylor @ 2008-07-08 2:23 UTC (permalink / raw)
To: Mail List - Netfilter

On 7/7/2008 6:58 PM, Charles Romestant wrote:
> ok a little more info, for debugs sake...

Ok! You have not been clearing your IPTables before adding additional
rules. Please run the following commands and re-try what I submitted
earlier.

iptables -t filter -F
iptables -t nat -F

> again it seems only the first rule in the PREROUTING is executing as
> consecutive looks at this while trying to browse to the page show
> increment in pkts.

*nod*

Your first DNAT rule, which is incorrect, is being matched before the
rule(s) that I provided. You need to flush your IP tables and chains.

> again, thank you for your patience.

*nod*

You are welcome.

Grant. . . .
* Re: Port Forwarding .
From: Charles Romestant @ 2008-07-08 19:20 UTC (permalink / raw)
To: Grant Taylor; +Cc: Mail List - Netfilter

OK, flushed all tables and all chains, changed the policy back to
ACCEPT, and then re-entered the rules you sent me before, Grant. And
still no dice.

root@charz-server:/home/charz# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 1241 packets, 167K bytes)
 pkts bytes target     prot opt in     out     source               destination
   24  1296 DNAT       tcp  --  eth0   *       0.0.0.0/0            10.0.1.192           tcp dpt:80 to:10.0.10.1

Chain POSTROUTING (policy ACCEPT 29 packets, 5063 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       tcp  --  *      eth0    10.0.10.1            0.0.0.0/0            tcp spt:80 to:10.0.1.192

Chain OUTPUT (policy ACCEPT 35 packets, 5543 bytes)
 pkts bytes target     prot opt in     out     source               destination

Still, PREROUTING seems to be matching but the others stay at 0.

At the moment I'm still reading documentation to see if I can spot the
mistake. Thanks again for the help.

Why would PREROUTING accept and not continue to POSTROUTING?

--
Charz
* Re: Port Forwarding .
From: Grant Taylor @ 2008-07-08 19:37 UTC (permalink / raw)
To: Mail List - Netfilter

On 07/08/08 14:20, Charles Romestant wrote:
> ok, flushed all tables, and all chains, changed back the policy to
> accept, and then reentered the rules you sent me before Grant. And
> still no dice.

*nod*

<snip>

> still the prerouting seems to be matching but the others stay at 0.

Agreed.

> At the moment i m still reading documentation to see if i can spot
> the mistake, thanks again for the help.
>
> Why would the prerouting accept and not continue to postrouting?

If ip forwarding is not enabled, things may not do what they need to.
What is your /proc/sys/net/ipv4/ip_forward file set to? Try setting it
to 1.

echo "1" > /proc/sys/net/ipv4/ip_forward

Also, can I get a current iptables-save output?

Grant. . . .
* Re: Port Forwarding .
From: Charles Romestant @ 2008-07-08 19:40 UTC (permalink / raw)
To: Grant Taylor; +Cc: Mail List - Netfilter

OK, it was set to 0, but changing it did not do anything. Here is the
iptables-save output:

root@charz-server:/home/charz# iptables-save
# Generated by iptables-save v1.3.6 on Tue Jul  8 15:09:21 2008
*nat
:PREROUTING ACCEPT [1273:171111]
:POSTROUTING ACCEPT [37:5861]
:OUTPUT ACCEPT [41:6213]
-A PREROUTING -d 10.0.1.192 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.10.1
-A POSTROUTING -s 10.0.10.1 -o eth0 -p tcp -m tcp --sport 80 -j SNAT --to-source 10.0.1.192
COMMIT
# Completed on Tue Jul  8 15:09:21 2008
# Generated by iptables-save v1.3.6 on Tue Jul  8 15:09:21 2008
*filter
:INPUT ACCEPT [7428:682763]
:FORWARD ACCEPT [1:48]
:OUTPUT ACCEPT [2978:507120]
:fail2ban-ssh - [0:0]
:spa - [0:0]
-A FORWARD -d 10.0.10.1 -i eth0 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 10.0.10.1 -i eth1 -o eth0 -p tcp -m tcp --sport 80 -j ACCEPT
COMMIT
# Completed on Tue Jul  8 15:09:21 2008

Again, thank you for your help.

--
Charz
* Re: Port Forwarding .
From: Grant Taylor @ 2008-07-08 19:50 UTC (permalink / raw)
To: Mail List - Netfilter

On 07/08/08 14:40, Charles Romestant wrote:
> ok it was set to 0, but changing it did not do anything, here is the
> iptables-save output

*nod*

Uh, can I (re)ask for an iptables-save, but this time with a "-c" added
to the end of it so that it will include packet counters? (I forgot
that iptables-save does not show packet counts like iptables -L.
Sorry.)

> Again , thank you for your help

*nod*

You are welcome.

Grant. . . .
* Re: Port Forwarding .
From: Charles Romestant @ 2008-07-08 19:54 UTC (permalink / raw)
To: Grant Taylor; +Cc: Mail List - Netfilter

OK, here are 2 consecutive saves taken while trying to access the web
server.

root@charz-server:/home/charz# iptables-save -c
# Generated by iptables-save v1.3.6 on Tue Jul  8 15:23:36 2008
*nat
:PREROUTING ACCEPT [1287:172779]
:POSTROUTING ACCEPT [39:5989]
:OUTPUT ACCEPT [41:6213]
[2:128] -A PREROUTING -d 10.0.1.192 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.10.1
[0:0] -A POSTROUTING -s 10.0.10.1 -o eth0 -p tcp -m tcp --sport 80 -j SNAT --to-source 10.0.1.192
COMMIT
# Completed on Tue Jul  8 15:23:36 2008
# Generated by iptables-save v1.3.6 on Tue Jul  8 15:23:36 2008
*filter
:INPUT ACCEPT [7829:710453]
:FORWARD ACCEPT [1:48]
:OUTPUT ACCEPT [3244:550936]
:fail2ban-ssh - [0:0]
:spa - [0:0]
[19:1008] -A FORWARD -d 10.0.10.1 -i eth0 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A FORWARD -s 10.0.10.1 -i eth1 -o eth0 -p tcp -m tcp --sport 80 -j ACCEPT
COMMIT
# Completed on Tue Jul  8 15:23:36 2008

------------------------------------------------------------------------

root@charz-server:/home/charz# iptables-save -c
# Generated by iptables-save v1.3.6 on Tue Jul  8 15:23:38 2008
*nat
:PREROUTING ACCEPT [1288:172897]
:POSTROUTING ACCEPT [39:5989]
:OUTPUT ACCEPT [41:6213]
[2:128] -A PREROUTING -d 10.0.1.192 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.10.1
[0:0] -A POSTROUTING -s 10.0.10.1 -o eth0 -p tcp -m tcp --sport 80 -j SNAT --to-source 10.0.1.192
COMMIT
# Completed on Tue Jul  8 15:23:38 2008
# Generated by iptables-save v1.3.6 on Tue Jul  8 15:23:38 2008
*filter
:INPUT ACCEPT [7844:711502]
:FORWARD ACCEPT [1:48]
:OUTPUT ACCEPT [3254:553344]
:fail2ban-ssh - [0:0]
:spa - [0:0]
[19:1008] -A FORWARD -d 10.0.10.1 -i eth0 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A FORWARD -s 10.0.10.1 -i eth1 -o eth0 -p tcp -m tcp --sport 80 -j ACCEPT
COMMIT
# Completed on Tue Jul  8 15:23:38 2008

--
Charz
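Two `iptables-save -c` snapshots taken a couple of seconds apart, as above, are a complete picture of where traffic stops: every rule and every chain policy carries a packet count, and the rule whose count never moves is the first hop no packet reaches. The pair above reads like this: the PREROUTING DNAT rule has 2 packets (nat-table rules only count the first packet of each connection, so that is two connection attempts), the FORWARD eth0-to-eth1 rule has 19 (the SYNs plus their retransmissions, all of which reached C), and both reply-direction rules are at 0, so nothing ever came back from C. That points at C's routing rather than at B's rules. The script below, added here as an example and not part of the thread, automates that reading. Its input is the two snapshots Charles posted, embedded verbatim as a constructed sample; the two helper names and the output format are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: compare two "iptables-save -c" snapshots
# and print, per chain policy and per rule, the current packet count and the
# change between them. Take your own pair on the router with:
#   iptables-save -c > before; sleep 2; iptables-save -c > after
# The sample below is the pair posted in this thread (whitespace only changed).
SNAP1='*nat
:PREROUTING ACCEPT [1287:172779]
:POSTROUTING ACCEPT [39:5989]
:OUTPUT ACCEPT [41:6213]
[2:128] -A PREROUTING -d 10.0.1.192 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.10.1
[0:0] -A POSTROUTING -s 10.0.10.1 -o eth0 -p tcp -m tcp --sport 80 -j SNAT --to-source 10.0.1.192
COMMIT
*filter
:INPUT ACCEPT [7829:710453]
:FORWARD ACCEPT [1:48]
:OUTPUT ACCEPT [3244:550936]
:fail2ban-ssh - [0:0]
:spa - [0:0]
[19:1008] -A FORWARD -d 10.0.10.1 -i eth0 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A FORWARD -s 10.0.10.1 -i eth1 -o eth0 -p tcp -m tcp --sport 80 -j ACCEPT
COMMIT'
SNAP2='*nat
:PREROUTING ACCEPT [1288:172897]
:POSTROUTING ACCEPT [39:5989]
:OUTPUT ACCEPT [41:6213]
[2:128] -A PREROUTING -d 10.0.1.192 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.10.1
[0:0] -A POSTROUTING -s 10.0.10.1 -o eth0 -p tcp -m tcp --sport 80 -j SNAT --to-source 10.0.1.192
COMMIT
*filter
:INPUT ACCEPT [7844:711502]
:FORWARD ACCEPT [1:48]
:OUTPUT ACCEPT [3254:553344]
:fail2ban-ssh - [0:0]
:spa - [0:0]
[19:1008] -A FORWARD -d 10.0.10.1 -i eth0 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A FORWARD -s 10.0.10.1 -i eth1 -o eth0 -p tcp -m tcp --sport 80 -j ACCEPT
COMMIT'

# counter_report BEFORE AFTER
# One line per chain policy and per rule: "<table> <pkts_now> <delta> <what>".
# Chain policy lines (":CHAIN POLICY [p:b]") count packets that matched no
# rule; rule lines ("[p:b] -A ...") count packets that matched that rule.
counter_report() {
  awk '
    function pkts(f,   s, c) {                     # "[p:b]" -> p
      s = substr(f, 2, length(f) - 2); split(s, c, ":"); return c[1] + 0
    }
    function emit(tbl, what, n,   k) {
      k = tbl SUBSEP what
      if (NR == FNR) { before[k] = n; return }     # first file: remember
      printf "%s %d %d %s\n", tbl, n, n - before[k], what
    }
    /^\*/                              { table = substr($0, 2); next }
    /^:[^ ]+ [^ ]+ \[[0-9]+:[0-9]+\]$/ { emit(table, $1 " policy", pkts($3)); next }
    /^\[[0-9]+:[0-9]+\] -A /           { emit(table, substr($0, index($0, "-A ")), pkts($1)); next }
  ' "$1" "$2"
}

# dead_rules AFTER: rules still at zero packets in the newer snapshot, i.e.
# rules no packet has reached. For the sample these are exactly the two
# reply-direction rules on B: requests leave B for C and nothing comes back,
# so the next thing to check is C's route back, not B's rules.
dead_rules() {
  awk '/^\[0:0\] -A /' "$1"
}

tmp=$(mktemp -d)
printf '%s\n' "$SNAP1" > "$tmp/before"
printf '%s\n' "$SNAP2" > "$tmp/after"
echo "table pkts delta what"
counter_report "$tmp/before" "$tmp/after"
echo
echo "rules no packet has reached:"
dead_rules "$tmp/after"
rm -r "$tmp"
```

The delta column is the part that matters when the snapshots bracket a single test request: a rule with a large absolute count but a zero delta saw old traffic, not this attempt. Note also that the nat PREROUTING policy counter moved by one between the two saves, which is a packet that hit PREROUTING and matched no nat rule (not port 80 traffic to 10.0.1.192), so it is unrelated to the test.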
* Re: Port Forwarding .
From: Charles Romestant @ 2008-07-08 20:11 UTC (permalink / raw)
To: Grant Taylor; +Cc: Mail List - Netfilter

OK, found out what the problem was... and I am truly sorry to have
wasted your time. The problem was simple: host C did not have its
gateway set to the IP of the NAT box... so basically no return path for
packets, IIRC.

Again, thank you very much for your help.

Charles.

--
Charz
* Re: Port Forwarding .
From: Grant Taylor @ 2008-07-08 20:21 UTC (permalink / raw)
To: Mail List - Netfilter

On 07/08/08 15:11, Charles Romestant wrote:
> Ok, found out what the problem was... and i am truly sorry to have
> wasted your time. Problem was simple host C did not have the gateway
> set to the ip of the NAT... so basically no return path for packets
> IIRC.

Dough! That will do it.

> again, thank you very much for your help

We are all human. You are welcome.

Grant. . . .
end of thread, other threads: [~2008-07-08 20:21 UTC | newest]

Thread overview: 14+ messages
2008-07-07 21:49 Port Forwarding Charles Romestant
2008-07-07 22:10 ` Grant Taylor
2008-07-07 22:32 ` Charles Romestant
2008-07-07 22:33 ` Charles Romestant
2008-07-07 23:10 ` Charles Romestant
2008-07-07 23:58 ` Charles Romestant
2008-07-08 2:23 ` Grant Taylor
2008-07-08 19:20 ` Charles Romestant
2008-07-08 19:37 ` Grant Taylor
2008-07-08 19:40 ` Charles Romestant
2008-07-08 19:50 ` Grant Taylor
2008-07-08 19:54 ` Charles Romestant
2008-07-08 20:11 ` Charles Romestant
2008-07-08 20:21 ` Grant Taylor