* INPUT chain doesen´t receive packets
@ 2005-09-07 11:27 Carsten Rachfahl
2005-09-07 16:40 ` curby .
0 siblings, 1 reply; 2+ messages in thread
From: Carsten Rachfahl @ 2005-09-07 11:27 UTC (permalink / raw)
To: netfilter
Hi everyone on the list.
I have problems with iptables and iproute2. In my scenario I want to use a host with a dsl connection on eth0 and a lan connection eth1 for policy based routing. I want to route http traffic generated by the host itself over eth0 and the rest over eth1. To solve the problem I implement a second routing table called overdsl and route all http packets over the dsl interface. In the following you see the rules that work (proven with ethereal at the eth0 interface).
iptables -A OUTPUT -t mangle -p tcp --dport http -j MARK --set-mark 0x9
iptables -A POSTROUTING -t nat -s 80.156.24.98 -p tcp --dport http -j SNAT --to 192.168.0.2
iptables -A PREROUTING -t mangle -i eth0 -d 192.168.0.2 -p tcp --sport http -j MARK --set-mark 0x9
My problem is that the answering packages from the connected web server aren't delivering to the browser process. I see them in the PREROUTING but not at the INPUT netfilter. What is going wrong? Any advice probably would help me to solve my problem.
Thanks in advaced
Carsten Rachfahl
Rachfahl & Tielke OHG
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: INPUT chain doesen´t receive packets
2005-09-07 11:27 INPUT chain doesen´t receive packets Carsten Rachfahl
@ 2005-09-07 16:40 ` curby .
0 siblings, 0 replies; 2+ messages in thread
From: curby . @ 2005-09-07 16:40 UTC (permalink / raw)
To: Carsten Rachfahl; +Cc: netfilter
On 9/7/05, Carsten Rachfahl <cr@raut.de> wrote:
> I have problems with iptables and iproute2. In my scenario I want to use a host with a dsl connection on eth0 and a lan connection eth1 for policy based routing. I want to route http traffic generated by the host itself over eth0 and the rest over eth1. To solve the problem I
Hopefully your situation is simple enough that you don't need to do
special routing. Can you try to restate what you want to happen to
web traffic going through your firewall? Does the LAN have access to
the Internet besides the DSL connection? If not, it might be as
simple as using NAT, and leaving iproute2/ip alone. Assuming the
firewall machine is routing for the LAN, and its DSL connection on
eth0 is the only way to the Internet, it sounds like you want to use
SNAT/masquerading to let LAN clients out onto the web, and stateful
rules to let replies back in.
If you have your own web server on the LAN and not on the same machine
as the firewall, you'll want to look for packets in the FORWARD chain,
not the INPUT chain. You might also want to use DNAT to allow the
Internet to access the internal server, and stateful rules to let
replies back out.
I wasn't able to glean what your goals and network configuration is
though, so these suggstions may be way off.
--Curby
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2005-09-07 16:40 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-09-07 11:27 INPUT chain doesen´t receive packets Carsten Rachfahl
2005-09-07 16:40 ` curby .
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox