Linux Netfilter discussions
From: Jorge Davila <davila@nicaraguaopensource.com>
To: admin <admin@tsvrn.ru>, netfilter@lists.netfilter.org
Subject: Re: SNAT trouble: Linux box ignores incoming packets
Date: Thu, 16 Aug 2007 15:38:00 -0600
Message-ID: <web-79588733@bk2.webmaillogin.com>
In-Reply-To: <278283523.20070816185903@tsvrn.ru>

Sorry admin:

I tried to read your rules, but reading them is some sort of "guessing" about
which address space is linked with which interface.

Which public interface is the LAN using (eth2 or eth3)? Is eth1 useless in
your configuration?

Is the LAN supposed to send its traffic via eth2 or eth3? What can we see
with

ip a

ip r

?

Jorge Dávila.

On Thu, 16 Aug 2007 18:59:03 +0400
  admin <admin@tsvrn.ru> wrote:
> I've got a rather bizarre configuration: the Linux box has 4 ethernet
> devices (eth0, eth1, eth2, and eth3). eth2 and eth3 face the
> Internet, eth0 is the LAN.
> 
> I've configured SNAT so that it should give Internet access to the
> 192.168.91.0/24 network. Outgoing packets are translated correctly, and
> the external server sends a reply. However, the reply packet seems to
> be killed by iptables or otherwise ignored by the box (wireshark
> shows it, but the packet isn't going anywhere else). Having said that,
> I should note that SNAT for tcp port 4000 works fine (this one is
> for an outgoing connection from the box to 192.168.91.254. I know this
> line should be modified, but this is not the main trouble for now).
> 
> IP forwarding is turned on, and the iptables rules look
> like this:
> 
> # Generated by iptables-save v1.3.7 on Thu Aug 16 14:10:37 2007
> *nat
> :PREROUTING ACCEPT [70:7232]
> :POSTROUTING ACCEPT [1:73]
> :OUTPUT ACCEPT [1:73]
> -A POSTROUTING -p ip -s 192.168.92.0/255.255.255.0 -d ! 192.168.92.0/24 -j SNAT --to-source <REALIP>
> -A POSTROUTING -p ip -s 192.168.91.0/255.255.255.0 -d ! 192.168.91.0/24 -j LOG --log-prefix "SNAT "
> -A POSTROUTING -p ip -s 192.168.91.0/255.255.255.0 -d ! 192.168.91.0/24 -j SNAT --to-source <REALIP>
> -A POSTROUTING -p tcp -s ! 192.168.91.0/24 -d 192.168.91.0/24 --dport 4000 -j SNAT --to-source 192.168.91.223
> -A PREROUTING -d <REALIP> -p tcp -m tcp --dport 4000 -j DNAT --to-destination 192.168.91.254
> -A OUTPUT -d <REALIP> -p tcp -m tcp --dport 4000 -j DNAT --to-destination 192.168.91.254:4000
> COMMIT
> # Completed on Thu Aug 16 14:10:37 2007
> # Generated by iptables-save v1.3.7 on Thu Aug 16 14:10:37 2007
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [7063:2716993]
> :FWFORWARD - [0:0]
> :FWINPUT - [0:0]
> :INPUTDMZ - [0:0]
> :INPUTINET - [0:0]
> :INPUTETH2 - [0:0]
> :INPUTETH3 - [0:0]
> :INPUTLAN - [0:0]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -j FWINPUT 
> -A FORWARD -j FWFORWARD 
> -A OUTPUT -j ACCEPT
> -A FWFORWARD -p tcp -d 192.168.91.254 --dport 4000 -j ACCEPT
> -A FWFORWARD -i eth2 -j DROP 
> -A FWFORWARD -i eth3 -j DROP 
> -A FWFORWARD -p ip -d 192.168.92.0/255.255.255.0 -j DROP 
> -A FWFORWARD -p ip -d 192.168.91.0/255.255.255.0 -j DROP 
> -A FWFORWARD -j ACCEPT 
> -A FWINPUT -i lo -j ACCEPT 
> -A FWINPUT -p icmp -j ACCEPT
> -A FWINPUT -i eth0 -j INPUTLAN 
> -A FWINPUT -i eth1 -j INPUTDMZ 
> -A FWINPUT -i eth2 -j INPUTINET
> -A FWINPUT -i eth3 -j INPUTINET
> -A FWINPUT -j DROP 
> -A INPUTDMZ -p ip -s ! 192.168.92.0/255.255.255.0 -j DROP 
> -A INPUTDMZ -p ip -d 192.168.91.0/24 -j DROP
> -A INPUTDMZ -j ACCEPT 
> -A INPUTINET -d 192.168.91.0/24 -j ACCEPT
> -A INPUTINET -d <REALIP> -j INPUTETH2
> -A INPUTINET -d <REALIP> -j INPUTETH3
> -A INPUTINET -j DROP
> -A INPUTETH2 -p tcp -m tcp --dport 80 -j ACCEPT 
> -A INPUTETH2 -p tcp -m tcp --dport 25 -j ACCEPT 
> -A INPUTETH2 -p tcp -m tcp --dport 110 -j ACCEPT 
> -A INPUTETH2 -p udp -m udp --dport 53 -j ACCEPT 
> -A INPUTETH2 -j DROP 
> -A INPUTETH3 -p tcp -m tcp --dport 80 -j ACCEPT 
> -A INPUTETH3 -p udp -m udp --dport 53 -j ACCEPT 
> -A INPUTETH3 -p tcp -m tcp --dport 4000 -j ACCEPT
> -A INPUTETH3 -p tcp -m tcp --dport 6112 -j ACCEPT
> -A INPUTETH3 -p tcp -m tcp --dport 6200 -j ACCEPT
> -A INPUTETH3 -p tcp -m tcp --dport 6113 -j ACCEPT
> -A INPUTETH3 -j DROP 
> -A INPUTLAN -p tcp -m tcp --dport 25 -j ACCEPT 
> -A INPUTLAN -p tcp -m tcp --dport 110 -j ACCEPT 
> -A INPUTLAN -p tcp -m tcp --dport 3128 -j ACCEPT 
> -A INPUTLAN -p ip -s 192.168.91.222 -j ACCEPT 
> -A INPUTLAN -p ip -s 192.168.91.254 -j ACCEPT 
> -A INPUTLAN -p ip -s 192.168.91.88 -j ACCEPT 
> -A INPUTLAN -p ip -s 192.168.91.233 -j ACCEPT 
> -A INPUTLAN -p ip -s 192.168.91.0/24 -d ! 192.168.92.0/24 -j ACCEPT 
> -A INPUTLAN -j DROP 
> COMMIT
> # Completed on Thu Aug 16 14:10:37 2007

Jorge Isaac Davila Lopez
Nicaragua Open Source
+505 430 5462
davila@nicaraguaopensource.com
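As an added illustration that is not part of this thread, the following Python model walks a de-NATed reply packet through a simplified copy of the quoted FWFORWARD chain (first-match semantics, protocol matches and negations omitted), and then through the same chain with a RELATED,ESTABLISHED accept placed in front of it. The interface names, sample addresses, ports and conntrack states are assumptions constructed for the example.

```python
# Added illustration, not code from the thread: a first-match model of iptables
# chain traversal over a simplified copy of the quoted FWFORWARD rules.
# Interface names, sample packets and conntrack states are constructed.
from ipaddress import ip_address, ip_network

def rule(target, iface=None, dst=None, dport=None, state=None):
    return {"target": target, "iface": iface, "dst": dst, "dport": dport, "state": state}

def matches(r, pkt):
    if r["iface"] and pkt["in"] != r["iface"]:
        return False
    if r["dst"] and ip_address(pkt["dst"]) not in ip_network(r["dst"]):
        return False
    if r["dport"] and pkt.get("dport") != r["dport"]:
        return False
    if r["state"] and pkt["state"] not in r["state"]:
        return False
    return True

def walk(chains, name, pkt, policy="DROP"):
    """First-match traversal; returns (verdict, 'chain[index]') or the policy."""
    for i, r in enumerate(chains[name]):
        if not matches(r, pkt):
            continue
        if r["target"] in chains:  # jump into a user-defined chain
            verdict = walk(chains, r["target"], pkt, policy=None)
            if verdict[0] is not None:
                return verdict
            continue  # the user chain fell through without a verdict
        return r["target"], f"{name}[{i}]"
    return policy, f"{name}:policy"

POSTED = {
    "FORWARD": [rule("FWFORWARD")],
    "FWFORWARD": [
        rule("ACCEPT", dst="192.168.91.254/32", dport=4000),
        rule("DROP", iface="eth2"),
        rule("DROP", iface="eth3"),
        rule("DROP", dst="192.168.92.0/24"),
        rule("DROP", dst="192.168.91.0/24"),
        rule("ACCEPT"),
    ],
}
# The same chain with a conntrack accept in front, the usual shape for a NAT gateway.
FIXED = {"FORWARD": POSTED["FORWARD"],
         "FWFORWARD": [rule("ACCEPT", state={"ESTABLISHED", "RELATED"})] + POSTED["FWFORWARD"]}
# Constructed packets: a LAN host's first outbound packet, and the server's reply
# after conntrack has reversed the SNAT in PREROUTING (dst is the LAN host again).
OUTBOUND = {"in": "eth0", "dst": "203.0.113.5", "dport": 80, "state": "NEW"}
REPLY = {"in": "eth2", "dst": "192.168.91.10", "dport": 51234, "state": "ESTABLISHED"}

def trace(chains, pkt):
    return walk(chains, "FORWARD", pkt)
```

With the posted ordering the reply is dropped by the `-i eth2 -j DROP` rule before any ACCEPT can see it, while the outbound packet passes; the stateful rule in front lets the reply through without loosening the interface-based drops for new connections.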

